Diffstat (limited to 'contrib/sslinfo/README.sslinfo')
-rw-r--r-- | contrib/sslinfo/README.sslinfo | 120 |
1 files changed, 0 insertions, 120 deletions
diff --git a/contrib/sslinfo/README.sslinfo b/contrib/sslinfo/README.sslinfo deleted file mode 100644 index 5ce13f54f5c..00000000000 --- a/contrib/sslinfo/README.sslinfo +++ /dev/null 
@@ -1,120 +0,0 @@ -sslinfo - information about current SSL certificate for PostgreSQL -================================================================== -Author: Victor Wagner <vitus@cryptocom.ru>, Cryptocom LTD -E-Mail of Cryptocom OpenSSL development group: <openssl@cryptocom.ru> - - -1. Notes --------- -This extension won't build unless your PostgreSQL server is configured -with --with-openssl. Information provided with these functions would -be completely useless if you don't use SSL to connect to database. - - -2. Functions Description ------------------------- - -2.1. ssl_is_used() -~~~~~~~~~~~~~~~~~~ - - ssl_is_used() RETURNS boolean; - -Returns TRUE, if current connection to server uses SSL and FALSE -otherwise. - -2.2. ssl_client_cert_present() -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - ssl_client_cert_present() RETURNS boolean - -Returns TRUE if current client have presented valid SSL client -certificate to the server and FALSE otherwise (e.g., no SSL, -certificate hadn't be requested by server). - -2.3. ssl_client_serial() -~~~~~~~~~~~~~~~~~~~~~~~~ - - ssl_client_serial() RETURNS numeric - -Returns serial number of current client certificate. The combination -of certificate serial number and certificate issuer is guaranteed to -uniquely identify certificate (but not its owner -- the owner ought to -regularily change his keys, and get new certificates from the issuer). - -So, if you run you own CA and allow only certificates from this CA to -be accepted by server, the serial number is the most reliable (albeit -not very mnemonic) means to indentify user. - -2.4. ssl_client_dn() -~~~~~~~~~~~~~~~~~~~~ - - ssl_client_dn() RETURNS text - -Returns the full subject of current client certificate, converting -character data into the current database encoding. It is assumed that -if you use non-Latin characters in the certificate names, your -database is able to represent these characters, too. 
If your database -uses the SQL_ASCII encoding, non-Latin characters in the name will be -represented as UTF-8 sequences. - -The result looks like '/CN=Somebody /C=Some country/O=Some organization'. - -2.5. ssl_issuer_dn() -~~~~~~~~~~~~~~~~~~~~ - -Returns the full issuer name of the client certificate, converting -character data into current database encoding. - -The combination of the return value of this function with the -certificate serial number uniquely identifies the certificate. - -The result of this function is really useful only if you have more -than one trusted CA certificate in your server's root.crt file, or if -this CA has issued some intermediate certificate authority -certificates. - -2.6. ssl_client_dn_field() -~~~~~~~~~~~~~~~~~~~~~~~~~~ - - ssl_client_dn_field(fieldName text) RETURNS text - -This function returns the value of the specified field in the -certificate subject. Field names are string constants that are -converted into ASN1 object identificators using the OpenSSL object -database. The following values are acceptable: - - commonName (alias CN) - surname (alias SN) - name - givenName (alias GN) - countryName (alias C) - localityName (alias L) - stateOrProvinceName (alias ST) - organizationName (alias O) - organizationUnitName (alias OU) - title - description - initials - postalCode - streetAddress - generationQualifier - description - dnQualifier - x500UniqueIdentifier - pseudonim - role - emailAddress - -All of these fields are optional, except commonName. It depends -entirely on your CA policy which of them would be included and which -wouldn't. The meaning of these fields, howeer, is strictly defined by -the X.500 and X.509 standards, so you cannot just assign arbitrary -meaning to them. - -2.7 ssl_issuer_field() -~~~~~~~~~~~~~~~~~~~ - - ssl_issuer_field(fieldName text) RETURNS text; - -Does same as ssl_client_dn_field, but for the certificate issuer -rather than the certificate subject. |
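Review bot: Sections 2.3 and 2.5 of the deleted text carry guidance that should not disappear with this file: that serial number plus issuer identifies a certificate but not its owner, and that ssl_issuer_dn() matters when root.crt trusts more than one CA or intermediates exist. The visible diff shows 120 deletions and no insertions for this path, so please confirm the replacement documentation keeps both points. If the text is being migrated rather than dropped, fix it in the new location instead of copying it verbatim: the 2.6 field list has "description" twice, "pseudonim" and "organizationUnitName" should be checked against the OpenSSL object names, 2.5 has no signature line for ssl_issuer_dn(), the 2.7 heading names ssl_issuer_field() without the trailing period and with a short underline, and there are typos ("regularily", "indentify", "howeer", "run you own CA").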