Thread: Is it worth accepting multiple CRLs?
Hello. PostgreSQL server accepts only one CRL file. It is easy to expand be_tls_init to accept a directory set in ssl_crl_file. But I'm not sure CRL is actually even utilized in the field so that could ends with just bloating the documentation. Is it work doing? regards. -- Kyotaro Horiguchi NTT Open Source Software Center
A CA may issue a CRL infrequently, but issue a delta-CRL frequently. Does the logic support this properly? Personal email. hbhotz@oxy.edu > On Jul 31, 2020, at 1:39 AM, Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote: > > Hello. > > PostgreSQL server accepts only one CRL file. It is easy to expand > be_tls_init to accept a directory set in ssl_crl_file. But I'm not > sure CRL is actually even utilized in the field so that could ends > with just bloating the documentation. > > Is it work doing? > > regards. > > -- > Kyotaro Horiguchi > NTT Open Source Software Center > >
Greetings, * Kyotaro Horiguchi (horikyota.ntt@gmail.com) wrote: > PostgreSQL server accepts only one CRL file. It is easy to expand > be_tls_init to accept a directory set in ssl_crl_file. But I'm not > sure CRL is actually even utilized in the field so that could ends > with just bloating the documentation. > > Is it work doing? Yes, CRLs are absolutely used in the field and having this would be nice. Thanks, Stephen
Attachment
At Fri, 31 Jul 2020 05:53:53 -0700, Henry B Hotz <hbhotz@oxy.edu> wrote in > A CA may issue a CRL infrequently, but issue a delta-CRL frequently. Does the logic support this properly? If you are talking about regsitering new revokations while server is running, it checks newer CRLs upon each lookup according to the documentation [1], so a new Delta-CRL can be added after server start. If server restart is allowed, the CRL file specified by ssl_crl_file can contain multiple CRLs by just concatenation. [1]: https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_hash_dir.html regards. -- Kyotaro Horiguchi NTT Open Source Software Center
At Fri, 31 Jul 2020 09:00:14 -0400, Stephen Frost <sfrost@snowman.net> wrote in > Greetings, > > * Kyotaro Horiguchi (horikyota.ntt@gmail.com) wrote: > > PostgreSQL server accepts only one CRL file. It is easy to expand > > be_tls_init to accept a directory set in ssl_crl_file. But I'm not > > sure CRL is actually even utilized in the field so that could ends > > with just bloating the documentation. > > > > Is it work doing? > > Yes, CRLs are absolutely used in the field and having this would be > nice. Thanks for the opinion. I'll continue working on this. regards. -- Kyotaro Horiguchi NTT Open Source Software Center
Uggg. At Mon, 03 Aug 2020 16:19:37 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in > At Fri, 31 Jul 2020 05:53:53 -0700, Henry B Hotz <hbhotz@oxy.edu> wrote in > > A CA may issue a CRL infrequently, but issue a delta-CRL frequently. Does the logic support this properly? > > If you are talking about regsitering new revokations while server is > running, it checks newer CRLs upon each lookup according to the > documentation [1], so a new Delta-CRL can be added after server > start. If server restart is allowed, the CRL file specified by I didin't know that ssl files are reloaded by SIGHUP (pg_ctl reload). So the ssl_crl_file is also reloaded on server reload. > ssl_crl_file can contain multiple CRLs by just concatenation. > > [1]: https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_hash_dir.html Still on-demand loading is the advantage of the hashed directory method. I'll continue working.. regards. -- Kyotaro Horiguchi NTT Open Source Software Center
At Mon, 03 Aug 2020 16:20:40 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
> Thanks for the opinion. I'll continue working on this.
This is it, but..
Looking closer I realized that certificates are verified in each
backend so CRL cache doesn't work at all for the hashed directory
method. Therefore, all CRL files relevant to a certificate to be
verfied are loaded every time a backend starts.
The only advantage of this is avoiding irrelevant CRLs from being
loaded in exchange of loading relevant CRLs at every session
start. Session startup gets slower by many delta CRLs from the same
CA.
Seems far from promising.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
From 80a20df187bb2a8555996d7aecb951d345cf51c2 Mon Sep 17 00:00:00 2001
From: Kyotaro Horiguchi <horikyoga.ntt@gmail.com>
Date: Tue, 21 Jul 2020 23:01:27 +0900
Subject: [PATCH v1] Allow directory name for GUC ssl_crl_file and connection
option sslcrl
X509_STORE_load_locations accepts a directory, which leads to
on-demand loading method with which method only relevant CRLs are
loaded.
---
doc/src/sgml/config.sgml | 10 ++++----
doc/src/sgml/libpq.sgml | 10 +++++---
doc/src/sgml/runtime.sgml | 30 ++++++++++++++++++++++
src/backend/libpq/be-secure-openssl.c | 12 ++++++++-
src/interfaces/libpq/fe-secure-openssl.c | 12 ++++++++-
src/test/ssl/Makefile | 13 +++++++++-
src/test/ssl/ssl/clientcrldir/9bb9e3c3.r0 | 11 ++++++++
src/test/ssl/ssl/clientcrldir/a3d11bff.r0 | 11 ++++++++
src/test/ssl/ssl/servercrldir/a3d11bff.r0 | 11 ++++++++
src/test/ssl/ssl/servercrldir/a836cc2d.r0 | 11 ++++++++
src/test/ssl/t/001_ssltests.pl | 31 +++++++++++++++++++++--
src/test/ssl/t/SSLServer.pm | 5 +++-
12 files changed, 152 insertions(+), 15 deletions(-)
create mode 100644 src/test/ssl/ssl/clientcrldir/9bb9e3c3.r0
create mode 100644 src/test/ssl/ssl/clientcrldir/a3d11bff.r0
create mode 100644 src/test/ssl/ssl/servercrldir/a3d11bff.r0
create mode 100644 src/test/ssl/ssl/servercrldir/a836cc2d.r0
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 7a7177c550..a3e81619c9 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1182,11 +1182,11 @@ include_dir 'conf.d'
<listitem>
<para>
Specifies the name of the file containing the SSL server certificate
- revocation list (CRL).
- Relative paths are relative to the data directory.
- This parameter can only be set in the <filename>postgresql.conf</filename>
- file or on the server command line.
- The default is empty, meaning no CRL file is loaded.
+ revocation list (CRL) or the directory containing CRL files. Relative
+ paths are relative to the data directory. This parameter can only be
+ set in the <filename>postgresql.conf</filename> file or on the server
+ command line. The default is empty, meaning no CRL file is
+ loaded. See <xref linkend="ssl-crl-files"/> for details.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index f7b765f76d..96bfbcfd82 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1705,10 +1705,12 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<listitem>
<para>
This parameter specifies the file name of the SSL certificate
- revocation list (CRL). Certificates listed in this file, if it
- exists, will be rejected while attempting to authenticate the
- server's certificate. The default is
- <filename>~/.postgresql/root.crl</filename>.
+ revocation list (CRL) or the directory name that contains CRL files.
+ Certificates listed in this file or directoty, if it exists, will be
+ rejected while attempting to authenticate the server's certificate.
+ The default is
+ <filename>~/.postgresql/root.crl</filename>. See
+ <xref linkend="ssl-crl-files"/> for details.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index c8698898f3..5d7fd48ad7 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2486,6 +2486,36 @@ openssl x509 -req -in server.csr -text -days 365 \
</para>
</sect2>
+ <sect2 id="ssl-crl-files">
+ <title>Certification Revokation List files</title>
+
+ <para> The server setting <xref linkend="guc-ssl-crl-file"/> and the
+ connection option <xref linkend="libpq-connect-sslcrl"/> specify either a
+ file containing one or more CRL, or a directory containing a separate file
+ for every CRL. In the first method, file method, the all CRLs in the file
+ is loaded at server start time or by reloading config file
+ (<command>pg_ctl reload</command>). In the second method, hashed directory
+ method, CRL files are loaded on-demand, that is, only the relevant CRL
+ files are loaded at connection time.
+ </para>
+ <para>
+ The CRL file used for the file method can contain multiple CRLs, like
+ certificates, by just concatenated if it is in PEM format. In the hashed
+ directory method, every file in the directory has the name
+ with <parameter>hash</parameter>.r<parameter>N</parameter> format,
+ where <parameter>hash</parameter> is the hash value of the issuer of the
+ CRL and <parameter>N</parameter> is a sequence number that starts at
+ zero. The hash value is calculated using openssl command. In both cases
+ the CRLs from all CAs involved in a certificate chain are needed to verify
+ a certificate, even if some or all of them are empty.
+<programlisting>
+$ openssl crl -hash -noout -in foo.crl
+98668507
+$ cp foo.crl $PGDATA/crldir/98668507.r0
+</programlisting>
+ </para>
+ </sect2>
+
</sect1>
<sect1 id="gssapi-enc">
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 8b21ff4065..d85dc710a4 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -289,8 +289,18 @@ be_tls_init(bool isServerStart)
if (cvstore)
{
+ char *filename = NULL;
+ char *dirname = NULL;
+ struct stat statbuf;
+
+ /* identify whether it is a file or a directoty */
+ if (stat(ssl_crl_file, &statbuf) == 0 && S_ISDIR(statbuf.st_mode))
+ dirname = ssl_crl_file;
+ else
+ filename = ssl_crl_file;
+
/* Set the flags to check against the complete CRL chain */
- if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1)
+ if (X509_STORE_load_locations(cvstore, filename, dirname) == 1)
{
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index d609a38bbe..1ae60226b1 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -936,6 +936,10 @@ initialize_SSL(PGconn *conn)
if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
{
+ char *filename = NULL;
+ char *dirname = NULL;
+ struct stat statbuf;
+
if (conn->sslcrl && strlen(conn->sslcrl) > 0)
strlcpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
else if (have_homedir)
@@ -943,9 +947,15 @@ initialize_SSL(PGconn *conn)
else
fnbuf[0] = '\0';
+ /* Identify whether it is a file or a directory */
+ if (stat(fnbuf, &statbuf) == 0 && S_ISDIR(statbuf.st_mode))
+ dirname = fnbuf;
+ else
+ filename = fnbuf;
+
/* Set the flags to check against the complete CRL chain */
if (fnbuf[0] != '\0' &&
- X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
+ X509_STORE_load_locations(cvstore, filename, dirname) == 1)
{
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 777ee39413..b04e532295 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -30,12 +30,14 @@ SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
ssl/client+client_ca.crt ssl/client-der.key \
ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+SSLDIRS := ssl/clientcrldir ssl/servercrldir
+
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
# This target will fail unless preceded by sslfiles-clean.
#
-sslfiles: $(SSLFILES)
+sslfiles: $(SSLFILES) $(SSLDIRS)
# OpenSSL requires a directory to put all generated certificates in. We don't
# use this for anything, but we need a location.
@@ -146,10 +148,19 @@ ssl/root+server.crl: ssl/root.crl ssl/server.crl
cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
cat $^ > $@
+ssl/servercrldir: ssl/server.crl
+ mkdir ssl/servercrldir
+ cp ssl/server.crl ssl/servercrldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+ cp ssl/root.crl ssl/servercrldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+ssl/clientcrldir: ssl/client.crl
+ mkdir ssl/clientcrldir
+ cp ssl/client.crl ssl/clientcrldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+ cp ssl/root.crl ssl/clientcrldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
.PHONY: sslfiles-clean
sslfiles-clean:
rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex*
ssl/root_ca-certindex*ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
+ rm -rf $(SSLDIRS)
clean distclean maintainer-clean:
rm -rf tmp_check
diff --git a/src/test/ssl/ssl/clientcrldir/9bb9e3c3.r0 b/src/test/ssl/ssl/clientcrldir/9bb9e3c3.r0
new file mode 100644
index 0000000000..a667680e04
--- /dev/null
+++ b/src/test/ssl/ssl/clientcrldir/9bb9e3c3.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
+MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
+BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
+8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
+xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
+pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
+nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
+2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/clientcrldir/a3d11bff.r0 b/src/test/ssl/ssl/clientcrldir/a3d11bff.r0
new file mode 100644
index 0000000000..e879cf25a7
--- /dev/null
+++ b/src/test/ssl/ssl/clientcrldir/a3d11bff.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
+MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
+qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
+4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
+lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
+pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
+PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
+AlO+O0a4SpYS
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/servercrldir/a3d11bff.r0 b/src/test/ssl/ssl/servercrldir/a3d11bff.r0
new file mode 100644
index 0000000000..e879cf25a7
--- /dev/null
+++ b/src/test/ssl/ssl/servercrldir/a3d11bff.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
+MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
+qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
+4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
+lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
+pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
+PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
+AlO+O0a4SpYS
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/servercrldir/a836cc2d.r0 b/src/test/ssl/ssl/servercrldir/a836cc2d.r0
new file mode 100644
index 0000000000..717951c26a
--- /dev/null
+++ b/src/test/ssl/ssl/servercrldir/a836cc2d.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
+MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
+BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
+xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
+nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
+RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
+SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
+41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+-----END X509 CRL-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index fd2727b568..8b0787ce7f 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -13,7 +13,7 @@ use SSLServer;
if ($ENV{with_openssl} eq 'yes')
{
- plan tests => 93;
+ plan tests => 100;
}
else
{
@@ -214,6 +214,12 @@ test_connect_fails(
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
qr/SSL error/,
"CRL belonging to a different CA");
+# The same for CRL directory, fails
+test_connect_fails(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/clientcrldir",
+ qr/SSL error/,
+ "directory CRL belonging to a different CA");
# With the correct CRL, succeeds (this cert is not revoked)
test_connect_ok(
@@ -221,6 +227,12 @@ test_connect_ok(
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
"CRL with a non-revoked cert");
+# With the correct server CRL directory, succeeds (this cert is not revoked)
+test_connect_ok(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/servercrldir",
+ "HOGE directory CRL with a non-revoked cert");
+
# Check that connecting with verify-full fails, when the hostname doesn't
# match the hostname in the server's certificate.
$common_connstr =
@@ -346,7 +358,12 @@ test_connect_fails(
$common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
qr/SSL error/,
- "does not connect with client-side CRL");
+ "does not connect with client-side CRL file");
+test_connect_fails(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/servercrldir",
+ qr/SSL error/,
+ "does not connect with client-side CRL directory");
# pg_stat_ssl
command_like(
@@ -545,6 +562,16 @@ test_connect_ok(
test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt",
qr/SSL error/, "intermediate client certificate is missing");
+# test server-side CRL directory
+switch_server_cert($node, 'server-revoked', undef, 1);
+
+# revoked client cert
+test_connect_fails(
+ $common_connstr,
+ "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
+ qr/SSL error/,
+ "certificate authorization fails with revoked client cert with server-side CRL directory");
+
# clean up
foreach my $key (@keys)
{
diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm
index 1e392b8fbf..5bc3bc91d5 100644
--- a/src/test/ssl/t/SSLServer.pm
+++ b/src/test/ssl/t/SSLServer.pm
@@ -151,6 +151,8 @@ sub configure_test_server_for_ssl
copy_files("ssl/root+client_ca.crt", $pgdata);
copy_files("ssl/root_ca.crt", $pgdata);
copy_files("ssl/root+client.crl", $pgdata);
+ mkdir("$pgdata/clientcrldir");
+ copy_files("ssl/clientcrldir/*", "$pgdata/clientcrldir/");
# Stop and restart server to load new listen_addresses.
$node->restart;
@@ -168,6 +170,7 @@ sub switch_server_cert
my $node = $_[0];
my $certfile = $_[1];
my $cafile = $_[2] || "root+client_ca";
+ my $crlfile = ($_[3] ? "clientcrldir" : "root+client.crl");
my $pgdata = $node->data_dir;
open my $sslconf, '>', "$pgdata/sslconfig.conf";
@@ -175,7 +178,7 @@ sub switch_server_cert
print $sslconf "ssl_ca_file='$cafile.crt'\n";
print $sslconf "ssl_cert_file='$certfile.crt'\n";
print $sslconf "ssl_key_file='$certfile.key'\n";
- print $sslconf "ssl_crl_file='root+client.crl'\n";
+ print $sslconf "ssl_crl_file='$crlfile'\n";
close $sslconf;
$node->restart;
--
2.18.4
Greetings, * Kyotaro Horiguchi (horikyota.ntt@gmail.com) wrote: > At Mon, 03 Aug 2020 16:20:40 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in > > Thanks for the opinion. I'll continue working on this. > > This is it, but.. Thanks! > Looking closer I realized that certificates are verified in each > backend so CRL cache doesn't work at all for the hashed directory > method. Therefore, all CRL files relevant to a certificate to be > verfied are loaded every time a backend starts. > > The only advantage of this is avoiding irrelevant CRLs from being > loaded in exchange of loading relevant CRLs at every session > start. Session startup gets slower by many delta CRLs from the same > CA. > > Seems far from promising. I agree that it's not ideal, but I don't know that this is a reason to not move forward with this feature..? We could certainly have a later patch which improves this in some way (though exactly how isn't clear... if we move the CRL loading into postmaster then we'd have to load *all* of them, and then we'd still need to check if they've changed since we loaded them, and presumably have some way to signal the postmaster to update its set from time to time..), but that can be a future effort. I took a quick look through the patch and it seemed pretty straight forward to me and a good improvement. Would love to hear other thoughts. I hope you'll submit this for the September CF and ping me when you do and I'll see if I can get it committed. Thanks! Stephen
Attachment
Hello. At Sat, 15 Aug 2020 13:18:22 -0400, Stephen Frost <sfrost@snowman.net> wrote in > > Looking closer I realized that certificates are verified in each > > backend so CRL cache doesn't work at all for the hashed directory > > method. Therefore, all CRL files relevant to a certificate to be > > verfied are loaded every time a backend starts. > > > > The only advantage of this is avoiding irrelevant CRLs from being > > loaded in exchange of loading relevant CRLs at every session > > start. Session startup gets slower by many delta CRLs from the same > > CA. > > > > Seems far from promising. > > I agree that it's not ideal, but I don't know that this is a reason to > not move forward with this feature..? Since one of the significant advantage of the directory method is differential loading of new CRLs. But actually it has other advanges like easier file handling and not needing server reload. > We could certainly have a later patch which improves this in some way > (though exactly how isn't clear... if we move the CRL loading into > postmaster then we'd have to load *all* of them, and then we'd still > need to check if they've changed since we loaded them, and presumably > have some way to signal the postmaster to update its set from time to > time..), but that can be a future effort. > > I took a quick look through the patch and it seemed pretty straight > forward to me and a good improvement. > > Would love to hear other thoughts. I hope you'll submit this for the > September CF and ping me when you do and I'll see if I can get it > committed. Thank you very much. I'll do that after some polishing. A near-by discussion about OpenSSL3.0 conflicts with this but it's easy to follow. regards. -- Kyotaro Horiguchi NTT Open Source Software Center
At Tue, 18 Aug 2020 16:43:47 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
> Thank you very much. I'll do that after some polishing.
>
> A near-by discussion about OpenSSL3.0 conflicts with this but it's
> easy to follow.
Rebased. Fixed bogus tests and strange tentative API change of
SSLServer.pm. Corrected a (maybe) spelling mistake. I'm going to
register this to the coming CF.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
From 4ae2bdd3828332a3404acf36635a433464c56485 Mon Sep 17 00:00:00 2001
From: Kyotaro Horiguchi <horikyoga.ntt@gmail.com>
Date: Tue, 21 Jul 2020 23:01:27 +0900
Subject: [PATCH] Allow directory name for GUC ssl_crl_file and connection
option sslcrl
X509_STORE_load_locations accepts a directory, which leads to
on-demand loading method with which method only relevant CRLs are
loaded.
---
doc/src/sgml/config.sgml | 10 ++--
doc/src/sgml/libpq.sgml | 8 ++--
doc/src/sgml/runtime.sgml | 30 ++++++++++++
src/backend/libpq/be-secure-openssl.c | 12 ++++-
src/interfaces/libpq/fe-secure-openssl.c | 12 ++++-
src/test/ssl/Makefile | 20 +++++++-
src/test/ssl/ssl/both-cas-1.crt | 46 +++++++++----------
src/test/ssl/ssl/both-cas-2.crt | 46 +++++++++----------
src/test/ssl/ssl/client+client_ca.crt | 28 +++++------
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 11 +++++
src/test/ssl/ssl/client-revoked.crt | 14 +++---
src/test/ssl/ssl/client.crl | 16 +++----
src/test/ssl/ssl/client.crt | 14 +++---
src/test/ssl/ssl/client_ca.crt | 14 +++---
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 11 +++++
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 11 +++++
src/test/ssl/ssl/root+client.crl | 32 ++++++-------
src/test/ssl/ssl/root+client_ca.crt | 32 ++++++-------
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 11 +++++
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 11 +++++
src/test/ssl/ssl/root+server.crl | 32 ++++++-------
src/test/ssl/ssl/root+server_ca.crt | 32 ++++++-------
src/test/ssl/ssl/root.crl | 16 +++----
src/test/ssl/ssl/root_ca.crt | 18 ++++----
src/test/ssl/ssl/server-cn-and-alt-names.crt | 14 +++---
src/test/ssl/ssl/server-cn-only.crt | 14 +++---
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 11 +++++
.../ssl/ssl/server-multiple-alt-names.crt | 14 +++---
src/test/ssl/ssl/server-no-names.crt | 16 +++----
src/test/ssl/ssl/server-revoked.crt | 14 +++---
src/test/ssl/ssl/server-single-alt-name.crt | 16 +++----
src/test/ssl/ssl/server-ss.crt | 18 ++++----
src/test/ssl/ssl/server.crl | 16 +++----
src/test/ssl/ssl/server_ca.crt | 14 +++---
src/test/ssl/t/001_ssltests.pl | 31 ++++++++++++-
src/test/ssl/t/SSLServer.pm | 5 +-
36 files changed, 418 insertions(+), 252 deletions(-)
create mode 100644 src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
create mode 100644 src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
create mode 100644 src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
create mode 100644 src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
create mode 100644 src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
create mode 100644 src/test/ssl/ssl/server-crldir/a836cc2d.r0
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 7a7177c550..a3e81619c9 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1182,11 +1182,11 @@ include_dir 'conf.d'
<listitem>
<para>
Specifies the name of the file containing the SSL server certificate
- revocation list (CRL).
- Relative paths are relative to the data directory.
- This parameter can only be set in the <filename>postgresql.conf</filename>
- file or on the server command line.
- The default is empty, meaning no CRL file is loaded.
+ revocation list (CRL) or the directory containing CRL files. Relative
+ paths are relative to the data directory. This parameter can only be
+ set in the <filename>postgresql.conf</filename> file or on the server
+ command line. The default is empty, meaning no CRL file is
+ loaded. See <xref linkend="ssl-crl-files"/> for details.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 92556c7ce0..8480b7d61a 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1708,10 +1708,12 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<listitem>
<para>
This parameter specifies the file name of the SSL certificate
- revocation list (CRL). Certificates listed in this file, if it
- exists, will be rejected while attempting to authenticate the
+ revocation list (CRL) or the directory name that contains CRL files.
+ Certificates listed in this file or in the files in this directoty, if
+ it exists, will be rejected while attempting to authenticate the
server's certificate. The default is
- <filename>~/.postgresql/root.crl</filename>.
+ <filename>~/.postgresql/root.crl</filename>. See
+ <xref linkend="ssl-crl-files"/> for details.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index c8698898f3..da00738d8c 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2486,6 +2486,36 @@ openssl x509 -req -in server.csr -text -days 365 \
</para>
</sect2>
+ <sect2 id="ssl-crl-files">
+ <title>Certification Revocation List files</title>
+
+ <para> The server setting <xref linkend="guc-ssl-crl-file"/> and the
+ connection option <xref linkend="libpq-connect-sslcrl"/> specify either a
+ file containing one or more CRL, or a directory containing a separate file
+ for every CRL. In the first method, file method, the all CRLs in the file
+ is loaded at server start time or by reloading config file
+ (<command>pg_ctl reload</command>). In the second method, hashed directory
+ method, CRL files are loaded on-demand, that is, only the relevant CRL
+ files are loaded at connection time.
+ </para>
+ <para>
+ The CRL file used for the file method can contain multiple CRLs, like
+ certificates, by just concatenated if it is in PEM format. In the hashed
+ directory method, every file in the directory has the name
+ with <parameter>hash</parameter>.r<parameter>N</parameter> format,
+ where <parameter>hash</parameter> is the hash value of the issuer of the
+ CRL and <parameter>N</parameter> is a sequence number that starts at
+ zero. The hash value is calculated using openssl command. In both cases
+ the CRLs from all CAs involved in a certificate chain are needed to verify
+ a certificate, even if some or all of them are empty.
