83 lines
2.2 KiB
Plaintext
83 lines
2.2 KiB
Plaintext
src/backend/libpq/README.SSL
|
|
|
|
SSL
|
|
===
|
|
|
|
>From the servers perspective:
|
|
|
|
|
|
Receives StartupPacket
|
|
|
|
|
|
|
|
(Is SSL_NEGOTIATE_CODE?) ----------- Normal startup
|
|
| No
|
|
|
|
|
| Yes
|
|
|
|
|
|
|
|
(Server compiled with USE_SSL?) ------- Send 'N'
|
|
| No |
|
|
| |
|
|
| Yes Normal startup
|
|
|
|
|
|
|
|
Send 'S'
|
|
|
|
|
|
|
|
Establish SSL
|
|
|
|
|
|
|
|
Normal startup
|
|
|
|
|
|
|
|
|
|
|
|
>From the clients perspective (v6.6 client _with_ SSL):
|
|
|
|
|
|
Connect
|
|
|
|
|
|
|
|
Send packet with SSL_NEGOTIATE_CODE
|
|
|
|
|
|
|
|
Receive single char ------- 'S' -------- Establish SSL
|
|
| |
|
|
| '<else>' |
|
|
| Normal startup
|
|
|
|
|
|
|
|
Is it 'E' for error ------------------- Retry connection
|
|
| Yes without SSL
|
|
| No
|
|
|
|
|
Is it 'N' for normal ------------------- Normal startup
|
|
| Yes
|
|
|
|
|
Fail with unknown
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
Ephemeral DH
|
|
============
|
|
|
|
Since the server static private key ($DataDir/server.key) will
|
|
normally be stored unencrypted so that the database backend can
|
|
restart automatically, it is important that we select an algorithm
|
|
that continues to provide confidentiality even if the attacker has the
|
|
server's private key. Ephemeral DH (EDH) keys provide this and more
|
|
(Perfect Forward Secrecy aka PFS).
|
|
|
|
N.B., the static private key should still be protected to the largest
|
|
extent possible, to minimize the risk of impersonations.
|
|
|
|
Another benefit of EDH is that it allows the backend and clients to
|
|
use DSA keys. DSA keys can only provide digital signatures, not
|
|
encryption, and are often acceptable in jurisdictions where RSA keys
|
|
are unacceptable.
|
|
|
|
The downside to EDH is that it makes it impossible to use ssldump(1)
|
|
if there's a problem establishing an SSL session. In this case you'll
|
|
need to temporarily disable EDH (see initialize_dh()).
|