From de75ecb6eb6d19177e213c77da000766171c95a5 Mon Sep 17 00:00:00 2001
From: David Zhang
Date: Tue, 5 Mar 2024 15:32:05 -0800
Subject: [PATCH 2/3] doc - support certificate status check using OCSP stapling
---
doc/src/sgml/config.sgml | 17 +++++++++++++++++
doc/src/sgml/libpq.sgml | 30 ++++++++++++++++++++++++++++++
doc/src/sgml/runtime.sgml | 6 ++++++
3 files changed, 53 insertions(+)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index b38cbd714a..28c0d3e00a 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1262,6 +1262,23 @@ include_dir 'conf.d' + + ssl_ocsp_file (string) + + ssl_ocsp_file configuration parameter + + + + + Specifies the name of the file containing the SSL server stapled + certificate status (OCSP Stapling). Relative paths are relative to the + data directory. This parameter can only be set in the + postgresql.conf file or on the server command line. + The default is empty, meaning no OCSP Stapling file is loaded. + + + + ssl_crl_file (string)
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 1d8998efb2..a6457453f5 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1761,6 +1761,21 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname + + sslocspstapling + + + If set to 1, an SSL connection to the server + will send a certificate status request. libpq + will then refuse to connect if the server does not provide a valid OCSP + Stapling response. If set to 0 (default), + libpq will neither request the certificate + status nor check OCSP Stapling response. This option is only available if + PostgreSQL is compiled with SSL support. + + + + sslkey
@@ -8323,6 +8338,16 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough) + + + + PGSSLOCSPSTAPLING + + PGSSLOCSPSTAPLING behaves the same as the connection parameter. + + + 
@@ -8899,6 +8924,11 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*) Windows). + + Stapled server certificate status (OCSP Stapling) will be checked, + if the parameter sslocspstapling is set to 1. + + The location of the root certificate file and the CRL can be changed by setting
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 6047b8171d..0fa946a2ee 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2405,6 +2405,12 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 sent to client to indicate server's identity + + + server certificate status stapled by ocsp responder + sent to client to indicate server certificate status + + ($PGDATA/server.key) server private key
-- 
2.34.1