1 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>19.3. Connections and Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="runtime-config-file-locations.html" title="19.2. File Locations" /><link rel="next" href="runtime-config-resource.html" title="19.4. Resource Consumption" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">19.3. Connections and Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="runtime-config-file-locations.html" title="19.2. File Locations">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="runtime-config.html" title="Chapter 19. Server Configuration">Up</a></td><th width="60%" align="center">Chapter 19. Server Configuration</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="runtime-config-resource.html" title="19.4. Resource Consumption">Next</a></td></tr></table><hr /></div><div class="sect1" id="RUNTIME-CONFIG-CONNECTION"><div class="titlepage"><div><div><h2 class="title" style="clear: both">19.3. Connections and Authentication <a href="#RUNTIME-CONFIG-CONNECTION" class="id_link">#</a></h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SETTINGS">19.3.1. Connection Settings</a></span></dt><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-TCP-SETTINGS">19.3.2. TCP Settings</a></span></dt><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-AUTHENTICATION">19.3.3. Authentication</a></span></dt><dt><span class="sect2"><a href="runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SSL">19.3.4. SSL</a></span></dt></dl></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-SETTINGS"><div class="titlepage"><div><div><h3 class="title">19.3.1. Connection Settings <a href="#RUNTIME-CONFIG-CONNECTION-SETTINGS" class="id_link">#</a></h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt id="GUC-LISTEN-ADDRESSES"><span class="term"><code class="varname">listen_addresses</code> (<code class="type">string</code>)
3 <a id="id-1.6.6.6.2.2.1.1.3" class="indexterm"></a>
4 </span> <a href="#GUC-LISTEN-ADDRESSES" class="id_link">#</a></dt><dd><p>
5 Specifies the TCP/IP address(es) on which the server is
6 to listen for connections from client applications.
7 The value takes the form of a comma-separated list of host names
8 and/or numeric IP addresses. The special entry <code class="literal">*</code>
9 corresponds to all available IP interfaces. The entry
10 <code class="literal">0.0.0.0</code> allows listening for all IPv4 addresses and
11 <code class="literal">::</code> allows listening for all IPv6 addresses.
12 If the list is empty, the server does not listen on any IP interface
13 at all, in which case only Unix-domain sockets can be used to connect
14 to it. If the list is not empty, the server will start if it
15 can listen on at least one TCP/IP address. A warning will be
16 emitted for any TCP/IP address which cannot be opened.
17 The default value is <span class="systemitem">localhost</span>,
18 which allows only local TCP/IP <span class="quote">“<span class="quote">loopback</span>”</span> connections to be
21 While client authentication (<a class="xref" href="client-authentication.html" title="Chapter 20. Client Authentication">Chapter 20</a>) allows fine-grained control
22 over who can access the server, <code class="varname">listen_addresses</code>
23 controls which interfaces accept connection attempts, which
24 can help prevent repeated malicious connection requests on
25 insecure network interfaces. This parameter can only be set
27 </p></dd><dt id="GUC-PORT"><span class="term"><code class="varname">port</code> (<code class="type">integer</code>)
28 <a id="id-1.6.6.6.2.2.2.1.3" class="indexterm"></a>
29 </span> <a href="#GUC-PORT" class="id_link">#</a></dt><dd><p>
30 The TCP port the server listens on; 5432 by default. Note that the
31 same port number is used for all IP addresses the server listens on.
32 This parameter can only be set at server start.
33 </p></dd><dt id="GUC-MAX-CONNECTIONS"><span class="term"><code class="varname">max_connections</code> (<code class="type">integer</code>)
34 <a id="id-1.6.6.6.2.2.3.1.3" class="indexterm"></a>
35 </span> <a href="#GUC-MAX-CONNECTIONS" class="id_link">#</a></dt><dd><p>
36 Determines the maximum number of concurrent connections to the
37 database server. The default is typically 100 connections, but
38 might be less if your kernel settings will not support it (as
39 determined during <span class="application">initdb</span>). This parameter can
40 only be set at server start.
42 <span class="productname">PostgreSQL</span> sizes certain resources based directly on the value of
43 <code class="varname">max_connections</code>. Increasing its value leads to
44 higher allocation of those resources, including shared memory.
46 When running a standby server, you must set this parameter to the
47 same or higher value than on the primary server. Otherwise, queries
48 will not be allowed in the standby server.
49 </p></dd><dt id="GUC-RESERVED-CONNECTIONS"><span class="term"><code class="varname">reserved_connections</code> (<code class="type">integer</code>)
50 <a id="id-1.6.6.6.2.2.4.1.3" class="indexterm"></a>
51 </span> <a href="#GUC-RESERVED-CONNECTIONS" class="id_link">#</a></dt><dd><p>
52 Determines the number of connection <span class="quote">“<span class="quote">slots</span>”</span> that are
53 reserved for connections by roles with privileges of the
54 <a class="xref" href="predefined-roles.html#PREDEFINED-ROLE-PG-USE-RESERVED-CONNECTIONS">pg_use_reserved_connections</a>
55 role. Whenever the number of free connection slots is greater than
56 <a class="xref" href="runtime-config-connection.html#GUC-SUPERUSER-RESERVED-CONNECTIONS">superuser_reserved_connections</a> but less than or
57 equal to the sum of <code class="varname">superuser_reserved_connections</code>
58 and <code class="varname">reserved_connections</code>, new connections will be
59 accepted only for superusers and roles with privileges of
60 <code class="literal">pg_use_reserved_connections</code>. If
61 <code class="varname">superuser_reserved_connections</code> or fewer connection
62 slots are available, new connections will be accepted only for
65 The default value is zero connections. The value must be less than
66 <code class="varname">max_connections</code> minus
67 <code class="varname">superuser_reserved_connections</code>. This parameter can
68 only be set at server start.
