From: | Yi Sun <yinan81(at)gmail(dot)com> |
---|---|
To: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: ssl_crl_file Certificate Revocation List doesn't work for postgresql 11 |
Date: | 2021-12-03 07:41:51 |
Message-ID: | CABWY_HAqdnV7va7a-jDhoz5efVFDh+wyqnZeFOyJ4uyAO5AbPA@mail.gmail.com |
Lists: | pgsql-general |
Hi Kyotaro,
Thank you for your explanation. After putting the CRL file on the client, it
works now, thanks.
Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> wrote on Thu, Dec 2, 2021 at 12:46 PM:
> Hi.
>
> At Thu, 2 Dec 2021 11:31:26 +0800, Yi Sun <yinan81(at)gmail(dot)com> wrote in
> > Hi Kyotaro
> >
> > From the description, it seems ~/.postgresql/root.crl stores the client's
> > revoked certificate
>
> No. Revocation is checked on the peer. There's no point for a server
> to check for revocation of its own certificate, and actually that
> doesn't happen. Revocation of a client certificate is checked on
> server side referencing server.crl. Revocation of a server certificate
> is checked on client side referencing postgresql.crl. For example,
> some web browsers make use of CRL of web *servers*, which is
> automatically maintained in background.
>
> You will see it work if you duplicate the server.crl as
> ~/.postgresql/root.crl on the client. (I spelled this wrongly in the
> previous message.)
>
> > https://www.postgresql.org/docs/11/libpq-ssl.html
> > ~/.postgresql/root.crl: certificates revoked by certificate authorities;
> > server certificate must not be on this list
> > Just don't know why the server parameter ssl_crl_file is configured
> > but doesn't take effect
>
> As explained above, it is because the CRL specified by ssl_crl_file
> can only be used to verify client certificates.
>
> > https://www.postgresql.org/docs/11/runtime-config-connection.html#GUC-SSL-CRL-FILE
> >
> > ssl_crl_file (string)
> >
> > Specifies the name of the file containing the SSL server certificate
> > revocation list (CRL). Relative paths are relative to the data directory.
> > This parameter can only be set in the postgresql.conf file or on the
> > server command line. The default is empty, meaning no CRL file is loaded.
>
> Ah, the "server" in "SSL server certificate revocation list" looks
> like a noise word, rather misleading, or plain wrong, I'm not sure
> which one it actually is.
>
>
> Anyway, I propose to rephrase it as "SSL client certification
> revocation list" as attached.
>
> regards.
>
> --
> Kyotaro Horiguchi
> NTT Open Source Software Center
>
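The rule Kyotaro describes (the server's ssl_crl_file can only reject client certificates, while a revoked server certificate is caught by the client's root.crl) is easy to check locally with openssl. The script below is an added example, not code from this thread or from PostgreSQL; it assumes openssl is installed, and the CA, host and user names in it are constructed for the demo.

```sh
#!/bin/sh
# Added demo: a throwaway CA issues a server and a client certificate, revokes
# the client one, and both are checked against the CRL the way PostgreSQL does.
set -eu
command -v openssl >/dev/null 2>&1 || { echo 'openssl not found, skipping' >&2; exit 0; }
cd "$(mktemp -d)"
mkdir -p ca/newcerts; touch ca/index.txt; echo 1000 > ca/serial; echo 01 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = ./ca/index.txt
new_certs_dir = ./ca/newcerts
serial = ./ca/serial
crlnumber = ./ca/crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
[cn_only]
commonName = supplied
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
  -keyout ca.key -out ca.crt -subj /CN=demo-ca >/dev/null 2>&1
issue() {  # issue NAME CN: key + CSR, then a certificate signed by the demo CA
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}
issue server db.example.internal   # would be the server's ssl_cert_file
issue client app_user              # would be presented by the client (sslcert)
openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out server.crl >/dev/null 2>&1
# This CRL lists a CLIENT certificate, so only the server can act on it:
# ssl_crl_file = 'server.crl' (with ssl_ca_file = 'ca.crt') in postgresql.conf.
# A CRL for a revoked SERVER certificate belongs on the client instead, as
# ~/.postgresql/root.crl or the sslcrl connection parameter, beside root.crt.
# check CERT: succeeds only if CERT chains to ca.crt and is absent from server.crl
check() { openssl verify -crl_check -CAfile ca.crt -CRLfile server.crl "$1" >/dev/null 2>&1; }
check server.crt && echo "server.crt: valid"; check client.crt || echo "client.crt: rejected (revoked)"
```

Pointing the server at server.crl makes it refuse app_user's certificate, whereas copying that same file to the client's root.crl changes nothing for the server certificate, which is exactly what was observed in the thread.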