Re: Is it worth accepting multiple CRLs?
Kyotaro Horiguchi <horikyota.ntt@gmail.com>
From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
To: hbhotz@oxy.edu
Cc: pgsql-hackers@postgresql.org
Date: 2020-08-03T07:19:37Z
Lists: pgsql-hackers
At Fri, 31 Jul 2020 05:53:53 -0700, Henry B Hotz <hbhotz@oxy.edu> wrote in > A CA may issue a CRL infrequently, but issue a delta-CRL frequently. Does the logic support this properly? If you are talking about regsitering new revokations while server is running, it checks newer CRLs upon each lookup according to the documentation [1], so a new Delta-CRL can be added after server start. If server restart is allowed, the CRL file specified by ssl_crl_file can contain multiple CRLs by just concatenation. [1]: https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_hash_dir.html regards. -- Kyotaro Horiguchi NTT Open Source Software Center
Commits
-
Allow specifying CRL directory
- f5465fade908 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 cited