+<programlisting>
+$ openssl crl -hash -noout -in foo.crl
+98668507
+$ cp foo.crl $PGDATA/crldir/98668507.r0
+</programlisting>
+ </para>
+ </sect2>
+
</sect1>
<sect1 id="gssapi-enc">
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 8b21ff4065..d85dc710a4 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -289,8 +289,18 @@ be_tls_init(bool isServerStart)
if (cvstore)
{
+ char *filename = NULL;
+ char *dirname = NULL;
+ struct stat statbuf;
+
+ /* identify whether it is a file or a directoty */
+ if (stat(ssl_crl_file, &statbuf) == 0 && S_ISDIR(statbuf.st_mode))
+ dirname = ssl_crl_file;
+ else
+ filename = ssl_crl_file;
+
/* Set the flags to check against the complete CRL chain */
- if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1)
+ if (X509_STORE_load_locations(cvstore, filename, dirname) == 1)
{
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index d609a38bbe..1ae60226b1 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -936,6 +936,10 @@ initialize_SSL(PGconn *conn)
if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
{
+ char *filename = NULL;
+ char *dirname = NULL;
+ struct stat statbuf;
+
if (conn->sslcrl && strlen(conn->sslcrl) > 0)
strlcpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
else if (have_homedir)
@@ -943,9 +947,15 @@ initialize_SSL(PGconn *conn)
else
fnbuf[0] = '\0';
+ /* Identify whether it is a file or a directory */
+ if (stat(fnbuf, &statbuf) == 0 && S_ISDIR(statbuf.st_mode))
+ dirname = fnbuf;
+ else
+ filename = fnbuf;
+
/* Set the flags to check against the complete CRL chain */
if (fnbuf[0] != '\0' &&
- X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
+ X509_STORE_load_locations(cvstore, filename, dirname) == 1)
{
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 777ee39413..ccf2951770 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -30,12 +30,15 @@ SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
ssl/client+client_ca.crt ssl/client-der.key \
ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+SSLDIRS := ssl/client-crldir ssl/server-crldir \
+ ssl/root+client-crldir ssl/root+server-crldir
+
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
# This target will fail unless preceded by sslfiles-clean.
#
-sslfiles: $(SSLFILES)
+sslfiles: $(SSLFILES) $(SSLDIRS)
# OpenSSL requires a directory to put all generated certificates in. We don't
# use this for anything, but we need a location.
@@ -146,10 +149,25 @@ ssl/root+server.crl: ssl/root.crl ssl/server.crl
cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
cat $^ > $@
+ssl/root+server-crldir: ssl/server.crl
+ mkdir ssl/root+server-crldir
+ cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+ cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+ssl/root+client-crldir: ssl/client.crl
+ mkdir ssl/root+client-crldir
+ cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+ cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+ssl/server-crldir: ssl/server.crl
+ mkdir ssl/server-crldir
+ cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+ssl/client-crldir: ssl/client.crl
+ mkdir ssl/client-crldir
+ cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
.PHONY: sslfiles-clean
sslfiles-clean:
rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex*
ssl/root_ca-certindex*ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
+ rm -rf $(SSLDIRS)
clean distclean maintainer-clean:
rm -rf tmp_check
diff --git a/src/test/ssl/ssl/both-cas-1.crt b/src/test/ssl/ssl/both-cas-1.crt
index 37ffa10174..1ab329c8ab 100644
--- a/src/test/ssl/ssl/both-cas-1.crt
+++ b/src/test/ssl/ssl/both-cas-1.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUbDho+LuL8GrZ/iVFY16vdG6kNo0wDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIyWhcNNDgwMTE3MDYw
+NzIyWjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,17 +10,17 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAo5siIstgYy1MjyVaSHpxy6Cq7JT73RhYYudtAy8e
+XwVXqy3xuZtl+i2XaWnsojyHRZ83t+1rVCoesbZefyfz9d6qZJkCkWdKdjiVEu+s
+CJSo+tGyCZQ1ZTb+07WY01P97gfswP+VHN4EjxJmUnLdqJEJsdOckvL1mBfortt6
+CvL7adPwftppNivF64R0QZfOsLIaaOa0oi33DQDDNUdrx5f3xWwYmzw+f95lvbYR
+DXCytT647nc44Gu09erE4sWipIknFBvg3P1D0icFSIoEh44mU9o1lHUFsogXa09g
+8Vkho/rudYrHi/cwwzQlUjZyHPg6k1iU9oZGEaW5gVKxSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
@@ -29,17 +29,17 @@ B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+AKsQncM/5JZez/dECPg7xp8T5Sj++mJSiFsFr2Isk3HjJBI+skvZfpWkJnkEUl4a
++BspqoeAD5K+Fad0/Xg/AyZztONpLU+haA4eQCpwYHVY/DSjasjEI5BbCV8mrrYP
+SLcKGIJrPW+beO8pbjdkJNxBiDTeYzMBTbfHvarBYLYAvur8ZvUgKExDWP5kGUe8
+zA9F4FJ/Nig03QzQgxaNjxXoy892fAs6KyWFoGZDqAXlXAFNuz83joTiGNzNTiW4
+qRKpBa6aitnPVeIs8m3z/SUcm5PdMWvXVlsrlA0Gx2EM/B02EWnPk/U+CHtNey7r
+h4LJ4NA9GngE2gewd/gNItc=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
@@ -48,10 +48,10 @@ t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+AArYO305zkNZc+vdbeXNpgi1/FrOHl2b0DvG4i2gcUVDvvjIHUnVLf2cak+81vER
+CqlCkutXxB+/fyxVXYtLKXQh0D/68QikH+ImEavrUrANXvQRvoixIjrfub/nZB75
+EiOTIR2N0/m6ndjCHJU0W8N7Tt9qob31e3bVJBZOc+9e80y8GDQiMKYACmet9zUR
+hR/yvJhUsH/u5Y7OwrvcyCs+PJXzPnZTSsatSkHI4KY22+7K+ZhscLIaBKjqlIDj
++fHBrutW9jtog1E3JUO9ZHokB1qlRLs4YhpQ8YzHRabEBaX892ZPLNwtmFLOWK1p
+9klR7/RXnu13nStNIYAHk20=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/both-cas-2.crt b/src/test/ssl/ssl/both-cas-2.crt
index 2f2723f2b1..6669f42c92 100644
--- a/src/test/ssl/ssl/both-cas-2.crt
+++ b/src/test/ssl/ssl/both-cas-2.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUbDho+LuL8GrZ/iVFY16vdG6kNo0wDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIyWhcNNDgwMTE3MDYw
+NzIyWjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,17 +10,17 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAo5siIstgYy1MjyVaSHpxy6Cq7JT73RhYYudtAy8e
+XwVXqy3xuZtl+i2XaWnsojyHRZ83t+1rVCoesbZefyfz9d6qZJkCkWdKdjiVEu+s
+CJSo+tGyCZQ1ZTb+07WY01P97gfswP+VHN4EjxJmUnLdqJEJsdOckvL1mBfortt6
+CvL7adPwftppNivF64R0QZfOsLIaaOa0oi33DQDDNUdrx5f3xWwYmzw+f95lvbYR
+DXCytT647nc44Gu09erE4sWipIknFBvg3P1D0icFSIoEh44mU9o1lHUFsogXa09g
+8Vkho/rudYrHi/cwwzQlUjZyHPg6k1iU9oZGEaW5gVKxSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
@@ -29,17 +29,17 @@ t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+AArYO305zkNZc+vdbeXNpgi1/FrOHl2b0DvG4i2gcUVDvvjIHUnVLf2cak+81vER
+CqlCkutXxB+/fyxVXYtLKXQh0D/68QikH+ImEavrUrANXvQRvoixIjrfub/nZB75
+EiOTIR2N0/m6ndjCHJU0W8N7Tt9qob31e3bVJBZOc+9e80y8GDQiMKYACmet9zUR
+hR/yvJhUsH/u5Y7OwrvcyCs+PJXzPnZTSsatSkHI4KY22+7K+ZhscLIaBKjqlIDj
++fHBrutW9jtog1E3JUO9ZHokB1qlRLs4YhpQ8YzHRabEBaX892ZPLNwtmFLOWK1p
+9klR7/RXnu13nStNIYAHk20=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
@@ -48,10 +48,10 @@ B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+AKsQncM/5JZez/dECPg7xp8T5Sj++mJSiFsFr2Isk3HjJBI+skvZfpWkJnkEUl4a
++BspqoeAD5K+Fad0/Xg/AyZztONpLU+haA4eQCpwYHVY/DSjasjEI5BbCV8mrrYP
+SLcKGIJrPW+beO8pbjdkJNxBiDTeYzMBTbfHvarBYLYAvur8ZvUgKExDWP5kGUe8
+zA9F4FJ/Nig03QzQgxaNjxXoy892fAs6KyWFoGZDqAXlXAFNuz83joTiGNzNTiW4
+qRKpBa6aitnPVeIs8m3z/SUcm5PdMWvXVlsrlA0Gx2EM/B02EWnPk/U+CHtNey7r
+h4LJ4NA9GngE2gewd/gNItc=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client+client_ca.crt b/src/test/ssl/ssl/client+client_ca.crt
index 2804527f3e..154bcd58e7 100644
--- a/src/test/ssl/ssl/client+client_ca.crt
+++ b/src/test/ssl/ssl/client+client_ca.crt
@@ -1,24 +1,24 @@
-----BEGIN CERTIFICATE-----
MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBYxFDASBgNVBAMMC3NzbHRl
c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCQonvnvG8wlfoo+J476Kjr
+Jm4i9pPgUTYNyF4lzhXViw24bKZVsNBaeVbu6XXRamzkrLL/qYUrQAm2ZcDqnVxC
+GXLgOYwIvuN7hGyks3Jh+tWQQf5UuhbhyJrOju1Z8nTI2dDgiHjsEHVxbVM9vMYl
+IiwjoU68gR/Gc8tApiIJe/HDMmSbm2W58heXXKG7r5790u5MO0vdBiGTlj0WdktU
+dB/ltpt5sm17SoUvSDIKZkLjHv/cuetCh7tCVrs0Gi0mf2aWdlXhPDh+KnDzEhlf
+/vW2Btlq1LQtYfP0yzkrmGR2dt72pg6bN6e7qc5YDYMXQPXvEZBiQbsgBPMm75Mc
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
@@ -27,10 +27,10 @@ B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+AKsQncM/5JZez/dECPg7xp8T5Sj++mJSiFsFr2Isk3HjJBI+skvZfpWkJnkEUl4a
++BspqoeAD5K+Fad0/Xg/AyZztONpLU+haA4eQCpwYHVY/DSjasjEI5BbCV8mrrYP
+SLcKGIJrPW+beO8pbjdkJNxBiDTeYzMBTbfHvarBYLYAvur8ZvUgKExDWP5kGUe8
+zA9F4FJ/Nig03QzQgxaNjxXoy892fAs6KyWFoGZDqAXlXAFNuz83joTiGNzNTiW4
+qRKpBa6aitnPVeIs8m3z/SUcm5PdMWvXVlsrlA0Gx2EM/B02EWnPk/U+CHtNey7r
+h4LJ4NA9GngE2gewd/gNItc=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
new file mode 100644
index 0000000000..b5c689e537
--- /dev/null
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBAhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEAQ3ZK9Bx9i2JBSR2XgEFSvy8JrtRurpGpGcnh0ann
+G/vLY+Kp/UGiVnh8jwJ35Q7VUVGYNTKv2gc+WFFmscZaoP69RrgA9fbl9gZ4yUic
+H+XXiR4mQKk03EEKuPlZdWA1PMGAoAZxA8aCrrDZobrRgXEiSRdoQl8sHEJ3f1W1
+EoL+F3w77GzirYQukfNyIfzA6YpfphrNUkDN8jjrNB5/XzTT7fysutpflVKs/tLl
+TKHmwkrCC+TXJ8P2/KaIdQ0QgJSv5XIKS0vn4GC+zgjoUC3D1fprfRqmrBeQyLXV
+eUJda/H6uldOPpAJ2yLNR7S7COvFkGvIxunG7uPZiGq1eg==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client-revoked.crt b/src/test/ssl/ssl/client-revoked.crt
index 14857a33a2..1a9047dc63 100644
--- a/src/test/ssl/ssl/client-revoked.crt
+++ b/src/test/ssl/ssl/client-revoked.crt
@@ -1,17 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICzDCCAbQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBYxFDASBgNVBAMMC3NzbHRl
c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBcmY2Z+qa+l
UB5YSYnGLt96S7axkoDvIzLJkwJugGqw1U72A6lAUTyAPVntsmbhoMpDEHK6ylg8
U4HC3L1hbhSpFriTITJ3TzH4+wdDH1KZYlM2k0gfrKrksJyZ7ftAyuBvzBRlFbBe
xopR9VQjqgAuNKByJswldOe0KwP0nmb/TtT9lkAt7XjrSut5MUezFVnvTxabm7tQ
ciDG+8QqE0b8lH3N3VOXWZWCeXPRrwboO3baAmcue4V20N0ALARP+QZNElBa7Jq+
l77VNjneRk07jjaE7PCGVlWfPggppZos1Ay1sb2JhK0S9pZrynQT/ck3qhG4QuKp
-cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBySTwOO9zSFCtfRjbbblDx
-AK2ttILR0ZJXnvzjNjuErsT9qeXaq2t/iG/vmhH5XDjaefXFLCLqFunvcg6cIz1A
-HhAw+JInfyk3TUpDaX6M0X8qj184e4kXzVc83Afa3LiP5JkirzCSv6ErqAHw2VVd
-bZbZUwMfQLpWHVqXK89Pb7q791H4VeEx9CLxtZ2PSr2GCdpFbVMJvdBPChD2Re1A
-ELcbMZ9iOq2AUN/gxrt7HnE3dRoGQk6AJOfvhi2eZcVWiLtITScdPk1nYcNxGid3
-BWW+tdLbjmSe2FXNfDwBTvuHh5A9S399X5l/nLAng2iTGSvIm1OgUnC2oWsok3EI
+cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAQzzp5yTHFan/LkTXHkvuU
+XEqQbUzD7iUuEop7I6BY8vzLkijylCIXDOg7WmD2Sysb3+7nJ8JG8BZzXnXoS+hz
+sdEF/lFIZltx6S9wvC6QMK8vJat+XM0FBO7C27cswD929Loiqy0CxOdbrED8kwWf
+oN7Kv01wdtEmd+xK6zqtDB/vm8Dq89zlBDHnJeM5iJi+BIMt1HM+FAlxDwgm18Xa
+K9u7xrmvpycfXFZ+nLM0B8gxJAQ8djxgB/hOAM9CDSEhzN5BJIZ4slZRq9bGVLjy
+dvrW0LoNKhitgS/Pe400Ej9LGXSsBrVP6FXHcL4qvHqdwKl0R3QiodX6ro2H0vBY
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl
index a667680e04..b5c689e537 100644
--- a/src/test/ssl/ssl/client.crl
+++ b/src/test/ssl/ssl/client.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBAhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEAQ3ZK9Bx9i2JBSR2XgEFSvy8JrtRurpGpGcnh0ann
+G/vLY+Kp/UGiVnh8jwJ35Q7VUVGYNTKv2gc+WFFmscZaoP69RrgA9fbl9gZ4yUic
+H+XXiR4mQKk03EEKuPlZdWA1PMGAoAZxA8aCrrDZobrRgXEiSRdoQl8sHEJ3f1W1
+EoL+F3w77GzirYQukfNyIfzA6YpfphrNUkDN8jjrNB5/XzTT7fysutpflVKs/tLl
+TKHmwkrCC+TXJ8P2/KaIdQ0QgJSv5XIKS0vn4GC+zgjoUC3D1fprfRqmrBeQyLXV
+eUJda/H6uldOPpAJ2yLNR7S7COvFkGvIxunG7uPZiGq1eg==
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client.crt b/src/test/ssl/ssl/client.crt
index 4d0a6ef419..b46de4fa9b 100644
--- a/src/test/ssl/ssl/client.crt
+++ b/src/test/ssl/ssl/client.crt
@@ -1,17 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBYxFDASBgNVBAMMC3NzbHRl
c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCQonvnvG8wlfoo+J476Kjr
+Jm4i9pPgUTYNyF4lzhXViw24bKZVsNBaeVbu6XXRamzkrLL/qYUrQAm2ZcDqnVxC
+GXLgOYwIvuN7hGyks3Jh+tWQQf5UuhbhyJrOju1Z8nTI2dDgiHjsEHVxbVM9vMYl
+IiwjoU68gR/Gc8tApiIJe/HDMmSbm2W58heXXKG7r5790u5MO0vdBiGTlj0WdktU
+dB/ltpt5sm17SoUvSDIKZkLjHv/cuetCh7tCVrs0Gi0mf2aWdlXhPDh+KnDzEhlf
+/vW2Btlq1LQtYfP0yzkrmGR2dt72pg6bN6e7qc5YDYMXQPXvEZBiQbsgBPMm75Mc
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client_ca.crt b/src/test/ssl/ssl/client_ca.crt
index 1ef3771261..23bac28a0c 100644
--- a/src/test/ssl/ssl/client_ca.crt
+++ b/src/test/ssl/ssl/client_ca.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
@@ -10,10 +10,10 @@ B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+AKsQncM/5JZez/dECPg7xp8T5Sj++mJSiFsFr2Isk3HjJBI+skvZfpWkJnkEUl4a
++BspqoeAD5K+Fad0/Xg/AyZztONpLU+haA4eQCpwYHVY/DSjasjEI5BbCV8mrrYP
+SLcKGIJrPW+beO8pbjdkJNxBiDTeYzMBTbfHvarBYLYAvur8ZvUgKExDWP5kGUe8
+zA9F4FJ/Nig03QzQgxaNjxXoy892fAs6KyWFoGZDqAXlXAFNuz83joTiGNzNTiW4
+qRKpBa6aitnPVeIs8m3z/SUcm5PdMWvXVlsrlA0Gx2EM/B02EWnPk/U+CHtNey7r
+h4LJ4NA9GngE2gewd/gNItc=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
new file mode 100644
index 0000000000..b5c689e537
--- /dev/null
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBAhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEAQ3ZK9Bx9i2JBSR2XgEFSvy8JrtRurpGpGcnh0ann
+G/vLY+Kp/UGiVnh8jwJ35Q7VUVGYNTKv2gc+WFFmscZaoP69RrgA9fbl9gZ4yUic
+H+XXiR4mQKk03EEKuPlZdWA1PMGAoAZxA8aCrrDZobrRgXEiSRdoQl8sHEJ3f1W1
+EoL+F3w77GzirYQukfNyIfzA6YpfphrNUkDN8jjrNB5/XzTT7fysutpflVKs/tLl
+TKHmwkrCC+TXJ8P2/KaIdQ0QgJSv5XIKS0vn4GC+zgjoUC3D1fprfRqmrBeQyLXV
+eUJda/H6uldOPpAJ2yLNR7S7COvFkGvIxunG7uPZiGq1eg==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
new file mode 100644
index 0000000000..8cca69ba40
--- /dev/null
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMDA4MzEw
+NjA3MjNaFw00ODAxMTcwNjA3MjNaMA0GCSqGSIb3DQEBCwUAA4IBAQB/pWC8moSA
+DL36OWwOig7/yEmbVdpFk2mPmAullbH0A6I/lWkrSrKbb0wk8tE04N2Pw0WDvtqd
+aWq5bx1mL1ve0su2SUkuM5Tb26ZVakI3WDCdDmJIEXAE32g6gmdnAZqaaK2Sy58y
+fEvCTe8Zxe0+8eHNv0VYfhl1ALUwMoO/VrVd453O1FWfXBopm+kkHPB6BDyo9ZbN
+PzLHGnGAP2L+1Ps5TP1AMk2ZEZ87QysB4G2qm1x4A6R4Jf6XBOC5y4YI+vsncUZ2
+UCajgatsFN6LZVHO+q1h5LhsVpSCs9yX8gjaoenJtOrY6XFis1DNHrm0QFSN/yNu
+Muuf3P8i5zl0
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl
index 854d77b71e..fdc00efebb 100644
--- a/src/test/ssl/ssl/root+client.crl
+++ b/src/test/ssl/ssl/root+client.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMDA4MzEw
+NjA3MjNaFw00ODAxMTcwNjA3MjNaMA0GCSqGSIb3DQEBCwUAA4IBAQB/pWC8moSA
+DL36OWwOig7/yEmbVdpFk2mPmAullbH0A6I/lWkrSrKbb0wk8tE04N2Pw0WDvtqd
+aWq5bx1mL1ve0su2SUkuM5Tb26ZVakI3WDCdDmJIEXAE32g6gmdnAZqaaK2Sy58y
+fEvCTe8Zxe0+8eHNv0VYfhl1ALUwMoO/VrVd453O1FWfXBopm+kkHPB6BDyo9ZbN
+PzLHGnGAP2L+1Ps5TP1AMk2ZEZ87QysB4G2qm1x4A6R4Jf6XBOC5y4YI+vsncUZ2
+UCajgatsFN6LZVHO+q1h5LhsVpSCs9yX8gjaoenJtOrY6XFis1DNHrm0QFSN/yNu
+Muuf3P8i5zl0
-----END X509 CRL-----
-----BEGIN X509 CRL-----
MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBAhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEAQ3ZK9Bx9i2JBSR2XgEFSvy8JrtRurpGpGcnh0ann
+G/vLY+Kp/UGiVnh8jwJ35Q7VUVGYNTKv2gc+WFFmscZaoP69RrgA9fbl9gZ4yUic
+H+XXiR4mQKk03EEKuPlZdWA1PMGAoAZxA8aCrrDZobrRgXEiSRdoQl8sHEJ3f1W1
+EoL+F3w77GzirYQukfNyIfzA6YpfphrNUkDN8jjrNB5/XzTT7fysutpflVKs/tLl
+TKHmwkrCC+TXJ8P2/KaIdQ0QgJSv5XIKS0vn4GC+zgjoUC3D1fprfRqmrBeQyLXV
+eUJda/H6uldOPpAJ2yLNR7S7COvFkGvIxunG7uPZiGq1eg==
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client_ca.crt b/src/test/ssl/ssl/root+client_ca.crt
index 1867cd9c31..c7c024eeba 100644
--- a/src/test/ssl/ssl/root+client_ca.crt
+++ b/src/test/ssl/ssl/root+client_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUbDho+LuL8GrZ/iVFY16vdG6kNo0wDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIyWhcNNDgwMTE3MDYw
+NzIyWjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,17 +10,17 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAo5siIstgYy1MjyVaSHpxy6Cq7JT73RhYYudtAy8e
+XwVXqy3xuZtl+i2XaWnsojyHRZ83t+1rVCoesbZefyfz9d6qZJkCkWdKdjiVEu+s
+CJSo+tGyCZQ1ZTb+07WY01P97gfswP+VHN4EjxJmUnLdqJEJsdOckvL1mBfortt6
+CvL7adPwftppNivF64R0QZfOsLIaaOa0oi33DQDDNUdrx5f3xWwYmzw+f95lvbYR
+DXCytT647nc44Gu09erE4sWipIknFBvg3P1D0icFSIoEh44mU9o1lHUFsogXa09g
+8Vkho/rudYrHi/cwwzQlUjZyHPg6k1iU9oZGEaW5gVKxSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
@@ -29,10 +29,10 @@ B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+AKsQncM/5JZez/dECPg7xp8T5Sj++mJSiFsFr2Isk3HjJBI+skvZfpWkJnkEUl4a
++BspqoeAD5K+Fad0/Xg/AyZztONpLU+haA4eQCpwYHVY/DSjasjEI5BbCV8mrrYP
+SLcKGIJrPW+beO8pbjdkJNxBiDTeYzMBTbfHvarBYLYAvur8ZvUgKExDWP5kGUe8
+zA9F4FJ/Nig03QzQgxaNjxXoy892fAs6KyWFoGZDqAXlXAFNuz83joTiGNzNTiW4
+qRKpBa6aitnPVeIs8m3z/SUcm5PdMWvXVlsrlA0Gx2EM/B02EWnPk/U+CHtNey7r
+h4LJ4NA9GngE2gewd/gNItc=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
new file mode 100644
index 0000000000..8cca69ba40
--- /dev/null
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMDA4MzEw
+NjA3MjNaFw00ODAxMTcwNjA3MjNaMA0GCSqGSIb3DQEBCwUAA4IBAQB/pWC8moSA
+DL36OWwOig7/yEmbVdpFk2mPmAullbH0A6I/lWkrSrKbb0wk8tE04N2Pw0WDvtqd
+aWq5bx1mL1ve0su2SUkuM5Tb26ZVakI3WDCdDmJIEXAE32g6gmdnAZqaaK2Sy58y
+fEvCTe8Zxe0+8eHNv0VYfhl1ALUwMoO/VrVd453O1FWfXBopm+kkHPB6BDyo9ZbN
+PzLHGnGAP2L+1Ps5TP1AMk2ZEZ87QysB4G2qm1x4A6R4Jf6XBOC5y4YI+vsncUZ2
+UCajgatsFN6LZVHO+q1h5LhsVpSCs9yX8gjaoenJtOrY6XFis1DNHrm0QFSN/yNu
+Muuf3P8i5zl0
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
new file mode 100644
index 0000000000..9588d1e524
--- /dev/null
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBBhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEA2CBoLuLCpXcVSHqQtKnTcz25FyPsGkSO3luiUiG5
+jnI9HvZ9OzeQGGho6XBhVHAmEtwKOo6pcxqDe8Qkf6X7v0AUc19BWkxOXT+sCCdM
+yOvRhNPAhxJToGgKqp41noTSMhZPLsvFEfbbFTZEABScfX2K+XdvQlAYXa3U375E
+71jFenrNh8fNTKfcikmio1rsybQ4PG/ASsrUflQ5LAz3Nm3awdw01auGzRFezq3z
+Ivnq3z5b2q+m653PUsygNRMFVxCAgrvqAadKci7MK/QthCbocrLIhuc9Mmx1Nbkm
+Wnv+La3b5HeH8Zi9Q89IBr12rH70Y6K3hggCUAo9CoK3zw==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server.crl b/src/test/ssl/ssl/root+server.crl
index 9720b3023c..ba7994d1fa 100644
--- a/src/test/ssl/ssl/root+server.crl
+++ b/src/test/ssl/ssl/root+server.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMDA4MzEw
+NjA3MjNaFw00ODAxMTcwNjA3MjNaMA0GCSqGSIb3DQEBCwUAA4IBAQB/pWC8moSA
+DL36OWwOig7/yEmbVdpFk2mPmAullbH0A6I/lWkrSrKbb0wk8tE04N2Pw0WDvtqd
+aWq5bx1mL1ve0su2SUkuM5Tb26ZVakI3WDCdDmJIEXAE32g6gmdnAZqaaK2Sy58y
+fEvCTe8Zxe0+8eHNv0VYfhl1ALUwMoO/VrVd453O1FWfXBopm+kkHPB6BDyo9ZbN
+PzLHGnGAP2L+1Ps5TP1AMk2ZEZ87QysB4G2qm1x4A6R4Jf6XBOC5y4YI+vsncUZ2
+UCajgatsFN6LZVHO+q1h5LhsVpSCs9yX8gjaoenJtOrY6XFis1DNHrm0QFSN/yNu
+Muuf3P8i5zl0
-----END X509 CRL-----
-----BEGIN X509 CRL-----
MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBBhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEA2CBoLuLCpXcVSHqQtKnTcz25FyPsGkSO3luiUiG5
