postgresql

24th chunk of `doc/src/sgml/config.sgml`
 ephemeral DH family of SSL ciphers. The default is
        empty, in which case compiled-in default DH parameters are used. Using
        custom DH parameters reduces the exposure if an attacker manages to
        crack the well-known compiled-in DH parameters. You can create your own
        DH parameters file with the command
        <command>openssl dhparam -out dhparams.pem 2048</command>.
       </para>

       <para>
        This parameter can only be set in the <filename>postgresql.conf</filename>
        file or on the server command line.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-ssl-passphrase-command" xreflabel="ssl_passphrase_command">
      <term><varname>ssl_passphrase_command</varname> (<type>string</type>)
      <indexterm>
       <primary><varname>ssl_passphrase_command</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Sets an external command to be invoked when a passphrase for
        decrypting an SSL file such as a private key needs to be obtained.  By
        default, this parameter is empty, which means the built-in prompting
        mechanism is used.
       </para>
       <para>
        The command must print the passphrase to the standard output and exit
        with code 0.  In the parameter value, <literal>%p</literal> is
        replaced by a prompt string.  (Write <literal>%%</literal> for a
        literal <literal>%</literal>.)  Note that the prompt string will
        probably contain whitespace, so be sure to quote adequately.  A single
        newline is stripped from the end of the output if present.
       </para>
       <para>
        The command does not actually have to prompt the user for a
        passphrase.  It can read it from a file, obtain it from a keychain
        facility, or similar.  It is up to the user to make sure the chosen
        mechanism is adequately secure.
       </para>
       <para>
        This parameter can only be set in the <filename>postgresql.conf</filename>
        file or on the server command line.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-ssl-passphrase-command-supports-reload" xreflabel="ssl_passphrase_command_supports_reload">
      <term><varname>ssl_passphrase_command_supports_reload</varname> (<type>boolean</type>)
      <indexterm>
       <primary><varname>ssl_passphrase_command_supports_reload</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        This parameter determines whether the passphrase command set by
        <varname>ssl_passphrase_command</varname> will also be called during a
        configuration reload if a key file needs a passphrase.  If this
        parameter is off (the default), then
        <varname>ssl_passphrase_command</varname> will be ignored during a
        reload and the SSL configuration will not be reloaded if a passphrase
        is needed.  That setting is appropriate for a command that requires a
        TTY for prompting, which might not be available when the server is
        running.  Setting this parameter to on might be appropriate if the
        passphrase is obtained from a file, for example.
       </para>
       <para>
        This parameter can only be set in the <filename>postgresql.conf</filename>
        file or on the server command line.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
    </sect2>
   </sect1>

   <sect1 id="runtime-config-resource">
    <title>Resource Consumption</title>

    <sect2 id="runtime-config-resource-memory">
     <title>Memory</title>

     <variablelist>
     <varlistentry id="guc-shared-buffers" xreflabel="shared_buffers">
      <term><varname>shared_buffers</varname> (<type>integer</type>)
      <indexterm>
       <primary><varname>shared_buffers</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
   

Title: SSL Passphrase Command and Configuration Reload
Summary
This section details parameters for handling SSL passphrase decryption. `ssl_passphrase_command` specifies an external command to retrieve the passphrase for decrypting SSL files, like private keys, instead of using the built-in prompt. The command must output the passphrase to standard output and exit with code 0. In the parameter value, `%p` is replaced by a prompt string. The section also covers `ssl_passphrase_command_supports_reload`, which determines whether the passphrase command is called during a configuration reload if a passphrase is required. If it is disabled (the default), the command is ignored during a reload and the SSL configuration is not reloaded. Both parameters are configurable only in `postgresql.conf` or via the server command line. The document then transitions into the "Resource Consumption" section and covers memory-related parameters such as `shared_buffers`.
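
A non-interactive helper of the kind the `ssl_passphrase_command` text describes, as an added example that is not part of the PostgreSQL documentation: it reads the passphrase from a file, refuses a file that group or others can access, and prints the passphrase on standard output with exit code 0. The script path, the passphrase file path and the prompt text are assumptions.

```shell
#!/bin/sh
# Added example, not PostgreSQL's own code. Paths and names are hypothetical.
# Matching postgresql.conf lines:
#   ssl_passphrase_command = '/usr/local/bin/pg-key-passphrase "%p"'
#   ssl_passphrase_command_supports_reload = on    # helper needs no TTY
# "%p" is double-quoted because the prompt string contains whitespace.

PASSFILE=${PASSFILE:-/etc/postgresql/ssl/server.key.pass}   # hypothetical

# Print the passphrase on stdout and return 0. On any problem, print a
# diagnostic on stderr (never the secret) and return non-zero.
emit_passphrase() {
    prompt=$1                 # text substituted for %p, used for diagnostics
    file=${2:-$PASSFILE}
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "passphrase helper: $file is not a regular file ($prompt)" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "passphrase helper: $file is accessible to group/other" >&2
        return 2
    fi
    # Read the first line; tolerate a file with no trailing newline.
    IFS= read -r pass < "$file" || :
    if [ -z "$pass" ]; then
        echo "passphrase helper: $file is empty" >&2
        return 3
    fi
    # The server strips a single trailing newline from the output.
    printf '%s\n' "$pass"
}

# Constructed demo: a throwaway file, first private, then group-readable.
demo=$(mktemp)
printf 'constructed-passphrase\n' > "$demo"
chmod 600 "$demo"
emit_passphrase "constructed prompt" "$demo"
chmod 640 "$demo"
emit_passphrase "constructed prompt" "$demo" || echo "refused, rc=$?"
rm -f "$demo"
```

Installed as the command, the script would end with `emit_passphrase "$1"` in place of the demo lines.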