1111 *
1212 *
1313 * IDENTIFICATION
14- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.67 2006/05/04 22:18 :38tgl Exp $
14+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/06 01:31 :38momjian Exp $
1515 *
1616 * Since the server static private key ($DataDir/server.key)
1717 * will normally be stored unencrypted so that the database
@@ -795,7 +795,6 @@ initialize_SSL(void)
795795}
796796else
797797{
798- #ifdef X509_V_FLAG_CRL_CHECK
799798/*
800799 *Check the Certificate Revocation List (CRL) if file exists.
801800 *http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
@@ -804,10 +803,18 @@ initialize_SSL(void)
804803
805804if (cvstore )
806805{
806+ /* Set the flags to check against the complete CRL chain */
807807if (X509_STORE_load_locations (cvstore ,ROOT_CRL_FILE ,NULL )!= 0 )
808- /* setting the flags to check against the complete CRL chain */
809- X509_STORE_set_flags (cvstore ,
808+ /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
809+ #ifdef X509_V_FLAG_CRL_CHECK
810+ X509_STORE_set_flags (cvstore ,
810811X509_V_FLAG_CRL_CHECK |X509_V_FLAG_CRL_CHECK_ALL );
812+ #else
813+ ereport (LOG ,
814+ (errmsg ("SSL Certificate Revocation List (CRL) file \"%s\" ignored" ,
815+ ROOT_CRL_FILE ),
816+ errdetail ("Installed SSL library does not support CRL." )));
817+ #endif
811818else
812819{
813820/* Not fatal - we do not require CRL */
@@ -817,7 +824,6 @@ initialize_SSL(void)
817824errdetail ("Will not check certificates against CRL." )));
818825}
819826}
820- #endif /* X509_V_FLAG_CRL_CHECK */
821827
822828SSL_CTX_set_verify (SSL_context ,
823829 (SSL_VERIFY_PEER |