# SSL communication settings for connecting EAInfoport and PostgreSQL database

### Question

[![image-1715936143328.png](https://doc.eainfoport.cz/uploads/images/gallery/2024-05/scaled-1680-/image-1715936143328.png)](https://doc.eainfoport.cz/uploads/images/gallery/2024-05/image-1715936143328.png)

How to set up SSL communication for connecting EAInfoport and PostgreSQL database?

### Answer

The following procedure is verified on a PostgreSQL 13 and Infoport 8.7.x installation.

A detailed description of the database setup is provided in the current PostgreSQL documentation at [https://www.postgresql.org/docs/current/ssl-tcp.html](https://www.postgresql.org/docs/current/ssl-tcp.html), which we recommend studying carefully. In addition, [https://methoddev.com/blog/postgresql-windows-encrypted-connection-ssl](https://methoddev.com/blog/postgresql-windows-encrypted-connection-ssl) provides a step-by-step procedure for configuring the database in practice.

To verify that the communication is secure, it is advisable to use the following SQL query that can be run on the database:

```sql
SELECT application_name, datname, usename, ssl, client_addr
FROM pg_stat_ssl
INNER JOIN pg_stat_activity ON pg_stat_ssl.pid = pg_stat_activity.pid;
```

The result shows whether each session (a specific application connection, e.g. EAInfoport) is secured by SSL. It is recommended to check this both before making any changes to the settings and after they are completed.

EAInfoport settings are currently made in the appsettings.json configuration file (later they will be part of Configuration Manager). Here you need to extend the value of "InfoportConnection_Npgsql" with ";ApplicationName=Infoport;SSL Mode=VerifyCA". This setting means that EAInfoport will require an SSL connection to the database and will check that the server presents a certificate issued by a trusted certificate authority.

***Note:*** if the db server is set to require SSL (= reject connections without SSL) but the connection string of EAInfoport is set to ";SSL Mode=Disable", the EAInfoport log will show a message like `28000: pg_hba.conf rejects connection for host "x.x.x", user "xx", database "xx", SSL off`.

- - - - - -

EAInfoport version 7.x has not been developed or tested for SSL connections, but the following can be tested:

Since version 6 (.NET, not the database), the parameter values for SSL have changed (see also Security and Encryption | Npgsql Documentation).

Npgsql v6.0+:

Disable  
Allow  
Prefer (default)  
Require  
VerifyCA  
VerifyFull

Npgsql pre-v6.0:

Disable (default)  
Prefer  
Require

For .NET version 2 (= for EAInfoport 7.x), you can try ";SSL Mode=Prefer" as a parameter, or additionally declare the server certificate trusted, i.e. ";SSL Mode=Prefer;Trust Server Certificate=true".

The last option is to replace Prefer with Require.
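
A small checker for the appsettings.json setting and the SSL Mode lists described above, added here as an illustration (it is not EAInfoport or Npgsql code): it locates "InfoportConnection_Npgsql" in a parsed appsettings.json and reports the effective SSL Mode together with any options that weaken the connection. The sample JSON, its "ConnectionStrings" nesting, the host and database names, and the function names are assumptions.

```python
import json

# SSL Mode values and defaults per Npgsql generation, as listed on this page.
MODES = {
    "v6+": (["Disable", "Allow", "Prefer", "Require", "VerifyCA", "VerifyFull"], "Prefer"),
    "pre-v6": (["Disable", "Prefer", "Require"], "Disable"),
}
OPTIONAL_TLS = {"Disable", "Allow", "Prefer"}  # session may end up unencrypted

# Constructed sample; the nesting under "ConnectionStrings" is an assumption.
SAMPLE = json.loads("""{"ConnectionStrings": {"InfoportConnection_Npgsql":
  "Host=db.example.internal;Database=infoport;ApplicationName=Infoport;SSL Mode=Prefer"}}""")

def find_conn_string(node, key="InfoportConnection_Npgsql"):
    """Search the parsed appsettings.json for the key at any nesting depth."""
    if isinstance(node, dict):
        if isinstance(node.get(key), str):
            return node[key]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_conn_string(child, key)
            if found is not None:
                return found
    return None

def audit(conn_string, generation="v6+"):
    """Return (effective SSL mode, findings) for one connection string."""
    allowed, default = MODES[generation]
    params = {}
    for part in conn_string.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Normalise case and spaces so "SSL Mode" and "ssl mode" match.
            params[name.replace(" ", "").lower()] = value.strip()
    raw = params.get("sslmode", default)
    mode = next((m for m in allowed if m.lower() == raw.lower()), None)
    if mode is None:
        return raw, [f"'{raw}' is not an SSL Mode of Npgsql {generation}"]
    findings = []
    if "sslmode" not in params:
        findings.append(f"SSL Mode not set, default '{default}' applies")
    if mode in OPTIONAL_TLS:
        findings.append(f"'{mode}' does not guarantee an encrypted session")
    if params.get("trustservercertificate", "").lower() == "true":
        findings.append("Trust Server Certificate=true skips certificate validation")
    return mode, findings

if __name__ == "__main__":
    print(audit(find_conn_string(SAMPLE)))
```

An empty findings list only describes the client side; the `pg_stat_ssl` query remains the check that a given session is actually encrypted.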