summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/html/runtime-config-connection.html
diff options
context:
space:
mode:
Diffstat (limited to 'doc/src/sgml/html/runtime-config-connection.html')
-rw-r--r--doc/src/sgml/html/runtime-config-connection.html546
1 files changed, 546 insertions, 0 deletions
diff --git a/doc/src/sgml/html/runtime-config-connection.html b/doc/src/sgml/html/runtime-config-connection.html
new file mode 100644
index 0000000..3faa9b4
--- /dev/null
+++ b/doc/src/sgml/html/runtime-config-connection.html
@@ -0,0 +1,546 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.3. Connections and Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="runtime-config-file-locations.html" title="20.2. File Locations" /><link rel="next" href="runtime-config-resource.html" title="20.4. Resource Consumption" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.3. Connections and Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="runtime-config-file-locations.html" title="20.2. File Locations">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="runtime-config.html" title="Chapter 20. Server Configuration">Up</a></td><th width="60%" align="center">Chapter 20. Server Configuration</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 15.5 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="runtime-config-resource.html" title="20.4. Resource Consumption">Next</a></td></tr></table><hr /></div><div class="sect1" id="RUNTIME-CONFIG-CONNECTION"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.3. Connections and Authentication</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SETTINGS">20.3.1. Connection Settings</a></span></dt><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-AUTHENTICATION">20.3.2. Authentication</a></span></dt><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SSL">20.3.3. SSL</a></span></dt></dl></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-SETTINGS"><div class="titlepage"><div><div><h3 class="title">20.3.1. Connection Settings</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt id="GUC-LISTEN-ADDRESSES"><span class="term"><code class="varname">listen_addresses</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.2.2.1.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the TCP/IP address(es) on which the server is
+ to listen for connections from client applications.
+ The value takes the form of a comma-separated list of host names
+ and/or numeric IP addresses. The special entry <code class="literal">*</code>
+ corresponds to all available IP interfaces. The entry
+ <code class="literal">0.0.0.0</code> allows listening for all IPv4 addresses and
+ <code class="literal">::</code> allows listening for all IPv6 addresses.
+ If the list is empty, the server does not listen on any IP interface
+ at all, in which case only Unix-domain sockets can be used to connect
+ to it. If the list is not empty, the server will start if it
+ can listen on at least one TCP/IP address. A warning will be
+ emitted for any TCP/IP address which cannot be opened.
+ The default value is <span class="systemitem">localhost</span>,
+ which allows only local TCP/IP <span class="quote">“<span class="quote">loopback</span>”</span> connections to be
+ made.
+ </p><p>
+ While client authentication (<a class="xref" href="client-authentication.html" title="Chapter 21. Client Authentication">Chapter 21</a>) allows fine-grained control
+ over who can access the server, <code class="varname">listen_addresses</code>
+ controls which interfaces accept connection attempts, which
+ can help prevent repeated malicious connection requests on
+ insecure network interfaces. This parameter can only be set
+ at server start.
+ </p></dd><dt id="GUC-PORT"><span class="term"><code class="varname">port</code> (<code class="type">integer</code>)
+ <a id="id-1.6.7.6.2.2.2.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ The TCP port the server listens on; 5432 by default. Note that the
+ same port number is used for all IP addresses the server listens on.
+ This parameter can only be set at server start.
+ </p></dd><dt id="GUC-MAX-CONNECTIONS"><span class="term"><code class="varname">max_connections</code> (<code class="type">integer</code>)
+ <a id="id-1.6.7.6.2.2.3.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Determines the maximum number of concurrent connections to the
+ database server. The default is typically 100 connections, but
+ might be less if your kernel settings will not support it (as
+ determined during <span class="application">initdb</span>). This parameter can
+ only be set at server start.
+ </p><p>
+ When running a standby server, you must set this parameter to the
+ same or higher value than on the primary server. Otherwise, queries
+ will not be allowed in the standby server.
