<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>19.3. Connections and Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="runtime-config-file-locations.html" title="19.2. File Locations" /><link rel="next" href="runtime-config-resource.html" title="19.4. Resource Consumption" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">19.3. Connections and Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="runtime-config-file-locations.html" title="19.2. File Locations">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="runtime-config.html" title="Chapter 19. Server Configuration">Up</a></td><th width="60%" align="center">Chapter 19. Server Configuration</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 11.5 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="runtime-config-resource.html" title="19.4. Resource Consumption">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="RUNTIME-CONFIG-CONNECTION"><div class="titlepage"><div><div><h2 class="title" style="clear: both">19.3. Connections and Authentication</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SETTINGS">19.3.1. Connection Settings</a></span></dt><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-AUTHENTICATION">19.3.2. Authentication</a></span></dt><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SSL">19.3.3. SSL</a></span></dt></dl></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-SETTINGS"><div class="titlepage"><div><div><h3 class="title">19.3.1. Connection Settings</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt id="GUC-LISTEN-ADDRESSES"><span class="term"><code class="varname">listen_addresses</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.2.2.1.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the TCP/IP address(es) on which the server is
to listen for connections from client applications.
The value takes the form of a comma-separated list of host names
and/or numeric IP addresses. The special entry <code class="literal">*</code>
corresponds to all available IP interfaces. The entry
<code class="literal">0.0.0.0</code> allows listening for all IPv4 addresses and
<code class="literal">::</code> allows listening for all IPv6 addresses.
If the list is empty, the server does not listen on any IP interface
at all, in which case only Unix-domain sockets can be used to connect
to it.
The default value is <span class="systemitem">localhost</span>,
which allows only local TCP/IP <span class="quote">“<span class="quote">loopback</span>”</span> connections to be
made. While client authentication (<a class="xref" href="client-authentication.html" title="Chapter 20. Client Authentication">Chapter 20</a>) allows fine-grained control
over who can access the server, <code class="varname">listen_addresses</code>
controls which interfaces accept connection attempts, which
can help prevent repeated malicious connection requests on
insecure network interfaces. This parameter can only be set
at server start.
</p></dd><dt id="GUC-PORT"><span class="term"><code class="varname">port</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.2.1.3" class="indexterm"></a>
</span></dt><dd><p>
The TCP port the server listens on; 5432 by default. Note that the
same port number is used for all IP addresses the server listens on.
This parameter can only be set at server start.
</p></dd><dt id="GUC-MAX-CONNECTIONS"><span class="term"><code class="varname">max_connections</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.3.1.3" class="indexterm"></a>
</span></dt><dd><p>
Determines the maximum number of concurrent connections to the
database server. The default is typically 100 connections, but
might be less if your kernel settings will not support it (as
determined during <span class="application">initdb</span>). This parameter can
only be set at server start.
</p><p>
When running a standby server, you must set this parameter to the
same or higher value than on the master server. Otherwise, queries
will not be allowed in the standby server.
</p></dd><dt id="GUC-SUPERUSER-RESERVED-CONNECTIONS"><span class="term"><code class="varname">superuser_reserved_connections</code>
(<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.4.1.3" class="indexterm"></a>
</span></dt><dd><p>
Determines the number of connection <span class="quote">“<span class="quote">slots</span>”</span> that
are reserved for connections by <span class="productname">PostgreSQL</span>
superusers. At most <a class="xref" href="runtime-config-connection.html#GUC-MAX-CONNECTIONS">max_connections</a>
connections can ever be active simultaneously. Whenever the
number of active concurrent connections is at least
<code class="varname">max_connections</code> minus
<code class="varname">superuser_reserved_connections</code>, new
connections will be accepted only for superusers, and no
new replication connections will be accepted.
</p><p>
The default value is three connections. The value must be less
than <code class="varname">max_connections</code> minus
<a class="xref" href="runtime-config-replication.html#GUC-MAX-WAL-SENDERS">max_wal_senders</a>.
This parameter can only be set at server start.
</p></dd><dt id="GUC-UNIX-SOCKET-DIRECTORIES"><span class="term"><code class="varname">unix_socket_directories</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.2.2.5.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the directory of the Unix-domain socket(s) on which the
server is to listen for connections from client applications.
