Unix Technical Forum

Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local

A discussion in the Pgsql Patches forum, part of the PostgreSQL category.


#1
04-18-2008, 12:36 AM
Bruce Momjian

Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local

Tom Lane wrote:
> Kris Jurka <books@ejurka.com> writes:
> > On Thu, 4 May 2006, Tom Lane wrote:
> >> Don't try to compile SSL CRL support if local SSL installation hasn't
> >> got it. Per buildfarm failure on 'canary'.
>
> > It seems a little bit dangerous to just not check the CRL without so much
> > as a warning message.
>
> [ shrug... ] Anyone who's running openssl 0.9.6, or whatever that is on
> canary, isn't expecting CRL support anyway. And all I did is restore
> the behavior we've had for lo these past many years.

The problem is that we now document that we support CRL, so either we
log if we skip it, or we have to document which versions of OpenSSL do
not support CRL (yuck).

The attached patch checks for the file, and either uses it or generates
a log message that it was skipped.

--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

Index: src/backend/libpq/be-secure.c
================================================== =================
RCS file: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v
retrieving revision 1.67
diff -c -c -r1.67 be-secure.c
*** src/backend/libpq/be-secure.c 4 May 2006 22:18:38 -0000 1.67
--- src/backend/libpq/be-secure.c 5 May 2006 18:26:37 -0000
***************
*** 795,801 ****
}
else
{
- #ifdef X509_V_FLAG_CRL_CHECK
/*
* Check the Certificate Revocation List (CRL) if file exists.
* http://searchsecurity.techtarget.com...803160,00.html
--- 795,800 ----
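Review bot: dropping the `#ifdef X509_V_FLAG_CRL_CHECK` here means the whole CRL block that follows, including the `X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL)` call, now compiles on libraries that lack the flag, so the file is opened and parsed even where it can never be consulted. That is the intent if the point is to report its presence, but the context comment `Check the Certificate Revocation List (CRL) if file exists.` no longer describes what happens on such a library; suggest rewording it to say the file is loaded, and only checked when the library defines `X509_V_FLAG_CRL_CHECK`.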
***************
*** 804,813 ****

if (cvstore)
{
if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
! /* setting the flags to check against the complete CRL chain */
! X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
else
{
/* Not fatal - we do not require CRL */
--- 803,820 ----

if (cvstore)
{
+ /* Set the flags to check against the complete CRL chain */
if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
! /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
! #ifdef X509_V_FLAG_CRL_CHECK
! X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ #else
+ ereport(LOG,
+ (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" ignored",
+ ROOT_CRL_FILE),
+ errdetail("Installed SSL library does not support CRL.")));
+ #endif
else
{
/* Not fatal - we do not require CRL */
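Review bot: the comment `/* Set the flags to check against the complete CRL chain */` has moved above the `if (X509_STORE_load_locations(...) != 0)` test, where it now describes the load rather than the `X509_STORE_set_flags` call, and the second comment plus the `#ifdef` sit between the `if` condition and its body, which compiles (both branches are a single statement) but is easy to misread next to the `else` that follows. Suggest keeping the first comment on the `X509_STORE_set_flags` line and wrapping the conditional body in braces so the `#ifdef`/`#else` is visibly inside it. Two smaller points: `OpenSSL 0.96` in the new comment should read 0.9.6, the version named in the thread; and the guard tests only `X509_V_FLAG_CRL_CHECK` while the call also uses `X509_V_FLAG_CRL_CHECK_ALL`, so either test both macros or note that they are expected to appear together. On severity, `ereport(LOG, ...)` matches the existing `/* Not fatal - we do not require CRL */` path, but here the operator has deliberately installed a CRL file and the server will proceed without consulting it, so WARNING may be the more honest level.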
***************
*** 817,823 ****
errdetail("Will not check certificates against CRL.")));
}
}
- #endif /* X509_V_FLAG_CRL_CHECK */

SSL_CTX_set_verify(SSL_context,
(SSL_VERIFY_PEER |
--- 824,829 ----
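Review bot: this `#endif /* X509_V_FLAG_CRL_CHECK */` is the close of the guard removed in the first hunk, so the two removals are consistent and the `#ifdef`/`#else`/`#endif` around `X509_STORE_set_flags` in the previous hunk is the only conditional left. The unchanged `SSL_CTX_set_verify(SSL_context, (SSL_VERIFY_PEER |` context below it shows that peer verification itself is enabled on every library; the change only decides whether revocation is consulted, which is worth stating in the commit message.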


---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?

http://www.postgresql.org/docs/faq

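The behaviour the patch is about, as an added example that is not part of the original post or of PostgreSQL: a shell script using the openssl command-line tool (rather than the C API the patch calls) builds a throwaway CA, issues and revokes a server certificate, then verifies it with and without CRL checking. The `-crl_check` option is the CLI form of the `X509_V_FLAG_CRL_CHECK` flag the patch passes to `X509_STORE_set_flags`, and the `crl_supported` probe plays the role of the patch's `#ifdef`. The subject names (`Demo Root CA`, `db.example.test`), the config section names and the scratch directory layout are invented for the demo; it assumes an `openssl` binary of 1.0.2 or later, which is when `verify -CRLfile` appeared.

```shell
#!/bin/sh
# Added example, not part of the PostgreSQL patch above: build a throwaway CA,
# issue a server certificate, revoke it, and show that OpenSSL only rejects the
# revoked certificate when CRL checking is switched on.  "-crl_check" is the
# CLI form of the X509_V_FLAG_CRL_CHECK flag the patch sets.  All names below
# are made up for the demo.
set -eu

# Does this OpenSSL build expose CRL checking at all?  CLI counterpart of the
# patch's "#ifdef X509_V_FLAG_CRL_CHECK": succeeds if "openssl verify" knows
# the option, fails on a build without CRL support.
crl_supported() {
    openssl verify -help 2>&1 | grep -q -- '-crl_check'
}

# make_demo_pki DIR: create a self-signed CA, a server certificate signed by
# it, then revoke that certificate and write the CRL to DIR/root.crl (the
# file name PostgreSQL reads its server-side CRL from).
make_demo_pki() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"          # empty CA database, required by "openssl ca"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
    openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 365 \
        -subj "/CN=Demo Root CA" >/dev/null 2>&1
    openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=db.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -out "$dir/server.crt" >/dev/null 2>&1
    # Revoke the freshly issued certificate and publish the CRL.
    openssl ca -config "$dir/openssl.cnf" -revoke "$dir/server.crt" >/dev/null 2>&1
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/root.crl" >/dev/null 2>&1
}

# verify_server DIR MODE: print "accepted" or "rejected".
#   nocrl - trust store loaded, no CRL flag (what an old library falls back to)
#   crl   - CRL loaded and -crl_check set (X509_V_FLAG_CRL_CHECK behaviour)
verify_server() {
    dir=$1; mode=$2; rc=0
    if [ "$mode" = crl ]; then
        openssl verify -CAfile "$dir/ca.crt" -CRLfile "$dir/root.crl" \
            -crl_check "$dir/server.crt" >/dev/null 2>&1 || rc=$?
    else
        openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || rc=$?
    fi
    [ "$rc" -eq 0 ] && echo accepted || echo rejected
}

# Demo run: the same revoked certificate passes without the flag and fails with it.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "without CRL check: $(verify_server "$demo_dir" nocrl)"
if crl_supported; then
    echo "with CRL check:    $(verify_server "$demo_dir" crl)"
else
    echo "this OpenSSL has no CRL checking; root.crl would be loaded but never consulted"
fi
rm -rf "$demo_dir"
```

Run it as `sh crl-demo.sh`. The two lines it prints show the same revoked certificate accepted without the flag and rejected with it, which is what a postmaster linked against a library without `X509_V_FLAG_CRL_CHECK` does quietly, and is the situation the patch tries to make visible in the log.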
#2
04-18-2008, 12:36 AM
Tom Lane

Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local

Bruce Momjian <pgman@candle.pha.pa.us> writes:
> The attached patch checks for the file, and either uses it or generates
> a log message that it was skipped.

I still can't get excited about this. Who will it help? The DBA who is
silly enough to think his ancient SSL library supports CRL is probably
also silly enough not to read the postmaster log carefully. It would
make a whole lot more sense just to document that OpenSSL < whatever
doesn't support CRL.

regards, tom lane

#3
04-18-2008, 12:36 AM
Bruce Momjian

Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support
Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > The attached patch checks for the file, and either uses it or generates
> > a log message that it was skipped.
>
> I still can't get excited about this. Who will it help? The DBA who is
> silly enough to think his ancient SSL library supports CRL is probably
> also silly enough not to read the postmaster log carefully. It would
> make a whole lot more sense just to document that OpenSSL < whatever
> doesn't support CRL.

Why hard-code something if we can dynamically report it, and NetBSD 2.0
isn't that old.

--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
