Re: Is it worth accepting multiple CRLs?

From: Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>
To: peter(dot)eisentraut(at)enterprisedb(dot)com
Cc: sfrost(at)snowman(dot)net, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Is it worth accepting multiple CRLs?
Date: 2021-02-18 08:06:25
Message-ID: 20210218.170625.436963865465601123.horikyota.ntt@gmail.com
Lists: pgsql-hackers

Thanks for committing this!

At Thu, 18 Feb 2021 08:24:23 +0100, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> wrote in
> On 2021-02-17 05:05, Kyotaro Horiguchi wrote:
> > The commit fe61df7f82 shot down this.
> > This patch allows a new GUC ssl_crl_dir and a new libpq connection
> > option sslcrldir to specify a CRL directory, which stores multiple files
> > that each contain one CRL. With that method the server loads only CRLs
> > for the CA of the certificate being validated.
> > Along with rebasing, the documentation is slightly reworded.
>
> Committed this.
>
> I changed the documentation a bit. Instead of having a separate
> section describing the CRL options, I put that information directly
> into the libpq and GUC sections. Some of the information, such as
> that the directory files are loaded on demand, isn't so obviously
> useful in the libpq case, so I found that a bit confusing. Also, I

Agreed.

> got the impression that the hashed directory format is sort of
> internal to OpenSSL, and there are several versions of that format, so
> I didn't want to copy over the description of these internals.
> Instead, I referred to the openssl rehash/c_rehash commands for
> information. If we get support for non-OpenSSL providers, we'll
> probably have to revisit this.

Thanks. I'm fine with that, too.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center
