Commit 98dba62

Thomas G. Lockhart committed

Fix ids and xrefs to avoid duplicates.
Remove copy/paste redundant extra section with slight merge of content.

1 parent 577fd41, commit 98dba62

1 file changed, +8 -62 lines changed

‎doc/src/sgml/runtime.sgml

Lines changed: 8 additions & 62 deletions
@@ -1,5 +1,5 @@
11
<!--
2-
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.29 2000/10/19 04:53:41 tgl Exp $
2+
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.30 2000/10/20 14:00:49 thomas Exp $
33
-->
44

55
<Chapter Id="runtime">
@@ -1014,7 +1014,7 @@ env PGOPTIONS='--geqo=off' psql
10141014
<listitem>
10151015
<para>
10161016
Enables <acronym>SSL</> connections. Please read
1017-
<xref linkend="ssl"> before using this. The default
1017+
<xref linkend="ssl-tcp"> before using this. The default
10181018
is off.
10191019
</para>
10201020
</listitem>
@@ -1637,7 +1637,7 @@ set semsys:seminfo_semmsl=32
16371637
</para>
16381638
</sect1>
16391639

1640-
<sect1 id="ssl">
1640+
<sect1 id="ssl-tcp">
16411641
<title>Secure TCP/IP Connections with SSL</title>
16421642

16431643
<para>
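Review bot: The id on `<sect1 id="ssl-tcp">` (line 1640) is renamed, but this commit touches only runtime.sgml, so any `linkend="ssl"` in another SGML file would now dangle. Worth searching the rest of the doc tree for remaining references before this goes in. The one xref visible in this file (line 1017) is updated consistently.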
@@ -1654,7 +1654,8 @@ set semsys:seminfo_semmsl=32
16541654
can be started with the argument <option>-l</> (ell) to enable
16551655
SSL connections. When starting in SSL mode, the postmaster will look
16561656
for the files <filename>server.key</> and <filename>server.crt</> in
1657-
the data directory. These files should contain the server private key
1657+
the data directory (pointed to by <envar>PGDATA</envar>).
1658+
These files should contain the server private key
16581659
and certificate respectively. These files must be set up correctly
16591660
before an SSL-enabled server can start. If the private key is protected
16601661
with a passphrase, the postmaster will prompt for the passphrase and will
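Review bot: The retained sentence "These files must be set up correctly before an SSL-enabled server can start" (line 1659) never says what "correctly" means, and since this paragraph is being touched anyway it would be the place to state the expected ownership and permissions of server.key, which holds the server private key. Style point on the added line 1657: `<envar>PGDATA</envar>` spells out the closing tag while the neighbouring lines use the short form (`<option>-l</>`, `<filename>server.key</>`); pick one for consistency.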
@@ -1664,7 +1665,8 @@ set semsys:seminfo_semmsl=32
16641665
<para>
16651666
The postmaster will listen for both standard and SSL connections
16661667
on the same TCP/IP port, and will negotiate with any connecting
1667-
client wether to use SSL or not. See <xref linkend="client-authentication">
1668+
client whether or not to use SSL.
1669+
See <xref linkend="client-authentication">
16681670
about how to force on the server side the use of SSL for certain
16691671
connections.
16701672
</para>
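Review bot: The context on lines 1670-1671, "about how to force on the server side the use of SSL for certain connections", still reads awkwardly after the typo fix; something like "for how to require SSL for certain connections on the server side" would be clearer. Because the server negotiates SSL per client on the same port, readers need to know where enforcement is configured: the duplicate section removed further down named pg_hba.conf explicitly, and carrying that file name over into this sentence would keep the pointer.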
@@ -1695,63 +1697,7 @@ openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.p
16951697
</para>
16961698
</sect1>
16971699

1698-
<sect1 id="ssl">
1699-
<title>Secure TCP/IP Connection with SSL</title>
1700-
1701-
<para>
1702-
PostgreSQL has native support for connections over SSL to encrypt
1703-
client/server communications for increased security. This requires
1704-
<productname>OpenSSL</productname> to be installed on both client
1705-
and server systems and support enabled at compile-time using
1706-
the configure script.
1707-
</para>
1708-
1709-
<para>
1710-
With SSL support compiled in, the Postgres backend can be
1711-
started with argument -l to enable SSL connections.
1712-
When starting in SSL mode, the postmaster will look for the
1713-
files <filename>server.key</filename> and
1714-
<filename>server.cert</filename> in the <envar>PGDATA</envar>
1715-
directory. These files should contain the server private key and
1716-
certificate respectively. If the private key is protected with a
1717-
passphrase, the postmaster will prompt for the passphrase and not
1718-
start until it has been provided.
1719-
</para>
1720-
1721-
<para>
1722-
The postmaster will listen for both standard and SSL connections
1723-
on the same TCP/IP port, and will negotiate with any connecting
1724-
client wether to use SSL or not. Use the <filename>pg_hba.conf</filename>
1725-
file to optionally require SSL in order to accept a connection.
1726-
</para>
1727-
1728-
<para>
1729-
For details on how to create your server private key and certificate,
1730-
refer to the OpenSSL documentation. A simple self-signed certificate
1731-
can be used to get started testing, but a certificate signed by a CA
1732-
(either one of the global CAs or a local one) should be used in
1733-
production so the client can verify the servers identity. To create
1734-
a quick self-signed certificate, use the <filename>CA.pl</filename>
1735-
script included in OpenSSL:
1736-
<programlisting>
1737-
CA.pl -newcert
1738-
</programlisting>
1739-
Fill out the information the script asks for. Make sure to enter
1740-
the local hostname as Common Name. The script will generate a key
1741-
which is passphrase protected. To remove the passphrase (required
1742-
if you want automatic startup of the postmaster), run the command
1743-
<programlisting>
1744-
openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
1745-
</programlisting>
1746-
Enter the old passphrase to unlock the existing key. Copy the file
1747-
<filename>newreq.pem</filename> to <filename>PGDATA/server.cert</filename>
1748-
and <filename>newkey_no_passphrase.pem</filename> to
1749-
<filename>PGDATA/server.key</filename>. Remove the PRIVATE KEY part
1750-
from the <filename>server.cert</filename> using any text editor.
1751-
</para>
1752-
</sect1>
1753-
1754-
<sect1 id="ssh">
1700+
<sect1 id="ssh-tunnels">
17551701
<title>Secure TCP/IP Connections with SSH tunnels</title>
17561702

17571703
<note>
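Review bot: The hunk header shows the retained section still carrying `openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem` as the passphrase-removal step, identical to the deleted copy at line 1744. `openssl x509` processes certificates, not private keys, so it does not write an unencrypted key; the step should use a key command such as `openssl rsa` instead. Two things to confirm while merging the sections: the deleted copy said server.cert where the kept text (line 1656) says server.crt, so make sure the surviving instructions use the name the postmaster actually looks for; and the `ssh` to `ssh-tunnels` rename on line 1700 needs a search for remaining `linkend="ssh"` references, since no xref update for it appears in this diff.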
