Re: ssl_crl_file Certificate Revocation List doesn't work for postgresql 11
Yi Sun <yinan81@gmail.com>
From: Yi Sun <yinan81@gmail.com>
To: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Cc: pgsql-general@postgresql.org
Date: 2021-12-03T07:41:51Z
Lists: pgsql-general
Hi Kyotaro, Thank you for your explanation, after putting the crl file to client, it works now, thanks. Kyotaro Horiguchi <horikyota.ntt@gmail.com> 于2021年12月2日周四 下午12:46写道: > Hi. > > At Thu, 2 Dec 2021 11:31:26 +0800, Yi Sun <yinan81@gmail.com> wrote in > > Hi Kyotaro > > > > From the description, seems ~/.postgresql/root.crl is store client > > revoked certificate > > No. Revocation is checked on the peer. There's no point for a server > to check for revocation of its own certificate, and actually that > doesn't happen. Revocation of a client certificate is checked on > server side referencing server.crl. Revocation of a server certificate > is checked on client side referencing postgresql.crl. For example, > some web browsers make use of CRL of web *servers*, which is > automatically maintained in background. > > You will see it work if you duped the server.crl as > ~/.postgresql/root.crl on the client. (I spelled this wrongly in the > previous message..) > > > https://www.postgresql.org/docs/11/libpq-ssl.html > > ~/.postgresql/root.crl certificates revoked by certificate authorities > server > > certificate must not be on this list > > Just don't know why server parameter ssl_crl_file parameter configured > but > > don't take affect > > As explained above, it is because the CRL specified by ssl_crl_file > can only be used to verify client certificates. > > > > https://www.postgresql.org/docs/11/runtime-config-connection.html#GUC-SSL-CRL-FILE > > > > ssl_crl_file (string) > > > > Specifies the name of the file containing the SSL server certificate > > revocation list (CRL). Relative paths are relative to the data directory. > > This parameter can only be set in the postgresql.conf file or on the > server > > command line. The default is empty, meaning no CRL file is loaded. > > Ah, the "server" in "SSL server certificate revocation list" looks > like a noise word, rather misleading, or plain wrong, I'm not sure > which one it actually is. > > > Anyway I propose change the rephrase as "SSL client certification > revocation list" as attached. > > regards. > > -- > Kyotaro Horiguchi > NTT Open Source Software Center >
Commits
-
Doc: Fix misleading wording of CRL parameters
- fadac33bb8de 15.0 landed
- e2ebc90eb809 13.6 landed
- b6360aa46ce9 14.2 landed
- 7d0229e89f4f 10.20 landed
- 7b0643c77b46 11.15 landed
- 386d97781d17 12.10 landed