From: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
---|---|
To: | peter(dot)eisentraut(at)enterprisedb(dot)com |
Cc: | sfrost(at)snowman(dot)net, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Is it worth accepting multiple CRLs? |
Date: | 2021-02-17 04:05:26 |
Message-ID: | 20210217.130526.621475320443052460.horikyota.ntt@gmail.com |
Lists: | pgsql-hackers |
The commit fe61df7f82 shot down this.
This patch allows a new GUC ssl_crl_dir and a new libpq connection
option sslcrldir to specify a CRL directory, which stores multiple files
that each contain one CRL. With that method the server loads only CRLs for the
CA of the certificate being validated.
Along with rebasing, the documentation is slightly reworded.
revocation list (CRL). Certificates listed in this file, if it
exists, will be rejected while attempting to authenticate the
- server's certificate. If both sslcrl and sslcrldir are not set,
- this setting is assumed to be
+ server's certificate. If neither sslcrl sslcrldir is set, this
+ setting is assumed to be
<filename>~/.postgresql/root.crl</filename>. See
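
Review bot: The reworded sentence on the added lines is missing "nor": "If neither sslcrl sslcrldir is set" should read "If neither sslcrl nor sslcrldir is set". The two option names also appear as bare words here while the default path on the following context line is wrapped in <filename>; consider marking them up as literals so they render as parameter names and stay distinguishable from the surrounding prose.
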
And added a line for the new variable in postgresql.conf.sample.
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
Attachment | Content-Type | Size |
---|---|---|
v5-0001-Allow-to-specify-CRL-directory.patch | text/x-patch | 26.4 KB |