69 </p></dd><dt id="GUC-SUPERUSER-RESERVED-CONNECTIONS"><span class="term"><code class="varname">superuser_reserved_connections</code>
70 (<code class="type">integer</code>)
71 <a id="id-1.6.6.6.2.2.5.1.3" class="indexterm"></a>
72 </span> <a href="#GUC-SUPERUSER-RESERVED-CONNECTIONS" class="id_link">#</a></dt><dd><p>
73 Determines the number of connection <span class="quote">“<span class="quote">slots</span>”</span> that
74 are reserved for connections by <span class="productname">PostgreSQL</span>
75 superusers. At most <a class="xref" href="runtime-config-connection.html#GUC-MAX-CONNECTIONS">max_connections</a>
76 connections can ever be active simultaneously. Whenever the
77 number of active concurrent connections is at least
78 <code class="varname">max_connections</code> minus
79 <code class="varname">superuser_reserved_connections</code>, new
80 connections will be accepted only for superusers. The connection slots
81 reserved by this parameter are intended as final reserve for emergency
82 use after the slots reserved by
83 <a class="xref" href="runtime-config-connection.html#GUC-RESERVED-CONNECTIONS">reserved_connections</a> have been exhausted.
85 The default value is three connections. The value must be less
86 than <code class="varname">max_connections</code> minus
87 <code class="varname">reserved_connections</code>.
88 This parameter can only be set at server start.
89 </p></dd><dt id="GUC-UNIX-SOCKET-DIRECTORIES"><span class="term"><code class="varname">unix_socket_directories</code> (<code class="type">string</code>)
90 <a id="id-1.6.6.6.2.2.6.1.3" class="indexterm"></a>
91 </span> <a href="#GUC-UNIX-SOCKET-DIRECTORIES" class="id_link">#</a></dt><dd><p>
92 Specifies the directory of the Unix-domain socket(s) on which the
93 server is to listen for connections from client applications.
94 Multiple sockets can be created by listing multiple directories
95 separated by commas. Whitespace between entries is
96 ignored; surround a directory name with double quotes if you need
97 to include whitespace or commas in the name.
99 specifies not listening on any Unix-domain sockets, in which case
100 only TCP/IP sockets can be used to connect to the server.
102 A value that starts with <code class="literal">@</code> specifies that a
103 Unix-domain socket in the abstract namespace should be created
104 (currently supported on Linux only). In that case, this value
105 does not specify a <span class="quote">“<span class="quote">directory</span>”</span> but a prefix from which
106 the actual socket name is computed in the same manner as for the
107 file-system namespace. While the abstract socket name prefix can be
108 chosen freely, since it is not a file-system location, the convention
109 is to nonetheless use file-system-like values such as
110 <code class="literal">@/tmp</code>.
112 The default value is normally
113 <code class="filename">/tmp</code>, but that can be changed at build time.
114 On Windows, the default is empty, which means no Unix-domain socket is
116 This parameter can only be set at server start.
118 In addition to the socket file itself, which is named
119 <code class="literal">.s.PGSQL.<em class="replaceable"><code>nnnn</code></em></code> where
120 <em class="replaceable"><code>nnnn</code></em> is the server's port number, an ordinary file
121 named <code class="literal">.s.PGSQL.<em class="replaceable"><code>nnnn</code></em>.lock</code> will be
122 created in each of the <code class="varname">unix_socket_directories</code> directories.
123 Neither file should ever be removed manually.
124 For sockets in the abstract namespace, no lock file is created.
125 </p></dd><dt id="GUC-UNIX-SOCKET-GROUP"><span class="term"><code class="varname">unix_socket_group</code> (<code class="type">string</code>)
126 <a id="id-1.6.6.6.2.2.7.1.3" class="indexterm"></a>
127 </span> <a href="#GUC-UNIX-SOCKET-GROUP" class="id_link">#</a></dt><dd><p>
128 Sets the owning group of the Unix-domain socket(s). (The owning
129 user of the sockets is always the user that starts the
130 server.) In combination with the parameter
131 <code class="varname">unix_socket_permissions</code> this can be used as
132 an additional access control mechanism for Unix-domain connections.
133 By default this is the empty string, which uses the default
134 group of the server user. This parameter can only be set at
137 This parameter is not supported on Windows. Any setting will be
138 ignored. Also, sockets in the abstract namespace have no file owner,
139 so this setting is also ignored in that case.
140 </p></dd><dt id="GUC-UNIX-SOCKET-PERMISSIONS"><span class="term"><code class="varname">unix_socket_permissions</code> (<code class="type">integer</code>)
141 <a id="id-1.6.6.6.2.2.8.1.3" class="indexterm"></a>
142 </span> <a href="#GUC-UNIX-SOCKET-PERMISSIONS" class="id_link">#</a></dt><dd><p>
143 Sets the access permissions of the Unix-domain socket(s). Unix-domain
144 sockets use the usual Unix file system permission set.
145 The parameter value is expected to be a numeric mode
146 specified in the format accepted by the
147 <code class="function">chmod</code> and <code class="function">umask</code>
148 system calls. (To use the customary octal format the number
149 must start with a <code class="literal">0</code> (zero).)
151 The default permissions are <code class="literal">0777</code>, meaning
152 anyone can connect. Reasonable alternatives are
153 <code class="literal">0770</code> (only user and group, see also
154 <code class="varname">unix_socket_group</code>) and <code class="literal">0700</code>
155 (only user). (Note that for a Unix-domain socket, only write
156 permission matters, so there is no point in setting or revoking
157 read or execute permissions.)
