Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
Прати 1
Волим 0
Вики 捐赠
gooderp18绿色标准版
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Грана: master
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/ssl-tcp.html

251 lines
20KB
Датотека Пермалинк Blame Историја 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>18.9. Secure TCP/IP Connections with SSL</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="encryption-options.html" title="18.8. Encryption Options" /><link rel="next" href="gssapi-enc.html" title="18.10. Secure TCP/IP Connections with GSSAPI Encryption" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">18.9. Secure TCP/IP Connections with SSL</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="encryption-options.html" title="18.8. Encryption Options">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="runtime.html" title="Chapter 18. Server Setup and Operation">Up</a></td><th width="60%" align="center">Chapter 18. Server Setup and Operation</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="gssapi-enc.html" title="18.10. Secure TCP/IP Connections with GSSAPI Encryption">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="SSL-TCP"><div class="titlepage"><div><div><h2 class="title" style="clear: both">18.9. Secure TCP/IP Connections with SSL</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="ssl-tcp.html#SSL-SETUP">18.9.1. Basic Setup</a></span></dt><dt><span class="sect2"><a href="ssl-tcp.html#SSL-OPENSSL-CONFIG">18.9.2. OpenSSL Configuration</a></span></dt><dt><span class="sect2"><a href="ssl-tcp.html#SSL-CLIENT-CERTIFICATES">18.9.3. Using Client Certificates</a></span></dt><dt><span class="sect2"><a href="ssl-tcp.html#SSL-SERVER-FILES">18.9.4. SSL Server File Usage</a></span></dt><dt><span class="sect2"><a href="ssl-tcp.html#SSL-CERTIFICATE-CREATION">18.9.5. Creating Certificates</a></span></dt></dl></div><a id="id-1.6.5.11.2" class="indexterm"></a><p>

  3.    <span class="productname">PostgreSQL</span> has native support for using

  4.    <acronym class="acronym">SSL</acronym> connections to encrypt client/server communications

  5.    for increased security. This requires that

  6.    <span class="productname">OpenSSL</span> is installed on both client and

  7.    server systems and that support in <span class="productname">PostgreSQL</span> is

  8.    enabled at build time (see <a class="xref" href="installation.html" title="Chapter 16. Installation from Source Code">Chapter 16</a>).

  9.   </p><div class="sect2" id="SSL-SETUP"><div class="titlepage"><div><div><h3 class="title">18.9.1. Basic Setup</h3></div></div></div><p>

  10.    With <acronym class="acronym">SSL</acronym> support compiled in, the

  11.    <span class="productname">PostgreSQL</span> server can be started with

  12.    <acronym class="acronym">SSL</acronym> enabled by setting the parameter

  13.    <a class="xref" href="runtime-config-connection.html#GUC-SSL">ssl</a> to <code class="literal">on</code> in

  14.    <code class="filename">postgresql.conf</code>.  The server will listen for both normal

  15.    and <acronym class="acronym">SSL</acronym> connections on the same TCP port, and will negotiate

  16.    with any connecting client on whether to use <acronym class="acronym">SSL</acronym>.  By

  17.    default, this is at the client's option; see <a class="xref" href="auth-pg-hba-conf.html" title="20.1. The pg_hba.conf File">Section 20.1</a> about how to set up the server to require

  18.    use of <acronym class="acronym">SSL</acronym> for some or all connections.

  19.   </p><p>

  20.    To start in <acronym class="acronym">SSL</acronym> mode, files containing the server certificate

  21.    and private key must exist.  By default, these files are expected to be

  22.    named <code class="filename">server.crt</code> and <code class="filename">server.key</code>, respectively, in

  23.    the server's data directory, but other names and locations can be specified

  24.    using the configuration parameters <a class="xref" href="runtime-config-connection.html#GUC-SSL-CERT-FILE">ssl_cert_file</a>

  25.    and <a class="xref" href="runtime-config-connection.html#GUC-SSL-KEY-FILE">ssl_key_file</a>.

