Commit 5ce7599b authored by Tom Lane

Fix markup, spelling, grammar, and explanations for SSLKEY patch.

parent 7f1d68a4
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.111 2007/02/16 02:59:40 momjian Exp $ --> <!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.112 2007/02/16 16:37:29 tgl Exp $ -->
<chapter Id="runtime-config"> <chapter Id="runtime-config">
<title>Server Configuration</title> <title>Server Configuration</title>
...@@ -569,15 +569,15 @@ SET ENABLE_SEQSCAN TO OFF; ...@@ -569,15 +569,15 @@ SET ENABLE_SEQSCAN TO OFF;
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry id="guc-ssl-ciphers" xreflabel="ssl-ciphers"> <varlistentry id="guc-ssl-ciphers" xreflabel="ssl_ciphers">
<term><varname>ssl_ciphers> (<type>string</type>)</term> <term><varname>ssl_ciphers</varname> (<type>string</type>)</term>
<indexterm> <indexterm>
<primary><varname>ssl_ciphers</> configuration parameter</primary> <primary><varname>ssl_ciphers</> configuration parameter</primary>
</indexterm> </indexterm>
<listitem> <listitem>
<para> <para>
Specifies a list of <acronym>SSL</> ciphers which can be used to Specifies a list of <acronym>SSL</> ciphers that are allowed to be
establish secure connections. See the <application>openssl</> used on secure connections. See the <application>openssl</>
manual page for a list of supported ciphers. manual page for a list of supported ciphers.
</para> </para>
</listitem> </listitem>
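Review bot: the pointer to "the openssl manual page" in the ssl_ciphers description is too vague for an administrator who actually has to build a restricted cipher list; name the page that documents cipher-string syntax, e.g. `See the <application>openssl</> <literal>ciphers</> manual page for a list of supported ciphers and the cipher-string syntax.` The markup fixes in this hunk (the closing `</varname>` on the term and `xreflabel="ssl_ciphers"` in place of `ssl-ciphers`) are correct and needed: the unterminated `<varname>` would have put a stray `>` into the rendered term, and the old xreflabel did not match the parameter name used everywhere else.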
......
<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.230 2007/02/16 03:50:29 momjian Exp $ --> <!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.231 2007/02/16 16:37:29 tgl Exp $ -->
<chapter id="libpq"> <chapter id="libpq">
<title><application>libpq</application> - C Library</title> <title><application>libpq</application> - C Library</title>
...@@ -4178,10 +4178,11 @@ setting, and is only available if ...@@ -4178,10 +4178,11 @@ setting, and is only available if
<primary><envar>PGSSLKEY</envar></primary> <primary><envar>PGSSLKEY</envar></primary>
</indexterm> </indexterm>
<envar>PGSSLKEY</envar> <envar>PGSSLKEY</envar>
specifies the hardware token which stores the secret key for the client specifies the hardware token that stores the secret key for the client
certificate, instead of a file. The value of this variable should consist certificate. The value of this variable should consist
of a colon-separated engine name (engines are <productname>OpenSSL</> of a colon-separated engine name (engines are <productname>OpenSSL</>
loadable modules) and an engine-specific key identifier. loadable modules) and an engine-specific key identifier. If this is not
set, the secret key must be kept in a file.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
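Review bot: the added sentence "If this is not set, the secret key must be kept in a file." in the PGSSLKEY entry does not say which file, so a reader of the environment-variable list has to guess where libpq looks; point them at the SSL section that names `~/.postgresql/postgresql.key`, e.g. `If this is not set, the secret key must be kept in a file; see the description of client-certificate files in the SSL support section.` (with an `<xref>` to that section's id). Dropping ", instead of a file" from the first sentence and the "which stores" to "that stores" change otherwise read cleanly.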
...@@ -4450,30 +4451,29 @@ ldap://ldap.mycompany.com/dc=mycompany,dc=com?uniqueMember?one?(cn=mydatabase) ...@@ -4450,30 +4451,29 @@ ldap://ldap.mycompany.com/dc=mycompany,dc=com?uniqueMember?one?(cn=mydatabase)
for increased security. See <xref linkend="ssl-tcp"> for details for increased security. See <xref linkend="ssl-tcp"> for details
about the server-side <acronym>SSL</> functionality. about the server-side <acronym>SSL</> functionality.
</para> </para>
<para> <para>
<application>libpq</application> reads the system-wide <application>libpq</application> reads the system-wide
<productname>OpenSSL</productname> configuration file. By default, this <productname>OpenSSL</productname> configuration file. By default, this
file is named <filename>openssl.cnf</filename> and is located in the file is named <filename>openssl.cnf</filename> and is located in the
directory reported by <application>openssl</>: directory reported by <literal>openssl version -d</>.
<programlisting> This default can be overridden by setting environment variable
openssl version -d <envar>OPENSSL_CONF</envar> to the name of the desired configuration
</programlisting> file.
The default can be overriden by setting environment variable
<envar>OPENSSL_CONF</envar> to the name of the desired configuration
file.
</para> </para>
<para> <para>
If the server demands a client certificate, If the server demands a client certificate,
<application>libpq</application> <application>libpq</application>
will send the certificate stored in file will send the certificate stored in file
<filename>~/.postgresql/postgresql.crt</> within the user's home directory. <filename>~/.postgresql/postgresql.crt</> within the user's home directory.
A matching private key file <filename>~/.postgresql/postgresql.key</> A matching private key file <filename>~/.postgresql/postgresql.key</>
must also be present, and must not be world-readable, unless the secret must also be present, unless the secret key for the certificate is stored
key is stored in a hardware token, as specified by in a hardware token, as specified by <envar>PGSSLKEY</envar>.
<envar>PGSSLKEY</envar>.
(On Microsoft Windows these files are named (On Microsoft Windows these files are named
<filename>%APPDATA%\postgresql\postgresql.crt</filename> and <filename>%APPDATA%\postgresql\postgresql.crt</filename> and
<filename>%APPDATA%\postgresql\postgresql.key</filename>.) <filename>%APPDATA%\postgresql\postgresql.key</filename>.)
The private key file must not be world-readable.
</para> </para>
<para> <para>
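Review bot: moving "must not be world-readable" into its own sentence after the Windows parenthetical reads better, but the requirement is still stated without its consequence: say whether libpq refuses a key file with broader permissions or only recommends restricting them, because a user debugging a failed client-certificate connection needs to know which. If the code enforces it, something like `The private key file must not be world-readable; <application>libpq</application> will refuse to use a key file that is readable by others.` tells them what to fix; if it is advice only, "should not be world-readable" is the honest wording. Replacing the `<programlisting>` block with an inline `<literal>openssl version -d</>` is fine here, and the "overriden" typo fix is correct.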
...@@ -4481,7 +4481,7 @@ ldap://ldap.mycompany.com/dc=mycompany,dc=com?uniqueMember?one?(cn=mydatabase) ...@@ -4481,7 +4481,7 @@ ldap://ldap.mycompany.com/dc=mycompany,dc=com?uniqueMember?one?(cn=mydatabase)
should consist of a colon-separated engine name and key identifier. In should consist of a colon-separated engine name and key identifier. In
this case, <application>libpq</application> will load the specified this case, <application>libpq</application> will load the specified
engine, i.e. the <productname>OpenSSL</> module which supports special engine, i.e. the <productname>OpenSSL</> module which supports special
hardware and reference the key with the specified identifier. hardware, and reference the key with the specified identifier.
Identifiers are engine-specific. Typically, cryptography hardware tokens Identifiers are engine-specific. Typically, cryptography hardware tokens
do not reveal secret keys to the application. Instead, applications do not reveal secret keys to the application. Instead, applications
delegate all cryptography operations which require the secret key to delegate all cryptography operations which require the secret key to
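Review bot: the added comma in "module which supports special hardware, and reference the key" fixes the parse, but the sentence still mixes "i.e." with a restrictive "which"; consider `engine (that is, the <productname>OpenSSL</> module that supports the hardware) and reference the key by the specified identifier.` The same "which" to "that" substitution this patch makes for ssl_ciphers and in runtime.sgml applies to "cryptography operations which require the secret key" two lines later.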
......
<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.377 2007/02/16 02:59:40 momjian Exp $ --> <!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.378 2007/02/16 16:37:29 tgl Exp $ -->
<chapter Id="runtime"> <chapter Id="runtime">
<title>Operating System Environment</title> <title>Operating System Environment</title>
...@@ -1518,20 +1518,17 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput ...@@ -1518,20 +1518,17 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput
<para> <para>
<productname>OpenSSL</productname> supports a wide range of ciphers <productname>OpenSSL</productname> supports a wide range of ciphers
and authentication algorithms, whose strength varies significantly. and authentication algorithms, whose strength varies significantly.
You can restrict the list of ciphers which can be used to connect to You can restrict the list of ciphers that can be used to connect to
your server using the <xref linkend="guc-ssl-ciphers"> parameter. your server by adjusting the <xref linkend="guc-ssl-ciphers"> parameter.
</para> </para>
<para> <para>
<productname>PostgreSQL</productname> reads a system-wide <productname>PostgreSQL</productname> reads the system-wide
<productname>OpenSSL</productname> configuration file. By default this <productname>OpenSSL</productname> configuration file. By default, this
file is named <filename>openssl.cnf</filename> and is located in the file is named <filename>openssl.cnf</filename> and is located in the
directory reported by <application>openssl</>: directory reported by <literal>openssl version -d</>.
<programlisting> This default can be overridden by setting environment variable
openssl version -d <envar>OPENSSL_CONF</envar> to the name of the desired configuration file.
</programlisting>
This default can be overriden by setting environment variable
<envar>OPENSSL_CONF</envar> to the name of desired configuration file.
</para> </para>
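Review bot: this paragraph is now word-for-word the libpq paragraph changed in the same patch (openssl.cnf, `openssl version -d`, OPENSSL_CONF), and the patch had to correct the same "overriden" typo in both places, which is exactly the drift risk of duplicated text; consider keeping the full explanation on the server side and having libpq.sgml say `<application>libpq</application> reads the same system-wide <productname>OpenSSL</productname> configuration file as the server; see <xref linkend="ssl-tcp">.` (ssl-tcp is the id libpq.sgml already references a few lines earlier). The server-side wording "by adjusting the <xref linkend="guc-ssl-ciphers"> parameter" is a clear improvement over "using".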
<para> <para>
......