I am now wondering if fe-secure.c, the front-end code, should also check for "root.crl". The attached patch implements it. Is it a good idea?

Also, if you look in interfaces/libpq/fe-secure.c at some NOT_USED macros you can see there are a few things we don't implement. Can that be improved?

---------------------------------------------------------------------------

> Patch adjusted and applied. Thanks.
>
> I added documentation about SSL Certificate Revocation List (CRL) files.
>
> We throw a log message if "root.crl" does exist. Perhaps we should just
> silently say nothing, but that seems dangerous.
>
> ---------------------------------------------------------------------------
>
>
> Libor Hohoš wrote:
> > Hello PG folks,
> > the attachment contains a simple patch adding verification of
> > client's certificate(s) against CRL on server side in mutual SSL authentication.
> > The CRL file has name "root.crl" and it must be stored in PGDATA
> > directory.

--
Bruce Momjian   http://candle.pha.pa.us
EnterpriseDB    http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup.
+ Index: src/interfaces/libpq/fe-secure.c ================================================== ================= RCS file: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v retrieving revision 1.79 diff -c -c -r1.79 fe-secure.c *** src/interfaces/libpq/fe-secure.c 27 Apr 2006 14:02:36 -0000 1.79 --- src/interfaces/libpq/fe-secure.c 27 Apr 2006 14:08:18 -0000 *************** *** 125,135 **** --- 125,137 ---- #define USER_CERT_FILE ".postgresql/postgresql.crt" #define USER_KEY_FILE ".postgresql/postgresql.key" #define ROOT_CERT_FILE ".postgresql/root.crt" + #define ROOT_CRL_FILE ".postgresql/root.crl" #else /* On Windows, the "home" directory is already PostgreSQL-specific */ #define USER_CERT_FILE "postgresql.crt" #define USER_KEY_FILE "postgresql.key" #define ROOT_CERT_FILE "root.crt" + #define ROOT_CRL_FILE "root.crl" #endif #ifdef NOT_USED *************** *** 784,789 **** --- 786,793 ---- snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE); if (stat(fnbuf, &buf) == 0) { + X509_STORE *cvstore; + if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL)) { char *err = SSLerrmessage(); *************** *** 795,800 **** --- 799,813 ---- return -1; } + if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL) + { + if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) + /* setting the flags to check against the complete CRL chain */ + X509_STORE_set_flags(cvstore, + X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); + /* if not found, silently ignore; we do not require CRL */ + } + SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb); } } ---------------------------(end of broadcast)--------------------------- TIP 6: explain analyze is your friend |
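Review bot: the new ROOT_CRL_FILE names in the first hunk (".postgresql/root.crl" on Unix, "root.crl" on Windows) are a user-visible interface and need an entry in the libpq SSL documentation next to root.crt, stating that the file is optional and where it is looked up; the message above only mentions documentation for the server-side root.crl in PGDATA, so the client side would otherwise ship undocumented.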
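Review bot: in the third hunk, `X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL)` passes the bare macro, i.e. the relative path ".postgresql/root.crl", whereas the root.crt branch just above builds the real path with `snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE)`; as written the CRL is searched relative to the client process's working directory rather than the user's home directory, so it will normally not be found and revocation checking is silently skipped. Build the path with homedir the same way before the call. The comment `/* if not found, silently ignore; we do not require CRL */` also promises more than the code can tell: X509_STORE_load_locations returns 0 both when the file is absent and when it exists but cannot be parsed, so a corrupt or truncated root.crl switches revocation checking off without any message. stat() the file first as the root.crt code does, treat a missing file as "no CRL", and fail when the file is present but cannot be loaded, which is what the backend does according to the message above. Lastly, X509_V_FLAG_CRL_CHECK_ALL makes OpenSSL require a CRL for every CA in the chain, not just the leaf's issuer, so a server certificate issued through an intermediate CA will fail to verify unless root.crl also carries the intermediate's CRL; either document that or use X509_V_FLAG_CRL_CHECK alone.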
Bruce Momjian wrote:
> I am now wondering if fe-secure.c, the front-end code, should also check
> for "root.crl". The attached patch implements it.

Updated patch attached and applied. It adds CRL checking to libpq. It returns an error if the CRL file exists, but the library can't process it, just like the backend.

--
Bruce Momjian   http://candle.pha.pa.us
EnterpriseDB    http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
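The root.crt / root.crl pair this thread is about can be produced and exercised with the openssl command line before pointing libpq or the server at it. The script below is an added example, not code from the thread or from PostgreSQL: it builds a throwaway CA, signs one client certificate, publishes a CRL, revokes the certificate, regenerates the CRL and verifies the certificate in both states with `openssl verify -crl_check`. It assumes the `openssl` CLI (1.1.1 or later); the subject names (demo-root, alice), the temporary directory layout and the config section names are all made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL: build a throwaway
# CA with the openssl CLI, issue one client certificate, publish a CRL, revoke
# the certificate and re-check. root.crt and root.crl here play the roles of
# ~/.postgresql/root.crt and ~/.postgresql/root.crl on the libpq side (or
# $PGDATA/root.crl on the server). Every name below (demo-root, alice, the
# config section names) is invented for the demo.
set -eu

# Lay out the directory and config that `openssl ca` needs, mint the root and
# sign one client certificate through the CA so its serial lands in index.txt.
# Prints the working directory.
crl_demo_setup() {
    work=$(mktemp -d)
    mkdir -p "$work/ca/newcerts"
    : > "$work/ca/index.txt"
    echo 1000 > "$work/ca/serial"
    echo 01 > "$work/ca/crlnumber"
    cat > "$work/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $work/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/root.crt
private_key      = \$dir/root.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
EOF
    # Self-signed root CA (what a libpq user copies to ~/.postgresql/root.crt).
    openssl req -x509 -config "$work/ca.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$work/ca/root.key" -out "$work/ca/root.crt" \
        -subj "/CN=demo-root" -days 365 \
        -addext "basicConstraints=critical,CA:TRUE" >/dev/null 2>&1
    # Client key and CSR, then a CA-signed certificate.
    openssl req -new -config "$work/ca.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$work/client.key" -out "$work/client.csr" \
        -subj "/CN=alice" >/dev/null 2>&1
    openssl ca -batch -config "$work/ca.cnf" -notext \
        -in "$work/client.csr" -out "$work/client.crt" >/dev/null 2>&1
    echo "$work"
}

# (Re)generate root.crl from the CA database; run after every revocation.
crl_demo_gencrl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca/root.crl" >/dev/null 2>&1
}

# Check the client certificate against root.crt plus root.crl with CRL
# checking on (the CLI equivalent of X509_V_FLAG_CRL_CHECK). Prints "ok" and
# returns 0 when the chain verifies, prints "rejected" and returns 1 otherwise.
crl_demo_verify() {
    if openssl verify -crl_check -CAfile "$1/ca/root.crt" \
            -CRLfile "$1/ca/root.crl" "$1/client.crt" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo rejected
    return 1
}

# Mark the client certificate revoked in index.txt (the published CRL is
# unchanged until crl_demo_gencrl is run again).
crl_demo_revoke() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/client.crt" >/dev/null 2>&1
}

# Stand-alone run: accepted before revocation, rejected after.
work=$(crl_demo_setup)
crl_demo_gencrl "$work"
crl_demo_verify "$work"          # ok
crl_demo_revoke "$work"
crl_demo_gencrl "$work"
crl_demo_verify "$work" || true  # rejected
rm -rf "$work"
```

`-crl_check` consults only the CRL of the certificate's own issuer, which is enough for a leaf signed directly by root.crt as here; the patch also sets X509_V_FLAG_CRL_CHECK_ALL, whose CLI counterpart is `-crl_check_all`, and with that flag a CRL for every CA in the chain must be present in root.crl or verification fails even for unrevoked certificates.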