Thread: Is ssl_crl_file "SSL server cert revocation list"?

Is ssl_crl_file "SSL server cert revocation list"?

From
Kyotaro Horiguchi
Date:
As discussed in the thread [1], I find the wording "SSL server
certificate revocation list" as misleading or plain wrong.

I used to read it as "SSL server certificate (of PostgreSQL client)
revocation list" but I find it misleading-ish from fresh eyes. So I'd
like to propose a change of the doc as attached.

What do you think about this?

[1] https://www.postgresql.org/message-id/20211202.134619.1052008069537649171.horikyota.ntt%40gmail.com

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index ab617c7b86..4ac617615c 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1248,7 +1248,7 @@ include_dir 'conf.d'
       </term>
       <listitem>
        <para>
-        Specifies the name of the file containing the SSL server certificate
+        Specifies the name of the file containing the SSL client certificate
         revocation list (CRL).
         Relative paths are relative to the data directory.
         This parameter can only be set in the <filename>postgresql.conf</filename>
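Review bot: the new wording on the '+' line ("SSL client certificate revocation list") is the right direction for a server-side parameter in config.sgml, but the phrase can still be read as a list that belongs to the client; consider stating the role directly, e.g. "the certificate revocation list (CRL) used to check client certificates", so the reader knows this list is applied to certificates presented by connecting clients.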
@@ -1267,7 +1267,7 @@ include_dir 'conf.d'
       </term>
       <listitem>
        <para>
-        Specifies the name of the directory containing the SSL server
+        Specifies the name of the directory containing the SSL client
         certificate revocation list (CRL).  Relative paths are relative to the
         data directory.  This parameter can only be set in
         the <filename>postgresql.conf</filename> file or on the server command
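Review bot: the ssl_crl_dir '+' line keeps the singular "certificate revocation list (CRL)" even though the parameter names a directory that holds CRL files rather than one list; consider "directory containing SSL client certificate revocation list (CRL) files" so the wording stays parallel with ssl_crl_file above while reflecting that a directory is being named.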
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index c17d33a54f..eb3a0c6b55 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1742,11 +1742,10 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <term><literal>sslcrl</literal></term>
       <listitem>
        <para>
-        This parameter specifies the file name of the SSL certificate
+        This parameter specifies the file name of the SSL server certificate
         revocation list (CRL).  Certificates listed in this file, if it
-        exists, will be rejected while attempting to authenticate the
-        server's certificate.  If neither
-        <xref linkend='libpq-connect-sslcrl'/> nor
+        exists, will be rejected while attempting to authenticate the server's
+        certificate.  If neither <xref linkend='libpq-connect-sslcrl'/> nor
         <xref linkend='libpq-connect-sslcrldir'/> is set, this setting is
         taken as
         <filename>~/.postgresql/root.crl</filename>.
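Review bot: the second '-'/'+' pair in this hunk is a pure re-wrap; the sentence "exists, will be rejected while attempting to authenticate the server's certificate. If neither ... nor" is unchanged apart from line breaks. Keep whitespace-only reflows out of a wording patch so the reviewable change is the single added word "server" on the first '+' line, which correctly matches the "authenticate the server's certificate" sentence that follows.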
@@ -1758,9 +1757,9 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <term><literal>sslcrldir</literal></term>
       <listitem>
        <para>
-        This parameter specifies the directory name of the SSL certificate
-        revocation list (CRL).  Certificates listed in the files in this
-        directory, if it exists, will be rejected while attempting to
+        This parameter specifies the directory name of the SSL server
+        certificate revocation list (CRL).  Certificates listed in the files
+        in this directory, if it exists, will be rejected while attempting to
         authenticate the server's certificate.
        </para>
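Review bot: the three replaced lines in the sslcrldir hunk differ from the originals only by the inserted word "server" plus re-wrapping; restoring the original line breaks would reduce the diff to the one-word change. The added "server" is consistent with the unchanged context line "authenticate the server's certificate", so the substantive change itself is correct.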


Re: Is ssl_crl_file "SSL server cert revocation list"?

From
Kyotaro Horiguchi
Date:
At Thu, 02 Dec 2021 13:54:41 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in 
> As discussed in the thread [1], I find the wording "SSL server
> certificate revocation list" as misleading or plain wrong.

FWIW, I'm convinced that that's plain wrong after finding some
occurrences of "(SSL) client certificate" in the doc.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center



Re: Is ssl_crl_file "SSL server cert revocation list"?

From
Daniel Gustafsson
Date:
> On 2 Dec 2021, at 06:07, Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote:
>
> At Thu, 02 Dec 2021 13:54:41 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
>> As discussed in the thread [1], I find the wording "SSL server
>> certificate revocation list" as misleading or plain wrong.
>
> FWIW, I'm convinced that that's plain wrong after finding some
> occurrences of "(SSL) client certificate" in the doc.

I agree with this, the concepts have been a bit muddled.

While in there I noticed that we omitted mentioning sslcrldir in a few cases.
The attached v2 adds these and removes the whitespace changes from your patch
for easier review.

--
Daniel Gustafsson        https://vmware.com/



Re: Is ssl_crl_file "SSL server cert revocation list"?

From
Peter Eisentraut
Date:
On 02.12.21 10:42, Daniel Gustafsson wrote:
>> On 2 Dec 2021, at 06:07, Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote:
>>
>> At Thu, 02 Dec 2021 13:54:41 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
>>> As discussed in the thread [1], I find the wording "SSL server
>>> certificate revocation list" as misleading or plain wrong.
>>
>> FWIW, I'm convinced that that's plain wrong after finding some
>> occurrences of "(SSL) client certificate" in the doc.
> 
> I agree with this, the concepts have been a bit muddled.
> 
> While in there I noticed that we omitted mentioning sslcrldir in a few cases.
> The attached v2 adds these and removes the whitespace changes from your patch
> for easier review.

This change looks correct to me.



Re: Is ssl_crl_file "SSL server cert revocation list"?

From
Daniel Gustafsson
Date:
> On 2 Dec 2021, at 16:04, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:

> This change looks correct to me.

Thanks for review, I've pushed this backpatched (in part) down to 10.

--
Daniel Gustafsson        https://vmware.com/




Re: Is ssl_crl_file "SSL server cert revocation list"?

From
Kyotaro Horiguchi
Date:
At Fri, 3 Dec 2021 14:32:54 +0100, Daniel Gustafsson <daniel@yesql.se> wrote in 
> > On 2 Dec 2021, at 16:04, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:
> 
> > This change looks correct to me.
> 
> Thanks for review, I've pushed this backpatched (in part) down to 10.

Thanks for revising and committing this.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center