cloudfoundry-community / postgres-boshrelease

A BOSH release for deploying PostgreSQL
MIT License

TLS Is Rockstar Tech #20

Open thomasmitchell opened 6 years ago

thomasmitchell commented 6 years ago

Forcing people to send database information unencrypted over the wire seems bad. Let's fix it.

First, terminate incoming client TLS at the pgpool layer. http://www.pgpool.net/docs/latest/en/html/runtime-ssl.html#RUNTIME-CONFIG-SSL-SETTINGS

ssl_key (string)
Specifies the path to the private key file to be used for incoming frontend connections. There is no default value for this option, and if left unset SSL will be disabled for incoming frontend connections.

This parameter can only be set at server start.

ssl_cert (string)
Specifies the path to the public x509 certificate file to be used for the incoming frontend connections. There is no default value for this option, and if left unset SSL will be disabled for incoming frontend connections.

This parameter can only be set at server start.

ssl_ca_cert (string)
Specifies the path to a PEM format CA certificate files, which can be used to verify the backend server certificates. This is analogous to the -CApath option of the OpenSSL verify(1) command.

This parameter can only be set at server start.

Also, make sure TLS between PGPool and the Postgres backends and between Postgres replication nodes is the thing.

Here's a thing I googled: https://evol-monkey.blogspot.com/2015/10/postgresql-94-streaming-replication.html

Also, TLS should be optional. Just because we think the user should definitely be using encryption doesn't mean that the boshrelease has to think it too.
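The request above (frontend TLS terminated at pgpool, but optional), as an added example that is not part of the issue or the release's own code: a Ruby/ERB sketch of how a job template could render the `ssl`, `ssl_key`, `ssl_cert` and `ssl_ca_cert` settings only when the operator opts in. The `tls` hash, its keys, the function name and the file paths are assumptions made for illustration.

```ruby
require 'erb'

# Hypothetical template for the TLS part of pgpool.conf. Only the parameter
# names (ssl, ssl_key, ssl_cert, ssl_ca_cert) are pgpool's; the tls hash and
# its keys are assumptions made for this example.
PGPOOL_TLS_TEMPLATE = <<~CONF
  <% if tls[:enabled] -%>
  ssl = on
  ssl_key = '<%= tls[:key_path] %>'
  ssl_cert = '<%= tls[:cert_path] %>'
  <% if tls[:ca_path] -%>
  ssl_ca_cert = '<%= tls[:ca_path] %>'
  <% end -%>
  <% else -%>
  ssl = off
  <% end -%>
CONF

# Render the TLS stanza. TLS stays optional, but when it is requested both
# the key and the certificate must be present: pgpool disables frontend SSL
# if either is left unset, so a half-configured deployment should fail at
# render time rather than quietly serve plaintext.
def render_pgpool_tls(tls)
  if tls[:enabled]
    missing = %i[key_path cert_path].select { |k| tls[k].to_s.empty? }
    unless missing.empty?
      raise ArgumentError, "TLS enabled but missing: #{missing.join(', ')}"
    end
  end
  ERB.new(PGPOOL_TLS_TEMPLATE, trim_mode: '-').result_with_hash(tls: tls)
end

# Constructed sample input; the paths are placeholders, not the release's own.
puts render_pgpool_tls(
  enabled: true,
  key_path: '/path/to/pgpool/server.key',
  cert_path: '/path/to/pgpool/server.crt',
  ca_path: '/path/to/pgpool/ca.crt'
)
```

This covers only the client-to-pgpool leg; the pgpool-to-backend and replication connections mentioned in the issue need their own settings.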

jhunt commented 4 years ago

@tpoland: poke-ity poke-poke