From: Daniel Gustafsson Date: Thu, 16 Apr 2026 09:18:57 +0000 (+0200) Subject: doc: Add missing GUCs to SSL SNI docs X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=4abcdc1bbebfaeffc072296711e8a2af8d7d7cdf;p=thirdparty%2Fpostgresql.git doc: Add missing GUCs to SSL SNI docs The ssl_sni and hosts_file GUCs were missing from the configuration section of the documentation, they were only described in the main SSL SNI subsection. This adds the GUCs to the relevant sections as well as rewords the existing SSL SNI documentation to refer to the settings along with a few smaller fixups. Author: Daniel Gustafsson Reported-by: Fujii Masao Reviewed-by: Fujii Masao Discussion: https://postgr.es/m/CAHGQGwESD2Pty+J1kP3mXmWwMKZ5uJmknZdJsSGrMSRR6CQBmw@mail.gmail.com --- diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 009295f20e9..67da9a1de66 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -507,9 +507,10 @@ include_dir 'conf.d' In addition to the postgresql.conf file already mentioned, PostgreSQL uses - two other manually-edited configuration files, which control + three other manually-edited configuration files, which control client authentication (their use is discussed in ). By default, all three + linkend="client-authentication"/>) and SSL host configuration. + By default, all four configuration files are stored in the database cluster's data directory. The parameters described in this section allow the configuration files to be placed elsewhere. (Doing so can ease @@ -579,6 +580,22 @@ include_dir 'conf.d' + + hosts_file (string) + + hosts_file configuration parameter + + + + + Specifies the configuration file for host-based SSL configuration + (customarily called pg_hosts.conf). + This parameter can only be set at server start. See also + . + + + + external_pid_file (string) 
@@ -620,10 +637,11 @@ include_dir 'conf.d' If you wish, you can specify the configuration file names and locations individually using the parameters config_file, - hba_file and/or ident_file. + hba_file, ident_file and/or + hosts_file. config_file can only be specified on the postgres command line, but the others can be - set within the main configuration file. If all three parameters plus + set within the main configuration file. If all four parameters plus data_directory are explicitly set, then it is not necessary to specify or PGDATA. @@ -1734,6 +1752,25 @@ include_dir 'conf.d' + + + ssl_sni (boolean) + + ssl_sni configuration parameter + + + + + Enables SNI configuration for SSL connections. When set to on + host configuration from is used, see + for more details. + + + This parameter can only be set in the postgresql.conf + file or on the server command line. The default is off. + + + diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 8576ae325d4..b01e74638c4 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml 
@@ -2602,18 +2602,16 @@ openssl x509 -req -in server.csr -text -days 365 \ PostgreSQL can be configured for Server Name - Indication, SNI, using the pg_hosts.conf - configuration file. PostgreSQL inspects the TLS - hostname extension in the SSL connection handshake, and selects the right - TLS certificate, key and CA certificate to use for the connection based on - entries in the configuration file pg_hosts.conf. + Indication, SNI, using the + configuration parameter. PostgreSQL inspects the + TLS hostname extension in the SSL connection handshake, and selects the + right certificate, key and CA certificate to use for the connection based + on entries in the configuration file. - SNI configuration is defined in the hosts configuration file, - pg_hosts.conf, which is stored in the cluster's - data directory. The hosts configuration file contains lines of these - general forms: + The configuration file contains lines of + these general forms: hostname SSL_certificate SSL_key SSL_CA_certificate SSL_passphrase_cmd SSL_passphrase_cmd_reload include file @@ -2622,8 +2620,9 @@ openssl x509 -req -in server.csr -text -days 365 \ Comments, whitespace, line continuations, and inclusion directives are handled in the same way as - in pg_hba.conf. hostname - is matched against the hostname TLS extension in the SSL handshake. + in . hostname + is matched case-insensitively against the hostname TLS + extension in the SSL handshake. SSL_certificate, SSL_key, SSL_CA_certificate, @@ -2655,7 +2654,7 @@ openssl x509 -req -in server.csr -text -days 365 \ Host Entry - sslsni + Hostname extension Description @@ -2695,9 +2694,9 @@ openssl x509 -req -in server.csr -text -days 365 \ - If pg_hosts.conf is empty or missing, then the SSL + If is empty or missing, then the SSL configuration in postgresql.conf will be used for all - connections. If pg_hosts.conf is non-empty then it + connections. If is non-empty then it will take precedence over certificate and key settings in postgresql.conf. 
@@ -2705,7 +2704,7 @@ openssl x509 -req -in server.csr -text -days 365 \ It is currently not possible to set different clientname values for the different certificates. Any clientname - setting in pg_hba.conf will be applied during + setting in will be applied during authentication regardless of which set of certificates have been loaded via an SNI enabled connection.
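Review bot: In the config.sgml hunk at @@ -507, the rewritten sentence now reads as if all three extra files "control client authentication", because "and SSL host configuration" is tacked on after the parenthetical. Suggest "three other manually-edited configuration files: two control client authentication (their use is discussed in ...) and one controls host-based SSL configuration." The new hosts_file entry in the same hunk mirrors the hba_file wording, which is good, but it does not say that the file is only consulted when ssl_sni is on; a "See also" to the ssl_sni parameter would save readers from setting hosts_file and wondering why nothing changes.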
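Review bot: In the ssl_sni entry at @@ -1734 in config.sgml, "When set to on host configuration from ... is used" needs a comma after "on", and "Enables SNI configuration for SSL connections" is vague about what actually happens. Suggest: "Selects the server certificate, key and CA certificate per connection based on the host name the client sends in the TLS Server Name Indication extension. When set to on, the host configuration from hosts_file is used; see ... for details." Since hosts_file can only be set at server start while ssl_sni can be changed at reload, it would also help to state whether toggling ssl_sni at reload re-reads the hosts file or only enables the already loaded entries.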
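Review bot: In the runtime.sgml hunk at @@ -2602, the removed text was the only place in this section that named the file ("pg_hosts.conf") and its default location (the data directory); after the change the paragraph just says "the configuration file" and relies on the xref. Consider keeping a parenthetical such as "(by default pg_hosts.conf in the cluster's data directory, see hosts_file)" so the section still reads on its own.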
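Review bot: At @@ -2622 in runtime.sgml, "matched case-insensitively" is a new behavioural claim introduced by a documentation-only commit; please confirm the comparison in the SNI callback really is case-insensitive, otherwise docs and code diverge. Case-insensitive matching is the right behaviour for a DNS name carried in the server_name extension, and it is worth stating so that an operator who writes "DB.Example.COM" in the hosts file knows it will match "db.example.com".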
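Review bot: The precedence paragraph at @@ -2695 in runtime.sgml never mentions ssl_sni, so as written a non-empty hosts_file "will take precedence" regardless of the setting, which contradicts the ssl_sni entry added in config.sgml ("When set to on host configuration from hosts_file is used"). Suggest "If ssl_sni is off, or hosts_file is empty or missing, then the SSL configuration in postgresql.conf will be used for all connections. If ssl_sni is on and hosts_file is non-empty, then it will take precedence ...". The "or missing" case also deserves a sentence: hba_file and ident_file pointing at a missing file is a startup error, so if a missing hosts file is silently ignored here, a typo in hosts_file quietly serves the postgresql.conf certificate to every client, and the docs should say so explicitly. A comma is missing after "non-empty".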
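Review bot: At @@ -2705 in runtime.sgml, the unchanged context around the new hba_file xref has "which set of certificates have been loaded via an SNI enabled connection"; since the hunk already touches this sentence, it could take "has been loaded" (the subject is "set") and "SNI-enabled" in the same commit.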