159 This access control mechanism is independent of the one
160 described in <a class="xref" href="client-authentication.html" title="Chapter 20. Client Authentication">Chapter 20</a>.
162 This parameter can only be set at server start.
164 This parameter is irrelevant on systems, notably Solaris as of Solaris
165 10, that ignore socket permissions entirely. There, one can achieve a
166 similar effect by pointing <code class="varname">unix_socket_directories</code> to a
167 directory having search permission limited to the desired audience.
169 Sockets in the abstract namespace have no file permissions, so this
170 setting is also ignored in that case.
171 </p></dd><dt id="GUC-BONJOUR"><span class="term"><code class="varname">bonjour</code> (<code class="type">boolean</code>)
172 <a id="id-1.6.6.6.2.2.9.1.3" class="indexterm"></a>
173 </span> <a href="#GUC-BONJOUR" class="id_link">#</a></dt><dd><p>
174 Enables advertising the server's existence via
175 <span class="productname">Bonjour</span>. The default is off.
176 This parameter can only be set at server start.
177 </p></dd><dt id="GUC-BONJOUR-NAME"><span class="term"><code class="varname">bonjour_name</code> (<code class="type">string</code>)
178 <a id="id-1.6.6.6.2.2.10.1.3" class="indexterm"></a>
179 </span> <a href="#GUC-BONJOUR-NAME" class="id_link">#</a></dt><dd><p>
180 Specifies the <span class="productname">Bonjour</span> service
181 name. The computer name is used if this parameter is set to the
182 empty string <code class="literal">''</code> (which is the default). This parameter is
183 ignored if the server was not compiled with
184 <span class="productname">Bonjour</span> support.
185 This parameter can only be set at server start.
186 </p></dd></dl></div></div><div class="sect2" id="RUNTIME-CONFIG-TCP-SETTINGS"><div class="titlepage"><div><div><h3 class="title">19.3.2. TCP Settings <a href="#RUNTIME-CONFIG-TCP-SETTINGS" class="id_link">#</a></h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt id="GUC-TCP-KEEPALIVES-IDLE"><span class="term"><code class="varname">tcp_keepalives_idle</code> (<code class="type">integer</code>)
187 <a id="id-1.6.6.6.3.2.1.1.3" class="indexterm"></a>
188 </span> <a href="#GUC-TCP-KEEPALIVES-IDLE" class="id_link">#</a></dt><dd><p>
189 Specifies the amount of time with no network activity after which
190 the operating system should send a TCP keepalive message to the client.
191 If this value is specified without units, it is taken as seconds.
192 A value of 0 (the default) selects the operating system's default.
193 On Windows, setting a value of 0 will set this parameter to 2 hours,
194 since Windows does not provide a way to read the system default value.
195 This parameter is supported only on systems that support
196 <code class="symbol">TCP_KEEPIDLE</code> or an equivalent socket option, and on
197 Windows; on other systems, it must be zero.
198 In sessions connected via a Unix-domain socket, this parameter is
199 ignored and always reads as zero.
200 </p></dd><dt id="GUC-TCP-KEEPALIVES-INTERVAL"><span class="term"><code class="varname">tcp_keepalives_interval</code> (<code class="type">integer</code>)
201 <a id="id-1.6.6.6.3.2.2.1.3" class="indexterm"></a>
202 </span> <a href="#GUC-TCP-KEEPALIVES-INTERVAL" class="id_link">#</a></dt><dd><p>
203 Specifies the amount of time after which a TCP keepalive message
204 that has not been acknowledged by the client should be retransmitted.
205 If this value is specified without units, it is taken as seconds.
206 A value of 0 (the default) selects the operating system's default.
207 On Windows, setting a value of 0 will set this parameter to 1 second,
208 since Windows does not provide a way to read the system default value.
209 This parameter is supported only on systems that support
210 <code class="symbol">TCP_KEEPINTVL</code> or an equivalent socket option, and on
211 Windows; on other systems, it must be zero.
212 In sessions connected via a Unix-domain socket, this parameter is
213 ignored and always reads as zero.
214 </p></dd><dt id="GUC-TCP-KEEPALIVES-COUNT"><span class="term"><code class="varname">tcp_keepalives_count</code> (<code class="type">integer</code>)
215 <a id="id-1.6.6.6.3.2.3.1.3" class="indexterm"></a>
216 </span> <a href="#GUC-TCP-KEEPALIVES-COUNT" class="id_link">#</a></dt><dd><p>
217 Specifies the number of TCP keepalive messages that can be lost before
218 the server's connection to the client is considered dead.
219 A value of 0 (the default) selects the operating system's default.
220 This parameter is supported only on systems that support
221 <code class="symbol">TCP_KEEPCNT</code> or an equivalent socket option (which does not include Windows);
222 on other systems, it must be zero.
223 In sessions connected via a Unix-domain socket, this parameter is
224 ignored and always reads as zero.
225 </p></dd><dt id="GUC-TCP-USER-TIMEOUT"><span class="term"><code class="varname">tcp_user_timeout</code> (<code class="type">integer</code>)
226 <a id="id-1.6.6.6.3.2.4.1.3" class="indexterm"></a>
227 </span> <a href="#GUC-TCP-USER-TIMEOUT" class="id_link">#</a></dt><dd><p>
228 Specifies the amount of time that transmitted data may
229 remain unacknowledged before the TCP connection is forcibly closed.