Multiple sockets can be created by listing multiple directories
separated by commas. Whitespace between entries is
ignored; surround a directory name with double quotes if you need
to include whitespace or commas in the name.
An empty value
specifies not listening on any Unix-domain sockets, in which case
only TCP/IP sockets can be used to connect to the server.
The default value is normally
<code class="filename">/tmp</code>, but that can be changed at build time.
This parameter can only be set at server start.
</p><p>
In addition to the socket file itself, which is named
<code class="literal">.s.PGSQL.<em class="replaceable"><code>nnnn</code></em></code> where
<em class="replaceable"><code>nnnn</code></em> is the server's port number, an ordinary file
named <code class="literal">.s.PGSQL.<em class="replaceable"><code>nnnn</code></em>.lock</code> will be
created in each of the <code class="varname">unix_socket_directories</code> directories.
Neither file should ever be removed manually.
</p><p>
This parameter is irrelevant on Windows, which does not have
Unix-domain sockets.
</p></dd><dt id="GUC-UNIX-SOCKET-GROUP"><span class="term"><code class="varname">unix_socket_group</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.2.2.6.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets the owning group of the Unix-domain socket(s). (The owning
user of the sockets is always the user that starts the
server.) In combination with the parameter
<code class="varname">unix_socket_permissions</code> this can be used as
an additional access control mechanism for Unix-domain connections.
By default this is the empty string, which uses the default
group of the server user. This parameter can only be set at
server start.
</p><p>
This parameter is irrelevant on Windows, which does not have
Unix-domain sockets.
</p></dd><dt id="GUC-UNIX-SOCKET-PERMISSIONS"><span class="term"><code class="varname">unix_socket_permissions</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.7.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets the access permissions of the Unix-domain socket(s). Unix-domain
sockets use the usual Unix file system permission set.
The parameter value is expected to be a numeric mode
specified in the format accepted by the
<code class="function">chmod</code> and <code class="function">umask</code>
system calls. (To use the customary octal format the number
must start with a <code class="literal">0</code> (zero).)
</p><p>
The default permissions are <code class="literal">0777</code>, meaning
anyone can connect. Reasonable alternatives are
<code class="literal">0770</code> (only user and group, see also
<code class="varname">unix_socket_group</code>) and <code class="literal">0700</code>
(only user). (Note that for a Unix-domain socket, only write
permission matters, so there is no point in setting or revoking
read or execute permissions.)
</p><p>
This access control mechanism is independent of the one
described in <a class="xref" href="client-authentication.html" title="Chapter 20. Client Authentication">Chapter 20</a>.
</p><p>
This parameter can only be set at server start.
</p><p>
This parameter is irrelevant on systems, notably Solaris as of Solaris
10, that ignore socket permissions entirely. There, one can achieve a
similar effect by pointing <code class="varname">unix_socket_directories</code> to a
directory having search permission limited to the desired audience.
This parameter is also irrelevant on Windows, which does not have
Unix-domain sockets.
</p></dd><dt id="GUC-BONJOUR"><span class="term"><code class="varname">bonjour</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.2.2.8.1.3" class="indexterm"></a>
</span></dt><dd><p>
Enables advertising the server's existence via
<span class="productname">Bonjour</span>. The default is off.
This parameter can only be set at server start.
</p></dd><dt id="GUC-BONJOUR-NAME"><span class="term"><code class="varname">bonjour_name</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.2.2.9.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the <span class="productname">Bonjour</span> service
name. The computer name is used if this parameter is set to the
empty string <code class="literal">''</code> (which is the default). This parameter is
ignored if the server was not compiled with
<span class="productname">Bonjour</span> support.
This parameter can only be set at server start.
</p></dd><dt id="GUC-TCP-KEEPALIVES-IDLE"><span class="term"><code class="varname">tcp_keepalives_idle</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.10.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the number of seconds of inactivity after which TCP
should send a keepalive message to the client. A value of 0 uses
the system default.
This parameter is supported only on systems that support
<code class="symbol">TCP_KEEPIDLE</code> or an equivalent socket option, and on
Windows; on other systems, it must be zero.
In sessions connected via a Unix-domain socket, this parameter is
ignored and always reads as zero.
</p><div class="note"><h3 class="title">Note</h3><p>
On Windows, a value of 0 will set this parameter to 2 hours,
since Windows does not provide a way to read the system default value.
