Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local
Date
Msg-id 200605051828.k45ISDA10176@candle.pha.pa.us
Whole thread Raw
Responses Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-patches
Tom Lane wrote:
> Kris Jurka <books@ejurka.com> writes:
> > On Thu, 4 May 2006, Tom Lane wrote:
> >> Don't try to compile SSL CRL support if local SSL installation hasn't
> >> got it.  Per buildfarm failure on 'canary'.
>
> > It seems a little bit dangerous to just not check the CRL without so much
> > as a warning message.
>
> [ shrug... ]  Anyone who's running openssl 0.9.6, or whatever that is on
> canary, isn't expecting CRL support anyway.  And all I did is restore
> the behavior we've had for lo these past many years.

The problem is that we now document that we support CRL, so either we
log if we skip it, or we have to document which versions of OpenSSL do
not support CRL (yuck).

The attached patch checks for the file, and either user it or generates
a log message that it was skipped.

--
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: src/backend/libpq/be-secure.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v
retrieving revision 1.67
diff -c -c -r1.67 be-secure.c
*** src/backend/libpq/be-secure.c    4 May 2006 22:18:38 -0000    1.67
--- src/backend/libpq/be-secure.c    5 May 2006 18:26:37 -0000
***************
*** 795,801 ****
      }
      else
      {
- #ifdef X509_V_FLAG_CRL_CHECK
          /*
           *    Check the Certificate Revocation List (CRL) if file exists.
           *    http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
--- 795,800 ----
***************
*** 804,813 ****

          if (cvstore)
          {
              if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
!                /* setting the flags to check against the complete CRL chain */
!                X509_STORE_set_flags(cvstore,
                              X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
              else
              {
                  /* Not fatal - we do not require CRL */
--- 803,820 ----

          if (cvstore)
          {
+            /* Set the flags to check against the complete CRL chain */
              if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
! /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
! #ifdef X509_V_FLAG_CRL_CHECK
!                 X509_STORE_set_flags(cvstore,
                              X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ #else
+                 ereport(LOG,
+                     (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" ignored",
+                             ROOT_CRL_FILE),
+                      errdetail("Installed SSL library does not support CRL.")));
+ #endif
              else
              {
                  /* Not fatal - we do not require CRL */
***************
*** 817,823 ****
                       errdetail("Will not check certificates against CRL.")));
              }
          }
- #endif /* X509_V_FLAG_CRL_CHECK */

          SSL_CTX_set_verify(SSL_context,
                             (SSL_VERIFY_PEER |
--- 824,829 ----

pgsql-patches by date:

Previous
From: Martijn van Oosterhout
Date:
Subject: Re: Have configure complain about unknown options
Next
From: Tom Lane
Date:
Subject: Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local