+jnI9HvZ9OzeQGGho6XBhVHAmEtwKOo6pcxqDe8Qkf6X7v0AUc19BWkxOXT+sCCdM
+yOvRhNPAhxJToGgKqp41noTSMhZPLsvFEfbbFTZEABScfX2K+XdvQlAYXa3U375E
+71jFenrNh8fNTKfcikmio1rsybQ4PG/ASsrUflQ5LAz3Nm3awdw01auGzRFezq3z
+Ivnq3z5b2q+m653PUsygNRMFVxCAgrvqAadKci7MK/QthCbocrLIhuc9Mmx1Nbkm
+Wnv+La3b5HeH8Zi9Q89IBr12rH70Y6K3hggCUAo9CoK3zw==
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server_ca.crt b/src/test/ssl/ssl/root+server_ca.crt
index 861eba80d0..2c5c2d9a76 100644
--- a/src/test/ssl/ssl/root+server_ca.crt
+++ b/src/test/ssl/ssl/root+server_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUbDho+LuL8GrZ/iVFY16vdG6kNo0wDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIyWhcNNDgwMTE3MDYw
+NzIyWjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,17 +10,17 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAo5siIstgYy1MjyVaSHpxy6Cq7JT73RhYYudtAy8e
+XwVXqy3xuZtl+i2XaWnsojyHRZ83t+1rVCoesbZefyfz9d6qZJkCkWdKdjiVEu+s
+CJSo+tGyCZQ1ZTb+07WY01P97gfswP+VHN4EjxJmUnLdqJEJsdOckvL1mBfortt6
+CvL7adPwftppNivF64R0QZfOsLIaaOa0oi33DQDDNUdrx5f3xWwYmzw+f95lvbYR
+DXCytT647nc44Gu09erE4sWipIknFBvg3P1D0icFSIoEh44mU9o1lHUFsogXa09g
+8Vkho/rudYrHi/cwwzQlUjZyHPg6k1iU9oZGEaW5gVKxSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
@@ -29,10 +29,10 @@ t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+AArYO305zkNZc+vdbeXNpgi1/FrOHl2b0DvG4i2gcUVDvvjIHUnVLf2cak+81vER
+CqlCkutXxB+/fyxVXYtLKXQh0D/68QikH+ImEavrUrANXvQRvoixIjrfub/nZB75
+EiOTIR2N0/m6ndjCHJU0W8N7Tt9qob31e3bVJBZOc+9e80y8GDQiMKYACmet9zUR
+hR/yvJhUsH/u5Y7OwrvcyCs+PJXzPnZTSsatSkHI4KY22+7K+ZhscLIaBKjqlIDj
++fHBrutW9jtog1E3JUO9ZHokB1qlRLs4YhpQ8YzHRabEBaX892ZPLNwtmFLOWK1p
+9klR7/RXnu13nStNIYAHk20=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root.crl b/src/test/ssl/ssl/root.crl
index e879cf25a7..8cca69ba40 100644
--- a/src/test/ssl/ssl/root.crl
+++ b/src/test/ssl/ssl/root.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMDA4MzEw
+NjA3MjNaFw00ODAxMTcwNjA3MjNaMA0GCSqGSIb3DQEBCwUAA4IBAQB/pWC8moSA
+DL36OWwOig7/yEmbVdpFk2mPmAullbH0A6I/lWkrSrKbb0wk8tE04N2Pw0WDvtqd
+aWq5bx1mL1ve0su2SUkuM5Tb26ZVakI3WDCdDmJIEXAE32g6gmdnAZqaaK2Sy58y
+fEvCTe8Zxe0+8eHNv0VYfhl1ALUwMoO/VrVd453O1FWfXBopm+kkHPB6BDyo9ZbN
+PzLHGnGAP2L+1Ps5TP1AMk2ZEZ87QysB4G2qm1x4A6R4Jf6XBOC5y4YI+vsncUZ2
+UCajgatsFN6LZVHO+q1h5LhsVpSCs9yX8gjaoenJtOrY6XFis1DNHrm0QFSN/yNu
+Muuf3P8i5zl0
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root_ca.crt b/src/test/ssl/ssl/root_ca.crt
index 402d7dab89..92000763a9 100644
--- a/src/test/ssl/ssl/root_ca.crt
+++ b/src/test/ssl/ssl/root_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUbDho+LuL8GrZ/iVFY16vdG6kNo0wDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIyWhcNNDgwMTE3MDYw
+NzIyWjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,10 +10,10 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAo5siIstgYy1MjyVaSHpxy6Cq7JT73RhYYudtAy8e
+XwVXqy3xuZtl+i2XaWnsojyHRZ83t+1rVCoesbZefyfz9d6qZJkCkWdKdjiVEu+s
+CJSo+tGyCZQ1ZTb+07WY01P97gfswP+VHN4EjxJmUnLdqJEJsdOckvL1mBfortt6
+CvL7adPwftppNivF64R0QZfOsLIaaOa0oi33DQDDNUdrx5f3xWwYmzw+f95lvbYR
+DXCytT647nc44Gu09erE4sWipIknFBvg3P1D0icFSIoEh44mU9o1lHUFsogXa09g
+8Vkho/rudYrHi/cwwzQlUjZyHPg6k1iU9oZGEaW5gVKxSw==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-and-alt-names.crt b/src/test/ssl/ssl/server-cn-and-alt-names.crt
index 2bb206e413..406d50dbca 100644
--- a/src/test/ssl/ssl/server-cn-and-alt-names.crt
+++ b/src/test/ssl/ssl/server-cn-and-alt-names.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIDTjCCAjagAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowRjEeMBwGA1UECwwV
+cnRzMB4XDTIwMDgzMTA2MDcyM1oXDTQ4MDExNzA2MDcyM1owRjEeMBwGA1UECwwV
UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
c2x0ZXN0LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBURL6
YPWJjVQEZY0uy4HEaTI4ZMjVf+xdwJRntos4aRcdhq2JRNwitI00BLnIK9ur8D8L
@@ -11,10 +11,10 @@ YsWwHgcuEIZk3z287hxuyU3j5isYoRwd5cZZFrG/qBJdukSBRil5/PP5AHsB6lTl
pae2bdf4TXB7kActIpyTBR0G5Pm5iCZlxgD+QILj/1FLTaNOW7hV+t1J6YfC6jZR
Dk4MnHMCFasSXcXhAgMBAAGjSzBJMEcGA1UdEQRAMD6CHWRuczEuYWx0LW5hbWUu
cGctc3NsdGVzdC50ZXN0gh1kbnMyLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDAN
-BgkqhkiG9w0BAQsFAAOCAQEAQeKHXoyipubldf4HUDCXrcIk6KiEs9DMH1DXRk7L
-z2Hr0TljmKoGG5P6OrF4eP82bhXZlQmwHVclB7Pfo5DvoMYmYjSHxcEAeyJ7etxb
-pV11yEkMkCbQpBVtdMqyTpckXM49GTwqD9US5p1E350snq4Duj3O7fSpE4HMfSd8
-dCkYdaCHq2NWH4/MfEBRy096oOIFxqgm6tRCU95ZI8KeeK4WwPXiGV2mb2rHj1kv
-uBRC+sJGSnsLdbZzkpdAN1qnWrJoLezAMdhTmNRUJ7Cq8hAkroFIp+LE+JyxR9Nw
-m6jD3eEwCAQi0pPGLEn4Rq4B8kxzL5F/jTq7PONRvOAdIg==
+BgkqhkiG9w0BAQsFAAOCAQEAdXbTpv6xPsy7YMB5AWwmV50aWJ1J7cNSF2mEhQxK
+LNYQi5Z1Ov/MuWxCYbW5EeMQlSS/XJbBnFJR8dFgUXd36uQoe8jHDjf5ceG/CeVb
+AFCvMu2dgbA/PisONnlJJ5jL3eEHA0hIg7EvBzPA0Y2GseeZfTECPrXYOF8kJHyN
+cQjsLsOJuhkeKXsvpASlAuRx+e/7FebXw2Ak/9tMo2TekiFokuVymhcZbH4YrcGO
+dT60+cMm8+Cd9to/uatbF/f0LOKFgQ8LNDb+ZAytJ4NxXw7DB6LwAXyXQlPS6iMg
+q7A/owJO3mtuHgy5XGhtKnP/0l9pKlGASykYJNIMmSCNgQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-only.crt b/src/test/ssl/ssl/server-cn-only.crt
index 67bf0b1645..a185b50b0a 100644
--- a/src/test/ssl/ssl/server-cn-only.crt
+++ b/src/test/ssl/ssl/server-cn-only.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIC/DCCAeQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEYxHjAcBgNVBAsMFVBvc3Rn
cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bNU8yTuLl/5
bR4Rp1ET5NMC2wgrTwKQsxSeOzvMmTGeebpEYFc/Hq8rcCQAiL7AbhiZeNg/ca4y
@@ -9,10 +9,10 @@ JdouOdaHaTMFJ8hFDI1tNOGeFK7ecOMBWQ97GxKs/KIqKYW42AN+QZ7l1Apr0CDZ
K5VTi931JjE4wCIgUgLi2zgwtZYl/kP896F1K5zR7kx773U2dvP3SeV2ziUe+4NH
5oqdmVMeZyHfB+Fe/uU1AiYgHN/CXfop39tYHR8ARUWx7eJlaaKBoj/0UqH/9Yir
jdM0vGfrw4JCjIx78caNkNH9fCjesTqODr+IDBJaJv3Jpt9g8puqrYagXLppiaYS
-q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCTxkqpNNuO15osb+Lyw2aQ
-RikYZiSJ4uJcOIya6DqSYSNf8wrgGMJAKz9TkCGEG7SszLCASaSIS/s+sR1+bE19
-f6BxoBnppPW8uIkTtQvmGhhcWHO13zMUs8bmg9OY7MvFYJdQAmSqfYebUCYR73So
-OthALxV8h+boW5/xc2XM1NObpcuShQ9/uynm2dL3EbrNjvcoXOwu865FmVMffEn9
-+zhE8xl4kMKObQvB3r2utCmlAmJLaU2ejADncS9Y4ZwRMa7x+vfvekF/FvLEXUal
-QcDlfrZ0xsw/HK7n0/UFXf5fUXq3hgUGcXEdWW7/yTA43qNxednfa+fMqlFztupt
+q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB8TNuHgAscHJWExsswCCFX
+qfKjpnF/SKD5DGSj+NKfI2CGxWg4X9D67V470OkgHtQqujKb0sIOrbXz2tCg0Z6u
+rbeNctGXKATCawae1nmlz81xBV5cIjlB2mNMQLY0c0zjWozyEq8kEk6bDZ7Nj3bZ
+bf7QK9xdBfWXRhXWSfk45KasxZU/MN+sdIu/xFyBwSEtqVQsfbBK7kOOmDG2SU48
+MA4km6tPVf86BHQshu8vDkB2zWAdECkMVKudkdPT9sT3u26FSGmboXnWNOlfR7TP
+G9BRh+r0zOntkGhJsqUZcEdoOIShKy+69ly2QP7K78EaWvw5Q2ZUqekAvaA7McPb
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
new file mode 100644
index 0000000000..9588d1e524
--- /dev/null
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBBhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEA2CBoLuLCpXcVSHqQtKnTcz25FyPsGkSO3luiUiG5
+jnI9HvZ9OzeQGGho6XBhVHAmEtwKOo6pcxqDe8Qkf6X7v0AUc19BWkxOXT+sCCdM
+yOvRhNPAhxJToGgKqp41noTSMhZPLsvFEfbbFTZEABScfX2K+XdvQlAYXa3U375E
+71jFenrNh8fNTKfcikmio1rsybQ4PG/ASsrUflQ5LAz3Nm3awdw01auGzRFezq3z
+Ivnq3z5b2q+m653PUsygNRMFVxCAgrvqAadKci7MK/QthCbocrLIhuc9Mmx1Nbkm
+Wnv+La3b5HeH8Zi9Q89IBr12rH70Y6K3hggCUAo9CoK3zw==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-multiple-alt-names.crt b/src/test/ssl/ssl/server-multiple-alt-names.crt
index 158153d10c..3a392bc7bc 100644
--- a/src/test/ssl/ssl/server-multiple-alt-names.crt
+++ b/src/test/ssl/ssl/server-multiple-alt-names.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIDRDCCAiygAwIBAgIBBDANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
+cnRzMB4XDTIwMDgzMTA2MDcyM1oXDTQ4MDExNzA2MDcyM1owIDEeMBwGA1UECwwV
UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA10iQpfVf4nCqjkRcLXP9ONQqdhMPMdjHasKqmsFTx83SZLKUzKMOb56j
3bg83stqGoId4MIxtqnDKaSg1+kseQ1HCi0cu/E3lHLEkPibl9dyVGhXVnPDBdOp
@@ -11,10 +11,10 @@ YXOKjP4+fWr18HdZLrzsa4xPRa9XcsDNyffjWvQTfptR/2vFKN8Ffv3XUqxUx6av
VCyRKa8xAUS/pHVGnzFQY+oqWREn2wIDAQABo2cwZTBjBgNVHREEXDBagh1kbnMx
LmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0
ZXN0LnRlc3SCGioud2lsZGNhcmQucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEB
-CwUAA4IBAQAuV+4TNADB/AinkjQVyzPtmeWDWZJDByRSGIzGlrYtzzrJzdRkohlL
-svZi0QQWbYq3pkRoUncYXXp/JvS48Ft1jRi87RpLRiPRxJC9Eq77kMS5UKCIs86W
-0nuYQ2tNmgHb7gnLHEr2t9gFEXcLwUAnRfNJK56KVmCl/v3/4kcVDLlL6L+pL80r
-WGKGvixNy3bDCJ/YGJu6NH+H7NMlqFcg07nEWUHgMzETGGycTcPy3S6mY5P/1Ep1
-MCSTucUKoBIte2t5p9vM6bsFIioQDAYABhacmC62Z5xNW8evmNVtBDPLR1THsWhq
-UjzdIzjpDgv1KUCVEPc1uVrZ5eju+aoU
+CwUAA4IBAQBORmS+8OIlqJVyquIl4El7OHuC4f2e4s0/uLnEMgIzuXFyi1E7XgXr
+vqHFNIux6/jFnkgT1kvR6I2yZc2UTmU88cjGp2nLb4qglWN0TQonBpm3Ibd3q6Zk
+h2/Z3z2d0CVZKVeKwmX6sWDx3QBmalLTI9UfmnF+3PM7NXWAEyh+HAUAsQFnq7g0
+hAGZnAcGTpVMPDgw6RPwS0LyRW7+pGUWqunoz5ORgC4kPlS/xDlmtCXJNp1Elar9
+Pt/ovjkHyNMMIQV2HgWqnTtfqUoFQsAejFvVmNHVRBrJwi5+tG10f1UI4ST+Ky+I
+4ECOGan/YOKxWzXMy6B2QInFAcaTflQQ
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-no-names.crt b/src/test/ssl/ssl/server-no-names.crt
index 97e11176f6..6682d9f25e 100644
--- a/src/test/ssl/ssl/server-no-names.crt
+++ b/src/test/ssl/ssl/server-no-names.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC1jCCAb4CAQUwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMCAxHjAcBgNVBAsMFVBvc3Rn
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMCAxHjAcBgNVBAsMFVBvc3Rn
cmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJ85/vh52iDZAeQmWt47o0kR7VVlRLGf4sF4cfxPl+eIWIzhib1fajdcqFiy81LC
+t9bAyRqMyR3dve9RGK6IDFjMH/0DBf3tFSRnxN+5TdSAhKIJslmtUdOl8kS/smF
4+BikCg509aq0U+ac79e/q42OyvH9X/cI6i9SPd4hzJDMCX54LZT1Of/90nSQX6E
Oc5Hcj/d7psBugmMBW8uXYAGvJpq14e5RoK78F/mYbUNqtc1c8pi4/4quSMeEfQp
Dgmzee7ts8SIbQT8mYJHjnaPvZYpv4+Ikc7F0wzLO1neTpsYaVvDrSMLBCdQkCU8
-vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh+erODlf
-+mEK2toZhaAmikNJ3Toj9P7I0C0Mo/tl2aVz8jQc/ft5t3blwZHfRzC9WmgnZLdY
-yiCVgUlf9Kwhi836Btbczj3cK6MrngQneFBzSnCzsj40CuQAw5TOI8XRFFGL+fpl
-o7ZnbmMZRhkPqDmNWXfpu7CYOFQyExkDoo0lTfqM+tF8zuKVTmsuWWvZpjuvqWFQ
-/L+XRXi0cvhh+DY9vJiKNRg4exF7/tSedTJmLA8skuaXgAVez4rqzX4k1XnQo6Vi
-YpAIQ4dGiijY24fDq2I/6pO3xlWtN+Lwu44Mnn2vWRtXijT69P5R12W8XS7+ciTU
-NXu/iOo8f7mNDA==
+vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAvRq8eCJl
+gAu2LT21OKmuhiMLPWyNVbyHo+A8UOKBXo1WwRbU4W0u2Ki5LenriekpW2A4qiZ1
+HDxpLaSquSIzPwtDvnMqtQ4BDEaikwmGxEl5EIR2+75riV9BNFgA0g+zVTPN+I33
+/OdNbI9XvIVkyOfxgaoE9kcWF6wRLB70oOYtuInUajEuG8GEKR5vrWXPa6sZoUxh
+ziGM/FHSNs3XqLDJxcUx7FMJH7iz9IlhJVN4aEEYX/L3cVnIWCnlNYp1UMHBTBqD
+aaGVTS7I8cIqOT1I0MxRqKBnTDXgfKb6yHYCgdQUzuFH3BcM08D7G6iuH6DCL3ib
+w5kP06Ufd7oOlA==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-revoked.crt b/src/test/ssl/ssl/server-revoked.crt
index 1ca5e6d3ef..2fa1a6ea71 100644
--- a/src/test/ssl/ssl/server-revoked.crt
+++ b/src/test/ssl/ssl/server-revoked.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIC/DCCAeQCAQYwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEYxHjAcBgNVBAsMFVBvc3Rn
cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAooPO8lSz434p
4PBYBbTN8jkLW3cHEpTCH4yvC0V40hzGEl30HPLp82e+kxr+Q0+gd82fvc4Yth5I
@@ -9,10 +9,10 @@ PKINznp28GMs5/E9cUU3hMK4jFhKLMiOeIve3M/9ryHK874qpNjJoSxxPz7+s2eq
WoFc2px0KFIamTTLfi7Ju9aPb/AMlZNsUnbRsj7fQc7EJ8rwOnezw2Wy5VK4soX+
qpuJ0Nm44ApzT8YmjYX/kAX0yQxgQuYbpcBWr9cOQjegu3FAqHqRh9ye7d8jQzCv
34Wg/ar4rkqyQDcokuWAE7KQbnk51t7omzhM8eswFOAL1pas/8jWBvy0VjYVU34P
-9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAS9abT/PhJgwAnm46Rzu16
-lL7tDb3SeR1RL25xZLzCexHcYJFi7aDZix3QlLRvf6HPqqUPuPYRICTBF4+fieEh
-r5LotdAnadfYONwoB5GiYy2d93VGqlLosI27R6/tVvImXupviPpIYMDgBBRr1pZc
-ykQOjog6T+xk9TqsfFQDe2/VKF7a5RxOA/V77GZ5qge5Nlx9jSXQ/WUG9vDQj9BA
-d4nOwvjauKlcSqUU/3uVKntXQTNjmyq7S75eBitS920LLfjTL9LInLugDikFa/J/
-yPBkJLa/+rNMPikcnF3ci4Oi/XwLA8kGdGZAADuiIOeyORMuLFoTk7KpOYGKS5/U
+9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQANC+ABgpTg8mHipdTBhhUH
+klkvnmPwzUyfTMfjAMpM/aMXY12R2pcKbDm7uSFZQPyL4w2W6sa56rbFzXLER9U1
+woOdlUfpREtISaC+wI+plhPLvERW9Id57IWNuOpPaAP2KWOVa9gtRVIBj/Z09+3w
+nB3aqHxCl7GKI78ruqR8VGAhSl58KAVzG7TS25848nYIijZ4Aeoqr99x6EuHAVhf
+47xShRQTQZTzANaXqMaqeR4UoPxb5GUt1I2+4Q9Q0FC3M4CVgCbxgaKqmNms88k9
+yrXx+BA5fDXMhcyX/R09t+aPBnKhC+dmLohmB9cV0jgQLAGaN81+ZXyyghXk3iCV
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-single-alt-name.crt b/src/test/ssl/ssl/server-single-alt-name.crt
index e7403f3a6b..6637fa467b 100644
--- a/src/test/ssl/ssl/server-single-alt-name.crt
+++ b/src/test/ssl/ssl/server-single-alt-name.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIDCzCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
+cnRzMB4XDTIwMDgzMTA2MDcyM1oXDTQ4MDExNzA2MDcyM1owIDEeMBwGA1UECwwV
UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAxYocLWWuiDsDzJ7wLc0zfwkGJAEy4hlHjTA5GXSEnGPlOnx1fxejZOGL
1HLff5h8zB+SQXrplHCcwwRrxVgGY7P59kXMXX1akTwXUJHc/EoTtqLO+6fHLygz
@@ -9,11 +9,11 @@ F1d0i5NPO3xrk1wMt7bYLhiPbWpplWiHXzbJy8wf3dXgzCwtxXf8Z1UqjtCnA/Zk
J/kPWuHJxzH5OvDJvZsq+Fbkl3catFpwUlAV9TKsC78W/K5I+afzppsmSvsIKAWW
Dp7g71IVjvJeI6Aui2yhDn9iuJMuKe9RMYIwJLFqiX3urHcjaBSkJm6Lsf7gO30v
kVwIyyGXRNTfZ2yPDoSXVZvOnq+gKwIDAQABoy4wLDAqBgNVHREEIzAhgh9zaW5n
-bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBU
-8wp8KZfS8vClx2gYSRlbXu3J1oAu4EBh45OuuRuLOJUhQZYcjFB3d/s0R1kcCQkB
-EekV9X1iQSzk/HQq4uWi6ViUzxTR67Q6TXEFo8iuqJ6Rag7R7G6fhRD1upf1lev+
-rz7F9GsoWLyLAg8//DUfq1kfQUyy6TxamoRs0vipZ4s0p4G8rbRCxKT1WTRLJFdd
-fSDVuMNuQQKTQXNdp6cYn+ikEhbUv/gG2S7Xiy2UM8oR7DR54nZBAKxgujWJZPfX
-/ieSwLxnLFyePwtwgk9xMmywFBjHWTxSdyI1UnJwWC917BSw4M00djsRv5COsBX7
-v/Co7oiMyTrCqyCsWOBu
+bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBP
+tJo8pTdcrsvooz15feSdJpxxmUut7/ub4ddRZQj08jL7SrUtAfmiUFBqaR618lr7
++7L30XkVv4j0p6U5jaE6V0L/r/GH6XyFLoH7ygTa4mmSrK8BWU1h2PvcqswxbxBY
+5Bu7pTajip2JuQ+6+rKfEvchGsELtWc1526QIa3LFsHTL8eWCFny16K7zlMkfFB1
+w58suL8ucTWfEcRByKkLD7wcZpAFvQD80BU7TvErr4ydEiNfH5NwrrUzycracPnc
+WKTjbAkRO615ht1z5E/TTLXENPlmibu08/g+Y8wu61S2Bjhn5LM33zKb/OrpVraY
+vVEKKU2NkD8bb+ztzu/H
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-ss.crt b/src/test/ssl/ssl/server-ss.crt
index d775e6029a..6662afe3af 100644
--- a/src/test/ssl/ssl/server-ss.crt
+++ b/src/test/ssl/ssl/server-ss.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDGDCCAgCgAwIBAgIUVR71MjsbvBO6T1gJQaL/6hMwhqQwDQYJKoZIhvcNAQEL
+MIIDGDCCAgCgAwIBAgIUby7HZZ6t7KHCu15JC/MVcj8VEYcwDQYJKoZIhvcNAQEL
BQAwRjEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVzdC50ZXN0MR4wHAYD
-VQQLDBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYw
-NDE0MTM0MDU0WjBGMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1zc2x0ZXN0LnRl
+VQQLDBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIzWhcNNDgw
+MTE3MDYwNzIzWjBGMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1zc2x0ZXN0LnRl
c3QxHjAcBgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANWzVPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7
zJkxnnm6RGBXPx6vK3AkAIi+wG4YmXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu
@@ -10,10 +10,10 @@ zJkxnnm6RGBXPx6vK3AkAIi+wG4YmXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu
Jf5D/PehdSuc0e5Me+91Nnbz90nlds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzf
wl36Kd/bWB0fAEVFse3iZWmigaI/9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo
3rE6jg6/iAwSWib9yabfYPKbqq2GoFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG
-9w0BAQsFAAOCAQEAtHR6o4UIO/aWEAzcmnJKsQDC999jbQGiqs9+v62mz5TvCk/1
-gL9/s/yfGY+pnDGW1ijI2xiL9KCJzjd8YB+F8iUViVQ6uHBxghxC1H2qOIr2UPFQ
-gQRu7d0DByQBsiXMOdw10luGo1oHhqMe5J7VyMVG/7aRpr6zYKrH7PzsB8ucvxzv
-Lm8ez0WBPebV69sim431iJcVcxxBbFd4qUJ9cHIc7VO2mSaazsIOzbd400POF/vk
-gfpDs48GfnZ+X3hgoQA4u7eudLqttI+j1xV+IHlCtaa1nDHymUrN/FhI1x+6c1SU
-V12eHqVatPMe0d+OCJPqIL9lbe+sGXlxDkMqAQ==
+9w0BAQsFAAOCAQEAO68c0amf+x5U7o6nZfNcwwMEY3wPt/NYWnfwp0+/5R50KY2L
+ZKqKxN26BQPFID2j/H84ve5idcJoilzy3W4/P5hs7R53sTyID/fFz6xB7p3eQnJO
+I6YT8D+dcNnipjK3O0O4Htqq7L25idkmYM8HxeSVWC65MzbUI9nLzqg4FRv3pM+m
+AM9Cpq41j8mhN3NS2vhpgy9T6qrM8v0usJuoAMMnwp0yXo3/ZfpoT80BaGhlWR5g
+Wm36rA50Z0Vz1zgRJb/xXl9SEnySWAM/WIuRiAHRw9J5K3ye8U8aW+xV3/uQEtG2
+s7h6mW3YqdIh2o5Gc83rLEvPOHLFohKMvFmJTA==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server.crl b/src/test/ssl/ssl/server.crl
index 717951c26a..9588d1e524 100644
--- a/src/test/ssl/ssl/server.crl
+++ b/src/test/ssl/ssl/server.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBBhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEA2CBoLuLCpXcVSHqQtKnTcz25FyPsGkSO3luiUiG5
+jnI9HvZ9OzeQGGho6XBhVHAmEtwKOo6pcxqDe8Qkf6X7v0AUc19BWkxOXT+sCCdM
+yOvRhNPAhxJToGgKqp41noTSMhZPLsvFEfbbFTZEABScfX2K+XdvQlAYXa3U375E
+71jFenrNh8fNTKfcikmio1rsybQ4PG/ASsrUflQ5LAz3Nm3awdw01auGzRFezq3z
+Ivnq3z5b2q+m653PUsygNRMFVxCAgrvqAadKci7MK/QthCbocrLIhuc9Mmx1Nbkm
+Wnv+La3b5HeH8Zi9Q89IBr12rH70Y6K3hggCUAo9CoK3zw==
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server_ca.crt b/src/test/ssl/ssl/server_ca.crt
index 9f727bf9e9..94da6cd092 100644
--- a/src/test/ssl/ssl/server_ca.crt
+++ b/src/test/ssl/ssl/server_ca.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
@@ -10,10 +10,10 @@ t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+AArYO305zkNZc+vdbeXNpgi1/FrOHl2b0DvG4i2gcUVDvvjIHUnVLf2cak+81vER
+CqlCkutXxB+/fyxVXYtLKXQh0D/68QikH+ImEavrUrANXvQRvoixIjrfub/nZB75
+EiOTIR2N0/m6ndjCHJU0W8N7Tt9qob31e3bVJBZOc+9e80y8GDQiMKYACmet9zUR
+hR/yvJhUsH/u5Y7OwrvcyCs+PJXzPnZTSsatSkHI4KY22+7K+ZhscLIaBKjqlIDj
++fHBrutW9jtog1E3JUO9ZHokB1qlRLs4YhpQ8YzHRabEBaX892ZPLNwtmFLOWK1p
+9klR7/RXnu13nStNIYAHk20=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index fd2727b568..dd8833ac48 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -13,7 +13,7 @@ use SSLServer;
if ($ENV{with_openssl} eq 'yes')
{
- plan tests => 93;
+ plan tests => 100;
}
else
{
@@ -214,6 +214,12 @@ test_connect_fails(
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
qr/SSL error/,
"CRL belonging to a different CA");
+# The same for CRL directory, fails
+test_connect_fails(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client-crldir",
+ qr/SSL error/,
+ "directory CRL belonging to a different CA");
# With the correct CRL, succeeds (this cert is not revoked)
test_connect_ok(
@@ -221,6 +227,12 @@ test_connect_ok(
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
"CRL with a non-revoked cert");
+# With the correct server CRL directory, succeeds (this cert is not revoked)
+test_connect_ok(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server-crldir",
+ "directory CRL with a non-revoked cert");
