diff options
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/libpq.sgml | 49 |
1 files changed, 17 insertions, 32 deletions
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 74b6ed0cf97..80179f99783 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1773,15 +1773,18 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname <term><literal>sslnegotiation</literal></term> <listitem> <para> - This option controls whether <productname>PostgreSQL</productname> - will perform its protocol negotiation to request encryption from the - server or will just directly make a standard <acronym>SSL</acronym> - connection. Traditional <productname>PostgreSQL</productname> - protocol negotiation is the default and the most flexible with - different server configurations. If the server is known to support - direct <acronym>SSL</acronym> connections then the latter requires one - fewer round trip reducing connection latency and also allows the use - of protocol agnostic SSL network tools. + This option controls how SSL encryption is negotiated with the server, + if SSL is used. In the default <literal>postgres</literal> mode, the + client first asks the server if SSL is supported. In + <literal>direct</literal> mode, the client starts the standard SSL + handshake directly after establishing the TCP/IP connection. Traditional + <productname>PostgreSQL</productname> protocol negotiation is the most + flexible with different server configurations. If the server is known + to support direct <acronym>SSL</acronym> connections then the latter + requires one fewer round trip reducing connection latency and also + allows the use of protocol agnostic SSL network tools. The direct SSL + option was introduced in <productname>PostgreSQL</productname> version + 17. </para> <variablelist> @@ -1799,32 +1802,14 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname <term><literal>direct</literal></term> <listitem> <para> - first attempt to establish a standard SSL connection and if that - fails reconnect and perform the negotiation. This fallback - process adds significant latency if the initial SSL connection - fails. - </para> - <para> - An exception is if <literal>gssencmode</literal> is set - to <literal>prefer</literal>, but the server rejects GSS encryption. - In that case, SSL is negotiated over the same TCP connection using - <productname>PostgreSQL</productname> protocol negotiation. In - other words, the direct SSL handshake is not used, if a TCP - connection has already been established and can be used for the + start SSL handshake directly after establishing the TCP/IP + connection. This is only allowed with sslmode=require or higher, + because the weaker settings could lead to unintended fallback to + plaintext authentication when the server does not support direct SSL handshake. </para> </listitem> </varlistentry> - - <varlistentry> - <term><literal>requiredirect</literal></term> - <listitem> - <para> - attempt to establish a standard SSL connection and if that fails - return a connection failure immediately. - </para> - </listitem> - </varlistentry> </variablelist> </listitem> </varlistentry> @@ -2065,7 +2050,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname connections without having to decrypt the SSL stream. (Note that unless the proxy is aware of the PostgreSQL protocol handshake this would require setting <literal>sslnegotiation</literal> - to <literal>direct</literal> or <literal>requiredirect</literal>.) + to <literal>direct</literal>.) However, <acronym>SNI</acronym> makes the destination host name appear in cleartext in the network traffic, so it might be undesirable in some cases. |