Re: Is it worth accepting multiple CRLs?

Kyotaro Horiguchi <horikyota.ntt@gmail.com>

From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
To: peter.eisentraut@enterprisedb.com
Cc: sfrost@snowman.net, pgsql-hackers@postgresql.org
Date: 2021-02-17T04:05:26Z
Lists: pgsql-hackers

Attachments

The commit fe61df7f82 shot down this.

This patch allows a new GUC ssl_crl_dir and a new libpq connection
option sslcrldir to specify CRL directory, which stores multiple files
that contains one CRL. With that method server loads only CRLs for the
CA of the certificate being validated.

Along with rebasing, the documentation is slightly reworded.

revocation list (CRL).  Certificates listed in this file, if it
         exists, will be rejected while attempting to authenticate the
-        server's certificate.  If both sslcrl and sslcrldir are not set,
-        this setting is assumed to be
+        server's certificate.  If neither sslcrl sslcrldir is set, this
+        setting is assumed to be
         <filename>~/.postgresql/root.crl</filename>. See

And added a line for the new variable in postgresql.conf.sample.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center

Commits

  1. Allow specifying CRL directory

  2. Introduce --with-ssl={openssl} as a configure option