openssl.md
openssl req -new -text -out server.req -subj '/C=CN/ST=Zhejiang/L=Hangzhou/O=dbpaas/CN=dbpaas-ip-port' -passout pass:'xxx'

-passout 的意思是对输出文件（私钥）的加密密码。注意：用 pass: 直接在命令行给出口令，口令会留在 shell 历史和进程列表中；生产环境建议改用 -passout file:<路径> 或交互式输入。
openssl rsa -in privkey.pem -out server.key -passin pass:'xxx'

-passin 这里是设置读取输入文件（加密私钥）需要的密码。生成的 server.key 是未加密的私钥，之后删除加密的原文件：

rm -f privkey.pem
openssl req -x509 -in server.req -text -key server.key -out server.crt
chmod 600 server.key
mv -f server.crt server.key $PGDATA
postgresql.conf 中开启 SSL：

ssl = on
ssl_cert_file = 'server.crt'          # (change requires restart)
ssl_key_file = 'server.key'

下面的不用改，pg 默认：

ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'   # allowed SSL ciphers
                                                   # (change requires restart)
ssl_renegotiation_limit = 512MB                    # amount of data between renegotiations
pg_ctl restart -m fast

重启后用 psql 连接，会显示类似：SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
create extension sslinfo;
CREATE EXTENSION

digoal=# select ssl_is_used();
 ssl_is_used
-------------
 t
(1 row)

digoal=# select ssl_cipher();
     ssl_cipher
--------------------
 DHE-RSA-AES256-SHA
(1 row)

digoal=# select ssl_version();
 ssl_version
-------------
 TLSv1
(1 row)
psql "sslmode=require" -h 172.16.3.33 -p 1999 -U postgres -d pg
psql "sslmode=disable" -h 172.16.3.33 -p 1999 -U postgres -d pg
参考:
https://github.com/digoal/blog/blob/master/201305/20130522_01.md
https://www.jianshu.com/p/15b1d935a44b