Commit e747f493 authored by Bruce Momjian's avatar Bruce Momjian

Add support for SSL Certificate Revocation List (CRL) files, root.crl.

Libor Hoho?
parent 1a84275a
<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.370 2006/04/11 21:04:52 momjian Exp $ --> <!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.371 2006/04/27 02:29:14 momjian Exp $ -->
<chapter Id="runtime"> <chapter Id="runtime">
<title>Operating System Environment</title> <title>Operating System Environment</title>
...@@ -1553,7 +1553,9 @@ chmod og-rwx server.key ...@@ -1553,7 +1553,9 @@ chmod og-rwx server.key
the file <filename>root.crt</filename> in the data directory. When the file <filename>root.crt</filename> in the data directory. When
present, a client certificate will be requested from the client present, a client certificate will be requested from the client
during SSL connection startup, and it must have been signed by one of the during SSL connection startup, and it must have been signed by one of the
certificates present in <filename>root.crt</filename>. certificates present in <filename>root.crt</filename>. Certificate
Revocation List (CRL) entries are also checked if the file
<filename>root.crl</filename> exists.
</para> </para>
<para> <para>
...@@ -1564,9 +1566,9 @@ chmod og-rwx server.key ...@@ -1564,9 +1566,9 @@ chmod og-rwx server.key
<para> <para>
The files <filename>server.key</>, <filename>server.crt</>, The files <filename>server.key</>, <filename>server.crt</>,
and <filename>root.crt</filename> are only examined during server <filename>root.crt</filename>, and <filename>root.crl</filename>
start; so you must restart the server to make changes in them take are only examined during server start; so you must restart
effect. the server to make changes in them take effect.
</para> </para>
</sect1> </sect1>
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.63 2006/03/21 18:18:35 neilc Exp $ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.64 2006/04/27 02:29:14 momjian Exp $
* *
* Since the server static private key ($DataDir/server.key) * Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database * will normally be stored unencrypted so that the database
...@@ -102,6 +102,7 @@ ...@@ -102,6 +102,7 @@
#ifdef USE_SSL #ifdef USE_SSL
#define ROOT_CERT_FILE "root.crt" #define ROOT_CERT_FILE "root.crt"
#define ROOT_CRL_FILE "root.crl"
#define SERVER_CERT_FILE "server.crt" #define SERVER_CERT_FILE "server.crt"
#define SERVER_PRIVATE_KEY_FILE "server.key" #define SERVER_PRIVATE_KEY_FILE "server.key"
...@@ -794,6 +795,28 @@ initialize_SSL(void) ...@@ -794,6 +795,28 @@ initialize_SSL(void)
} }
else else
{ {
/*
* Check the Certificate Revocation List (CRL) if file exists.
* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
*/
X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
if (cvstore)
{
if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
/* setting the flags to check against the complete CRL chain */
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
else
{
/* Not fatal - we do not require CRL */
ereport(LOG,
(errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s",
ROOT_CRL_FILE, SSLerrmessage()),
errdetail("Will not check certificates against CRL.")));
}
}
SSL_CTX_set_verify(SSL_context, SSL_CTX_set_verify(SSL_context,
(SSL_VERIFY_PEER | (SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
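Review bot: The else branch after `X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL)` treats every load failure as "file not found" and continues with revocation checking disabled, but that call also fails when root.crl is present and unreadable or malformed, so a corrupted CRL silently turns the feature off while the log claims the file is merely absent. A present-but-unloadable CRL should stop startup the same way a bad server certificate does in this function, and only a genuinely missing file should fall through to the LOG message; the sketch below checks existence with `access()` to tell the two apart. The `cvstore == NULL` case likewise skips CRL checking with no message at all; a one-line `ereport(LOG, ...)` there would make the outcome visible. The enclosing initialize_SSL() starts and ends outside the hunk.
```c
X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
if (cvstore)
{
    if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
    {
        /* setting the flags to check against the complete CRL chain */
        X509_STORE_set_flags(cvstore,
                             X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
    }
    else if (access(ROOT_CRL_FILE, F_OK) == 0)
    {
        /* File is present but unusable: refuse to start rather than
         * silently disable revocation checking. */
        ereport(FATAL,
                (errmsg("could not load SSL Certificate Revocation List (CRL) file \"%s\": %s",
                        ROOT_CRL_FILE, SSLerrmessage())));
    }
    else
    {
        /* … unchanged: LOG "not found, skipping" report … */
    }
}
```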