From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | andy(at)freeborough(dot)com, pgsql-docs(at)lists(dot)postgresql(dot)org |
Subject: | Re: 19.9. Secure TCP/IP Connections with SSL |
Date: | 2023-10-26 21:59:42 |
Message-ID: | ZTrhTphM0BdKQGcY@momjian.us |
Lists: | pgsql-docs |
On Wed, Oct 25, 2023 at 03:44:04PM +0000, PG Doc comments form wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/16/ssl-tcp.html
> Description:
>
> There is no mention of key lengths on the manual page about SSL/TLS
> connections even though there are restrictions. It probably depends on the
> build which is why it's been omitted, but I think to help new people it
> would be great to have a Note box that covers key lengths restrictions. It
> came up on reddit today and while the following is in the error log..
>
> FATAL: could not load server certificate file
> "/etc/postgresql/16/main/server.crt": ee key too small
>
> It is amongst a chain of other messages and has a long line such that it
> could be missed as it's truncated (though it should still have been spotted
> of course). Regardless, I like the idea of all the things you need to do/be
> mindful of being in the manual. It could be something like..
>
> Note
> Some builds of PostgreSQL specify a minimum key length for certificates to
> enforce best practices. If the key you use does not meet or exceed this
> minimum length PostgreSQL will fail to start. It's common practice to
> require a key of at least length 2048.
I think this is based on the SSL/TLS library in use which is why we
don't mention it in our docs, e.g.:
https://stackoverflow.com/questions/61626206/what-could-cause-dh-key-too-small-error
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
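As an added illustration (not from the thread or the PostgreSQL project): a shell preflight that reports a server certificate's RSA key size against a locally chosen minimum, so the "ee key too small" refusal discussed above is caught before the server is restarted rather than found in a truncated log line. It assumes the `openssl` command-line tool is installed; the 2048-bit default and the two throwaway test certificates are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original thread. Checks that a PostgreSQL
# server certificate's public key is at least MIN_BITS long, which is the
# condition the TLS library enforces when it reports "ee key too small".
# Assumes the openssl CLI; MIN_BITS is a locally chosen policy value.

MIN_BITS="${MIN_BITS:-2048}"

# Print the public-key size in bits of the certificate given as $1.
# The sed pattern matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1.1)
# and "Public-Key: (N bit)" (OpenSSL 3.x).
cert_key_bits() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Return 0 if the key meets MIN_BITS, 1 if it is too small, 2 if unreadable.
check_server_cert() {
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "$1: could not read a public key from the certificate" >&2
        return 2
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "$1: key is $bits bits, below minimum $MIN_BITS (server would log 'ee key too small')" >&2
        return 1
    fi
    echo "$1: key is $bits bits, OK"
    return 0
}

# Constructed test material: self-signed certs with a small and an acceptable key.
make_test_cert() {  # $1 = RSA key bits, $2 = output certificate path
    openssl req -x509 -newkey rsa:"$1" -nodes -days 1 -subj "/CN=pgtest" \
        -keyout "${2%.crt}.key" -out "$2" >/dev/null 2>&1
}

TMP=$(mktemp -d)
make_test_cert 1024 "$TMP/small.crt"
make_test_cert 2048 "$TMP/ok.crt"
check_server_cert "$TMP/small.crt" || true   # reports the 1024-bit key as too small
check_server_cert "$TMP/ok.crt"              # passes at the 2048-bit default
```

Point `check_server_cert` at the path from your `ssl_cert_file` setting (for example `/etc/postgresql/16/main/server.crt` in the quoted log line) to run the same check against a real deployment.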