  26.   </p><p>

  27.    On Unix systems, the permissions on <code class="filename">server.key</code> must

  28.    disallow any access to world or group; achieve this by the command

  29.    <code class="command">chmod 0600 server.key</code>.  Alternatively, the file can be

  30.    owned by root and have group read access (that is, <code class="literal">0640</code>

  31.    permissions).  That setup is intended for installations where certificate

  32.    and key files are managed by the operating system.  The user under which

  33.    the <span class="productname">PostgreSQL</span> server runs should then be made a

  34.    member of the group that has access to those certificate and key files.

  35.   </p><p>

  36.     If the data directory allows group read access then certificate files may

  37.     need to be located outside of the data directory in order to conform to the

  38.     security requirements outlined above.  Generally, group access is enabled

  39.     to allow an unprivileged user to backup the database, and in that case the

  40.     backup software will not be able to read the certificate files and will

  41.     likely error.

  42.   </p><p>

  43.    If the private key is protected with a passphrase, the

  44.    server will prompt for the passphrase and will not start until it has

  45.    been entered.

  46.    Using a passphrase by default disables the ability to change the server's

  47.    SSL configuration without a server restart, but see <a class="xref" href="runtime-config-connection.html#GUC-SSL-PASSPHRASE-COMMAND-SUPPORTS-RELOAD">ssl_passphrase_command_supports_reload</a>.

  48.    Furthermore, passphrase-protected private keys cannot be used at all

  49.    on Windows.

  50.   </p><p>

  51.    The first certificate in <code class="filename">server.crt</code> must be the

  52.    server's certificate because it must match the server's private key.

  53.    The certificates of <span class="quote">“<span class="quote">intermediate</span>”</span> certificate authorities

  54.    can also be appended to the file.  Doing this avoids the necessity of

  55.    storing intermediate certificates on clients, assuming the root and

  56.    intermediate certificates were created with <code class="literal">v3_ca</code>

  57.    extensions.  This allows easier expiration of intermediate certificates.

  58.   </p><p>

  59.    It is not necessary to add the root certificate to

  60.    <code class="filename">server.crt</code>.  Instead, clients must have the root

  61.    certificate of the server's certificate chain.

  62.   </p></div><div class="sect2" id="SSL-OPENSSL-CONFIG"><div class="titlepage"><div><div><h3 class="title">18.9.2. OpenSSL Configuration</h3></div></div></div><p>

  63.    <span class="productname">PostgreSQL</span> reads the system-wide

  64.    <span class="productname">OpenSSL</span> configuration file. By default, this

  65.    file is named <code class="filename">openssl.cnf</code> and is located in the

  66.    directory reported by <code class="literal">openssl version -d</code>.

  67.    This default can be overridden by setting environment variable

  68.    <code class="envar">OPENSSL_CONF</code> to the name of the desired configuration file.

  69.   </p><p>

  70.    <span class="productname">OpenSSL</span> supports a wide range of ciphers

  71.    and authentication algorithms, of varying strength.  While a list of

  72.    ciphers can be specified in the <span class="productname">OpenSSL</span>

  73.    configuration file, you can specify ciphers specifically for use by

  74.    the database server by modifying <a class="xref" href="runtime-config-connection.html#GUC-SSL-CIPHERS">ssl_ciphers</a> in

  75.    <code class="filename">postgresql.conf</code>.

  76.   </p><div class="note"><h3 class="title">Note</h3><p>

  77.     It is possible to have authentication without encryption overhead by

  78.     using <code class="literal">NULL-SHA</code> or <code class="literal">NULL-MD5</code> ciphers.  However,

  79.     a man-in-the-middle could read and pass communications between client

  80.     and server.  Also, encryption overhead is minimal compared to the

  81.     overhead of authentication.  For these reasons NULL ciphers are not

  82.     recommended.

