19.9. Secure TCP/IP Connections with SSL

On Wed, Oct 25, 2023 at 03:44:04PM +0000, PG Doc comments form wrote:

The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/16/ssl-tcp.html
Description:

There is no mention of key lengths on the manual page about SSL/TLS
connections even though there are restrictions. It probably depends on the
build which is why it's been omitted, but I think to help new people it
would be great to have a Note box that covers key lengths restrictions. It
came up on reddit today and while the following is in the error log..

FATAL: could not load server certificate file
"/etc/postgresql/16/main/server.crt": ee key too small

It is amongst a chain of other messages and has a long line such that it
could be missed as it's truncated (though it should still have been spotted
of course). Regardless, I like the idea of all the things you need to do/be
mindful of being in the manual. It could be something like..

Note
Some builds of PostgreSQL specify a minimum key length for certificates to
enforce best-practices. If the key you use is does not meet or exceed this
minimum length PostgreSQL will fail to start. It's common practice to
require a key of at least length 2048.

I think this is based on the SSL/TLS library in use which is why we
don't mention it in our docs, e.g.:

https://stackoverflow.com/questions/61626206/what-could-cause-dh-key-too-small-error

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com

Only you can decide what is important to you.