Uggg.
At Mon, 03 Aug 2020 16:19:37 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
> At Fri, 31 Jul 2020 05:53:53 -0700, Henry B Hotz <hbhotz@oxy.edu> wrote in
> > A CA may issue a CRL infrequently, but issue a delta-CRL frequently. Does the logic support this properly?
>
> If you are talking about regsitering new revokations while server is
> running, it checks newer CRLs upon each lookup according to the
> documentation [1], so a new Delta-CRL can be added after server
> start. If server restart is allowed, the CRL file specified by
I didin't know that ssl files are reloaded by SIGHUP (pg_ctl
reload). So the ssl_crl_file is also reloaded on server reload.
> ssl_crl_file can contain multiple CRLs by just concatenation.
>
> [1]: https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_hash_dir.html
Still on-demand loading is the advantage of the hashed directory
method. I'll continue working..
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
