mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-09-16 01:40:33 +02:00
53e99f57fc
Fix lots of bad markup, bad English, bad explanations. This commit covers only about half the contrib modules, but I grow weary...
188 lines
5.2 KiB
Plaintext
188 lines
5.2 KiB
Plaintext
<!-- $PostgreSQL: pgsql/doc/src/sgml/sslinfo.sgml,v 1.3 2007/12/06 04:12:10 tgl Exp $ -->
|
|
|
|
<sect1 id="sslinfo">
|
|
<title>sslinfo</title>
|
|
|
|
<indexterm zone="sslinfo">
|
|
<primary>sslinfo</primary>
|
|
</indexterm>
|
|
|
|
<para>
|
|
The <filename>sslinfo</> module provides information about the SSL
|
|
certificate that the current client provided when connecting to
|
|
<productname>PostgreSQL</>. The module is useless (most functions
|
|
will return NULL) if the current connection does not use SSL.
|
|
</para>
|
|
|
|
<para>
|
|
This extension won't build at all unless the installation was
|
|
configured with <literal>--with-openssl</>.
|
|
</para>
|
|
|
|
<sect2>
|
|
<title>Functions Provided</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><function>
|
|
ssl_is_used() returns boolean
|
|
</function></term>
|
|
<listitem>
|
|
<para>
|
|
Returns TRUE if current connection to server uses SSL, and FALSE
|
|
otherwise.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><function>
|
|
ssl_client_cert_present() returns boolean
|
|
</function></term>
|
|
<listitem>
|
|
<para>
|
|
Returns TRUE if current client has presented a valid SSL client
|
|
certificate to the server, and FALSE otherwise. (The server
|
|
might or might not be configured to require a client certificate.)
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><function>
|
|
ssl_client_serial() returns numeric
|
|
</function></term>
|
|
<listitem>
|
|
<para>
|
|
Returns serial number of current client certificate. The combination of
|
|
certificate serial number and certificate issuer is guaranteed to
|
|
uniquely identify a certificate (but not its owner — the owner
|
|
ought to regularly change his keys, and get new certificates from the
|
|
issuer).
|
|
</para>
|
|
|
|
<para>
|
|
So, if you run your own CA and allow only certificates from this CA to
|
|
be accepted by the server, the serial number is the most reliable (albeit
|
|
not very mnemonic) means to identify a user.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><function>
|
|
ssl_client_dn() returns text
|
|
</function></term>
|
|
<listitem>
|
|
<para>
|
|
Returns the full subject of the current client certificate, converting
|
|
character data into the current database encoding. It is assumed that
|
|
if you use non-ASCII characters in the certificate names, your
|
|
database is able to represent these characters, too. If your database
|
|
uses the SQL_ASCII encoding, non-ASCII characters in the name will be
|
|
represented as UTF-8 sequences.
|
|
</para>
|
|
|
|
<para>
|
|
The result looks like <literal>/CN=Somebody /C=Some country/O=Some organization</>.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><function>
|
|
ssl_issuer_dn() returns text
|
|
</function></term>
|
|
<listitem>
|
|
<para>
|
|
Returns the full issuer name of the current client certificate, converting
|
|
character data into the current database encoding. Encoding conversions
|
|
are handled the same as for <function>ssl_client_dn</>.
|
|
</para>
|
|
<para>
|
|
The combination of the return value of this function with the
|
|
certificate serial number uniquely identifies the certificate.
|
|
</para>
|
|
<para>
|
|
This function is really useful only if you have more than one trusted CA
|
|
certificate in your server's <filename>root.crt</> file, or if this CA
|
|
has issued some intermediate certificate authority certificates.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><function>
|
|
ssl_client_dn_field(fieldname text) returns text
|
|
</function></term>
|
|
<listitem>
|
|
<para>
|
|
This function returns the value of the specified field in the
|
|
certificate subject, or NULL if the field is not present.
|
|
Field names are string constants that are
|
|
converted into ASN1 object identifiers using the OpenSSL object
|
|
database. The following values are acceptable:
|
|
</para>
|
|
<programlisting>
|
|
commonName (alias CN)
|
|
surname (alias SN)
|
|
name
|
|
givenName (alias GN)
|
|
countryName (alias C)
|
|
localityName (alias L)
|
|
stateOrProvinceName (alias ST)
|
|
organizationName (alias O)
|
|
organizationUnitName (alias OU)
|
|
title
|
|
description
|
|
initials
|
|
postalCode
|
|
streetAddress
|
|
generationQualifier
|
|
description
|
|
dnQualifier
|
|
x500UniqueIdentifier
|
|
pseudonym
|
|
role
|
|
emailAddress
|
|
</programlisting>
|
|
<para>
|
|
All of these fields are optional, except <structfield>commonName</>.
|
|
It depends
|
|
entirely on your CA's policy which of them would be included and which
|
|
wouldn't. The meaning of these fields, however, is strictly defined by
|
|
the X.500 and X.509 standards, so you cannot just assign arbitrary
|
|
meaning to them.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><function>
|
|
ssl_issuer_field(fieldname text) returns text
|
|
</function></term>
|
|
<listitem>
|
|
<para>
|
|
Same as <function>ssl_client_dn_field</>, but for the certificate issuer
|
|
rather than the certificate subject.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Author</title>
|
|
|
|
<para>
|
|
Victor Wagner <email>vitus@cryptocom.ru</email>, Cryptocom LTD
|
|
</para>
|
|
|
|
<para>
|
|
E-Mail of Cryptocom OpenSSL development group:
|
|
<email>openssl@cryptocom.ru</email>
|
|
</para>
|
|
</sect2>
|
|
|
|
</sect1>
|