AnalyticDB: Password and SSL security enhancements

Last Updated: Mar 30, 2026

AnalyticDB for PostgreSQL V7.0 adds two security enhancements: stronger password encryption with SCRAM-SHA-256 and expanded SSL management capabilities.

Password encryption

V7.0 adds support for SCRAM-SHA-256, a challenge-response authentication method defined in RFC 7677. Unlike MD5, SCRAM-SHA-256 prevents password sniffing on untrusted connections and stores passwords in a cryptographically hashed form on the server.

MD5 is still the default encryption method. To switch to SCRAM-SHA-256, connect to the database and run:

SET password_encryption TO 'SCRAM-SHA-256';

Important

AnalyticDB for PostgreSQL V7.0 does not support users without password encryption.
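
The following added example (not part of the AnalyticDB documentation) carries out the SCRAM-SHA-256 computations from RFC 5802/7677 in Python, to show what the server stores and what actually crosses the connection. The user name, password, salt and nonces are constructed, the verifier string layout is that of upstream PostgreSQL and is assumed to apply here, and SASLprep normalization is skipped (ASCII passwords only).

```python
import base64, hashlib, hmac

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _salted(password: str, salt: bytes, iterations: int) -> bytes:
    # SaltedPassword = Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA-256
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Server-side record: StoredKey and ServerKey, never the password."""
    sp = _salted(password, salt, iterations)
    stored_key = hashlib.sha256(_hmac(sp, b"Client Key")).digest()
    server_key = _hmac(sp, b"Server Key")
    b64 = lambda raw: base64.b64encode(raw).decode()
    return (f"SCRAM-SHA-256${iterations}:{b64(salt)}"
            f"${b64(stored_key)}:{b64(server_key)}")

def auth_message(user, c_nonce, s_nonce, salt, iterations) -> bytes:
    """client-first-bare, server-first, client-final-without-proof."""
    nonce, s = c_nonce + s_nonce, base64.b64encode(salt).decode()
    # c=biws is base64("n,,"): no channel binding in this sketch
    return (f"n={user},r={c_nonce},r={nonce},s={s},i={iterations},"
            f"c=biws,r={nonce}").encode()

def client_proof(password, salt, iterations, auth_msg: bytes) -> bytes:
    """Sent on the wire: ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = _hmac(_salted(password, salt, iterations), b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, _hmac(stored_key, auth_msg))

def server_verify(verifier: str, auth_msg: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof; accept if H(ClientKey) == StoredKey."""
    stored_key = base64.b64decode(verifier.split("$")[2].split(":")[0])
    client_key = _xor(proof, _hmac(stored_key, auth_msg))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

if __name__ == "__main__":
    salt = bytes(range(16))                      # constructed sample salt
    verifier = make_verifier("s3cret-pw", salt)  # constructed sample password
    msg = auth_message("alice", "cNonce1", "sNonce1", salt, 4096)
    proof = client_proof("s3cret-pw", salt, 4096, msg)
    print(verifier)
    print("login ok:", server_verify(verifier, msg, proof))
    replay = auth_message("alice", "cNonce2", "sNonce2", salt, 4096)
    print("replayed proof ok:", server_verify(verifier, replay, proof))
```

Because the proof is bound to the nonces of one exchange, a proof captured from one session does not verify in another.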

SSL encryption

V7.0 adds three SSL enhancements: a system view for monitoring SSL connections, a function for inspecting X.509 certificate extensions, and support for reloading SSL configuration without restarting the server.

Query SSL connection status

The pg_stat_ssl view returns one row per backend process, showing whether SSL is active and, if so, the TLS version and cipher in use.

SELECT * FROM pg_stat_ssl;

Example output:

   pid   | ssl | version |           cipher            | bits | compression | client_dn | client_serial | issuer_dn
---------+-----+---------+-----------------------------+------+-------------+-----------+---------------+-----------
  508802 | f   |         |                             |      |             |           |               |
  508808 | f   |         |                             |      |             |           |               |
  508815 | f   |         |                             |      |             |           |               |
  509930 | t   | TLSv1.2 | ECDHE-RSA-AES256-GCM-SHA384 |  256 | f           |           |               |
  508800 | f   |         |                             |      |             |           |               |
  508799 | f   |         |                             |      |             |           |               |
  508801 | f   |         |                             |      |             |           |               |
(7 rows)

The ssl column shows t (SSL active) or f (not active). Rows with ssl = t include the TLS version, cipher, and key size in bits.

Inspect X.509 certificate extensions

The ssl_extension_info() function, added to the contrib/sslinfo module, displays the SSL extensions present in the X.509 certificate used by the current connection.

To use this function:

  1. Enable the sslinfo extension:

    CREATE EXTENSION sslinfo;

  2. Query the SSL extensions for the current connection:

    SELECT ssl_extension_info();

Reload SSL configuration without restarting

SSL configuration can now be applied without restarting the server. Use any of the following methods:

  • Run pg_ctl reload from the command line.

  • Run SELECT pg_reload_conf(); from a database session.

  • Send a SIGHUP signal to the server process.

If a reload error occurs, the server continues using the previous SSL configuration — the service is not interrupted.

Important

If the server's SSL key is protected by a passphrase, SSL reconfiguration fails.