On 2021-01-19 09:32, Kyotaro Horiguchi wrote:
> At Tue, 19 Jan 2021 09:17:34 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
>> By the way we can do the same thing on CA file/dir, but I personally
>> think that the benefit from the specify-by-directory for CA files is
>> far less than CRL files. So I'm not going to do this for CA files for
>> now.
>
> This is it. A new guc ssl_crl_dir and connection option crldir are
> added.
This looks pretty good to me overall.
You need to update the expected result of the postgres_fdw test.
Also check your patch for whitespace errors with git diff --check or
similar.
> One problem raised upthread is the footprint for test is quite large
> because all certificate and key files are replaced by this patch. I
> think we can shrink the footprint by generating that files on-demand
> but that needs openssl frontend to be installed on the development
> environment.
I don't understand why you need to recreate all these files. All your
patch should contain are the new *.r0 files that are computed from the
existing *.crl files. Nothing else should change, AIUI.
Some of the makefile rules for generating the CRL files need some
refinement. In
+ssl/root+server-crldir: ssl/server.crl
+ mkdir ssl/root+server-crldir
+ cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout
-in ssl/server.crl`.r0
+ cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in
ssl/root.crl`.r0
+ssl/root+client-crldir: ssl/client.crl
+ mkdir ssl/root+client-crldir
+ cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout
-in ssl/client.crl`.r0
+ cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in
ssl/root.crl`.r0
the rules should also have a dependency on ssl/root.crl in addition to
ssl/server.crl.
By the way:
- print $sslconf "ssl_crl_file='root+client.crl'\n";
+ print $sslconf "ssl_crl_file='$crlfile'\n" if (defined $crlfile);
+ print $sslconf "ssl_crl_dir='$crldir'\n" if (defined $crldir);
Trailing "if" doesn't need parentheses.
