Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
Следить 1
В избранное 0
Вики 捐赠
gooderp18绿色标准版
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
ветка: master
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'master'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/libpq-ssl.html

237 lines
22KB
Исходник Постоянная ссылка Blame История 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>33.18. SSL Support</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="libpq-ldap.html" title="33.17. LDAP Lookup of Connection Parameters" /><link rel="next" href="libpq-threading.html" title="33.19. Behavior in Threaded Programs" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">33.18. SSL Support</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="libpq-ldap.html" title="33.17. LDAP Lookup of Connection Parameters">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="libpq.html" title="Chapter 33. libpq - C Library">Up</a></td><th width="60%" align="center">Chapter 33. <span xmlns="http://www.w3.org/1999/xhtml" class="application">libpq</span> - C Library</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="libpq-threading.html" title="33.19. Behavior in Threaded Programs">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="LIBPQ-SSL"><div class="titlepage"><div><div><h2 class="title" style="clear: both">33.18. SSL Support</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="libpq-ssl.html#LIBQ-SSL-CERTIFICATES">33.18.1. Client Verification of Server Certificates</a></span></dt><dt><span class="sect2"><a href="libpq-ssl.html#LIBPQ-SSL-CLIENTCERT">33.18.2. Client Certificates</a></span></dt><dt><span class="sect2"><a href="libpq-ssl.html#LIBPQ-SSL-PROTECTION">33.18.3. Protection Provided in Different Modes</a></span></dt><dt><span class="sect2"><a href="libpq-ssl.html#LIBPQ-SSL-FILEUSAGE">33.18.4. SSL Client File Usage</a></span></dt><dt><span class="sect2"><a href="libpq-ssl.html#LIBPQ-SSL-INITIALIZE">33.18.5. SSL Library Initialization</a></span></dt></dl></div><a id="id-1.7.3.25.2" class="indexterm"></a><p>

  3.    <span class="productname">PostgreSQL</span> has native support for using <acronym class="acronym">SSL</acronym>

  4.    connections to encrypt client/server communications for increased

  5.    security. See <a class="xref" href="ssl-tcp.html" title="18.9. Secure TCP/IP Connections with SSL">Section 18.9</a> for details about the server-side

  6.    <acronym class="acronym">SSL</acronym> functionality.

  7.   </p><p>

  8.    <span class="application">libpq</span> reads the system-wide

  9.    <span class="productname">OpenSSL</span> configuration file. By default, this

  10.    file is named <code class="filename">openssl.cnf</code> and is located in the

  11.    directory reported by <code class="literal">openssl version -d</code>.  This default

  12.    can be overridden by setting environment variable

  13.    <code class="envar">OPENSSL_CONF</code> to the name of the desired configuration

  14.    file.

  15.   </p><div class="sect2" id="LIBQ-SSL-CERTIFICATES"><div class="titlepage"><div><div><h3 class="title">33.18.1. Client Verification of Server Certificates</h3></div></div></div><p>

  16.    By default, <span class="productname">PostgreSQL</span> will not perform any verification of

  17.    the server certificate. This means that it is possible to spoof the server

  18.    identity (for example by modifying a DNS record or by taking over the server

  19.    IP address) without the client knowing. In order to prevent spoofing,

  20.    the client must be able to verify the server's identity via a chain of

  21.    trust.  A chain of trust is established by placing a root (self-signed)

  22.    certificate authority (<acronym class="acronym">CA</acronym>) certificate on one

  23.    computer and a leaf certificate <span class="emphasis"><em>signed</em></span> by the

  24.    root certificate on another computer.  It is also possible to use an

  25.    <span class="quote">“<span class="quote">intermediate</span>”</span> certificate which is signed by the root

  26.    certificate and signs leaf certificates.

  27.   </p><p>

  28.    To allow the client to verify the identity of the server, place a root

  29.    certificate on the client and a leaf certificate signed by the root

  30.    certificate on the server.  To allow the server to verify the identity

  31.    of the client, place a root certificate on the server and a leaf

  32.    certificate signed by the root certificate on the client.  One or more

  33.    intermediate certificates (usually stored with the leaf certificate)

  34.    can also be used to link the leaf certificate to the root certificate.

