Re: Is it worth accepting multiple CRLs?
Kyotaro Horiguchi <horikyota.ntt@gmail.com>
From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
To: peter.eisentraut@enterprisedb.com
Cc: sfrost@snowman.net, pgsql-hackers@postgresql.org
Date: 2021-02-18T08:06:25Z
Lists: pgsql-hackers
Thanks for committing this! At Thu, 18 Feb 2021 08:24:23 +0100, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote in > On 2021-02-17 05:05, Kyotaro Horiguchi wrote: > > The commit fe61df7f82 shot down this. > > This patch allows a new GUC ssl_crl_dir and a new libpq connection > > option sslcrldir to specify CRL directory, which stores multiple files > > that contains one CRL. With that method server loads only CRLs for the > > CA of the certificate being validated. > > Along with rebasing, the documentation is slightly reworded. > > Committed this. > > I changed the documentation a bit. Instead of having a separate > section describing the CRL options, I put that information directly > into the libpq and GUC sections. Some of the information, such as > that the directory files are loaded on demand, isn't so obviously > useful in the libpq case, so I found that a bit confusing. Also, I Agreed. > got the impression that the hashed directory format is sort of > internal to OpenSSL, and there are several versions of that format, so > I didn't want to copy over the description of these internals. > Instead, I referred to the openssl rehash/c_rehash commands for > information. If we get support for non-OpenSSL providers, we'll > probably have to revisit this. Thanks. I'm fine with that, either. regards. -- Kyotaro Horiguchi NTT Open Source Software Center
Commits
-
Allow specifying CRL directory
- f5465fade908 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 cited