<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>19.3. Connections and Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="runtime-config-file-locations.html" title="19.2. File Locations" /><link rel="next" href="runtime-config-resource.html" title="19.4. Resource Consumption" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">19.3. Connections and Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="runtime-config-file-locations.html" title="19.2. File Locations">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="runtime-config.html" title="Chapter 19. Server Configuration">Up</a></td><th width="60%" align="center">Chapter 19. Server Configuration</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="runtime-config-resource.html" title="19.4. Resource Consumption">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="RUNTIME-CONFIG-CONNECTION"><div class="titlepage"><div><div><h2 class="title" style="clear: both">19.3. Connections and Authentication</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SETTINGS">19.3.1. Connection Settings</a></span></dt><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-AUTHENTICATION">19.3.2. 
Authentication</a></span></dt><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SSL">19.3.3. SSL</a></span></dt></dl></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-SETTINGS"><div class="titlepage"><div><div><h3 class="title">19.3.1. Connection Settings</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt id="GUC-LISTEN-ADDRESSES"><span class="term"><code class="varname">listen_addresses</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.2.2.1.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the TCP/IP address(es) on which the server is
to listen for connections from client applications.
The value takes the form of a comma-separated list of host names
and/or numeric IP addresses. The special entry <code class="literal">*</code>
corresponds to all available IP interfaces. The entry
<code class="literal">0.0.0.0</code> allows listening for all IPv4 addresses and
<code class="literal">::</code> allows listening for all IPv6 addresses.
If the list is empty, the server does not listen on any IP interface
at all, in which case only Unix-domain sockets can be used to connect
to it.
The default value is <span class="systemitem">localhost</span>,
which allows only local TCP/IP <span class="quote">“<span class="quote">loopback</span>”</span> connections to be
made. While client authentication (<a class="xref" href="client-authentication.html" title="Chapter 20. Client Authentication">Chapter 20</a>) allows fine-grained control
over who can access the server, <code class="varname">listen_addresses</code>
controls which interfaces accept connection attempts, which
can help prevent repeated malicious connection requests on
insecure network interfaces. This parameter can only be set
at server start.
</p></dd><dt id="GUC-PORT"><span class="term"><code class="varname">port</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.2.1.3" class="indexterm"></a>
</span></dt><dd><p>
The TCP port the server listens on; 5432 by default. Note that the
same port number is used for all IP addresses the server listens on.
This parameter can only be set at server start.
</p></dd><dt id="GUC-MAX-CONNECTIONS"><span class="term"><code class="varname">max_connections</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.3.1.3" class="indexterm"></a>
</span></dt><dd><p>
Determines the maximum number of concurrent connections to the
database server. The default is typically 100 connections, but
might be less if your kernel settings will not support it (as
determined during <span class="application">initdb</span>). This parameter can
only be set at server start.
</p><p>
When running a standby server, you must set this parameter to the
same or higher value than on the master server. Otherwise, queries
will not be allowed in the standby server.
</p></dd><dt id="GUC-SUPERUSER-RESERVED-CONNECTIONS"><span class="term"><code class="varname">superuser_reserved_connections</code>
(<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.4.1.3" class="indexterm"></a>
</span></dt><dd><p>
Determines the number of connection <span class="quote">“<span class="quote">slots</span>”</span> that
are reserved for connections by <span class="productname">PostgreSQL</span>
superusers. At most <a class="xref" href="runtime-config-connection.html#GUC-MAX-CONNECTIONS">max_connections</a>
connections can ever be active simultaneously. Whenever the
number of active concurrent connections is at least
<code class="varname">max_connections</code> minus
<code class="varname">superuser_reserved_connections</code>, new
connections will be accepted only for superusers, and no
new replication connections will be accepted.
</p><p>
The default value is three connections. The value must be less
than <code class="varname">max_connections</code>.
This parameter can only be set at server start.
</p></dd><dt id="GUC-UNIX-SOCKET-DIRECTORIES"><span class="term"><code class="varname">unix_socket_directories</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.2.2.5.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the directory of the Unix-domain socket(s) on which the
server is to listen for connections from client applications.
Multiple sockets can be created by listing multiple directories
separated by commas. Whitespace between entries is
ignored; surround a directory name with double quotes if you need
to include whitespace or commas in the name.
An empty value
specifies not listening on any Unix-domain sockets, in which case
only TCP/IP sockets can be used to connect to the server.
The default value is normally
<code class="filename">/tmp</code>, but that can be changed at build time.
This parameter can only be set at server start.
</p><p>
In addition to the socket file itself, which is named
<code class="literal">.s.PGSQL.<em class="replaceable"><code>nnnn</code></em></code> where
<em class="replaceable"><code>nnnn</code></em> is the server's port number, an ordinary file
named <code class="literal">.s.PGSQL.<em class="replaceable"><code>nnnn</code></em>.lock</code> will be
created in each of the <code class="varname">unix_socket_directories</code> directories.
Neither file should ever be removed manually.
</p><p>
This parameter is irrelevant on Windows, which does not have
Unix-domain sockets.
</p></dd><dt id="GUC-UNIX-SOCKET-GROUP"><span class="term"><code class="varname">unix_socket_group</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.2.2.6.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets the owning group of the Unix-domain socket(s). (The owning
user of the sockets is always the user that starts the
server.) In combination with the parameter
<code class="varname">unix_socket_permissions</code> this can be used as
an additional access control mechanism for Unix-domain connections.
By default this is the empty string, which uses the default
group of the server user. This parameter can only be set at
server start.
</p><p>
This parameter is irrelevant on Windows, which does not have
Unix-domain sockets.
</p></dd><dt id="GUC-UNIX-SOCKET-PERMISSIONS"><span class="term"><code class="varname">unix_socket_permissions</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.7.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets the access permissions of the Unix-domain socket(s). Unix-domain
sockets use the usual Unix file system permission set.
The parameter value is expected to be a numeric mode
specified in the format accepted by the
<code class="function">chmod</code> and <code class="function">umask</code>
system calls. (To use the customary octal format the number
must start with a <code class="literal">0</code> (zero).)
</p><p>
The default permissions are <code class="literal">0777</code>, meaning
anyone can connect. Reasonable alternatives are
<code class="literal">0770</code> (only user and group, see also
<code class="varname">unix_socket_group</code>) and <code class="literal">0700</code>
(only user). (Note that for a Unix-domain socket, only write
permission matters, so there is no point in setting or revoking
read or execute permissions.)
</p><p>
This access control mechanism is independent of the one
described in <a class="xref" href="client-authentication.html" title="Chapter 20. Client Authentication">Chapter 20</a>.
</p><p>
This parameter can only be set at server start.
</p><p>
This parameter is irrelevant on systems, notably Solaris as of Solaris
10, that ignore socket permissions entirely. There, one can achieve a
similar effect by pointing <code class="varname">unix_socket_directories</code> to a
directory having search permission limited to the desired audience.
This parameter is also irrelevant on Windows, which does not have
Unix-domain sockets.
</p></dd><dt id="GUC-BONJOUR"><span class="term"><code class="varname">bonjour</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.2.2.8.1.3" class="indexterm"></a>
</span></dt><dd><p>
Enables advertising the server's existence via
<span class="productname">Bonjour</span>. The default is off.
This parameter can only be set at server start.
</p></dd><dt id="GUC-BONJOUR-NAME"><span class="term"><code class="varname">bonjour_name</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.2.2.9.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the <span class="productname">Bonjour</span> service
name. The computer name is used if this parameter is set to the
empty string <code class="literal">''</code> (which is the default). This parameter is
ignored if the server was not compiled with
<span class="productname">Bonjour</span> support.
This parameter can only be set at server start.
</p></dd><dt id="GUC-TCP-KEEPALIVES-IDLE"><span class="term"><code class="varname">tcp_keepalives_idle</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.10.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the amount of time with no network activity after which
the operating system should send a TCP keepalive message to the client.
If this value is specified without units, it is taken as seconds.
A value of 0 (the default) selects the operating system's default.
This parameter is supported only on systems that support
<code class="symbol">TCP_KEEPIDLE</code> or an equivalent socket option, and on
Windows; on other systems, it must be zero.
In sessions connected via a Unix-domain socket, this parameter is
ignored and always reads as zero.
</p><div class="note"><h3 class="title">Note</h3><p>
On Windows, setting a value of 0 will set this parameter to 2 hours,
since Windows does not provide a way to read the system default value.
</p></div></dd><dt id="GUC-TCP-KEEPALIVES-INTERVAL"><span class="term"><code class="varname">tcp_keepalives_interval</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.11.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the amount of time after which a TCP keepalive message
that has not been acknowledged by the client should be retransmitted.
If this value is specified without units, it is taken as seconds.
A value of 0 (the default) selects the operating system's default.
This parameter is supported only on systems that support
<code class="symbol">TCP_KEEPINTVL</code> or an equivalent socket option, and on
Windows; on other systems, it must be zero.
In sessions connected via a Unix-domain socket, this parameter is
ignored and always reads as zero.
</p><div class="note"><h3 class="title">Note</h3><p>
On Windows, setting a value of 0 will set this parameter to 1 second,
since Windows does not provide a way to read the system default value.
</p></div></dd><dt id="GUC-TCP-KEEPALIVES-COUNT"><span class="term"><code class="varname">tcp_keepalives_count</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.12.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the number of TCP keepalive messages that can be lost before
the server's connection to the client is considered dead.
A value of 0 (the default) selects the operating system's default.
This parameter is supported only on systems that support
<code class="symbol">TCP_KEEPCNT</code> or an equivalent socket option;
on other systems, it must be zero.
In sessions connected via a Unix-domain socket, this parameter is
ignored and always reads as zero.
</p><div class="note"><h3 class="title">Note</h3><p>
This parameter is not supported on Windows, and must be zero.
</p></div></dd><dt id="GUC-TCP-USER-TIMEOUT"><span class="term"><code class="varname">tcp_user_timeout</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.2.2.13.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the amount of time that transmitted data may
remain unacknowledged before the TCP connection is forcibly closed.
If this value is specified without units, it is taken as milliseconds.
A value of 0 (the default) selects the operating system's default.
This parameter is supported only on systems that support
<code class="symbol">TCP_USER_TIMEOUT</code>; on other systems, it must be zero.
In sessions connected via a Unix-domain socket, this parameter is
ignored and always reads as zero.
</p><div class="note"><h3 class="title">Note</h3><p>
This parameter is not supported on Windows, and must be zero.
</p></div></dd></dl></div></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-AUTHENTICATION"><div class="titlepage"><div><div><h3 class="title">19.3.2. Authentication</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt id="GUC-AUTHENTICATION-TIMEOUT"><span class="term"><code class="varname">authentication_timeout</code> (<code class="type">integer</code>)
<a id="id-1.6.6.6.3.2.1.1.3" class="indexterm"></a>
<a id="id-1.6.6.6.3.2.1.1.4" class="indexterm"></a>
<a id="id-1.6.6.6.3.2.1.1.5" class="indexterm"></a>
</span></dt><dd><p>
Maximum amount of time allowed to complete client authentication. If a
would-be client has not completed the authentication protocol in
this much time, the server closes the connection. This prevents
hung clients from occupying a connection indefinitely.
If this value is specified without units, it is taken as seconds.
The default is one minute (<code class="literal">1m</code>).
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
</p></dd><dt id="GUC-PASSWORD-ENCRYPTION"><span class="term"><code class="varname">password_encryption</code> (<code class="type">enum</code>)
<a id="id-1.6.6.6.3.2.2.1.3" class="indexterm"></a>
</span></dt><dd><p>
When a password is specified in <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a> or
<a class="xref" href="sql-alterrole.html" title="ALTER ROLE"><span class="refentrytitle">ALTER ROLE</span></a>, this parameter determines the algorithm
to use to encrypt the password. The default value is <code class="literal">md5</code>,
which stores the password as an MD5 hash (<code class="literal">on</code> is also
accepted, as alias for <code class="literal">md5</code>). Setting this parameter to
<code class="literal">scram-sha-256</code> will encrypt the password with SCRAM-SHA-256.
</p><p>
Note that older clients might lack support for the SCRAM authentication
mechanism, and hence not work with passwords encrypted with
SCRAM-SHA-256. See <a class="xref" href="auth-password.html" title="20.5. Password Authentication">Section 20.5</a> for more details.
</p></dd><dt id="GUC-KRB-SERVER-KEYFILE"><span class="term"><code class="varname">krb_server_keyfile</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.3.2.3.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets the location of the Kerberos server key file. See
<a class="xref" href="gssapi-auth.html" title="20.6. GSSAPI Authentication">Section 20.6</a>
for details. This parameter can only be set in the
<code class="filename">postgresql.conf</code> file or on the server command line.
</p></dd><dt id="GUC-KRB-CASEINS-USERS"><span class="term"><code class="varname">krb_caseins_users</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.3.2.4.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets whether GSSAPI user names should be treated
case-insensitively.
The default is <code class="literal">off</code> (case sensitive). This parameter can only be
set in the <code class="filename">postgresql.conf</code> file or on the server command line.
</p></dd><dt id="GUC-DB-USER-NAMESPACE"><span class="term"><code class="varname">db_user_namespace</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.3.2.5.1.3" class="indexterm"></a>
</span></dt><dd><p>
This parameter enables per-database user names. It is off by default.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
</p><p>
If this is on, you should create users as <em class="replaceable"><code>username@dbname</code></em>.
When <em class="replaceable"><code>username</code></em> is passed by a connecting client,
<code class="literal">@</code> and the database name are appended to the user
name and that database-specific user name is looked up by the
server. Note that when you create users with names containing
<code class="literal">@</code> within the SQL environment, you will need to
quote the user name.
</p><p>
With this parameter enabled, you can still create ordinary global
users. Simply append <code class="literal">@</code> when specifying the user
name in the client, e.g. <code class="literal">joe@</code>. The <code class="literal">@</code>
will be stripped off before the user name is looked up by the
server.
</p><p>
<code class="varname">db_user_namespace</code> causes the client's and
server's user name representation to differ.
Authentication checks are always done with the server's user name
so authentication methods must be configured for the
server's user name, not the client's. Because
<code class="literal">md5</code> uses the user name as salt on both the
client and server, <code class="literal">md5</code> cannot be used with
<code class="varname">db_user_namespace</code>.
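As an added illustration that is not part of the PostgreSQL documentation, the following Python models the name mapping just described together with PostgreSQL's md5 challenge-response, to show concretely why a role whose stored hash is salted with the server-side name can never be verified against a client that salted with its own name. The md5 storage format and exchange modelled are PostgreSQL's; the function names, the role, password and salt bytes are constructed here.

```python
import hashlib
import hmac


def server_user_name(client_user: str, dbname: str) -> str:
    """Name the server looks up when db_user_namespace is on."""
    if client_user.endswith("@"):      # 'joe@' means an ordinary global user ...
        return client_user[:-1]        # ... so the trailing '@' is stripped
    return f"{client_user}@{dbname}"   # otherwise the per-database user 'joe@dbname'


def md5_stored_password(password: str, role_name: str) -> str:
    """PostgreSQL's md5 storage: 'md5' + hex(md5(password || role_name)).
    The role name used at CREATE ROLE time is the salt of the inner hash
    (a name containing '@' must be double-quoted in SQL)."""
    return "md5" + hashlib.md5((password + role_name).encode()).hexdigest()


def md5_client_response(password: str, user_as_sent: str, salt: bytes) -> str:
    """What a client computes for md5 authentication. It only knows the user
    name it sent in the startup packet, so that is the salt it uses."""
    inner = hashlib.md5((password + user_as_sent).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def md5_server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: rehash the stored value with the connection salt and compare
    in constant time."""
    expected = "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def md5_login_succeeds(client_user: str, dbname: str, password: str,
                       salt: bytes, db_user_namespace: bool) -> bool:
    """Simulate one md5 login. The role was created under the name the server
    will look up, so its stored hash is salted with that name."""
    lookup = server_user_name(client_user, dbname) if db_user_namespace else client_user
    stored = md5_stored_password(password, lookup)                # what CREATE ROLE stored
    response = md5_client_response(password, client_user, salt)  # what the client sends
    return md5_server_verify(stored, salt, response)


if __name__ == "__main__":
    SALT = b"\x01\x02\x03\x04"   # constructed; a real server sends 4 random bytes
    print(server_user_name("joe", "sales"), server_user_name("joe@", "sales"))
    print("plain md5 login:", md5_login_succeeds("joe", "sales", "s3cret", SALT, False))
    print("with db_user_namespace:", md5_login_succeeds("joe", "sales", "s3cret", SALT, True))
```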
</p><div class="note"><h3 class="title">Note</h3><p>
This feature is intended as a temporary measure until a
complete solution is found. At that time, this option will
be removed.
</p></div></dd></dl></div></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-SSL"><div class="titlepage"><div><div><h3 class="title">19.3.3. SSL</h3></div></div></div><p>
See <a class="xref" href="ssl-tcp.html" title="18.9. Secure TCP/IP Connections with SSL">Section 18.9</a> for more information about setting up SSL.
</p><div class="variablelist"><dl class="variablelist"><dt id="GUC-SSL"><span class="term"><code class="varname">ssl</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.4.3.1.1.3" class="indexterm"></a>
</span></dt><dd><p>
Enables <acronym class="acronym">SSL</acronym> connections.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is <code class="literal">off</code>.
</p></dd><dt id="GUC-SSL-CA-FILE"><span class="term"><code class="varname">ssl_ca_file</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.2.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the file containing the SSL server certificate
authority (CA).
Relative paths are relative to the data directory.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is empty, meaning no CA file is loaded,
and client certificate verification is not performed.
</p></dd><dt id="GUC-SSL-CERT-FILE"><span class="term"><code class="varname">ssl_cert_file</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.3.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the file containing the SSL server certificate.
Relative paths are relative to the data directory.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is <code class="filename">server.crt</code>.
</p></dd><dt id="GUC-SSL-CRL-FILE"><span class="term"><code class="varname">ssl_crl_file</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.4.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the file containing the SSL server certificate
revocation list (CRL).
Relative paths are relative to the data directory.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is empty, meaning no CRL file is loaded.
</p></dd><dt id="GUC-SSL-KEY-FILE"><span class="term"><code class="varname">ssl_key_file</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.5.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the file containing the SSL server private key.
Relative paths are relative to the data directory.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is <code class="filename">server.key</code>.
</p></dd><dt id="GUC-SSL-CIPHERS"><span class="term"><code class="varname">ssl_ciphers</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.6.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies a list of <acronym class="acronym">SSL</acronym> cipher suites that are
allowed to be used by SSL connections. See the
<span class="citerefentry"><span class="refentrytitle">ciphers</span></span>
manual page in the <span class="application">OpenSSL</span> package for the
syntax of this setting and a list of supported values. Only
connections using TLS version 1.2 and lower are affected. There is
currently no setting that controls the cipher choices used by TLS
version 1.3 connections. The default value is
<code class="literal">HIGH:MEDIUM:+3DES:!aNULL</code>. The default is usually a
reasonable choice unless you have specific security requirements.
</p><p>
This parameter can only be set in the
<code class="filename">postgresql.conf</code> file or on the server command
line.
</p><p>
Explanation of the default value:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">HIGH</code></span></dt><dd><p>
Cipher suites that use ciphers from the <code class="literal">HIGH</code> group (e.g.,
AES, Camellia, 3DES)
</p></dd><dt><span class="term"><code class="literal">MEDIUM</code></span></dt><dd><p>
Cipher suites that use ciphers from the <code class="literal">MEDIUM</code> group
(e.g., RC4, SEED)
</p></dd><dt><span class="term"><code class="literal">+3DES</code></span></dt><dd><p>
The OpenSSL default order for <code class="literal">HIGH</code> is problematic
because it orders 3DES higher than AES128. This is wrong because
3DES offers less security than AES128, and it is also much
slower. <code class="literal">+3DES</code> reorders it after all other
<code class="literal">HIGH</code> and <code class="literal">MEDIUM</code> ciphers.
</p></dd><dt><span class="term"><code class="literal">!aNULL</code></span></dt><dd><p>
Disables anonymous cipher suites that perform no authentication. Such
cipher suites are vulnerable to man-in-the-middle attacks and
therefore should not be used.
</p></dd></dl></div><p>
</p><p>
Available cipher suite details will vary across OpenSSL versions. Use
the command
<code class="literal">openssl ciphers -v 'HIGH:MEDIUM:+3DES:!aNULL'</code> to
see actual details for the currently installed <span class="application">OpenSSL</span>
version. Note that this list is filtered at run time based on the
server key type.
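To make the four parts of that default value concrete, here is an added Python model (not PostgreSQL or OpenSSL code) of how a cipher string is applied left to right: a bare keyword appends matching suites, <code class="literal">+</code> moves suites already in the list to the end, <code class="literal">-</code> removes them but lets a later keyword re-add them, and <code class="literal">!</code> removes them permanently. The suite table, its order and the attribute columns are constructed assumptions; the real list and order for an installation come from <code class="literal">openssl ciphers -v</code>.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    strength: str   # OpenSSL strength class: HIGH, MEDIUM or LOW
    enc: str        # bulk cipher keyword: AES, CAMELLIA, 3DES, RC4, SEED, DES
    auth: str       # authentication keyword: RSA, or NULL for anonymous suites


# Constructed subset in a constructed order. The order deliberately reproduces
# the problem the docs describe: 3DES listed ahead of AES128 within HIGH.
CATALOG = [
    Suite("DES-CBC3-SHA", "HIGH", "3DES", "RSA"),
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "HIGH", "AES", "RSA"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "HIGH", "AES", "RSA"),
    Suite("ADH-AES128-SHA", "HIGH", "AES", "NULL"),        # anonymous DH, no auth
    Suite("CAMELLIA128-SHA", "HIGH", "CAMELLIA", "RSA"),
    Suite("RC4-SHA", "MEDIUM", "RC4", "RSA"),
    Suite("SEED-SHA", "MEDIUM", "SEED", "RSA"),
    Suite("ADH-SEED-SHA", "MEDIUM", "SEED", "NULL"),        # anonymous DH, no auth
    Suite("DES-CBC-SHA", "LOW", "DES", "RSA"),
]


def _matches(suite: Suite, keyword: str) -> bool:
    """Keyword semantics for the subset of OpenSSL keywords modelled here."""
    if keyword in ("HIGH", "MEDIUM", "LOW"):
        return suite.strength == keyword
    if keyword == "aNULL":
        return suite.auth == "NULL"
    return suite.enc == keyword   # 3DES, AES, RC4, SEED, CAMELLIA, DES


def evaluate(cipher_string: str, catalog=CATALOG) -> list:
    """Apply a colon-separated cipher string and return the resulting
    preference order as suite names."""
    selected = []
    killed = set()   # names removed with '!' can never be re-added
    for token in cipher_string.split(":"):
        if token and token[0] in "+-!":
            op, keyword = token[0], token[1:]
        else:
            op, keyword = "", token
        hits = [s for s in catalog if _matches(s, keyword)]
        if op == "":      # append matching suites that are not yet listed
            selected += [s for s in hits if s not in selected and s.name not in killed]
        elif op == "+":   # move already-listed matches to the end, keeping their order
            selected = [s for s in selected if s not in hits] + [s for s in selected if s in hits]
        elif op == "-":   # remove, but a later keyword may add them back
            selected = [s for s in selected if s not in hits]
        elif op == "!":   # remove permanently
            killed.update(s.name for s in hits)
            selected = [s for s in selected if s not in hits]
    return [s.name for s in selected]


if __name__ == "__main__":
    print("HIGH alone puts 3DES first:", evaluate("HIGH")[0])
    print("PostgreSQL default:", evaluate("HIGH:MEDIUM:+3DES:!aNULL"))
```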
</p></dd><dt id="GUC-SSL-PREFER-SERVER-CIPHERS"><span class="term"><code class="varname">ssl_prefer_server_ciphers</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.4.3.7.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies whether to use the server's SSL cipher preferences, rather
than the client's.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is <code class="literal">on</code>.
</p><p>
Older PostgreSQL versions do not have this setting and always use the
client's preferences. This setting is mainly for backward
compatibility with those versions. Using the server's preferences is
usually better because it is more likely that the server is appropriately
configured.
</p></dd><dt id="GUC-SSL-ECDH-CURVE"><span class="term"><code class="varname">ssl_ecdh_curve</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.8.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the curve to use in <acronym class="acronym">ECDH</acronym> key
exchange. It needs to be supported by all clients that connect.
It does not need to be the same curve used by the server's Elliptic
Curve key.
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
The default is <code class="literal">prime256v1</code>.
</p><p>
OpenSSL names for the most common curves are:
<code class="literal">prime256v1</code> (NIST P-256),
<code class="literal">secp384r1</code> (NIST P-384),
<code class="literal">secp521r1</code> (NIST P-521).
The full list of available curves can be shown with the command
<code class="command">openssl ecparam -list_curves</code>. Not all of them
are usable in <acronym class="acronym">TLS</acronym> though.
</p></dd><dt id="GUC-SSL-MIN-PROTOCOL-VERSION"><span class="term"><code class="varname">ssl_min_protocol_version</code> (<code class="type">enum</code>)
<a id="id-1.6.6.6.4.3.9.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets the minimum SSL/TLS protocol version to use. Valid values are
currently: <code class="literal">TLSv1</code>, <code class="literal">TLSv1.1</code>,
<code class="literal">TLSv1.2</code>, <code class="literal">TLSv1.3</code>. Older
versions of the <span class="productname">OpenSSL</span> library do not
support all values; an error will be raised if an unsupported setting
is chosen. Protocol versions before TLS 1.0, namely SSL version 2 and
3, are always disabled.
</p><p>
The default is <code class="literal">TLSv1</code>, mainly to support older
versions of the <span class="productname">OpenSSL</span> library. You might
want to set this to a higher value if all software components can
support the newer protocol versions.
</p></dd><dt id="GUC-SSL-MAX-PROTOCOL-VERSION"><span class="term"><code class="varname">ssl_max_protocol_version</code> (<code class="type">enum</code>)
<a id="id-1.6.6.6.4.3.10.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets the maximum SSL/TLS protocol version to use. Valid values are as
for <a class="xref" href="runtime-config-connection.html#GUC-SSL-MIN-PROTOCOL-VERSION">ssl_min_protocol_version</a>, with the addition of
an empty string, which allows any protocol version. The default is to
allow any version. Setting the maximum protocol version is mainly
useful for testing or if some component has issues working with a
newer protocol.
</p></dd><dt id="GUC-SSL-DH-PARAMS-FILE"><span class="term"><code class="varname">ssl_dh_params_file</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.11.1.3" class="indexterm"></a>
</span></dt><dd><p>
Specifies the name of the file containing Diffie-Hellman parameters
used for the so-called ephemeral DH family of SSL ciphers. The default is
empty, in which case the compiled-in default DH parameters are used. Using
custom DH parameters reduces the exposure if an attacker manages to
crack the well-known compiled-in DH parameters. You can create your own
DH parameters file with the command
<code class="command">openssl dhparam -out dhparams.pem 2048</code>.
</p><p>
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
</p></dd><dt id="GUC-SSL-PASSPHRASE-COMMAND"><span class="term"><code class="varname">ssl_passphrase_command</code> (<code class="type">string</code>)
<a id="id-1.6.6.6.4.3.12.1.3" class="indexterm"></a>
</span></dt><dd><p>
Sets an external command to be invoked when a passphrase for
decrypting an SSL file such as a private key needs to be obtained. By
default, this parameter is empty, which means the built-in prompting
mechanism is used.
</p><p>
The command must print the passphrase to the standard output and exit
with code 0. In the parameter value, <code class="literal">%p</code> is
replaced by a prompt string. (Write <code class="literal">%%</code> for a
literal <code class="literal">%</code>.) Note that the prompt string will
probably contain whitespace, so be sure to quote adequately. A single
newline is stripped from the end of the output if present.
</p><p>
The command does not actually have to prompt the user for a
passphrase. It can read it from a file, obtain it from a keychain
facility, or similar. It is up to the user to make sure the chosen
mechanism is adequately secure.
</p><p>
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
</p></dd><dt id="GUC-SSL-PASSPHRASE-COMMAND-SUPPORTS-RELOAD"><span class="term"><code class="varname">ssl_passphrase_command_supports_reload</code> (<code class="type">boolean</code>)
<a id="id-1.6.6.6.4.3.13.1.3" class="indexterm"></a>
</span></dt><dd><p>
This parameter determines whether the passphrase command set by
<code class="varname">ssl_passphrase_command</code> will also be called during a
configuration reload if a key file needs a passphrase. If this
parameter is off (the default), then
<code class="varname">ssl_passphrase_command</code> will be ignored during a
reload and the SSL configuration will not be reloaded if a passphrase
is needed. That setting is appropriate for a command that requires a
TTY for prompting, which might not be available when the server is
running. Setting this parameter to on might be appropriate if the
passphrase is obtained from a file, for example.
</p><p>
This parameter can only be set in the <code class="filename">postgresql.conf</code>
file or on the server command line.
</p></dd></dl></div></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="runtime-config-file-locations.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="runtime-config.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="runtime-config-resource.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">19.2. File Locations </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 19.4. Resource Consumption</td></tr></table></div></body></html>