mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Doc: update libpq.sgml for root-owned SSL private keys.

Browse Source 
My oversight in a59c79564.

Discussion: https://postgr.es/m/f4b7bc55-97ac-9e69-7398-335e212f7743@pgmasters.net
This commit is contained in:
Tom Lane 2022-03-02 11:29:11 -05:00
parent e58791c6ad
commit 50f03473ed
1 changed files with 19 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
doc/src/sgml/libpq.sgml
View File

@ -8397,23 +8397,35 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
<para> <para>
If the server attempts to verify the identity of the If the server attempts to verify the identity of the
client by requesting the client's leaf certificate, client by requesting the client's leaf certificate,
<application>libpq</application> will send the certificates stored in <application>libpq</application> will send the certificate(s) stored in
file <filename>~/.postgresql/postgresql.crt</filename> in the user's home file <filename>~/.postgresql/postgresql.crt</filename> in the user's home
directory. The certificates must chain to the root certificate trusted directory. The certificates must chain to the root certificate trusted
by the server. A matching by the server. A matching
private key file <filename>~/.postgresql/postgresql.key</filename> must also private key file <filename>~/.postgresql/postgresql.key</filename> must also
be present. The private be present.
key file must not allow any access to world or group; achieve this by the
command <command>chmod 0600 ~/.postgresql/postgresql.key</command>.
On Microsoft Windows these files are named On Microsoft Windows these files are named
<filename>%APPDATA%\postgresql\postgresql.crt</filename> and <filename>%APPDATA%\postgresql\postgresql.crt</filename> and
<filename>%APPDATA%\postgresql\postgresql.key</filename>, and there <filename>%APPDATA%\postgresql\postgresql.key</filename>.
is no special permissions check since the directory is presumed secure.
The location of the certificate and key files can be overridden by the The location of the certificate and key files can be overridden by the
connection parameters <literal>sslcert</literal> and <literal>sslkey</literal> or the connection parameters <literal>sslcert</literal>
and <literal>sslkey</literal>, or by the
environment variables <envar>PGSSLCERT</envar> and <envar>PGSSLKEY</envar>. environment variables <envar>PGSSLCERT</envar> and <envar>PGSSLKEY</envar>.
</para> </para>
<para>
On Unix systems, the permissions on the private key file must disallow
any access to world or group; achieve this by a command such as
<command>chmod 0600 ~/.postgresql/postgresql.key</command>.
Alternatively, the file can be owned by root and have group read access
(that is, <literal>0640</literal> permissions). That setup is intended
for installations where certificate and key files are managed by the
operating system. The user of <application>libpq</application> should
then be made a member of the group that has access to those certificate
and key files. (On Microsoft Windows, there is no file permissions
check, since the <filename>%APPDATA%\postgresql</filename> directory is
presumed secure.)
</para>
<para> <para>
The first certificate in <filename>postgresql.crt</filename> must be the The first certificate in <filename>postgresql.crt</filename> must be the
client's certificate because it must match the client's private key. client's certificate because it must match the client's private key.