PostgreSQL has native support for using SSL connections to encrypt client/server communications for increased security. See Section 16.7, “Secure TCP/IP Connections with SSL” for details about the server-side SSL functionality.
If the server demands a client certificate, libpq will send the certificate stored in the file ~/.postgresql/postgresql.crt in the user's home directory. A matching private key file ~/.postgresql/postgresql.key must also be present, and it must be accessible only to its owner (chmod 0600): libpq refuses to use a key file that has any group or world permission bits set. (On Microsoft Windows these files are named %APPDATA%\postgresql\postgresql.crt and %APPDATA%\postgresql\postgresql.key, and the permission check is not performed.)
If the file ~/.postgresql/root.crt is present in the user's home directory, libpq will use the CA certificate list stored there to verify the server's certificate. (On Microsoft Windows the file is named %APPDATA%\postgresql\root.crt.) The SSL connection will fail if the server does not present a certificate, or presents one that does not chain to a CA listed in root.crt; therefore, to use this feature the server must be configured with its own certificate file, server.crt (see Section 16.7). If the client has no root.crt, the server's certificate is not checked at all: the connection is still encrypted, but the client has no assurance of which server it is talking to.
Certificate Revocation List (CRL) entries are also checked if the file ~/.postgresql/root.crl exists (%APPDATA%\postgresql\root.crl on Microsoft Windows).
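The following program is an added example, not part of the PostgreSQL documentation or of libpq itself. It reports which of the four client-side files above are present under $HOME/.postgresql, applies to postgresql.key the same rule libpq enforces on Unix before it will present the client certificate (the key must be a regular file with no group or world permission bits), and warns when root.crt is absent, since in that case the server certificate goes unverified. The /tmp scratch path, the function names and the enum are choices made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Outcome of check_client_key(); names are this example's own. */
enum key_status {
    KEY_OK = 0,
    KEY_MISSING = 1,      /* stat() failed: nothing at that path */
    KEY_NOT_REGULAR = 2,  /* exists but is not a regular file */
    KEY_BAD_PERMS = 3     /* some group or world permission bit is set */
};

/* Compose "$HOME/.postgresql/<name>", the Unix location libpq reads.
 * Returns 0 on success, -1 if HOME is unset or the path does not fit. */
int pg_user_file(const char *name, char *buf, size_t buflen)
{
    const char *home = getenv("HOME");
    int n;
    if (home == NULL)
        return -1;
    n = snprintf(buf, buflen, "%s/.postgresql/%s", home, name);
    return (n < 0 || (size_t) n >= buflen) ? -1 : 0;
}

/* The test libpq applies to postgresql.key on Unix: the key must be a
 * regular file carrying no group or other bits (0600 and 0400 pass,
 * 0640 and 0644 fail). */
enum key_status check_client_key(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return KEY_MISSING;
    if (!S_ISREG(st.st_mode))
        return KEY_NOT_REGULAR;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return KEY_BAD_PERMS;
    return KEY_OK;
}

/* 1 if something exists at path, 0 otherwise. */
int file_present(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Create a scratch key under /tmp with the requested mode, run the
 * libpq-style check on it, delete it, and return the verdict. The
 * explicit chmod() defeats the umask so the tested mode is exact. */
enum key_status demo_key_check(mode_t mode)
{
    char path[64];
    int fd;
    enum key_status status;

    snprintf(path, sizeof path, "/tmp/pgssl-demo-key-%ld", (long) getpid());
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0)
        return KEY_MISSING;
    close(fd);
    if (chmod(path, mode) != 0) {
        unlink(path);
        return KEY_MISSING;
    }
    status = check_client_key(path);
    unlink(path);
    return status;
}

int main(void)
{
    static const char *const names[] = {
        "postgresql.crt", "postgresql.key", "root.crt", "root.crl"
    };
    char path[4096];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (pg_user_file(names[i], path, sizeof path) != 0) {
            fputs("HOME is not set; cannot locate ~/.postgresql\n", stderr);
            return 1;
        }
        printf("%-16s %s\n", names[i], file_present(path) ? "present" : "absent");
    }

    pg_user_file("postgresql.key", path, sizeof path);
    if (check_client_key(path) == KEY_BAD_PERMS)
        puts("postgresql.key is group- or world-accessible; libpq will refuse it (chmod 0600)");

    pg_user_file("root.crt", path, sizeof path);
    if (!file_present(path))
        puts("no root.crt: the server certificate will not be verified");

    printf("synthetic key, mode 0644 -> %s\n",
           demo_key_check(0644) == KEY_OK ? "accepted" : "rejected");
    return 0;
}
```

Run it as the user who will connect: a "rejected" verdict for the real postgresql.key means libpq will report a permissions error rather than authenticate with the certificate, and the absence message for root.crt means sslmode alone buys encryption, not server authentication.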
If your application itself uses SSL (in addition to libpq using it), call PQinitSSL(int do_init) before opening the first connection. Passing 0 tells libpq that the SSL library has already been initialized by your application; passing a nonzero value lets libpq initialize it, which is also what happens if PQinitSSL is never called.