Re: strange SSL msg

On Mon, 30 May 2011 23:06:18 -0400, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> "Jean-Yves F. Barbier" <12ukwn(at)gmail(dot)com> writes:
> > I followed the http://www.howtoforge.com/postgresql-ssl-certificates HOWTO
> > and succeeded to install SSL certificates (although pg_hba.conf line should
> > be: hostssl mydb myuser 0.0.0.0/0 cert (and not trust).)
>
> > As I didn't already test revocation, I made a: touch root.crl but at svr
> > start I've got these 2 log lines:
> > SSL certificate revocation list file "root.crl" not found, \
> > skipping: no SSL error reported
> > Certificates will not be checked against revocation list.
>
> > Is this behavior normal or not?
>
> Hmmm ... I don't see that here, on a Fedora 13 machine (openssl-1.0.0d).

Oops, sorry I forgot to tell I'm under Debian sid.

> It appears from the message that X509_STORE_load_locations is returning
> zero but not bothering to set up an OpenSSL error message. It's not
> entirely surprising that they might consider an empty file as an error,

No, it is pure missing:
I copied the client certificate id (generated in root.srl) into root.crl
and still nothing,
I also tested a copy of this file (instead a symlink) into
/var/lib/postgresql/9.0/main/,
and in /var/lib/postgresql/ (Debian postgres user home)
and also into /var/lib/postgresql/.postgresql/ !

> perhaps; but I'm thinking this might be a bug that's fixed in newer
> OpenSSL releases.

It may be that, as sid is unstable...

JY

--