postgresql

20th chunk of `doc/src/sgml/config.sgml`
    <listitem>
       <para>
        Specifies the name of the file containing the SSL client certificate
        revocation list (CRL).
        Relative paths are relative to the data directory.
        This parameter can only be set in the <filename>postgresql.conf</filename>
        file or on the server command line.
        The default is empty, meaning no CRL file is loaded (unless
        <xref linkend="guc-ssl-crl-dir"/> is set).
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-ssl-crl-dir" xreflabel="ssl_crl_dir">
      <term><varname>ssl_crl_dir</varname> (<type>string</type>)
      <indexterm>
       <primary><varname>ssl_crl_dir</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Specifies the name of the directory containing the SSL client
        certificate revocation list (CRL).  Relative paths are relative to the
        data directory.  This parameter can only be set in
        the <filename>postgresql.conf</filename> file or on the server command
        line.  The default is empty, meaning no CRLs are used (unless
        <xref linkend="guc-ssl-crl-file"/> is set).
       </para>

       <para>
        The directory needs to be prepared with the
        <productname>OpenSSL</productname> command
        <literal>openssl rehash</literal> or <literal>c_rehash</literal>.  See
        its documentation for details.
       </para>

       <para>
        When using this setting, CRLs in the specified directory are loaded
        on-demand at connection time.  New CRLs can be added to the directory
        and will be used immediately.  This is unlike <xref
        linkend="guc-ssl-crl-file"/>, which causes the CRL in the file to be
        loaded at server start time or when the configuration is reloaded.
        Both settings can be used together.
       </para>
      </listitem>
     </varlistentry>
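The paragraphs above say that the directory named by ssl_crl_dir must be prepared with `openssl rehash`, and that CRLs in it are looked up on demand. The following POSIX shell check is an added example, not part of the PostgreSQL documentation or source: it reports CRL files that are not reachable through the `<subject-hash>.rN` symlinks that `openssl rehash` creates, which OpenSSL's lookup silently skips. It assumes the standard OpenSSL layout (8 lowercase hex characters, then `.r0`, `.r1`, ...); the directory contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not PostgreSQL's own code). Checks that a directory intended
# for ssl_crl_dir has been prepared with `openssl rehash`: OpenSSL's on-demand
# lookup only opens entries named <subject-hash>.rN, so a CRL copied into the
# directory without rehashing is never consulted and revocations are missed.

# check_crl_dir DIR
# Prints each regular file in DIR that is neither a hashed CRL entry nor the
# target of one. Returns 0 when every CRL is reachable, 1 otherwise.
check_crl_dir() {
    dir=$1
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and no-match globs
        name=${f##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].r[0-9]*)
                continue ;;              # hashed entry: found by the lookup
        esac
        # A plain file is only usable if some hash link points at it.
        linked=0
        for l in "$dir"/*.r[0-9]*; do
            [ -L "$l" ] || continue
            case $(readlink "$l") in
                "$name"|"$f") linked=1 ;;
            esac
        done
        if [ "$linked" -eq 0 ]; then
            echo "not reachable by hash lookup: $name (run: openssl rehash $dir)"
            status=1
        fi
    done
    return $status
}

# Usage: check_crl_dir /path/to/pgdata/crl
```

Run it after every CRL update, since adding a file to ssl_crl_dir without rehashing gives no error from the server and the new CRL is simply not used.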

     <varlistentry id="guc-ssl-key-file" xreflabel="ssl_key_file">
      <term><varname>ssl_key_file</varname> (<type>string</type>)
      <indexterm>
       <primary><varname>ssl_key_file</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Specifies the name of the file containing the SSL server private key.
        Relative paths are relative to the data directory.
        This parameter can only be set in the <filename>postgresql.conf</filename>
        file or on the server command line.
        The default is <filename>server.key</filename>.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-ssl-tls13-ciphers" xreflabel="ssl_tls13_ciphers">
      <term><varname>ssl_tls13_ciphers</varname> (<type>string</type>)
      <indexterm>
       <primary><varname>ssl_tls13_ciphers</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Specifies a list of cipher suites that are allowed by connections using
        <acronym>TLS</acronym> version 1.3.  Multiple cipher suites can be
        specified as a colon-separated list.  If left blank, the default
        set of cipher suites in <productname>OpenSSL</productname> will be used.
       </para>

       <para>
        This parameter can only be set in the
        <filename>postgresql.conf</filename> file or on the server command
        line.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-ssl-ciphers" xreflabel="ssl_ciphers">
      <term><varname>ssl_ciphers</varname> (<type>string</type>)
      <indexterm>
       <primary><varname>ssl_ciphers</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Specifies a list of <acronym>SSL</acronym> ciphers that are allowed by
        connections using TLS version 1.2 and lower; see
        <xref linkend="guc-ssl-tls13-ciphers"/> for TLS version 1.3 connections.  See
        the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry>
