Secure Socket Layer (SSL)

5.13.1. SSL Settings

ssl ( boolean )

When set to on, Pgpool-II enables SSL for both frontend and backend communications. The default is off.

Note: ssl_key and ssl_cert must also be configured in order for SSL to work with frontend connections.

Note: For SSL to work, Pgpool-II must be built with OpenSSL support. See Section 2.5 for details on building Pgpool-II.

This parameter can only be set at server start.

ssl_key ( string )

Specifies the path to the private key file to be used for incoming frontend connections. If a relative path is given, it is resolved relative to the directory from which Pgpool-II was started. There is no default value for this option; if it is left unset, SSL is disabled for incoming frontend connections.

This parameter can only be set at server start.

ssl_cert ( string )

Specifies the path to the public x509 certificate file to be used for incoming frontend connections. If a relative path is given, it is resolved relative to the directory from which Pgpool-II was started. There is no default value for this option; if it is left unset, SSL is disabled for incoming frontend connections.

This parameter can only be set at server start.

ssl_ca_cert ( string )

Specifies the path to a PEM format CA certificate file, which can be used to verify the backend server certificates. This is analogous to the -CApath option of the OpenSSL verify(1) command.

This parameter can only be set at server start.

ssl_ca_cert_dir ( string )

Specifies the path to a directory containing PEM format CA certificate files, which can be used to verify the backend server certificates. This is analogous to the -CApath option of the OpenSSL verify(1) command.

The default value for this option is unset, which means no verification of backend certificates takes place. Verification still happens if this option is unset but a value is provided for ssl_ca_cert.

This parameter can only be set at server start.

ssl_ciphers ( string )

Specifies a list of SSL cipher suites that are allowed to be used by SSL connections. See the ciphers manual page in the OpenSSL package for the syntax of this setting and a list of supported values. Only connections using TLS version 1.2 and lower are affected. There is currently no setting that controls the cipher choices used by TLS version 1.3 connections. The default value is HIGH:MEDIUM:+3DES:!aNULL, which is the same as the PostgreSQL default. See the PostgreSQL manual for the rationale behind this value.

This parameter can only be set at server start.

ssl_prefer_server_ciphers ( boolean )

Specifies whether to use the server's SSL cipher preferences, rather than the client's. The default value is false.

This parameter can only be set at server start.

ssl_ecdh_curve ( string )

Specifies the name of the curve to use in ECDH key exchange. It needs to be supported by all clients that connect. It does not need to be the same curve used by the server's Elliptic Curve key. The default value is prime256v1.

OpenSSL names for the most common curves are: prime256v1 (NIST P-256), secp384r1 (NIST P-384), secp521r1 (NIST P-521). The full list of available curves can be shown with the command openssl ecparam -list_curves. Not all of them are usable in TLS, though.

This parameter can only be set at server start.

ssl_dh_params_file ( string )

Specifies the name of the file containing Diffie-Hellman parameters used for the so-called ephemeral DH family of SSL ciphers. The default is empty, in which case the compiled-in default DH parameters are used. Using custom DH parameters reduces the exposure if an attacker manages to crack the well-known compiled-in DH parameters. You can create your own DH parameters file with the command openssl dhparam -out dhparams.pem 2048.

This parameter can only be set at server start.
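As an added example (not part of the Pgpool-II documentation or project), the following Python audit parses a constructed pgpool.conf fragment and reports the conditions the settings above describe as weak or silently disabled: an incomplete ssl_key/ssl_cert pair, no CA file or directory for backend verification, client-controlled cipher order, and the compiled-in DH parameters. The configuration text and the finding messages are constructed for this example.

```python
import re

# Constructed pgpool.conf fragment, not taken from the Pgpool-II docs.
SAMPLE_CONF = """
# SSL section
ssl = on
ssl_key = 'server.key'          # frontend private key
#ssl_cert = 'server.crt'        # commented out by mistake
ssl_ca_cert = ''
ssl_ca_cert_dir = ''
ssl_prefer_server_ciphers = off
ssl_dh_params_file = ''
"""

# key = value, optional trailing comment; commented-out lines do not match.
_ASSIGN = re.compile(r"^\s*([a-z0-9_]+)\s*=\s*(.*?)\s*(?:#.*)?$")

def parse_conf(text):
    """Return {key: value} for active assignments, with quotes stripped."""
    settings = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings

def _on(settings, key):
    return settings.get(key, "off").lower() in ("on", "true", "yes", "1")

def audit_ssl(settings):
    """List findings that follow from the documented setting semantics."""
    if not _on(settings, "ssl"):
        return ["ssl is off: frontend and backend traffic is plaintext"]
    findings = []
    # Both ssl_key and ssl_cert are required, or frontend SSL is disabled.
    if not (settings.get("ssl_key") and settings.get("ssl_cert")):
        findings.append("ssl_key/ssl_cert incomplete: frontend SSL silently disabled")
    # Backend certificates are verified only if a CA file or CA dir is set.
    if not (settings.get("ssl_ca_cert") or settings.get("ssl_ca_cert_dir")):
        findings.append("no ssl_ca_cert or ssl_ca_cert_dir: backend certs not verified")
    if not _on(settings, "ssl_prefer_server_ciphers"):
        findings.append("ssl_prefer_server_ciphers is off: client chooses cipher order")
    if not settings.get("ssl_dh_params_file"):
        findings.append("ssl_dh_params_file empty: compiled-in DH parameters in use")
    return findings

if __name__ == "__main__":
    for finding in audit_ssl(parse_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```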

5.13.2. Generating SSL certificates

Certificate handling is outside the scope of this document. The Secure TCP/IP Connections with SSL page at postgresql.org has pointers and sample commands for generating self-signed certificates.