cary huang: TLS setup on Postgres 15 – Common Practice
Original in English, about 1,100 words, roughly 4 minutes' reading. Published: .

1.0 Introduction

TLS is one of the most commonly used security protocols in applications, and also one of the least understood. In this blog I will briefly explain the concept of TLS and how it can be configured on Postgres version 15 compiled against a compatible OpenSSL library.

2.0 PostgreSQL Server Side Settings

These are the TLS-related settings available in postgresql.conf. Note that these parameters start with the prefix SSL, a term used interchangeably with TLS (the newer term); both refer to the same thing.

#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_crl_dir = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1.2'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off

Most of the time you only need to fill in ssl, ssl_ca_file, ssl_cert_file, ssl_key_file and possibly ssl_passphrase_command. For example:

ssl = on
ssl_ca_file = '/home/user/cert/cacert.pem'
ssl_cert_file = '/home/user/cert/server.pem'
ssl_key_file = '/home/user/cert/server.key'
ssl_passphrase_command = 'echo passphrase'

These basic TLS parameters tell Postgres that you want TLS enabled on your server and provide the paths to a Certificate Authority (CA) certificate file, an entity certificate file and a private key file. These three files are normally referred to as X.509 certificates and are mainly used to establish trust between a client and a server. The CA certificate file (ssl_ca_file) is the root of trust; you can use openssl to generate one for your organization and then use it to create and sign the other entity certificates your applications will use.
The entity certificate (ssl_cert_file) and private key (ssl_key_file) form a pair, in the sense that the certificate contains a public key while the private key file contains the matching private key. These keys[...]
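The settings above are only effective when the line is uncommented, and a few of the values shown (a low minimum protocol version, a passphrase echoed from the config file) are worth catching before a server goes live. The following checker is an added example, not code from the original post: it parses the ssl_* lines of a postgresql.conf, applies the compiled-in defaults for commented lines, and reports hardening findings. The sample config is constructed from the page's own example values plus a deliberately weakened ssl_min_protocol_version.

```python
"""Parse the TLS section of a postgresql.conf and report the effective
settings plus hardening findings. Added example; SAMPLE_CONF is constructed."""
import re

# Constructed sample: the page's example settings layered over commented defaults.
SAMPLE_CONF = """
#ssl = off
ssl = on
ssl_ca_file = '/home/user/cert/cacert.pem'
ssl_cert_file = '/home/user/cert/server.pem'
ssl_key_file = '/home/user/cert/server.key'
ssl_passphrase_command = 'echo passphrase'
#ssl_min_protocol_version = 'TLSv1.2'
ssl_min_protocol_version = 'TLSv1'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
"""

# Defaults that apply while the corresponding line stays commented out.
DEFAULTS = {
    "ssl": "off",
    "ssl_min_protocol_version": "TLSv1.2",
    "ssl_ciphers": "HIGH:MEDIUM:+3DES:!aNULL",
}
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# name = 'value' or name = value, with an optional trailing # comment
LINE_RE = re.compile(r"^\s*(ssl\w*)\s*=\s*'?([^'#]*?)'?\s*(?:#.*)?$")

def parse_ssl_settings(text):
    """Return {param: value} for active ssl_* lines; a later line overrides an earlier one."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented line leaves the default in force
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit_ssl_settings(settings):
    """Return the findings a reviewer would raise about the effective settings."""
    findings = []
    if settings.get("ssl") != "on":
        findings.append("ssl is not on: client connections are plaintext")
    minv = settings.get("ssl_min_protocol_version", "")
    if minv in TLS_ORDER and TLS_ORDER.index(minv) < TLS_ORDER.index("TLSv1.2"):
        findings.append(f"ssl_min_protocol_version {minv} permits deprecated TLS versions")
    if not settings.get("ssl_ca_file"):
        findings.append("ssl_ca_file is empty: client certificates cannot be verified")
    if settings.get("ssl_passphrase_command", "").startswith("echo "):
        findings.append("ssl_passphrase_command echoes the passphrase, so it sits in cleartext in postgresql.conf")
    return findings
```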
TLS is the most commonly used security protocol. This article briefly introduces the concept of TLS and how to configure it on Postgres 15: the parameters ssl, ssl_ca_file, ssl_cert_file, ssl_key_file and ssl_passphrase_command need to be filled in, openssl is used to generate and sign the certificate files, pg_hba.conf must also be configured to control which connections require TLS and which do not, and when connecting, the client needs to specify its certificate and the CA certificate in order to verify the server certificate.