Add parameters for controlling locations of server-side SSL files
This allows changing the location of the files that were previously hard-coded to server.crt, server.key, root.crt, root.crl. server.crt and server.key continue to be the default settings and are thus required to be present by default if SSL is enabled. But the settings for the server-side CA and CRL are now empty by default, and if they are set, the files are required to be present. This replaces the previous behavior of ignoring the functionality if the files were not found.
parent
a417f85e1d
commit
a445cb92ef
|
@ -668,6 +668,70 @@ SET ENABLE_SEQSCAN TO OFF;
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry id="guc-ssl-ca-file" xreflabel="ssl_ca_file">
|
||||||
|
<term><varname>ssl_ca_file</varname> (<type>string</type>)</term>
|
||||||
|
<indexterm>
|
||||||
|
<primary><varname>ssl_ca_file</> configuration parameter</primary>
|
||||||
|
</indexterm>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Specifies the name of the file containing the SSL server certificate
|
||||||
|
authority (CA). The default is empty, meaning no CA file is loaded,
|
||||||
|
and client certificate verification is not performed. (In previous
|
||||||
|
releases of PostgreSQL, the name of this file was hard-coded
|
||||||
|
as <filename>root.crt</filename>.) Relative paths are relative to the
|
||||||
|
data directory. This parameter can only be set at server start.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry id="guc-ssl-cert-file" xreflabel="ssl_cert_file">
|
||||||
|
<term><varname>ssl_cert_file</varname> (<type>string</type>)</term>
|
||||||
|
<indexterm>
|
||||||
|
<primary><varname>ssl_cert_file</> configuration parameter</primary>
|
||||||
|
</indexterm>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Specifies the name of the file containing the SSL server certificate.
|
||||||
|
The default is <filename>server.crt</filename>. Relative paths are
|
||||||
|
relative to the data directory. This parameter can only be set at
|
||||||
|
server start.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry id="guc-ssl-crl-file" xreflabel="ssl_crl_file">
|
||||||
|
<term><varname>ssl_crl_file</varname> (<type>string</type>)</term>
|
||||||
|
<indexterm>
|
||||||
|
<primary><varname>ssl_crl_file</> configuration parameter</primary>
|
||||||
|
</indexterm>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Specifies the name of the file containing the SSL server certificate
|
||||||
|
revocation list (CRL). The default is empty, meaning no CRL file is
|
||||||
|
loaded. (In previous releases of PostgreSQL, the name of this file was
|
||||||
|
hard-coded as <filename>root.crl</filename>.) Relative paths are
|
||||||
|
relative to the data directory. This parameter can only be set at
|
||||||
|
server start.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry id="guc-ssl-key-file" xreflabel="ssl_key_file">
|
||||||
|
<term><varname>ssl_key_file</varname> (<type>string</type>)</term>
|
||||||
|
<indexterm>
|
||||||
|
<primary><varname>ssl_key_file</> configuration parameter</primary>
|
||||||
|
</indexterm>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Specifies the name of the file containing the SSL server private key.
|
||||||
|
The default is <filename>server.key</filename>. Relative paths are
|
||||||
|
relative to the data directory. This parameter can only be set at
|
||||||
|
server start.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry id="guc-ssl-renegotiation-limit" xreflabel="ssl_renegotiation_limit">
|
<varlistentry id="guc-ssl-renegotiation-limit" xreflabel="ssl_renegotiation_limit">
|
||||||
<term><varname>ssl_renegotiation_limit</varname> (<type>integer</type>)</term>
|
<term><varname>ssl_renegotiation_limit</varname> (<type>integer</type>)</term>
|
||||||
<indexterm>
|
<indexterm>
|
||||||
|
|
|
@ -1831,10 +1831,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
|
||||||
SSL certificates and make sure that clients check the server's certificate.
|
SSL certificates and make sure that clients check the server's certificate.
|
||||||
To do that, the server
|
To do that, the server
|
||||||
must be configured to accept only <literal>hostssl</> connections (<xref
|
must be configured to accept only <literal>hostssl</> connections (<xref
|
||||||
linkend="auth-pg-hba-conf">) and have SSL
|
linkend="auth-pg-hba-conf">) and have SSL key and certificate files
|
||||||
<filename>server.key</filename> (key) and
|
(<xref linkend="ssl-tcp">). The TCP client must connect using
|
||||||
<filename>server.crt</filename> (certificate) files (<xref
|
|
||||||
linkend="ssl-tcp">). The TCP client must connect using
|
|
||||||
<literal>sslmode=verify-ca</> or
|
<literal>sslmode=verify-ca</> or
|
||||||
<literal>verify-full</> and have the appropriate root certificate
|
<literal>verify-full</> and have the appropriate root certificate
|
||||||
file installed (<xref linkend="libpq-connect">).
|
file installed (<xref linkend="libpq-connect">).
|
||||||
|
@ -2053,10 +2051,12 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
To start in <acronym>SSL</> mode, the files <filename>server.crt</>
|
To start in <acronym>SSL</> mode, files containing the server certificate
|
||||||
and <filename>server.key</> must exist in the server's data directory.
|
and private key must exist. By default, these files are expected to be
|
||||||
These files should contain the server certificate and private key,
|
named <filename>server.crt</> and <filename>server.key</>, respectively, in
|
||||||
respectively.
|
the server's data directory, but other names and locations can be specified
|
||||||
|
using the configuration parameters <xref linkend="guc-ssl-cert-file">
|
||||||
|
and <xref linkend="guc-ssl-key-file">.
|
||||||
On Unix systems, the permissions on <filename>server.key</filename> must
|
On Unix systems, the permissions on <filename>server.key</filename> must
|
||||||
disallow any access to world or group; achieve this by the command
|
disallow any access to world or group; achieve this by the command
|
||||||
<command>chmod 0600 server.key</command>.
|
<command>chmod 0600 server.key</command>.
|
||||||
|
@ -2083,7 +2083,9 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
|
||||||
To require the client to supply a trusted certificate, place
|
To require the client to supply a trusted certificate, place
|
||||||
certificates of the certificate authorities (<acronym>CA</acronym>s)
|
certificates of the certificate authorities (<acronym>CA</acronym>s)
|
||||||
you trust in the file <filename>root.crt</filename> in the data
|
you trust in the file <filename>root.crt</filename> in the data
|
||||||
directory, and set the <literal>clientcert</literal> parameter
|
directory, set the parameter <xref linkend="guc-ssl-ca-file"> in
|
||||||
|
<filename>postgresql.conf</filename> to <literal>root.crt</literal>,
|
||||||
|
and set the <literal>clientcert</literal> parameter
|
||||||
to 1 on the appropriate <literal>hostssl</> line(s) in
|
to 1 on the appropriate <literal>hostssl</> line(s) in
|
||||||
<filename>pg_hba.conf</>.
|
<filename>pg_hba.conf</>.
|
||||||
A certificate will then be requested from the client during
|
A certificate will then be requested from the client during
|
||||||
|
@ -2091,7 +2093,7 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
|
||||||
description of how to set up certificates on the client.) The server will
|
description of how to set up certificates on the client.) The server will
|
||||||
verify that the client's certificate is signed by one of the trusted
|
verify that the client's certificate is signed by one of the trusted
|
||||||
certificate authorities. Certificate Revocation List (CRL) entries
|
certificate authorities. Certificate Revocation List (CRL) entries
|
||||||
are also checked if the file <filename>root.crl</filename> exists.
|
are also checked if the parameter <xref linkend="guc-ssl-crl-file"> is set.
|
||||||
<!-- If this URL changes replace it with a URL to www.archive.org. -->
|
<!-- If this URL changes replace it with a URL to www.archive.org. -->
|
||||||
(See <ulink
|
(See <ulink
|
||||||
url="http://h71000.www7.hp.com/DOC/83final/BA554_90007/ch04s02.html"></>
|
url="http://h71000.www7.hp.com/DOC/83final/BA554_90007/ch04s02.html"></>
|
||||||
|
@ -2103,7 +2105,7 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
|
||||||
available for all authentication methods, but only for rows specified as
|
available for all authentication methods, but only for rows specified as
|
||||||
<literal>hostssl</>. When <literal>clientcert</literal> is not specified
|
<literal>hostssl</>. When <literal>clientcert</literal> is not specified
|
||||||
or is set to 0, the server will still verify presented client
|
or is set to 0, the server will still verify presented client
|
||||||
certificates against <filename>root.crt</filename> if that file exists
|
certificates against its CA list, if one is configured,
|
||||||
— but it will not insist that a client certificate be presented.
|
— but it will not insist that a client certificate be presented.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
|
@ -2127,7 +2129,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
<xref linkend="ssl-file-usage"> summarizes the files that are
|
<xref linkend="ssl-file-usage"> summarizes the files that are
|
||||||
relevant to the SSL setup on the server.
|
relevant to the SSL setup on the server. (The shown file names are default
|
||||||
|
or typical names. The locally configured names could be different.)
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<table id="ssl-file-usage">
|
<table id="ssl-file-usage">
|
||||||
|
@ -2144,27 +2147,27 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
|
||||||
<tbody>
|
<tbody>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry><filename>$PGDATA/server.crt</></entry>
|
<entry><xref linkend="guc-ssl-cert-file"> (<filename>$PGDATA/server.crt</>)</entry>
|
||||||
<entry>server certificate</entry>
|
<entry>server certificate</entry>
|
||||||
<entry>sent to client to indicate server's identity</entry>
|
<entry>sent to client to indicate server's identity</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry><filename>$PGDATA/server.key</></entry>
|
<entry><xref linkend="guc-ssl-key-file"> (<filename>$PGDATA/server.key</>)</entry>
|
||||||
<entry>server private key</entry>
|
<entry>server private key</entry>
|
||||||
<entry>proves server certificate was sent by the owner; does not indicate
|
<entry>proves server certificate was sent by the owner; does not indicate
|
||||||
certificate owner is trustworthy</entry>
|
certificate owner is trustworthy</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry><filename>$PGDATA/root.crt</></entry>
|
<entry><xref linkend="guc-ssl-ca-file"> (<filename>$PGDATA/root.crt</>)</entry>
|
||||||
<entry>trusted certificate authorities</entry>
|
<entry>trusted certificate authorities</entry>
|
||||||
<entry>checks that client certificate is
|
<entry>checks that client certificate is
|
||||||
signed by a trusted certificate authority</entry>
|
signed by a trusted certificate authority</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry><filename>$PGDATA/root.crl</></entry>
|
<entry><xref linkend="guc-ssl-crl-file"> (<filename>$PGDATA/root.crl</>)</entry>
|
||||||
<entry>certificates revoked by certificate authorities</entry>
|
<entry>certificates revoked by certificate authorities</entry>
|
||||||
<entry>client certificate must not be on this list</entry>
|
<entry>client certificate must not be on this list</entry>
|
||||||
</row>
|
</row>
|
||||||
|
@ -2176,6 +2179,7 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
|
||||||
<para>
|
<para>
|
||||||
The files <filename>server.key</>, <filename>server.crt</>,
|
The files <filename>server.key</>, <filename>server.crt</>,
|
||||||
<filename>root.crt</filename>, and <filename>root.crl</filename>
|
<filename>root.crt</filename>, and <filename>root.crl</filename>
|
||||||
|
(or their configured alternative names)
|
||||||
are only examined during server start; so you must restart
|
are only examined during server start; so you must restart
|
||||||
the server for changes in them to take effect.
|
the server for changes in them to take effect.
|
||||||
</para>
|
</para>
|
||||||
|
|
|
@ -77,10 +77,10 @@
|
||||||
|
|
||||||
#ifdef USE_SSL
|
#ifdef USE_SSL
|
||||||
|
|
||||||
#define ROOT_CERT_FILE "root.crt"
|
char *ssl_cert_file;
|
||||||
#define ROOT_CRL_FILE "root.crl"
|
char *ssl_key_file;
|
||||||
#define SERVER_CERT_FILE "server.crt"
|
char *ssl_ca_file;
|
||||||
#define SERVER_PRIVATE_KEY_FILE "server.key"
|
char *ssl_crl_file;
|
||||||
|
|
||||||
static DH *load_dh_file(int keylength);
|
static DH *load_dh_file(int keylength);
|
||||||
static DH *load_dh_buffer(const char *, size_t);
|
static DH *load_dh_buffer(const char *, size_t);
|
||||||
|
@ -746,17 +746,17 @@ initialize_SSL(void)
|
||||||
* Load and verify server's certificate and private key
|
* Load and verify server's certificate and private key
|
||||||
*/
|
*/
|
||||||
if (SSL_CTX_use_certificate_chain_file(SSL_context,
|
if (SSL_CTX_use_certificate_chain_file(SSL_context,
|
||||||
SERVER_CERT_FILE) != 1)
|
ssl_cert_file) != 1)
|
||||||
ereport(FATAL,
|
ereport(FATAL,
|
||||||
(errcode(ERRCODE_CONFIG_FILE_ERROR),
|
(errcode(ERRCODE_CONFIG_FILE_ERROR),
|
||||||
errmsg("could not load server certificate file \"%s\": %s",
|
errmsg("could not load server certificate file \"%s\": %s",
|
||||||
SERVER_CERT_FILE, SSLerrmessage())));
|
ssl_cert_file, SSLerrmessage())));
|
||||||
|
|
||||||
if (stat(SERVER_PRIVATE_KEY_FILE, &buf) != 0)
|
if (stat(ssl_key_file, &buf) != 0)
|
||||||
ereport(FATAL,
|
ereport(FATAL,
|
||||||
(errcode_for_file_access(),
|
(errcode_for_file_access(),
|
||||||
errmsg("could not access private key file \"%s\": %m",
|
errmsg("could not access private key file \"%s\": %m",
|
||||||
SERVER_PRIVATE_KEY_FILE)));
|
ssl_key_file)));
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Require no public access to key file.
|
* Require no public access to key file.
|
||||||
|
@ -771,16 +771,16 @@ initialize_SSL(void)
|
||||||
ereport(FATAL,
|
ereport(FATAL,
|
||||||
(errcode(ERRCODE_CONFIG_FILE_ERROR),
|
(errcode(ERRCODE_CONFIG_FILE_ERROR),
|
||||||
errmsg("private key file \"%s\" has group or world access",
|
errmsg("private key file \"%s\" has group or world access",
|
||||||
SERVER_PRIVATE_KEY_FILE),
|
ssl_key_file),
|
||||||
errdetail("Permissions should be u=rw (0600) or less.")));
|
errdetail("Permissions should be u=rw (0600) or less.")));
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (SSL_CTX_use_PrivateKey_file(SSL_context,
|
if (SSL_CTX_use_PrivateKey_file(SSL_context,
|
||||||
SERVER_PRIVATE_KEY_FILE,
|
ssl_key_file,
|
||||||
SSL_FILETYPE_PEM) != 1)
|
SSL_FILETYPE_PEM) != 1)
|
||||||
ereport(FATAL,
|
ereport(FATAL,
|
||||||
(errmsg("could not load private key file \"%s\": %s",
|
(errmsg("could not load private key file \"%s\": %s",
|
||||||
SERVER_PRIVATE_KEY_FILE, SSLerrmessage())));
|
ssl_key_file, SSLerrmessage())));
|
||||||
|
|
||||||
if (SSL_CTX_check_private_key(SSL_context) != 1)
|
if (SSL_CTX_check_private_key(SSL_context) != 1)
|
||||||
ereport(FATAL,
|
ereport(FATAL,
|
||||||
|
@ -797,48 +797,30 @@ initialize_SSL(void)
|
||||||
elog(FATAL, "could not set the cipher list (no valid ciphers available)");
|
elog(FATAL, "could not set the cipher list (no valid ciphers available)");
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Attempt to load CA store, so we can verify client certificates if
|
* Load CA store, so we can verify client certificates if needed.
|
||||||
* needed.
|
|
||||||
*/
|
*/
|
||||||
ssl_loaded_verify_locations = false;
|
if (ssl_ca_file[0])
|
||||||
|
|
||||||
if (access(ROOT_CERT_FILE, R_OK) != 0)
|
|
||||||
{
|
{
|
||||||
/*
|
if (SSL_CTX_load_verify_locations(SSL_context, ssl_ca_file, NULL) != 1 ||
|
||||||
* If root certificate file simply not found, don't log an error here,
|
(root_cert_list = SSL_load_client_CA_file(ssl_ca_file)) == NULL)
|
||||||
* because it's quite likely the user isn't planning on using client
|
|
||||||
* certificates. If we can't access it for other reasons, it is an
|
|
||||||
* error.
|
|
||||||
*/
|
|
||||||
if (errno != ENOENT)
|
|
||||||
ereport(FATAL,
|
|
||||||
(errmsg("could not access root certificate file \"%s\": %m",
|
|
||||||
ROOT_CERT_FILE)));
|
|
||||||
}
|
|
||||||
else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1 ||
|
|
||||||
(root_cert_list = SSL_load_client_CA_file(ROOT_CERT_FILE)) == NULL)
|
|
||||||
{
|
|
||||||
/*
|
|
||||||
* File was there, but we could not load it. This means the file is
|
|
||||||
* somehow broken, and we cannot do verification at all - so fail.
|
|
||||||
*/
|
|
||||||
ereport(FATAL,
|
ereport(FATAL,
|
||||||
(errmsg("could not load root certificate file \"%s\": %s",
|
(errmsg("could not load root certificate file \"%s\": %s",
|
||||||
ROOT_CERT_FILE, SSLerrmessage())));
|
ssl_ca_file, SSLerrmessage())));
|
||||||
}
|
}
|
||||||
else
|
|
||||||
{
|
|
||||||
/*----------
|
/*----------
|
||||||
* Load the Certificate Revocation List (CRL) if file exists.
|
* Load the Certificate Revocation List (CRL).
|
||||||
* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
|
* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
|
||||||
*----------
|
*----------
|
||||||
*/
|
*/
|
||||||
|
if (ssl_crl_file[0])
|
||||||
|
{
|
||||||
X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
|
X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
|
||||||
|
|
||||||
if (cvstore)
|
if (cvstore)
|
||||||
{
|
{
|
||||||
/* Set the flags to check against the complete CRL chain */
|
/* Set the flags to check against the complete CRL chain */
|
||||||
if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) == 1)
|
if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1)
|
||||||
{
|
{
|
||||||
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
|
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
|
||||||
#ifdef X509_V_FLAG_CRL_CHECK
|
#ifdef X509_V_FLAG_CRL_CHECK
|
||||||
|
@ -847,19 +829,19 @@ initialize_SSL(void)
|
||||||
#else
|
#else
|
||||||
ereport(LOG,
|
ereport(LOG,
|
||||||
(errmsg("SSL certificate revocation list file \"%s\" ignored",
|
(errmsg("SSL certificate revocation list file \"%s\" ignored",
|
||||||
ROOT_CRL_FILE),
|
ssl_crl_file),
|
||||||
errdetail("SSL library does not support certificate revocation lists.")));
|
errdetail("SSL library does not support certificate revocation lists.")));
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
ereport(FATAL,
|
||||||
/* Not fatal - we do not require CRL */
|
(errmsg("could not load SSL certificate revocation list file \"%s\": %s",
|
||||||
ereport(LOG,
|
ssl_crl_file, SSLerrmessage())));
|
||||||
(errmsg("SSL certificate revocation list file \"%s\" not found, skipping: %s",
|
}
|
||||||
ROOT_CRL_FILE, SSLerrmessage()),
|
|
||||||
errdetail("Certificates will not be checked against revocation list.")));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (ssl_ca_file[0])
|
||||||
|
{
|
||||||
/*
|
/*
|
||||||
* Always ask for SSL client cert, but don't fail if it's not
|
* Always ask for SSL client cert, but don't fail if it's not
|
||||||
* presented. We might fail such connections later, depending on
|
* presented. We might fail such connections later, depending on
|
||||||
|
@ -872,7 +854,6 @@ initialize_SSL(void)
|
||||||
|
|
||||||
/* Set flag to remember CA store is successfully loaded */
|
/* Set flag to remember CA store is successfully loaded */
|
||||||
ssl_loaded_verify_locations = true;
|
ssl_loaded_verify_locations = true;
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Tell OpenSSL to send the list of root certs we trust to clients in
|
* Tell OpenSSL to send the list of root certs we trust to clients in
|
||||||
|
|
|
@ -1417,7 +1417,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
|
||||||
ereport(LOG,
|
ereport(LOG,
|
||||||
(errcode(ERRCODE_CONFIG_FILE_ERROR),
|
(errcode(ERRCODE_CONFIG_FILE_ERROR),
|
||||||
errmsg("client certificates can only be checked if a root certificate store is available"),
|
errmsg("client certificates can only be checked if a root certificate store is available"),
|
||||||
errhint("Make sure the root.crt file is present and readable."),
|
errhint("Make sure the configuration parameter \"ssl_ca_file\" is set."),
|
||||||
errcontext("line %d of configuration file \"%s\"",
|
errcontext("line %d of configuration file \"%s\"",
|
||||||
line_num, HbaFileName)));
|
line_num, HbaFileName)));
|
||||||
return false;
|
return false;
|
||||||
|
|
|
@ -39,6 +39,7 @@
|
||||||
#include "funcapi.h"
|
#include "funcapi.h"
|
||||||
#include "libpq/auth.h"
|
#include "libpq/auth.h"
|
||||||
#include "libpq/be-fsstubs.h"
|
#include "libpq/be-fsstubs.h"
|
||||||
|
#include "libpq/libpq.h"
|
||||||
#include "libpq/pqformat.h"
|
#include "libpq/pqformat.h"
|
||||||
#include "miscadmin.h"
|
#include "miscadmin.h"
|
||||||
#include "optimizer/cost.h"
|
#include "optimizer/cost.h"
|
||||||
|
@ -2960,6 +2961,46 @@ static struct config_string ConfigureNamesString[] =
|
||||||
check_canonical_path, NULL, NULL
|
check_canonical_path, NULL, NULL
|
||||||
},
|
},
|
||||||
|
|
||||||
|
{
|
||||||
|
{"ssl_cert_file", PGC_POSTMASTER, CONN_AUTH_SECURITY,
|
||||||
|
gettext_noop("Location of the SSL server certificate file."),
|
||||||
|
NULL
|
||||||
|
},
|
||||||
|
&ssl_cert_file,
|
||||||
|
"server.crt",
|
||||||
|
NULL, NULL, NULL
|
||||||
|
},
|
||||||
|
|
||||||
|
{
|
||||||
|
{"ssl_key_file", PGC_POSTMASTER, CONN_AUTH_SECURITY,
|
||||||
|
gettext_noop("Location of the SSL server private key file."),
|
||||||
|
NULL
|
||||||
|
},
|
||||||
|
&ssl_key_file,
|
||||||
|
"server.key",
|
||||||
|
NULL, NULL, NULL
|
||||||
|
},
|
||||||
|
|
||||||
|
{
|
||||||
|
{"ssl_ca_file", PGC_POSTMASTER, CONN_AUTH_SECURITY,
|
||||||
|
gettext_noop("Location of the SSL certificate authority file."),
|
||||||
|
NULL
|
||||||
|
},
|
||||||
|
&ssl_ca_file,
|
||||||
|
"",
|
||||||
|
NULL, NULL, NULL
|
||||||
|
},
|
||||||
|
|
||||||
|
{
|
||||||
|
{"ssl_crl_file", PGC_POSTMASTER, CONN_AUTH_SECURITY,
|
||||||
|
gettext_noop("Location of the SSL certificate revocation list file."),
|
||||||
|
NULL
|
||||||
|
},
|
||||||
|
&ssl_crl_file,
|
||||||
|
"",
|
||||||
|
NULL, NULL, NULL
|
||||||
|
},
|
||||||
|
|
||||||
{
|
{
|
||||||
{"stats_temp_directory", PGC_SIGHUP, STATS_COLLECTOR,
|
{"stats_temp_directory", PGC_SIGHUP, STATS_COLLECTOR,
|
||||||
gettext_noop("Writes temporary statistics files to the specified directory."),
|
gettext_noop("Writes temporary statistics files to the specified directory."),
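Review bot: The four new ssl_*_file entries pass `NULL, NULL, NULL` for the check/assign/show hooks, whereas the entry ending just above them uses `check_canonical_path`; since these values are file paths interpreted relative to the data directory, it seems worth wiring `check_canonical_path, NULL, NULL` into each of the four entries so path normalization matches the other path-valued GUCs in this array, unless these paths are deliberately left untouched for some reason not visible here. The enclosing ConfigureNamesString array begins and ends outside the hunk.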
|
||||||
|
|
|
@ -81,6 +81,10 @@
|
||||||
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
|
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
|
||||||
# (change requires restart)
|
# (change requires restart)
|
||||||
#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
|
#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
|
||||||
|
#ssl_cert_file = 'server.crt' # (change requires restart)
|
||||||
|
#ssl_key_file = 'server.key' # (change requires restart)
|
||||||
|
#ssl_ca_file = '' # (change requires restart)
|
||||||
|
#ssl_crl_file = '' # (change requires restart)
|
||||||
#password_encryption = on
|
#password_encryption = on
|
||||||
#db_user_namespace = off
|
#db_user_namespace = off
|
||||||
|
|
||||||
|
|
|
@ -70,6 +70,11 @@ extern void pq_endcopyout(bool errorAbort);
|
||||||
/*
|
/*
|
||||||
* prototypes for functions in be-secure.c
|
* prototypes for functions in be-secure.c
|
||||||
*/
|
*/
|
||||||
|
extern char *ssl_cert_file;
|
||||||
|
extern char *ssl_key_file;
|
||||||
|
extern char *ssl_ca_file;
|
||||||
|
extern char *ssl_crl_file;
|
||||||
|
|
||||||
extern int secure_initialize(void);
|
extern int secure_initialize(void);
|
||||||
extern bool secure_loaded_verify_locations(void);
|
extern bool secure_loaded_verify_locations(void);
|
||||||
extern void secure_destroy(void);
|
extern void secure_destroy(void);
|
||||||
|
|