I am now wondering if fe-secure.c, the front-end code, should also check
for "root.crl".  The attached patch implements it.  Is it a good idea?

Also, if you look in interfaces/libpq/fe-secure.c at some NOT_USED
macros you can see there are a few things we don't implement.  Can that
be improved?

---------------------------------------------------------------------------

> Patch adjusted and applied.  Thanks.
> 
> I added documentation about SSL Certificate Revocation List (CRL) files.
> 
> We throw a log message if "root.crl" does exist.  Perhaps we should just
> silently say nothing, but that seems dangerous.
> 
> ---------------------------------------------------------------------------
> 
> 
> 
> Libor Hohoš wrote:
> >     Hello PG folks,
> > the attachment contains a simple patch adding verification of the
> > client's certificate(s) against a CRL on the server side in mutual SSL
> > authentication.
> > The CRL file has the name "root.crl" and it must be stored in the PGDATA
> > directory.

-- 
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: src/interfaces/libpq/fe-secure.c
===================================================================
RCS file: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v
retrieving revision 1.79
diff -c -c -r1.79 fe-secure.c
*** src/interfaces/libpq/fe-secure.c    27 Apr 2006 14:02:36 -0000      1.79
--- src/interfaces/libpq/fe-secure.c    27 Apr 2006 14:08:18 -0000
***************
*** 125,135 ****
--- 125,137 ----
  #define USER_CERT_FILE                ".postgresql/postgresql.crt"
  #define USER_KEY_FILE         ".postgresql/postgresql.key"
  #define ROOT_CERT_FILE                ".postgresql/root.crt"
+ #define ROOT_CRL_FILE         ".postgresql/root.crl"
  #else
  /* On Windows, the "home" directory is already PostgreSQL-specific */
  #define USER_CERT_FILE                "postgresql.crt"
  #define USER_KEY_FILE         "postgresql.key"
  #define ROOT_CERT_FILE                "root.crt"
+ #define ROOT_CRL_FILE         "root.crl"
  #endif
  
  #ifdef NOT_USED
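Review bot: the new ROOT_CRL_FILE locations are undocumented. The applied server-side patch got a documentation entry for root.crl in PGDATA, but nothing tells libpq users that a revocation list is now picked up from ".postgresql/root.crl" under the home directory (and from "root.crl" in the PostgreSQL-specific home directory on Windows); the libpq SSL documentation should list it next to root.crt, including the fact that it is optional.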
***************
*** 784,789 ****
--- 786,793 ----
                snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, 
ROOT_CERT_FILE);
                if (stat(fnbuf, &buf) == 0)
                {
+                       X509_STORE *cvstore;
+                       
                        if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, 
NULL))
                        {
                                char       *err = SSLerrmessage();
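Review bot: the blank line inserted after "X509_STORE *cvstore;" carries trailing whitespace (the "+" line is spaces only), which pgindent will strip; drop it, or drop the declaration's blank line altogether since the variable is only used a few lines further down.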
***************
*** 795,800 ****
--- 799,813 ----
                                return -1;
                        }
  
+                       if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != 
NULL)
+                       {
+                               if (X509_STORE_load_locations(cvstore, 
ROOT_CRL_FILE, NULL) != 0)
+                                  /* setting the flags to check against the 
complete CRL chain */
+                                  X509_STORE_set_flags(cvstore,
+                                                               
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+                               /* if not found, silently ignore;  we do not 
require CRL */
+                       }
+       
                        SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, 
verify_cb);
                }
        }
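Review bot: X509_STORE_load_locations() is handed the bare macro, "X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL)", so on non-Windows it opens ".postgresql/root.crl" relative to the process's current directory, not the user's home, while ROOT_CERT_FILE just above is first expanded into fnbuf with "snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE)". Build the CRL path the same way (fnbuf is free again once SSL_CTX_load_verify_locations() has returned) before calling X509_STORE_load_locations(). The "silently ignore" branch is also not entirely silent: a failed load pushes errors onto the OpenSSL error queue, so a later SSLerrmessage() can report a stale "no such file" message; stat() the CRL path first, as the root.crt branch does, which also lets a CRL that is present but unreadable be reported instead of being treated like a missing one, or call ERR_clear_error() after the failed load. Finally, the comment "check against the complete CRL chain" misdescribes X509_V_FLAG_CRL_CHECK_ALL, which makes OpenSSL require and check a CRL for every certificate in the chain rather than only for the peer's leaf certificate; say that instead, and use tabs for the comment indentation like the surrounding code.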
---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
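What the flag the patch sets changes in practice, and why the patch sets it only after the CRL has loaded, as an added demonstration that is not part of the patch or of libpq: the script below builds a throwaway CA, one client certificate and a CRL with the openssl command-line tool (whose -crl_check switch sets the same X509_V_FLAG_CRL_CHECK on its certificate store) and verifies the client certificate in four states. The file names, subjects and the minimal openssl ca configuration are constructed for the demo; it assumes an openssl binary on PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added demonstration, not code from the PostgreSQL patch or from libpq.
# Everything below (CA config, names, subjects) is constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CNF="$WORK/ca.cnf"

# Minimal "openssl ca" configuration: enough to sign one cert, revoke it and
# issue CRLs.  The root also gets keyCertSign/cRLSign so OpenSSL accepts its CRL.
write_ca_config() {
    cat > "$CA_CNF" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/root.crt
private_key      = \$dir/root.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions  = root_ext
[ req_dn ]
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
}

# Self-signed root ("root.crt" in libpq terms) and one client certificate.
pki_setup() {
    write_ca_config
    openssl req -x509 -config "$CA_CNF" -newkey rsa:2048 -nodes -days 30 \
        -subj /CN=demo-root -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -config "$CA_CNF" -newkey rsa:2048 -nodes \
        -subj /CN=pguser -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl ca -config "$CA_CNF" -batch -notext \
        -in "$WORK/client.csr" -out "$WORK/client.crt" 2>/dev/null
}

# (Re)issue the CA's CRL ("root.crl" in libpq terms) / revoke the client cert.
issue_crl()     { openssl ca -config "$CA_CNF" -gencrl -out "$WORK/root.crl" 2>/dev/null; }
revoke_client() { openssl ca -config "$CA_CNF" -revoke "$WORK/client.crt" 2>/dev/null; }

# Verify the client cert against the root.  Extra arguments go to openssl verify:
# -crl_check sets X509_V_FLAG_CRL_CHECK, -CRLfile is the CRL loaded into the store.
verify_client() {
    openssl verify "$@" -CAfile "$WORK/root.crt" "$WORK/client.crt" >/dev/null 2>&1
}

verdict() { if "$@"; then echo ok; else echo rejected; fi; }

# Four states, one verdict each, on a single line.
run_demo() {
    a=$(verdict verify_client)                         # no CRL checking at all
    b=$(verdict verify_client -crl_check)              # flag set but no CRL loaded
    issue_crl
    c=$(verdict verify_client -crl_check -CRLfile "$WORK/root.crl")   # empty CRL
    revoke_client
    issue_crl
    d=$(verdict verify_client -crl_check -CRLfile "$WORK/root.crl")   # revoked
    echo "$a $b $c $d"
}

pki_setup
DEMO_RESULT=$(run_demo)
echo "$DEMO_RESULT"   # expected: ok rejected ok rejected
```

Run it as a plain sh script; it prints one verdict per state. The second state is the one that matters for the patch's ordering: once X509_V_FLAG_CRL_CHECK is set, a chain with no usable CRL fails verification ("unable to get certificate CRL") rather than being accepted, so setting the flag before a successful X509_STORE_load_locations() would break every client that has a root.crt but no root.crl. Pass -crl_check_all instead to mirror X509_V_FLAG_CRL_CHECK_ALL as well, which then also requires a CRL for every CA in the chain.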