User guide
Amazon Redshift supports the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key agreement protocol.
With ECDHE, the client and server each have an elliptic curve public-private key pair that is used to
establish a shared secret over an insecure channel. You do not need to configure anything in Amazon
Redshift to enable ECDHE; if you connect from a SQL client tool that uses ECDHE to encrypt
communication between the client and server, Amazon Redshift uses the provided cipher list to make
the appropriate connection. For more information, see Elliptic Curve Diffie-Hellman on Wikipedia and
Ciphers on the OpenSSL website.
Using SSL and Server Certificates in ODBC
ODBC DSNs contain an sslmode setting that determines how to handle encryption for client connections
and server certificate verification. Amazon Redshift supports the following sslmode values from the client
connection:
• disable
SSL is disabled and the connection is not encrypted.
• allow
SSL is used if the server requires it.
• prefer
SSL is used if the server supports it. Amazon Redshift supports SSL, so SSL is used when you set
sslmode to prefer.
• require
SSL is required.
• verify-ca
SSL must be used and the server certificate must be verified.
Amazon Redshift does not support verify-full. For more information about sslmode options, see
SSL Support in the PostgreSQL documentation.
To determine whether SSL is used and server certificates are verified in a connection between the client
and the server, you need to review the sslmode setting for your ODBC DSN on the client and the
require_SSL setting for the Amazon Redshift cluster on the server. The following table describes the
encryption result for the various client and server setting combinations:
sslmode (client)     require_SSL (server)   Result
disable              false                  The connection is not encrypted.
disable              true                   The connection cannot be made because the server requires SSL
                                            and the client has SSL disabled for the connection.
allow                true                   The connection is encrypted.
allow                false                  The connection is not encrypted.
prefer or require    true                   The connection is encrypted.
prefer or require    false                  The connection is encrypted.
verify-ca            true                   The connection is encrypted and the server certificate is verified.
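The following is an added example, not code from the guide or from Amazon: it encodes the client/server combinations in the table above as a function and uses it to audit the sslmode entries of a constructed odbc.ini, reporting which DSNs would connect unencrypted or without certificate verification for a cluster with a given require_SSL setting (the DSN names and file contents are made up for the example).

```python
import configparser

# Constructed sample odbc.ini (not from the guide): three Amazon Redshift DSNs.
SAMPLE_ODBC_INI = """
[prod-redshift]
sslmode=verify-ca

[analytics]
sslmode=prefer

[legacy]
sslmode=disable
"""

def outcome(sslmode, require_ssl):
    """Return (connects, encrypted, cert_verified) per the guide's table."""
    mode = sslmode.strip().lower()
    if mode == "disable":  # refused when the server insists on SSL
        return (not require_ssl, False, False)
    if mode == "allow":  # SSL only if the server requires it
        return (True, require_ssl, False)
    if mode in ("prefer", "require"):
        return (True, True, False)
    if mode == "verify-ca":  # the only mode that checks the server certificate
        return (True, True, True)
    # verify-full and anything else is not supported by Amazon Redshift
    raise ValueError(f"unsupported sslmode: {sslmode}")

def audit_dsns(ini_text, require_ssl):
    """List, per DSN, what a connection to a cluster with this require_SSL lacks."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    findings = {}
    for dsn in cp.sections():
        # configparser lower-cases keys, so SSLMode and sslmode both match
        mode = cp.get(dsn, "sslmode", fallback="<missing>")
        try:
            connects, encrypted, verified = outcome(mode, require_ssl)
        except ValueError as exc:
            findings[dsn] = [str(exc)]
            continue
        issues = []
        if not connects:
            issues.append("connection refused: server requires SSL")
        elif not encrypted:
            issues.append("connection is not encrypted")
        if connects and not verified:
            issues.append("server certificate is not verified")
        findings[dsn] = issues
    return findings
```

Running audit_dsns(SAMPLE_ODBC_INI, False) reports the prefer DSN as unverified and the disable DSN as unencrypted; with require_SSL true the disable DSN is reported as refused instead.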
API Version 2012-12-01
159
Amazon Redshift Management Guide
Configuring Connections in Amazon Redshift