postgresql

28th chunk of `doc/src/sgml/libpq.sgml`
 <productname>OpenSSL</productname>
        engines unless the engine uses the <productname>OpenSSL</productname>
        password callback mechanism for prompts.
       </para>
       <para>
        There is no environment variable equivalent to this option, and no
        facility for looking it up in <filename>.pgpass</filename>. It can be
        used in a service file connection definition. Users with
        more sophisticated uses should consider using <productname>OpenSSL</productname> engines and
        tools like PKCS#11 or USB crypto offload devices.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="libpq-connect-sslcertmode" xreflabel="sslcertmode">
      <term><literal>sslcertmode</literal></term>
      <listitem>
       <para>
        This option determines whether a client certificate may be sent to the
        server, and whether the server is required to request one. There are
        three modes:

        <variablelist>
         <varlistentry>
          <term><literal>disable</literal></term>
          <listitem>
           <para>
            A client certificate is never sent, even if one is available
            (default location or provided via
            <xref linkend="libpq-connect-sslcert" />).
           </para>
          </listitem>
         </varlistentry>

         <varlistentry>
          <term><literal>allow</literal> (default)</term>
          <listitem>
           <para>
            A certificate may be sent, if the server requests one and the
            client has one to send.
           </para>
          </listitem>
         </varlistentry>

         <varlistentry>
          <term><literal>require</literal></term>
          <listitem>
           <para>
            The server <emphasis>must</emphasis> request a certificate. The
            connection will fail if the client does not send a certificate and
            the server successfully authenticates the client anyway.
           </para>
          </listitem>
         </varlistentry>
        </variablelist>
       </para>

       <note>
        <para>
         <literal>sslcertmode=require</literal> doesn't add any additional
         security, since there is no guarantee that the server is validating
         the certificate correctly; PostgreSQL servers generally request TLS
         certificates from clients whether they validate them or not. The
         option may be useful when troubleshooting more complicated TLS
         setups.
        </para>
       </note>
      </listitem>
     </varlistentry>

     <varlistentry id="libpq-connect-sslrootcert" xreflabel="sslrootcert">
      <term><literal>sslrootcert</literal></term>
      <listitem>
       <para>
        This parameter specifies the name of a file containing SSL
        certificate authority (<acronym>CA</acronym>) certificate(s).
        If the file exists, the server's certificate will be verified
        to be signed by one of these authorities.  The default is
        <filename>~/.postgresql/root.crt</filename>.
       </para>
       <para>
        The special value <literal>system</literal> may be specified instead, in
        which case the trusted CA roots from the SSL implementation will be loaded. The exact
        locations of these root certificates differ by SSL implementation and
        platform. For <productname>OpenSSL</productname> in particular, the
        locations may be further modified by the <envar>SSL_CERT_DIR</envar>
        and <envar>SSL_CERT_FILE</envar> environment variables.
       </para>
       <note>
        <para>
         When using <literal>sslrootcert=system</literal>, the default
         <literal>sslmode</literal> is changed to <literal>verify-full</literal>,
         and any weaker setting will result in an error. In most cases it is
         trivial for anyone to obtain a certificate trusted by the system for a
         hostname they control, rendering <literal>verify-ca</literal> and all
         weaker modes

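The two rules described above (the three <literal>sslcertmode</literal> values, and the way <literal>sslrootcert=system</literal> tightens the default <literal>sslmode</literal> to <literal>verify-full</literal> and rejects weaker settings) are easy to misremember when composing connection strings. The following Python is an added example, not part of the libpq documentation or source: it models those documented rules so a connection string can be checked offline, without a server. The function names (<literal>parse_conninfo</literal>, <literal>effective_sslmode</literal>, <literal>client_cert_decision</literal>), the error texts and the sample host are this example's own; libpq's actual messages differ. It assumes libpq's normal default <literal>sslmode</literal> of <literal>prefer</literal> and its ordering of the <literal>sslmode</literal> values from weakest to strongest.

```python
# Added example: a model of libpq's documented sslcertmode and
# sslrootcert=system rules. Not libpq code; names and messages are this
# example's own.
import shlex

# libpq's sslmode values, ordered weakest to strongest (assumed ordering,
# matching the documented "any weaker setting will result in an error").
SSLMODE_ORDER = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
DEFAULT_SSLMODE = "prefer"          # libpq's usual default when sslmode is unset
DEFAULT_SSLCERTMODE = "allow"       # documented default for sslcertmode


def parse_conninfo(conninfo: str) -> dict:
    """Parse the keyword/value conninfo form ("host=x sslmode='verify-full'").

    Handles whitespace-separated key=value pairs with optional single quotes
    around the value; spaces around '=' are not supported in this model.
    """
    params = {}
    for token in shlex.split(conninfo):
        if "=" not in token:
            raise ValueError(f"missing '=' in conninfo token: {token!r}")
        key, value = token.split("=", 1)
        params[key.strip()] = value
    return params


def effective_sslmode(params: dict) -> str:
    """Resolve the sslmode that would actually apply.

    With sslrootcert=system the default becomes verify-full and anything
    weaker than verify-full is rejected; otherwise the normal default holds.
    """
    sslmode = params.get("sslmode", "")
    if sslmode and sslmode not in SSLMODE_ORDER:
        raise ValueError(f"invalid sslmode value: {sslmode!r}")
    if params.get("sslrootcert") == "system":
        if not sslmode:
            return "verify-full"
        if SSLMODE_ORDER.index(sslmode) < SSLMODE_ORDER.index("verify-full"):
            raise ValueError(
                f"weak sslmode value {sslmode!r} when sslrootcert=system; "
                "verify-ca and weaker modes give no assurance with system roots")
        return sslmode
    return sslmode or DEFAULT_SSLMODE


def client_cert_decision(sslcertmode: str, server_requests_cert: bool,
                         client_has_cert: bool):
    """Return (cert_sent, error) for one handshake under the given sslcertmode.

    server_requests_cert stands for the server asking for a client
    certificate; client_has_cert for a usable certificate (explicit sslcert or
    the default location). A non-None error means the connection would fail.
    """
    if sslcertmode not in ("disable", "allow", "require"):
        raise ValueError(f"invalid sslcertmode value: {sslcertmode!r}")
    if sslcertmode == "disable":
        cert_sent = False                       # never sent, even if available
    else:
        cert_sent = server_requests_cert and client_has_cert
    error = None
    if sslcertmode == "require" and not cert_sent:
        # Note: this adds no security on its own; the server may still not
        # validate the certificate. It is mainly a troubleshooting aid.
        error = "no client certificate was sent (server did not request one, or none available)"
    return cert_sent, error


def check_connection(conninfo: str, server_requests_cert: bool,
                     client_has_cert: bool) -> dict:
    """Combine both rules for a connection string; raises on invalid settings."""
    params = parse_conninfo(conninfo)
    sslcertmode = params.get("sslcertmode", DEFAULT_SSLCERTMODE)
    cert_sent, error = client_cert_decision(sslcertmode, server_requests_cert,
                                            client_has_cert)
    return {
        "sslmode": effective_sslmode(params),
        "sslcertmode": sslcertmode,
        "client_cert_sent": cert_sent,
        "error": error,
    }


if __name__ == "__main__":
    # Constructed sample connection string; db.example.com is a placeholder.
    sample = "host=db.example.com dbname=app sslrootcert=system sslcertmode=require"
    print(check_connection(sample, server_requests_cert=True, client_has_cert=True))
    try:
        check_connection("host=db.example.com sslrootcert=system sslmode=verify-ca",
                         server_requests_cert=True, client_has_cert=False)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the module prints the resolved settings for the sample string (sslmode resolves to <literal>verify-full</literal> because nothing was specified alongside <literal>sslrootcert=system</literal>) and then shows the rejection of <literal>sslmode=verify-ca</literal> with system roots. The same helpers can be pointed at a service-file definition by pasting its parameters into the conninfo form.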
Title: SSL Certificate Mode and Root Certificate Parameters
Summary
This section describes the 'sslcertmode' parameter which determines if the client can send a certificate to the server and if the server should request one. The modes are 'disable', 'allow', and 'require'. It also explains the 'sslrootcert' parameter which specifies the file containing SSL CA certificates used to verify the server's certificate. The special value 'system' can be used to load trusted CA roots from the SSL implementation.