Debian 12 bookworm
Sponsored Link

PostgreSQL 15 : PostgreSQL over SSL/TLS2023/07/05

 
SSL/TLS connection to PostgreSQL.
[1] SSL/TLS is enabled by default, so it does not need to change settings if you don't have specific requirements to the system.
So SSL/TLS connection is enabled automatically if you connect to PostgreSQL via TCP.
# settings for SSL/TLS
# certificate is from the OS bundle

root@www:~#
grep -n ^ssl /etc/postgresql/15/main/postgresql.conf

105:ssl = on
107:ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
110:ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'

# settings for connection method

root@www:~#
grep -v -E '^#|^$' /etc/postgresql/15/main/pg_hba.conf

local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             ::1/128                 scram-sha-256
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            scram-sha-256
host    replication     all             ::1/128                 scram-sha-256


# to connect via socket that is the default, connection is not encrypted

debian@www:~$
psql testdb

psql (15.3 (Debian 15.3-0+deb12u1))
Type "help" for help.

testdb=> \q

# to connect via TCP, connection is encrypted

debian@www:~$
psql -h 127.0.0.1 -d testdb -U debian

Password for user debian:
psql (15.3 (Debian 15.3-0+deb12u1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)
Type "help" for help.

testdb=> select name as "Parameter name", setting as value, short_desc from pg_settings where name like '%ssl%';
             Parameter name             |                 value                  |                               short_desc     
----------------------------------------+----------------------------------------+-------------------------------------------------------------------------
 ssl                                    | on                                     | Enables SSL connections.
 ssl_ca_file                            |                                        | Location of the SSL certificate authority file.
 ssl_cert_file                          | /etc/ssl/certs/ssl-cert-snakeoil.pem   | Location of the SSL server certificate file.
 ssl_crl_dir                            |                                        | Location of the SSL certificate revocation list directory.
 ssl_crl_file                           |                                        | Location of the SSL certificate revocation list file.
 ssl_key_file                           | /etc/ssl/private/ssl-cert-snakeoil.key | Location of the SSL server private key file.
 ssl_library                            | OpenSSL                                | Shows the name of the SSL library.
 ssl_passphrase_command_supports_reload | off                                    | Controls whether ssl_passphrase_command is called during server reload.
 ssl_prefer_server_ciphers              | on                                     | Give priority to server ciphersuite order.
(9 rows)
Matched Content