Commit e747f49

Add support for SSL Certificate Revocation List (CRL) files, root.crl.
Libor Hoho?

1 parent 1a84275 · commit e747f49

File tree

2 files changed: +31 −6 lines changed

doc/src/sgml/runtime.sgml

Lines changed: 7 additions & 5 deletions
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.370 2006/04/11 21:04:52 momjian Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.371 2006/04/27 02:29:14 momjian Exp $ -->
22

33
<chapter Id="runtime">
44
<title>Operating System Environment</title>
@@ -1553,7 +1553,9 @@ chmod og-rwx server.key
15531553
the file <filename>root.crt</filename> in the data directory. When
15541554
present, a client certificate will be requested from the client
15551555
during SSL connection startup, and it must have been signed by one of the
1556-
certificates present in <filename>root.crt</filename>.
1556+
certificates present in <filename>root.crt</filename>. Certificate
1557+
Revocation List (CRL) entries are also checked if the file
1558+
<filename>root.crl</filename> exists.
15571559
</para>
15581560

15591561
<para>
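Review bot: the new sentence "Certificate Revocation List (CRL) entries are also checked if the file root.crl exists" leaves out what happens when the file is absent or cannot be loaded. The be-secure.c change in this commit only writes a LOG message and continues without revocation checking, so an administrator who misplaces or corrupts root.crl gets no error at startup and silently runs without CRL checks. Suggest adding a sentence such as: "If root.crl is missing or cannot be read, a message is written to the server log and client certificates are not checked against a CRL."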
@@ -1564,9 +1566,9 @@ chmod og-rwx server.key
15641566

15651567
<para>
15661568
The files <filename>server.key</>, <filename>server.crt</>,
1567-
and<filename>root.crt</filename> are only examined during server
1568-
start; so you must restartthe server to make changes in them take
1569-
effect.
1569+
<filename>root.crt</filename>, and <filename>root.crl</filename>
1570+
are only examined during serverstart; so you must restart
1571+
the server to make changes in them takeeffect.
15701572
</para>
15711573
</sect1>
15721574

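Review bot: with root.crl added to the list of files read only at server start, the paragraph should spell out the consequence for CRLs in particular: a CRL is reissued on a schedule, so every refreshed root.crl needs a server restart before it takes effect, and a client certificate revoked in the new CRL keeps being accepted until that restart. Stating this explicitly (e.g. "this includes updated CRLs; a revoked certificate is still accepted until the server is restarted with the new root.crl") helps administrators plan CRL rotation.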
src/backend/libpq/be-secure.c

Lines changed: 24 additions & 1 deletion
@@ -11,7 +11,7 @@
1111
*
1212
*
1313
* IDENTIFICATION
14-
* $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.63 2006/03/21 18:18:35 neilc Exp $
14+
* $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.64 2006/04/27 02:29:14 momjian Exp $
1515
*
1616
* Since the server static private key ($DataDir/server.key)
1717
* will normally be stored unencrypted so that the database
@@ -102,6 +102,7 @@
102102
#ifdefUSE_SSL
103103

104104
#defineROOT_CERT_FILE"root.crt"
105+
#defineROOT_CRL_FILE"root.crl"
105106
#defineSERVER_CERT_FILE"server.crt"
106107
#defineSERVER_PRIVATE_KEY_FILE "server.key"
107108

@@ -794,6 +795,28 @@ initialize_SSL(void)
794795
}
795796
else
796797
{
798+
/*
799+
*Check the Certificate Revocation List (CRL) if file exists.
800+
*http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
801+
*/
802+
X509_STORE*cvstore=SSL_CTX_get_cert_store(SSL_context);
803+
804+
if (cvstore)
805+
{
806+
if (X509_STORE_load_locations(cvstore,ROOT_CRL_FILE,NULL)!=0)
807+
/* setting the flags to check against the complete CRL chain */
808+
X509_STORE_set_flags(cvstore,
809+
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
810+
else
811+
{
812+
/* Not fatal - we do not require CRL */
813+
ereport(LOG,
814+
(errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s",
815+
ROOT_CRL_FILE,SSLerrmessage()),
816+
errdetail("Will not check certificates against CRL.")));
817+
}
818+
}
819+
797820
SSL_CTX_set_verify(SSL_context,
798821
(SSL_VERIFY_PEER |
799822
SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
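Review bot: every failure of X509_STORE_load_locations() is reported as "... not found, skipping" at LOG level, but that call also fails when root.crl exists and is unreadable or malformed; in that case revocation checking is silently disabled while the administrator believes it is on. Suggest testing for the file's existence first (stat() or access() on ROOT_CRL_FILE) and logging the "not found" message only in that case, while treating a present-but-unloadable CRL as a hard error (ereport(FATAL, ...) rather than LOG), since a bad CRL should not degrade to no CRL. Two smaller points: X509_V_FLAG_CRL_CHECK_ALL makes OpenSSL require a CRL for every CA in the chain, not just the issuer of the client certificate, so a root.crl that carries only the issuing CA's CRL will make every client connection fail with "unable to get certificate CRL"; this should be documented next to the root.crl description. And the brace-less `if` body, separated from its condition by a comment line and sitting next to a braced `else`, is easy to misread; brace both branches as the rest of this function does.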