+ </p></dd><dt id="GUC-SUPERUSER-RESERVED-CONNECTIONS"><span class="term"><code class="varname">superuser_reserved_connections</code>
+ (<code class="type">integer</code>)
+ <a id="id-1.6.7.6.2.2.4.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Determines the number of connection <span class="quote">“<span class="quote">slots</span>”</span> that
+ are reserved for connections by <span class="productname">PostgreSQL</span>
+ superusers. At most <a class="xref" href="runtime-config-connection.html#GUC-MAX-CONNECTIONS">max_connections</a>
+ connections can ever be active simultaneously. Whenever the
+ number of active concurrent connections is at least
+ <code class="varname">max_connections</code> minus
+ <code class="varname">superuser_reserved_connections</code>, new
+ connections will be accepted only for superusers, and no
+ new replication connections will be accepted.
+ </p><p>
+ The default value is three connections. The value must be less
+ than <code class="varname">max_connections</code>.
+ This parameter can only be set at server start.
+ </p></dd><dt id="GUC-UNIX-SOCKET-DIRECTORIES"><span class="term"><code class="varname">unix_socket_directories</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.2.2.5.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the directory of the Unix-domain socket(s) on which the
+ server is to listen for connections from client applications.
+ Multiple sockets can be created by listing multiple directories
+ separated by commas. Whitespace between entries is
+ ignored; surround a directory name with double quotes if you need
+ to include whitespace or commas in the name.
+ An empty value
+ specifies not listening on any Unix-domain sockets, in which case
+ only TCP/IP sockets can be used to connect to the server.
+ </p><p>
+ A value that starts with <code class="literal">@</code> specifies that a
+ Unix-domain socket in the abstract namespace should be created
+ (currently supported on Linux only). In that case, this value
+ does not specify a <span class="quote">“<span class="quote">directory</span>”</span> but a prefix from which
+ the actual socket name is computed in the same manner as for the
+ file-system namespace. While the abstract socket name prefix can be
+ chosen freely, since it is not a file-system location, the convention
+ is to nonetheless use file-system-like values such as
+ <code class="literal">@/tmp</code>.
+ </p><p>
+ The default value is normally
+ <code class="filename">/tmp</code>, but that can be changed at build time.
+ On Windows, the default is empty, which means no Unix-domain socket is
+ created by default.
+ This parameter can only be set at server start.
+ </p><p>
+ In addition to the socket file itself, which is named
+ <code class="literal">.s.PGSQL.<em class="replaceable"><code>nnnn</code></em></code> where
+ <em class="replaceable"><code>nnnn</code></em> is the server's port number, an ordinary file
+ named <code class="literal">.s.PGSQL.<em class="replaceable"><code>nnnn</code></em>.lock</code> will be
+ created in each of the <code class="varname">unix_socket_directories</code> directories.
+ Neither file should ever be removed manually.
+ For sockets in the abstract namespace, no lock file is created.
+ </p></dd><dt id="GUC-UNIX-SOCKET-GROUP"><span class="term"><code class="varname">unix_socket_group</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.2.2.6.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Sets the owning group of the Unix-domain socket(s). (The owning
+ user of the sockets is always the user that starts the
+ server.) In combination with the parameter
+ <code class="varname">unix_socket_permissions</code> this can be used as
+ an additional access control mechanism for Unix-domain connections.
+ By default this is the empty string, which uses the default
+ group of the server user. This parameter can only be set at
+ server start.
+ </p><p>
+ This parameter is not supported on Windows. Any setting will be
+ ignored. Also, sockets in the abstract namespace have no file owner,
+ so this setting is also ignored in that case.
+ </p></dd><dt id="GUC-UNIX-SOCKET-PERMISSIONS"><span class="term"><code class="varname">unix_socket_permissions</code> (<code class="type">integer</code>)
+ <a id="id-1.6.7.6.2.2.7.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Sets the access permissions of the Unix-domain socket(s). Unix-domain
+ sockets use the usual Unix file system permission set.
+ The parameter value is expected to be a numeric mode
+ specified in the format accepted by the
+ <code class="function">chmod</code> and <code class="function">umask</code>
+ system calls. (To use the customary octal format the number
+ must start with a <code class="literal">0</code> (zero).)