  35.   </p><p>

  36.    Once a chain of trust has been established, there are two ways for

  37.    the client to validate the leaf certificate sent by the server.

  38.    If the parameter <code class="literal">sslmode</code> is set to <code class="literal">verify-ca</code>,

  39.    libpq will verify that the server is trustworthy by checking the

  40.    certificate chain up to the root certificate stored on the client.

  41.    If <code class="literal">sslmode</code> is set to <code class="literal">verify-full</code>,

  42.    libpq will <span class="emphasis"><em>also</em></span> verify that the server host

  43.    name matches the name stored in the server certificate. The

  44.    SSL connection will fail if the server certificate cannot be

  45.    verified. <code class="literal">verify-full</code> is recommended in most

  46.    security-sensitive environments.

  47.   </p><p>

  48.    In <code class="literal">verify-full</code> mode, the host name is matched against the

  49.    certificate's Subject Alternative Name attribute(s), or against the

  50.    Common Name attribute if no Subject Alternative Name of type <code class="literal">dNSName</code> is

  51.    present.  If the certificate's name attribute starts with an asterisk

  52.    (<code class="literal">*</code>), the asterisk will be treated as

  53.    a wildcard, which will match all characters <span class="emphasis"><em>except</em></span> a dot

  54.    (<code class="literal">.</code>). This means the certificate will not match subdomains.

  55.    If the connection is made using an IP address instead of a host name, the

  56.    IP address will be matched (without doing any DNS lookups).

  57.   </p><p>

  58.    To allow server certificate verification, one or more root certificates

  59.    must be placed in the file <code class="filename">~/.postgresql/root.crt</code>

  60.    in the user's home directory.  (On Microsoft Windows the file is named

  61.    <code class="filename">%APPDATA%\postgresql\root.crt</code>.)  Intermediate

  62.    certificates should also be added to the file if they are needed to link

  63.    the certificate chain sent by the server to the root certificates

  64.    stored on the client.

  65.   </p><p>

  66.    Certificate Revocation List (CRL) entries are also checked

  67.    if the file <code class="filename">~/.postgresql/root.crl</code> exists

  68.    (<code class="filename">%APPDATA%\postgresql\root.crl</code> on Microsoft

  69.    Windows).

  70.   </p><p>

  71.    The location of the root certificate file and the CRL can be changed by

  72.    setting

  73.    the connection parameters <code class="literal">sslrootcert</code> and <code class="literal">sslcrl</code>

  74.    or the environment variables <code class="envar">PGSSLROOTCERT</code> and <code class="envar">PGSSLCRL</code>.

  75.   </p><div class="note"><h3 class="title">Note</h3><p>

  76.     For backwards compatibility with earlier versions of PostgreSQL, if a

  77.     root CA file exists, the behavior of

  78.     <code class="literal">sslmode</code>=<code class="literal">require</code> will be the same

  79.     as that of <code class="literal">verify-ca</code>, meaning the server certificate

  80.     is validated against the CA. Relying on this behavior is discouraged,

  81.     and applications that need certificate validation should always use

  82.     <code class="literal">verify-ca</code> or <code class="literal">verify-full</code>.

  83.    </p></div></div><div class="sect2" id="LIBPQ-SSL-CLIENTCERT"><div class="titlepage"><div><div><h3 class="title">33.18.2. Client Certificates</h3></div></div></div><p>

  84.    If the server attempts to verify the identity of the

  85.    client by requesting the client's leaf certificate,

  86.    <span class="application">libpq</span> will send the certificates stored in

  87.    file <code class="filename">~/.postgresql/postgresql.crt</code> in the user's home

  88.    directory.  The certificates must chain to the root certificate trusted

  89.    by the server.  A matching

  90.    private key file <code class="filename">~/.postgresql/postgresql.key</code> must also

  91.    be present. The private

  92.    key file must not allow any access to world or group; achieve this by the

  93.    command <code class="command">chmod 0600 ~/.postgresql/postgresql.key</code>.

  94.    On Microsoft Windows these files are named

  95.    <code class="filename">%APPDATA%\postgresql\postgresql.crt</code> and

  96.    <code class="filename">%APPDATA%\postgresql\postgresql.key</code>, and there

  97.    is no special permissions check since the directory is presumed secure.

