postgresql

29th chunk of `doc/src/sgml/libpq.sgml`
  <filename>~/.postgresql/root.crt</filename>.
       </para>
       <para>
        The special value <literal>system</literal> may be specified instead, in
        which case the trusted CA roots from the SSL implementation will be loaded. The exact
        locations of these root certificates differ by SSL implementation and
        platform. For <productname>OpenSSL</productname> in particular, the
        locations may be further modified by the <envar>SSL_CERT_DIR</envar>
        and <envar>SSL_CERT_FILE</envar> environment variables.
       </para>
       <note>
        <para>
         When using <literal>sslrootcert=system</literal>, the default
         <literal>sslmode</literal> is changed to <literal>verify-full</literal>,
         and any weaker setting will result in an error. In most cases it is
         trivial for anyone to obtain a certificate trusted by the system for a
         hostname they control, rendering <literal>verify-ca</literal> and all
         weaker modes useless.
        </para>
        <para>
         The magic <literal>system</literal> value will take precedence over a
         local certificate file with the same name. If for some reason you find
         yourself in this situation, use an alternative path like
         <literal>sslrootcert=./system</literal> instead.
        </para>
       </note>
      </listitem>
     </varlistentry>

     <varlistentry id="libpq-connect-sslcrl" xreflabel="sslcrl">
      <term><literal>sslcrl</literal></term>
      <listitem>
       <para>
        This parameter specifies the file name of the SSL server certificate
        revocation list (CRL).  Certificates listed in this file, if it
        exists, will be rejected while attempting to authenticate the
        server's certificate.  If neither
        <xref linkend="libpq-connect-sslcrl"/> nor
        <xref linkend="libpq-connect-sslcrldir"/> is set, this setting is
        taken as
        <filename>~/.postgresql/root.crl</filename>.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="libpq-connect-sslcrldir" xreflabel="sslcrldir">
      <term><literal>sslcrldir</literal></term>
      <listitem>
       <para>
        This parameter specifies the directory name of the SSL server certificate
        revocation list (CRL).  Certificates listed in the files in this
        directory, if it exists, will be rejected while attempting to
        authenticate the server's certificate.
       </para>

       <para>
        The directory needs to be prepared with the
        <productname>OpenSSL</productname> command
        <literal>openssl rehash</literal> or <literal>c_rehash</literal>.  See
        its documentation for details.
       </para>

       <para>
        Both <literal>sslcrl</literal> and <literal>sslcrldir</literal> can be
        specified together.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="libpq-connect-sslsni" xreflabel="sslsni">
      <term><literal>sslsni</literal><indexterm><primary>Server Name Indication</primary></indexterm></term>
      <listitem>
       <para>
        If set to 1 (default), libpq sets the TLS extension <quote>Server Name
        Indication</quote> (<acronym>SNI</acronym>) on SSL-enabled connections.
        By setting this parameter to 0, this is turned off.
       </para>

       <para>
        The Server Name Indication can be used by SSL-aware proxies to route
        connections without having to decrypt the SSL stream.  (Note that
        unless the proxy is aware of the PostgreSQL protocol handshake this
        would require setting <literal>sslnegotiation</literal>
        to <literal>direct</literal>.)
        However, <acronym>SNI</acronym> makes the destination host name appear
        in cleartext in the network traffic, so it might be undesirable in
        some cases.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="libpq-connect-requirepeer" xreflabel="requirepeer">

Title: SSL Root Certificate, CRL, CRL Directory, and SNI Parameters
Summary
This section details several SSL-related connection parameters for libpq. It describes 'sslrootcert', which specifies the file containing SSL CA certificates. It also covers 'sslcrl' and 'sslcrldir', used to specify the SSL server certificate revocation list (CRL) file and directory, respectively. Finally, it discusses 'sslsni', which controls whether libpq sets the TLS Server Name Indication (SNI) extension on SSL-enabled connections.