Re: File format for SSL CRL file

Excerpts from Greg Smith's message of lun jul 02 20:30:07 -0400 2012:
> A documentation comment came in recently about ssl-tcp.html not
> specifying what format is expected for the CRL file. Seems like
> something that could be described better now that I look at it, so I'm
> passing that along with just wording edits from me; this is from user
> "oneironautics":
>
> The root.crl needs to be in PEM (and not DER) format. If a certificate
> file exists but is the wrong type, you will be told it cannot find the
> file when it exists, with this sort of error in the log:
>
> LOG: SSL certificate revocation list file "root.crl" not found,
> skipping: no SSL error reported

HEAD is different in this area -- it dies with a FATAL instead of just
skipping it.

Also, the error message seems rather poor. Maybe the code should call
X509_STORE_CTX_get_error() instead of SSLerrmessage (which calls
ERR_get_error; apparently not the right thing to do).

--
Álvaro Herrera <alvherre(at)commandprompt(dot)com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support