Re: Is it worth accepting multiple CRLs? - Mailing list pgsql-hackers

From Peter Eisentraut
Subject Re: Is it worth accepting multiple CRLs?
Msg-id 554b446f-a210-cadc-24a1-079d88872468@enterprisedb.com
In response to Re: Is it worth accepting multiple CRLs?  (Kyotaro Horiguchi <horikyota.ntt@gmail.com>)
Responses Re: Is it worth accepting multiple CRLs?
List pgsql-hackers
On 2021-02-17 05:05, Kyotaro Horiguchi wrote:
> The commit fe61df7f82 shot this down.
> 
> This patch allows a new GUC ssl_crl_dir and a new libpq connection
> option sslcrldir to specify a CRL directory, which stores multiple files
> each of which contains one CRL. With that method the server loads only
> CRLs for the CA of the certificate being validated.
> 
> Along with rebasing, the documentation is slightly reworded.

Committed this.

I changed the documentation a bit.  Instead of having a separate section 
describing the CRL options, I put that information directly into the 
libpq and GUC sections.  Some of the information, such as that the 
directory files are loaded on demand, isn't so obviously useful in the 
libpq case, so I found that a bit confusing.  Also, I got the impression 
that the hashed directory format is sort of internal to OpenSSL, and 
there are several versions of that format, so I didn't want to copy over 
the description of these internals.  Instead, I referred to the openssl 
rehash/c_rehash commands for information.  If we get support for 
non-OpenSSL providers, we'll probably have to revisit this.
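The directory layout the thread refers to (what `ssl_crl_dir` / `sslcrldir` point at, and what `openssl rehash` / `c_rehash` produce) is easier to see with a worked script. The following is an added example, not code from this thread or from PostgreSQL. It assumes the `openssl` command-line tool is installed, builds a throwaway CA and an empty CRL purely for demonstration, and relies on OpenSSL's lookup convention that a CRL in a hashed directory is stored as `<issuer-name-hash>.r<N>`; the setting names `ssl_crl_dir` and `sslcrldir` are the ones from the patch, and the `demo-ca` subject and all paths are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL itself.
# Shows what a directory handed to ssl_crl_dir (server) or sslcrldir (libpq)
# must look like: one file per CRL, named <issuer-subject-hash>.r<N>, the
# convention produced by "openssl rehash" / c_rehash and looked up on demand.
set -eu

# Pure-shell part of the naming rule: first free slot <dir>/<hash>.r0, .r1, ...
# (several CRLs whose issuer names hash identically get consecutive N).
crl_slot_name() {
    dir=$1; h=$2; n=0
    while [ -e "$dir/$h.r$n" ]; do n=$((n + 1)); done
    printf '%s/%s.r%s\n' "$dir" "$h" "$n"
}

# Install one PEM CRL into the directory under its issuer-name hash and print
# the path it was stored at. Needs the openssl CLI.
install_crl() {
    dir=$1; crl=$2
    mkdir -p "$dir"
    h=$(openssl crl -in "$crl" -noout -hash)   # hash of the CRL's issuer name
    dest=$(crl_slot_name "$dir" "$h")
    cp "$crl" "$dest"
    printf '%s\n' "$dest"
}

# End-to-end demo with a throwaway CA (constructed here, nothing real):
# generate a CA, issue an empty CRL, install it, and verify that the file name
# equals the CA certificate's subject hash, i.e. that a server validating a
# client certificate signed by this CA would find exactly this CRL file.
demo() {
    work=$(mktemp -d)
    crldir=$work/crls
    (
        cd "$work"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
            -keyout ca.key -out ca.crt >/dev/null 2>&1
        # Minimal "openssl ca" config: -gencrl only needs the index database.
        printf '[ ca ]\ndefault_ca = demo\n[ demo ]\ndatabase = ./index.txt\ndefault_md = sha256\n' > ca.cnf
        : > index.txt
        openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt \
            -crldays 1 -out ca.crl >/dev/null 2>&1
    )
    installed=$(install_crl "$crldir" "$work/ca.crl")
    ca_hash=$(openssl x509 -in "$work/ca.crt" -noout -hash)
    [ "$installed" = "$crldir/$ca_hash.r0" ] || { echo "hash mismatch" >&2; return 1; }

    echo "CRL directory contents:"; ls "$crldir"
    echo "postgresql.conf:  ssl_crl_dir = '$crldir'"
    echo "libpq:            sslmode=verify-full sslrootcert=$work/ca.crt sslcrldir=$crldir"
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

The check at the end of `demo` is the point of the exercise: the CRL's file name is derived from the issuer name, so a server given `ssl_crl_dir` reads only the `<hash>.r*` files matching the CA that signed the certificate under validation, instead of loading every CRL up front as `ssl_crl_file` does.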
