diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index aa5c15f1a0..bbddbe5903 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1,4 +1,4 @@ - + Server Configuration @@ -569,15 +569,15 @@ SET ENABLE_SEQSCAN TO OFF; - - ssl_ciphers> (string) + + ssl_ciphers (string) ssl_ciphers configuration parameter - Specifies a list of SSL ciphers which can be used to - establish secure connections. See the openssl + Specifies a list of SSL ciphers that are allowed to be + used on secure connections. See the openssl manual page for a list of supported ciphers. diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 4dbf47ac50..5b8ef438b3 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1,4 +1,4 @@ - + <application>libpq</application> - C Library @@ -4178,10 +4178,11 @@ setting, and is only available if PGSSLKEY PGSSLKEY -specifies the hardware token which stores the secret key for the client -certificate, instead of a file. The value of this variable should consist +specifies the hardware token that stores the secret key for the client +certificate. The value of this variable should consist of a colon-separated engine name (engines are OpenSSL -loadable modules) and an engine-specific key identifier. +loadable modules) and an engine-specific key identifier. If this is not +set, the secret key must be kept in a file. 
@@ -4450,30 +4451,29 @@ ldap://ldap.mycompany.com/dc=mycompany,dc=com?uniqueMember?one?(cn=mydatabase) for increased security. See for details about the server-side SSL functionality. + - libpq reads the system-wide - OpenSSL configuration file. By default, this - file is named openssl.cnf and is located in the - directory reported by openssl: - - openssl version -d - - The default can be overriden by setting environment variable - OPENSSL_CONF to the name of the desired configuration - file. + libpq reads the system-wide + OpenSSL configuration file. By default, this + file is named openssl.cnf and is located in the + directory reported by openssl version -d. + This default can be overridden by setting environment variable + OPENSSL_CONF to the name of the desired configuration + file. + If the server demands a client certificate, libpq will send the certificate stored in file ~/.postgresql/postgresql.crt within the user's home directory. A matching private key file ~/.postgresql/postgresql.key - must also be present, and must not be world-readable, unless the secret - key is stored in a hardware token, as specified by - PGSSLKEY. + must also be present, unless the secret key for the certificate is stored + in a hardware token, as specified by PGSSLKEY. (On Microsoft Windows these files are named %APPDATA%\postgresql\postgresql.crt and %APPDATA%\postgresql\postgresql.key.) + The private key file must not be world-readable. 
@@ -4481,7 +4481,7 @@ ldap://ldap.mycompany.com/dc=mycompany,dc=com?uniqueMember?one?(cn=mydatabase) should consist of a colon-separated engine name and key identifier. In this case, libpq will load the specified engine, i.e. the OpenSSL module which supports special - hardware and reference the key with the specified identifier. + hardware, and reference the key with the specified identifier. Identifiers are engine-specific. Typically, cryptography hardware tokens do not reveal secret keys to the application. Instead, applications delegate all cryptography operations which require the secret key to diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 7bed97a86f..57e4692710 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -1,4 +1,4 @@ - + Operating System Environment @@ -1518,20 +1518,17 @@ $ kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid` OpenSSL supports a wide range of ciphers and authentication algorithms, whose strength varies significantly. - You can restrict the list of ciphers which can be used to connect to - your server using the parameter. + You can restrict the list of ciphers that can be used to connect to + your server by adjusting the parameter. - PostgreSQL reads a system-wide - OpenSSL configuration file. By default this + PostgreSQL reads the system-wide + OpenSSL configuration file. By default, this file is named openssl.cnf and is located in the - directory reported by openssl: - - openssl version -d - - This default can be overriden by setting environment variable - OPENSSL_CONF to the name of desired configuration file. + directory reported by openssl version -d. + This default can be overridden by setting environment variable + OPENSSL_CONF to the name of the desired configuration file.
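Review bot: In the config.sgml hunk for `ssl_ciphers`, "See the openssl manual page for a list of supported ciphers" does not say which manual page; since the value is an OpenSSL cipher list string, naming the `ciphers` page (`openssl ciphers`) would give the reader the one place that also documents the list syntax, e.g. "See the openssl ciphers manual page for the list format and the supported ciphers." The removal of the stray `>` after `ssl_ciphers` in the same hunk is correct.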
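Review bot: In the libpq.sgml hunk around line 4451, moving "The private key file must not be world-readable." after the Windows parenthetical changes its scope: it now reads as if it applies to `%APPDATA%\postgresql\postgresql.key` as well, whereas the old wording tied the permission requirement to the `~/.postgresql/postgresql.key` sentence. Either keep the permission sentence directly after the `postgresql.key` sentence and put the Windows note last, or state explicitly whether the requirement applies on Windows. The sentence should also say what libpq does when the file is world-readable (refuses it or merely warns), since that is the behaviour a deployer needs to know.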
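Review bot: In the runtime.sgml hunk around line 1518, the rewritten openssl.cnf paragraph is now word-for-word the libpq.sgml paragraph (same `openssl version -d` and `OPENSSL_CONF` text, same "overridden" fix). Keeping two copies means the next wording fix has to be made twice; consider having one of them reference the other, or at least keep the two in one shape so a future diff to one is obviously incomplete without the other. The "overriden" to "overridden" correction and the inlining of `openssl version -d` are fine.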