</p></div></dd><dt id="GUC-TCP-KEEPALIVES-INTERVAL"><span class="term"><code class="varname">tcp_keepalives_interval</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.11.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the number of seconds after which a TCP keepalive message
that is not acknowledged by the client should be retransmitted.
A value of 0 uses the system default.
This parameter is supported only on systems that support
<code class="symbol">TCP_KEEPINTVL</code> or an equivalent socket option, and on
Windows; on other systems, it must be zero.
In sessions connected via a Unix-domain socket, this parameter is
ignored and always reads as zero.
</p><div class="note"><h3 class="title">Note</h3><p>
On Windows, a value of 0 will set this parameter to 1 second,
since Windows does not provide a way to read the system default value.
</p></div></dd><dt id="GUC-TCP-KEEPALIVES-COUNT"><span class="term"><code class="varname">tcp_keepalives_count</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.12.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the number of TCP keepalives that can be lost before
the server's connection to the client is considered dead.
A value of 0 uses the system default.
This parameter is supported only on systems that support
<code class="symbol">TCP_KEEPCNT</code> or an equivalent socket option;
on other systems, it must be zero.
In sessions connected via a Unix-domain socket, this parameter is
ignored and always reads as zero.
</p><div class="note"><h3 class="title">Note</h3><p>
This parameter is not supported on Windows, and must be zero.
</p></div></dd></dl></div></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-AUTHENTICATION"><div class="titlepage"><div><div><h3 class="title">19.3.2. Authentication</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt id="GUC-AUTHENTICATION-TIMEOUT"><span class="term"><code class="varname">authentication_timeout</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.3.2.1.1.3" class="indexterm"></a>
<a id="id-1.6.6.6.3.2.1.1.4" class="indexterm"></a>
<a id="id-1.6.6.6.3.2.1.1.5" class="indexterm"></a>
</span></dt><dd><p>
Maximum time to complete client authentication, in seconds. If a
would-be client has not completed the authentication protocol in
this much time, the server closes the connection. This prevents
hung clients from occupying a connection indefinitely.
The default is one minute (<code class="literal">1m</code>).
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
</p></dd><dt id="GUC-PASSWORD-ENCRYPTION"><span class="term"><code class="varname">password_encryption</code> (<code class="type">enum</code>)
<a id="id-1.6.6.6.3.2.2.1.3" class="indexterm"></a>
</span></dt><dd><p>
When a password is specified in <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a> or
<a class="xref" href="sql-alterrole.html" title="ALTER ROLE"><span class="refentrytitle">ALTER ROLE</span></a>, this parameter determines the algorithm
to use to encrypt the password. The default value is <code class="literal">md5</code>,
which stores the password as an MD5 hash (<code class="literal">on</code> is also
accepted, as alias for <code class="literal">md5</code>). Setting this parameter to
<code class="literal">scram-sha-256</code> will encrypt the password with SCRAM-SHA-256.
</p><p>
Note that older clients might lack support for the SCRAM authentication
mechanism, and hence not work with passwords encrypted with
SCRAM-SHA-256. See <a class="xref" href="auth-password.html" title="20.5. Password Authentication">Section 20.5</a> for more details.
</p></dd><dt id="GUC-KRB-SERVER-KEYFILE"><span class="term"><code class="varname">krb_server_keyfile</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.3.2.3.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets the location of the Kerberos server key file. See
<a class="xref" href="gssapi-auth.html" title="20.6. GSSAPI Authentication">Section 20.6</a>
for details. This parameter can only be set in the
<code class="filename">postgresql.conf</code> file or on the server command line.
</p></dd><dt id="GUC-KRB-CASEINS-USERS"><span class="term"><code class="varname">krb_caseins_users</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.3.2.4.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets whether GSSAPI user names should be treated
case-insensitively.
The default is <code class="literal">off</code> (case sensitive). This parameter can only be
set in the <code class="filename">postgresql.conf</code> file or on the server command line.
</p></dd><dt id="GUC-DB-USER-NAMESPACE"><span class="term"><code class="varname">db_user_namespace</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.3.2.5.1.3" class="indexterm"></a>
</span></dt><dd><p>
This parameter enables per-database user names. It is off by default.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
</p><p>
If this is on, you should create users as <em class="replaceable"><code>username@dbname</code></em>.
