Re: ssl_crl_file Certificate Revocation List doesn't work for postgresql 11
Kyotaro Horiguchi <horikyota.ntt@gmail.com>
From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
To: yinan81@gmail.com
Cc: pgsql-general@postgresql.org
Date: 2021-12-02T00:28:48Z
Lists: pgsql-general
At Wed, 1 Dec 2021 16:56:11 +0800, Yi Sun <yinan81@gmail.com> wrote in > We want to revoke server certificate, just don't know why doesn't take > affect > https://www.postgresql.org/docs/11/ssl-tcp.html > https://www.postgresql.org/docs/11/runtime-config-connection.html#GUC-SSL-CRL-FILE Understood. ~/.postgresq/root.crl is required to check server revokation. https://www.postgresql.org/docs/11/libpq-ssl.html > To allow server certificate verification, one or more root > certificates must be placed in the file ~/.postgresql/root.crt in the > user's home directory. (On Microsoft Windows the file is named > %APPDATA%\postgresql\root.crt.) Intermediate certificates should also > be added to the file if they are needed to link the certificate chain > sent by the server to the root certificates stored on the client. > > Certificate Revocation List (CRL) entries are also checked if the file > ~/.postgresql/root.crl exists (%APPDATA%\postgresql\root.crl on > Microsoft Windows). regards. -- Kyotaro Horiguchi NTT Open Source Software Center
Commits
-
Doc: Fix misleading wording of CRL parameters
- fadac33bb8de 15.0 landed
- e2ebc90eb809 13.6 landed
- b6360aa46ce9 14.2 landed
- 7d0229e89f4f 10.20 landed
- 7b0643c77b46 11.15 landed
- 386d97781d17 12.10 landed