Re: Is it worth accepting multiple CRLs?

From: Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>
To: peter(dot)eisentraut(at)enterprisedb(dot)com
Cc: sfrost(at)snowman(dot)net, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Is it worth accepting multiple CRLs?
Date: 2021-01-19 00:17:34
Message-ID: 20210119.091734.2050908166228453830.horikyota.ntt@gmail.com
Lists: pgsql-hackers

At Fri, 15 Jan 2021 08:56:27 +0100, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> wrote in
> On 2020-08-31 11:03, Kyotaro Horiguchi wrote:
> > At Tue, 18 Aug 2020 16:43:47 +0900 (JST), Kyotaro Horiguchi
> > <horikyota(dot)ntt(at)gmail(dot)com> wrote in
> >> Thank you very much. I'll do that after some polishing.
> >>
> >> A near-by discussion about OpenSSL3.0 conflicts with this but it's
> >> easy to follow.
> > Rebased. Fixed bogus tests and strange tentative API change of
> > SSLServer.pm. Corrected a (maybe) spelling mistake. I'm going to
> > register this to the coming CF.
>
> Other systems that offer both a CRL file and a CRL directory usually
> specify those using two separate configuration settings. Examples:
>
> https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_ssl_crlpath
> https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationpath
>
> These are then presumably both passed to X509_STORE_load_locations(),
> which supports specifying a file and directory concurrently.
>
> I think that would be a preferable approach. In practical terms, it
> would allow a user to introduce the directory method gradually without
> having to convert the existing CRL file at the same time.

Thank you for the information. The only reason for sharing the same
variable for both file and directory is to avoid an additional variable
only for this reason. I'll post a new version where a new GUC
ssl_crl_path is added.

By the way, we can do the same thing for the CA file/dir, but I personally
think that the benefit of specify-by-directory for CA files is
far less than for CRL files. So I'm not going to do this for CA files for
now.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center
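Added illustration, not code from this thread or from PostgreSQL: the same file-plus-directory CRL loading done through Python's `ssl` module, whose `load_verify_locations(cafile, capath)` wraps the OpenSSL call named above. The hashed-name check reflects how OpenSSL's directory lookup finds CRLs (`<hash>.rN`, as written by `openssl rehash`); the sample directory contents are constructed.

```python
import os
import re
import ssl
import tempfile

# OpenSSL's directory lookup (X509_LOOKUP_hash_dir) only opens CRLs whose file
# name is <8-hex-digit issuer-name hash>.r<N>, as produced by "openssl rehash";
# any other file in the directory is silently ignored.
_HASHED_CRL_NAME = re.compile(r"^[0-9a-f]{8}\.r\d+$")


def unreachable_crl_files(crl_dir):
    """Return files in crl_dir that the hashed-directory lookup will never load."""
    return sorted(
        name for name in os.listdir(crl_dir)
        if os.path.isfile(os.path.join(crl_dir, name))
        and not _HASHED_CRL_NAME.match(name)
    )


def build_context(ca_file=None, crl_file=None, crl_dir=None):
    """Server context that takes CRLs from a file, a directory, or both.

    load_verify_locations(cafile, capath) maps onto OpenSSL's
    X509_STORE_load_locations(), so a CRL file and a CRL directory can be
    given together; that is what allows a gradual file-to-directory move.
    """
    if crl_file is None and crl_dir is None:
        raise ValueError("at least one of crl_file or crl_dir is required")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    # Both CRL sources land in the same X509_STORE; either may be None.
    ctx.load_verify_locations(cafile=crl_file, capath=crl_dir)
    # Loaded CRLs are not consulted until CRL checking is switched on.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def make_demo_crl_dir():
    """Constructed sample directory: one hashed CRL name and one stray file."""
    d = tempfile.mkdtemp(prefix="crl_dir_")
    for name in ("1a2b3c4d.r0", "issuer.crl"):
        open(os.path.join(d, name), "w").close()
    return d
```

Running `unreachable_crl_files()` over a freshly populated directory is the check to do before switching the setting on, since a CRL dropped in under its original name is never consulted.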