When <em class="replaceable"><code>username</code></em> is passed by a connecting client,
<code class="literal">@</code> and the database name are appended to the user
name and that database-specific user name is looked up by the
server. Note that when you create users with names containing
<code class="literal">@</code> within the SQL environment, you will need to
quote the user name.
</p><p>
With this parameter enabled, you can still create ordinary global
users. Simply append <code class="literal">@</code> when specifying the user
name in the client, e.g. <code class="literal">joe@</code>. The <code class="literal">@</code>
will be stripped off before the user name is looked up by the
server.
</p><p>
<code class="varname">db_user_namespace</code> causes the client's and
server's user name representation to differ.
Authentication checks are always done with the server's user name
so authentication methods must be configured for the
server's user name, not the client's. Because
<code class="literal">md5</code> uses the user name as salt on both the
client and server, <code class="literal">md5</code> cannot be used with
<code class="varname">db_user_namespace</code>.
</p><div class="note"><h3 class="title">Note</h3><p>
This feature is intended as a temporary measure until a
complete solution is found. At that time, this option will
be removed.
</p></div></dd></dl></div></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-SSL"><div class="titlepage"><div><div><h3 class="title">19.3.3. SSL</h3></div></div></div><p>
See <a class="xref" href="ssl-tcp.html" title="18.9. Secure TCP/IP Connections with SSL">Section 18.9</a> for more information about setting up SSL.
</p><div class="variablelist"><dl class="variablelist"><dt id="GUC-SSL"><span class="term"><code class="varname">ssl</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.4.3.1.1.3" class="indexterm"></a>
</span></dt><dd><p>
Enables <acronym class="acronym">SSL</acronym> connections.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is <code class="literal">off</code>.
</p></dd><dt id="GUC-SSL-CA-FILE"><span class="term"><code class="varname">ssl_ca_file</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.2.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the file containing the SSL server certificate
authority (CA).
Relative paths are relative to the data directory.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is empty, meaning no CA file is loaded,
and client certificate verification is not performed.
</p></dd><dt id="GUC-SSL-CERT-FILE"><span class="term"><code class="varname">ssl_cert_file</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.3.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the file containing the SSL server certificate.
Relative paths are relative to the data directory.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is <code class="filename">server.crt</code>.
</p></dd><dt id="GUC-SSL-CRL-FILE"><span class="term"><code class="varname">ssl_crl_file</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.4.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the file containing the SSL server certificate
revocation list (CRL).
Relative paths are relative to the data directory.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is empty, meaning no CRL file is loaded.
</p></dd><dt id="GUC-SSL-KEY-FILE"><span class="term"><code class="varname">ssl_key_file</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.5.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the file containing the SSL server private key.
Relative paths are relative to the data directory.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is <code class="filename">server.key</code>.
</p></dd><dt id="GUC-SSL-CIPHERS"><span class="term"><code class="varname">ssl_ciphers</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.6.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies a list of <acronym class="acronym">SSL</acronym> cipher suites that are allowed to be
used on secure connections. See
the <span class="citerefentry"><span class="refentrytitle">ciphers</span></span> manual page
in the <span class="application">OpenSSL</span> package for the syntax of this setting
and a list of supported values.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default value is <code class="literal">HIGH:MEDIUM:+3DES:!aNULL</code>. The
default is usually a reasonable choice unless you have specific
security requirements.
</p><p>
Explanation of the default value:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">HIGH</code></span></dt><dd><p>
Cipher suites that use ciphers from <code class="literal">HIGH</code> group (e.g.,
AES, Camellia, 3DES)
</p></dd><dt><span class="term"><code class="literal">MEDIUM</code></span></dt><dd><p>
Cipher suites that use ciphers from <code class="literal">MEDIUM</code> group
(e.g., RC4, SEED)
</p></dd><dt><span class="term"><code class="literal">+3DES</code></span></dt><dd><p>
The OpenSSL default order for <code class="literal">HIGH</code> is problematic
because it orders 3DES higher than AES128. This is wrong because
3DES offers less security than AES128, and it is also much
slower. <code class="literal">+3DES</code> reorders it after all other
<code class="literal">HIGH</code> and <code class="literal">MEDIUM</code> ciphers.
