Re: Is it worth accepting multiple CRLs?

Kyotaro Horiguchi <horikyota.ntt@gmail.com>

From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
To: hbhotz@oxy.edu
Cc: pgsql-hackers@postgresql.org
Date: 2020-08-03T07:19:37Z
Lists: pgsql-hackers
At Fri, 31 Jul 2020 05:53:53 -0700, Henry B Hotz <hbhotz@oxy.edu> wrote in 
> A CA may issue a CRL infrequently, but issue a delta-CRL frequently. Does the logic support this properly?

If you are talking about regsitering new revokations while server is
running, it checks newer CRLs upon each lookup according to the
documentation [1], so a new Delta-CRL can be added after server
start. If server restart is allowed, the CRL file specified by
ssl_crl_file can contain multiple CRLs by just concatenation.

[1]: https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_hash_dir.html

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center



Commits

  1. Allow specifying CRL directory

  2. Introduce --with-ssl={openssl} as a configure option