+
# Check that connecting with verify-full fails, when the hostname doesn't
# match the hostname in the server's certificate.
$common_connstr =
@@ -346,7 +358,12 @@ test_connect_fails(
$common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
qr/SSL error/,
- "does not connect with client-side CRL");
+ "does not connect with client-side CRL file");
+test_connect_fails(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server-crldir",
+ qr/SSL error/,
+ "does not connect with client-side CRL directory");
# pg_stat_ssl
command_like(
@@ -545,6 +562,16 @@ test_connect_ok(
test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt",
qr/SSL error/, "intermediate client certificate is missing");
+# test server-side CRL directory
+switch_server_cert($node, 'server-cn-only', undef, 'root+client-crldir');
+
+# revoked client cert
+test_connect_fails(
+ $common_connstr,
+ "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
+ qr/SSL error/,
+ "certificate authorization fails with revoked client cert with server-side CRL directory");
+
# clean up
foreach my $key (@keys)
{
diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm
index f5987a003e..381e8a95d6 100644
--- a/src/test/ssl/t/SSLServer.pm
+++ b/src/test/ssl/t/SSLServer.pm
@@ -150,6 +150,8 @@ sub configure_test_server_for_ssl
copy_files("ssl/root+client_ca.crt", $pgdata);
copy_files("ssl/root_ca.crt", $pgdata);
copy_files("ssl/root+client.crl", $pgdata);
+ mkdir("$pgdata/root+client-crldir");
+ copy_files("ssl/root+client-crldir/*", "$pgdata/root+client-crldir/");
# Stop and restart server to load new listen_addresses.
$node->restart;
@@ -167,6 +169,7 @@ sub switch_server_cert
my $node = $_[0];
my $certfile = $_[1];
my $cafile = $_[2] || "root+client_ca";
+ my $crlfile = $_[3] || "root+client.crl";
my $pgdata = $node->data_dir;
open my $sslconf, '>', "$pgdata/sslconfig.conf";
@@ -174,7 +177,7 @@ sub switch_server_cert
print $sslconf "ssl_ca_file='$cafile.crt'\n";
print $sslconf "ssl_cert_file='$certfile.crt'\n";
print $sslconf "ssl_key_file='$certfile.key'\n";
- print $sslconf "ssl_crl_file='root+client.crl'\n";
+ print $sslconf "ssl_crl_file='$crlfile'\n";
close $sslconf;
$node->restart;
--
2.18.4
On Mon, Aug 31, 2020 at 06:03:02PM +0900, Kyotaro Horiguchi wrote: > Rebased. Fixed bogus tests and strange tentative API change of > SSLServer.pm. Corrected a (maybe) spelling mistake. I'm going to > register this to the coming CF. Stephen, are you planning to look at that? I know that you are not registered as a reviewer, but you mentioned upthread that you may be able to look at it. The changes in libpq's backend/frontend are rather simple, but the docs and the changes in the TAP tests require a careful lookup. -- Michael
Attachment
On 2020-08-31 11:03, Kyotaro Horiguchi wrote: > At Tue, 18 Aug 2020 16:43:47 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in >> Thank you very much. I'll do that after some polishing. >> >> A near-by discussion about OpenSSL3.0 conflicts with this but it's >> easy to follow. > > Rebased. Fixed bogus tests and strange tentative API change of > SSLServer.pm. Corrected a (maybe) spelling mistake. I'm going to > register this to the coming CF. Other systems that offer both a CRL file and a CRL directory usually specify those using two separate configuration settings. Examples: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_ssl_crlpath https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationpath These are then presumably both passed to X509_STORE_load_locations(), which supports specifying a file and directory concurrently. I think that would be a preferable approach. In practical terms, it would allow a user to introduce the directory method gradually without having to convert the existing CRL file at the same time.
At Fri, 15 Jan 2021 08:56:27 +0100, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote in > On 2020-08-31 11:03, Kyotaro Horiguchi wrote: > > At Tue, 18 Aug 2020 16:43:47 +0900 (JST), Kyotaro Horiguchi > > <horikyota.ntt@gmail.com> wrote in > >> Thank you very much. I'll do that after some polishing. > >> > >> A near-by discussion about OpenSSL3.0 conflicts with this but it's > >> easy to follow. > > Rebased. Fixed bogus tests and strange tentative API change of > > SSLServer.pm. Corrected a (maybe) spelling mistake. I'm going to > > register this to the coming CF. > > Other systems that offer both a CRL file and a CRL directory usually > specify those using two separate configuration settings. Examples: > > https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_ssl_crlpath > https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationpath > > These are then presumably both passed to X509_STORE_load_locations(), > which supports specifying a file and directory concurrently. > > I think that would be a preferable approach. In practical terms, it > would allow a user to introduce the directory method gradually without > having to convert the existing CRL file at the same time. Thank you for the information. The only reason for sharing the same variable for both file and directory is to avoid additional variable only for this reason. I'll post a new version where new GUC ssl_crl_path is added. By the way we can do the same thing on CA file/dir, but I personally think that the benefit from the specify-by-directory for CA files is far less than CRL files. So I'm not going to do this for CA files for now. regards. -- Kyotaro Horiguchi NTT Open Source Software Center
On 2021-01-19 01:17, Kyotaro Horiguchi wrote: > Thank you for the information. The only reason for sharing the same > variable for both file and directory is to avoid additional variable > only for this reason. I'll post a new version where new GUC > ssl_crl_path is added. Okay, I look forward to that patch. > By the way we can do the same thing on CA file/dir, but I personally > think that the benefit from the specify-by-directory for CA files is > far less than CRL files. So I'm not going to do this for CA files for > now. Yeah, that seems not so commonly used.
At Tue, 19 Jan 2021 09:17:34 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
> By the way we can do the same thing on CA file/dir, but I personally
> think that the benefit from the specify-by-directory for CA files is
> far less than CRL files. So I'm not going to do this for CA files for
> now.
This is it. A new guc ssl_crl_dir and connection option crldir are
added.
One problem raised upthread is the footprint for test is quite large
because all certificate and key files are replaced by this patch. I
think we can shrink the footprint by generating that files on-demand
but that needs openssl frontend to be installed on the development
environment.
If we agree that requirement, I'm going to go that direction.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
From 898ab229a54373dc4794af8fa7eebffbf2849c13 Mon Sep 17 00:00:00 2001
From: Kyotaro Horiguchi <horikyoga.ntt@gmail.com>
Date: Tue, 21 Jul 2020 23:01:27 +0900
Subject: [PATCH v3] Allow to specify CRL directory
We have the ssl_crl_file GUC variable and the sslcrl connection option
to specify a CRL file. X509_STORE_load_locations accepts a directory,
which leads to on-demand loading method with which method only
relevant CRLs are loaded. Allow server and client to use the hashed
directory method. We could use the existing variable and option to
specify the direcotry name but allowing to use both methods at the
same time gives operation flexibility to users.
---
doc/src/sgml/config.sgml | 21 ++++++++-
doc/src/sgml/libpq.sgml | 20 +++++++-
doc/src/sgml/runtime.sgml | 33 +++++++++++++
src/backend/libpq/be-secure-openssl.c | 27 +++++++++--
src/backend/libpq/be-secure.c | 1 +
src/backend/utils/misc/guc.c | 10 ++++
src/include/libpq/libpq.h | 1 +
src/interfaces/libpq/fe-connect.c | 6 +++
src/interfaces/libpq/fe-secure-openssl.c | 24 +++++++---
src/interfaces/libpq/libpq-int.h | 1 +
src/test/ssl/Makefile | 20 +++++++-
src/test/ssl/ssl/both-cas-1.crt | 46 +++++++++----------
src/test/ssl/ssl/both-cas-2.crt | 46 +++++++++----------
src/test/ssl/ssl/client+client_ca.crt | 28 +++++------
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 11 +++++
src/test/ssl/ssl/client-revoked.crt | 14 +++---
src/test/ssl/ssl/client.crl | 16 +++----
src/test/ssl/ssl/client.crt | 14 +++---
src/test/ssl/ssl/client_ca.crt | 14 +++---
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 11 +++++
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 11 +++++
src/test/ssl/ssl/root+client.crl | 32 ++++++-------
src/test/ssl/ssl/root+client_ca.crt | 32 ++++++-------
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 11 +++++
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 11 +++++
src/test/ssl/ssl/root+server.crl | 32 ++++++-------
src/test/ssl/ssl/root+server_ca.crt | 32 ++++++-------
src/test/ssl/ssl/root.crl | 16 +++----
src/test/ssl/ssl/root_ca.crt | 18 ++++----
src/test/ssl/ssl/server-cn-and-alt-names.crt | 14 +++---
src/test/ssl/ssl/server-cn-only.crt | 14 +++---
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 11 +++++
.../ssl/ssl/server-multiple-alt-names.crt | 14 +++---
src/test/ssl/ssl/server-no-names.crt | 16 +++----
src/test/ssl/ssl/server-revoked.crt | 14 +++---
src/test/ssl/ssl/server-single-alt-name.crt | 16 +++----
src/test/ssl/ssl/server-ss.crt | 18 ++++----
src/test/ssl/ssl/server.crl | 16 +++----
src/test/ssl/ssl/server_ca.crt | 14 +++---
src/test/ssl/t/001_ssltests.pl | 31 ++++++++++++-
src/test/ssl/t/SSLServer.pm | 14 +++++-
41 files changed, 496 insertions(+), 255 deletions(-)
create mode 100644 src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
create mode 100644 src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
create mode 100644 src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
create mode 100644 src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
create mode 100644 src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
create mode 100644 src/test/ssl/ssl/server-crldir/a836cc2d.r0
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 82864bbb24..85d4402745 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1214,7 +1214,26 @@ include_dir 'conf.d'
Relative paths are relative to the data directory.
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
- The default is empty, meaning no CRL file is loaded.
+ The default is empty, meaning no CRL file is loaded unless
+ <xref linkend="guc-ssl-crl-dir"/> is set.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="guc-ssl-crl-dir" xreflabel="ssl_crl_dir">
+ <term><varname>ssl_crl_dir</varname> (<type>string</type>)
+ <indexterm>
+ <primary><varname>ssl_crl_dir</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Specifies the name of the directory containing the SSL server
+ certificate revocation list (CRL). Relative paths are relative to the
+ data directory. This parameter can only be set in
+ the <filename>postgresql.conf</filename> file or on the server command
+ line. The default is empty, meaning no CRL file is loaded unless
+ <xref linkend="guc-ssl-crl-file"/> is set.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 2bb3bf77e4..e9bc622fca 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1723,8 +1723,24 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
This parameter specifies the file name of the SSL certificate
revocation list (CRL). Certificates listed in this file, if it
exists, will be rejected while attempting to authenticate the
- server's certificate. The default is
- <filename>~/.postgresql/root.crl</filename>.
+ server's certificate. If both <xref linkend='libpq-connect-sslcrl'/>
+ and <xref linkend='libpq-connect-sslcrldir'/> are not set, this
+ setting is assumed to be
+ <filename>~/.postgresql/root.crl</filename>. See
+ <xref linkend="ssl-crl-files"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="libpq-connect-sslcrldir" xreflabel="sslcrldir">
+ <term><literal>sslcrldir</literal></term>
+ <listitem>
+ <para>
+ This parameter specifies the directory name of the SSL certificate
+ revocation list (CRL). Certificates listed in the files in this
+ directory, if it exists, will be rejected while attempting to
+ authenticate the server's certificate. See
+ <xref linkend="ssl-crl-files"/> for details.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 283352d3a4..45fc5d6678 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2550,6 +2550,39 @@ openssl x509 -req -in server.csr -text -days 365 \
</para>
</sect2>
+ <sect2 id="ssl-crl-files">
+ <title>Certification Revocation List files</title>
+
+ <para> The server setting <xref linkend="guc-ssl-crl-file"/> and
+ <xref linkend="guc-ssl-crl-dir"/>, and the connection option
+ <xref linkend="libpq-connect-sslcrl"/> and
+ <xref linkend="libpq-connect-sslcrldir"/> specify a file containing one or
+ more CRL, or a directory containing a separate file for every CRL
+ respectively. Settings for CRL file and CRL directory can be specified
+ together. In the first method, file method, the all CRLs in the file is
+ loaded at server start time or by reloading config file (<command>pg_ctl
+ reload</command>). In the second method, hashed directory method, CRL
+ files are loaded on-demand, that is, only the relevant CRL files are
+ loaded at connection time.
+ </para>
+ <para>
+ The CRL file used for the file method can contain multiple CRLs, like
+ certificates, by just concatenated if it is in PEM format. In the hashed
+ directory method, every file in the directory has the name
+ with <parameter>hash</parameter>.r<parameter>N</parameter> format,
+ where <parameter>hash</parameter> is the hash value of the issuer of the
+ CRL and <parameter>N</parameter> is a sequence number that starts at
+ zero. The hash value is calculated using openssl command. In both cases
+ the CRLs from all CAs involved in a certificate chain are needed to verify
+ a certificate, even if some or all of them are empty.
+<programlisting>
+$ openssl crl -hash -noout -in foo.crl
+98668507
+$ cp foo.crl $PGDATA/crldir/98668507.r0
+</programlisting>
+ </para>
+ </sect2>
+
</sect1>
<sect1 id="gssapi-enc">
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 0494ad7ded..90436bd847 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -285,26 +285,47 @@ be_tls_init(bool isServerStart)
* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
*----------
*/
- if (ssl_crl_file[0])
+ if (ssl_crl_file[0] || ssl_crl_dir[0])
{
X509_STORE *cvstore = SSL_CTX_get_cert_store(context);
if (cvstore)
{
/* Set the flags to check against the complete CRL chain */
- if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1)
+ if (X509_STORE_load_locations(cvstore,
+ ssl_crl_file[0] ? ssl_crl_file : NULL,
+ ssl_crl_dir[0] ? ssl_crl_dir : NULL)
+ == 1)
{
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
- else
+ else if (ssl_crl_dir[0] == 0)
{
+
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not load SSL certificate revocation list file \"%s\": %s",
ssl_crl_file, SSLerrmessage(ERR_get_error()))));
goto error;
}
+ else if (ssl_crl_file[0] == 0)
+ {
+ ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("could not load SSL certificate revocation list directory \"%s\": %s",
+ ssl_crl_dir, SSLerrmessage(ERR_get_error()))));
+ goto error;
+ }
+ else
+ {
+ ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("could not load SSL certificate revocation list file \"%s\" and/or directory \"%s\":
%s",
+ ssl_crl_file, ssl_crl_dir,
+ SSLerrmessage(ERR_get_error()))));
+ goto error;
+ }
}
}
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 4cf139a223..3ad6890f70 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -42,6 +42,7 @@ char *ssl_cert_file;
char *ssl_key_file;
char *ssl_ca_file;
char *ssl_crl_file;
+char *ssl_crl_dir;
char *ssl_dh_params_file;
char *ssl_passphrase_command;
bool ssl_passphrase_command_supports_reload;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 17579eeaca..df19c5318f 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -4355,6 +4355,16 @@ static struct config_string ConfigureNamesString[] =
NULL, NULL, NULL
},
+ {
+ {"ssl_crl_dir", PGC_SIGHUP, CONN_AUTH_SSL,
+ gettext_noop("Location of the SSL certificate revocation list directory."),
+ NULL
+ },
+ &ssl_crl_dir,
+ "",
+ NULL, NULL, NULL
+ },
+
{
{"stats_temp_directory", PGC_SIGHUP, STATS_COLLECTOR,
gettext_noop("Writes temporary statistics files to the specified directory."),
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index a55898c85a..b41b10620a 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -82,6 +82,7 @@ extern char *ssl_cert_file;
extern char *ssl_key_file;
extern char *ssl_ca_file;
extern char *ssl_crl_file;
+extern char *ssl_crl_dir;
extern char *ssl_dh_params_file;
extern PGDLLIMPORT char *ssl_passphrase_command;
extern PGDLLIMPORT bool ssl_passphrase_command_supports_reload;
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 2b78ed8ec3..cc9d801818 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -317,6 +317,10 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"SSL-Revocation-List", "", 64,
offsetof(struct pg_conn, sslcrl)},
+ {"sslcrldir", "PGSSLCRLDIR", NULL, NULL,
+ "SSL-Revocation-List-Dir", "", 64,
+ offsetof(struct pg_conn, sslcrldir)},
+
{"requirepeer", "PGREQUIREPEER", NULL, NULL,
"Require-Peer", "", 10,
offsetof(struct pg_conn, requirepeer)},
@@ -3997,6 +4001,8 @@ freePGconn(PGconn *conn)
free(conn->sslrootcert);
if (conn->sslcrl)
free(conn->sslcrl);
+ if (conn->sslcrldir)
+ free(conn->sslcrldir);
if (conn->sslcompression)
free(conn->sslcompression);
if (conn->requirepeer)
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 075f754e1f..e2d047ad70 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -794,7 +794,8 @@ initialize_SSL(PGconn *conn)
if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
!(conn->sslkey && strlen(conn->sslkey) > 0) ||
!(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
- !(conn->sslcrl && strlen(conn->sslcrl) > 0))
+ !((conn->sslcrl && strlen(conn->sslcrl) > 0) ||
+ (conn->sslcrldir && strlen(conn->sslcrldir) > 0)))
have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
else /* won't need it */
have_homedir = false;
@@ -936,20 +937,29 @@ initialize_SSL(PGconn *conn)
if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
{
+ char *fname = NULL;
+ char *dname = NULL;
+
if (conn->sslcrl && strlen(conn->sslcrl) > 0)
- strlcpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
- else if (have_homedir)
+ fname = conn->sslcrl;
+ if (conn->sslcrldir && strlen(conn->sslcrldir) > 0)
+ dname = conn->sslcrldir;
+
+ /* defaults to use the default CRL file */
+ if (!fname && !dname && have_homedir)
+ {
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
- else
- fnbuf[0] = '\0';
+ fname = fnbuf;
+ }
/* Set the flags to check against the complete CRL chain */
- if (fnbuf[0] != '\0' &&
- X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
+ if ((fname || dname) &&
+ X509_STORE_load_locations(cvstore, fname, dname) == 1)
{
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
+
/* if not found, silently ignore; we do not require CRL */
ERR_clear_error();
}
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 4db498369c..ce36aabd25 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -362,6 +362,7 @@ struct pg_conn
char *sslpassword; /* client key file password */
char *sslrootcert; /* root certificate filename */
char *sslcrl; /* certificate revocation list filename */
+ char *sslcrldir; /* certificate revocation list directory name */
char *requirepeer; /* required peer credentials for local sockets */
char *gssencmode; /* GSS mode (require,prefer,disable) */
char *krbsrvname; /* Kerberos service name */
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 93335b1ea2..59ebe4c364 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -30,12 +30,15 @@ SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
ssl/client+client_ca.crt ssl/client-der.key \
ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+SSLDIRS := ssl/client-crldir ssl/server-crldir \
+ ssl/root+client-crldir ssl/root+server-crldir
+
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
# This target will fail unless preceded by sslfiles-clean.
#
-sslfiles: $(SSLFILES)
+sslfiles: $(SSLFILES) $(SSLDIRS)