230 If this value is specified without units, it is taken as milliseconds.
231 A value of 0 (the default) selects the operating system's default.
232 This parameter is supported only on systems that support
233 <code class="symbol">TCP_USER_TIMEOUT</code> (which does not include Windows); on other systems, it must be zero.
234 In sessions connected via a Unix-domain socket, this parameter is
235 ignored and always reads as zero.
236 </p></dd><dt id="GUC-CLIENT-CONNECTION-CHECK-INTERVAL"><span class="term"><code class="varname">client_connection_check_interval</code> (<code class="type">integer</code>)
237 <a id="id-1.6.6.6.3.2.5.1.3" class="indexterm"></a>
238 </span> <a href="#GUC-CLIENT-CONNECTION-CHECK-INTERVAL" class="id_link">#</a></dt><dd><p>
239 Sets the time interval between optional checks that the client is still
240 connected, while running queries. The check is performed by polling
241 the socket, and allows long running queries to be aborted sooner if
242 the kernel reports that the connection is closed.
244 This option relies on kernel events exposed by Linux, macOS, illumos
245 and the BSD family of operating systems, and is not currently available
248 If the value is specified without units, it is taken as milliseconds.
249 The default value is <code class="literal">0</code>, which disables connection
250 checks. Without connection checks, the server will detect the loss of
251 the connection only at the next interaction with the socket, when it
252 waits for, receives or sends data.
254 For the kernel itself to detect lost TCP connections reliably and within
255 a known timeframe in all scenarios including network failure, it may
256 also be necessary to adjust the TCP keepalive settings of the operating
257 system, or the <a class="xref" href="runtime-config-connection.html#GUC-TCP-KEEPALIVES-IDLE">tcp_keepalives_idle</a>,
258 <a class="xref" href="runtime-config-connection.html#GUC-TCP-KEEPALIVES-INTERVAL">tcp_keepalives_interval</a> and
259 <a class="xref" href="runtime-config-connection.html#GUC-TCP-KEEPALIVES-COUNT">tcp_keepalives_count</a> settings of
260 <span class="productname">PostgreSQL</span>.
261 </p></dd></dl></div></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-AUTHENTICATION"><div class="titlepage"><div><div><h3 class="title">19.3.3. Authentication <a href="#RUNTIME-CONFIG-CONNECTION-AUTHENTICATION" class="id_link">#</a></h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt id="GUC-AUTHENTICATION-TIMEOUT"><span class="term"><code class="varname">authentication_timeout</code> (<code class="type">integer</code>)
262 <a id="id-1.6.6.6.4.2.1.1.3" class="indexterm"></a>
263 <a id="id-1.6.6.6.4.2.1.1.4" class="indexterm"></a>
264 <a id="id-1.6.6.6.4.2.1.1.5" class="indexterm"></a>
265 </span> <a href="#GUC-AUTHENTICATION-TIMEOUT" class="id_link">#</a></dt><dd><p>
266 Maximum amount of time allowed to complete client authentication. If a
267 would-be client has not completed the authentication protocol in
268 this much time, the server closes the connection. This prevents
269 hung clients from occupying a connection indefinitely.
270 If this value is specified without units, it is taken as seconds.
271 The default is one minute (<code class="literal">1m</code>).
272 This parameter can only be set in the <code class="filename">postgresql.conf</code>
273 file or on the server command line.
274 </p></dd><dt id="GUC-PASSWORD-ENCRYPTION"><span class="term"><code class="varname">password_encryption</code> (<code class="type">enum</code>)
275 <a id="id-1.6.6.6.4.2.2.1.3" class="indexterm"></a>
276 </span> <a href="#GUC-PASSWORD-ENCRYPTION" class="id_link">#</a></dt><dd><p>
277 When a password is specified in <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a> or
278 <a class="xref" href="sql-alterrole.html" title="ALTER ROLE"><span class="refentrytitle">ALTER ROLE</span></a>, this parameter determines the
279 algorithm to use to encrypt the password. Possible values are
280 <code class="literal">scram-sha-256</code>, which will encrypt the password with
281 SCRAM-SHA-256, and <code class="literal">md5</code>, which stores the password
282 as an MD5 hash. The default is <code class="literal">scram-sha-256</code>.
284 Note that older clients might lack support for the SCRAM authentication
285 mechanism, and hence not work with passwords encrypted with
286 SCRAM-SHA-256. See <a class="xref" href="auth-password.html" title="20.5. Password Authentication">Section 20.5</a> for more details.
287 </p><div class="warning"><h3 class="title">Warning</h3><p>
288 Support for MD5-encrypted passwords is deprecated and will be removed
289 in a future release of <span class="productname">PostgreSQL</span>. Refer
290 to <a class="xref" href="auth-password.html" title="20.5. Password Authentication">Section 20.5</a> for details about migrating to
291 another password type.
292 </p></div></dd><dt id="GUC-SCRAM-ITERATIONS"><span class="term"><code class="varname">scram_iterations</code> (<code class="type">integer</code>)
293 <a id="id-1.6.6.6.4.2.3.1.3" class="indexterm"></a>
294 </span> <a href="#GUC-SCRAM-ITERATIONS" class="id_link">#</a></dt><dd><p>
295 The number of computational iterations to be performed when encrypting
296 a password using SCRAM-SHA-256. The default is <code class="literal">4096</code>.
297 A higher number of iterations provides additional protection against
298 brute-force attacks on stored passwords, but makes authentication
299 slower. Changing the value has no effect on existing passwords
300 encrypted with SCRAM-SHA-256 as the iteration count is fixed at the
301 time of encryption. In order to make use of a changed value, a new
302 password must be set.
