I am now wondering if fe-secure.c, the front-end code, should also check
for "root.crl". The attached patch implements it. Is it a good idea?
Also, if you look in interfaces/libpq/fe-secure.c at some NOT_USED
macros you can see there are a few things we don't implement. Can that
be improved?
---------------------------------------------------------------------------
> Patch adjusted and applied. Thanks.
>
> I added documentation about SSL Certificate Revocation List (CRL) files.
>
> We throw a log message if "root.crl" does exist. Perhaps we should just
> silently say nothing, but that seems dangerous.
>
> ---------------------------------------------------------------------------
>
>
>
> Libor Hohoš wrote:
> > Hello PG folks,
> > the attachment contains a simple patch adding verification of client's
> > certificate(s) against CRL on server side in mutual SSL authentication.
> > The CRL file is named "root.crl" and it must be stored in the PGDATA
> > directory.
--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
Index: src/interfaces/libpq/fe-secure.c
===================================================================
RCS file: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v
retrieving revision 1.79
diff -c -c -r1.79 fe-secure.c
*** src/interfaces/libpq/fe-secure.c 27 Apr 2006 14:02:36 -0000 1.79
--- src/interfaces/libpq/fe-secure.c 27 Apr 2006 14:08:18 -0000
***************
*** 125,135 ****
--- 125,137 ----
#define USER_CERT_FILE ".postgresql/postgresql.crt"
#define USER_KEY_FILE ".postgresql/postgresql.key"
#define ROOT_CERT_FILE ".postgresql/root.crt"
+ #define ROOT_CRL_FILE ".postgresql/root.crl"
#else
/* On Windows, the "home" directory is already PostgreSQL-specific */
#define USER_CERT_FILE "postgresql.crt"
#define USER_KEY_FILE "postgresql.key"
#define ROOT_CERT_FILE "root.crt"
+ #define ROOT_CRL_FILE "root.crl"
#endif
#ifdef NOT_USED
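Review bot: the non-Windows ROOT_CRL_FILE is a home-relative path, so, like ROOT_CERT_FILE, it has to be joined with homedir (snprintf into fnbuf) before any OpenSSL call sees it; the third hunk passes the bare macro instead. Also, this introduces a new client-side file with no matching change to the libpq SSL documentation, while the server-side root.crl commit quoted above did add docs; the client file needs the same treatment.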
***************
*** 784,789 ****
--- 786,793 ----
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir,
ROOT_CERT_FILE);
if (stat(fnbuf, &buf) == 0)
{
+ X509_STORE *cvstore;
+
if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf,
NULL))
{
char *err = SSLerrmessage();
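Review bot: the new declaration sits inside the `if (stat(fnbuf, &buf) == 0)` block for root.crt, so CRL handling only runs when a root.crt exists. That dependency is right (a CRL is useless without the trust anchor that signs it), but it should be stated in the comment on the CRL block, since a user who installs root.crl without root.crt gets no revocation checking and no message about it.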
***************
*** 795,800 ****
--- 799,813 ----
return -1;
}
+ if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) !=
NULL)
+ {
+ if (X509_STORE_load_locations(cvstore,
ROOT_CRL_FILE, NULL) != 0)
+ /* setting the flags to check against the
complete CRL chain */
+ X509_STORE_set_flags(cvstore,
+
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ /* if not found, silently ignore; we do not
require CRL */
+ }
+
SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER,
verify_cb);
}
}
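Review bot: `X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL)` passes the bare macro, which on non-Windows is `.postgresql/root.crl` relative to the current working directory rather than the user's home directory; build the path with `snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE)` exactly as is done for ROOT_CERT_FILE a few lines above. Second, the "if not found, silently ignore" comment conflates a missing file with a file that exists but fails to load: stat() the path first and, if it exists but X509_STORE_load_locations fails, report SSLerrmessage() and return -1 as the root.crt branch does, otherwise a corrupt or unreadable CRL silently disables revocation checking. Third, X509_V_FLAG_CRL_CHECK_ALL demands a CRL for every CA in the chain, so a client whose certificate chains through an intermediate CA will fail verification unless root.crl also contains the intermediate's CRL; either document that root.crl may hold several concatenated CRLs or use X509_V_FLAG_CRL_CHECK alone. Minor: brace the body of `if (X509_STORE_load_locations(...) != 0)`, since the comment between the condition and its single statement makes the control flow easy to misread.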
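To see what the CRL check discussed in this thread actually rejects, here is an added shell example (not from the thread and not PostgreSQL code) that builds a throwaway CA, a client certificate and a root.crl revoking it, then runs OpenSSL's CRL-aware verify against them; the CA name, role name, serial number and paths are all constructed for the demo, and it assumes an `openssl` binary of 1.1.1 or later on the PATH.

```shell
# Build a throwaway CA, a client certificate and a CRL that revokes it, then run
# the CRL-aware chain check OpenSSL performs once root.crl is in the X509 store.
# All names, serials and paths below are constructed for the demo.
set -eu

# Create ca.key/root.crt, client.key/client.crt and root.crl in directory $1.
build_crl_demo() {
    dir=$1
    # Minimal config shared by "openssl req" and "openssl ca" (revoke/gencrl)
    cat >"$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = p
[ ca ]
default_ca = demo
[ demo ]
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/root.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 1
policy = p
[ p ]
commonName = supplied
EOF
    : >"$dir/index.txt"; echo 01 >"$dir/serial"; echo 01 >"$dir/crlnumber"
    # CA key and self-signed CA cert: the trust anchor that would be root.crt
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo PG CA" -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$dir/ca.key" -out "$dir/root.crt" 2>/dev/null
    # Client cert (CN = database role name), serial 4242, signed by the CA
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=demo_pg_user" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.crt" -CAkey "$dir/ca.key" \
        -set_serial 4242 -days 1 -out "$dir/client.crt" 2>/dev/null
    # Revoke the client cert and write the CRL that would be installed as root.crl
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/client.crt" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/root.crl" 2>/dev/null
}

# Chain check with no CRL: exit 0, the certificate is otherwise valid
verify_without_crl() {
    openssl verify -CAfile "$1/root.crt" "$1/client.crt" >/dev/null 2>&1
}

# Same check with the CRL loaded (what X509_V_FLAG_CRL_CHECK adds): exit non-zero,
# "certificate revoked", because serial 4242 (0x1092) is listed in root.crl
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1/root.crt" -CRLfile "$1/root.crl" \
        "$1/client.crt" >/dev/null 2>&1
}
```

Source the file, run `build_crl_demo "$(mktemp -d)"` and then the two verify functions on that directory; the resulting root.crt and root.crl are in the PEM form that PGDATA or ~/.postgresql expects.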