# OpenSSL requires a directory to put all generated certificates in. We don't
# use this for anything, but we need a location.
@@ -146,10 +149,25 @@ ssl/root+server.crl: ssl/root.crl ssl/server.crl
cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
cat $^ > $@
+ssl/root+server-crldir: ssl/server.crl
+ mkdir ssl/root+server-crldir
+ cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+ cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+ssl/root+client-crldir: ssl/client.crl
+ mkdir ssl/root+client-crldir
+ cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+ cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+ssl/server-crldir: ssl/server.crl
+ mkdir ssl/server-crldir
+ cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+ssl/client-crldir: ssl/client.crl
+ mkdir ssl/client-crldir
+ cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
.PHONY: sslfiles-clean
sslfiles-clean:
rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex*
ssl/root_ca-certindex*ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
+ rm -rf $(SSLDIRS)
clean distclean maintainer-clean:
rm -rf tmp_check
diff --git a/src/test/ssl/ssl/both-cas-1.crt b/src/test/ssl/ssl/both-cas-1.crt
index 37ffa10174..1ab329c8ab 100644
--- a/src/test/ssl/ssl/both-cas-1.crt
+++ b/src/test/ssl/ssl/both-cas-1.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUbDho+LuL8GrZ/iVFY16vdG6kNo0wDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIyWhcNNDgwMTE3MDYw
+NzIyWjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,17 +10,17 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAo5siIstgYy1MjyVaSHpxy6Cq7JT73RhYYudtAy8e
+XwVXqy3xuZtl+i2XaWnsojyHRZ83t+1rVCoesbZefyfz9d6qZJkCkWdKdjiVEu+s
+CJSo+tGyCZQ1ZTb+07WY01P97gfswP+VHN4EjxJmUnLdqJEJsdOckvL1mBfortt6
+CvL7adPwftppNivF64R0QZfOsLIaaOa0oi33DQDDNUdrx5f3xWwYmzw+f95lvbYR
+DXCytT647nc44Gu09erE4sWipIknFBvg3P1D0icFSIoEh44mU9o1lHUFsogXa09g
+8Vkho/rudYrHi/cwwzQlUjZyHPg6k1iU9oZGEaW5gVKxSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
@@ -29,17 +29,17 @@ B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+AKsQncM/5JZez/dECPg7xp8T5Sj++mJSiFsFr2Isk3HjJBI+skvZfpWkJnkEUl4a
++BspqoeAD5K+Fad0/Xg/AyZztONpLU+haA4eQCpwYHVY/DSjasjEI5BbCV8mrrYP
+SLcKGIJrPW+beO8pbjdkJNxBiDTeYzMBTbfHvarBYLYAvur8ZvUgKExDWP5kGUe8
+zA9F4FJ/Nig03QzQgxaNjxXoy892fAs6KyWFoGZDqAXlXAFNuz83joTiGNzNTiW4
+qRKpBa6aitnPVeIs8m3z/SUcm5PdMWvXVlsrlA0Gx2EM/B02EWnPk/U+CHtNey7r
+h4LJ4NA9GngE2gewd/gNItc=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
@@ -48,10 +48,10 @@ t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+AArYO305zkNZc+vdbeXNpgi1/FrOHl2b0DvG4i2gcUVDvvjIHUnVLf2cak+81vER
+CqlCkutXxB+/fyxVXYtLKXQh0D/68QikH+ImEavrUrANXvQRvoixIjrfub/nZB75
+EiOTIR2N0/m6ndjCHJU0W8N7Tt9qob31e3bVJBZOc+9e80y8GDQiMKYACmet9zUR
+hR/yvJhUsH/u5Y7OwrvcyCs+PJXzPnZTSsatSkHI4KY22+7K+ZhscLIaBKjqlIDj
++fHBrutW9jtog1E3JUO9ZHokB1qlRLs4YhpQ8YzHRabEBaX892ZPLNwtmFLOWK1p
+9klR7/RXnu13nStNIYAHk20=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/both-cas-2.crt b/src/test/ssl/ssl/both-cas-2.crt
index 2f2723f2b1..6669f42c92 100644
--- a/src/test/ssl/ssl/both-cas-2.crt
+++ b/src/test/ssl/ssl/both-cas-2.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUbDho+LuL8GrZ/iVFY16vdG6kNo0wDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIyWhcNNDgwMTE3MDYw
+NzIyWjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,17 +10,17 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAo5siIstgYy1MjyVaSHpxy6Cq7JT73RhYYudtAy8e
+XwVXqy3xuZtl+i2XaWnsojyHRZ83t+1rVCoesbZefyfz9d6qZJkCkWdKdjiVEu+s
+CJSo+tGyCZQ1ZTb+07WY01P97gfswP+VHN4EjxJmUnLdqJEJsdOckvL1mBfortt6
+CvL7adPwftppNivF64R0QZfOsLIaaOa0oi33DQDDNUdrx5f3xWwYmzw+f95lvbYR
+DXCytT647nc44Gu09erE4sWipIknFBvg3P1D0icFSIoEh44mU9o1lHUFsogXa09g
+8Vkho/rudYrHi/cwwzQlUjZyHPg6k1iU9oZGEaW5gVKxSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
@@ -29,17 +29,17 @@ t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+AArYO305zkNZc+vdbeXNpgi1/FrOHl2b0DvG4i2gcUVDvvjIHUnVLf2cak+81vER
+CqlCkutXxB+/fyxVXYtLKXQh0D/68QikH+ImEavrUrANXvQRvoixIjrfub/nZB75
+EiOTIR2N0/m6ndjCHJU0W8N7Tt9qob31e3bVJBZOc+9e80y8GDQiMKYACmet9zUR
+hR/yvJhUsH/u5Y7OwrvcyCs+PJXzPnZTSsatSkHI4KY22+7K+ZhscLIaBKjqlIDj
++fHBrutW9jtog1E3JUO9ZHokB1qlRLs4YhpQ8YzHRabEBaX892ZPLNwtmFLOWK1p
+9klR7/RXnu13nStNIYAHk20=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
@@ -48,10 +48,10 @@ B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+AKsQncM/5JZez/dECPg7xp8T5Sj++mJSiFsFr2Isk3HjJBI+skvZfpWkJnkEUl4a
++BspqoeAD5K+Fad0/Xg/AyZztONpLU+haA4eQCpwYHVY/DSjasjEI5BbCV8mrrYP
+SLcKGIJrPW+beO8pbjdkJNxBiDTeYzMBTbfHvarBYLYAvur8ZvUgKExDWP5kGUe8
+zA9F4FJ/Nig03QzQgxaNjxXoy892fAs6KyWFoGZDqAXlXAFNuz83joTiGNzNTiW4
+qRKpBa6aitnPVeIs8m3z/SUcm5PdMWvXVlsrlA0Gx2EM/B02EWnPk/U+CHtNey7r
+h4LJ4NA9GngE2gewd/gNItc=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client+client_ca.crt b/src/test/ssl/ssl/client+client_ca.crt
index 2804527f3e..154bcd58e7 100644
--- a/src/test/ssl/ssl/client+client_ca.crt
+++ b/src/test/ssl/ssl/client+client_ca.crt
@@ -1,24 +1,24 @@
-----BEGIN CERTIFICATE-----
MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBYxFDASBgNVBAMMC3NzbHRl
c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCQonvnvG8wlfoo+J476Kjr
+Jm4i9pPgUTYNyF4lzhXViw24bKZVsNBaeVbu6XXRamzkrLL/qYUrQAm2ZcDqnVxC
+GXLgOYwIvuN7hGyks3Jh+tWQQf5UuhbhyJrOju1Z8nTI2dDgiHjsEHVxbVM9vMYl
+IiwjoU68gR/Gc8tApiIJe/HDMmSbm2W58heXXKG7r5790u5MO0vdBiGTlj0WdktU
+dB/ltpt5sm17SoUvSDIKZkLjHv/cuetCh7tCVrs0Gi0mf2aWdlXhPDh+KnDzEhlf
+/vW2Btlq1LQtYfP0yzkrmGR2dt72pg6bN6e7qc5YDYMXQPXvEZBiQbsgBPMm75Mc
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
@@ -27,10 +27,10 @@ B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+AKsQncM/5JZez/dECPg7xp8T5Sj++mJSiFsFr2Isk3HjJBI+skvZfpWkJnkEUl4a
++BspqoeAD5K+Fad0/Xg/AyZztONpLU+haA4eQCpwYHVY/DSjasjEI5BbCV8mrrYP
+SLcKGIJrPW+beO8pbjdkJNxBiDTeYzMBTbfHvarBYLYAvur8ZvUgKExDWP5kGUe8
+zA9F4FJ/Nig03QzQgxaNjxXoy892fAs6KyWFoGZDqAXlXAFNuz83joTiGNzNTiW4
+qRKpBa6aitnPVeIs8m3z/SUcm5PdMWvXVlsrlA0Gx2EM/B02EWnPk/U+CHtNey7r
+h4LJ4NA9GngE2gewd/gNItc=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
new file mode 100644
index 0000000000..b5c689e537
--- /dev/null
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBAhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEAQ3ZK9Bx9i2JBSR2XgEFSvy8JrtRurpGpGcnh0ann
+G/vLY+Kp/UGiVnh8jwJ35Q7VUVGYNTKv2gc+WFFmscZaoP69RrgA9fbl9gZ4yUic
+H+XXiR4mQKk03EEKuPlZdWA1PMGAoAZxA8aCrrDZobrRgXEiSRdoQl8sHEJ3f1W1
+EoL+F3w77GzirYQukfNyIfzA6YpfphrNUkDN8jjrNB5/XzTT7fysutpflVKs/tLl
+TKHmwkrCC+TXJ8P2/KaIdQ0QgJSv5XIKS0vn4GC+zgjoUC3D1fprfRqmrBeQyLXV
+eUJda/H6uldOPpAJ2yLNR7S7COvFkGvIxunG7uPZiGq1eg==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client-revoked.crt b/src/test/ssl/ssl/client-revoked.crt
index 14857a33a2..1a9047dc63 100644
--- a/src/test/ssl/ssl/client-revoked.crt
+++ b/src/test/ssl/ssl/client-revoked.crt
@@ -1,17 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICzDCCAbQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBYxFDASBgNVBAMMC3NzbHRl
c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBcmY2Z+qa+l
UB5YSYnGLt96S7axkoDvIzLJkwJugGqw1U72A6lAUTyAPVntsmbhoMpDEHK6ylg8
U4HC3L1hbhSpFriTITJ3TzH4+wdDH1KZYlM2k0gfrKrksJyZ7ftAyuBvzBRlFbBe
xopR9VQjqgAuNKByJswldOe0KwP0nmb/TtT9lkAt7XjrSut5MUezFVnvTxabm7tQ
ciDG+8QqE0b8lH3N3VOXWZWCeXPRrwboO3baAmcue4V20N0ALARP+QZNElBa7Jq+
l77VNjneRk07jjaE7PCGVlWfPggppZos1Ay1sb2JhK0S9pZrynQT/ck3qhG4QuKp
-cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBySTwOO9zSFCtfRjbbblDx
-AK2ttILR0ZJXnvzjNjuErsT9qeXaq2t/iG/vmhH5XDjaefXFLCLqFunvcg6cIz1A
-HhAw+JInfyk3TUpDaX6M0X8qj184e4kXzVc83Afa3LiP5JkirzCSv6ErqAHw2VVd
-bZbZUwMfQLpWHVqXK89Pb7q791H4VeEx9CLxtZ2PSr2GCdpFbVMJvdBPChD2Re1A
-ELcbMZ9iOq2AUN/gxrt7HnE3dRoGQk6AJOfvhi2eZcVWiLtITScdPk1nYcNxGid3
-BWW+tdLbjmSe2FXNfDwBTvuHh5A9S399X5l/nLAng2iTGSvIm1OgUnC2oWsok3EI
+cmn/Bbe/8wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAQzzp5yTHFan/LkTXHkvuU
+XEqQbUzD7iUuEop7I6BY8vzLkijylCIXDOg7WmD2Sysb3+7nJ8JG8BZzXnXoS+hz
+sdEF/lFIZltx6S9wvC6QMK8vJat+XM0FBO7C27cswD929Loiqy0CxOdbrED8kwWf
+oN7Kv01wdtEmd+xK6zqtDB/vm8Dq89zlBDHnJeM5iJi+BIMt1HM+FAlxDwgm18Xa
+K9u7xrmvpycfXFZ+nLM0B8gxJAQ8djxgB/hOAM9CDSEhzN5BJIZ4slZRq9bGVLjy
+dvrW0LoNKhitgS/Pe400Ej9LGXSsBrVP6FXHcL4qvHqdwKl0R3QiodX6ro2H0vBY
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl
index a667680e04..b5c689e537 100644
--- a/src/test/ssl/ssl/client.crl
+++ b/src/test/ssl/ssl/client.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBAhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEAQ3ZK9Bx9i2JBSR2XgEFSvy8JrtRurpGpGcnh0ann
+G/vLY+Kp/UGiVnh8jwJ35Q7VUVGYNTKv2gc+WFFmscZaoP69RrgA9fbl9gZ4yUic
+H+XXiR4mQKk03EEKuPlZdWA1PMGAoAZxA8aCrrDZobrRgXEiSRdoQl8sHEJ3f1W1
+EoL+F3w77GzirYQukfNyIfzA6YpfphrNUkDN8jjrNB5/XzTT7fysutpflVKs/tLl
+TKHmwkrCC+TXJ8P2/KaIdQ0QgJSv5XIKS0vn4GC+zgjoUC3D1fprfRqmrBeQyLXV
+eUJda/H6uldOPpAJ2yLNR7S7COvFkGvIxunG7uPZiGq1eg==
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/client.crt b/src/test/ssl/ssl/client.crt
index 4d0a6ef419..b46de4fa9b 100644
--- a/src/test/ssl/ssl/client.crt
+++ b/src/test/ssl/ssl/client.crt
@@ -1,17 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICzDCCAbQCAQEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNsaWVudCBjZXJ0czAe
-Fw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBYxFDASBgNVBAMMC3NzbHRl
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBYxFDASBgNVBAMMC3NzbHRl
c3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtIugLqHywEAE
vyRZGMVAkdk1zCa5FFaPOEFhHiAMpwFOEIEi4Svk9kSSRecmeJcody1sLNoFqtTA
b5tYaDoGIVZfc8/kxm8sbsTE/3JOsON3CMqjOQkI1ZKjDSF1gtrGSmatgjqsMnlP
UJkFEsPhFg6NTf1ZUjFiQeWEli0fQJ2/k+7MI4S0t0pDJJJWrqF4l6eSgu8rsBoX
XHy4OLAz6j23r2k5FZs6H/poII95ia+E8hG8SrJmMa88naRdq7hHW802Z6lEhnRW
ND+tDGjt0ZaTfxx+CxN4UjgbboOJifTykVHjuzBR1+IzLHcxoZCLP1cjadSqMz5b
-ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcIGps6BnsRxkN5sphg6GK
-tzDvp2IUyOu5oeAHdJLT5JFZhKKzhDD4KiOv+XWzdHcSAl3xMqAqnFdSTCt2vtc+
-rk04eyVWJALyf6oPT60Vn5sFaaxlTg1+tnZMCCycDxM6lc/6onzgp6DUWGozlgSh
-eNgCyaNU73VTuMgd+s/QrZ5HCr0OPAb3aWRQy7hVZeOniNBXWrO/CC2Swfwz7jU3
-dvLAWYENUvZlE2S7HnQGclGIJb38qFCnquuSgmO9yT30Lmmwp33k5/evN9cNQMxU
-c4ChYCaabOGXUaBJNzJAYMEUHh+o+LPgFF2iB0mL7FAUip9XsjOiOwcrbusM/g+2
+ziJTGtHzYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCQonvnvG8wlfoo+J476Kjr
+Jm4i9pPgUTYNyF4lzhXViw24bKZVsNBaeVbu6XXRamzkrLL/qYUrQAm2ZcDqnVxC
+GXLgOYwIvuN7hGyks3Jh+tWQQf5UuhbhyJrOju1Z8nTI2dDgiHjsEHVxbVM9vMYl
+IiwjoU68gR/Gc8tApiIJe/HDMmSbm2W58heXXKG7r5790u5MO0vdBiGTlj0WdktU
+dB/ltpt5sm17SoUvSDIKZkLjHv/cuetCh7tCVrs0Gi0mf2aWdlXhPDh+KnDzEhlf
+/vW2Btlq1LQtYfP0yzkrmGR2dt72pg6bN6e7qc5YDYMXQPXvEZBiQbsgBPMm75Mc
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/client_ca.crt b/src/test/ssl/ssl/client_ca.crt
index 1ef3771261..23bac28a0c 100644
--- a/src/test/ssl/ssl/client_ca.crt
+++ b/src/test/ssl/ssl/client_ca.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
@@ -10,10 +10,10 @@ B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+AKsQncM/5JZez/dECPg7xp8T5Sj++mJSiFsFr2Isk3HjJBI+skvZfpWkJnkEUl4a
++BspqoeAD5K+Fad0/Xg/AyZztONpLU+haA4eQCpwYHVY/DSjasjEI5BbCV8mrrYP
+SLcKGIJrPW+beO8pbjdkJNxBiDTeYzMBTbfHvarBYLYAvur8ZvUgKExDWP5kGUe8
+zA9F4FJ/Nig03QzQgxaNjxXoy892fAs6KyWFoGZDqAXlXAFNuz83joTiGNzNTiW4
+qRKpBa6aitnPVeIs8m3z/SUcm5PdMWvXVlsrlA0Gx2EM/B02EWnPk/U+CHtNey7r
+h4LJ4NA9GngE2gewd/gNItc=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
new file mode 100644
index 0000000000..b5c689e537
--- /dev/null
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBAhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEAQ3ZK9Bx9i2JBSR2XgEFSvy8JrtRurpGpGcnh0ann
+G/vLY+Kp/UGiVnh8jwJ35Q7VUVGYNTKv2gc+WFFmscZaoP69RrgA9fbl9gZ4yUic
+H+XXiR4mQKk03EEKuPlZdWA1PMGAoAZxA8aCrrDZobrRgXEiSRdoQl8sHEJ3f1W1
+EoL+F3w77GzirYQukfNyIfzA6YpfphrNUkDN8jjrNB5/XzTT7fysutpflVKs/tLl
+TKHmwkrCC+TXJ8P2/KaIdQ0QgJSv5XIKS0vn4GC+zgjoUC3D1fprfRqmrBeQyLXV
+eUJda/H6uldOPpAJ2yLNR7S7COvFkGvIxunG7uPZiGq1eg==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
new file mode 100644
index 0000000000..8cca69ba40
--- /dev/null
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMDA4MzEw
+NjA3MjNaFw00ODAxMTcwNjA3MjNaMA0GCSqGSIb3DQEBCwUAA4IBAQB/pWC8moSA
+DL36OWwOig7/yEmbVdpFk2mPmAullbH0A6I/lWkrSrKbb0wk8tE04N2Pw0WDvtqd
+aWq5bx1mL1ve0su2SUkuM5Tb26ZVakI3WDCdDmJIEXAE32g6gmdnAZqaaK2Sy58y
+fEvCTe8Zxe0+8eHNv0VYfhl1ALUwMoO/VrVd453O1FWfXBopm+kkHPB6BDyo9ZbN
+PzLHGnGAP2L+1Ps5TP1AMk2ZEZ87QysB4G2qm1x4A6R4Jf6XBOC5y4YI+vsncUZ2
+UCajgatsFN6LZVHO+q1h5LhsVpSCs9yX8gjaoenJtOrY6XFis1DNHrm0QFSN/yNu
+Muuf3P8i5zl0
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl
index 854d77b71e..fdc00efebb 100644
--- a/src/test/ssl/ssl/root+client.crl
+++ b/src/test/ssl/ssl/root+client.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMDA4MzEw
+NjA3MjNaFw00ODAxMTcwNjA3MjNaMA0GCSqGSIb3DQEBCwUAA4IBAQB/pWC8moSA
+DL36OWwOig7/yEmbVdpFk2mPmAullbH0A6I/lWkrSrKbb0wk8tE04N2Pw0WDvtqd
+aWq5bx1mL1ve0su2SUkuM5Tb26ZVakI3WDCdDmJIEXAE32g6gmdnAZqaaK2Sy58y
+fEvCTe8Zxe0+8eHNv0VYfhl1ALUwMoO/VrVd453O1FWfXBopm+kkHPB6BDyo9ZbN
+PzLHGnGAP2L+1Ps5TP1AMk2ZEZ87QysB4G2qm1x4A6R4Jf6XBOC5y4YI+vsncUZ2
+UCajgatsFN6LZVHO+q1h5LhsVpSCs9yX8gjaoenJtOrY6XFis1DNHrm0QFSN/yNu
+Muuf3P8i5zl0
-----END X509 CRL-----
-----BEGIN X509 CRL-----
MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
-8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
-xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
-pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
-nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
-2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBAhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEAQ3ZK9Bx9i2JBSR2XgEFSvy8JrtRurpGpGcnh0ann
+G/vLY+Kp/UGiVnh8jwJ35Q7VUVGYNTKv2gc+WFFmscZaoP69RrgA9fbl9gZ4yUic
+H+XXiR4mQKk03EEKuPlZdWA1PMGAoAZxA8aCrrDZobrRgXEiSRdoQl8sHEJ3f1W1
+EoL+F3w77GzirYQukfNyIfzA6YpfphrNUkDN8jjrNB5/XzTT7fysutpflVKs/tLl
+TKHmwkrCC+TXJ8P2/KaIdQ0QgJSv5XIKS0vn4GC+zgjoUC3D1fprfRqmrBeQyLXV
+eUJda/H6uldOPpAJ2yLNR7S7COvFkGvIxunG7uPZiGq1eg==
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client_ca.crt b/src/test/ssl/ssl/root+client_ca.crt
index 1867cd9c31..c7c024eeba 100644
--- a/src/test/ssl/ssl/root+client_ca.crt
+++ b/src/test/ssl/ssl/root+client_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUbDho+LuL8GrZ/iVFY16vdG6kNo0wDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIyWhcNNDgwMTE3MDYw
+NzIyWjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,17 +10,17 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAo5siIstgYy1MjyVaSHpxy6Cq7JT73RhYYudtAy8e
+XwVXqy3xuZtl+i2XaWnsojyHRZ83t+1rVCoesbZefyfz9d6qZJkCkWdKdjiVEu+s
+CJSo+tGyCZQ1ZTb+07WY01P97gfswP+VHN4EjxJmUnLdqJEJsdOckvL1mBfortt6
+CvL7adPwftppNivF64R0QZfOsLIaaOa0oi33DQDDNUdrx5f3xWwYmzw+f95lvbYR
+DXCytT647nc44Gu09erE4sWipIknFBvg3P1D0icFSIoEh44mU9o1lHUFsogXa09g
+8Vkho/rudYrHi/cwwzQlUjZyHPg6k1iU9oZGEaW5gVKxSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC75x7yuQ1+gK8j
1aO6D2nGym2x2OFniztlnx4PlWWWivIrYlxy6xAhfrVdjwjc5mMtOCrVKllsdC+S
@@ -29,10 +29,10 @@ B2yipfW1PUxM9a7/p19CRBcDQ+LNW+YFqwARByHGq1wfatJzpM8TXe+XEnRfW9KX
P3a5PqR6evFQOzjcAf+QBJ0hAEddUDhdYECbs1GrApfsEHBuwXabdCH41j0F/0yc
kctydWfBl2Vbmd3sfsFMHjde+SJhqxyq6xiSL59jnx4ZKmtn9VSOYbGmBCdBdYK7
RTcnJQv9AgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AB6zh/Jw+t232100Tztr7wJoKH8DL1hnSm3e7omdj0WlKfuZwTqDuMzB3H4LOSnS
-A00XpyMAGAJC6yRjS8pt+pjY5Jt6ouSqf6wNq0mF0jiIDeg1k/GNEjigx+0ITqbE
-lUJ56AcpoBNhOwBjOCRFh4JuspHZqHXgUNYTEicClbV+lZwoMIIK1e6FYRZDqMtL
-+34GtZACImqvRkP5alqQg7hJUM1zbDVf2qebY4cfSu4OfTu6Og6KrL8Cu6bqR2et
-0a/TbthHYz1QGDYRoVTSP4uWoG9M1ZbsA/bNE2eqcrQj+dJ4AmIIr8Yl8mrwo/FZ
-SvgeLMlQY7UNwLUDtwy9QkI=
+AKsQncM/5JZez/dECPg7xp8T5Sj++mJSiFsFr2Isk3HjJBI+skvZfpWkJnkEUl4a
++BspqoeAD5K+Fad0/Xg/AyZztONpLU+haA4eQCpwYHVY/DSjasjEI5BbCV8mrrYP
+SLcKGIJrPW+beO8pbjdkJNxBiDTeYzMBTbfHvarBYLYAvur8ZvUgKExDWP5kGUe8
+zA9F4FJ/Nig03QzQgxaNjxXoy892fAs6KyWFoGZDqAXlXAFNuz83joTiGNzNTiW4
+qRKpBa6aitnPVeIs8m3z/SUcm5PdMWvXVlsrlA0Gx2EM/B02EWnPk/U+CHtNey7r
+h4LJ4NA9GngE2gewd/gNItc=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
new file mode 100644
index 0000000000..8cca69ba40
--- /dev/null
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMDA4MzEw
+NjA3MjNaFw00ODAxMTcwNjA3MjNaMA0GCSqGSIb3DQEBCwUAA4IBAQB/pWC8moSA
+DL36OWwOig7/yEmbVdpFk2mPmAullbH0A6I/lWkrSrKbb0wk8tE04N2Pw0WDvtqd
+aWq5bx1mL1ve0su2SUkuM5Tb26ZVakI3WDCdDmJIEXAE32g6gmdnAZqaaK2Sy58y
+fEvCTe8Zxe0+8eHNv0VYfhl1ALUwMoO/VrVd453O1FWfXBopm+kkHPB6BDyo9ZbN
+PzLHGnGAP2L+1Ps5TP1AMk2ZEZ87QysB4G2qm1x4A6R4Jf6XBOC5y4YI+vsncUZ2
+UCajgatsFN6LZVHO+q1h5LhsVpSCs9yX8gjaoenJtOrY6XFis1DNHrm0QFSN/yNu
+Muuf3P8i5zl0
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
new file mode 100644
index 0000000000..9588d1e524
--- /dev/null
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBBhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEA2CBoLuLCpXcVSHqQtKnTcz25FyPsGkSO3luiUiG5
+jnI9HvZ9OzeQGGho6XBhVHAmEtwKOo6pcxqDe8Qkf6X7v0AUc19BWkxOXT+sCCdM
+yOvRhNPAhxJToGgKqp41noTSMhZPLsvFEfbbFTZEABScfX2K+XdvQlAYXa3U375E
+71jFenrNh8fNTKfcikmio1rsybQ4PG/ASsrUflQ5LAz3Nm3awdw01auGzRFezq3z
+Ivnq3z5b2q+m653PUsygNRMFVxCAgrvqAadKci7MK/QthCbocrLIhuc9Mmx1Nbkm
+Wnv+La3b5HeH8Zi9Q89IBr12rH70Y6K3hggCUAo9CoK3zw==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server.crl b/src/test/ssl/ssl/root+server.crl
index 9720b3023c..ba7994d1fa 100644
--- a/src/test/ssl/ssl/root+server.crl
+++ b/src/test/ssl/ssl/root+server.crl
@@ -1,22 +1,22 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMDA4MzEw
+NjA3MjNaFw00ODAxMTcwNjA3MjNaMA0GCSqGSIb3DQEBCwUAA4IBAQB/pWC8moSA
+DL36OWwOig7/yEmbVdpFk2mPmAullbH0A6I/lWkrSrKbb0wk8tE04N2Pw0WDvtqd
+aWq5bx1mL1ve0su2SUkuM5Tb26ZVakI3WDCdDmJIEXAE32g6gmdnAZqaaK2Sy58y
+fEvCTe8Zxe0+8eHNv0VYfhl1ALUwMoO/VrVd453O1FWfXBopm+kkHPB6BDyo9ZbN
+PzLHGnGAP2L+1Ps5TP1AMk2ZEZ87QysB4G2qm1x4A6R4Jf6XBOC5y4YI+vsncUZ2
+UCajgatsFN6LZVHO+q1h5LhsVpSCs9yX8gjaoenJtOrY6XFis1DNHrm0QFSN/yNu
+Muuf3P8i5zl0
-----END X509 CRL-----
-----BEGIN X509 CRL-----
MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBBhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEA2CBoLuLCpXcVSHqQtKnTcz25FyPsGkSO3luiUiG5
+jnI9HvZ9OzeQGGho6XBhVHAmEtwKOo6pcxqDe8Qkf6X7v0AUc19BWkxOXT+sCCdM
+yOvRhNPAhxJToGgKqp41noTSMhZPLsvFEfbbFTZEABScfX2K+XdvQlAYXa3U375E
+71jFenrNh8fNTKfcikmio1rsybQ4PG/ASsrUflQ5LAz3Nm3awdw01auGzRFezq3z
+Ivnq3z5b2q+m653PUsygNRMFVxCAgrvqAadKci7MK/QthCbocrLIhuc9Mmx1Nbkm
+Wnv+La3b5HeH8Zi9Q89IBr12rH70Y6K3hggCUAo9CoK3zw==
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server_ca.crt b/src/test/ssl/ssl/root+server_ca.crt
index 861eba80d0..2c5c2d9a76 100644
--- a/src/test/ssl/ssl/root+server_ca.crt
+++ b/src/test/ssl/ssl/root+server_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUbDho+LuL8GrZ/iVFY16vdG6kNo0wDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIyWhcNNDgwMTE3MDYw
+NzIyWjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,17 +10,17 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAo5siIstgYy1MjyVaSHpxy6Cq7JT73RhYYudtAy8e
+XwVXqy3xuZtl+i2XaWnsojyHRZ83t+1rVCoesbZefyfz9d6qZJkCkWdKdjiVEu+s
+CJSo+tGyCZQ1ZTb+07WY01P97gfswP+VHN4EjxJmUnLdqJEJsdOckvL1mBfortt6
+CvL7adPwftppNivF64R0QZfOsLIaaOa0oi33DQDDNUdrx5f3xWwYmzw+f95lvbYR
+DXCytT647nc44Gu09erE4sWipIknFBvg3P1D0icFSIoEh44mU9o1lHUFsogXa09g
+8Vkho/rudYrHi/cwwzQlUjZyHPg6k1iU9oZGEaW5gVKxSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
@@ -29,10 +29,10 @@ t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+AArYO305zkNZc+vdbeXNpgi1/FrOHl2b0DvG4i2gcUVDvvjIHUnVLf2cak+81vER
+CqlCkutXxB+/fyxVXYtLKXQh0D/68QikH+ImEavrUrANXvQRvoixIjrfub/nZB75
+EiOTIR2N0/m6ndjCHJU0W8N7Tt9qob31e3bVJBZOc+9e80y8GDQiMKYACmet9zUR
+hR/yvJhUsH/u5Y7OwrvcyCs+PJXzPnZTSsatSkHI4KY22+7K+ZhscLIaBKjqlIDj
++fHBrutW9jtog1E3JUO9ZHokB1qlRLs4YhpQ8YzHRabEBaX892ZPLNwtmFLOWK1p
+9klR7/RXnu13nStNIYAHk20=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/root.crl b/src/test/ssl/ssl/root.crl
index e879cf25a7..8cca69ba40 100644
--- a/src/test/ssl/ssl/root.crl
+++ b/src/test/ssl/ssl/root.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
-b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
-MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
-qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
-4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
-lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
-pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
-PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
-AlO+O0a4SpYS
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0yMDA4MzEw
+NjA3MjNaFw00ODAxMTcwNjA3MjNaMA0GCSqGSIb3DQEBCwUAA4IBAQB/pWC8moSA
+DL36OWwOig7/yEmbVdpFk2mPmAullbH0A6I/lWkrSrKbb0wk8tE04N2Pw0WDvtqd
+aWq5bx1mL1ve0su2SUkuM5Tb26ZVakI3WDCdDmJIEXAE32g6gmdnAZqaaK2Sy58y
+fEvCTe8Zxe0+8eHNv0VYfhl1ALUwMoO/VrVd453O1FWfXBopm+kkHPB6BDyo9ZbN
+PzLHGnGAP2L+1Ps5TP1AMk2ZEZ87QysB4G2qm1x4A6R4Jf6XBOC5y4YI+vsncUZ2
+UCajgatsFN6LZVHO+q1h5LhsVpSCs9yX8gjaoenJtOrY6XFis1DNHrm0QFSN/yNu
+Muuf3P8i5zl0
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root_ca.crt b/src/test/ssl/ssl/root_ca.crt
index 402d7dab89..92000763a9 100644
--- a/src/test/ssl/ssl/root_ca.crt
+++ b/src/test/ssl/ssl/root_ca.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDHjCCAgagAwIBAgIUEAgXJ/ibw6TVTUoomlBsPMfVTlMwDQYJKoZIhvcNAQEL
+MIIDHjCCAgagAwIBAgIUbDho+LuL8GrZ/iVFY16vdG6kNo0wDQYJKoZIhvcNAQEL
BQAwQDE+MDwGA1UEAww1VGVzdCByb290IENBIGZvciBQb3N0Z3JlU1FMIFNTTCBy
-ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYwNDE0MTM0
-MDU0WjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
+ZWdyZXNzaW9uIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIyWhcNNDgwMTE3MDYw
+NzIyWjBAMT4wPAYDVQQDDDVUZXN0IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NM
IHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALZ81vKKBJlxgjwuNoK67I4IE9zfSLb0eHbgZwZxDVzdmFejARrHlWk3
+MK7Nav7RLSJ990am33zb58CTHc7YYVlBp07+PwLXzypqWkhYfok1OYYjyjCrFDs
@@ -10,10 +10,10 @@ sjcJI3hRCZNEz+wYsG+tdYWJ+gRPQOWfh0YfO2rFgXAIMLiF6lyWzf1eOM+OjYrF
/eyzwbMaJkkGa/AyZKz3wZiPq0jTuYLVmH4MK7MBOsUfSmsBsn/ohyRCQzM+ol0v
Qlsrulj8usponRPDh9ng4PB5OSgR79YimQZnASQzJxiUvMADrKL5L6KwLxJlzbqY
R0b5mLh8KBzBQmSh3Aj2e2I7Z17hdaMCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
-BgkqhkiG9w0BAQsFAAOCAQEASzA7ApbuKn8lkC706gRL37a33yTZZ8rjZ4dnvCtq
-6OltlYDJ8IndotKbLH0SUEAxrvcaFnMt7AX9pRf2sGBKbY8zcxqPfsvzVehgx4Ea
-1RYksFW4h97jj1a1RKukTKuEOEEipbxwo0rLxfjvdaf2izqchJsLGtbocIZf0bD8
-djbE9jOLkx7saL08qC8ECrf9utsee+LJCsUYbNgYyIItEy6yVnmF/ICz93Utn1cI
-RfqZr1lM2Ia2LP9eDTmiuR9m+/MzkeRvvJHonNrRJHlcggtYHICvYioh9/jALBcm
-wZ+hTUePVqy4hOCBJ975CXjfKFN4MKQAdeB3EO5eBYAD3Q==
+BgkqhkiG9w0BAQsFAAOCAQEAo5siIstgYy1MjyVaSHpxy6Cq7JT73RhYYudtAy8e
+XwVXqy3xuZtl+i2XaWnsojyHRZ83t+1rVCoesbZefyfz9d6qZJkCkWdKdjiVEu+s
+CJSo+tGyCZQ1ZTb+07WY01P97gfswP+VHN4EjxJmUnLdqJEJsdOckvL1mBfortt6
+CvL7adPwftppNivF64R0QZfOsLIaaOa0oi33DQDDNUdrx5f3xWwYmzw+f95lvbYR
+DXCytT647nc44Gu09erE4sWipIknFBvg3P1D0icFSIoEh44mU9o1lHUFsogXa09g
+8Vkho/rudYrHi/cwwzQlUjZyHPg6k1iU9oZGEaW5gVKxSw==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-and-alt-names.crt b/src/test/ssl/ssl/server-cn-and-alt-names.crt
index 2bb206e413..406d50dbca 100644
--- a/src/test/ssl/ssl/server-cn-and-alt-names.crt
+++ b/src/test/ssl/ssl/server-cn-and-alt-names.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIDTjCCAjagAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowRjEeMBwGA1UECwwV
+cnRzMB4XDTIwMDgzMTA2MDcyM1oXDTQ4MDExNzA2MDcyM1owRjEeMBwGA1UECwwV
UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1z
c2x0ZXN0LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBURL6
YPWJjVQEZY0uy4HEaTI4ZMjVf+xdwJRntos4aRcdhq2JRNwitI00BLnIK9ur8D8L
@@ -11,10 +11,10 @@ YsWwHgcuEIZk3z287hxuyU3j5isYoRwd5cZZFrG/qBJdukSBRil5/PP5AHsB6lTl
pae2bdf4TXB7kActIpyTBR0G5Pm5iCZlxgD+QILj/1FLTaNOW7hV+t1J6YfC6jZR
Dk4MnHMCFasSXcXhAgMBAAGjSzBJMEcGA1UdEQRAMD6CHWRuczEuYWx0LW5hbWUu
cGctc3NsdGVzdC50ZXN0gh1kbnMyLmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdDAN
-BgkqhkiG9w0BAQsFAAOCAQEAQeKHXoyipubldf4HUDCXrcIk6KiEs9DMH1DXRk7L
-z2Hr0TljmKoGG5P6OrF4eP82bhXZlQmwHVclB7Pfo5DvoMYmYjSHxcEAeyJ7etxb
-pV11yEkMkCbQpBVtdMqyTpckXM49GTwqD9US5p1E350snq4Duj3O7fSpE4HMfSd8
-dCkYdaCHq2NWH4/MfEBRy096oOIFxqgm6tRCU95ZI8KeeK4WwPXiGV2mb2rHj1kv
-uBRC+sJGSnsLdbZzkpdAN1qnWrJoLezAMdhTmNRUJ7Cq8hAkroFIp+LE+JyxR9Nw
-m6jD3eEwCAQi0pPGLEn4Rq4B8kxzL5F/jTq7PONRvOAdIg==
+BgkqhkiG9w0BAQsFAAOCAQEAdXbTpv6xPsy7YMB5AWwmV50aWJ1J7cNSF2mEhQxK
+LNYQi5Z1Ov/MuWxCYbW5EeMQlSS/XJbBnFJR8dFgUXd36uQoe8jHDjf5ceG/CeVb
+AFCvMu2dgbA/PisONnlJJ5jL3eEHA0hIg7EvBzPA0Y2GseeZfTECPrXYOF8kJHyN
+cQjsLsOJuhkeKXsvpASlAuRx+e/7FebXw2Ak/9tMo2TekiFokuVymhcZbH4YrcGO
+dT60+cMm8+Cd9to/uatbF/f0LOKFgQ8LNDb+ZAytJ4NxXw7DB6LwAXyXQlPS6iMg
+q7A/owJO3mtuHgy5XGhtKnP/0l9pKlGASykYJNIMmSCNgQ==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-cn-only.crt b/src/test/ssl/ssl/server-cn-only.crt
index 67bf0b1645..a185b50b0a 100644
--- a/src/test/ssl/ssl/server-cn-only.crt
+++ b/src/test/ssl/ssl/server-cn-only.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIC/DCCAeQCAQIwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEYxHjAcBgNVBAsMFVBvc3Rn
cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bNU8yTuLl/5
bR4Rp1ET5NMC2wgrTwKQsxSeOzvMmTGeebpEYFc/Hq8rcCQAiL7AbhiZeNg/ca4y
@@ -9,10 +9,10 @@ JdouOdaHaTMFJ8hFDI1tNOGeFK7ecOMBWQ97GxKs/KIqKYW42AN+QZ7l1Apr0CDZ
K5VTi931JjE4wCIgUgLi2zgwtZYl/kP896F1K5zR7kx773U2dvP3SeV2ziUe+4NH
5oqdmVMeZyHfB+Fe/uU1AiYgHN/CXfop39tYHR8ARUWx7eJlaaKBoj/0UqH/9Yir
jdM0vGfrw4JCjIx78caNkNH9fCjesTqODr+IDBJaJv3Jpt9g8puqrYagXLppiaYS
-q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCTxkqpNNuO15osb+Lyw2aQ
-RikYZiSJ4uJcOIya6DqSYSNf8wrgGMJAKz9TkCGEG7SszLCASaSIS/s+sR1+bE19
-f6BxoBnppPW8uIkTtQvmGhhcWHO13zMUs8bmg9OY7MvFYJdQAmSqfYebUCYR73So
-OthALxV8h+boW5/xc2XM1NObpcuShQ9/uynm2dL3EbrNjvcoXOwu865FmVMffEn9
-+zhE8xl4kMKObQvB3r2utCmlAmJLaU2ejADncS9Y4ZwRMa7x+vfvekF/FvLEXUal
-QcDlfrZ0xsw/HK7n0/UFXf5fUXq3hgUGcXEdWW7/yTA43qNxednfa+fMqlFztupt
+q5oOAu5fuQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB8TNuHgAscHJWExsswCCFX
+qfKjpnF/SKD5DGSj+NKfI2CGxWg4X9D67V470OkgHtQqujKb0sIOrbXz2tCg0Z6u
+rbeNctGXKATCawae1nmlz81xBV5cIjlB2mNMQLY0c0zjWozyEq8kEk6bDZ7Nj3bZ
+bf7QK9xdBfWXRhXWSfk45KasxZU/MN+sdIu/xFyBwSEtqVQsfbBK7kOOmDG2SU48
+MA4km6tPVf86BHQshu8vDkB2zWAdECkMVKudkdPT9sT3u26FSGmboXnWNOlfR7TP
+G9BRh+r0zOntkGhJsqUZcEdoOIShKy+69ly2QP7K78EaWvw5Q2ZUqekAvaA7McPb
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
new file mode 100644
index 0000000000..9588d1e524
--- /dev/null
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBBhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEA2CBoLuLCpXcVSHqQtKnTcz25FyPsGkSO3luiUiG5
+jnI9HvZ9OzeQGGho6XBhVHAmEtwKOo6pcxqDe8Qkf6X7v0AUc19BWkxOXT+sCCdM
+yOvRhNPAhxJToGgKqp41noTSMhZPLsvFEfbbFTZEABScfX2K+XdvQlAYXa3U375E
+71jFenrNh8fNTKfcikmio1rsybQ4PG/ASsrUflQ5LAz3Nm3awdw01auGzRFezq3z
+Ivnq3z5b2q+m653PUsygNRMFVxCAgrvqAadKci7MK/QthCbocrLIhuc9Mmx1Nbkm
+Wnv+La3b5HeH8Zi9Q89IBr12rH70Y6K3hggCUAo9CoK3zw==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-multiple-alt-names.crt b/src/test/ssl/ssl/server-multiple-alt-names.crt
index 158153d10c..3a392bc7bc 100644
--- a/src/test/ssl/ssl/server-multiple-alt-names.crt
+++ b/src/test/ssl/ssl/server-multiple-alt-names.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIDRDCCAiygAwIBAgIBBDANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
+cnRzMB4XDTIwMDgzMTA2MDcyM1oXDTQ4MDExNzA2MDcyM1owIDEeMBwGA1UECwwV
UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA10iQpfVf4nCqjkRcLXP9ONQqdhMPMdjHasKqmsFTx83SZLKUzKMOb56j
3bg83stqGoId4MIxtqnDKaSg1+kseQ1HCi0cu/E3lHLEkPibl9dyVGhXVnPDBdOp
@@ -11,10 +11,10 @@ YXOKjP4+fWr18HdZLrzsa4xPRa9XcsDNyffjWvQTfptR/2vFKN8Ffv3XUqxUx6av
VCyRKa8xAUS/pHVGnzFQY+oqWREn2wIDAQABo2cwZTBjBgNVHREEXDBagh1kbnMx
LmFsdC1uYW1lLnBnLXNzbHRlc3QudGVzdIIdZG5zMi5hbHQtbmFtZS5wZy1zc2x0
ZXN0LnRlc3SCGioud2lsZGNhcmQucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEB
-CwUAA4IBAQAuV+4TNADB/AinkjQVyzPtmeWDWZJDByRSGIzGlrYtzzrJzdRkohlL
-svZi0QQWbYq3pkRoUncYXXp/JvS48Ft1jRi87RpLRiPRxJC9Eq77kMS5UKCIs86W
-0nuYQ2tNmgHb7gnLHEr2t9gFEXcLwUAnRfNJK56KVmCl/v3/4kcVDLlL6L+pL80r
-WGKGvixNy3bDCJ/YGJu6NH+H7NMlqFcg07nEWUHgMzETGGycTcPy3S6mY5P/1Ep1
-MCSTucUKoBIte2t5p9vM6bsFIioQDAYABhacmC62Z5xNW8evmNVtBDPLR1THsWhq
-UjzdIzjpDgv1KUCVEPc1uVrZ5eju+aoU
+CwUAA4IBAQBORmS+8OIlqJVyquIl4El7OHuC4f2e4s0/uLnEMgIzuXFyi1E7XgXr
+vqHFNIux6/jFnkgT1kvR6I2yZc2UTmU88cjGp2nLb4qglWN0TQonBpm3Ibd3q6Zk
+h2/Z3z2d0CVZKVeKwmX6sWDx3QBmalLTI9UfmnF+3PM7NXWAEyh+HAUAsQFnq7g0
+hAGZnAcGTpVMPDgw6RPwS0LyRW7+pGUWqunoz5ORgC4kPlS/xDlmtCXJNp1Elar9
+Pt/ovjkHyNMMIQV2HgWqnTtfqUoFQsAejFvVmNHVRBrJwi5+tG10f1UI4ST+Ky+I
+4ECOGan/YOKxWzXMy6B2QInFAcaTflQQ
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-no-names.crt b/src/test/ssl/ssl/server-no-names.crt
index 97e11176f6..6682d9f25e 100644
--- a/src/test/ssl/ssl/server-no-names.crt
+++ b/src/test/ssl/ssl/server-no-names.crt
@@ -1,18 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC1jCCAb4CAQUwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMCAxHjAcBgNVBAsMFVBvc3Rn
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMCAxHjAcBgNVBAsMFVBvc3Rn
cmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJ85/vh52iDZAeQmWt47o0kR7VVlRLGf4sF4cfxPl+eIWIzhib1fajdcqFiy81LC
+t9bAyRqMyR3dve9RGK6IDFjMH/0DBf3tFSRnxN+5TdSAhKIJslmtUdOl8kS/smF
4+BikCg509aq0U+ac79e/q42OyvH9X/cI6i9SPd4hzJDMCX54LZT1Of/90nSQX6E
Oc5Hcj/d7psBugmMBW8uXYAGvJpq14e5RoK78F/mYbUNqtc1c8pi4/4quSMeEfQp
Dgmzee7ts8SIbQT8mYJHjnaPvZYpv4+Ikc7F0wzLO1neTpsYaVvDrSMLBCdQkCU8
-vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh+erODlf
-+mEK2toZhaAmikNJ3Toj9P7I0C0Mo/tl2aVz8jQc/ft5t3blwZHfRzC9WmgnZLdY
-yiCVgUlf9Kwhi836Btbczj3cK6MrngQneFBzSnCzsj40CuQAw5TOI8XRFFGL+fpl
-o7ZnbmMZRhkPqDmNWXfpu7CYOFQyExkDoo0lTfqM+tF8zuKVTmsuWWvZpjuvqWFQ
-/L+XRXi0cvhh+DY9vJiKNRg4exF7/tSedTJmLA8skuaXgAVez4rqzX4k1XnQo6Vi
-YpAIQ4dGiijY24fDq2I/6pO3xlWtN+Lwu44Mnn2vWRtXijT69P5R12W8XS7+ciTU
-NXu/iOo8f7mNDA==
+vgb1T6WlVgbp/sfE5okSxx8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAvRq8eCJl
+gAu2LT21OKmuhiMLPWyNVbyHo+A8UOKBXo1WwRbU4W0u2Ki5LenriekpW2A4qiZ1
+HDxpLaSquSIzPwtDvnMqtQ4BDEaikwmGxEl5EIR2+75riV9BNFgA0g+zVTPN+I33
+/OdNbI9XvIVkyOfxgaoE9kcWF6wRLB70oOYtuInUajEuG8GEKR5vrWXPa6sZoUxh
+ziGM/FHSNs3XqLDJxcUx7FMJH7iz9IlhJVN4aEEYX/L3cVnIWCnlNYp1UMHBTBqD
+aaGVTS7I8cIqOT1I0MxRqKBnTDXgfKb6yHYCgdQUzuFH3BcM08D7G6iuH6DCL3ib
+w5kP06Ufd7oOlA==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-revoked.crt b/src/test/ssl/ssl/server-revoked.crt
index 1ca5e6d3ef..2fa1a6ea71 100644
--- a/src/test/ssl/ssl/server-revoked.crt
+++ b/src/test/ssl/ssl/server-revoked.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIC/DCCAeQCAQYwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAww3VGVzdCBDQSBm
b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNlcnZlciBjZXJ0czAe
-Fw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEYxHjAcBgNVBAsMFVBvc3Rn
+Fw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEYxHjAcBgNVBAsMFVBvc3Rn
cmVTUUwgdGVzdCBzdWl0ZTEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVz
dC50ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAooPO8lSz434p
4PBYBbTN8jkLW3cHEpTCH4yvC0V40hzGEl30HPLp82e+kxr+Q0+gd82fvc4Yth5I
@@ -9,10 +9,10 @@ PKINznp28GMs5/E9cUU3hMK4jFhKLMiOeIve3M/9ryHK874qpNjJoSxxPz7+s2eq
WoFc2px0KFIamTTLfi7Ju9aPb/AMlZNsUnbRsj7fQc7EJ8rwOnezw2Wy5VK4soX+
qpuJ0Nm44ApzT8YmjYX/kAX0yQxgQuYbpcBWr9cOQjegu3FAqHqRh9ye7d8jQzCv
34Wg/ar4rkqyQDcokuWAE7KQbnk51t7omzhM8eswFOAL1pas/8jWBvy0VjYVU34P
-9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAS9abT/PhJgwAnm46Rzu16
-lL7tDb3SeR1RL25xZLzCexHcYJFi7aDZix3QlLRvf6HPqqUPuPYRICTBF4+fieEh
-r5LotdAnadfYONwoB5GiYy2d93VGqlLosI27R6/tVvImXupviPpIYMDgBBRr1pZc
-ykQOjog6T+xk9TqsfFQDe2/VKF7a5RxOA/V77GZ5qge5Nlx9jSXQ/WUG9vDQj9BA
-d4nOwvjauKlcSqUU/3uVKntXQTNjmyq7S75eBitS920LLfjTL9LInLugDikFa/J/
-yPBkJLa/+rNMPikcnF3ci4Oi/XwLA8kGdGZAADuiIOeyORMuLFoTk7KpOYGKS5/U
+9aXxP8GiHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQANC+ABgpTg8mHipdTBhhUH
+klkvnmPwzUyfTMfjAMpM/aMXY12R2pcKbDm7uSFZQPyL4w2W6sa56rbFzXLER9U1
+woOdlUfpREtISaC+wI+plhPLvERW9Id57IWNuOpPaAP2KWOVa9gtRVIBj/Z09+3w
+nB3aqHxCl7GKI78ruqR8VGAhSl58KAVzG7TS25848nYIijZ4Aeoqr99x6EuHAVhf
+47xShRQTQZTzANaXqMaqeR4UoPxb5GUt1I2+4Q9Q0FC3M4CVgCbxgaKqmNms88k9
+yrXx+BA5fDXMhcyX/R09t+aPBnKhC+dmLohmB9cV0jgQLAGaN81+ZXyyghXk3iCV
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-single-alt-name.crt b/src/test/ssl/ssl/server-single-alt-name.crt
index e7403f3a6b..6637fa467b 100644
--- a/src/test/ssl/ssl/server-single-alt-name.crt
+++ b/src/test/ssl/ssl/server-single-alt-name.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIDCzCCAfOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0
IENBIGZvciBQb3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNl
-cnRzMB4XDTE4MTEyNzEzNDA1NFoXDTQ2MDQxNDEzNDA1NFowIDEeMBwGA1UECwwV
+cnRzMB4XDTIwMDgzMTA2MDcyM1oXDTQ4MDExNzA2MDcyM1owIDEeMBwGA1UECwwV
UG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAxYocLWWuiDsDzJ7wLc0zfwkGJAEy4hlHjTA5GXSEnGPlOnx1fxejZOGL
1HLff5h8zB+SQXrplHCcwwRrxVgGY7P59kXMXX1akTwXUJHc/EoTtqLO+6fHLygz
@@ -9,11 +9,11 @@ F1d0i5NPO3xrk1wMt7bYLhiPbWpplWiHXzbJy8wf3dXgzCwtxXf8Z1UqjtCnA/Zk
J/kPWuHJxzH5OvDJvZsq+Fbkl3catFpwUlAV9TKsC78W/K5I+afzppsmSvsIKAWW
Dp7g71IVjvJeI6Aui2yhDn9iuJMuKe9RMYIwJLFqiX3urHcjaBSkJm6Lsf7gO30v
kVwIyyGXRNTfZ2yPDoSXVZvOnq+gKwIDAQABoy4wLDAqBgNVHREEIzAhgh9zaW5n
-bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBU
-8wp8KZfS8vClx2gYSRlbXu3J1oAu4EBh45OuuRuLOJUhQZYcjFB3d/s0R1kcCQkB
-EekV9X1iQSzk/HQq4uWi6ViUzxTR67Q6TXEFo8iuqJ6Rag7R7G6fhRD1upf1lev+
-rz7F9GsoWLyLAg8//DUfq1kfQUyy6TxamoRs0vipZ4s0p4G8rbRCxKT1WTRLJFdd
-fSDVuMNuQQKTQXNdp6cYn+ikEhbUv/gG2S7Xiy2UM8oR7DR54nZBAKxgujWJZPfX
-/ieSwLxnLFyePwtwgk9xMmywFBjHWTxSdyI1UnJwWC917BSw4M00djsRv5COsBX7
-v/Co7oiMyTrCqyCsWOBu
+bGUuYWx0LW5hbWUucGctc3NsdGVzdC50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBP
+tJo8pTdcrsvooz15feSdJpxxmUut7/ub4ddRZQj08jL7SrUtAfmiUFBqaR618lr7
++7L30XkVv4j0p6U5jaE6V0L/r/GH6XyFLoH7ygTa4mmSrK8BWU1h2PvcqswxbxBY
+5Bu7pTajip2JuQ+6+rKfEvchGsELtWc1526QIa3LFsHTL8eWCFny16K7zlMkfFB1
+w58suL8ucTWfEcRByKkLD7wcZpAFvQD80BU7TvErr4ydEiNfH5NwrrUzycracPnc
+WKTjbAkRO615ht1z5E/TTLXENPlmibu08/g+Y8wu61S2Bjhn5LM33zKb/OrpVraY
+vVEKKU2NkD8bb+ztzu/H
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-ss.crt b/src/test/ssl/ssl/server-ss.crt
index d775e6029a..6662afe3af 100644
--- a/src/test/ssl/ssl/server-ss.crt
+++ b/src/test/ssl/ssl/server-ss.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIDGDCCAgCgAwIBAgIUVR71MjsbvBO6T1gJQaL/6hMwhqQwDQYJKoZIhvcNAQEL
+MIIDGDCCAgCgAwIBAgIUby7HZZ6t7KHCu15JC/MVcj8VEYcwDQYJKoZIhvcNAQEL
BQAwRjEkMCIGA1UEAwwbY29tbW9uLW5hbWUucGctc3NsdGVzdC50ZXN0MR4wHAYD
-VQQLDBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwHhcNMTgxMTI3MTM0MDU0WhcNNDYw
-NDE0MTM0MDU0WjBGMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1zc2x0ZXN0LnRl
+VQQLDBVQb3N0Z3JlU1FMIHRlc3Qgc3VpdGUwHhcNMjAwODMxMDYwNzIzWhcNNDgw
+MTE3MDYwNzIzWjBGMSQwIgYDVQQDDBtjb21tb24tbmFtZS5wZy1zc2x0ZXN0LnRl
c3QxHjAcBgNVBAsMFVBvc3RncmVTUUwgdGVzdCBzdWl0ZTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANWzVPMk7i5f+W0eEadRE+TTAtsIK08CkLMUnjs7
zJkxnnm6RGBXPx6vK3AkAIi+wG4YmXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu
@@ -10,10 +10,10 @@ zJkxnnm6RGBXPx6vK3AkAIi+wG4YmXjYP3GuMiXaLjnWh2kzBSfIRQyNbTThnhSu
Jf5D/PehdSuc0e5Me+91Nnbz90nlds4lHvuDR+aKnZlTHmch3wfhXv7lNQImIBzf
wl36Kd/bWB0fAEVFse3iZWmigaI/9FKh//WIq43TNLxn68OCQoyMe/HGjZDR/Xwo
3rE6jg6/iAwSWib9yabfYPKbqq2GoFy6aYmmEquaDgLuX7kCAwEAATANBgkqhkiG
-9w0BAQsFAAOCAQEAtHR6o4UIO/aWEAzcmnJKsQDC999jbQGiqs9+v62mz5TvCk/1
-gL9/s/yfGY+pnDGW1ijI2xiL9KCJzjd8YB+F8iUViVQ6uHBxghxC1H2qOIr2UPFQ
-gQRu7d0DByQBsiXMOdw10luGo1oHhqMe5J7VyMVG/7aRpr6zYKrH7PzsB8ucvxzv
-Lm8ez0WBPebV69sim431iJcVcxxBbFd4qUJ9cHIc7VO2mSaazsIOzbd400POF/vk
-gfpDs48GfnZ+X3hgoQA4u7eudLqttI+j1xV+IHlCtaa1nDHymUrN/FhI1x+6c1SU
-V12eHqVatPMe0d+OCJPqIL9lbe+sGXlxDkMqAQ==
+9w0BAQsFAAOCAQEAO68c0amf+x5U7o6nZfNcwwMEY3wPt/NYWnfwp0+/5R50KY2L
+ZKqKxN26BQPFID2j/H84ve5idcJoilzy3W4/P5hs7R53sTyID/fFz6xB7p3eQnJO
+I6YT8D+dcNnipjK3O0O4Htqq7L25idkmYM8HxeSVWC65MzbUI9nLzqg4FRv3pM+m
+AM9Cpq41j8mhN3NS2vhpgy9T6qrM8v0usJuoAMMnwp0yXo3/ZfpoT80BaGhlWR5g
+Wm36rA50Z0Vz1zgRJb/xXl9SEnySWAM/WIuRiAHRw9J5K3ye8U8aW+xV3/uQEtG2
+s7h6mW3YqdIh2o5Gc83rLEvPOHLFohKMvFmJTA==
-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server.crl b/src/test/ssl/ssl/server.crl
index 717951c26a..9588d1e524 100644
--- a/src/test/ssl/ssl/server.crl
+++ b/src/test/ssl/ssl/server.crl
@@ -1,11 +1,11 @@
-----BEGIN X509 CRL-----
MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
-b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
-MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
-BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
-xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
-nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
-RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
-SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
-41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0yMDA4
+MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMBQwEgIBBhcNMjAwODMxMDYwNzIzWjAN
+BgkqhkiG9w0BAQsFAAOCAQEA2CBoLuLCpXcVSHqQtKnTcz25FyPsGkSO3luiUiG5
+jnI9HvZ9OzeQGGho6XBhVHAmEtwKOo6pcxqDe8Qkf6X7v0AUc19BWkxOXT+sCCdM
+yOvRhNPAhxJToGgKqp41noTSMhZPLsvFEfbbFTZEABScfX2K+XdvQlAYXa3U375E
+71jFenrNh8fNTKfcikmio1rsybQ4PG/ASsrUflQ5LAz3Nm3awdw01auGzRFezq3z
+Ivnq3z5b2q+m653PUsygNRMFVxCAgrvqAadKci7MK/QthCbocrLIhuc9Mmx1Nbkm
+Wnv+La3b5HeH8Zi9Q89IBr12rH70Y6K3hggCUAo9CoK3zw==
-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server_ca.crt b/src/test/ssl/ssl/server_ca.crt
index 9f727bf9e9..94da6cd092 100644
--- a/src/test/ssl/ssl/server_ca.crt
+++ b/src/test/ssl/ssl/server_ca.crt
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMT4wPAYDVQQDDDVUZXN0
IHJvb3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0
-ZTAeFw0xODExMjcxMzQwNTRaFw00NjA0MTQxMzQwNTRaMEIxQDA+BgNVBAMMN1Rl
+ZTAeFw0yMDA4MzEwNjA3MjNaFw00ODAxMTcwNjA3MjNaMEIxQDA+BgNVBAMMN1Rl
c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzZXJ2ZXIg
Y2VydHMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiSnYZbmc9vpCt
Ku1sKV9l663JCceubhMw8Gg16kV0hXEFf/TgGC4zkiYNHN7+G45YD7Nq0kBCq3dH
@@ -10,10 +10,10 @@ t2wPCc6c8pQoI64dfprVqPkvzoe1WBpZNetkUTk20v08jNeRa7XdRbRR6we1s9VG
QW9YWdH9N5ctaUXMG6lLV2OAjs+W1smpKfpIpMCA1lPGlElu70hynon/nQQvBP77
SfQpZVc0esM18jkZpr5LEKUCw+x6LaMsqmBHpAULfCffxn2r0uMBW4L4VaGg3W6F
h6iuJwRfAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
-AFlcKTaU/Ug3Q0hr3P1UQ6dWyK4aVn9rs4jvVfFl0a0RnbBowqK2C+zQVUWYTcjo
-KHREVje65goj6VzRB6ko/9mAQ6PZP8jRuRhfCmvmvSQ/mWdgPzSRsUh9MwgEm9c2
-vNbqwaznEU8cYZnLpHiR9O5S7/qWWxehjYtxk5Eb4J006YglYfHnhrRFJvPbiqlf
-IOEivZ7gIVfvaOTbLjmN2kLOnzdlwpXGjxxg4Nu9ZhXOhfrplzUvRfmqvVsDiHXb
-USIdX+OFZZqr64IKG4drT4K4Bt2wupOEyX4ZFsUXXd+Hgq83SWmV4wzflcpmGkLC
-JZ3CEMu8/WA5uQBXdQUozlE=
+AArYO305zkNZc+vdbeXNpgi1/FrOHl2b0DvG4i2gcUVDvvjIHUnVLf2cak+81vER
+CqlCkutXxB+/fyxVXYtLKXQh0D/68QikH+ImEavrUrANXvQRvoixIjrfub/nZB75
+EiOTIR2N0/m6ndjCHJU0W8N7Tt9qob31e3bVJBZOc+9e80y8GDQiMKYACmet9zUR
+hR/yvJhUsH/u5Y7OwrvcyCs+PJXzPnZTSsatSkHI4KY22+7K+ZhscLIaBKjqlIDj
++fHBrutW9jtog1E3JUO9ZHokB1qlRLs4YhpQ8YzHRabEBaX892ZPLNwtmFLOWK1p
+9klR7/RXnu13nStNIYAHk20=
-----END CERTIFICATE-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index fd2727b568..4f36bf9dc0 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -13,7 +13,7 @@ use SSLServer;
if ($ENV{with_openssl} eq 'yes')
{
- plan tests => 93;
+ plan tests => 100;
}
else
{
@@ -214,6 +214,12 @@ test_connect_fails(
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
qr/SSL error/,
"CRL belonging to a different CA");
+# The same for CRL directory, fails
+test_connect_fails(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",
+ qr/SSL error/,
+ "directory CRL belonging to a different CA");
# With the correct CRL, succeeds (this cert is not revoked)
test_connect_ok(
@@ -221,6 +227,12 @@ test_connect_ok(
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
"CRL with a non-revoked cert");
+# With the correct server CRL directory, succeeds (this cert is not revoked)
+test_connect_ok(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
+ "directory CRL with a non-revoked cert");
