5.13. Secure Socket Layer (SSL)

5.13.1. SSL Settings

ssl (boolean)

When set to on, Pgpool-II enables SSL for both the frontend and backend communications. Default is off.

Note: ssl_key and ssl_cert must also be configured in order for SSL to work with frontend connections.

Note: For SSL to work, Pgpool-II must be built with OpenSSL support. See Section 2.5 for details on building Pgpool-II.

This parameter can only be set at server start.

ssl_key (string)

Specifies the private key file to be used for incoming frontend connections. Relative paths are relative to the Pgpool-II configuration directory. There is no default value for this option, and if left unset SSL will be disabled for incoming frontend connections.

This parameter can only be set at server start.

ssl_cert (string)

Specifies the public x509 certificate file to be used for incoming frontend connections. Relative paths are relative to the Pgpool-II configuration directory. There is no default value for this option, and if left unset SSL will be disabled for incoming frontend connections.

This parameter can only be set at server start.

ssl_ca_cert (string)

Specifies a PEM format CA certificate file, which can be used to verify the backend server certificates. Relative paths are relative to the Pgpool-II configuration directory. This is analogous to the -CApath option of the OpenSSL verify(1) command.

This parameter can only be set at server start.

ssl_ca_cert_dir (string)

Specifies the path to a directory containing PEM format CA certificate files, which can be used to verify the backend server certificates. This is analogous to the -CApath option of the OpenSSL verify(1) command.

The default value for this option is unset, which means no verification takes place. Verification will still happen if this option is not set but a value is provided for ssl_ca_cert.

This parameter can only be set at server start.

ssl_crl_file (string)

Specifies the file containing the SSL server certificate revocation list (CRL). Relative paths are relative to the Pgpool-II configuration directory. The default is empty, meaning no CRL file is loaded.

This parameter can only be set at server start.

ssl_ciphers (string)

Specifies a list of SSL cipher suites that are allowed to be used by SSL connections. See the ciphers manual page in the OpenSSL package for the syntax of this setting and a list of supported values. Only connections using TLS version 1.2 and lower are affected. There is currently no setting that controls the cipher choices used by TLS version 1.3 connections. The default value is HIGH:MEDIUM:+3DES:!aNULL, which is the same as PostgreSQL's. See the PostgreSQL manual for the rationale behind this value.

This parameter can only be set at server start.

ssl_prefer_server_ciphers (boolean)

Specifies whether to use the server's SSL cipher preferences, rather than the client's. The default value is false.

This parameter can only be set at server start.

ssl_ecdh_curve (string)

Specifies the name of the curve to use in ECDH key exchange. It needs to be supported by all clients that connect. It does not need to be the same curve used by the server's Elliptic Curve key. The default value is prime256v1.

OpenSSL names for the most common curves are: prime256v1 (NIST P-256), secp384r1 (NIST P-384), secp521r1 (NIST P-521). The full list of available curves can be shown with the command openssl ecparam -list_curves. Not all of them are usable in TLS though.

This parameter can only be set at server start.

ssl_dh_params_file (string)

Specifies the name of the file containing Diffie-Hellman parameters used for the so-called ephemeral DH family of SSL ciphers. The default is empty, in which case the compiled-in default DH parameters are used. Using custom DH parameters reduces the exposure if an attacker manages to crack the well-known compiled-in DH parameters. You can create your own DH parameters file with the command openssl dhparam -out dhparams.pem 2048.

This parameter can only be set at server start.

ssl_passphrase_command (string)

Sets an external command to be invoked when a passphrase for decrypting an SSL file such as a private key needs to be obtained. By default, this parameter is empty, which means the SSL file will not be loaded if a passphrase is required.

The command must print the passphrase to the standard output and exit with code 0. In the parameter value, %p is replaced by a prompt string. (Write %% for a literal %.) Note that the prompt string will probably contain whitespace, so be sure to quote adequately. A single newline is stripped from the end of the output if present.

The command does not actually have to prompt the user for a passphrase. It can read it from a file, obtain it from a keychain facility, or similar. It is up to the user to make sure the chosen mechanism is adequately secure.

This parameter can only be set at server start.
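The rules in this settings reference (frontend TLS needs both ssl_key and ssl_cert, backend certificates are only verified when ssl_ca_cert or ssl_ca_cert_dir is set, relative paths resolve against the configuration directory, and the %p/%% substitution plus trailing-newline handling of ssl_passphrase_command) as a small added Python checker. This is example code written for this page, not part of Pgpool-II; the pgpool.conf fragment, the /etc/pgpool-II directory and the prompt string are constructed.

```python
import os
import re

# Constructed sample pgpool.conf fragment (not a real deployment file).
SAMPLE_CONF = """
ssl = on
ssl_key = 'server.key'                      # relative: resolved against conf dir
ssl_cert = '/etc/pgpool-II/server.crt'
ssl_ca_cert = ''                            # no backend CA file ...
ssl_ca_cert_dir = ''                        # ... and no CA directory
ssl_prefer_server_ciphers = off
ssl_passphrase_command = 'cat "%p.secret" | tr %% x'
"""

def parse_conf(text):
    """Parse key = value lines; drop comments and surrounding quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip("'\"")
    return conf

def resolve_path(conf_dir, value):
    """Relative paths are relative to the Pgpool-II configuration directory."""
    return value if os.path.isabs(value) else os.path.join(conf_dir, value)

def audit_ssl(conf):
    """Apply the enablement/verification rules from the settings reference."""
    findings = []
    if conf.get("ssl", "off") != "on":
        findings.append("ssl is off: no TLS for frontend or backend")
        return findings
    if not conf.get("ssl_key") or not conf.get("ssl_cert"):
        findings.append("frontend TLS disabled: ssl_key and ssl_cert both required")
    if not conf.get("ssl_ca_cert") and not conf.get("ssl_ca_cert_dir"):
        findings.append("backend server certificates are not verified")
    if conf.get("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("client cipher preference wins (ssl_prefer_server_ciphers=off)")
    return findings

def expand_passphrase_command(cmd, prompt):
    """%p becomes the prompt string, %% a literal %; the prompt may contain spaces."""
    return re.sub(r"%[p%]", lambda m: prompt if m.group(0) == "%p" else "%", cmd)

def read_passphrase(output):
    """Exactly one trailing newline is stripped from the command's stdout."""
    return output[:-1] if output.endswith("\n") else output
```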

5.13.2. Generating SSL certificates

Certificate handling is outside the scope of this document. The Secure TCP/IP Connections with SSL page at postgresql.org has pointers with sample commands for how to generate self-signed certificates.