cary huang: TLS setup on Postgres 15 – Common Practice

Original in English, about 1100 words, roughly 4 minutes to read. Published:

1.0 Introduction

TLS is one of the most commonly used security protocols in applications, yet one of the least understood. In this blog, I will briefly explain the concept of TLS and how it can be configured on Postgres version 15 compiled against a compatible OpenSSL library.

2.0 PostgreSQL Server Side Settings

These are the TLS-related settings available in postgresql.conf. Note that these parameters start with the prefix "ssl", a term used interchangeably with TLS (the newer name); both refer to the same thing.

    #ssl = off
    #ssl_ca_file = ''
    #ssl_cert_file = 'server.crt'
    #ssl_crl_file = ''
    #ssl_crl_dir = ''
    #ssl_key_file = 'server.key'
    #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
    #ssl_prefer_server_ciphers = on
    #ssl_ecdh_curve = 'prime256v1'
    #ssl_min_protocol_version = 'TLSv1.2'
    #ssl_max_protocol_version = ''
    #ssl_dh_params_file = ''
    #ssl_passphrase_command = ''
    #ssl_passphrase_command_supports_reload = off

Most of the time, you just need to fill in ssl, ssl_ca_file, ssl_cert_file, ssl_key_file and possibly ssl_passphrase_command. For example:

    ssl = on
    ssl_ca_file = '/home/user/cert/cacert.pem'
    ssl_cert_file = '/home/user/cert/server.pem'
    ssl_key_file = '/home/user/cert/server.key'
    ssl_passphrase_command = 'echo passphrase'

These basic TLS parameters tell Postgres that you would like to enable TLS on your server and provide the paths to the Certificate Authority (CA) certificate file, the entity certificate file and the private key file. These three files are normally referred to as X.509 certificates and are mainly used to establish trust between a client and a server. The CA certificate file (ssl_ca_file) is the root of trust; you can use openssl to generate one for your organization and use it to create and sign other entity certificates for your applications to use.

The entity certificate (ssl_cert_file) and private key (ssl_key_file) form a pair, in the sense that the certificate itself contains a public key while the private key file contains the matching private key. These keys[...]
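The settings above are easy to get subtly wrong: a commented-out line still shows the default rather than an active value, an older ssl_min_protocol_version silently widens what clients may negotiate, and an ssl_passphrase_command such as 'echo passphrase' puts the private key's passphrase in plain text inside postgresql.conf. The following checker is an added example, not code from the original post or from PostgreSQL; it parses the postgresql.conf assignment syntax shown above (key = value, '#' comments, single-quoted strings, later lines overriding earlier ones), seeds the defaults from the listing in the post, and reports the weak settings. The two configuration texts are constructed for the example; the hardened passphrase helper path is a hypothetical placeholder.

```python
"""Lint the TLS-related settings of a postgresql.conf file.

Added example, not part of the original post. It assumes the
postgresql.conf syntax and parameter names shown in the post;
the sample configurations below are constructed for this example.
"""
import re

# Constructed sample: the post's example settings, with one weak protocol
# floor and the passphrase embedded through 'echo'. The commented lines are
# inactive defaults, exactly as they appear in a stock postgresql.conf.
SAMPLE_CONF = """\
#ssl = off
#ssl_min_protocol_version = 'TLSv1.2'   # commented default, inactive
ssl = on
ssl_ca_file = '/home/user/cert/cacert.pem'
ssl_cert_file = '/home/user/cert/server.pem'
ssl_key_file = '/home/user/cert/server.key'
ssl_passphrase_command = 'echo passphrase'
ssl_min_protocol_version = 'TLSv1'
"""

# Constructed hardened variant: TLS 1.2 floor and the passphrase fetched by
# a helper program (hypothetical path) instead of being stored in the config.
HARDENED_CONF = """\
ssl = on
ssl_ca_file = '/home/user/cert/cacert.pem'
ssl_cert_file = '/home/user/cert/server.pem'
ssl_key_file = '/home/user/cert/server.key'
ssl_passphrase_command = '/usr/local/bin/get-pg-passphrase'
ssl_min_protocol_version = 'TLSv1.2'
"""

# Defaults as they appear, commented out, in the post's postgresql.conf listing.
DEFAULTS = {
    "ssl": "off",
    "ssl_ca_file": "",
    "ssl_cert_file": "server.crt",
    "ssl_key_file": "server.key",
    "ssl_min_protocol_version": "TLSv1.2",
    "ssl_max_protocol_version": "",
    "ssl_passphrase_command": "",
}

# Protocol versions in ascending order, used to compare the configured floor.
TLS_VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def _unquote(raw):
    """Strip a single-quoted value or a bare value with a trailing comment."""
    raw = raw.strip()
    if raw.startswith("'"):
        end = raw.find("'", 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split("#", 1)[0].strip()


def parse_conf(text):
    """Return the active settings: defaults overridden by uncommented lines,
    with later assignments winning as in PostgreSQL itself."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or commented-out default: not active
        match = _ASSIGN.match(stripped)
        if match:
            settings[match.group(1).lower()] = _unquote(match.group(2))
    return settings


def audit_tls(settings):
    """Return a list of findings (empty when the TLS settings look sound)."""
    findings = []
    if settings["ssl"].lower() not in ("on", "true", "yes", "1"):
        findings.append("ssl is not enabled: connections will be cleartext")
        return findings  # nothing else matters until TLS is switched on
    for key in ("ssl_cert_file", "ssl_key_file"):
        if not settings[key]:
            findings.append(f"{key} is empty; the server cannot present a certificate")
    if not settings["ssl_ca_file"]:
        findings.append("ssl_ca_file is empty: client certificates cannot be verified")
    floor = settings["ssl_min_protocol_version"]
    if floor not in TLS_VERSIONS or TLS_VERSIONS.index(floor) < TLS_VERSIONS.index("TLSv1.2"):
        findings.append(f"ssl_min_protocol_version={floor!r} allows versions below TLSv1.2")
    if re.match(r"^\s*(echo|printf)\b", settings["ssl_passphrase_command"]):
        findings.append("ssl_passphrase_command embeds the key passphrase in postgresql.conf")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_tls(parse_conf(conf)) or "ok")
```

Run against the sample it reports the TLSv1 floor and the echoed passphrase; the hardened variant comes back clean, and an empty file (defaults only) is flagged because ssl is off.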

TLS is the most widely used security protocol. This article briefly introduces the concept of TLS and how to configure it on Postgres 15: the parameters ssl, ssl_ca_file, ssl_cert_file, ssl_key_file and ssl_passphrase_command need to be filled in, openssl is used to generate and sign the certificate files, and pg_hba.conf must also be configured to control which connections require TLS and which do not. When a client connects, it needs to specify its certificate and the CA certificate in order to verify the server certificate.
