author | Daniel Gustafsson <dgustafsson@postgresql.org> | 2025-04-03 13:16:43 +0200 |
---|---|---|
committer | Daniel Gustafsson <dgustafsson@postgresql.org> | 2025-04-03 13:16:43 +0200 |
commit | 2da74d8d6400975bf73fb0df97c3943ad3ed9a36 (patch) | |
tree | 5f20eb74d2450a87985026348a8f406d438c1a6a /doc/src | |
parent | e4309f73f698851a2f7d49ca5e98e3e188400891 (diff) | |
download | postgresql-2da74d8d6400975bf73fb0df97c3943ad3ed9a36.tar.gz postgresql-2da74d8d6400975bf73fb0df97c3943ad3ed9a36.zip |
libpq: Add support for dumping SSL key material to file
This adds a new connection parameter which instructs libpq to
write out key material client-side into a file in order to make
connection debugging with Wireshark and similar tools possible.
The file format used is the standardized NSS format.
Author: Abhishek Chanda <abhishek.becs@gmail.com>
Co-authored-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Discussion: https://postgr.es/m/CAKiP-K85C8uQbzXKWf5wHQPkuygGUGcufke713iHmYWOe9q2dA@mail.gmail.com
Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/libpq.sgml | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index d7051190320..5e3281ca2eb 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1918,6 +1918,30 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname </listitem> </varlistentry> + <varlistentry id="libpq-connect-sslkeylogfile" xreflabel="sslkeylogfile"> + <term><literal>sslkeylogfile</literal></term> + <listitem> + <para> + This parameter specifies the location where <literal>libpq</literal> + will log keys used in this SSL context. This is useful for debugging + <productname>PostgreSQL</productname> protocol interactions or client + connections using network inspection tools like + <productname>Wireshark</productname>. This parameter is ignored if an + SSL connection is not made, or if <productname>LibreSSL</productname> + is used (<productname>LibreSSL</productname> does not support key + logging). Keys are logged using the <productname>NSS</productname> + format. + <warning> + <para> + Key logging will expose potentially sensitive information in the + keylog file. Keylog files should be handled with the same care as + <xref linkend="libpq-connect-sslkey" /> files. + </para> + </warning> + </para> + </listitem> + </varlistentry> + <varlistentry id="libpq-connect-sslpassword" xreflabel="sslpassword"> <term><literal>sslpassword</literal></term> <listitem> |
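Review bot: The new `sslkeylogfile` entry does not say how the keylog file is created. The first paragraph gives only "the location where libpq will log keys", so a reader cannot tell whether an existing file is appended to or overwritten, or what permissions a newly created file gets. Because the warning asks for the same care as `sslkey` files, the paragraph should state the creation mode and the append or truncate behaviour, and say whether libpq checks the permissions of a file that already exists. The sentence stating that the parameter "is ignored" without an SSL connection or with LibreSSL should also say whether that is silent or reported, so that someone debugging a capture knows why no file was written. Style point: the `<warning>` is opened inside the still-open `<para>`; closing the paragraph after "format." and making the warning a sibling inside the `<listitem>` would keep the admonition out of the running paragraph.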