Securing PostgreSQL server with SSL/TLS on RHEL5
Securing postgresql-server (v8.1.23) that uses openssl
This article is part of the Securing Applications Collection
Configuration File
/var/lib/pgsql/data/postgresql.conf
ssl = 'on'
ssl_renegotiation_limit = 0
Protocols
postgresql in all versions prior to upstream 9.4 uses TLSv1 exclusively and will not negotiate anything else.
Ciphers
postgresql-8.1.23 does not allow the set of ciphers to be configured.
Certificate Handling
postgresql expects separate PEM format files for key and certificates.
Key File
Key MUST be placed in file
/var/lib/pgsql/data/server.key
The key should be owned by, and readable only by, the postgres user.
Certificate File
Certificate MUST be placed in file
/var/lib/pgsql/data/server.crt
Because of a limitation in the server code, the server offers only its own (leaf) certificate and cannot send intermediate certificates. This severely limits the ability to present a correctly chained certificate that clients can fully validate.
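The following script is an added example, not part of this article or of the postgresql-server package: it audits a data directory against the settings above, checking the two postgresql.conf parameters, the presence of server.crt, and that server.key is owned by the expected user with no group or world permissions (the condition the server itself enforces on the key file). The helper names pg_conf_get and pg_ssl_audit are hypothetical.

```shell
#!/bin/sh
# Audit the SSL setup of a PostgreSQL 8.1 data directory against the settings above.
# Added example, not from the article: pg_conf_get and pg_ssl_audit are hypothetical helpers.
# Usage: pg_ssl_audit /var/lib/pgsql/data postgres   (exit status 0 = all checks pass)

# Print the effective value of one postgresql.conf parameter: comments dropped,
# "param = value" and "param value" both accepted, last assignment wins, quotes stripped.
pg_conf_get() {
    awk -v p="$2" '
        { sub(/#.*/, ""); sub(/=/, " = ") }
        $1 == p {
            v = ($2 == "=") ? $3 : $2
            gsub(/^'\''|'\''$/, "", v)
            last = v
        }
        END { print last }' "$1"
}

# Check the two configuration lines plus the key/certificate files. Each failing check
# prints one FAIL line; the return status is 0 only when nothing failed.
pg_ssl_audit() {
    datadir="$1"; owner="${2:-postgres}"; rc=0
    conf="$datadir/postgresql.conf"
    [ "$(pg_conf_get "$conf" ssl)" = "on" ] \
        || { echo "FAIL: ssl is not 'on' in $conf"; rc=1; }
    [ "$(pg_conf_get "$conf" ssl_renegotiation_limit)" = "0" ] \
        || { echo "FAIL: ssl_renegotiation_limit is not 0 (renegotiation still allowed)"; rc=1; }
    [ -f "$datadir/server.crt" ] || { echo "FAIL: $datadir/server.crt missing"; rc=1; }
    if [ -f "$datadir/server.key" ]; then
        # GNU stat (RHEL5 coreutils): %U = owner name, %a = octal mode
        user=$(stat -c %U "$datadir/server.key"); mode=$(stat -c %a "$datadir/server.key")
        [ "$user" = "$owner" ] \
            || { echo "FAIL: server.key owned by $user, expected $owner"; rc=1; }
        # the server refuses a key with any group or world bits set, so require a mode ending in 00
        case "$mode" in
            *00) ;;
            *) echo "FAIL: server.key mode $mode allows group/world access"; rc=1 ;;
        esac
    else
        echo "FAIL: $datadir/server.key missing"; rc=1
    fi
    return $rc
}
```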