At Thu, 2 Dec 2021 11:31:26 +0800, Yi Sun <yinan81@gmail.com> wrote in > Hi Kyotaro > > From the description, seems ~/.postgresql/root.crl is store client > revoked certificate
No. Revocation is checked on the peer. There's no point for a server to check for revocation of its own certificate, and actually that doesn't happen. Revocation of a client certificate is checked on server side referencing server.crl. Revocation of a server certificate is checked on client side referencing postgresql.crl. For example, some web browsers make use of CRL of web *servers*, which is automatically maintained in background.
You will see it work if you duped the server.crl as ~/.postgresql/root.crl on the client. (I spelled this wrongly in the previous message..)
> https://www.postgresql.org/docs/11/libpq-ssl.html > ~/.postgresql/root.crl certificates revoked by certificate authorities server > certificate must not be on this list > Just don't know why server parameter ssl_crl_file parameter configured but > don't take affect
As explained above, it is because the CRL specified by ssl_crl_file can only be used to verify client certificates.
> https://www.postgresql.org/docs/11/runtime-config-connection.html#GUC-SSL-CRL-FILE > > ssl_crl_file (string) > > Specifies the name of the file containing the SSL server certificate > revocation list (CRL). Relative paths are relative to the data directory. > This parameter can only be set in the postgresql.conf file or on the server > command line. The default is empty, meaning no CRL file is loaded.
Ah, the "server" in "SSL server certificate revocation list" looks like a noise word, rather misleading, or plain wrong, I'm not sure which one it actually is.
Anyway I propose change the rephrase as "SSL client certification revocation list" as attached.
regards.
-- Kyotaro Horiguchi NTT Open Source Software Center