+
# Check that connecting with verify-full fails, when the hostname doesn't
# match the hostname in the server's certificate.
$common_connstr =
@@ -346,7 +358,12 @@ test_connect_fails(
$common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
qr/SSL error/,
- "does not connect with client-side CRL");
+ "does not connect with client-side CRL file");
+test_connect_fails(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
+ qr/SSL error/,
+ "does not connect with client-side CRL directory");
# pg_stat_ssl
command_like(
@@ -545,6 +562,16 @@ test_connect_ok(
test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt",
qr/SSL error/, "intermediate client certificate is missing");
+# test server-side CRL directory
+switch_server_cert($node, 'server-cn-only', undef, undef, 'root+client-crldir');
+
+# revoked client cert
+test_connect_fails(
+ $common_connstr,
+ "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
+ qr/SSL error/,
+ "certificate authorization fails with revoked client cert with server-side CRL directory");
+
# clean up
foreach my $key (@keys)
{
diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm
index f5987a003e..8b23e18497 100644
--- a/src/test/ssl/t/SSLServer.pm
+++ b/src/test/ssl/t/SSLServer.pm
@@ -150,6 +150,8 @@ sub configure_test_server_for_ssl
copy_files("ssl/root+client_ca.crt", $pgdata);
copy_files("ssl/root_ca.crt", $pgdata);
copy_files("ssl/root+client.crl", $pgdata);
+ mkdir("$pgdata/root+client-crldir");
+ copy_files("ssl/root+client-crldir/*", "$pgdata/root+client-crldir/");
# Stop and restart server to load new listen_addresses.
$node->restart;
@@ -167,14 +169,24 @@ sub switch_server_cert
my $node = $_[0];
my $certfile = $_[1];
my $cafile = $_[2] || "root+client_ca";
+ my $crlfile = "root+client.crl";
+ my $crldir;
my $pgdata = $node->data_dir;
+ # defaults to use crl file
+ if (defined $_[3] || defined $_[4])
+ {
+ $crlfile = $_[3];
+ $crldir = $_[4];
+ }
+
open my $sslconf, '>', "$pgdata/sslconfig.conf";
print $sslconf "ssl=on\n";
print $sslconf "ssl_ca_file='$cafile.crt'\n";
print $sslconf "ssl_cert_file='$certfile.crt'\n";
print $sslconf "ssl_key_file='$certfile.key'\n";
- print $sslconf "ssl_crl_file='root+client.crl'\n";
+ print $sslconf "ssl_crl_file='$crlfile'\n" if (defined $crlfile);
+ print $sslconf "ssl_crl_dir='$crldir'\n" if (defined $crldir);
close $sslconf;
$node->restart;
--
2.27.0
On 2021-01-19 09:32, Kyotaro Horiguchi wrote: > At Tue, 19 Jan 2021 09:17:34 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in >> By the way we can do the same thing on CA file/dir, but I personally >> think that the benefit from the specify-by-directory for CA files is >> far less than CRL files. So I'm not going to do this for CA files for >> now. > > This is it. A new guc ssl_crl_dir and connection option crldir are > added. This looks pretty good to me overall. You need to update the expected result of the postgres_fdw test. Also check your patch for whitespace errors with git diff --check or similar. > One problem raised upthread is the footprint for test is quite large > because all certificate and key files are replaced by this patch. I > think we can shrink the footprint by generating that files on-demand > but that needs openssl frontend to be installed on the development > environment. I don't understand why you need to recreate all these files. All your patch should contain are the new *.r0 files that are computed from the existing *.crl files. Nothing else should change, AIUI. Some of the makefile rules for generating the CRL files need some refinement. In +ssl/root+server-crldir: ssl/server.crl + mkdir ssl/root+server-crldir + cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0 + cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0 +ssl/root+client-crldir: ssl/client.crl + mkdir ssl/root+client-crldir + cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0 + cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0 the rules should also have a dependency on ssl/root.crl in addition to ssl/server.crl. By the way: - print $sslconf "ssl_crl_file='root+client.crl'\n"; + print $sslconf "ssl_crl_file='$crlfile'\n" if (defined $crlfile); + print $sslconf "ssl_crl_dir='$crldir'\n" if (defined $crldir); Trailing "if" doesn't need parentheses.
At Sat, 30 Jan 2021 22:20:19 +0100, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote in
> On 2021-01-19 09:32, Kyotaro Horiguchi wrote:
> > At Tue, 19 Jan 2021 09:17:34 +0900 (JST), Kyotaro Horiguchi
> > <horikyota.ntt@gmail.com> wrote in
> >> By the way we can do the same thing on CA file/dir, but I personally
> >> think that the benefit from the specify-by-directory for CA files is
> >> far less than CRL files. So I'm not going to do this for CA files for
> >> now.
> > This is it. A new guc ssl_crl_dir and connection option crldir are
> > added.
>
> This looks pretty good to me overall.
Thanks!
> You need to update the expected result of the postgres_fdw test.
Oops. Fixed.
> Also check your patch for whitespace errors with git diff --check or
> similar.
Sorry for forgetting that. I found an extra new line in
be-secure-openssl.c and remved it.
> > One problem raised upthread is the footprint for test is quite large
> > because all certificate and key files are replaced by this patch. I
> > think we can shrink the footprint by generating that files on-demand
> > but that needs openssl frontend to be installed on the development
> > environment.
>
> I don't understand why you need to recreate all these files. All your
> patch should contain are the new *.r0 files that are computed from the
> existing *.crl files. Nothing else should change, AIUI.
Ah. If I ran make with this patch, it complains of
ssl/root_ca-certindex lacking and I ran "make clean" to avoid the
complaint. Instead, I created the additional crl directories by
manually executing the recipes of the additional rules.
v3: 41 files changed, 496 insertions(+), 255 deletions(-)
v4: 21 files changed, 258 insertions(+), 18 deletions(-)
I checked that 001_ssltests.pl succedds both with the preexisting ssl/
files and with the files created by "make sslfiles" after "make
sslfiles-clean".
> Some of the makefile rules for generating the CRL files need some
> refinement. In
>
> +ssl/root+server-crldir: ssl/server.crl
> + mkdir ssl/root+server-crldir
> + cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout
> -in ssl/server.crl`.r0
> + cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in
> ssl/root.crl`.r0
> +ssl/root+client-crldir: ssl/client.crl
> + mkdir ssl/root+client-crldir
> + cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout
> -in ssl/client.crl`.r0
> + cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in
> ssl/root.crl`.r0
>
> the rules should also have a dependency on ssl/root.crl in addition to
> ssl/server.crl.
Right. Added.
> By the way:
>
> - print $sslconf "ssl_crl_file='root+client.crl'\n";
> + print $sslconf "ssl_crl_file='$crlfile'\n" if (defined $crlfile);
> + print $sslconf "ssl_crl_dir='$crldir'\n" if (defined $crldir);
>
> Trailing "if" doesn't need parentheses.
I know. However I preferred to have them at the time, I don't have a
strong opinion about how it should be. Ripped off them.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
From 9168e29fa6bd957171cfa53553ae406eb44bb936 Mon Sep 17 00:00:00 2001
From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Date: Mon, 1 Feb 2021 11:16:41 +0900
Subject: [PATCH v4] Allow to specify CRL directory
We have the ssl_crl_file GUC variable and the sslcrl connection option
to specify a CRL file. X509_STORE_load_locations accepts a directory,
which leads to on-demand loading method with which method only
relevant CRLs are loaded. Allow server and client to use the hashed
directory method. We could use the existing variable and option to
specify the direcotry name but allowing to use both methods at the
same time gives operation flexibility to users.
---
.../postgres_fdw/expected/postgres_fdw.out | 2 +-
doc/src/sgml/config.sgml | 21 +++++++++++-
doc/src/sgml/libpq.sgml | 20 +++++++++--
doc/src/sgml/runtime.sgml | 33 +++++++++++++++++++
src/backend/libpq/be-secure-openssl.c | 26 +++++++++++++--
src/backend/libpq/be-secure.c | 1 +
src/backend/utils/misc/guc.c | 10 ++++++
src/include/libpq/libpq.h | 1 +
src/interfaces/libpq/fe-connect.c | 6 ++++
src/interfaces/libpq/fe-secure-openssl.c | 24 ++++++++++----
src/interfaces/libpq/libpq-int.h | 1 +
src/test/ssl/Makefile | 20 ++++++++++-
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 11 +++++++
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 11 +++++++
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 11 +++++++
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 11 +++++++
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 11 +++++++
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 11 +++++++
src/test/ssl/t/001_ssltests.pl | 31 +++++++++++++++--
src/test/ssl/t/SSLServer.pm | 14 +++++++-
20 files changed, 258 insertions(+), 18 deletions(-)
create mode 100644 src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
create mode 100644 src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
create mode 100644 src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
create mode 100644 src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
create mode 100644 src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
create mode 100644 src/test/ssl/ssl/server-crldir/a836cc2d.r0
diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index b09dce63f5..85d1d0dfab 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -8928,7 +8928,7 @@ DO $d$
END;
$d$;
ERROR: invalid option "password"
-HINT: Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr,
port,options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout,
sslmode,sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, ssl_min_protocol_version,
ssl_max_protocol_version,gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost,
fdw_tuple_cost,extensions, updatable, fetch_size, batch_size
+HINT: Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr,
port,options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout,
sslmode,sslcompression, sslcert, sslkey, sslrootcert, sslcrl, sslcrldir, requirepeer, ssl_min_protocol_version,
ssl_max_protocol_version,gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost,
fdw_tuple_cost,extensions, updatable, fetch_size, batch_size
CONTEXT: SQL statement "ALTER SERVER loopback_nopw OPTIONS (ADD password 'dummypw')"
PL/pgSQL function inline_code_block line 3 at EXECUTE
-- If we add a password for our user mapping instead, we should get a different
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index e17cdcc816..67052bcbab 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1216,7 +1216,26 @@ include_dir 'conf.d'
Relative paths are relative to the data directory.
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
- The default is empty, meaning no CRL file is loaded.
+ The default is empty, meaning no CRL file is loaded unless
+ <xref linkend="guc-ssl-crl-dir"/> is set.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="guc-ssl-crl-dir" xreflabel="ssl_crl_dir">
+ <term><varname>ssl_crl_dir</varname> (<type>string</type>)
+ <indexterm>
+ <primary><varname>ssl_crl_dir</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Specifies the name of the directory containing the SSL server
+ certificate revocation list (CRL). Relative paths are relative to the
+ data directory. This parameter can only be set in
+ the <filename>postgresql.conf</filename> file or on the server command
+ line. The default is empty, meaning no CRL file is loaded unless
+ <xref linkend="guc-ssl-crl-file"/> is set.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index b7a82453f0..7646756556 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1723,8 +1723,24 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
This parameter specifies the file name of the SSL certificate
revocation list (CRL). Certificates listed in this file, if it
exists, will be rejected while attempting to authenticate the
- server's certificate. The default is
- <filename>~/.postgresql/root.crl</filename>.
+ server's certificate. If both <xref linkend='libpq-connect-sslcrl'/>
+ and <xref linkend='libpq-connect-sslcrldir'/> are not set, this
+ setting is assumed to be
+ <filename>~/.postgresql/root.crl</filename>. See
+ <xref linkend="ssl-crl-files"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="libpq-connect-sslcrldir" xreflabel="sslcrldir">
+ <term><literal>sslcrldir</literal></term>
+ <listitem>
+ <para>
+ This parameter specifies the directory name of the SSL certificate
+ revocation list (CRL). Certificates listed in the files in this
+ directory, if it exists, will be rejected while attempting to
+ authenticate the server's certificate. See
+ <xref linkend="ssl-crl-files"/> for details.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index bf877c0e0c..4dc921779e 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2552,6 +2552,39 @@ openssl x509 -req -in server.csr -text -days 365 \
</para>
</sect2>
+ <sect2 id="ssl-crl-files">
+ <title>Certification Revocation List files</title>
+
+ <para> The server setting <xref linkend="guc-ssl-crl-file"/> and
+ <xref linkend="guc-ssl-crl-dir"/>, and the connection option
+ <xref linkend="libpq-connect-sslcrl"/> and
+ <xref linkend="libpq-connect-sslcrldir"/> specify a file containing one or
+ more CRL, or a directory containing a separate file for every CRL
+ respectively. Settings for CRL file and CRL directory can be specified
+ together. In the first method, file method, the all CRLs in the file is
+ loaded at server start time or by reloading config file (<command>pg_ctl
+ reload</command>). In the second method, hashed directory method, CRL
+ files are loaded on-demand, that is, only the relevant CRL files are
+ loaded at connection time.
+ </para>
+ <para>
+ The CRL file used for the file method can contain multiple CRLs, like
+ certificates, by just concatenated if it is in PEM format. In the hashed
+ directory method, every file in the directory has the name
+ with <parameter>hash</parameter>.r<parameter>N</parameter> format,
+ where <parameter>hash</parameter> is the hash value of the issuer of the
+ CRL and <parameter>N</parameter> is a sequence number that starts at
+ zero. The hash value is calculated using openssl command. In both cases
+ the CRLs from all CAs involved in a certificate chain are needed to verify
+ a certificate, even if some or all of them are empty.
+<programlisting>
+$ openssl crl -hash -noout -in foo.crl
+98668507
+$ cp foo.crl $PGDATA/crldir/98668507.r0
+</programlisting>
+ </para>
+ </sect2>
+
</sect1>
<sect1 id="gssapi-enc">
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 1e2ecc6e7a..ac471f3eeb 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -285,19 +285,22 @@ be_tls_init(bool isServerStart)
* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
*----------
*/
- if (ssl_crl_file[0])
+ if (ssl_crl_file[0] || ssl_crl_dir[0])
{
X509_STORE *cvstore = SSL_CTX_get_cert_store(context);
if (cvstore)
{
/* Set the flags to check against the complete CRL chain */
- if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1)
+ if (X509_STORE_load_locations(cvstore,
+ ssl_crl_file[0] ? ssl_crl_file : NULL,
+ ssl_crl_dir[0] ? ssl_crl_dir : NULL)
+ == 1)
{
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
- else
+ else if (ssl_crl_dir[0] == 0)
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
@@ -305,6 +308,23 @@ be_tls_init(bool isServerStart)
ssl_crl_file, SSLerrmessage(ERR_get_error()))));
goto error;
}
+ else if (ssl_crl_file[0] == 0)
+ {
+ ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("could not load SSL certificate revocation list directory \"%s\": %s",
+ ssl_crl_dir, SSLerrmessage(ERR_get_error()))));
+ goto error;
+ }
+ else
+ {
+ ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("could not load SSL certificate revocation list file \"%s\" and/or directory \"%s\":
%s",
+ ssl_crl_file, ssl_crl_dir,
+ SSLerrmessage(ERR_get_error()))));
+ goto error;
+ }
}
}
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 4cf139a223..3ad6890f70 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -42,6 +42,7 @@ char *ssl_cert_file;
char *ssl_key_file;
char *ssl_ca_file;
char *ssl_crl_file;
+char *ssl_crl_dir;
char *ssl_dh_params_file;
char *ssl_passphrase_command;
bool ssl_passphrase_command_supports_reload;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index eafdb1118e..00018abb7d 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -4355,6 +4355,16 @@ static struct config_string ConfigureNamesString[] =
NULL, NULL, NULL
},
+ {
+ {"ssl_crl_dir", PGC_SIGHUP, CONN_AUTH_SSL,
+ gettext_noop("Location of the SSL certificate revocation list directory."),
+ NULL
+ },
+ &ssl_crl_dir,
+ "",
+ NULL, NULL, NULL
+ },
+
{
{"stats_temp_directory", PGC_SIGHUP, STATS_COLLECTOR,
gettext_noop("Writes temporary statistics files to the specified directory."),
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index a55898c85a..b41b10620a 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -82,6 +82,7 @@ extern char *ssl_cert_file;
extern char *ssl_key_file;
extern char *ssl_ca_file;
extern char *ssl_crl_file;
+extern char *ssl_crl_dir;
extern char *ssl_dh_params_file;
extern PGDLLIMPORT char *ssl_passphrase_command;
extern PGDLLIMPORT bool ssl_passphrase_command_supports_reload;
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 8ca0583aa9..db71fea169 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -317,6 +317,10 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"SSL-Revocation-List", "", 64,
offsetof(struct pg_conn, sslcrl)},
+ {"sslcrldir", "PGSSLCRLDIR", NULL, NULL,
+ "SSL-Revocation-List-Dir", "", 64,
+ offsetof(struct pg_conn, sslcrldir)},
+
{"requirepeer", "PGREQUIREPEER", NULL, NULL,
"Require-Peer", "", 10,
offsetof(struct pg_conn, requirepeer)},
@@ -3998,6 +4002,8 @@ freePGconn(PGconn *conn)
free(conn->sslrootcert);
if (conn->sslcrl)
free(conn->sslcrl);
+ if (conn->sslcrldir)
+ free(conn->sslcrldir);
if (conn->sslcompression)
free(conn->sslcompression);
if (conn->requirepeer)
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 5b4a4157d5..0fa10a23b4 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -794,7 +794,8 @@ initialize_SSL(PGconn *conn)
if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
!(conn->sslkey && strlen(conn->sslkey) > 0) ||
!(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
- !(conn->sslcrl && strlen(conn->sslcrl) > 0))
+ !((conn->sslcrl && strlen(conn->sslcrl) > 0) ||
+ (conn->sslcrldir && strlen(conn->sslcrldir) > 0)))
have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
else /* won't need it */
have_homedir = false;
@@ -936,20 +937,29 @@ initialize_SSL(PGconn *conn)
if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
{
+ char *fname = NULL;
+ char *dname = NULL;
+
if (conn->sslcrl && strlen(conn->sslcrl) > 0)
- strlcpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
- else if (have_homedir)
+ fname = conn->sslcrl;
+ if (conn->sslcrldir && strlen(conn->sslcrldir) > 0)
+ dname = conn->sslcrldir;
+
+ /* defaults to use the default CRL file */
+ if (!fname && !dname && have_homedir)
+ {
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
- else
- fnbuf[0] = '\0';
+ fname = fnbuf;
+ }
/* Set the flags to check against the complete CRL chain */
- if (fnbuf[0] != '\0' &&
- X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
+ if ((fname || dname) &&
+ X509_STORE_load_locations(cvstore, fname, dname) == 1)
{
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
+
/* if not found, silently ignore; we do not require CRL */
ERR_clear_error();
}
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 4db498369c..ce36aabd25 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -362,6 +362,7 @@ struct pg_conn
char *sslpassword; /* client key file password */
char *sslrootcert; /* root certificate filename */
char *sslcrl; /* certificate revocation list filename */
+ char *sslcrldir; /* certificate revocation list directory name */
char *requirepeer; /* required peer credentials for local sockets */
char *gssencmode; /* GSS mode (require,prefer,disable) */
char *krbsrvname; /* Kerberos service name */
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 93335b1ea2..bc953a0bec 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -30,12 +30,15 @@ SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
ssl/client+client_ca.crt ssl/client-der.key \
ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+SSLDIRS := ssl/client-crldir ssl/server-crldir \
+ ssl/root+client-crldir ssl/root+server-crldir
+
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
# This target will fail unless preceded by sslfiles-clean.
#
-sslfiles: $(SSLFILES)
+sslfiles: $(SSLFILES) $(SSLDIRS)
# OpenSSL requires a directory to put all generated certificates in. We don't
# use this for anything, but we need a location.
@@ -146,10 +149,25 @@ ssl/root+server.crl: ssl/root.crl ssl/server.crl
cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
cat $^ > $@
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ mkdir ssl/root+server-crldir
+ cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+ cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ mkdir ssl/root+client-crldir
+ cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+ cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+ssl/server-crldir: ssl/server.crl
+ mkdir ssl/server-crldir
+ cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+ssl/client-crldir: ssl/client.crl
+ mkdir ssl/client-crldir
+ cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
.PHONY: sslfiles-clean
sslfiles-clean:
rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex*
ssl/root_ca-certindex*ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
+ rm -rf $(SSLDIRS)
clean distclean maintainer-clean:
rm -rf tmp_check
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
new file mode 100644
index 0000000000..a667680e04
--- /dev/null
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
+MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
+BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
+8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
+xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
+pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
+nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
+2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
new file mode 100644
index 0000000000..a667680e04
--- /dev/null
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
+MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
+BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
+8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
+xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
+pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
+nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
+2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
new file mode 100644
index 0000000000..e879cf25a7
--- /dev/null
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
+MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
+qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
+4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
+lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
+pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
+PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
+AlO+O0a4SpYS
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
new file mode 100644
index 0000000000..e879cf25a7
--- /dev/null
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
+MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
+qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
+4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
+lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
+pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
+PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
+AlO+O0a4SpYS
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
new file mode 100644
index 0000000000..717951c26a
--- /dev/null
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
+MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
+BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
+xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
+nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
+RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
+SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
+41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
new file mode 100644
index 0000000000..717951c26a
--- /dev/null
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
+MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
+BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
+xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
+nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
+RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
+SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
+41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+-----END X509 CRL-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index fd2727b568..4f36bf9dc0 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -13,7 +13,7 @@ use SSLServer;
if ($ENV{with_openssl} eq 'yes')
{
- plan tests => 93;
+ plan tests => 100;
}
else
{
@@ -214,6 +214,12 @@ test_connect_fails(
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
qr/SSL error/,
"CRL belonging to a different CA");
+# The same for CRL directory, fails
+test_connect_fails(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",
+ qr/SSL error/,
+ "directory CRL belonging to a different CA");
# With the correct CRL, succeeds (this cert is not revoked)
test_connect_ok(
@@ -221,6 +227,12 @@ test_connect_ok(
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
"CRL with a non-revoked cert");
+# With the correct server CRL directory, succeeds (this cert is not revoked)
+test_connect_ok(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
+ "directory CRL with a non-revoked cert");
+
# Check that connecting with verify-full fails, when the hostname doesn't
# match the hostname in the server's certificate.
$common_connstr =
@@ -346,7 +358,12 @@ test_connect_fails(
$common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
qr/SSL error/,
- "does not connect with client-side CRL");
+ "does not connect with client-side CRL file");
+test_connect_fails(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
+ qr/SSL error/,
+ "does not connect with client-side CRL directory");
# pg_stat_ssl
command_like(
@@ -545,6 +562,16 @@ test_connect_ok(
test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt",
qr/SSL error/, "intermediate client certificate is missing");
+# test server-side CRL directory
+switch_server_cert($node, 'server-cn-only', undef, undef, 'root+client-crldir');
+
+# revoked client cert
+test_connect_fails(
+ $common_connstr,
+ "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
+ qr/SSL error/,
+ "certificate authorization fails with revoked client cert with server-side CRL directory");
+
# clean up
foreach my $key (@keys)
{
diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm
index f5987a003e..5ec5e0dac8 100644
--- a/src/test/ssl/t/SSLServer.pm
+++ b/src/test/ssl/t/SSLServer.pm
@@ -150,6 +150,8 @@ sub configure_test_server_for_ssl
copy_files("ssl/root+client_ca.crt", $pgdata);
copy_files("ssl/root_ca.crt", $pgdata);
copy_files("ssl/root+client.crl", $pgdata);
+ mkdir("$pgdata/root+client-crldir");
+ copy_files("ssl/root+client-crldir/*", "$pgdata/root+client-crldir/");
# Stop and restart server to load new listen_addresses.
$node->restart;
@@ -167,14 +169,24 @@ sub switch_server_cert
my $node = $_[0];
my $certfile = $_[1];
my $cafile = $_[2] || "root+client_ca";
+ my $crlfile = "root+client.crl";
+ my $crldir;
my $pgdata = $node->data_dir;
+ # defaults to use crl file
+ if (defined $_[3] || defined $_[4])
+ {
+ $crlfile = $_[3];
+ $crldir = $_[4];
+ }
+
open my $sslconf, '>', "$pgdata/sslconfig.conf";
print $sslconf "ssl=on\n";
print $sslconf "ssl_ca_file='$cafile.crt'\n";
print $sslconf "ssl_cert_file='$certfile.crt'\n";
print $sslconf "ssl_key_file='$certfile.key'\n";
- print $sslconf "ssl_crl_file='root+client.crl'\n";
+ print $sslconf "ssl_crl_file='$crlfile'\n" if defined $crlfile;
+ print $sslconf "ssl_crl_dir='$crldir'\n" if defined $crldir;
close $sslconf;
$node->restart;
--
2.27.0
The commit fe61df7f82 shot down this.
