- 准备证书,包括server和client端的证书,比如
ca-cert.pem, ca-key.pem, server-cert.pem, server-key.pem, client-cert.pem, client-key.pem
- 修改
postgresql.conf文件中关于SSL的配置
ssl = on
ssl_ca_file = 'ca-cert.pem'
ssl_cert_file = 'server-cert.pem'
ssl_key_file = 'server-key.pem'
- 修改
pg_hba.conf中server端的证书要求
hostssl test. test. 0.0.0.0/0. scram-sha-256 clientcert=verify-full
其中clientcert=verfiy-ca或者1,表示客户端需要提供client-cert.pem和client-key.pem, 如果是verify-full则需要client的证书CN和user name一致
- psql使用SSL协议登录
psql "sslcert=cllient-cert.pem sslkey=client-key.pem sslrootcert=ca-cert.pem sslmode=verify-ca" -h 1.1.1.1 -U test
psql "sslcert=cllient-cert.pem sslkey=client-key.pem sslrootcert=ca-cert.pem sslmode=verify-full" -h 1.1.1.1 -U test postgres
sslmode为verify-full,除了验证server证书,还会验证server证书中的CN是否与host一致。