  98.    The location of the certificate and key files can be overridden by the

  99.    connection parameters <code class="literal">sslcert</code> and <code class="literal">sslkey</code> or the

  100.    environment variables <code class="envar">PGSSLCERT</code> and <code class="envar">PGSSLKEY</code>.

  101.   </p><p>

  102.    The first certificate in <code class="filename">postgresql.crt</code> must be the

  103.    client's certificate because it must match the client's private key.

  104.    <span class="quote">“<span class="quote">Intermediate</span>”</span> certificates can be optionally appended

  105.    to the file — doing so avoids requiring storage of intermediate

  106.    certificates on the server (<a class="xref" href="runtime-config-connection.html#GUC-SSL-CA-FILE">ssl_ca_file</a>).

  107.   </p><p>

  108.    For instructions on creating certificates, see <a class="xref" href="ssl-tcp.html#SSL-CERTIFICATE-CREATION" title="18.9.5. Creating Certificates">Section 18.9.5</a>.

  109.   </p></div><div class="sect2" id="LIBPQ-SSL-PROTECTION"><div class="titlepage"><div><div><h3 class="title">33.18.3. Protection Provided in Different Modes</h3></div></div></div><p>

  110.    The different values for the <code class="literal">sslmode</code> parameter provide different

  111.    levels of protection. SSL can provide

  112.    protection against three types of attacks:

  113. 

  114.    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Eavesdropping</span></dt><dd><p>If a third party can examine the network traffic between the

  115.        client and the server, it can read both connection information (including

  116.        the user name and password) and the data that is passed. <acronym class="acronym">SSL</acronym>

  117.        uses encryption to prevent this.

  118.       </p></dd><dt><span class="term">Man in the middle (<acronym class="acronym">MITM</acronym>)</span></dt><dd><p>If a third party can modify the data while passing between the

  119.        client and server, it can pretend to be the server and therefore see and

  120.        modify data <span class="emphasis"><em>even if it is encrypted</em></span>. The third party can then

  121.        forward the connection information and data to the original server,

  122.        making it impossible to detect this attack. Common vectors to do this

  123.        include DNS poisoning and address hijacking, whereby the client is directed

  124.        to a different server than intended. There are also several other

  125.        attack methods that can accomplish this. <acronym class="acronym">SSL</acronym> uses certificate

  126.        verification to prevent this, by authenticating the server to the client.

  127.       </p></dd><dt><span class="term">Impersonation</span></dt><dd><p>If a third party can pretend to be an authorized client, it can

  128.        simply access data it should not have access to. Typically this can

  129.        happen through insecure password management. <acronym class="acronym">SSL</acronym> uses

  130.        client certificates to prevent this, by making sure that only holders

  131.        of valid certificates can access the server.

  132.       </p></dd></dl></div><p>

  133.   </p><p>

  134.    For a connection to be known SSL-secured, SSL usage must be configured

  135.    on <span class="emphasis"><em>both the client and the server</em></span> before the connection

  136.    is made. If it is only configured on the server, the client may end up

  137.    sending sensitive information (e.g. passwords) before

  138.    it knows that the server requires high security. In libpq, secure

  139.    connections can be ensured

  140.    by setting the <code class="literal">sslmode</code> parameter to <code class="literal">verify-full</code> or

  141.    <code class="literal">verify-ca</code>, and providing the system with a root certificate to

  142.    verify against. This is analogous to using an <code class="literal">https</code>

  143.    <acronym class="acronym">URL</acronym> for encrypted web browsing.

  144.   </p><p>

  145.    Once the server has been authenticated, the client can pass sensitive data.

  146.    This means that up until this point, the client does not need to know if

  147.    certificates will be used for authentication, making it safe to specify that

  148.    only in the server configuration.

  149.   </p><p>

  150.    All <acronym class="acronym">SSL</acronym> options carry overhead in the form of encryption and

  151.    key-exchange, so there is a trade-off that has to be made between performance

  152.    and security. <a class="xref" href="libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS" title="Table 33.1. SSL Mode Descriptions">Table 33.1</a>

  153.    illustrates the risks the different <code class="literal">sslmode</code> values

  154.    protect against, and what statement they make about security and overhead.