303 </p></dd><dt id="GUC-MD5-PASSWORD-WARNINGS"><span class="term"><code class="varname">md5_password_warnings</code> (<code class="type">boolean</code>)
304 <a id="id-1.6.6.6.4.2.4.1.3" class="indexterm"></a>
305 </span> <a href="#GUC-MD5-PASSWORD-WARNINGS" class="id_link">#</a></dt><dd><p>
306 Controls whether a <code class="literal">WARNING</code> about MD5 password
307 deprecation is produced when a <code class="command">CREATE ROLE</code> or
308 <code class="command">ALTER ROLE</code> statement sets an MD5-encrypted password.
309 The default value is <code class="literal">on</code>.
310 </p></dd><dt id="GUC-KRB-SERVER-KEYFILE"><span class="term"><code class="varname">krb_server_keyfile</code> (<code class="type">string</code>)
311 <a id="id-1.6.6.6.4.2.5.1.3" class="indexterm"></a>
312 </span> <a href="#GUC-KRB-SERVER-KEYFILE" class="id_link">#</a></dt><dd><p>
313 Sets the location of the server's Kerberos key file. The default is
314 <code class="filename">FILE:/usr/local/pgsql/etc/krb5.keytab</code>
315 (where the directory part is whatever was specified
316 as <code class="varname">sysconfdir</code> at build time; use
317 <code class="literal">pg_config --sysconfdir</code> to determine that).
318 If this parameter is set to an empty string, it is ignored and a
319 system-dependent default is used.
320 This parameter can only be set in the
321 <code class="filename">postgresql.conf</code> file or on the server command line.
322 See <a class="xref" href="gssapi-auth.html" title="20.6. GSSAPI Authentication">Section 20.6</a> for more information.
323 </p></dd><dt id="GUC-KRB-CASEINS-USERS"><span class="term"><code class="varname">krb_caseins_users</code> (<code class="type">boolean</code>)
324 <a id="id-1.6.6.6.4.2.6.1.3" class="indexterm"></a>
325 </span> <a href="#GUC-KRB-CASEINS-USERS" class="id_link">#</a></dt><dd><p>
326 Sets whether GSSAPI user names should be treated
328 The default is <code class="literal">off</code> (case sensitive). This parameter can only be
329 set in the <code class="filename">postgresql.conf</code> file or on the server command line.
330 </p></dd><dt id="GUC-GSS-ACCEPT-DELEGATION"><span class="term"><code class="varname">gss_accept_delegation</code> (<code class="type">boolean</code>)
331 <a id="id-1.6.6.6.4.2.7.1.3" class="indexterm"></a>
332 </span> <a href="#GUC-GSS-ACCEPT-DELEGATION" class="id_link">#</a></dt><dd><p>
333 Sets whether GSSAPI delegation should be accepted from the client.
334 The default is <code class="literal">off</code> meaning credentials from the client will
335 <span class="emphasis"><em>not</em></span> be accepted. Changing this to <code class="literal">on</code> will make the server
336 accept credentials delegated to it from the client. This parameter can only be
337 set in the <code class="filename">postgresql.conf</code> file or on the server command line.
338 </p></dd><dt id="GUC-OAUTH-VALIDATOR-LIBRARIES"><span class="term"><code class="varname">oauth_validator_libraries</code> (<code class="type">string</code>)
339 <a id="id-1.6.6.6.4.2.8.1.3" class="indexterm"></a>
340 </span> <a href="#GUC-OAUTH-VALIDATOR-LIBRARIES" class="id_link">#</a></dt><dd><p>
341 The library/libraries to use for validating OAuth connection tokens. If
342 only one validator library is provided, it will be used by default for
343 any OAuth connections; otherwise, all
344 <a class="link" href="auth-oauth.html" title="20.15. OAuth Authorization/Authentication"><code class="literal">oauth</code> HBA entries</a>
345 must explicitly set a <code class="literal">validator</code> chosen from this
346 list. If set to an empty string (the default), OAuth connections will be
347 refused. This parameter can only be set in the
348 <code class="filename">postgresql.conf</code> file.
350 Validator modules must be implemented/obtained separately;
351 <span class="productname">PostgreSQL</span> does not ship with any default
352 implementations. For more information on implementing OAuth validators,
353 see <a class="xref" href="oauth-validators.html" title="Chapter 50. OAuth Validator Modules">Chapter 50</a>.
354 </p></dd></dl></div></div><div class="sect2" id="RUNTIME-CONFIG-CONNECTION-SSL"><div class="titlepage"><div><div><h3 class="title">19.3.4. SSL <a href="#RUNTIME-CONFIG-CONNECTION-SSL" class="id_link">#</a></h3></div></div></div><p>
355 See <a class="xref" href="ssl-tcp.html" title="18.9. Secure TCP/IP Connections with SSL">Section 18.9</a> for more information about setting up
356 <acronym class="acronym">SSL</acronym>. The configuration parameters for controlling
357 transfer encryption using <acronym class="acronym">TLS</acronym> protocols are named
358 <code class="literal">ssl</code> for historic reasons, even though support for
359 the <acronym class="acronym">SSL</acronym> protocol has been deprecated.
360 <acronym class="acronym">SSL</acronym> is in this context used interchangeably with
361 <acronym class="acronym">TLS</acronym>.
362 </p><div class="variablelist"><dl class="variablelist"><dt id="GUC-SSL"><span class="term"><code class="varname">ssl</code> (<code class="type">boolean</code>)
363 <a id="id-1.6.6.6.5.3.1.1.3" class="indexterm"></a>
364 </span> <a href="#GUC-SSL" class="id_link">#</a></dt><dd><p>
365 Enables <acronym class="acronym">SSL</acronym> connections.
366 This parameter can only be set in the <code class="filename">postgresql.conf</code>
367 file or on the server command line.
