Re: Is it worth accepting multiple CRLs?

Kyotaro Horiguchi <horikyota.ntt@gmail.com>

From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
To: peter.eisentraut@enterprisedb.com
Cc: sfrost@snowman.net, pgsql-hackers@postgresql.org
Date: 2021-01-19T08:32:00Z
Lists: pgsql-hackers

Attachments

At Tue, 19 Jan 2021 09:17:34 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in 
> By the way we can do the same thing on CA file/dir, but I personally
> think that the benefit from the specify-by-directory for CA files is
> far less than CRL files. So I'm not going to do this for CA files for
> now.

This is it. A new guc ssl_crl_dir and connection option crldir are
added.

One problem raised upthread is the footprint for test is quite large
because all certificate and key files are replaced by this patch. I
think we can shrink the footprint by generating that files on-demand
but that needs openssl frontend to be installed on the development
environment.

If we agree that requirement, I'm going to go that direction.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center

Commits

  1. Allow specifying CRL directory

  2. Introduce --with-ssl={openssl} as a configure option