postgresql

26th chunk of `doc/src/sgml/libpq.sgml`
 establishing the TCP/IP connection. Traditional
        <productname>PostgreSQL</productname> protocol negotiation is the most
        flexible with different server configurations. If the server is known
        to support direct <acronym>SSL</acronym> connections, then the latter
        requires one fewer round trip, reducing connection latency, and also
        allows the use of protocol-agnostic SSL network tools. The direct SSL
        option was introduced in <productname>PostgreSQL</productname> version
        17.
       </para>

        <variablelist>
         <varlistentry>
          <term><literal>postgres</literal></term>
          <listitem>
           <para>
             perform <productname>PostgreSQL</productname> protocol
             negotiation. This is the default if the option is not provided.
           </para>
          </listitem>
         </varlistentry>

         <varlistentry>
          <term><literal>direct</literal></term>
          <listitem>
           <para>
            start the SSL handshake directly after establishing the TCP/IP
            connection.  This is only allowed with
            <literal>sslmode=require</literal> or higher, because the weaker
            settings could lead to an unintended fallback to plaintext
            authentication when the server does not support the direct SSL
            handshake.
           </para>
          </listitem>
         </varlistentry>
        </variablelist>
      </listitem>
     </varlistentry>

     <varlistentry id="libpq-connect-sslcompression" xreflabel="sslcompression">
      <term><literal>sslcompression</literal></term>
      <listitem>
       <para>
        If set to 1, data sent over SSL connections will be compressed.  If
        set to 0, compression will be disabled.  The default is 0.  This
        parameter is ignored if a connection without SSL is made.
       </para>

       <para>
        SSL compression is nowadays considered insecure and its use is no
        longer recommended.  <productname>OpenSSL</productname> 1.1.0 disabled
        compression by default, and many operating system distributions
        disabled it in prior versions as well, so setting this parameter to 1
        will not have any effect if the server does not accept compression.
        <productname>PostgreSQL</productname> 14 disabled compression
        completely in the backend.
       </para>

       <para>
        If security is not a primary concern, compression can improve
        throughput if the network is the bottleneck.  Disabling compression
        can improve response time and throughput if CPU performance is the
        limiting factor.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="libpq-connect-sslcert" xreflabel="sslcert">
      <term><literal>sslcert</literal></term>
      <listitem>
       <para>
        This parameter specifies the file name of the client SSL
        certificate, replacing the default
        <filename>~/.postgresql/postgresql.crt</filename>.
        This parameter is ignored if an SSL connection is not made.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="libpq-connect-sslkey" xreflabel="sslkey">
      <term><literal>sslkey</literal></term>
      <listitem>
       <para>
        This parameter specifies the location for the secret key used for
        the client certificate. It can either specify a file name that will
        be used instead of the default
        <filename>~/.postgresql/postgresql.key</filename>, or it can specify a key
        obtained from an external <quote>engine</quote> (engines are
        <productname>OpenSSL</productname> loadable modules).  An external engine
        specification should consist of a colon-separated engine name and
        an engine-specific key identifier.  This parameter is ignored if an
        SSL connection is not made.
       </para>
      </listitem>
     </varlistentry>
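The constraints documented for these keywords can be checked client-side before a connection string is handed to libpq. The following is an added example, not code from libpq or the PostgreSQL documentation; it assumes a simplified conninfo tokenizer and treats any <literal>sslkey</literal> value containing a colon that does not look like a file path as an engine specification (libpq itself also checks whether the string names an existing file).

```python
# Added example (not libpq's own code): check the SSL-related keywords of a
# libpq "keyword=value" connection string against the documented rules
# before handing it to PQconnectdb(). Runs offline, no database required.
import re

# libpq sslmode values, weakest to strongest ("prefer" is libpq's default).
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
# keyword = value, where value is single-quoted (with backslash escapes) or bare
TOKEN = re.compile(r"(\w+)\s*=\s*('(?:\\.|[^'])*'|\S+)")

def parse_conninfo(conninfo):
    """Split a keyword=value string into a dict (simplified libpq tokenizer)."""
    params = {}
    for key, raw in TOKEN.findall(conninfo):
        if raw.startswith("'"):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # strip quotes, unescape
        params[key] = raw
    return params

def check_ssl_params(conninfo):
    """Return (errors, warnings) for sslnegotiation/sslcompression/sslcert/sslkey."""
    p = parse_conninfo(conninfo)
    errors, warnings = [], []
    mode = p.get("sslmode", "prefer")
    if mode not in SSLMODES:
        return [f"unknown sslmode '{mode}'"], warnings
    ssl_possible = mode != "disable"
    neg = p.get("sslnegotiation", "postgres")
    if neg not in ("postgres", "direct"):
        errors.append(f"unknown sslnegotiation '{neg}'")
    elif neg == "direct" and SSLMODES.index(mode) < SSLMODES.index("require"):
        # weaker modes could silently fall back to a plaintext connection
        errors.append("sslnegotiation=direct requires sslmode=require or higher")
    if p.get("sslcompression", "0") == "1":
        if not ssl_possible:
            warnings.append("sslcompression is ignored without SSL")
        else:
            warnings.append("sslcompression=1 is insecure and has no effect "
                            "against PostgreSQL 14+ servers")
    for key in ("sslcert", "sslkey"):
        if key in p and not ssl_possible:
            warnings.append(f"{key} is ignored because sslmode=disable")
    sslkey = p.get("sslkey", "")
    if ":" in sslkey and not sslkey.startswith(("/", ".", "~")):
        engine, _, ident = sslkey.partition(":")  # "<engine>:<key-identifier>"
        if not engine or not ident:
            errors.append("sslkey engine spec must be '<engine>:<key-identifier>'")
    return errors, warnings
```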

     <varlistentry id="libpq-connect-sslkeylogfile"

Title: SSL Negotiation, Compression, Certificate, and Key Parameters