+ </p><p>
+ The default permissions are <code class="literal">0777</code>, meaning
+ anyone can connect. Reasonable alternatives are
+ <code class="literal">0770</code> (only user and group, see also
+ <code class="varname">unix_socket_group</code>) and <code class="literal">0700</code>
+ (only user). (Note that for a Unix-domain socket, only write
+ permission matters, so there is no point in setting or revoking
+ read or execute permissions.)
+ </p><p>
+ This access control mechanism is independent of the one
+ described in <a class="xref" href="client-authentication.html" title="Chapter 21. Client Authentication">Chapter 21</a>.
+ </p><p>
+ This parameter can only be set at server start.
+ </p><p>
+ This parameter is irrelevant on systems, notably Solaris as of Solaris
+ 10, that ignore socket permissions entirely. There, one can achieve a
+ similar effect by pointing <code class="varname">unix_socket_directories</code> to a
+ directory having search permission limited to the desired audience.
+ </p><p>
+ Sockets in the abstract namespace have no file permissions, so this
+ setting is also ignored in that case.
+ </p></dd><dt id="GUC-BONJOUR"><span class="term"><code class="varname">bonjour</code> (<code class="type">boolean</code>)
+ <a id="id-1.6.7.6.2.2.8.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Enables advertising the server's existence via
+ <span class="productname">Bonjour</span>. The default is off.
+ This parameter can only be set at server start.
+ </p></dd><dt id="GUC-BONJOUR-NAME"><span class="term"><code class="varname">bonjour_name</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.2.2.9.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the <span class="productname">Bonjour</span> service
+ name. The computer name is used if this parameter is set to the
+ empty string <code class="literal">''</code> (which is the default). This parameter is
+ ignored if the server was not compiled with
+ <span class="productname">Bonjour</span> support.
+ This parameter can only be set at server start.
+ </p></dd><dt id="GUC-TCP-KEEPALIVES-IDLE"><span class="term"><code class="varname">tcp_keepalives_idle</code> (<code class="type">integer</code>)
+ <a id="id-1.6.7.6.2.2.10.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the amount of time with no network activity after which
+ the operating system should send a TCP keepalive message to the client.
+ If this value is specified without units, it is taken as seconds.
+ A value of 0 (the default) selects the operating system's default.
+ This parameter is supported only on systems that support
+ <code class="symbol">TCP_KEEPIDLE</code> or an equivalent socket option, and on
+ Windows; on other systems, it must be zero.
+ In sessions connected via a Unix-domain socket, this parameter is
+ ignored and always reads as zero.
+ </p><div class="note"><h3 class="title">Note</h3><p>
+ On Windows, setting a value of 0 will set this parameter to 2 hours,
+ since Windows does not provide a way to read the system default value.
+ </p></div></dd><dt id="GUC-TCP-KEEPALIVES-INTERVAL"><span class="term"><code class="varname">tcp_keepalives_interval</code> (<code class="type">integer</code>)
+ <a id="id-1.6.7.6.2.2.11.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the amount of time after which a TCP keepalive message
+ that has not been acknowledged by the client should be retransmitted.
+ If this value is specified without units, it is taken as seconds.
+ A value of 0 (the default) selects the operating system's default.
+ This parameter is supported only on systems that support
+ <code class="symbol">TCP_KEEPINTVL</code> or an equivalent socket option, and on
+ Windows; on other systems, it must be zero.
+ In sessions connected via a Unix-domain socket, this parameter is
+ ignored and always reads as zero.
+ </p><div class="note"><h3 class="title">Note</h3><p>
+ On Windows, setting a value of 0 will set this parameter to 1 second,
+ since Windows does not provide a way to read the system default value.
+ </p></div></dd><dt id="GUC-TCP-KEEPALIVES-COUNT"><span class="term"><code class="varname">tcp_keepalives_count</code> (<code class="type">integer</code>)
+ <a id="id-1.6.7.6.2.2.12.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the number of TCP keepalive messages that can be lost before
+ the server's connection to the client is considered dead.
