diff options
| author | Peter Eisentraut <peter@eisentraut.org> | 2021-02-18 07:59:10 +0100 |
|---|---|---|
| committer | Peter Eisentraut <peter@eisentraut.org> | 2021-02-18 07:59:10 +0100 |
| commit | f5465fade90827534fbd0b795d18dc62e56939e9 (patch) | |
| tree | 71a2cc9b6804e78c2b2911f1c7426d096c9ca7af /src/backend/libpq/be-secure-openssl.c | |
| parent | 128dd901a5c87e11c6a8cbe227a806cdc3afd10d (diff) | |
Allow specifying CRL directory
Add another method to specify CRLs, hashed directory method, for both
server and client side. This offers a means for server or libpq to
load only CRLs that are required to verify a certificate. The CRL
directory is specifed by separate GUC variables or connection options
ssl_crl_dir and sslcrldir, alongside the existing ssl_crl_file and
sslcrl, so both methods can be used at the same time.
Author: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Discussion: https://www.postgresql.org/message-id/flat/20200731.173911.904649928639357911.horikyota.ntt@gmail.com
Diffstat (limited to 'src/backend/libpq/be-secure-openssl.c')
| -rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 1e2ecc6e7ab..4c4f025eb1a 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -285,19 +285,22 @@ be_tls_init(bool isServerStart) * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html *---------- */ - if (ssl_crl_file[0]) + if (ssl_crl_file[0] || ssl_crl_dir[0]) { X509_STORE *cvstore = SSL_CTX_get_cert_store(context); if (cvstore) { /* Set the flags to check against the complete CRL chain */ - if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1) + if (X509_STORE_load_locations(cvstore, + ssl_crl_file[0] ? ssl_crl_file : NULL, + ssl_crl_dir[0] ? ssl_crl_dir : NULL) + == 1) { X509_STORE_set_flags(cvstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); } - else + else if (ssl_crl_dir[0] == 0) { ereport(isServerStart ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), @@ -305,6 +308,23 @@ be_tls_init(bool isServerStart) ssl_crl_file, SSLerrmessage(ERR_get_error())))); goto error; } + else if (ssl_crl_file[0] == 0) + { + ereport(isServerStart ? FATAL : LOG, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("could not load SSL certificate revocation list directory \"%s\": %s", + ssl_crl_dir, SSLerrmessage(ERR_get_error())))); + goto error; + } + else + { + ereport(isServerStart ? FATAL : LOG, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("could not load SSL certificate revocation list file \"%s\" or directory \"%s\": %s", + ssl_crl_file, ssl_crl_dir, + SSLerrmessage(ERR_get_error())))); + goto error; + } } } |