From: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
---|---|
To: | peter(dot)eisentraut(at)enterprisedb(dot)com |
Cc: | sfrost(at)snowman(dot)net, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Is it worth accepting multiple CRLs? |
Date: | 2021-01-19 08:32:00 |
Message-ID: | 20210119.173200.1687041891704633506.horikyota.ntt@gmail.com |
Lists: | pgsql-hackers |
At Tue, 19 Jan 2021 09:17:34 +0900 (JST), Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> wrote in
> By the way we can do the same thing on CA file/dir, but I personally
> think that the benefit from the specify-by-directory for CA files is
> far less than CRL files. So I'm not going to do this for CA files for
> now.

This is it. A new GUC ssl_crl_dir and connection option crldir are
added.

One problem raised upthread is that the footprint for the test is quite
large because all certificate and key files are replaced by this patch. I
think we can shrink the footprint by generating those files on demand,
but that needs the openssl frontend to be installed on the development
environment.

If we agree on that requirement, I'm going to go in that direction.

regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
Attachment | Content-Type | Size |
---|---|---|
v3-0001-Allow-to-specify-CRL-directory.patch | text/x-patch | 75.0 KB |