Abuhujair Javed / Postgres FD Implementation

Commit ffd9aaa0, authored Sep 06, 2000 by Peter Eisentraut
A bit of cleanup after SSL patch. Add it to config file, improve
documentation.
parent 6dc24961

Showing 7 changed files with 260 additions and 211 deletions (+260 / -211):

doc/src/sgml/client-auth.sgml        +168 -146
doc/src/sgml/installation.sgml       +8   -7
doc/src/sgml/runtime.sgml            +66  -41
src/backend/postmaster/postmaster.c  +9   -11
src/backend/utils/misc/guc.c         +2   -1
src/bin/psql/startup.c               +5   -4
src/include/miscadmin.h              +2   -1
doc/src/sgml/client-auth.sgml
(diff collapsed on the source page; not shown)
doc/src/sgml/installation.sgml
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.1
6 2000/08/29 20:02:07 momjian
Exp $ -->
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.1
7 2000/09/06 19:54:45 petere
Exp $ -->
<chapter id="installation">
<title><![%flattext-install-include[<productname>PostgreSQL</> ]]>Installation Instructions</title>
@@ -354,7 +354,7 @@ su - postgres
The man pages that come with <productname>PostgreSQL</> will be installed under
this directory, in their respective
<filename>man<replaceable>x</></> subdirectories.
<filename><replaceable>PREFIX</>/man</>.
The default is
<filename><replaceable>PREFIX</>/man</>.
</para>
</listitem>
</varlistentry>
@@ -581,15 +581,16 @@ su - postgres
<term>--with-openssl=<replaceable>DIRECTORY</></term>
<listitem>
<para>
Build with support for
SSL
(encrypted) connections.
This requires the
OpenSSL library
to be installed.
Build with support for
<acronym>SSL</>
(encrypted) connections.
This requires the
<productname>OpenSSL</> package
to be installed.
The <replaceable>DIRECTORY</> argument specifies the
root directory of the OpenSSL installation.
root directory of the <productname>OpenSSL</> installation; the
default is <filename>/usr/local/ssl</>.
</para>
<para>
<filename>configure</> will check for the required header
files and libraries to make sure that your
OpenSSL
files and libraries to make sure that your
<productname>OpenSSL</>
installation is sufficient before proceeding.
</para>
</listitem>
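Review bot: the added sentence "the default is <filename>/usr/local/ssl</>" documents a default that nothing in this patch sets; no hunk here touches configure, so confirm that configure really falls back to /usr/local/ssl when --with-openssl is given without a DIRECTORY, otherwise this line will send readers on systems with OpenSSL installed elsewhere down the wrong path. The <acronym>SSL</> and <productname>OpenSSL</> markup is consistent with the rest of the chapter and the "package" wording is an improvement over "library", since the headers are needed as well.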
@@ -601,7 +602,7 @@ su - postgres
<para>
Enables the <productname>PostgreSQL</> server to use the
syslog logging facility. (Using this option does not mean
that you
will have to
log with syslog or even that it will be done
that you
must
log with syslog or even that it will be done
by default, it simply makes it possible to turn this option
on at run time.)
</para>
doc/src/sgml/runtime.sgml
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.2
3 2000/08/29 20:02:07 momjian
Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.2
4 2000/09/06 19:54:45 petere
Exp $
-->
<Chapter Id="runtime">
@@ -941,18 +941,6 @@ env PGOPTIONS='--geqo=off' psql
</listitem>
</varlistentry>
<varlistentry>
<term>TCPIP_SOCKET (<type>boolean</type>)</term>
<listitem>
<para>
If this is true, then the server will accept TCP/IP
connections. Otherwise only local Unix domain socket
connections are accepted. It is off by default. This option
can only be set at server start.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PORT (<type>integer</type>)</term>
<listitem>
@@ -1005,6 +993,29 @@ env PGOPTIONS='--geqo=off' psql
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL (<type>boolean</type>)</term>
<listitem>
<para>
Enables <acronym>SSL</> connections. Please read
<xref linkend="ssl"> before using this. The default
is off.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>TCPIP_SOCKET (<type>boolean</type>)</term>
<listitem>
<para>
If this is true, then the server will accept TCP/IP
connections. Otherwise only local Unix domain socket
connections are accepted. It is off by default. This option
can only be set at server start.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</sect2>
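Review bot: the new SSL entry leaves out two facts that the neighbouring TCPIP_SOCKET entry states and that this same patch establishes: the option is registered as PGC_POSTMASTER in guc.c, so it "can only be set at server start", and the postmaster exits with "For SSL, TCP/IP connections must be enabled" when ssl is on and tcpip_socket is off. Add both after "The default is off." (e.g. "This option can only be set at server start and requires TCPIP_SOCKET to be on.") so the dependency is learned from the documentation rather than from a failed start-up.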
@@ -1048,6 +1059,11 @@ env PGOPTIONS='--geqo=off' psql
<entry>tcpip_socket = on</entry>
<entry></entry>
</row>
<row>
<entry>-l</entry>
<entry>ssl = on</entry>
<entry></entry>
</row>
<row>
<entry>-N <replaceable>x</replaceable></entry>
<entry>max_connections = <replaceable>x</replaceable></entry>
@@ -1726,64 +1742,66 @@ perl: warning: Falling back to the standard locale ("C").
</para>
</sect1>
<sect1>
<title>Secure TCP/IP Connection with SSL</title>
<sect1
id="ssl"
>
<title>Secure TCP/IP Connection
s
with SSL</title>
<para>
PostgreSQL has native support for connections over SSL to encrypt
<productname>PostgreSQL</> has native support for connections over
<acronym>SSL</> to encrypt
client/server communications for increased security. This requires
<productname>OpenSSL</productname> to be installed on both client
and server systems and support enabled at
compile-time using
the configure script
.
and server systems and support enabled at
build-time (see <xref
linkend="installation">)
.
</para>
<para>
With SSL support compiled in, the
Postgres backend can be
started with argument -l to enable SSL connections.
When starting in SSL mode, the postmaster will look for the
f
iles <filename>server.key</filename> and
<filename>server.cert</filename> in the <envar>PGDATA</envar>
directory. These files should contain the server private key and
certificate respectively. If the private key is protected with a
passphrase, the postmaster will prompt for the passphrase and not
start until it has been provided.
With SSL support compiled in, the
<productname>PostgreSQL</> server
can be started with the argument <option>-l</> (ell) to enable
SSL connections. When starting in SSL mode, the postmaster will look
f
or the files <filename>server.key</> and <filename>server.crt</> in
the data directory. These files should contain the server private key
and certificate respectively. These files must be set up correctly
before an SSL-enabled server can start. If the private key is protected
with a passphrase, the postmaster will prompt for the passphrase and will
not
start until it has been provided.
</para>
<para>
The postmaster will listen for both standard and SSL connections
on the same TCP/IP port, and will negotiate with any connecting
client wether to use SSL or not. Use the <filename>pg_hba.conf</filename>
file to optionally require SSL in order to accept a connection.
client wether to use SSL or not. See <xref linkend="client-authentication">
about how to force on the server side the use of SSL for certain
connections.
</para>
<para>
For details on how to create your server private key and certificate,
refer to the
OpenSSL documentation. A simple self-signed certificate
c
an be used to get started testing, but a certificate signed by a CA
(either one of the global CAs or a local one) should be used in
refer to the
<productname>OpenSSL</> documentation. A simple self-signed
c
ertificate can be used to get started testing, but a certificate signed
by a CA
(either one of the global CAs or a local one) should be used in
production so the client can verify the servers identity. To create
a quick self-signed certificate, use the <filename>CA.pl</filename>
script included in OpenSSL:
<programlisting>
CA.pl -newcert
CA.pl -newcert
</programlisting>
Fill out the information the script asks for. Make sure to enter
the local hostname as Common Name. The script will generate a key
which
is passphrase protected. To remove the passphrase (required
the local host
name as Common Name. The script will generate a key
that
is passphrase protected. To remove the passphrase (required
if you want automatic start-up of the postmaster), run the command
<programlisting>
openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
</programlisting>
Enter the old passphrase to unlock the existing key. Copy the file
<filename>newreq.pem</
filename> to <filename>PGDATA/server.cert</filename
>
and <filename>newkey_no_passphrase.pem</
filename> to
<filename>
PGDATA/server.key</filename
>. Remove the PRIVATE KEY part
from the <filename>server.c
e
rt</filename> using any text editor.
<filename>newreq.pem</
> to <filename><replaceable>PGDATA</>/server.crt</
>
and <filename>newkey_no_passphrase.pem</
> to
<filename>
<replaceable>PGDATA</>/server.key</
>. Remove the PRIVATE KEY part
from the <filename>server.crt</filename> using any text editor.
</para>
</sect1>
<sect1>
<title>Secure TCP/IP Connection
with SSH
</title>
<title>Secure TCP/IP Connection
s with SSH tunnels
</title>
<note>
<title>Acknowledgement</title>
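Review bot: the passphrase-removal command "openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem" is wrong and this patch carries it over unchanged: openssl x509 operates on certificates, so it copies the certificate block out of newreq.pem and never decrypts or writes the key, and the next sentence ("Enter the old passphrase to unlock the existing key") will not happen. Stripping the passphrase from the RSA key is done with the rsa subcommand, e.g. "openssl rsa -in newreq.pem -out newkey_no_passphrase.pem". Two smaller points in the same hunk: the text now consistently says server.crt where the old text said server.cert, but no hunk in this patch touches the code that opens the certificate, so confirm the postmaster really looks for server.crt before shipping the rename in the docs; and since readers are told to keep an unencrypted private key in the data directory for automatic start-up, the paragraph should also tell them to make server.key readable by the server user only. Typos carried over from the old text: "wether" and "servers identity".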
@@ -1828,6 +1846,13 @@ psql -h localhost -p 3333 template1
terminal session.
</para>
<tip>
<para>
Several other products exist that can provide secure tunnels using
a procedure similar in concept to the one just described.
</para>
</tip>
</sect1>
</Chapter>
src/backend/postmaster/postmaster.c
@@ -11,7 +11,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.16
5 2000/09/06 14:15:19
petere Exp $
* $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.16
6 2000/09/06 19:54:46
petere Exp $
*
* NOTES
*
@@ -193,10 +193,8 @@ static bool Reinit = true;
static
int
SendStop
=
false
;
bool
NetServer
=
false
;
/* listen on TCP/IP */
bool
EnableSSL
=
false
;
#ifdef USE_SSL
static
bool
DisableSSL
=
false
;
/* Completely disable SSL, even if compiled in */
#endif
static
pid_t
StartupPID
=
0
,
ShutdownPID
=
0
;
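Review bot: this hunk flips the default for SSL-capable builds. Previously SSL was on unless -l set DisableSSL = true; now EnableSSL = false means an OpenSSL-enabled server starts without SSL unless -l or ssl = on is given. Off by default matches the documented "The default is off" and is the safer choice for an option whose key and certificate files may not exist yet, but it is a behaviour change for anyone already running an SSL-enabled build and the commit message ("A bit of cleanup") does not say so; note it in the release notes. Taking the definition out of #ifdef USE_SSL is needed so guc.c can take its address unconditionally; give EnableSSL a trailing comment like NetServer's "/* listen on TCP/IP */" to keep the two readable side by side.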
@@ -452,7 +450,7 @@ PostmasterMain(int argc, char *argv[])
break
;
#ifdef USE_SSL
case
'l'
:
Dis
ableSSL
=
true
;
En
ableSSL
=
true
;
break
;
#endif
case
'm'
:
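Review bot: -l now means the opposite of what it did: the old case set DisableSSL = true, the new one sets EnableSSL = true, so a start-up script that passed -l to turn SSL off will now turn it on. Reusing the letter with inverted meaning rather than retiring it needs to be called out in the release notes; the usage text and the runtime.sgml table (-l / ssl = on) are updated in this patch, so those two are covered. The case remains inside #ifdef USE_SSL, so -l is simply not recognised on a build without OpenSSL, which is the right behaviour.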
@@ -563,13 +561,13 @@ PostmasterMain(int argc, char *argv[])
}
#ifdef USE_SSL
if
(
!
NetServer
&&
!
DisableSSL
)
if
(
EnableSSL
&&
!
NetServer
)
{
fprintf
(
stderr
,
"%s: For SSL,
you must enable TCP/IP connections. Use -l to disable SSL
\n
"
,
fprintf
(
stderr
,
"%s: For SSL,
TCP/IP connections must be enabled. See -? for help.
\n
"
,
progname
);
exit
(
1
);
}
if
(
!
Dis
ableSSL
)
if
(
En
ableSSL
)
InitSSL
();
#endif
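Review bot: the new message "For SSL, TCP/IP connections must be enabled. See -? for help." points only at the command line, but this patch also makes both settings available in the configuration file (tcpip_socket and ssl in guc.c), so name the fix directly, e.g. "enable TCP/IP connections with -i or tcpip_socket = on". The logic itself is right: the condition is now EnableSSL && !NetServer and InitSSL() is gated on the same flag, so SSL is only initialised after the check has passed and the postmaster exits rather than running with a half-configured listener.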
@@ -750,9 +748,9 @@ usage(const char *progname)
printf
(
" -d 1-5 debugging level
\n
"
);
printf
(
" -D <directory> database directory
\n
"
);
printf
(
" -F turn fsync off
\n
"
);
printf
(
" -i
listen on TCP/IP socket
s
\n
"
);
printf
(
" -i
enable TCP/IP connection
s
\n
"
);
#ifdef USE_SSL
printf
(
" -l
disable SSL
\n
"
);
printf
(
" -l
enable SSL connections
\n
"
);
#endif
printf
(
" -N <number> maximum number of allowed connections (1..%d, default %d)
\n
"
,
MAXBACKENDS
,
DEF_MAXBACKENDS
);
@@ -1060,7 +1058,7 @@ readStartupPacket(void *arg, PacketLen len, void *pkt)
char
SSLok
;
#ifdef USE_SSL
if
(
Dis
ableSSL
||
port
->
laddr
.
sa
.
sa_family
!=
AF_INET
)
if
(
!
En
ableSSL
||
port
->
laddr
.
sa
.
sa_family
!=
AF_INET
)
/* No SSL when disabled or on Unix sockets */
SSLok
=
'N'
;
else
src/backend/utils/misc/guc.c
@@ -4,7 +4,7 @@
* Support for grand unified configuration scheme, including SET
* command, configuration file, and command line options.
*
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.1
0 2000/08/28 11:57:41
petere Exp $
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.1
1 2000/09/06 19:54:47
petere Exp $
*
* Copyright 2000 by PostgreSQL Global Development Group
* Written by Peter Eisentraut <peter_e@gmx.net>.
@@ -160,6 +160,7 @@ ConfigureNamesBool[] =
{
"geqo"
,
PGC_USERSET
,
&
enable_geqo
,
true
},
{
"tcpip_socket"
,
PGC_POSTMASTER
,
&
NetServer
,
false
},
{
"ssl"
,
PGC_POSTMASTER
,
&
EnableSSL
,
false
},
{
"fsync"
,
PGC_USERSET
,
&
enableFsync
,
true
},
{
"log_connections"
,
PGC_SIGHUP
,
&
Log_connections
,
false
},
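Review bot: the "ssl" entry is not wrapped in #ifdef USE_SSL while every use of EnableSSL in postmaster.c is, so on a build without OpenSSL "ssl = on" in the configuration file is accepted silently and does nothing. A security setting that is ignored without complaint is worse than one that is rejected: either make the postmaster refuse to start when EnableSSL is set and USE_SSL is not defined, or at minimum document in runtime.sgml that the setting has no effect unless the server was built with --with-openssl.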
src/bin/psql/startup.c
@@ -3,7 +3,7 @@
*
* Copyright 2000 by PostgreSQL Global Development Group
*
* $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.3
5 2000/08/30 14:54:23 momjian
Exp $
* $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.3
6 2000/09/06 19:54:48 petere
Exp $
*/
#include "postgres.h"
@@ -264,12 +264,13 @@ main(int argc, char *argv[])
"Type:
\\
copyright for distribution terms
\n
"
"
\\
h for help with SQL commands
\n
"
"
\\
? for help on internal slash commands
\n
"
"
\\
g or terminate with semicolon to execute query
\n
"
"
\\
g or terminate with semicolon to execute query
\n
"
"
\\
q to quit
\n\n
"
,
pset
.
progname
);
}
#ifdef USE_SSL
printSSLInfo
();
printSSLInfo
();
#endif
}
SetVariable
(
pset
.
vars
,
"PROMPT1"
,
DEFAULT_PROMPT1
);
SetVariable
(
pset
.
vars
,
"PROMPT2"
,
DEFAULT_PROMPT2
);
SetVariable
(
pset
.
vars
,
"PROMPT3"
,
DEFAULT_PROMPT3
);
src/include/miscadmin.h
@@ -12,7 +12,7 @@
* Portions Copyright (c) 1996-2000, PostgreSQL, Inc
* Portions Copyright (c) 1994, Regents of the University of California
*
* $Id: miscadmin.h,v 1.6
5 2000/09/06 14:15:24
petere Exp $
* $Id: miscadmin.h,v 1.6
6 2000/09/06 19:54:52
petere Exp $
*
* NOTES
* some of the information in this file will be moved to
@@ -107,6 +107,7 @@ extern int SortMem;
configuration file processor has access to them */
extern
bool
NetServer
;
extern
bool
EnableSSL
;
extern
int
MaxBackends
;
extern
int
NBuffers
;
extern
int
PostPortName
;