  155.   </p><div class="table" id="LIBPQ-SSL-SSLMODE-STATEMENTS"><p class="title"><strong>Table 33.1. SSL Mode Descriptions</strong></p><div class="table-contents"><table class="table" summary="SSL Mode Descriptions" border="1"><colgroup><col /><col /><col /><col /></colgroup><thead><tr><th><code class="literal">sslmode</code></th><th>Eavesdropping protection</th><th><acronym class="acronym">MITM</acronym> protection</th><th>Statement</th></tr></thead><tbody><tr><td><code class="literal">disable</code></td><td>No</td><td>No</td><td>I don't care about security, and I don't want to pay the overhead

  156.        of encryption.

  157.       </td></tr><tr><td><code class="literal">allow</code></td><td>Maybe</td><td>No</td><td>I don't care about security, but I will pay the overhead of

  158.        encryption if the server insists on it.

  159.       </td></tr><tr><td><code class="literal">prefer</code></td><td>Maybe</td><td>No</td><td>I don't care about encryption, but I wish to pay the overhead of

  160.        encryption if the server supports it.

  161.       </td></tr><tr><td><code class="literal">require</code></td><td>Yes</td><td>No</td><td>I want my data to be encrypted, and I accept the overhead. I trust

  162.        that the network will make sure I always connect to the server I want.

  163.       </td></tr><tr><td><code class="literal">verify-ca</code></td><td>Yes</td><td>Depends on CA policy</td><td>I want my data encrypted, and I accept the overhead. I want to be

  164.        sure that I connect to a server that I trust.

  165.       </td></tr><tr><td><code class="literal">verify-full</code></td><td>Yes</td><td>Yes</td><td>I want my data encrypted, and I accept the overhead. I want to be

  166.         sure that I connect to a server I trust, and that it's the one I

  167.         specify.

  168.        </td></tr></tbody></table></div></div><br class="table-break" /><p>

  169.    The difference between <code class="literal">verify-ca</code> and <code class="literal">verify-full</code>

  170.    depends on the policy of the root <acronym class="acronym">CA</acronym>. If a public

  171.    <acronym class="acronym">CA</acronym> is used, <code class="literal">verify-ca</code> allows connections to a server

  172.    that <span class="emphasis"><em>somebody else</em></span> may have registered with the <acronym class="acronym">CA</acronym>.

  173.    In this case, <code class="literal">verify-full</code> should always be used. If

  174.    a local <acronym class="acronym">CA</acronym> is used, or even a self-signed certificate, using

  175.    <code class="literal">verify-ca</code> often provides enough protection.

  176.   </p><p>

  177.    The default value for <code class="literal">sslmode</code> is <code class="literal">prefer</code>. As is shown

  178.    in the table, this makes no sense from a security point of view, and it only

  179.    promises performance overhead if possible. It is only provided as the default

  180.    for backward compatibility, and is not recommended in secure deployments.

  181.   </p></div><div class="sect2" id="LIBPQ-SSL-FILEUSAGE"><div class="titlepage"><div><div><h3 class="title">33.18.4. SSL Client File Usage</h3></div></div></div><p>

  182.    <a class="xref" href="libpq-ssl.html#LIBPQ-SSL-FILE-USAGE" title="Table 33.2. Libpq/Client SSL File Usage">Table 33.2</a> summarizes the files that are

  183.    relevant to the SSL setup on the client.

