summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/sslinfo.sgml
diff options
context:
space:
mode:
Diffstat (limited to 'doc/src/sgml/sslinfo.sgml')
-rw-r--r--doc/src/sgml/sslinfo.sgml263
1 files changed, 263 insertions, 0 deletions
diff --git a/doc/src/sgml/sslinfo.sgml b/doc/src/sgml/sslinfo.sgml
new file mode 100644
index 0000000..2a9c45a
--- /dev/null
+++ b/doc/src/sgml/sslinfo.sgml
@@ -0,0 +1,263 @@
+<!-- doc/src/sgml/sslinfo.sgml -->
+
+<sect1 id="sslinfo" xreflabel="sslinfo">
+ <title>sslinfo</title>
+
+ <indexterm zone="sslinfo">
+ <primary>sslinfo</primary>
+ </indexterm>
+
+ <para>
+ The <filename>sslinfo</filename> module provides information about the SSL
+ certificate that the current client provided when connecting to
+ <productname>PostgreSQL</productname>. The module is useless (most functions
+ will return NULL) if the current connection does not use SSL.
+ </para>
+
+ <para>
+ Some of the information available through this module can also be obtained
+ using the built-in system view <link linkend="monitoring-pg-stat-ssl-view">
+ <structname>pg_stat_ssl</structname></link>.
+ </para>
+
+ <para>
+ This extension won't build at all unless the installation was
+ configured with <literal>--with-ssl=openssl</literal>.
+ </para>
+
+ <sect2>
+ <title>Functions Provided</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>
+ <function>ssl_is_used() returns boolean</function>
+ <indexterm>
+ <primary>ssl_is_used</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Returns true if current connection to server uses SSL, and false
+ otherwise.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <function>ssl_version() returns text</function>
+ <indexterm>
+ <primary>ssl_version</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Returns the name of the protocol used for the SSL connection (e.g., TLSv1.0,
+ TLSv1.1, TLSv1.2 or TLSv1.3).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <function>ssl_cipher() returns text</function>
+ <indexterm>
+ <primary>ssl_cipher</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Returns the name of the cipher used for the SSL connection
+ (e.g., DHE-RSA-AES256-SHA).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <function>ssl_client_cert_present() returns boolean</function>
+ <indexterm>
+ <primary>ssl_client_cert_present</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Returns true if current client has presented a valid SSL client
+ certificate to the server, and false otherwise. (The server
+ might or might not be configured to require a client certificate.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <function>ssl_client_serial() returns numeric</function>
+ <indexterm>
+ <primary>ssl_client_serial</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Returns serial number of current client certificate. The combination of
+ certificate serial number and certificate issuer is guaranteed to
+ uniquely identify a certificate (but not its owner &mdash; the owner
+ ought to regularly change their keys, and get new certificates from the
+ issuer).
+ </para>
+
+ <para>
+ So, if you run your own CA and allow only certificates from this CA to
+ be accepted by the server, the serial number is the most reliable (albeit
+ not very mnemonic) means to identify a user.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <function>ssl_client_dn() returns text</function>
+ <indexterm>
+ <primary>ssl_client_dn</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Returns the full subject of the current client certificate, converting
+ character data into the current database encoding. It is assumed that
+ if you use non-ASCII characters in the certificate names, your
+ database is able to represent these characters, too. If your database
+ uses the SQL_ASCII encoding, non-ASCII characters in the name will be
+ represented as UTF-8 sequences.
+ </para>
+
+ <para>
+ The result looks like <literal>/CN=Somebody /C=Some country/O=Some organization</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <function>ssl_issuer_dn() returns text</function>
+ <indexterm>
+ <primary>ssl_issuer_dn</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Returns the full issuer name of the current client certificate, converting
+ character data into the current database encoding. Encoding conversions
+ are handled the same as for <function>ssl_client_dn</function>.
+ </para>
+ <para>
+ The combination of the return value of this function with the
+ certificate serial number uniquely identifies the certificate.
+ </para>
+ <para>
+ This function is really useful only if you have more than one trusted CA
+ certificate in your server's certificate authority file, or if this CA
+ has issued some intermediate certificate authority certificates.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <function>ssl_client_dn_field(fieldname text) returns text</function>
+ <indexterm>
+ <primary>ssl_client_dn_field</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ This function returns the value of the specified field in the
+ certificate subject, or NULL if the field is not present.
+ Field names are string constants that are converted into ASN1 object
+ identifiers using the <productname>OpenSSL</productname> object
+ database. The following values are acceptable:
+ </para>
+<literallayout class="monospaced">
+commonName (alias CN)
+surname (alias SN)
+name
+givenName (alias GN)
+countryName (alias C)
+localityName (alias L)
+stateOrProvinceName (alias ST)
+organizationName (alias O)
+organizationalUnitName (alias OU)
+title
+description
+initials
+postalCode
+streetAddress
+generationQualifier
+description
+dnQualifier
+x500UniqueIdentifier
+pseudonym
+role
+emailAddress
+</literallayout>
+ <para>
+ All of these fields are optional, except <structfield>commonName</structfield>.
+ It depends
+ entirely on your CA's policy which of them would be included and which
+ wouldn't. The meaning of these fields, however, is strictly defined by
+ the X.500 and X.509 standards, so you cannot just assign arbitrary
+ meaning to them.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <function>ssl_issuer_field(fieldname text) returns text</function>
+ <indexterm>
+ <primary>ssl_issuer_field</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Same as <function>ssl_client_dn_field</function>, but for the certificate issuer
+ rather than the certificate subject.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <function>ssl_extension_info() returns setof record</function>
+ <indexterm>
+ <primary>ssl_extension_info</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Provide information about extensions of client certificate: extension name,
+ extension value, and if it is a critical extension.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </sect2>
+
+ <sect2>
+ <title>Author</title>
+
+ <para>
+ Victor Wagner <email>vitus@cryptocom.ru</email>, Cryptocom LTD
+ </para>
+
+ <para>
+ Dmitry Voronin <email>carriingfate92@yandex.ru</email>
+ </para>
+
+ <para>
+ E-Mail of Cryptocom OpenSSL development group:
+ <email>openssl@cryptocom.ru</email>
+ </para>
+ </sect2>
+
+</sect1>