368 The default is <code class="literal">off</code>.
369 </p></dd><dt id="GUC-SSL-CA-FILE"><span class="term"><code class="varname">ssl_ca_file</code> (<code class="type">string</code>)
370 <a id="id-1.6.6.6.5.3.2.1.3" class="indexterm"></a>
371 </span> <a href="#GUC-SSL-CA-FILE" class="id_link">#</a></dt><dd><p>
372 Specifies the name of the file containing the SSL server certificate
374 Relative paths are relative to the data directory.
375 This parameter can only be set in the <code class="filename">postgresql.conf</code>
376 file or on the server command line.
377 The default is empty, meaning no CA file is loaded,
378 and client certificate verification is not performed.
379 </p></dd><dt id="GUC-SSL-CERT-FILE"><span class="term"><code class="varname">ssl_cert_file</code> (<code class="type">string</code>)
380 <a id="id-1.6.6.6.5.3.3.1.3" class="indexterm"></a>
381 </span> <a href="#GUC-SSL-CERT-FILE" class="id_link">#</a></dt><dd><p>
382 Specifies the name of the file containing the SSL server certificate.
383 Relative paths are relative to the data directory.
384 This parameter can only be set in the <code class="filename">postgresql.conf</code>
385 file or on the server command line.
386 The default is <code class="filename">server.crt</code>.
387 </p></dd><dt id="GUC-SSL-CRL-FILE"><span class="term"><code class="varname">ssl_crl_file</code> (<code class="type">string</code>)
388 <a id="id-1.6.6.6.5.3.4.1.3" class="indexterm"></a>
389 </span> <a href="#GUC-SSL-CRL-FILE" class="id_link">#</a></dt><dd><p>
390 Specifies the name of the file containing the SSL client certificate
391 revocation list (CRL).
392 Relative paths are relative to the data directory.
393 This parameter can only be set in the <code class="filename">postgresql.conf</code>
394 file or on the server command line.
395 The default is empty, meaning no CRL file is loaded (unless
396 <a class="xref" href="runtime-config-connection.html#GUC-SSL-CRL-DIR">ssl_crl_dir</a> is set).
397 </p></dd><dt id="GUC-SSL-CRL-DIR"><span class="term"><code class="varname">ssl_crl_dir</code> (<code class="type">string</code>)
398 <a id="id-1.6.6.6.5.3.5.1.3" class="indexterm"></a>
399 </span> <a href="#GUC-SSL-CRL-DIR" class="id_link">#</a></dt><dd><p>
400 Specifies the name of the directory containing the SSL client
401 certificate revocation list (CRL). Relative paths are relative to the
402 data directory. This parameter can only be set in
403 the <code class="filename">postgresql.conf</code> file or on the server command
404 line. The default is empty, meaning no CRLs are used (unless
405 <a class="xref" href="runtime-config-connection.html#GUC-SSL-CRL-FILE">ssl_crl_file</a> is set).
407 The directory needs to be prepared with the
408 <span class="productname">OpenSSL</span> command
409 <code class="literal">openssl rehash</code> or <code class="literal">c_rehash</code>. See
410 its documentation for details.
412 When using this setting, CRLs in the specified directory are loaded
413 on-demand at connection time. New CRLs can be added to the directory
414 and will be used immediately. This is unlike <a class="xref" href="runtime-config-connection.html#GUC-SSL-CRL-FILE">ssl_crl_file</a>, which causes the CRL in the file to be
415 loaded at server start time or when the configuration is reloaded.
416 Both settings can be used together.
417 </p></dd><dt id="GUC-SSL-KEY-FILE"><span class="term"><code class="varname">ssl_key_file</code> (<code class="type">string</code>)
418 <a id="id-1.6.6.6.5.3.6.1.3" class="indexterm"></a>
419 </span> <a href="#GUC-SSL-KEY-FILE" class="id_link">#</a></dt><dd><p>
420 Specifies the name of the file containing the SSL server private key.
421 Relative paths are relative to the data directory.
422 This parameter can only be set in the <code class="filename">postgresql.conf</code>
423 file or on the server command line.
424 The default is <code class="filename">server.key</code>.
425 </p></dd><dt id="GUC-SSL-TLS13-CIPHERS"><span class="term"><code class="varname">ssl_tls13_ciphers</code> (<code class="type">string</code>)
426 <a id="id-1.6.6.6.5.3.7.1.3" class="indexterm"></a>
427 </span> <a href="#GUC-SSL-TLS13-CIPHERS" class="id_link">#</a></dt><dd><p>
428 Specifies a list of cipher suites that are allowed by connections using
429 <acronym class="acronym">TLS</acronym> version 1.3. Multiple cipher suites can be
430 specified by using a colon separated list. If left blank, the default
431 set of cipher suites in <span class="productname">OpenSSL</span> will be used.
