Configuration File
/var/lib/pgsql/data/postgresql.conf
ssl = 'on'
ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'
Protocols
PostgreSQL in all versions prior to upstream 9.4 uses TLSv1 exclusively and will not negotiate anything else.
Ciphers
ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'
This value provides secure connections within the limitations of TLSv1.
Ciphers - Alternative Values
ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'
Allows RC4 for older clients.
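The two ssl_ciphers values above differ only in whether RC4 is rejected. The following shell script is an added audit helper, not part of the original article: it reads a postgresql.conf, takes the last uncommented value of each setting (as the server does), and reports whether ssl is on and whether the cipher string still rejects every family the recommended value excludes. The function names and the constructed sample configurations in the usage note are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the TLS settings of a postgresql.conf.
# Not from the original article; helper names are this example's own.

# conf_value CONF KEY
# Prints the value of KEY from CONF: last uncommented "KEY = value" line,
# surrounding quotes and trailing comments stripped (empty if unset).
conf_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*'?([^'#[:space:]]*)'?.*/\1/p" "$1" \
        | tail -n 1
}

# check_ssl_conf CONF
# Returns 0 when CONF turns ssl on and its ssl_ciphers string explicitly
# rejects RC4, MD5, aNULL, eNULL, EXP and SSLv2; otherwise prints each
# finding and returns 1.  The "Alternative Values" string above fails the
# RC4 test, which is the weakening it trades for older-client support.
check_ssl_conf() {
    local conf="$1" rc=0 ssl ciphers upper excl
    ssl=$(conf_value "$conf" ssl)
    ciphers=$(conf_value "$conf" ssl_ciphers)

    if [ "$ssl" != "on" ]; then
        echo "ssl is '${ssl:-unset}', expected on"; rc=1
    fi
    if [ -z "$ciphers" ]; then
        echo "ssl_ciphers is not set"; return 1
    fi

    # OpenSSL cipher aliases are matched case-insensitively, so compare in upper case.
    upper=$(printf '%s' "$ciphers" | tr '[:lower:]' '[:upper:]')
    for excl in RC4 MD5 ANULL ENULL EXP SSLV2; do
        case ":$upper:" in
            *":!$excl:"*) ;;                                   # explicitly rejected
            *) echo "ssl_ciphers does not reject $excl"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh check_pg_tls.sh /var/lib/pgsql/data/postgresql.conf
if [ $# -eq 1 ]; then
    check_ssl_conf "$1"
fi
```

Run against the recommended string the script is silent and exits 0; run against the RC4 variant it prints "ssl_ciphers does not reject RC4" and exits 1, so it can gate a deployment check.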
Certificate Handling
PostgreSQL expects separate PEM format files for key and certificate, and another for the CA chain.
Key File
The key MUST be placed in the file
/var/lib/pgsql/data/server.key
The key should be owned by, and readable only by, the postgres user.
Certificate File
The certificate MUST be placed in the file
/var/lib/pgsql/data/server.crt
This file should also contain the intermediate and root CA certificates, in the following order:
* server
* intermediate 1, signer of server
* intermediate 2, signer of intermediate 1
* root of certificate authority, signer of intermediate 2
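The key-permission and chain-ordering requirements above are easy to get wrong silently: the server starts either way, and a misordered bundle only shows up as client verification failures. The following script is an added audit helper, not part of the original article: it checks that server.key is owned by the expected user with no group/other permission bits, and that each certificate in server.crt is issued by the one that follows it, ending in a self-signed root. The function names are this example's own; the chain check assumes the openssl command-line tool is installed, and the default paths are the ones given above.

```shell
#!/bin/sh
# Added example: verify the key file and certificate bundle of a PostgreSQL
# server.  Not from the original article; helper names are this example's own.

# check_key_perms FILE OWNER
# Succeeds only when FILE is owned by OWNER and group/other have no r/w/x bits.
check_key_perms() {
    local file="$1" owner="$2" perms actual rc=0
    [ -f "$file" ] || { echo "missing key file: $file"; return 1; }
    perms=$(ls -ld "$file" | awk '{print $1}')
    actual=$(ls -ld "$file" | awk '{print $3}')
    if [ "$actual" != "$owner" ]; then
        echo "$file is owned by $actual, expected $owner"; rc=1
    fi
    case "$perms" in
        ????------*) ;;     # type + owner bits, then six dashes for group/other
        *) echo "$file is accessible to group/other ($perms); use chmod 0600"; rc=1 ;;
    esac
    return $rc
}

# check_chain_order BUNDLE
# Splits the PEM bundle into single certificates (in file order) and checks
# that certificate N+1 is the issuer of certificate N, and that the last
# certificate is a self-signed root.  Requires the openssl CLI.
check_chain_order() {
    local bundle="$1" dir n=0 cert subject="" issuer="" expect="" rc=0
    [ -f "$bundle" ] || { echo "missing certificate file: $bundle"; return 1; }
    dir=$(mktemp -d) || return 1
    awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/ { c++ }
                       c > 0 { print > (sprintf("%s/%03d.pem", dir, c)) }' "$bundle"
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        n=$((n + 1))
        # Older and newer openssl print "subject= /CN=x" and "subject=CN = x";
        # strip the label so both forms compare consistently.
        subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
        if [ -n "$expect" ] && [ "$subject" != "$expect" ]; then
            echo "certificate $n ($subject) is not the issuer of certificate $((n - 1))"; rc=1
        fi
        expect="$issuer"
    done
    rm -rf "$dir"
    if [ "$n" -eq 0 ]; then
        echo "no certificates found in $bundle"; rc=1
    elif [ "$subject" != "$issuer" ]; then
        echo "last certificate ($subject) is not a self-signed root"; rc=1
    fi
    return $rc
}

# Usage: sh check_pg_tls_files.sh /var/lib/pgsql/data postgres
if [ $# -eq 2 ]; then
    check_key_perms "$1/server.key" "$2"; rc=$?
    check_chain_order "$1/server.crt" || rc=1
    exit $rc
fi
```

The permission test reads the mode string from ls rather than a stat flag so it behaves the same on GNU and BSD userlands; the trailing wildcard in the pattern tolerates the "." or "+" that ls appends when an SELinux label or ACL is present.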