Re: File format for SSL CRL file

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc: Greg Smith <greg(at)2ndquadrant(dot)com>, Pg Docs <pgsql-docs(at)postgresql(dot)org>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: File format for SSL CRL file
Date: 2012-07-03 08:01:02
Message-ID: CABUevEzqmvxzrZakm4BwECPXDw2ZMHoj0AJKxUS5M=5OybEynA@mail.gmail.com
Lists: pgsql-docs, pgsql-hackers

On Tuesday, July 3, 2012, Alvaro Herrera wrote:

>
> Excerpts from Greg Smith's message of lun jul 02 20:30:07 -0400 2012:
> > A documentation comment came in recently about ssl-tcp.html not
> > specifying what format is expected for the CRL file.  Seems like
> > something that could be described better now that I look at it, so I'm
> > passing that along with just wording edits from me; this is from user
> > "oneironautics":
> >
> > The root.crl needs to be in PEM (and not DER) format.  If a certificate
> > file exists but is the wrong type, you will be told it cannot find the
> > file when it exists, with this sort of error in the log:
> >
> > LOG:  SSL certificate revocation list file "root.crl" not found,
> > skipping: no SSL error reported
>
> HEAD is different in this area -- it dies with a FATAL instead of just
> skipping it.
>

Yes, and if somebody forgot, that was an intentional change :)


> Also, the error message seems rather poor.  Maybe the code should call
> X509_STORE_CTX_get_error() instead of SSLerrmessage (which calls
> ERR_get_error; apparently not the right thing to do).
>

I don't see how that would work - X509_STORE_CTX_get_error() takes an
X509_STORE_CTX as parameter, and we don't have one of those.

And unfortunately the function we use to load the store seems to be
undocumented, so it's hard to know what we're supposed to use..

(I do agree we should try to figure out a better error message, of course..)

//Magnus



-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
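
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original message or of PostgreSQL's code: it classifies a CRL file's contents as PEM or DER by outer structure alone (no signature or field validation) and re-wraps DER as PEM. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# PEM armor used for CRLs (label "X509 CRL").
PEM_CRL_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s+(.*?)-----END X509 CRL-----", re.DOTALL)


def der_outer_length(data: bytes):
    """Return the total length of the outermost DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def crl_format(data: bytes) -> str:
    """Classify CRL file contents as 'pem', 'der' or 'unknown'."""
    m = PEM_CRL_RE.search(data)
    if m:
        try:
            body = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:                    # binascii.Error subclasses ValueError
            return "unknown"
        return "pem" if der_outer_length(body) == len(body) else "unknown"
    return "der" if der_outer_length(data) == len(data) else "unknown"


def der_to_pem(data: bytes) -> bytes:
    """Wrap DER bytes in CRL PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN X509 CRL-----\n" + b"\n".join(lines)
            + b"\n-----END X509 CRL-----\n")


# Constructed sample: a DER SEQUENCE header plus filler bytes, not a real CRL.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)

if __name__ == "__main__":
    print(crl_format(SAMPLE_DER))
    print(crl_format(der_to_pem(SAMPLE_DER)))
```

The re-wrapping done by `der_to_pem` corresponds to what `openssl crl -inform DER -outform PEM` produces for a DER-encoded CRL.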