  83.    </p></div></div><div class="sect2" id="SSL-CLIENT-CERTIFICATES"><div class="titlepage"><div><div><h3 class="title">18.9.3. Using Client Certificates</h3></div></div></div><p>

  84.    To require the client to supply a trusted certificate,

  85.    place certificates of the root certificate authorities

  86.    (<acronym class="acronym">CA</acronym>s) you trust in a file in the data

  87.    directory, set the parameter <a class="xref" href="runtime-config-connection.html#GUC-SSL-CA-FILE">ssl_ca_file</a> in

  88.    <code class="filename">postgresql.conf</code> to the new file name, and add the

  89.    authentication option <code class="literal">clientcert=verify-ca</code> or

  90.    <code class="literal">clientcert=verify-full</code> to the appropriate

  91.    <code class="literal">hostssl</code> line(s) in <code class="filename">pg_hba.conf</code>.

  92.    A certificate will then be requested from the client during SSL

  93.    connection startup.  (See <a class="xref" href="libpq-ssl.html" title="33.18. SSL Support">Section 33.18</a> for a description

  94.    of how to set up certificates on the client.)

  95.   </p><p>

  96.    For a <code class="literal">hostssl</code> entry with

  97.    <code class="literal">clientcert=verify-ca</code>, the server will verify

  98.    that the client's certificate is signed by one of the trusted

  99.    certificate authorities. If <code class="literal">clientcert=verify-full</code>

  100.    is specified, the server will not only verify the certificate

  101.    chain, but it will also check whether the username or its mapping

  102.    matches the <code class="literal">cn</code> (Common Name) of the provided certificate.

  103.    Note that certificate chain validation is always ensured when the

  104.    <code class="literal">cert</code> authentication method is used

  105.    (see <a class="xref" href="auth-cert.html" title="20.12. Certificate Authentication">Section 20.12</a>).

  106.   </p><p>

  107.    Intermediate certificates that chain up to existing root certificates

  108.    can also appear in the <a class="xref" href="runtime-config-connection.html#GUC-SSL-CA-FILE">ssl_ca_file</a> file if

  109.    you wish to avoid storing them on clients (assuming the root and

  110.    intermediate certificates were created with <code class="literal">v3_ca</code>

  111.    extensions).  Certificate Revocation List (CRL) entries are also

  112.    checked if the parameter <a class="xref" href="runtime-config-connection.html#GUC-SSL-CRL-FILE">ssl_crl_file</a> is set.

  113.   </p><p>

  114.    The <code class="literal">clientcert</code> authentication option is available for

  115.    all authentication methods, but only in <code class="filename">pg_hba.conf</code> lines

  116.    specified as <code class="literal">hostssl</code>.  When <code class="literal">clientcert</code> is

  117.    not specified or is set to <code class="literal">no-verify</code>, the server will still

  118.    verify any presented client certificates against its CA file, if one is

  119.    configured — but it will not insist that a client certificate be presented.

  120.   </p><p>

  121.    There are two approaches to enforce that users provide a certificate during login.

  122.   </p><p>

  123.    The first approach makes use of the <code class="literal">cert</code> authentication

  124.    method for <code class="literal">hostssl</code> entries in <code class="filename">pg_hba.conf</code>,

  125.    such that the certificate itself is used for authentication while also

  126.    providing ssl connection security. See <a class="xref" href="auth-cert.html" title="20.12. Certificate Authentication">Section 20.12</a> for details.

  127.    (It is not necessary to specify any <code class="literal">clientcert</code> options

  128.    explicitly when using the <code class="literal">cert</code> authentication method.)

  129.    In this case, the <code class="literal">cn</code> (Common Name) provided in

  130.    the certificate is checked against the user name or an applicable mapping.

  131.   </p><p>

  132.    The second approach combines any authentication method for <code class="literal">hostssl</code>

  133.    entries with the verification of client certificates by setting the

  134.    <code class="literal">clientcert</code> authentication option to <code class="literal">verify-ca</code>

  135.    or <code class="literal">verify-full</code>. The former option only enforces that

  136.    the certificate is valid, while the latter also ensures that the

  137.    <code class="literal">cn</code> (Common Name) in the certificate matches

  138.    the user name or an applicable mapping.

