| author | Peter Eisentraut <peter_e@gmx.net> | 2018-11-20 21:49:01 +0100 |
|---|---|---|
| committer | Peter Eisentraut <peter_e@gmx.net> | 2018-11-20 22:12:10 +0100 |
| commit | e73e67c719593c1c16139cc6c516d8379f22f182 (patch) | |
| tree | f62efbed6917c3649865cd70c08c8bf4bdf7482e /doc/src | |
| parent | 2d9140ed266d702b305adeaf916086e1a586affe (diff) | |
| download | postgresql-e73e67c719593c1c16139cc6c516d8379f22f182.tar.gz postgresql-e73e67c719593c1c16139cc6c516d8379f22f182.zip | |
Add settings to control SSL/TLS protocol version
For example:
ssl_min_protocol_version = 'TLSv1.1'
ssl_max_protocol_version = 'TLSv1.2'
Reviewed-by: Steve Singer <steve@ssinger.info>
Discussion: https://www.postgresql.org/message-id/flat/1822da87-b862-041a-9fc2-d0310c3da173@2ndquadrant.com
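The two settings introduced by this commit define a window of acceptable TLS versions, and the documentation hunk below gives the valid values (TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, plus an empty string for the maximum) and the defaults (minimum TLSv1, maximum unrestricted). The following is an added example, not PostgreSQL's own code: a small Python checker that parses postgresql.conf-style assignments and reports a configuration that leaves pre-1.2 protocol versions enabled or sets the minimum above the maximum. The treatment of TLSv1.2 as the recommended floor is this checker's assumption, not something the documentation states, and the sample configuration is constructed (its values mirror the commit message example).

```python
import re

# Versions the two GUCs accept, weakest to strongest (from the documentation hunk).
TLS_VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
RANK = {v: i for i, v in enumerate(TLS_VERSIONS)}

# Documented defaults: minimum is TLSv1, maximum is '' (any version).
DEFAULT_MIN = "TLSv1"
DEFAULT_MAX = ""

# Assumption of this checker, not of the PostgreSQL docs: anything below TLS 1.2 is weak.
RECOMMENDED_MIN = "TLSv1.2"

# postgresql.conf accepts both "name = value" and "name value".
_ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\s*(?:=\s*)?(.*)$")


def _strip_comment(line: str) -> str:
    """Drop a trailing '# comment', ignoring '#' inside single-quoted values."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def _unquote(value: str) -> str:
    """String values are single-quoted; a doubled quote inside is an escaped quote."""
    if len(value) >= 2 and value[0] == "'" and value[-1] == "'":
        return value[1:-1].replace("''", "'")
    return value


def parse_conf(text: str) -> dict:
    """Return {name: value} for the last assignment of each parameter (later lines win)."""
    settings = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = _ASSIGN_RE.match(line)
        if not m:
            continue
        settings[m.group(1).lower()] = _unquote(m.group(2).strip())
    return settings


def check_tls_settings(settings: dict) -> list:
    """Return (severity, message) findings for the ssl_*_protocol_version pair."""
    findings = []
    vmin = settings.get("ssl_min_protocol_version", DEFAULT_MIN)
    vmax = settings.get("ssl_max_protocol_version", DEFAULT_MAX)

    if vmin not in RANK:
        findings.append(("error", f"ssl_min_protocol_version={vmin!r} is not a valid value"))
    if vmax != "" and vmax not in RANK:
        findings.append(("error", f"ssl_max_protocol_version={vmax!r} is not a valid value"))
    if findings:
        return findings  # the remaining checks need two valid versions

    # A minimum above the maximum leaves no version that both bounds allow.
    if vmax != "" and RANK[vmin] > RANK[vmax]:
        findings.append(("error", f"minimum {vmin} is higher than maximum {vmax}: "
                                  "no protocol version can be negotiated"))
    # Flag a floor below the recommended one, whether set explicitly or inherited from the default.
    if RANK[vmin] < RANK[RECOMMENDED_MIN]:
        src = "explicitly set" if "ssl_min_protocol_version" in settings else "left at its default"
        findings.append(("warning", f"ssl_min_protocol_version is {vmin} ({src}); "
                                    f"clients may negotiate below {RECOMMENDED_MIN}"))
    return findings


# Constructed sample, not a real server's configuration; the values mirror the commit message.
SAMPLE_CONF = """\
# constructed postgresql.conf fragment
ssl = on
ssl_min_protocol_version = 'TLSv1.1'    # value from the commit message example
ssl_max_protocol_version = 'TLSv1.2'
"""

if __name__ == "__main__":
    for severity, msg in check_tls_settings(parse_conf(SAMPLE_CONF)):
        print(f"{severity}: {msg}")
```

Run against the sample, the checker reports a single warning because the minimum of TLSv1.1 still admits a pre-1.2 handshake; an unset minimum produces the same warning via the documented TLSv1 default, and a minimum above the maximum is reported as an error rather than a warning because such a server cannot complete any TLS handshake at all.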
Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/config.sgml | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index c4effa034c1..5d76862f461 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml 
@@ -1291,6 +1291,50 @@ include_dir 'conf.d' </listitem> </varlistentry> + <varlistentry id="guc-ssl-min-protocol-version" xreflabel="ssl_min_protocol_version"> + <term><varname>ssl_min_protocol_version</varname> (<type>enum</type>) + <indexterm> + <primary><varname>ssl_min_protocol_version</varname> configuration parameter</primary> + </indexterm> + </term> + <listitem> + <para> + Sets the minimum SSL/TLS protocol version to use. Valid values are + currently: <literal>TLSv1</literal>, <literal>TLSv1.1</literal>, + <literal>TLSv1.2</literal>, <literal>TLSv1.3</literal>. Older + versions of the <productname>OpenSSL</productname> library do not + support all values; an error will be raised if an unsupported setting + is chosen. Protocol versions before TLS 1.0, namely SSL version 2 and + 3, are always disabled. + </para> + + <para> + The default is <literal>TLSv1</literal>, mainly to support older + versions of the <productname>OpenSSL</productname> library. You might + want to set this to a higher value if all software components can + support the newer protocol versions. + </para> + </listitem> + </varlistentry> + + <varlistentry id="guc-ssl-max-protocol-version" xreflabel="ssl_max_protocol_version"> + <term><varname>ssl_max_protocol_version</varname> (<type>enum</type>) + <indexterm> + <primary><varname>ssl_max_protocol_version</varname> configuration parameter</primary> + </indexterm> + </term> + <listitem> + <para> + Sets the maximum SSL/TLS protocol version to use. Valid values are as + for <xref linkend="guc-ssl-min-protocol-version"/>, with addition of + an empty string, which allows any protocol version. The default is to + allow any version. Setting the maximum protocol version is mainly + useful for testing or if some component has issues working with a + newer protocol. 
+ </para> + </listitem> + </varlistentry> + <varlistentry id="guc-ssl-dh-params-file" xreflabel="ssl_dh_params_file"> <term><varname>ssl_dh_params_file</varname> (<type>string</type>) <indexterm> |
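Review bot: The ssl_max_protocol_version paragraph reads "with addition of an empty string"; it should be "with the addition of an empty string". More substantively, neither varlistentry documents how the two settings interact when ssl_min_protocol_version is set higher than ssl_max_protocol_version (for example TLSv1.3 against TLSv1.2), which leaves no version both bounds allow; a sentence stating whether that combination is rejected when the setting is loaded, or simply results in every TLS handshake failing, would save operators from discovering it at runtime. The default paragraph for ssl_min_protocol_version also only says "a higher value"; since the valid values are listed right above, naming TLSv1.2 as the value to set once all clients support it would make the recommendation concrete.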