</p></dd><dt><span class="term"><code class="literal">!aNULL</code></span></dt><dd><p>
Disables anonymous cipher suites that do no authentication. Such
cipher suites are vulnerable to man-in-the-middle attacks and
therefore should not be used.
</p></dd></dl></div><p>
</p><p>
Available cipher suite details will vary across OpenSSL versions. Use
the command
<code class="literal">openssl ciphers -v 'HIGH:MEDIUM:+3DES:!aNULL'</code> to
see actual details for the currently installed <span class="application">OpenSSL</span>
version. Note that this list is filtered at run time based on the
server key type.
</p></dd><dt id="GUC-SSL-PREFER-SERVER-CIPHERS"><span class="term"><code class="varname">ssl_prefer_server_ciphers</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.4.3.7.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies whether to use the server's SSL cipher preferences, rather
than the client's.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is <code class="literal">true</code>.
</p><p>
Older PostgreSQL versions do not have this setting and always use the
client's preferences. This setting is mainly for backward
compatibility with those versions. Using the server's preferences is
usually better because it is more likely that the server is appropriately
configured.
</p></dd><dt id="GUC-SSL-ECDH-CURVE"><span class="term"><code class="varname">ssl_ecdh_curve</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.8.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the curve to use in <acronym class="acronym">ECDH</acronym> key
exchange. It needs to be supported by all clients that connect.
It does not need to be the same curve used by the server's Elliptic
Curve key.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is <code class="literal">prime256v1</code>.
</p><p>
OpenSSL names for the most common curves are:
<code class="literal">prime256v1</code> (NIST P-256),
<code class="literal">secp384r1</code> (NIST P-384),
<code class="literal">secp521r1</code> (NIST P-521).
The full list of available curves can be shown with the command
<code class="command">openssl ecparam -list_curves</code>. Not all of them
are usable in <acronym class="acronym">TLS</acronym> though.
</p></dd><dt id="GUC-SSL-DH-PARAMS-FILE"><span class="term"><code class="varname">ssl_dh_params_file</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.9.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the file containing Diffie-Hellman parameters
used for so-called ephemeral DH family of SSL ciphers. The default is
empty, in which case compiled-in default DH parameters used. Using
custom DH parameters reduces the exposure if an attacker manages to
crack the well-known compiled-in DH parameters. You can create your own
DH parameters file with the command
<code class="command">openssl dhparam -out dhparams.pem 2048</code>.
</p><p>
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
</p></dd><dt id="GUC-SSL-PASSPHRASE-COMMAND"><span class="term"><code class="varname">ssl_passphrase_command</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.10.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets an external command to be invoked when a passphrase for
decrypting an SSL file such as a private key needs to be obtained. By
default, this parameter is empty, which means the built-in prompting
mechanism is used.
</p><p>
The command must print the passphrase to the standard output and exit
with code 0. In the parameter value, <code class="literal">%p</code> is
replaced by a prompt string. (Write <code class="literal">%%</code> for a
literal <code class="literal">%</code>.) Note that the prompt string will
probably contain whitespace, so be sure to quote adequately. A single
newline is stripped from the end of the output if present.
</p><p>
The command does not actually have to prompt the user for a
passphrase. It can read it from a file, obtain it from a keychain
facility, or similar. It is up to the user to make sure the chosen
mechanism is adequately secure.
</p><p>
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
</p></dd><dt id="GUC-SSL-PASSPHRASE-COMMAND-SUPPORTS-RELOAD"><span class="term"><code class="varname">ssl_passphrase_command_supports_reload</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.4.3.11.1.3" class="indexterm"></a>
</span></dt><dd><p>
This parameter determines whether the passphrase command set by
<code class="varname">ssl_passphrase_command</code> will also be called during a
configuration reload if a key file needs a passphrase. If this
parameter is false (the default), then
<code class="varname">ssl_passphrase_command</code> will be ignored during a
reload and the SSL configuration will not be reloaded if a passphrase
is needed. That setting is appropriate for a command that requires a
TTY for prompting, which might not be available when the server is
running. Setting this parameter to true might be appropriate if the
passphrase is obtained from a file, for example.
</p><p>
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
</p></dd></dl></div></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="runtime-config-file-locations.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="runtime-config.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="runtime-config-resource.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">19.2. File Locations </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 19.4. Resource Consumption</td></tr></table></div></body></html>
