<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML ><HEAD ><TITLE >Secure TCP/IP Connections with SSL</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK REV="MADE" HREF="mailto:pgsql-docs@postgresql.org"><LINK REL="HOME" TITLE="PostgreSQL 8.0.11 Documentation" HREF="index.html"><LINK REL="UP" TITLE="Server Run-time Environment" HREF="runtime.html"><LINK REL="PREVIOUS" TITLE="Encryption Options" HREF="encryption-options.html"><LINK REL="NEXT" TITLE="Secure TCP/IP Connections with SSH Tunnels" HREF="ssh-tunnels.html"><LINK REL="STYLESHEET" TYPE="text/css" HREF="stylesheet.css"><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"><META NAME="creation" CONTENT="2007-02-02T03:57:22"></HEAD ><BODY CLASS="SECT1" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="5" ALIGN="center" VALIGN="bottom" >PostgreSQL 8.0.11 Documentation</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="top" ><A HREF="encryption-options.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="10%" ALIGN="left" VALIGN="top" ><A HREF="runtime.html" >Fast Backward</A ></TD ><TD WIDTH="60%" ALIGN="center" VALIGN="bottom" >Chapter 16. Server Run-time Environment</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="top" ><A HREF="runtime.html" >Fast Forward</A ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="top" ><A HREF="ssh-tunnels.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="SSL-TCP" >16.8. Secure TCP/IP Connections with SSL</A ></H1 ><A NAME="AEN19407" ></A ><P > <SPAN CLASS="PRODUCTNAME" >PostgreSQL</SPAN > has native support for using <ACRONYM CLASS="ACRONYM" >SSL</ACRONYM > connections to encrypt client/server communications for increased security. 
This requires that <SPAN CLASS="PRODUCTNAME" >OpenSSL</SPAN > is installed on both client and server systems and that support in <SPAN CLASS="PRODUCTNAME" >PostgreSQL</SPAN > is enabled at build time (see <A HREF="installation.html" >Chapter 14</A >). </P ><P > With <ACRONYM CLASS="ACRONYM" >SSL</ACRONYM > support compiled in, the <SPAN CLASS="PRODUCTNAME" >PostgreSQL</SPAN > server can be started with <ACRONYM CLASS="ACRONYM" >SSL</ACRONYM > enabled by setting the parameter <A HREF="runtime-config.html#GUC-SSL" >ssl</A > to <TT CLASS="LITERAL" >on</TT > in <TT CLASS="FILENAME" >postgresql.conf</TT >. When starting in <ACRONYM CLASS="ACRONYM" >SSL</ACRONYM > mode, the server will look for the files <TT CLASS="FILENAME" >server.key</TT > and <TT CLASS="FILENAME" >server.crt</TT > in the data directory, which must contain the server private key and certificate, respectively. These files must be set up correctly before an <ACRONYM CLASS="ACRONYM" >SSL</ACRONYM >-enabled server can start. If the private key is protected with a passphrase, the server will prompt for the passphrase and will not start until it has been entered. </P ><P > The server will listen for both standard and <ACRONYM CLASS="ACRONYM" >SSL</ACRONYM > connections on the same TCP port, and will negotiate with any connecting client on whether to use <ACRONYM CLASS="ACRONYM" >SSL</ACRONYM >. By default, this is at the client's option; see <A HREF="client-authentication.html#AUTH-PG-HBA-CONF" >Section 19.1</A > about how to set up the server to require use of <ACRONYM CLASS="ACRONYM" >SSL</ACRONYM > for some or all connections. </P ><P > For details on how to create your server private key and certificate, refer to the <SPAN CLASS="PRODUCTNAME" >OpenSSL</SPAN > documentation. 
A self-signed certificate can be used for testing, but a certificate signed by a certificate authority (<ACRONYM CLASS="ACRONYM" >CA</ACRONYM >) (either one of the global <ACRONYM CLASS="ACRONYM" >CAs</ACRONYM > or a local one) should be used in production so the client can verify the server's identity. To create a quick self-signed certificate, use the following <SPAN CLASS="PRODUCTNAME" >OpenSSL</SPAN > command: </P><PRE CLASS="PROGRAMLISTING" >openssl req -new -text -out server.req</PRE ><P> Fill out the information that <TT CLASS="COMMAND" >openssl</TT > asks for. Make sure that you enter the local host name as <SPAN CLASS="QUOTE" >"Common Name"</SPAN >; the challenge password can be left blank. The program will generate a key that is passphrase protected; it will not accept a passphrase that is less than four characters long. To remove the passphrase (as you must if you want automatic start-up of the server), run the commands </P><PRE CLASS="PROGRAMLISTING" >openssl rsa -in privkey.pem -out server.key
rm privkey.pem</PRE ><P> Enter the old passphrase to unlock the existing key. Now run </P><PRE CLASS="PROGRAMLISTING" >openssl req -x509 -in server.req -text -key server.key -out server.crt
chmod og-rwx server.key</PRE ><P> to turn the certificate request into a self-signed certificate and to make the key readable only by its owner. Place the resulting <TT CLASS="FILENAME" >server.key</TT > and <TT CLASS="FILENAME" >server.crt</TT > in the data directory, where the server will look for them. </P ><P > If verification of client certificates is required, place the certificates of the <ACRONYM CLASS="ACRONYM" >CA</ACRONYM >(s) you wish to check for in the file <TT CLASS="FILENAME" >root.crt</TT > in the data directory. When present, a client certificate will be requested from the client during SSL connection startup, and it must have been signed by one of the certificates present in <TT CLASS="FILENAME" >root.crt</TT >. </P ><P > When the <TT CLASS="FILENAME" >root.crt</TT > file is not present, client certificates will not be requested or checked. 
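</P >
<P > Before restarting the server, a pre-flight check of the three files described above catches the two start-up problems this section warns about (a passphrase-protected <TT CLASS="FILENAME" >server.key</TT >, and a key still readable by group or other) and reports whether <TT CLASS="FILENAME" >root.crt</TT > is present. This is an added example, not code from the <SPAN CLASS="PRODUCTNAME" >PostgreSQL</SPAN > project; it uses only the Python standard library and builds its sample data directory from constructed placeholder PEM files, so it runs without a real key or certificate. </P >

```python
import os
import stat
import tempfile

# Constructed placeholder PEM bodies, not real keys or certificates: only the
# headers matter to the checks below.
ENCRYPTED_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nAAAA\n-----END RSA PRIVATE KEY-----\n"
PLAIN_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
CERT = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

def check_ssl_files(datadir):
    """Return the problems that would stop or weaken an ssl=on start; [] means clean."""
    key = os.path.join(datadir, "server.key")
    crt = os.path.join(datadir, "server.crt")
    problems = [f"missing {os.path.basename(p)}" for p in (key, crt) if not os.path.isfile(p)]
    if problems:
        return problems
    with open(key, "rb") as f:
        pem = f.read()
    if b"PRIVATE KEY-----" not in pem:
        problems.append("server.key is not a PEM private key")
    # Both PEM encryption forms carry the word ENCRYPTED; such a key makes the
    # server prompt for the passphrase and blocks unattended start-up.
    if b"ENCRYPTED" in pem:
        problems.append("server.key is passphrase protected; strip it with 'openssl rsa'")
    mode = stat.S_IMODE(os.stat(key).st_mode)
    if mode & 0o077:  # any group/other bit means chmod og-rwx was skipped
        problems.append(f"server.key mode {mode:04o} is accessible to group/other; run chmod og-rwx")
    with open(crt, "rb") as f:
        if b"-----BEGIN CERTIFICATE-----" not in f.read():
            problems.append("server.crt is not a PEM certificate")
    return problems

def client_cert_mode(datadir):
    """root.crt present: the server requests client certificates and checks them against it."""
    present = os.path.isfile(os.path.join(datadir, "root.crt"))
    return "client certificates verified against root.crt" if present else "encryption only, no client authentication"

def make_sample_datadir(encrypted, key_mode, root_crt):
    """Build a throwaway data directory from the constructed placeholder files above."""
    d = tempfile.mkdtemp(prefix="pgdata-")
    files = {"server.key": ENCRYPTED_KEY if encrypted else PLAIN_KEY, "server.crt": CERT}
    if root_crt:
        files["root.crt"] = CERT
    for name, body in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    os.chmod(os.path.join(d, "server.key"), key_mode)
    return d
```

Run <TT CLASS="FUNCTION" >check_ssl_files()</TT > against the real data directory before a restart; an empty result means the server can come up unattended, and <TT CLASS="FUNCTION" >client_cert_mode()</TT > tells you which of the two modes described here will be in effect.
<P >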
In this mode, SSL provides communication security but not authentication. </P ><P > The files <TT CLASS="FILENAME" >server.key</TT >, <TT CLASS="FILENAME" >server.crt</TT >, and <TT CLASS="FILENAME" >root.crt</TT > are only examined during server start, so you must restart the server to make changes in them take effect. </P ></DIV ></BODY ></HTML >