Re: Default names for CRL and CA files in the backend

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: pgsql-docs <pgsql-docs(at)postgresql(dot)org>
Subject: Re: Default names for CRL and CA files in the backend
Date: 2017-08-17 07:37:02
Message-ID: 64542B9E-BF78-43BF-A884-3D183FB978D3@yesql.se
Lists: pgsql-docs

> On 17 Aug 2017, at 03:26, Michael Paquier <michael(dot)paquier(at)gmail(dot)com> wrote:
>
> On Thu, Aug 17, 2017 at 7:31 AM, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>> Commit a445cb92ef5b3a31313ebce30e18cc1d6e0bdecb removed the default names for
>> serverside CRL and CA files, but the defaults were left in the "SSL Server File
>> Usage" table with a small note. I completely missed the note, even after
>> having been fiddling about with the code in question. Removing the filenames
>> from the table, and altering the note per the attached patch, makes the docs
>> clearer IMHO.
>
> Here are additional notes on the matter.

Thanks, I should learn to not hit send before having coffee.

> From libpq.sgml:
> <para>
> In some cases, the client certificate might be signed by an
> <quote>intermediate</> certificate authority, rather than one that is
> directly trusted by the server. To use such a certificate, append the
> certificate of the signing authority to the <filename>postgresql.crt</>
> file, then its parent authority's certificate, and so on up to a certificate
> authority, <quote>root</> or <quote>intermediate</>, that is trusted by
> the server, i.e. signed by a certificate in the server's
> <filename>root.crt</filename> file.
> </para>
>
> Am I reading that correctly? The last sentence should not mention
> root.crt as well.

Agreed.

> The paragraph after that assumes that ssl_ca_file is
> set to root.crt so it looks fine to use it. But that's not assumed
> here.

Right, it should perhaps be made clearer that root.crt is a proposed filename
in this example which could’ve been chosen as something else, but I can’t see a
good way off the cuff. Did a tiny amount of wordsmithing here though to
indicate that it’s not a file the user should expect to have already.

> In sslinfo.sgml:
> <para>
> This function is really useful only if you have more than one trusted CA
> certificate in your server's <filename>root.crt</> file, or if this CA
> has issued some intermediate certificate authority certificates.
> </para>
>
> In runtime.sgml:
> <para>
> Note that the server's <filename>root.crt</filename> lists the top-level
> CAs that are considered trusted for signing client certificates.
> In principle it need
> not list the CA that signed the server's certificate, though in most cases
> that CA would also be trusted for client certificates.
> </para>
> Perhaps this should be changed as well.

Agreed.

> In config.sgml:
> <para>
> In previous releases of PostgreSQL, the name of this file was
> hard-coded as <filename>root.crt</filename>.
> </para>
> [...]
> <para>
> In previous releases of PostgreSQL, the name of this file was
> hard-coded as <filename>root.crt</filename>.
> </para>
> Why not mention the version of Postgres where the change has begun?
> I find it confusing not to specify such a level of detail.

Since all supported versions have this as a parameter, this seems to mainly
serve as a help for anyone upgrading from 9.1 (or earlier) so mentioning when
the change happened makes sense. I added a note here (and on root.crl) stating
the version.

cheers ./daniel

Attachment Content-Type Size
ca_crl_files_v2.patch application/octet-stream 5.0 KB
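
The operational consequence discussed in this thread, as an added example that is not part of the original message or of the PostgreSQL sources: a file named root.crt or root.crl left in the data directory is not picked up unless ssl_ca_file or ssl_crl_file points at it. The function names are hypothetical, and the postgresql.conf parsing is simplified (include directives are not followed).

```python
import re
import tempfile
from pathlib import Path

# Parameter -> file name that older releases hard-coded (per the thread).
LEGACY_NAMES = {"ssl_ca_file": "root.crt", "ssl_crl_file": "root.crl"}

# Simplified postgresql.conf line: name [=] 'quoted' | bare  [# comment]
SETTING_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z_][\w.]*)\s*=?\s*"
    r"(?:'(?P<quoted>(?:[^']|'')*)'|(?P<bare>[^\s#']*))\s*(?:#.*)?$"
)

def parse_settings(conf_text):
    """Return {name: value}; a later line overrides an earlier one."""
    settings = {}
    for line in conf_text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
            settings[m.group("name").lower()] = value.replace("''", "'")
    return settings

def ignored_legacy_files(data_dir, conf_text):
    """List legacy-named files in data_dir that no parameter points at."""
    settings = parse_settings(conf_text)
    data_dir = Path(data_dir)
    findings = []
    for param, legacy in LEGACY_NAMES.items():
        configured = settings.get(param, "")
        legacy_path = data_dir / legacy
        if not legacy_path.is_file():
            continue
        # Relative paths are resolved against the data directory.
        if configured and (data_dir / configured).resolve() == legacy_path.resolve():
            continue
        findings.append((param, legacy, configured or "<unset>"))
    return findings

if __name__ == "__main__":
    # Constructed sample: ssl_ca_file left commented out, ssl_crl_file set.
    conf = "ssl = on\n#ssl_ca_file = ''\nssl_crl_file = 'root.crl'\n"
    with tempfile.TemporaryDirectory() as d:
        for name in LEGACY_NAMES.values():
            (Path(d) / name).write_text("constructed placeholder\n")
        for param, legacy, value in ignored_legacy_files(d, conf):
            print(f"{legacy} exists but {param} is {value}: file is not used")
```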