+ A value of 0 (the default) selects the operating system's default.
+ This parameter is supported only on systems that support
+ <code class="symbol">TCP_KEEPCNT</code> or an equivalent socket option;
+ on other systems, it must be zero.
+ In sessions connected via a Unix-domain socket, this parameter is
+ ignored and always reads as zero.
+ </p><div class="note"><h3 class="title">Note</h3><p>
+ This parameter is not supported on Windows, and must be zero.
+ </p></div></dd><dt id="GUC-TCP-USER-TIMEOUT"><span class="term"><code class="varname">tcp_user_timeout</code> (<code class="type">integer</code>)
+ <a id="id-1.6.7.6.2.2.13.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the amount of time that transmitted data may
+ remain unacknowledged before the TCP connection is forcibly closed.
+ If this value is specified without units, it is taken as milliseconds.
+ A value of 0 (the default) selects the operating system's default.
+ This parameter is supported only on systems that support
+ <code class="symbol">TCP_USER_TIMEOUT</code>; on other systems, it must be zero.
+ In sessions connected via a Unix-domain socket, this parameter is
+ ignored and always reads as zero.
+ </p><div class="note"><h3 class="title">Note</h3><p>
+ This parameter is not supported on Windows, and must be zero.
+ </p></div></dd><dt id="GUC-CLIENT-CONNECTION-CHECK-INTERVAL"><span class="term"><code class="varname">client_connection_check_interval</code> (<code class="type">integer</code>)
+ <a id="id-1.6.7.6.2.2.14.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Sets the time interval between optional checks that the client is still
+ connected, while running queries. The check is performed by polling
+ the socket, and allows long running queries to be aborted sooner if
+ the kernel reports that the connection is closed.
+ </p><p>
+ This option relies on kernel events exposed by Linux, macOS, illumos
+ and the BSD family of operating systems, and is not currently available
+ on other systems.
+ </p><p>
+ If the value is specified without units, it is taken as milliseconds.
+ The default value is <code class="literal">0</code>, which disables connection
+ checks. Without connection checks, the server will detect the loss of
+ the connection only at the next interaction with the socket, when it
+ waits for, receives or sends data.
+ </p><p>
+ For the kernel itself to detect lost TCP connections reliably and within
+ a known timeframe in all scenarios including network failure, it may
+ also be necessary to adjust the TCP keepalive settings of the operating
+ system, or the <a class="xref" href="runtime-config-connection.html#GUC-TCP-KEEPALIVES-IDLE">tcp_keepalives_idle</a>,
+ <a class="xref" href="runtime-config-connection.html#GUC-TCP-KEEPALIVES-INTERVAL">tcp_keepalives_interval</a> and
+ <a class="xref" href="runtime-config-connection.html#GUC-TCP-KEEPALIVES-COUNT">tcp_keepalives_count</a> settings of
+ <span class="productname">PostgreSQL</span>.
+ </p></dd></dl></div></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-AUTHENTICATION"><div class="titlepage"><div><div><h3 class="title">20.3.2. Authentication</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt id="GUC-AUTHENTICATION-TIMEOUT"><span class="term"><code class="varname">authentication_timeout</code> (<code class="type">integer</code>)
+ <a id="id-1.6.7.6.3.2.1.1.3" class="indexterm"></a>
+ <a id="id-1.6.7.6.3.2.1.1.4" class="indexterm"></a>
+ <a id="id-1.6.7.6.3.2.1.1.5" class="indexterm"></a>
+ </span></dt><dd><p>
+ Maximum amount of time allowed to complete client authentication. If a
+ would-be client has not completed the authentication protocol in
+ this much time, the server closes the connection. This prevents
+ hung clients from occupying a connection indefinitely.
+ If this value is specified without units, it is taken as seconds.
+ The default is one minute (<code class="literal">1m</code>).