This patch allows a new GUC ssl_crl_dir and a new libpq connection
option sslcrldir to specify CRL directory, which stores multiple files
that contains one CRL. With that method server loads only CRLs for the
CA of the certificate being validated.
Along with rebasing, the documentation is slightly reworded.
revocation list (CRL). Certificates listed in this file, if it
exists, will be rejected while attempting to authenticate the
- server's certificate. If both sslcrl and sslcrldir are not set,
- this setting is assumed to be
+ server's certificate. If neither sslcrl sslcrldir is set, this
+ setting is assumed to be
<filename>~/.postgresql/root.crl</filename>. See
And added a line for the new variable in postgresql.conf.sample.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
From 9fbe390297174390f30fb1cc31b0cb543b335ae8 Mon Sep 17 00:00:00 2001
From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Date: Mon, 1 Feb 2021 11:16:41 +0900
Subject: [PATCH v5] Allow to specify CRL directory
This patch adds another method to specify CRLs, hashed directory
method for both on server and client side. This offers a means for
server or libpq to load only CRLs that are required to verify a
certificate. The CRL directory is specifed by separate GUC variable or
connection option from existing ssl_crl_file and sslcrl so both method
can be used at the same time.
---
.../postgres_fdw/expected/postgres_fdw.out | 2 +-
doc/src/sgml/config.sgml | 21 +++++++++++-
doc/src/sgml/libpq.sgml | 21 ++++++++++--
doc/src/sgml/runtime.sgml | 33 +++++++++++++++++++
src/backend/libpq/be-secure-openssl.c | 26 +++++++++++++--
src/backend/libpq/be-secure.c | 1 +
src/backend/utils/misc/guc.c | 10 ++++++
src/backend/utils/misc/postgresql.conf.sample | 1 +
src/include/libpq/libpq.h | 1 +
src/interfaces/libpq/fe-connect.c | 6 ++++
src/interfaces/libpq/fe-secure-openssl.c | 24 ++++++++++----
src/interfaces/libpq/libpq-int.h | 1 +
src/test/ssl/Makefile | 20 ++++++++++-
src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 11 +++++++
.../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 11 +++++++
.../ssl/ssl/root+client-crldir/a3d11bff.r0 | 11 +++++++
.../ssl/ssl/root+server-crldir/a3d11bff.r0 | 11 +++++++
.../ssl/ssl/root+server-crldir/a836cc2d.r0 | 11 +++++++
src/test/ssl/ssl/server-crldir/a836cc2d.r0 | 11 +++++++
src/test/ssl/t/001_ssltests.pl | 31 +++++++++++++++--
src/test/ssl/t/SSLServer.pm | 14 +++++++-
21 files changed, 260 insertions(+), 18 deletions(-)
create mode 100644 src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
create mode 100644 src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
create mode 100644 src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
create mode 100644 src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
create mode 100644 src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
create mode 100644 src/test/ssl/ssl/server-crldir/a836cc2d.r0
diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index 60c7e115d6..c779c84634 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -8946,7 +8946,7 @@ DO $d$
END;
$d$;
ERROR: invalid option "password"
-HINT: Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr,
port,options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout,
sslmode,sslcompression, sslcert, sslkey, sslrootcert, sslcrl, requirepeer, ssl_min_protocol_version,
ssl_max_protocol_version,gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost,
fdw_tuple_cost,extensions, updatable, fetch_size, batch_size
+HINT: Valid options in this context are: service, passfile, channel_binding, connect_timeout, dbname, host, hostaddr,
port,options, application_name, keepalives, keepalives_idle, keepalives_interval, keepalives_count, tcp_user_timeout,
sslmode,sslcompression, sslcert, sslkey, sslrootcert, sslcrl, sslcrldir, requirepeer, ssl_min_protocol_version,
ssl_max_protocol_version,gssencmode, krbsrvname, gsslib, target_session_attrs, use_remote_estimate, fdw_startup_cost,
fdw_tuple_cost,extensions, updatable, fetch_size, batch_size
CONTEXT: SQL statement "ALTER SERVER loopback_nopw OPTIONS (ADD password 'dummypw')"
PL/pgSQL function inline_code_block line 3 at EXECUTE
-- If we add a password for our user mapping instead, we should get a different
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 4df1405d2e..5c2900485c 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1216,7 +1216,26 @@ include_dir 'conf.d'
Relative paths are relative to the data directory.
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
- The default is empty, meaning no CRL file is loaded.
+ The default is empty, meaning no CRL file is loaded unless
+ <xref linkend="guc-ssl-crl-dir"/> is set.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="guc-ssl-crl-dir" xreflabel="ssl_crl_dir">
+ <term><varname>ssl_crl_dir</varname> (<type>string</type>)
+ <indexterm>
+ <primary><varname>ssl_crl_dir</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Specifies the name of the directory containing the SSL server
+ certificate revocation list (CRL). Relative paths are relative to the
+ data directory. This parameter can only be set in
+ the <filename>postgresql.conf</filename> file or on the server command
+ line. The default is empty, meaning no CRL file is loaded unless
+ <xref linkend="guc-ssl-crl-file"/> is set.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index b7a82453f0..3b92229781 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1723,8 +1723,25 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
This parameter specifies the file name of the SSL certificate
revocation list (CRL). Certificates listed in this file, if it
exists, will be rejected while attempting to authenticate the
- server's certificate. The default is
- <filename>~/.postgresql/root.crl</filename>.
+ server's certificate. If neither
+ <xref linkend='libpq-connect-sslcrl'/> nor
+ <xref linkend='libpq-connect-sslcrldir'/> is set, this setting is
+ assumed to be
+ <filename>~/.postgresql/root.crl</filename>. See
+ <xref linkend="ssl-crl-files"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="libpq-connect-sslcrldir" xreflabel="sslcrldir">
+ <term><literal>sslcrldir</literal></term>
+ <listitem>
+ <para>
+ This parameter specifies the directory name of the SSL certificate
+ revocation list (CRL). Certificates listed in the files in this
+ directory, if it exists, will be rejected while attempting to
+ authenticate the server's certificate. See
+ <xref linkend="ssl-crl-files"/> for details.
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index bf877c0e0c..4dc921779e 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2552,6 +2552,39 @@ openssl x509 -req -in server.csr -text -days 365 \
</para>
</sect2>
+ <sect2 id="ssl-crl-files">
+ <title>Certification Revocation List files</title>
+
+ <para> The server setting <xref linkend="guc-ssl-crl-file"/> and
+ <xref linkend="guc-ssl-crl-dir"/>, and the connection option
+ <xref linkend="libpq-connect-sslcrl"/> and
+ <xref linkend="libpq-connect-sslcrldir"/> specify a file containing one or
+ more CRL, or a directory containing a separate file for every CRL
+ respectively. Settings for CRL file and CRL directory can be specified
+ together. In the first method, file method, the all CRLs in the file is
+ loaded at server start time or by reloading config file (<command>pg_ctl
+ reload</command>). In the second method, hashed directory method, CRL
+ files are loaded on-demand, that is, only the relevant CRL files are
+ loaded at connection time.
+ </para>
+ <para>
+ The CRL file used for the file method can contain multiple CRLs, like
+ certificates, by just concatenated if it is in PEM format. In the hashed
+ directory method, every file in the directory has the name
+ with <parameter>hash</parameter>.r<parameter>N</parameter> format,
+ where <parameter>hash</parameter> is the hash value of the issuer of the
+ CRL and <parameter>N</parameter> is a sequence number that starts at
+ zero. The hash value is calculated using openssl command. In both cases
+ the CRLs from all CAs involved in a certificate chain are needed to verify
+ a certificate, even if some or all of them are empty.
+<programlisting>
+$ openssl crl -hash -noout -in foo.crl
+98668507
+$ cp foo.crl $PGDATA/crldir/98668507.r0
+</programlisting>
+ </para>
+ </sect2>
+
</sect1>
<sect1 id="gssapi-enc">
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 1e2ecc6e7a..ac471f3eeb 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -285,19 +285,22 @@ be_tls_init(bool isServerStart)
* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
*----------
*/
- if (ssl_crl_file[0])
+ if (ssl_crl_file[0] || ssl_crl_dir[0])
{
X509_STORE *cvstore = SSL_CTX_get_cert_store(context);
if (cvstore)
{
/* Set the flags to check against the complete CRL chain */
- if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1)
+ if (X509_STORE_load_locations(cvstore,
+ ssl_crl_file[0] ? ssl_crl_file : NULL,
+ ssl_crl_dir[0] ? ssl_crl_dir : NULL)
+ == 1)
{
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
- else
+ else if (ssl_crl_dir[0] == 0)
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
@@ -305,6 +308,23 @@ be_tls_init(bool isServerStart)
ssl_crl_file, SSLerrmessage(ERR_get_error()))));
goto error;
}
+ else if (ssl_crl_file[0] == 0)
+ {
+ ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("could not load SSL certificate revocation list directory \"%s\": %s",
+ ssl_crl_dir, SSLerrmessage(ERR_get_error()))));
+ goto error;
+ }
+ else
+ {
+ ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("could not load SSL certificate revocation list file \"%s\" and/or directory \"%s\":
%s",
+ ssl_crl_file, ssl_crl_dir,
+ SSLerrmessage(ERR_get_error()))));
+ goto error;
+ }
}
}
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 4cf139a223..3ad6890f70 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -42,6 +42,7 @@ char *ssl_cert_file;
char *ssl_key_file;
char *ssl_ca_file;
char *ssl_crl_file;
+char *ssl_crl_dir;
char *ssl_dh_params_file;
char *ssl_passphrase_command;
bool ssl_passphrase_command_supports_reload;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index eafdb1118e..00018abb7d 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -4355,6 +4355,16 @@ static struct config_string ConfigureNamesString[] =
NULL, NULL, NULL
},
+ {
+ {"ssl_crl_dir", PGC_SIGHUP, CONN_AUTH_SSL,
+ gettext_noop("Location of the SSL certificate revocation list directory."),
+ NULL
+ },
+ &ssl_crl_dir,
+ "",
+ NULL, NULL, NULL
+ },
+
{
{"stats_temp_directory", PGC_SIGHUP, STATS_COLLECTOR,
gettext_noop("Writes temporary statistics files to the specified directory."),
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index db6db376eb..ee06528bb0 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -101,6 +101,7 @@
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
+#ssl_crl_dir = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index a55898c85a..b41b10620a 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -82,6 +82,7 @@ extern char *ssl_cert_file;
extern char *ssl_key_file;
extern char *ssl_ca_file;
extern char *ssl_crl_file;
+extern char *ssl_crl_dir;
extern char *ssl_dh_params_file;
extern PGDLLIMPORT char *ssl_passphrase_command;
extern PGDLLIMPORT bool ssl_passphrase_command_supports_reload;
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 8ca0583aa9..db71fea169 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -317,6 +317,10 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"SSL-Revocation-List", "", 64,
offsetof(struct pg_conn, sslcrl)},
+ {"sslcrldir", "PGSSLCRLDIR", NULL, NULL,
+ "SSL-Revocation-List-Dir", "", 64,
+ offsetof(struct pg_conn, sslcrldir)},
+
{"requirepeer", "PGREQUIREPEER", NULL, NULL,
"Require-Peer", "", 10,
offsetof(struct pg_conn, requirepeer)},
@@ -3998,6 +4002,8 @@ freePGconn(PGconn *conn)
free(conn->sslrootcert);
if (conn->sslcrl)
free(conn->sslcrl);
+ if (conn->sslcrldir)
+ free(conn->sslcrldir);
if (conn->sslcompression)
free(conn->sslcompression);
if (conn->requirepeer)
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 5b4a4157d5..0fa10a23b4 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -794,7 +794,8 @@ initialize_SSL(PGconn *conn)
if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
!(conn->sslkey && strlen(conn->sslkey) > 0) ||
!(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
- !(conn->sslcrl && strlen(conn->sslcrl) > 0))
+ !((conn->sslcrl && strlen(conn->sslcrl) > 0) ||
+ (conn->sslcrldir && strlen(conn->sslcrldir) > 0)))
have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
else /* won't need it */
have_homedir = false;
@@ -936,20 +937,29 @@ initialize_SSL(PGconn *conn)
if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
{
+ char *fname = NULL;
+ char *dname = NULL;
+
if (conn->sslcrl && strlen(conn->sslcrl) > 0)
- strlcpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
- else if (have_homedir)
+ fname = conn->sslcrl;
+ if (conn->sslcrldir && strlen(conn->sslcrldir) > 0)
+ dname = conn->sslcrldir;
+
+ /* defaults to use the default CRL file */
+ if (!fname && !dname && have_homedir)
+ {
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
- else
- fnbuf[0] = '\0';
+ fname = fnbuf;
+ }
/* Set the flags to check against the complete CRL chain */
- if (fnbuf[0] != '\0' &&
- X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
+ if ((fname || dname) &&
+ X509_STORE_load_locations(cvstore, fname, dname) == 1)
{
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
+
/* if not found, silently ignore; we do not require CRL */
ERR_clear_error();
}
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 4db498369c..ce36aabd25 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -362,6 +362,7 @@ struct pg_conn
char *sslpassword; /* client key file password */
char *sslrootcert; /* root certificate filename */
char *sslcrl; /* certificate revocation list filename */
+ char *sslcrldir; /* certificate revocation list directory name */
char *requirepeer; /* required peer credentials for local sockets */
char *gssencmode; /* GSS mode (require,prefer,disable) */
char *krbsrvname; /* Kerberos service name */
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index d545382eea..80dc6efaa2 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -30,12 +30,15 @@ SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
ssl/client+client_ca.crt ssl/client-der.key \
ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
+SSLDIRS := ssl/client-crldir ssl/server-crldir \
+ ssl/root+client-crldir ssl/root+server-crldir
+
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
# This target will fail unless preceded by sslfiles-clean.
#
-sslfiles: $(SSLFILES)
+sslfiles: $(SSLFILES) $(SSLDIRS)
# OpenSSL requires a directory to put all generated certificates in. We don't
# use this for anything, but we need a location.
@@ -146,10 +149,25 @@ ssl/root+server.crl: ssl/root.crl ssl/server.crl
cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
cat $^ > $@
+ssl/root+server-crldir: ssl/server.crl ssl/root.crl
+ mkdir ssl/root+server-crldir
+ cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+ cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+ssl/root+client-crldir: ssl/client.crl ssl/root.crl
+ mkdir ssl/root+client-crldir
+ cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+ cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+ssl/server-crldir: ssl/server.crl
+ mkdir ssl/server-crldir
+ cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+ssl/client-crldir: ssl/client.crl
+ mkdir ssl/client-crldir
+ cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
.PHONY: sslfiles-clean
sslfiles-clean:
rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex*
ssl/root_ca-certindex*ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
+ rm -rf $(SSLDIRS)
clean distclean maintainer-clean:
rm -rf tmp_check
diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
new file mode 100644
index 0000000000..a667680e04
--- /dev/null
+++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
+MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
+BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
+8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
+xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
+pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
+nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
+2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
new file mode 100644
index 0000000000..a667680e04
--- /dev/null
+++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0xODEx
+MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBAhcNMTgxMTI3MTM0MDU1WjAN
+BgkqhkiG9w0BAQsFAAOCAQEAXjLxA9Qc6gAudwUHBxMIq5EHBcuNEX5e3GNlkyNf
+8I0DtHTPfJPvmAG+i6lYz//hHmmjxK0dR2ucg79XgXI/6OpDqlxS/TG1Xv52wA1p
+xz6GaJ2hC8Lk4/vbJo/Rrzme2QsI7xqBWya0JWVrehttqhFxPzWA5wID8X7G4Kb4
+pjVnzqYzn8A9FBiV9t10oZg60aVLqt3kbyy+U3pefvjhj8NmQc7uyuVjWvYZA0vG
+nnDUo4EKJzHNIYLk+EfpzKWO2XAWBLOT9SyyNCeMuQ5p/2pdAt9jtWHenms2ajo9
+2iUsHS91e3TooP9yNYuNcN8/wXY6H2Xm+dCLcEnkcr7EEw==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
new file mode 100644
index 0000000000..e879cf25a7
--- /dev/null
+++ b/src/test/ssl/ssl/root+client-crldir/a3d11bff.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
+MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
+qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
+4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
+lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
+pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
+PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
+AlO+O0a4SpYS
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0 b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
new file mode 100644
index 0000000000..e879cf25a7
--- /dev/null
+++ b/src/test/ssl/ssl/root+server-crldir/a3d11bff.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBhTBvMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBm
+b3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlFw0xODExMjcx
+MzQwNTVaFw00NjA0MTQxMzQwNTVaMA0GCSqGSIb3DQEBCwUAA4IBAQB8OSDym4/a
+qbZOrZvOOhmKrd7AJSTgAadtdK0CX3v58Ym3EmZK7gQFdBuFCXnvbue/x6avZHgz
+4pYFlJmL0IiD4QuTzsoo+LzifrmTzteO9oEJNLd2bjfEnpE5Wdaw6Yuy2Xb5edy5
+lQhNZdc8w3FiXhPOEUAi7EbdfDwn4G/fvEjpzyVb2wCujDUUePUGGayjKIM4PUu4
+pixM6gt9FFL27l47lQ3g0PbvB3TnU3oqcB3Y17FjbxjFc6AsGXholNetoEE2/49E
+PEYzOH7/PtxlZUtoCqZM+741LuI6Q7z4/P2X/IY33lMy6Iiyc41C94l/P7fCkMLG
+AlO+O0a4SpYS
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
new file mode 100644
index 0000000000..717951c26a
--- /dev/null
+++ b/src/test/ssl/ssl/root+server-crldir/a836cc2d.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
+MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
+BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
+xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
+nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
+RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
+SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
+41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+-----END X509 CRL-----
diff --git a/src/test/ssl/ssl/server-crldir/a836cc2d.r0 b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
new file mode 100644
index 0000000000..717951c26a
--- /dev/null
+++ b/src/test/ssl/ssl/server-crldir/a836cc2d.r0
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBnjCBhzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ
+b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3Qgc2VydmVyIGNlcnRzFw0xODEx
+MjcxMzQwNTVaFw00NjA0MTQxMzQwNTVaMBQwEgIBBhcNMTgxMTI3MTM0MDU1WjAN
+BgkqhkiG9w0BAQsFAAOCAQEAbVuJXemxM6HLlIHGWlQvVmsmG4ZTQWiDnZjfmrND
+xB4XsvZNPXnFkjdBENDROrbDRwm60SJDW73AbDbfq1IXAzSpuEyuRz61IyYKo0wq
+nmObJtVdIu3bVlWIlDXaP5Emk3d7ouCj5f8Kyeb8gm4pL3N6e0eI63hCaS39hhE6
+RLGh9HU9ht1kKfgcTwmB5b2HTPb4M6z1AmSIaMVqZTjIspsUgNF2+GBm3fOnOaiZ
+SEXWtgjMRXiIHbtU0va3LhSH5OSW0mh+L9oGUQDYnyuudnWGpulhqIp4qVkJRDDu
+41HpD83dV2uRtBLvc25AFHj7kXBflbO3gvGZVPYf1zVghQ==
+-----END X509 CRL-----
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 7928de4e7c..f62d26efd6 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -17,7 +17,7 @@ if ($ENV{with_ssl} ne 'openssl')
}
else
{
- plan tests => 93;
+ plan tests => 100;
}
#### Some configuration
@@ -214,6 +214,12 @@ test_connect_fails(
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
qr/SSL error/,
"CRL belonging to a different CA");
+# The same for CRL directory, fails
+test_connect_fails(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",
+ qr/SSL error/,
+ "directory CRL belonging to a different CA");
# With the correct CRL, succeeds (this cert is not revoked)
test_connect_ok(
@@ -221,6 +227,12 @@ test_connect_ok(
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
"CRL with a non-revoked cert");
+# With the correct server CRL directory, succeeds (this cert is not revoked)
+test_connect_ok(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
+ "directory CRL with a non-revoked cert");
+
# Check that connecting with verify-full fails, when the hostname doesn't
# match the hostname in the server's certificate.
$common_connstr =
@@ -346,7 +358,12 @@ test_connect_fails(
$common_connstr,
"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
qr/SSL error/,
- "does not connect with client-side CRL");
+ "does not connect with client-side CRL file");
+test_connect_fails(
+ $common_connstr,
+ "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
+ qr/SSL error/,
+ "does not connect with client-side CRL directory");
# pg_stat_ssl
command_like(
@@ -545,6 +562,16 @@ test_connect_ok(
test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt",
qr/SSL error/, "intermediate client certificate is missing");
+# test server-side CRL directory
+switch_server_cert($node, 'server-cn-only', undef, undef, 'root+client-crldir');
+
+# revoked client cert
+test_connect_fails(
+ $common_connstr,
+ "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
+ qr/SSL error/,
+ "certificate authorization fails with revoked client cert with server-side CRL directory");
+
# clean up
foreach my $key (@keys)
{
diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm
index f5987a003e..5ec5e0dac8 100644
--- a/src/test/ssl/t/SSLServer.pm
+++ b/src/test/ssl/t/SSLServer.pm
@@ -150,6 +150,8 @@ sub configure_test_server_for_ssl
copy_files("ssl/root+client_ca.crt", $pgdata);
copy_files("ssl/root_ca.crt", $pgdata);
copy_files("ssl/root+client.crl", $pgdata);
+ mkdir("$pgdata/root+client-crldir");
+ copy_files("ssl/root+client-crldir/*", "$pgdata/root+client-crldir/");
# Stop and restart server to load new listen_addresses.
$node->restart;
@@ -167,14 +169,24 @@ sub switch_server_cert
my $node = $_[0];
my $certfile = $_[1];
my $cafile = $_[2] || "root+client_ca";
+ my $crlfile = "root+client.crl";
+ my $crldir;
my $pgdata = $node->data_dir;
+ # defaults to use crl file
+ if (defined $_[3] || defined $_[4])
+ {
+ $crlfile = $_[3];
+ $crldir = $_[4];
+ }
+
open my $sslconf, '>', "$pgdata/sslconfig.conf";
print $sslconf "ssl=on\n";
print $sslconf "ssl_ca_file='$cafile.crt'\n";
print $sslconf "ssl_cert_file='$certfile.crt'\n";
print $sslconf "ssl_key_file='$certfile.key'\n";
- print $sslconf "ssl_crl_file='root+client.crl'\n";
+ print $sslconf "ssl_crl_file='$crlfile'\n" if defined $crlfile;
+ print $sslconf "ssl_crl_dir='$crldir'\n" if defined $crldir;
close $sslconf;
$node->restart;
--
2.27.0
On 2021-02-17 05:05, Kyotaro Horiguchi wrote: > The commit fe61df7f82 shot down this. > > This patch allows a new GUC ssl_crl_dir and a new libpq connection > option sslcrldir to specify CRL directory, which stores multiple files > that contains one CRL. With that method server loads only CRLs for the > CA of the certificate being validated. > > Along with rebasing, the documentation is slightly reworded. Committed this. I changed the documentation a bit. Instead of having a separate section describing the CRL options, I put that information directly into the libpq and GUC sections. Some of the information, such as that the directory files are loaded on demand, isn't so obviously useful in the libpq case, so I found that a bit confusing. Also, I got the impression that the hashed directory format is sort of internal to OpenSSL, and there are several versions of that format, so I didn't want to copy over the description of these internals. Instead, I referred to the openssl rehash/c_rehash commands for information. If we get support for non-OpenSSL providers, we'll probably have to revisit this.
Thanks for committing this! At Thu, 18 Feb 2021 08:24:23 +0100, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote in > On 2021-02-17 05:05, Kyotaro Horiguchi wrote: > > The commit fe61df7f82 shot down this. > > This patch allows a new GUC ssl_crl_dir and a new libpq connection > > option sslcrldir to specify CRL directory, which stores multiple files > > that contains one CRL. With that method server loads only CRLs for the > > CA of the certificate being validated. > > Along with rebasing, the documentation is slightly reworded. > > Committed this. > > I changed the documentation a bit. Instead of having a separate > section describing the CRL options, I put that information directly > into the libpq and GUC sections. Some of the information, such as > that the directory files are loaded on demand, isn't so obviously > useful in the libpq case, so I found that a bit confusing. Also, I Agreed. > got the impression that the hashed directory format is sort of > internal to OpenSSL, and there are several versions of that format, so > I didn't want to copy over the description of these internals. > Instead, I referred to the openssl rehash/c_rehash commands for > information. If we get support for non-OpenSSL providers, we'll > probably have to revisit this. Thanks. I'm fine with that, either. regards. -- Kyotaro Horiguchi NTT Open Source Software Center