33.18. SSL Support

www.postgresql.org

PostgreSQL has native support for using SSL connections to encrypt client/server communications for increased security. See Section 18.9 for details about the server-side SSL functionality.

libpq reads the system-wide OpenSSL configuration file. By default, this file is named openssl.cnf and is located in the directory reported by openssl version -d. This default can be overridden by setting the environment variable OPENSSL_CONF to the name of the desired configuration file.

33.18.1. Client Verification of Server Certificates

By default, PostgreSQL will not perform any verification of the server certificate. This means that it is possible to spoof the server identity (for example by modifying a DNS record or by taking over the server IP address) without the client knowing. In order to prevent spoofing, the client must be able to verify the server's identity via a chain of trust. A chain of trust is established by placing a root (self-signed) certificate authority (CA) certificate on one computer and a leaf certificate signed by the root certificate on another computer. It is also possible to use an "intermediate" certificate which is signed by the root certificate and signs leaf certificates.

To allow the client to verify the identity of the server, place a root certificate on the client and a leaf certificate signed by the root certificate on the server. To allow the server to verify the identity of the client, place a root certificate on the server and a leaf certificate signed by the root certificate on the client. One or more intermediate certificates (usually stored with the leaf certificate) can also be used to link the leaf certificate to the root certificate.

Once a chain of trust has been established, there are two ways for the client to validate the leaf certificate sent by the server. If the parameter sslmode is set to verify-ca, libpq will verify that the server is trustworthy by checking the certificate chain up to the root…
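As an added example (not part of the PostgreSQL documentation), the script below builds the chain of trust this section describes with openssl (a self-signed root CA, an intermediate signed by it, and a server leaf signed by the intermediate) and then runs the two checks a libpq client performs: the chain check of sslmode=verify-ca, and the chain-plus-host-name check of sslmode=verify-full. It assumes an openssl binary is installed; the names demo-root, demo-intermediate, other-root and db.example.test are constructed.

```shell
#!/bin/sh
# Added example, not from the PostgreSQL docs: build the chain of trust the
# section describes (self-signed root CA -> intermediate -> server leaf) with
# openssl and check what a client holding a given root can conclude from it.
# All names (demo-root, demo-intermediate, db.example.test) are constructed.
set -eu
DEMO_DIR=$(mktemp -d)

# Issue one certificate. $1 = CN, $2 = file basename, $3 = X.509v3 extensions
# (printed with %b, so \n separates lines), $4/$5 = issuer cert/key (omit for a root).
issue_cert() {
    printf '%b\n' "$3" > "$DEMO_DIR/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$DEMO_DIR/$2.key" -out "$DEMO_DIR/$2.csr" 2>/dev/null
    if [ $# -gt 3 ]; then
        openssl x509 -req -in "$DEMO_DIR/$2.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
            -days 2 -extfile "$DEMO_DIR/$2.ext" -out "$DEMO_DIR/$2.crt" 2>/dev/null
    else
        openssl x509 -req -in "$DEMO_DIR/$2.csr" -signkey "$DEMO_DIR/$2.key" \
            -days 2 -extfile "$DEMO_DIR/$2.ext" -out "$DEMO_DIR/$2.crt" 2>/dev/null
    fi
}

setup_demo_pki() {
    ca='basicConstraints=critical,CA:TRUE'
    issue_cert demo-root root "$ca"                       # the root the client stores
    issue_cert demo-intermediate int "$ca" "$DEMO_DIR/root.crt" "$DEMO_DIR/root.key"
    issue_cert db.example.test server \
        'basicConstraints=CA:FALSE\nsubjectAltName=DNS:db.example.test' \
        "$DEMO_DIR/int.crt" "$DEMO_DIR/int.key"           # the leaf the server sends
    issue_cert other-root other "$ca"                     # a root the client does not hold
}

# sslmode=verify-ca analogue: the chain (leaf plus the intermediate the server
# ships with it) must end at the root in $1; the system CA store is ignored.
chain_trusted() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" \
        -untrusted "$DEMO_DIR/int.crt" "$DEMO_DIR/server.crt" >/dev/null 2>&1
}
# sslmode=verify-full analogue: same check, and the name in $2 must match the leaf.
chain_and_name_trusted() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" -verify_hostname "$2" \
        -untrusted "$DEMO_DIR/int.crt" "$DEMO_DIR/server.crt" >/dev/null 2>&1
}

setup_demo_pki
for r in root other; do
    if chain_trusted "$DEMO_DIR/$r.crt"; then echo "$r.crt: chain OK"; else echo "$r.crt: rejected"; fi
done
```

Only the root the client actually holds (root.crt) makes the server's chain verify; the unrelated other-root is rejected even though it is a perfectly valid CA, and with the host-name check a matching chain is still rejected when the name differs.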