433 This parameter can only be set in the
434 <code class="filename">postgresql.conf</code> file or on the server command
436 </p></dd><dt id="GUC-SSL-CIPHERS"><span class="term"><code class="varname">ssl_ciphers</code> (<code class="type">string</code>)
437 <a id="id-1.6.6.6.5.3.8.1.3" class="indexterm"></a>
438 </span> <a href="#GUC-SSL-CIPHERS" class="id_link">#</a></dt><dd><p>
439 Specifies a list of <acronym class="acronym">SSL</acronym> ciphers that are allowed by
440 connections using TLS version 1.2 and lower, see
441 <a class="xref" href="runtime-config-connection.html#GUC-SSL-TLS13-CIPHERS">ssl_tls13_ciphers</a> for TLS version 1.3 connections. See
442 the <span class="citerefentry"><span class="refentrytitle">ciphers</span></span>
443 manual page in the <span class="productname">OpenSSL</span> package for the
444 syntax of this setting and a list of supported values. The default value
445 is <code class="literal">HIGH:MEDIUM:+3DES:!aNULL</code>. The default is usually a
446 reasonable choice unless you have specific security requirements.
448 This parameter can only be set in the
449 <code class="filename">postgresql.conf</code> file or on the server command
452 Explanation of the default value:
453 </p><div class="variablelist"><dl class="variablelist"><dt id="GUC-SSL-CIPHERS-HIGH"><span class="term"><code class="literal">HIGH</code></span> <a href="#GUC-SSL-CIPHERS-HIGH" class="id_link">#</a></dt><dd><p>
454 Cipher suites that use ciphers from <code class="literal">HIGH</code> group (e.g.,
456 </p></dd><dt id="GUC-SSL-CIPHERS-MEDIUM"><span class="term"><code class="literal">MEDIUM</code></span> <a href="#GUC-SSL-CIPHERS-MEDIUM" class="id_link">#</a></dt><dd><p>
457 Cipher suites that use ciphers from <code class="literal">MEDIUM</code> group
459 </p></dd><dt id="GUC-SSL-CIPHERS-PLUS-3DES"><span class="term"><code class="literal">+3DES</code></span> <a href="#GUC-SSL-CIPHERS-PLUS-3DES" class="id_link">#</a></dt><dd><p>
460 The <span class="productname">OpenSSL</span> default order for
461 <code class="literal">HIGH</code> is problematic because it orders 3DES
462 higher than AES128. This is wrong because 3DES offers less
463 security than AES128, and it is also much slower.
464 <code class="literal">+3DES</code> reorders it after all other
465 <code class="literal">HIGH</code> and <code class="literal">MEDIUM</code> ciphers.
466 </p></dd><dt id="GUC-SSL-CIPHERS-NOT-ANULL"><span class="term"><code class="literal">!aNULL</code></span> <a href="#GUC-SSL-CIPHERS-NOT-ANULL" class="id_link">#</a></dt><dd><p>
467 Disables anonymous cipher suites that do no authentication. Such
468 cipher suites are vulnerable to <acronym class="acronym">MITM</acronym> attacks and
469 therefore should not be used.
470 </p></dd></dl></div><p>
472 Available cipher suite details will vary across
473 <span class="productname">OpenSSL</span> versions. Use the command
474 <code class="literal">openssl ciphers -v 'HIGH:MEDIUM:+3DES:!aNULL'</code> to
475 see actual details for the currently installed
476 <span class="productname">OpenSSL</span> version. Note that this list is
477 filtered at run time based on the server key type.
478 </p></dd><dt id="GUC-SSL-PREFER-SERVER-CIPHERS"><span class="term"><code class="varname">ssl_prefer_server_ciphers</code> (<code class="type">boolean</code>)
479 <a id="id-1.6.6.6.5.3.9.1.3" class="indexterm"></a>
480 </span> <a href="#GUC-SSL-PREFER-SERVER-CIPHERS" class="id_link">#</a></dt><dd><p>
481 Specifies whether to use the server's SSL cipher preferences, rather
483 This parameter can only be set in the <code class="filename">postgresql.conf</code>
484 file or on the server command line.
485 The default is <code class="literal">on</code>.
487 <span class="productname">PostgreSQL</span> versions before 9.4 do not have
488 this setting and always use the client's preferences. This setting is
489 mainly for backward compatibility with those versions. Using the
490 server's preferences is usually better because it is more likely that
491 the server is appropriately configured.
492 </p></dd><dt id="GUC-SSL-GROUPS"><span class="term"><code class="varname">ssl_groups</code> (<code class="type">string</code>)
493 <a id="id-1.6.6.6.5.3.10.1.3" class="indexterm"></a>
494 </span> <a href="#GUC-SSL-GROUPS" class="id_link">#</a></dt><dd><p>
495 Specifies the name of the curve to use in <acronym class="acronym">ECDH</acronym> key
496 exchange. It needs to be supported by all clients that connect.
497 Multiple curves can be specified by using a colon-separated list.
498 It does not need to be the same curve used by the server's Elliptic
499 Curve key. This parameter can only be set in the
500 <code class="filename">postgresql.conf</code> file or on the server command line.
501 The default is <code class="literal">X25519:prime256v1</code>.
503 <span class="productname">OpenSSL</span> names for the most common curves
505 <code class="literal">prime256v1</code> (NIST P-256),
506 <code class="literal">secp384r1</code> (NIST P-384),
507 <code class="literal">secp521r1</code> (NIST P-521).
508 An incomplete list of available groups can be shown with the command
509 <code class="command">openssl ecparam -list_curves</code>. Not all of them are
510 usable with <acronym class="acronym">TLS</acronym> though, and many supported group
511 names and aliases are omitted.
