Securing PostgreSQL server with SSL/TLS on RHEL6
Securing postgresql-server (v8.4.20) that uses openssl
This article is part of the Securing Applications Collection
Configuration File
/var/lib/pgsql/data/postgresql.conf
shortform
ssl = 'on'
ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'
Protocols
PostgreSQL versions prior to upstream 9.4 use TLSv1 exclusively and will not negotiate anything else.
Ciphers
ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'
This provides secure connections within the limitations of TLSv1.
Ciphers - Alternative Values
ssl_ciphers = 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'
This variant allows RC4 for older clients.
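To see what a given ssl_ciphers value really offers on the server's OpenSSL build, the following added example (not part of the original article) expands the string with the openssl command-line tool, flags any suite the article's exclusions are meant to remove, and lists the suites a TLSv1-only PostgreSQL 8.4 could actually negotiate. It assumes the openssl CLI is installed; the two strings are the article's recommended and alternative values, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original article: expand a PostgreSQL
# ssl_ciphers value with the local OpenSSL build and report what it really
# offers. Assumes the openssl CLI is installed; the two strings are the
# article's recommended and alternative values, the function names are mine.

RECOMMENDED='ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'
ALTERNATIVE='ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:RC4:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL'

# Suites in cipher string $1 that the article's exclusions are meant to remove:
# no authentication (aNULL), no encryption (eNULL), RC4, or an MD5 MAC.
# "openssl ciphers -v" prints one line per suite: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
weak_suites() {
    openssl ciphers -v "$1" 2>/dev/null | awk '
        $4 == "Au=None" || $5 ~ /^Enc=(None|RC4)/ || $6 == "Mac=MD5" { print $1 }'
}

# Return 0 if the string expands to at least one suite and none of them is weak.
cipher_string_is_clean() {
    [ -n "$(openssl ciphers "$1" 2>/dev/null)" ] || return 1
    [ -z "$(weak_suites "$1")" ]
}

# Suites a TLSv1-only server such as PostgreSQL 8.4 can negotiate from $1.
# openssl labels the TLSv1.0-era suites "SSLv3"; TLSv1.2-only suites such as
# AES256-SHA256 never come into play on this server.
tlsv1_usable_suites() {
    openssl ciphers -v "$1" 2>/dev/null | awk '$2 == "SSLv3" { print $1 }'
}

# Report on both of the article's strings when run directly.
for s in "$RECOMMENDED" "$ALTERNATIVE"; do
    echo "== $s"
    if cipher_string_is_clean "$s"; then
        echo "no weak suites"
    else
        echo "WEAK: $(weak_suites "$s" | tr '\n' ' ')"
    fi
    echo "usable under TLSv1: $(tlsv1_usable_suites "$s" | tr '\n' ' ')"
done
```

Run against the alternative string, the report shows that on OpenSSL builds compiled without RC4 (the default since 1.1.0) the RC4 entry adds nothing, so that variant buys no compatibility there; on an OpenSSL 1.0.x build such as the one on RHEL6 it does enable RC4 suites, which is exactly what the recommended string's !RC4 removes. The TLSv1 list is the one that matters for the server described in this article.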
Certificate Handling
PostgreSQL expects separate PEM format files for the key and for the certificate; the certificate file also carries the CA chain, as described below.
Key File
Key MUST be placed in file
/var/lib/pgsql/data/server.key
The key file must be owned by the postgres user and readable only by that user.
Certificate File
Certificate MUST be placed in file
/var/lib/pgsql/data/server.crt
The file should also contain the intermediate and root CA certificates, in the following order:
* server
* intermediate 1, signer of server
* intermediate 2, signer of intermediate 1
* root of certificate authority, signer of intermediate 2