From: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
---|---|
To: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
Cc: | sfrost(at)snowman(dot)net, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Is it worth accepting multiple CRLs? |
Date: | 2021-01-30 21:20:19 |
Message-ID: | 516cf19c-840b-3db6-3320-4145d49c24d8@enterprisedb.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 2021-01-19 09:32, Kyotaro Horiguchi wrote:
> At Tue, 19 Jan 2021 09:17:34 +0900 (JST), Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> wrote in
>> By the way we can do the same thing on CA file/dir, but I personally
>> think that the benefit from the specify-by-directory for CA files is
>> far less than CRL files. So I'm not going to do this for CA files for
>> now.
>
> This is it. A new guc ssl_crl_dir and connection option crldir are
> added.
This looks pretty good to me overall.
You need to update the expected result of the postgres_fdw test.
Also check your patch for whitespace errors with git diff --check or
similar.
> One problem raised upthread is the footprint for test is quite large
> because all certificate and key files are replaced by this patch. I
> think we can shrink the footprint by generating that files on-demand
> but that needs openssl frontend to be installed on the development
> environment.
I don't understand why you need to recreate all these files. All your
patch should contain are the new *.r0 files that are computed from the
existing *.crl files. Nothing else should change, AIUI.
Some of the makefile rules for generating the CRL files need some
refinement. In
+ssl/root+server-crldir: ssl/server.crl
+ mkdir ssl/root+server-crldir
+ cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout
-in ssl/server.crl`.r0
+ cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in
ssl/root.crl`.r0
+ssl/root+client-crldir: ssl/client.crl
+ mkdir ssl/root+client-crldir
+ cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout
-in ssl/client.crl`.r0
+ cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in
ssl/root.crl`.r0
the rules should also have a dependency on ssl/root.crl in addition to
ssl/server.crl.
By the way:
- print $sslconf "ssl_crl_file='root+client.crl'\n";
+ print $sslconf "ssl_crl_file='$crlfile'\n" if (defined $crlfile);
+ print $sslconf "ssl_crl_dir='$crldir'\n" if (defined $crldir);
Trailing "if" doesn't need parentheses.
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2021-01-30 21:56:09 | Re: Add primary keys to system catalogs |
Previous Message | Andrew Dunstan | 2021-01-30 21:18:12 | Re: Allow matching whole DN from a client certificate |