Securing postgresql-server (v9.2.23) that uses openssl

This article is part of the Securing Applications Collection

Configuration File

   /var/lib/pgsql/data/postgresql.conf

shortform

ssl = 'on'
ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'
ssl_cert_file = '/var/lib/pgsql/data/server.crt'
ssl_key_file = '/var/lib/pgsql/data/server.key'

Protocols

postgresql in all versions prior to upstream 9.4 uses TLSv1 exclusively and will not negotiate anything else.

Ciphers

    ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'

provides secure connections within the limitation of TLSv1

Ciphers - Alternative Values

ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'

Allows RC4 for older clients

Certificate Handling

Apache expects separate PEM format files for key and certificate, and another for the CA chain.

Key File

ssl_key_file = '/var/lib/pgsql/data/server.key'

key should be owned and readable only by postgres user

Certificate File

ssl_cert_file = '/var/lib/pgsql/data/server.crt'

should also contain intermediates and root CA certificate in the following order
* server
* intermediate 1, signer of server
* intermediate 2, signer of intermediate 1
* root of certificate authority, signer of intermediate 2