Re: Is it worth accepting multiple CRLs?
Kyotaro Horiguchi <horikyota.ntt@gmail.com>
From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
To: peter.eisentraut@enterprisedb.com
Cc: sfrost@snowman.net, pgsql-hackers@postgresql.org
Date: 2021-02-17T04:05:26Z
Lists: pgsql-hackers
Attachments
- v5-0001-Allow-to-specify-CRL-directory.patch (text/x-patch)
The commit fe61df7f82 shot down this.
This patch allows a new GUC ssl_crl_dir and a new libpq connection
option sslcrldir to specify CRL directory, which stores multiple files
that contains one CRL. With that method server loads only CRLs for the
CA of the certificate being validated.
Along with rebasing, the documentation is slightly reworded.
revocation list (CRL). Certificates listed in this file, if it
exists, will be rejected while attempting to authenticate the
- server's certificate. If both sslcrl and sslcrldir are not set,
- this setting is assumed to be
+ server's certificate. If neither sslcrl sslcrldir is set, this
+ setting is assumed to be
<filename>~/.postgresql/root.crl</filename>. See
And added a line for the new variable in postgresql.conf.sample.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
Commits
-
Allow specifying CRL directory
- f5465fade908 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 cited