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ </p></dd><dt id="GUC-PASSWORD-ENCRYPTION"><span class="term"><code class="varname">password_encryption</code> (<code class="type">enum</code>)
+ <a id="id-1.6.7.6.3.2.2.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ When a password is specified in <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a> or
+ <a class="xref" href="sql-alterrole.html" title="ALTER ROLE"><span class="refentrytitle">ALTER ROLE</span></a>, this parameter determines the
+ algorithm to use to encrypt the password. Possible values are
+ <code class="literal">scram-sha-256</code>, which will encrypt the password with
+ SCRAM-SHA-256, and <code class="literal">md5</code>, which stores the password
+ as an MD5 hash. The default is <code class="literal">scram-sha-256</code>.
+ </p><p>
+ Note that older clients might lack support for the SCRAM authentication
+ mechanism, and hence not work with passwords encrypted with
+ SCRAM-SHA-256. See <a class="xref" href="auth-password.html" title="21.5. Password Authentication">Section 21.5</a> for more details.
+ </p></dd><dt id="GUC-KRB-SERVER-KEYFILE"><span class="term"><code class="varname">krb_server_keyfile</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.3.2.3.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Sets the location of the server's Kerberos key file. The default is
+ <code class="filename">FILE:/usr/local/pgsql/etc/krb5.keytab</code>
+ (where the directory part is whatever was specified
+ as <code class="varname">sysconfdir</code> at build time; use
+ <code class="literal">pg_config --sysconfdir</code> to determine that).
+ If this parameter is set to an empty string, it is ignored and a
+ system-dependent default is used.
+ This parameter can only be set in the
+ <code class="filename">postgresql.conf</code> file or on the server command line.
+ See <a class="xref" href="gssapi-auth.html" title="21.6. GSSAPI Authentication">Section 21.6</a> for more information.
+ </p></dd><dt id="GUC-KRB-CASEINS-USERS"><span class="term"><code class="varname">krb_caseins_users</code> (<code class="type">boolean</code>)
+ <a id="id-1.6.7.6.3.2.4.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Sets whether GSSAPI user names should be treated
+ case-insensitively.
+ The default is <code class="literal">off</code> (case sensitive). This parameter can only be
+ set in the <code class="filename">postgresql.conf</code> file or on the server command line.
+ </p></dd><dt id="GUC-DB-USER-NAMESPACE"><span class="term"><code class="varname">db_user_namespace</code> (<code class="type">boolean</code>)
+ <a id="id-1.6.7.6.3.2.5.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ This parameter enables per-database user names. It is off by default.
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ </p><p>
+ If this is on, you should create users as <em class="replaceable"><code>username@dbname</code></em>.
+ When <em class="replaceable"><code>username</code></em> is passed by a connecting client,
+ <code class="literal">@</code> and the database name are appended to the user
+ name and that database-specific user name is looked up by the
+ server. Note that when you create users with names containing
+ <code class="literal">@</code> within the SQL environment, you will need to
+ quote the user name.
+ </p><p>
+ With this parameter enabled, you can still create ordinary global
+ users. Simply append <code class="literal">@</code> when specifying the user
+ name in the client, e.g., <code class="literal">joe@</code>. The <code class="literal">@</code>
+ will be stripped off before the user name is looked up by the
+ server.
+ </p><p>
+ <code class="varname">db_user_namespace</code> causes the client's and
+ server's user name representation to differ.
+ Authentication checks are always done with the server's user name
+ so authentication methods must be configured for the
+ server's user name, not the client's. Because
+ <code class="literal">md5</code> uses the user name as salt on both the
+ client and server, <code class="literal">md5</code> cannot be used with
+ <code class="varname">db_user_namespace</code>.
+ </p><div class="note"><h3 class="title">Note</h3><p>
+ This feature is intended as a temporary measure until a
+ complete solution is found. At that time, this option will
+ be removed.
+ </p></div></dd></dl></div></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-SSL"><div class="titlepage"><div><div><h3 class="title">20.3.3. SSL</h3></div></div></div><p>
+ See <a class="xref" href="ssl-tcp.html" title="19.9. Secure TCP/IP Connections with SSL">Section 19.9</a> for more information about setting up
+ <acronym class="acronym">SSL</acronym>. The configuration parameters for controlling
+ transfer encryption using <acronym class="acronym">TLS</acronym> protocols are named
+ <code class="literal">ssl</code> for historic reasons, even though support for
+ the <acronym class="acronym">SSL</acronym> protocol has been deprecated.