  139.   </p></div><div class="sect2" id="SSL-SERVER-FILES"><div class="titlepage"><div><div><h3 class="title">18.9.4. SSL Server File Usage</h3></div></div></div><p>

  140.     <a class="xref" href="ssl-tcp.html#SSL-FILE-USAGE" title="Table 18.2. SSL Server File Usage">Table 18.2</a> summarizes the files that are

  141.     relevant to the SSL setup on the server.  (The shown file names are default

  142.     names.  The locally configured names could be different.)

  143.    </p><div class="table" id="SSL-FILE-USAGE"><p class="title"><strong>Table 18.2. SSL Server File Usage</strong></p><div class="table-contents"><table class="table" summary="SSL Server File Usage" border="1"><colgroup><col /><col /><col /></colgroup><thead><tr><th>File</th><th>Contents</th><th>Effect</th></tr></thead><tbody><tr><td><a class="xref" href="runtime-config-connection.html#GUC-SSL-CERT-FILE">ssl_cert_file</a> (<code class="filename">$PGDATA/server.crt</code>)</td><td>server certificate</td><td>sent to client to indicate server's identity</td></tr><tr><td><a class="xref" href="runtime-config-connection.html#GUC-SSL-KEY-FILE">ssl_key_file</a> (<code class="filename">$PGDATA/server.key</code>)</td><td>server private key</td><td>proves server certificate was sent by the owner; does not indicate

  144.       certificate owner is trustworthy</td></tr><tr><td><a class="xref" href="runtime-config-connection.html#GUC-SSL-CA-FILE">ssl_ca_file</a></td><td>trusted certificate authorities</td><td>checks that client certificate is

  145.       signed by a trusted certificate authority</td></tr><tr><td><a class="xref" href="runtime-config-connection.html#GUC-SSL-CRL-FILE">ssl_crl_file</a></td><td>certificates revoked by certificate authorities</td><td>client certificate must not be on this list</td></tr></tbody></table></div></div><br class="table-break" /><p>

  146.     The server reads these files at server start and whenever the server

  147.     configuration is reloaded.  On <span class="systemitem">Windows</span>

  148.     systems, they are also re-read whenever a new backend process is spawned

  149.     for a new client connection.

  150.    </p><p>

  151.     If an error in these files is detected at server start, the server will

  152.     refuse to start.  But if an error is detected during a configuration

  153.     reload, the files are ignored and the old SSL configuration continues to

  154.     be used.  On <span class="systemitem">Windows</span> systems, if an error in

  155.     these files is detected at backend start, that backend will be unable to

  156.     establish an SSL connection.  In all these cases, the error condition is

  157.     reported in the server log.

  158.    </p></div><div class="sect2" id="SSL-CERTIFICATE-CREATION"><div class="titlepage"><div><div><h3 class="title">18.9.5. Creating Certificates</h3></div></div></div><p>

  159.      To create a simple self-signed certificate for the server, valid for 365

  160.      days, use the following <span class="productname">OpenSSL</span> command,

  161.      replacing <em class="replaceable"><code>dbhost.yourdomain.com</code></em> with the

  162.      server's host name:

  163. </p><pre class="programlisting">

  164. openssl req -new -x509 -days 365 -nodes -text -out server.crt \

  165.   -keyout server.key -subj "/CN=<em class="replaceable"><code>dbhost.yourdomain.com</code></em>"

  166. </pre><p>

  167.     Then do:

  168. </p><pre class="programlisting">

  169. chmod og-rwx server.key

  170. </pre><p>

  171.     because the server will reject the file if its permissions are more

  172.     liberal than this.

  173.     For more details on how to create your server private key and

  174.     certificate, refer to the <span class="productname">OpenSSL</span> documentation.

  175.    </p><p>

  176.     While a self-signed certificate can be used for testing, a certificate

  177.     signed by a certificate authority (<acronym class="acronym">CA</acronym>) (usually an

  178.     enterprise-wide root <acronym class="acronym">CA</acronym>) should be used in production.

