Securing PostgreSQL server with SSL/TLS on RHEL7

转载

wx5bcd90b347f01 2021-10-25 15:02:07

文章标签 rhel7 PostgreSQL ssl sql postgresql 文章分类 代码人生

Configuration File

   /var/lib/pgsql/data/postgresql.conf

shortform

Raw

ssl = 'on'
ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'
ssl_cert_file = '/var/lib/pgsql/data/server.crt'
ssl_key_file = '/var/lib/pgsql/data/server.key'

Protocols

postgresql in all versions prior to upstream 9.4 uses TLSv1 exclusively and will not negotiate anything else.

Ciphers

Raw

    ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'

provides secure connections within the limitation of TLSv1
Ciphers - Alternative Values
Raw

ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'

Allows RC4 for older clients

Certificate Handling

Apache expects separate PEM format files for key and certificate, and another for the CA chain.

Key File

Raw

ssl_key_file = '/var/lib/pgsql/data/server.key'

key should be owned and readable only by postgres user

Certificate File

Raw

ssl_cert_file = '/var/lib/pgsql/data/server.crt'

should also contain intermediates and root CA certificate in the following order
* server
* intermediate 1, signer of server
* intermediate 2, signer of intermediate 1
* root of certificate authority, signer of intermediate 2