+ <acronym class="acronym">SSL</acronym> is in this context used interchangeably with
+ <acronym class="acronym">TLS</acronym>.
+ </p><div class="variablelist"><dl class="variablelist"><dt id="GUC-SSL"><span class="term"><code class="varname">ssl</code> (<code class="type">boolean</code>)
+ <a id="id-1.6.7.6.4.3.1.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Enables <acronym class="acronym">SSL</acronym> connections.
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ The default is <code class="literal">off</code>.
+ </p></dd><dt id="GUC-SSL-CA-FILE"><span class="term"><code class="varname">ssl_ca_file</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.4.3.2.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the name of the file containing the SSL server certificate
+ authority (CA).
+ Relative paths are relative to the data directory.
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ The default is empty, meaning no CA file is loaded,
+ and client certificate verification is not performed.
+ </p></dd><dt id="GUC-SSL-CERT-FILE"><span class="term"><code class="varname">ssl_cert_file</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.4.3.3.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the name of the file containing the SSL server certificate.
+ Relative paths are relative to the data directory.
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ The default is <code class="filename">server.crt</code>.
+ </p></dd><dt id="GUC-SSL-CRL-FILE"><span class="term"><code class="varname">ssl_crl_file</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.4.3.4.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the name of the file containing the SSL client certificate
+ revocation list (CRL).
+ Relative paths are relative to the data directory.
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ The default is empty, meaning no CRL file is loaded (unless
+ <a class="xref" href="runtime-config-connection.html#GUC-SSL-CRL-DIR">ssl_crl_dir</a> is set).
+ </p></dd><dt id="GUC-SSL-CRL-DIR"><span class="term"><code class="varname">ssl_crl_dir</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.4.3.5.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the name of the directory containing the SSL client
+ certificate revocation list (CRL). Relative paths are relative to the
+ data directory. This parameter can only be set in
+ the <code class="filename">postgresql.conf</code> file or on the server command
+ line. The default is empty, meaning no CRLs are used (unless
+ <a class="xref" href="runtime-config-connection.html#GUC-SSL-CRL-FILE">ssl_crl_file</a> is set).
+ </p><p>
+ The directory needs to be prepared with the
+ <span class="productname">OpenSSL</span> command
+ <code class="literal">openssl rehash</code> or <code class="literal">c_rehash</code>. See
+ its documentation for details.
+ </p><p>
+ When using this setting, CRLs in the specified directory are loaded
+ on-demand at connection time. New CRLs can be added to the directory
+ and will be used immediately. This is unlike <a class="xref" href="runtime-config-connection.html#GUC-SSL-CRL-FILE">ssl_crl_file</a>, which causes the CRL in the file to be
+ loaded at server start time or when the configuration is reloaded.
+ Both settings can be used together.
+ </p></dd><dt id="GUC-SSL-KEY-FILE"><span class="term"><code class="varname">ssl_key_file</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.4.3.6.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the name of the file containing the SSL server private key.
+ Relative paths are relative to the data directory.
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ The default is <code class="filename">server.key</code>.
+ </p></dd><dt id="GUC-SSL-CIPHERS"><span class="term"><code class="varname">ssl_ciphers</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.4.3.7.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies a list of <acronym class="acronym">SSL</acronym> cipher suites that are
+ allowed to be used by SSL connections. See the
+ <span class="citerefentry"><span class="refentrytitle">ciphers</span></span>
+ manual page in the <span class="productname">OpenSSL</span> package for the
+ syntax of this setting and a list of supported values. Only
+ connections using TLS version 1.2 and lower are affected. There is
+ currently no setting that controls the cipher choices used by TLS
+ version 1.3 connections. The default value is
+ <code class="literal">HIGH:MEDIUM:+3DES:!aNULL</code>. The default is usually a
+ reasonable choice unless you have specific security requirements.
