Re: Is it worth accepting multiple CRLs? - Mailing list pgsql-hackers

From Kyotaro Horiguchi
Subject Re: Is it worth accepting multiple CRLs?
Date
Msg-id 20210218.170625.436963865465601123.horikyota.ntt@gmail.com
In response to Re: Is it worth accepting multiple CRLs?  (Peter Eisentraut <peter.eisentraut@enterprisedb.com>)
List pgsql-hackers
Thanks for committing this!

At Thu, 18 Feb 2021 08:24:23 +0100, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote in 
> On 2021-02-17 05:05, Kyotaro Horiguchi wrote:
> > The commit fe61df7f82 shot down this.
> > This patch allows a new GUC ssl_crl_dir and a new libpq connection
> > option sslcrldir to specify a CRL directory, which stores multiple files
> > each containing one CRL. With that method the server loads only CRLs for the
> > CA of the certificate being validated.
> > Along with rebasing, the documentation is slightly reworded.
> 
> Committed this.
> 
> I changed the documentation a bit.  Instead of having a separate
> section describing the CRL options, I put that information directly
> into the libpq and GUC sections.  Some of the information, such as
> that the directory files are loaded on demand, isn't so obviously
> useful in the libpq case, so I found that a bit confusing.  Also, I

Agreed.

> got the impression that the hashed directory format is sort of
> internal to OpenSSL, and there are several versions of that format, so
> I didn't want to copy over the description of these internals.
> Instead, I referred to the openssl rehash/c_rehash commands for
> information.  If we get support for non-OpenSSL providers, we'll
> probably have to revisit this.

Thanks.  I'm fine with that, too.

Regards,

-- 
Kyotaro Horiguchi
NTT Open Source Software Center
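
As an added shell example (not code from this thread or from PostgreSQL itself), the following builds the hashed CRL directory that the new ssl_crl_dir / sslcrldir options point at, using the openssl rehash command the documentation refers to, and then checks that every CRL is reachable through its subject-hash link. The input and output paths, the host name, and the availability of openssl 1.1 or later on PATH are assumptions.

```shell
#!/bin/sh
# Build and sanity-check a CRL directory for PostgreSQL's ssl_crl_dir (server)
# and sslcrldir (libpq). Assumed, not from the thread: PEM CRLs under $1,
# output directory $2, openssl 1.1+ on PATH.
set -eu

# Count how many hashed links <hash>.r<N> already exist in directory $1 for
# subject hash $2. Pure shell, so it can be checked without openssl.
count_crl_links() {
    dir=$1; hash=$2; n=0
    while [ -e "$dir/$hash.r$n" ]; do n=$((n + 1)); done
    echo "$n"
}

# Copy the CRLs in and let OpenSSL create the <hash>.rN links; the server
# resolves the issuing CA's subject hash to exactly these names on demand.
build_crl_dir() {
    src=$1; dst=$2
    mkdir -p "$dst"
    cp "$src"/*.pem "$dst"/
    openssl rehash "$dst"     # c_rehash on older OpenSSL builds
}

# Verify that every CRL file has a hashed link. A CRL without one is never
# found by the lookup, so certificates from that CA cannot be checked against it.
check_crl_dir() {
    dst=$1; rc=0
    for f in "$dst"/*.pem; do
        [ -f "$f" ] || continue
        h=$(openssl crl -in "$f" -noout -hash)
        if [ "$(count_crl_links "$dst" "$h")" -eq 0 ]; then
            echo "no hashed link for $f (subject hash $h)" >&2; rc=1
        fi
    done
    return $rc
}

if [ "$#" -eq 2 ]; then
    build_crl_dir "$1" "$2" && check_crl_dir "$2"
    cat <<EOF
# postgresql.conf (server side):
ssl_crl_dir = '$2'
# libpq connection string (client side; host name is a placeholder):
psql "host=db.example.invalid sslmode=verify-full sslcrldir=$2"
EOF
fi
```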
