PostgreSQL

Postgres SSLMode Parameter

PostgreSQL is a free and open-source relational database that is widely used in a variety of applications. PostgreSQL allows us to manage and access the databases securely and efficiently. One of the security features that is provided by PostgreSQL is its ability to connect securely using SSL (Secure Sockets Layer).

The PostgreSQL sslmode parameter plays a crucial role in establishing the SSL connections as it defines the level of security that is required when connecting to the PostgreSQL server. In addition, it allows the clients to specify the type of SSL connection as needed.

This tutorial explores how to configure and work with PostgreSQL using SSL and the sslmode parameter.

PostgreSQL SSLMode Parameter

In PostgreSQL, the sslmode parameter specifies the SSL encryption mode for client-server communication.

The parameter accepts the following values:

  1. Disable – It disables the SSL security.
  2. Allow – It tries to connect with SSL first but falls back to non-SSL if the server does not support it.
  3. Prefer – It tries to connect with SSL at first but falls back to non-SSL if the connection to the server cannot be established. This is similar to the “allow” value and is the default functionality.
  4. Require – This requires an SSL connection. If it is set to require, the connection is not established unless it’s under SSL.
  5. Verify-ca – It requires an SSL connection, and the server certificate is verified for the correct CA. This helps to prevent the attacks such as MITM attacks.
  6. Verify-full – It requires an SSL connection while the server certificate is verified for the correct CA, and the server hostname must match the one that is defined in the certificate. This is the most secure option.

The provided values are the accepted values for the sslmode parameter in PostgreSQL auth.

How to Use the PostgreSQL SSLMODE Parameter

The following steps describe how you can use the sslmode parameter in PostgreSQL. We assume that you have a PostgreSQL server installed on your machine.

Step 1: Generate the SSL Certificates

Start by generating the SSL server key, server certificates, and root certificate using the openssl tool. You can run the commands as follows:

Create the server key:

openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048

Secure the server key:

chmod 400 server.key

Create the server certificate:

openssl req -new -key server.key -out server.csr

Self-sign the server certificate:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Step 2: Configure the PostgreSQL Server to Use SSL

The next step is configuring the PostgreSQL server to support SSL and using the provided certificates and keys. We can do this by editing the PostgreSQL server configuration file.

Start by moving the generated certificates into the data directory of PostgreSQL which is typically located at /var/lib/postgresql/<version>/main.

For example:

sudo mv server.key server.crt /var/lib/postgresql/15/main/

Next, edit the postgresql.conf file and enable the server configuration file. Locate the following entries:

#ssl = off
#ssl_cert_file = 'server.crt'
#ssl_key_file = 'server.key'

Uncomment the previous entries by removing the preceding “#” characters.

ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'

Once satisfied, save the changes to the configuration file and restart the PostgreSQL server.

sudo systemctl restart postgresql

Step 3: Connect to the PostgreSQL Server with a Specific SSL Mode

Once we configured the server to accept the SSL connections, the clients can specify the type of SSL connection that they want.

We do this by appending the sslmode parameter to the connection string or settings. The following are examples on how to specify the SSL modes in PSQL.

Connect using the sslmode=disable:

psql "dbname=postgres user=postgres host=localhost sslmode=disable"

Connect using the sslmode=require:

psql "dbname=postgres user=postgres host=localhost sslmode=require"

Connect using the sslmode=verify-ca:

psql "dbname=postgres user=postgres host=localhost sslmode=verify-ca sslrootcert=root.crt"

Connect using the sslmode=verify-full:

psql "dbname=postgres user=postgres host=localhost sslmode=verify-full sslrootcert=root.crt"

Replace the dbname, user, host, and sslrootcert with your target database name, username, host, and root certificate path, respectively.

Conclusion

This tutorial walked you through the steps of configuring the SSL authentication in PostgreSQL and defining the various SSL levels using the sslmode parameter.

About the author

John Otieno

My name is John and am a fellow geek like you. I am passionate about all things computers from Hardware, Operating systems to Programming. My dream is to share my knowledge with the world and help out fellow geeks. Follow my content by subscribing to LinuxHint mailing list