Patch adjusted and applied. Thanks.
I added documentation about SSL Certificate Revocation List (CRL) files.
We throw a log message if "root.crl" does not exist. Perhaps we should just
silently say nothing, but that seems dangerous.
---------------------------------------------------------------------------
Libor Hohos wrote:
> Hello PG folks,
> the attachment contains a simple patch adding verification of the client's
> certificate(s) against a CRL on the server side in mutual SSL authentication.
> The CRL file has name "root.crl" and it must be stored in PGDATA directory.
>
> With best regards
> L. Hohos
[ Attachment, skipping... ]
--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v
retrieving revision 1.370
diff -c -c -r1.370 runtime.sgml
*** doc/src/sgml/runtime.sgml 11 Apr 2006 21:04:52 -0000 1.370
--- doc/src/sgml/runtime.sgml 27 Apr 2006 02:27:13 -0000
***************
*** 1553,1559 ****
the file <filename>root.crt</filename> in the data directory. When
present, a client certificate will be requested from the client
during SSL connection startup, and it must have been signed by one of the
! certificates present in <filename>root.crt</filename>.
</para>
<para>
--- 1553,1561 ----
the file <filename>root.crt</filename> in the data directory. When
present, a client certificate will be requested from the client
during SSL connection startup, and it must have been signed by one of the
! certificates present in <filename>root.crt</filename>. Certificate
! Revocation List (CRL) entries are also checked if the file
! <filename>root.crl</filename> exists.
</para>
<para>
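Review bot: the added sentence in this runtime.sgml hunk says CRL entries "are also checked" but not what the check does or what root.crl must contain; since the code sets X509_V_FLAG_CRL_CHECK_ALL, say that a client certificate (or any intermediate CA certificate in its chain) listed in root.crl is rejected, and that with CRL_CHECK_ALL OpenSSL needs a CRL for every issuing CA in the chain, so root.crl must hold the PEM-encoded CRLs of all of them (several may be concatenated in the one file) or verification fails with "unable to get certificate CRL" even for clients that were never revoked. A one-line pointer to how the file is produced (openssl ca -gencrl) would also help, since unlike root.crt there is no obvious source for it.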
***************
*** 1564,1572 ****
<para>
The files <filename>server.key</>, <filename>server.crt</>,
! and <filename>root.crt</filename> are only examined during server
! start; so you must restart the server to make changes in them take
! effect.
</para>
</sect1>
--- 1566,1574 ----
<para>
The files <filename>server.key</>, <filename>server.crt</>,
! <filename>root.crt</filename>, and <filename>root.crl</filename>
! are only examined during server start; so you must restart
! the server to make changes in them take effect.
</para>
</sect1>
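Review bot: because root.crl is only read at server start, the restart sentence in this hunk should also warn that a CRL carries a nextUpdate time (openssl ca -gencrl always sets one): once it passes, OpenSSL's CRL check fails with X509_V_ERR_CRL_HAS_EXPIRED and every client connection is refused until a fresh CRL is installed and the server restarted. Suggest adding after "take effect" that root.crl has to be regenerated, and the server restarted, before the CRL's next update time.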
Index: src/backend/libpq/be-secure.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v
retrieving revision 1.63
diff -c -c -r1.63 be-secure.c
*** src/backend/libpq/be-secure.c 21 Mar 2006 18:18:35 -0000 1.63
--- src/backend/libpq/be-secure.c 27 Apr 2006 02:27:13 -0000
***************
*** 102,107 ****
--- 102,108 ----
#ifdef USE_SSL
#define ROOT_CERT_FILE "root.crt"
+ #define ROOT_CRL_FILE "root.crl"
#define SERVER_CERT_FILE "server.crt"
#define SERVER_PRIVATE_KEY_FILE "server.key"
***************
*** 794,799 ****
--- 795,822 ----
}
else
{
+ /*
+ * Check the Certificate Revocation List (CRL) if file exists.
+ * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
+ */
+ X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
+
+ if (cvstore)
+ {
+ if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+ /* setting the flags to check against the complete CRL chain */
+ X509_STORE_set_flags(cvstore,
+ X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ else
+ {
+ /* Not fatal - we do not require CRL */
+ ereport(LOG,
+ (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s",
+ ROOT_CRL_FILE, SSLerrmessage()),
+ errdetail("Will not check certificates against CRL.")));
+ }
+ }
+
SSL_CTX_set_verify(SSL_context,
(SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
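Review bot: the X509_STORE_load_locations() else-branch in this hunk treats every failure as "file not found", which makes a malformed or unreadable root.crl fail open: the load error is logged at LOG level and the server then accepts revoked certificates with no CRL check at all. Suggest testing for the file first (stat()/access() on ROOT_CRL_FILE, or checking errno for ENOENT after the failed load) and skipping only in that case, and treating a present-but-unloadable CRL file as FATAL rather than continuing; the log text should then say "could not load" rather than "not found" for the remaining case. Two smaller points in the same hunk: X509_STORE_load_locations() also loads any certificates found in the file, so a stray certificate in root.crl would silently become a trusted CA, which is worth a comment or a check; and the searchsecurity URL in the comment is not a reference worth carrying in the source.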