AnalyticDB for PostgreSQL V7.0 provides security enhancements for password encryption and SSL encryption.
Password encryption
The SCRAM-SHA-256 encryption method is added to provide higher security than MD5.
By default, MD5 encryption is used for AnalyticDB for PostgreSQL. To enable the SCRAM-SHA-256 encryption method, you can connect to a database and execute the following statement:
SET password_encryption to 'SCRAM-SHA-256';
Unencrypted users are not supported for AnalyticDB for PostgreSQL V7.0.
SSL encryption
The pg_stat_ssl view is added to query SSL connections. Execute the following statement:
SELECT * FROM pg_stat_ssl;
The following information is returned:
  pid   | ssl | version |           cipher            | bits | compression | client_dn | client_serial | issuer_dn
--------+-----+---------+-----------------------------+------+-------------+-----------+---------------+-----------
 508802 | f   |         |                             |      |             |           |               |
 508808 | f   |         |                             |      |             |           |               |
 508815 | f   |         |                             |      |             |           |               |
 509930 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | f           |           |               |
 508800 | f   |         |                             |      |             |           |               |
 508799 | f   |         |                             |      |             |           |               |
 508801 | f   |         |                             |      |             |           |               |
(7 rows)
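As an added example (not part of the AnalyticDB documentation), pg_stat_ssl can be joined to pg_stat_activity on pid to show which users and client addresses connect without SSL or over an old TLS version. The finding labels and thresholds are assumptions chosen for illustration, and the query assumes pg_stat_activity exposes the same columns as in stock PostgreSQL.

```sql
-- Added example: audit the TLS state of current client sessions.
-- pg_stat_ssl has one row per backend; pg_stat_activity tells us who owns it.
-- Assumption: pg_stat_activity has the stock PostgreSQL columns used below.
WITH sessions AS (
    SELECT a.pid,
           a.usename,
           a.datname,
           a.client_addr,
           a.application_name,
           s.version AS tls_version,
           s.cipher,
           s.bits,
           CASE
               WHEN NOT s.ssl                         THEN 'PLAINTEXT'    -- no TLS at all
               WHEN s.version IN ('TLSv1', 'TLSv1.1') THEN 'LEGACY_TLS'   -- deprecated protocol versions
               WHEN s.bits < 128                      THEN 'WEAK_CIPHER'  -- illustrative threshold
               ELSE 'OK'
           END AS finding
    FROM pg_stat_ssl AS s
    JOIN pg_stat_activity AS a ON a.pid = s.pid
    -- Keep TCP client sessions only: background processes and
    -- Unix-socket connections have a NULL client_addr.
    WHERE a.client_addr IS NOT NULL
)
SELECT *
FROM sessions
ORDER BY (finding = 'OK'),   -- false sorts first, so problem sessions lead
         usename,
         client_addr;
```

Rows with a finding other than OK identify the accounts and client addresses whose connection settings still need to be changed before non-SSL connections can be refused.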
The ssl_extension_info() function is added to the contrib/sslinfo module. The ssl_extension_info() function is used to display the information of the SSL extension that exists in the X509 certificate used by the current connection. Examples:
Enable the sslinfo module.
CREATE EXTENSION sslinfo;
Display the information of the SSL extension that exists in the X509 certificate used by the current connection.
SELECT ssl_extension_info();
SSL configuration can be updated when the server configuration is reloaded.
SSL encryption can be reconfigured without restarting the server by using pg_ctl reload, executing SELECT pg_reload_conf(), or sending SIGHUP signals.
Important: If the SSL key of the server needs a password, the SSL reconfiguration fails.