  179.    </p><p>

  180.     To create a server certificate whose identity can be validated

  181.     by clients, first create a certificate signing request

  182.     (<acronym class="acronym">CSR</acronym>) and a public/private key file:

  183. </p><pre class="programlisting">

  184. openssl req -new -nodes -text -out root.csr \

  185.   -keyout root.key -subj "/CN=<em class="replaceable"><code>root.yourdomain.com</code></em>"

  186. chmod og-rwx root.key

  187. </pre><p>

  188.     Then, sign the request with the key to create a root certificate

  189.     authority (using the default <span class="productname">OpenSSL</span>

  190.     configuration file location on <span class="productname">Linux</span>):

  191. </p><pre class="programlisting">

  192. openssl x509 -req -in root.csr -text -days 3650 \

  193.   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \

  194.   -signkey root.key -out root.crt

  195. </pre><p>

  196.     Finally, create a server certificate signed by the new root certificate

  197.     authority:

  198. </p><pre class="programlisting">

  199. openssl req -new -nodes -text -out server.csr \

  200.   -keyout server.key -subj "/CN=<em class="replaceable"><code>dbhost.yourdomain.com</code></em>"

  201. chmod og-rwx server.key

  202. 

  203. openssl x509 -req -in server.csr -text -days 365 \

  204.   -CA root.crt -CAkey root.key -CAcreateserial \

  205.   -out server.crt

  206. </pre><p>

  207.     <code class="filename">server.crt</code> and <code class="filename">server.key</code>

  208.     should be stored on the server, and <code class="filename">root.crt</code> should

  209.     be stored on the client so the client can verify that the server's leaf

  210.     certificate was signed by its trusted root certificate.

  211.     <code class="filename">root.key</code> should be stored offline for use in

  212.     creating future certificates.

  213.    </p><p>

  214.     It is also possible to create a chain of trust that includes

  215.     intermediate certificates:

  216. </p><pre class="programlisting">

  217. # root

  218. openssl req -new -nodes -text -out root.csr \

  219.   -keyout root.key -subj "/CN=<em class="replaceable"><code>root.yourdomain.com</code></em>"

  220. chmod og-rwx root.key

  221. openssl x509 -req -in root.csr -text -days 3650 \

  222.   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \

  223.   -signkey root.key -out root.crt

  224. 

  225. # intermediate

  226. openssl req -new -nodes -text -out intermediate.csr \

  227.   -keyout intermediate.key -subj "/CN=<em class="replaceable"><code>intermediate.yourdomain.com</code></em>"

  228. chmod og-rwx intermediate.key

  229. openssl x509 -req -in intermediate.csr -text -days 1825 \

  230.   -extfile /etc/ssl/openssl.cnf -extensions v3_ca \

  231.   -CA root.crt -CAkey root.key -CAcreateserial \

  232.   -out intermediate.crt

  233. 

  234. # leaf

  235. openssl req -new -nodes -text -out server.csr \

  236.   -keyout server.key -subj "/CN=<em class="replaceable"><code>dbhost.yourdomain.com</code></em>"

  237. chmod og-rwx server.key

  238. openssl x509 -req -in server.csr -text -days 365 \

  239.   -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \

  240.   -out server.crt

  241. </pre><p>

  242.     <code class="filename">server.crt</code> and

  243.     <code class="filename">intermediate.crt</code> should be concatenated

  244.     into a certificate file bundle and stored on the server.

  245.     <code class="filename">server.key</code> should also be stored on the server.

  246.     <code class="filename">root.crt</code> should be stored on the client so

  247.     the client can verify that the server's leaf certificate was signed

  248.     by a chain of certificates linked to its trusted root certificate.

  249.     <code class="filename">root.key</code> and <code class="filename">intermediate.key</code>

  250.     should be stored offline for use in creating future certificates.

  251.    </p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="encryption-options.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="runtime.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="gssapi-enc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">18.8. Encryption Options </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 18.10. Secure TCP/IP Connections with GSSAPI Encryption</td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1