| From: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
|---|---|
| To: | sfrost(at)snowman(dot)net |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Is it worth accepting multiple CRLs? |
| Date: | 2020-08-04 08:37:08 |
| Message-ID: | 20200804.173708.930007886231591254.horikyota.ntt@gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
At Mon, 03 Aug 2020 16:20:40 +0900 (JST), Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> wrote in
> Thanks for the opinion. I'll continue working on this.
This is it, but..
Looking closer I realized that certificates are verified in each
backend so CRL cache doesn't work at all for the hashed directory
method. Therefore, all CRL files relevant to a certificate to be
verfied are loaded every time a backend starts.
The only advantage of this is avoiding irrelevant CRLs from being
loaded in exchange of loading relevant CRLs at every session
start. Session startup gets slower by many delta CRLs from the same
CA.
Seems far from promising.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
| Attachment | Content-Type | Size |
|---|---|---|
| v1-0001-Allow-directory-name-for-GUC-ssl_crl_file-and-con.patch | text/x-patch | 15.5 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kyotaro Horiguchi | 2020-08-04 08:41:12 | Re: SSL TAP test fails due to default client certs. |
| Previous Message | Konstantin Knizhnik | 2020-08-04 08:22:13 | LSM tree for Postgres |