+ </p><p>
+ This parameter can only be set in the
+ <code class="filename">postgresql.conf</code> file or on the server command
+ line.
+ </p><p>
+ Explanation of the default value:
+ </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">HIGH</code></span></dt><dd><p>
+ Cipher suites that use ciphers from <code class="literal">HIGH</code> group (e.g.,
+ AES, Camellia, 3DES)
+ </p></dd><dt><span class="term"><code class="literal">MEDIUM</code></span></dt><dd><p>
+ Cipher suites that use ciphers from <code class="literal">MEDIUM</code> group
+ (e.g., RC4, SEED)
+ </p></dd><dt><span class="term"><code class="literal">+3DES</code></span></dt><dd><p>
+ The <span class="productname">OpenSSL</span> default order for
+ <code class="literal">HIGH</code> is problematic because it orders 3DES
+ higher than AES128. This is wrong because 3DES offers less
+ security than AES128, and it is also much slower.
+ <code class="literal">+3DES</code> reorders it after all other
+ <code class="literal">HIGH</code> and <code class="literal">MEDIUM</code> ciphers.
+ </p></dd><dt><span class="term"><code class="literal">!aNULL</code></span></dt><dd><p>
+ Disables anonymous cipher suites that do no authentication. Such
+ cipher suites are vulnerable to <acronym class="acronym">MITM</acronym> attacks and
+ therefore should not be used.
+ </p></dd></dl></div><p>
+ </p><p>
+ Available cipher suite details will vary across
+ <span class="productname">OpenSSL</span> versions. Use the command
+ <code class="literal">openssl ciphers -v 'HIGH:MEDIUM:+3DES:!aNULL'</code> to
+ see actual details for the currently installed
+ <span class="productname">OpenSSL</span> version. Note that this list is
+ filtered at run time based on the server key type.
+ </p></dd><dt id="GUC-SSL-PREFER-SERVER-CIPHERS"><span class="term"><code class="varname">ssl_prefer_server_ciphers</code> (<code class="type">boolean</code>)
+ <a id="id-1.6.7.6.4.3.8.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies whether to use the server's SSL cipher preferences, rather
+ than the client's.
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ The default is <code class="literal">on</code>.
+ </p><p>
+ Older PostgreSQL versions do not have this setting and always use the
+ client's preferences. This setting is mainly for backward
+ compatibility with those versions. Using the server's preferences is
+ usually better because it is more likely that the server is appropriately
+ configured.
+ </p></dd><dt id="GUC-SSL-ECDH-CURVE"><span class="term"><code class="varname">ssl_ecdh_curve</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.4.3.9.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the name of the curve to use in <acronym class="acronym">ECDH</acronym> key
+ exchange. It needs to be supported by all clients that connect.
+ It does not need to be the same curve used by the server's Elliptic
+ Curve key.
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ The default is <code class="literal">prime256v1</code>.
+ </p><p>
+ <span class="productname">OpenSSL</span> names for the most common curves
+ are:
+ <code class="literal">prime256v1</code> (NIST P-256),
+ <code class="literal">secp384r1</code> (NIST P-384),
+ <code class="literal">secp521r1</code> (NIST P-521).
+ The full list of available curves can be shown with the command
+ <code class="command">openssl ecparam -list_curves</code>. Not all of them
+ are usable in <acronym class="acronym">TLS</acronym> though.
+ </p></dd><dt id="GUC-SSL-MIN-PROTOCOL-VERSION"><span class="term"><code class="varname">ssl_min_protocol_version</code> (<code class="type">enum</code>)
+ <a id="id-1.6.7.6.4.3.10.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Sets the minimum SSL/TLS protocol version to use. Valid values are
+ currently: <code class="literal">TLSv1</code>, <code class="literal">TLSv1.1</code>,
+ <code class="literal">TLSv1.2</code>, <code class="literal">TLSv1.3</code>. Older
+ versions of the <span class="productname">OpenSSL</span> library do not
+ support all values; an error will be raised if an unsupported setting
+ is chosen. Protocol versions before TLS 1.0, namely SSL version 2 and
+ 3, are always disabled.