513 In <span class="productname">PostgreSQL</span> versions before 18.0 this
514 setting was named <code class="literal">ssl_ecdh_curve</code> and only accepted
516 </p></dd><dt id="GUC-SSL-MIN-PROTOCOL-VERSION"><span class="term"><code class="varname">ssl_min_protocol_version</code> (<code class="type">enum</code>)
517 <a id="id-1.6.6.6.5.3.11.1.3" class="indexterm"></a>
518 </span> <a href="#GUC-SSL-MIN-PROTOCOL-VERSION" class="id_link">#</a></dt><dd><p>
519 Sets the minimum SSL/TLS protocol version to use. Valid values are
520 currently: <code class="literal">TLSv1</code>, <code class="literal">TLSv1.1</code>,
521 <code class="literal">TLSv1.2</code>, <code class="literal">TLSv1.3</code>. Older
522 versions of the <span class="productname">OpenSSL</span> library do not
523 support all values; an error will be raised if an unsupported setting
524 is chosen. Protocol versions before TLS 1.0, namely SSL version 2 and
525 3, are always disabled.
527 The default is <code class="literal">TLSv1.2</code>, which satisfies industry
528 best practices as of this writing.
530 This parameter can only be set in the <code class="filename">postgresql.conf</code>
531 file or on the server command line.
532 </p></dd><dt id="GUC-SSL-MAX-PROTOCOL-VERSION"><span class="term"><code class="varname">ssl_max_protocol_version</code> (<code class="type">enum</code>)
533 <a id="id-1.6.6.6.5.3.12.1.3" class="indexterm"></a>
534 </span> <a href="#GUC-SSL-MAX-PROTOCOL-VERSION" class="id_link">#</a></dt><dd><p>
535 Sets the maximum SSL/TLS protocol version to use. Valid values are as
536 for <a class="xref" href="runtime-config-connection.html#GUC-SSL-MIN-PROTOCOL-VERSION">ssl_min_protocol_version</a>, with addition of
537 an empty string, which allows any protocol version. The default is to
538 allow any version. Setting the maximum protocol version is mainly
539 useful for testing or if some component has issues working with a
542 This parameter can only be set in the <code class="filename">postgresql.conf</code>
543 file or on the server command line.
544 </p></dd><dt id="GUC-SSL-DH-PARAMS-FILE"><span class="term"><code class="varname">ssl_dh_params_file</code> (<code class="type">string</code>)
545 <a id="id-1.6.6.6.5.3.13.1.3" class="indexterm"></a>
546 </span> <a href="#GUC-SSL-DH-PARAMS-FILE" class="id_link">#</a></dt><dd><p>
547 Specifies the name of the file containing Diffie-Hellman parameters
548 used for so-called ephemeral DH family of SSL ciphers. The default is
549 empty, in which case compiled-in default DH parameters used. Using
550 custom DH parameters reduces the exposure if an attacker manages to
551 crack the well-known compiled-in DH parameters. You can create your own
552 DH parameters file with the command
553 <code class="command">openssl dhparam -out dhparams.pem 2048</code>.
555 This parameter can only be set in the <code class="filename">postgresql.conf</code>
556 file or on the server command line.
557 </p></dd><dt id="GUC-SSL-PASSPHRASE-COMMAND"><span class="term"><code class="varname">ssl_passphrase_command</code> (<code class="type">string</code>)
558 <a id="id-1.6.6.6.5.3.14.1.3" class="indexterm"></a>
559 </span> <a href="#GUC-SSL-PASSPHRASE-COMMAND" class="id_link">#</a></dt><dd><p>
560 Sets an external command to be invoked when a passphrase for
561 decrypting an SSL file such as a private key needs to be obtained. By
562 default, this parameter is empty, which means the built-in prompting
565 The command must print the passphrase to the standard output and exit
566 with code 0. In the parameter value, <code class="literal">%p</code> is
567 replaced by a prompt string. (Write <code class="literal">%%</code> for a
568 literal <code class="literal">%</code>.) Note that the prompt string will
569 probably contain whitespace, so be sure to quote adequately. A single
570 newline is stripped from the end of the output if present.
572 The command does not actually have to prompt the user for a
573 passphrase. It can read it from a file, obtain it from a keychain
574 facility, or similar. It is up to the user to make sure the chosen
575 mechanism is adequately secure.
577 This parameter can only be set in the <code class="filename">postgresql.conf</code>
578 file or on the server command line.
579 </p></dd><dt id="GUC-SSL-PASSPHRASE-COMMAND-SUPPORTS-RELOAD"><span class="term"><code class="varname">ssl_passphrase_command_supports_reload</code> (<code class="type">boolean</code>)
580 <a id="id-1.6.6.6.5.3.15.1.3" class="indexterm"></a>
581 </span> <a href="#GUC-SSL-PASSPHRASE-COMMAND-SUPPORTS-RELOAD" class="id_link">#</a></dt><dd><p>
582 This parameter determines whether the passphrase command set by
583 <code class="varname">ssl_passphrase_command</code> will also be called during a
584 configuration reload if a key file needs a passphrase. If this
585 parameter is off (the default), then
586 <code class="varname">ssl_passphrase_command</code> will be ignored during a
587 reload and the SSL configuration will not be reloaded if a passphrase
588 is needed. That setting is appropriate for a command that requires a
589 TTY for prompting, which might not be available when the server is
590 running. Setting this parameter to on might be appropriate if the
591 passphrase is obtained from a file, for example.
593 This parameter can only be set in the <code class="filename">postgresql.conf</code>
594 file or on the server command line.
595 </p></dd></dl></div></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="runtime-config-file-locations.html" title="19.2. File Locations">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="runtime-config.html" title="Chapter 19. Server Configuration">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="runtime-config-resource.html" title="19.4. Resource Consumption">Next</a></td></tr><tr><td width="40%" align="left" valign="top">19.2. File Locations </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 19.4. Resource Consumption</td></tr></table></div></body></html>
begriffs.com / projects / ai-pg / blob