mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-09-30 01:51:30 +02:00
8d9978a717
Quotes are applied to GUCs in a very inconsistent way across the code base, with a mix of double quotes or no quotes used. This commit removes double quotes around all the GUC names that are obviously referred to as parameters with non-English words (use of underscore, mixed case, etc). This is the result of a discussion with Álvaro Herrera, Nathan Bossart, Laurenz Albe, Peter Eisentraut, Tom Lane and Daniel Gustafsson. Author: Peter Smith Discussion: https://postgr.es/m/CAHut+Pv-kSN8SkxSdoHano_wPubqcg5789ejhCDZAcLFceBR-w@mail.gmail.com |
||
---|---|---|
.. | ||
auth-sasl.c | ||
auth-scram.c | ||
auth.c | ||
be-fsstubs.c | ||
be-gssapi-common.c | ||
be-secure-common.c | ||
be-secure-gssapi.c | ||
be-secure-openssl.c | ||
be-secure.c | ||
crypt.c | ||
hba.c | ||
ifaddr.c | ||
Makefile | ||
meson.build | ||
pg_hba.conf.sample | ||
pg_ident.conf.sample | ||
pqcomm.c | ||
pqformat.c | ||
pqmq.c | ||
pqsignal.c | ||
README.SSL |
src/backend/libpq/README.SSL SSL === >From the servers perspective: Receives StartupPacket | | (Is SSL_NEGOTIATE_CODE?) ----------- Normal startup | No | | Yes | | (Server compiled with USE_SSL?) ------- Send 'N' | No | | | | Yes Normal startup | | Send 'S' | | Establish SSL | | Normal startup >From the clients perspective (v6.6 client _with_ SSL): Connect | | Send packet with SSL_NEGOTIATE_CODE | | Receive single char ------- 'S' -------- Establish SSL | | | '<else>' | | Normal startup | | Is it 'E' for error ------------------- Retry connection | Yes without SSL | No | Is it 'N' for normal ------------------- Normal startup | Yes | Fail with unknown --------------------------------------------------------------------------- Ephemeral DH ============ Since the server static private key ($DataDir/server.key) will normally be stored unencrypted so that the database backend can restart automatically, it is important that we select an algorithm that continues to provide confidentiality even if the attacker has the server's private key. Ephemeral DH (EDH) keys provide this and more (Perfect Forward Secrecy aka PFS). N.B., the static private key should still be protected to the largest extent possible, to minimize the risk of impersonations. Another benefit of EDH is that it allows the backend and clients to use DSA keys. DSA keys can only provide digital signatures, not encryption, and are often acceptable in jurisdictions where RSA keys are unacceptable. The downside to EDH is that it makes it impossible to use ssldump(1) if there's a problem establishing an SSL session. In this case you'll need to temporarily disable EDH (see initialize_dh()).