+ </p><p>
+ The default is <code class="literal">TLSv1.2</code>, which satisfies industry
+ best practices as of this writing.
+ </p><p>
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ </p></dd><dt id="GUC-SSL-MAX-PROTOCOL-VERSION"><span class="term"><code class="varname">ssl_max_protocol_version</code> (<code class="type">enum</code>)
+ <a id="id-1.6.7.6.4.3.11.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Sets the maximum SSL/TLS protocol version to use. Valid values are as
+ for <a class="xref" href="runtime-config-connection.html#GUC-SSL-MIN-PROTOCOL-VERSION">ssl_min_protocol_version</a>, with addition of
+ an empty string, which allows any protocol version. The default is to
+ allow any version. Setting the maximum protocol version is mainly
+ useful for testing or if some component has issues working with a
+ newer protocol.
+ </p><p>
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ </p></dd><dt id="GUC-SSL-DH-PARAMS-FILE"><span class="term"><code class="varname">ssl_dh_params_file</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.4.3.12.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Specifies the name of the file containing Diffie-Hellman parameters
+ used for so-called ephemeral DH family of SSL ciphers. The default is
+ empty, in which case compiled-in default DH parameters used. Using
+ custom DH parameters reduces the exposure if an attacker manages to
+ crack the well-known compiled-in DH parameters. You can create your own
+ DH parameters file with the command
+ <code class="command">openssl dhparam -out dhparams.pem 2048</code>.
+ </p><p>
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ </p></dd><dt id="GUC-SSL-PASSPHRASE-COMMAND"><span class="term"><code class="varname">ssl_passphrase_command</code> (<code class="type">string</code>)
+ <a id="id-1.6.7.6.4.3.13.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ Sets an external command to be invoked when a passphrase for
+ decrypting an SSL file such as a private key needs to be obtained. By
+ default, this parameter is empty, which means the built-in prompting
+ mechanism is used.
+ </p><p>
+ The command must print the passphrase to the standard output and exit
+ with code 0. In the parameter value, <code class="literal">%p</code> is
+ replaced by a prompt string. (Write <code class="literal">%%</code> for a
+ literal <code class="literal">%</code>.) Note that the prompt string will
+ probably contain whitespace, so be sure to quote adequately. A single
+ newline is stripped from the end of the output if present.
+ </p><p>
+ The command does not actually have to prompt the user for a
+ passphrase. It can read it from a file, obtain it from a keychain
+ facility, or similar. It is up to the user to make sure the chosen
+ mechanism is adequately secure.
+ </p><p>
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ </p></dd><dt id="GUC-SSL-PASSPHRASE-COMMAND-SUPPORTS-RELOAD"><span class="term"><code class="varname">ssl_passphrase_command_supports_reload</code> (<code class="type">boolean</code>)
+ <a id="id-1.6.7.6.4.3.14.1.3" class="indexterm"></a>
+ </span></dt><dd><p>
+ This parameter determines whether the passphrase command set by
+ <code class="varname">ssl_passphrase_command</code> will also be called during a
+ configuration reload if a key file needs a passphrase. If this
+ parameter is off (the default), then
+ <code class="varname">ssl_passphrase_command</code> will be ignored during a
+ reload and the SSL configuration will not be reloaded if a passphrase
+ is needed. That setting is appropriate for a command that requires a
+ TTY for prompting, which might not be available when the server is
+ running. Setting this parameter to on might be appropriate if the
+ passphrase is obtained from a file, for example.
+ </p><p>
+ This parameter can only be set in the <code class="filename">postgresql.conf</code>
+ file or on the server command line.
+ </p></dd></dl></div></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="runtime-config-file-locations.html" title="20.2. File Locations">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="runtime-config.html" title="Chapter 20. Server Configuration">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="runtime-config-resource.html" title="20.4. Resource Consumption">Next</a></td></tr><tr><td width="40%" align="left" valign="top">20.2. File Locations </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 15.5 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 20.4. Resource Consumption</td></tr></table></div></body></html> \ No newline at end of file