Commit d40c7cd

doc: Add more substructure to SSL documentation
The SSL documentation text has gotten a bit long, so add some subsections and reorder for better flow.
1 parent f9d34ce commit d40c7cd

1 file changed: +37 -29 lines changed

‎doc/src/sgml/runtime.sgml

Lines changed: 37 additions & 29 deletions
Original file line number | Diff line number | Diff line change
@@ -2158,6 +2158,9 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
21582158
enabled at build time (see <xref linkend="installation"/>).
21592159
</para>
21602160

2161+
<sect2 id="ssl-setup">
2162+
<title>Basic Setup</title>
2163+
21612164
<para>
21622165
With <acronym>SSL</acronym> support compiled in, the
21632166
<productname>PostgreSQL</productname> server can be started with
@@ -2171,35 +2174,6 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
21712174
use of <acronym>SSL</acronym> for some or all connections.
21722175
</para>
21732176

2174-
<para>
2175-
<productname>PostgreSQL</productname> reads the system-wide
2176-
<productname>OpenSSL</productname> configuration file. By default, this
2177-
file is named <filename>openssl.cnf</filename> and is located in the
2178-
directory reported by <literal>openssl version -d</literal>.
2179-
This default can be overridden by setting environment variable
2180-
<envar>OPENSSL_CONF</envar> to the name of the desired configuration file.
2181-
</para>
2182-
2183-
<para>
2184-
<productname>OpenSSL</productname> supports a wide range of ciphers
2185-
and authentication algorithms, of varying strength. While a list of
2186-
ciphers can be specified in the <productname>OpenSSL</productname>
2187-
configuration file, you can specify ciphers specifically for use by
2188-
the database server by modifying <xref linkend="guc-ssl-ciphers"/> in
2189-
<filename>postgresql.conf</filename>.
2190-
</para>
2191-
2192-
<note>
2193-
<para>
2194-
It is possible to have authentication without encryption overhead by
2195-
using <literal>NULL-SHA</literal> or <literal>NULL-MD5</literal> ciphers. However,
2196-
a man-in-the-middle could read and pass communications between client
2197-
and server. Also, encryption overhead is minimal compared to the
2198-
overhead of authentication. For these reasons NULL ciphers are not
2199-
recommended.
2200-
</para>
2201-
</note>
2202-
22032177
<para>
22042178
To start in <acronym>SSL</acronym> mode, files containing the server certificate
22052179
and private key must exist. By default, these files are expected to be
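Review bot: With the OpenSSL paragraphs and the NULL-cipher note removed from between "use of SSL for some or all connections" and "To start in SSL mode", the Basic Setup text no longer mentions cipher selection at all. Consider leaving a one-sentence pointer at this spot, for example a reference to <xref linkend="ssl-openssl-config"/>, so a reader who stops after the basic setup still learns that the server's cipher list is configurable and that guidance on it exists further down.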
@@ -2245,6 +2219,40 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
22452219
<filename>server.crt</filename>. Instead, clients must have the root
22462220
certificate of the server's certificate chain.
22472221
</para>
2222+
</sect2>
2223+
2224+
<sect2 id="ssl-openssl-config">
2225+
<title>OpenSSL Configuration</title>
2226+
2227+
<para>
2228+
<productname>PostgreSQL</productname> reads the system-wide
2229+
<productname>OpenSSL</productname> configuration file. By default, this
2230+
file is named <filename>openssl.cnf</filename> and is located in the
2231+
directory reported by <literal>openssl version -d</literal>.
2232+
This default can be overridden by setting environment variable
2233+
<envar>OPENSSL_CONF</envar> to the name of the desired configuration file.
2234+
</para>
2235+
2236+
<para>
2237+
<productname>OpenSSL</productname> supports a wide range of ciphers
2238+
and authentication algorithms, of varying strength. While a list of
2239+
ciphers can be specified in the <productname>OpenSSL</productname>
2240+
configuration file, you can specify ciphers specifically for use by
2241+
the database server by modifying <xref linkend="guc-ssl-ciphers"/> in
2242+
<filename>postgresql.conf</filename>.
2243+
</para>
2244+
2245+
<note>
2246+
<para>
2247+
It is possible to have authentication without encryption overhead by
2248+
using <literal>NULL-SHA</literal> or <literal>NULL-MD5</literal> ciphers. However,
2249+
a man-in-the-middle could read and pass communications between client
2250+
and server. Also, encryption overhead is minimal compared to the
2251+
overhead of authentication. For these reasons NULL ciphers are not
2252+
recommended.
2253+
</para>
2254+
</note>
2255+
</sect2>
22482256

22492257
<sect2 id="ssl-client-certificates">
22502258
<title>Using Client Certificates</title>
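Review bot: In the <note> at new lines 2245-2254, "a man-in-the-middle could read and pass communications" understates what NULL-SHA and NULL-MD5 give up: with no encryption, any party able to observe the traffic can read it, not only one positioned to relay it. The text is moved verbatim, but since it now stands as the only security guidance in its own OpenSSL Configuration subsection, this would be a good moment to say plainly that these ciphers provide no confidentiality. The new ids ssl-setup and ssl-openssl-config look consistent with the existing ssl-client-certificates naming.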