  184.   </p><div class="table" id="LIBPQ-SSL-FILE-USAGE"><p class="title"><strong>Table 33.2. Libpq/Client SSL File Usage</strong></p><div class="table-contents"><table class="table" summary="Libpq/Client SSL File Usage" border="1"><colgroup><col /><col /><col /></colgroup><thead><tr><th>File</th><th>Contents</th><th>Effect</th></tr></thead><tbody><tr><td><code class="filename">~/.postgresql/postgresql.crt</code></td><td>client certificate</td><td>requested by server</td></tr><tr><td><code class="filename">~/.postgresql/postgresql.key</code></td><td>client private key</td><td>proves client certificate sent by owner; does not indicate

  185.       certificate owner is trustworthy</td></tr><tr><td><code class="filename">~/.postgresql/root.crt</code></td><td>trusted certificate authorities</td><td>checks that server certificate is signed by a trusted certificate

  186.       authority</td></tr><tr><td><code class="filename">~/.postgresql/root.crl</code></td><td>certificates revoked by certificate authorities</td><td>server certificate must not be on this list</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="sect2" id="LIBPQ-SSL-INITIALIZE"><div class="titlepage"><div><div><h3 class="title">33.18.5. SSL Library Initialization</h3></div></div></div><p>

  187.    If your application initializes <code class="literal">libssl</code> and/or

  188.    <code class="literal">libcrypto</code> libraries and <span class="application">libpq</span>

  189.    is built with <acronym class="acronym">SSL</acronym> support, you should call

  190.    <code class="function">PQinitOpenSSL</code> to tell <span class="application">libpq</span>

  191.    that the <code class="literal">libssl</code> and/or <code class="literal">libcrypto</code> libraries

  192.    have been initialized by your application, so that

  193.    <span class="application">libpq</span> will not also initialize those libraries.

  194.   </p><p>

  195.    </p><div class="variablelist"><dl class="variablelist"><dt id="LIBPQ-PQINITOPENSSL"><span class="term">

  196.       <code class="function">PQinitOpenSSL</code>

  197.       <a id="id-1.7.3.25.9.3.1.1.1.2" class="indexterm"></a>

  198.      </span></dt><dd><p>

  199.        Allows applications to select which security libraries to initialize.

  200. </p><pre class="synopsis">

  201. void PQinitOpenSSL(int do_ssl, int do_crypto);

  202. </pre><p>

  203.       </p><p>

  204.        When <em class="parameter"><code>do_ssl</code></em> is non-zero, <span class="application">libpq</span>

  205.        will initialize the <span class="application">OpenSSL</span> library before first

  206.        opening a database connection.  When <em class="parameter"><code>do_crypto</code></em> is

  207.        non-zero, the <code class="literal">libcrypto</code> library will be initialized.  By

  208.        default (if <code class="function">PQinitOpenSSL</code> is not called), both libraries

  209.        are initialized.  When SSL support is not compiled in, this function is

  210.        present but does nothing.

  211.       </p><p>

  212.        If your application uses and initializes either <span class="application">OpenSSL</span>

  213.        or its underlying <code class="literal">libcrypto</code> library, you <span class="emphasis"><em>must</em></span>

  214.        call this function with zeroes for the appropriate parameter(s)

  215.        before first opening a database connection.  Also be sure that you

  216.        have done that initialization before opening a database connection.

  217.       </p></dd><dt id="LIBPQ-PQINITSSL"><span class="term">

  218.       <code class="function">PQinitSSL</code>

  219.       <a id="id-1.7.3.25.9.3.1.2.1.2" class="indexterm"></a>

  220.      </span></dt><dd><p>

  221.        Allows applications to select which security libraries to initialize.

  222. </p><pre class="synopsis">

  223. void PQinitSSL(int do_ssl);

  224. </pre><p>

  225.       </p><p>

  226.        This function is equivalent to

  227.        <code class="literal">PQinitOpenSSL(do_ssl, do_ssl)</code>.

  228.        It is sufficient for applications that initialize both or neither

  229.        of <span class="application">OpenSSL</span> and <code class="literal">libcrypto</code>.

  230.       </p><p>

  231.        <code class="function">PQinitSSL</code> has been present since

  232.        <span class="productname">PostgreSQL</span> 8.0, while <code class="function">PQinitOpenSSL</code>

  233.        was added in <span class="productname">PostgreSQL</span> 8.4, so <code class="function">PQinitSSL</code>

  234.        might be preferable for applications that need to work with older

  235.        versions of <span class="application">libpq</span>.

  236.       </p></dd></dl></div><p>

  237.   </p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="libpq-ldap.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="libpq.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="libpq-threading.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">33.17. LDAP Lookup of Connection Parameters </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 33.19. Behavior in Threaded Programs</td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1