| From: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
|---|---|
| To: | hbhotz(at)oxy(dot)edu |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Is it worth accepting multiple CRLs? |
| Date: | 2020-08-03 09:17:56 |
| Message-ID: | 20200803.181756.829161885489632565.horikyota.ntt@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Uggg.
At Mon, 03 Aug 2020 16:19:37 +0900 (JST), Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> wrote in
> At Fri, 31 Jul 2020 05:53:53 -0700, Henry B Hotz <hbhotz(at)oxy(dot)edu> wrote in
> > A CA may issue a CRL infrequently, but issue a delta-CRL frequently. Does the logic support this properly?
>
> If you are talking about regsitering new revokations while server is
> running, it checks newer CRLs upon each lookup according to the
> documentation [1], so a new Delta-CRL can be added after server
> start. If server restart is allowed, the CRL file specified by
I didin't know that ssl files are reloaded by SIGHUP (pg_ctl
reload). So the ssl_crl_file is also reloaded on server reload.
> ssl_crl_file can contain multiple CRLs by just concatenation.
>
> [1]: https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_hash_dir.html
Still on-demand loading is the advantage of the hashed directory
method. I'll continue working..
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Anastasia Lubennikova | 2020-08-03 09:29:36 | Re: COPY FREEZE and setting PD_ALL_VISIBLE/visibility map bits |
| Previous Message | David Rowley | 2020-08-03 09:05:52 | Re: Keep elog(ERROR) and ereport(ERROR) calls in the cold path |