Tom Lane wrote:
> Kris Jurka <[EMAIL PROTECTED]> writes:
> > On Thu, 4 May 2006, Tom Lane wrote:
> >> Don't try to compile SSL CRL support if local SSL installation hasn't
> >> got it.  Per buildfarm failure on 'canary'.
> 
> > It seems a little bit dangerous to just not check the CRL without so much 
> > as a warning message.
> 
> [ shrug... ]  Anyone who's running openssl 0.9.6, or whatever that is on
> canary, isn't expecting CRL support anyway.  And all I did is restore
> the behavior we've had for lo these past many years.

The problem is that we now document that we support CRL, so either we
log if we skip it, or we have to document which versions of OpenSSL do
not support CRL (yuck).

The attached patch checks for the file, and either user it or generates
a log message that it was skipped.

-- 
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: src/backend/libpq/be-secure.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v
retrieving revision 1.67
diff -c -c -r1.67 be-secure.c
*** src/backend/libpq/be-secure.c       4 May 2006 22:18:38 -0000       1.67
--- src/backend/libpq/be-secure.c       5 May 2006 18:26:37 -0000
***************
*** 795,801 ****
        }
        else
        {
- #ifdef X509_V_FLAG_CRL_CHECK
                /*
                 *      Check the Certificate Revocation List (CRL) if file 
exists.
                 *      
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
--- 795,800 ----
***************
*** 804,813 ****
  
                if (cvstore)
                {
                        if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, 
NULL) != 0)
!                          /* setting the flags to check against the complete 
CRL chain */
!                          X509_STORE_set_flags(cvstore,
                                                        
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
                        else
                        {
                                /* Not fatal - we do not require CRL */
--- 803,820 ----
  
                if (cvstore)
                {
+                  /* Set the flags to check against the complete CRL chain */
                        if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, 
NULL) != 0)
! /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
! #ifdef X509_V_FLAG_CRL_CHECK
!                               X509_STORE_set_flags(cvstore,
                                                        
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ #else
+                               ereport(LOG,
+                                       (errmsg("SSL Certificate Revocation 
List (CRL) file \"%s\" ignored",
+                                                       ROOT_CRL_FILE),
+                                        errdetail("Installed SSL library does 
not support CRL.")));
+ #endif
                        else
                        {
                                /* Not fatal - we do not require CRL */
***************
*** 817,823 ****
                                         errdetail("Will not check certificates 
against CRL.")));
                        }
                }
- #endif /* X509_V_FLAG_CRL_CHECK */
  
                SSL_CTX_set_verify(SSL_context,
                                                   (SSL_VERIFY_PEER |
--- 824,829 ----
---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?

               http://www.postgresql.org/docs/faq

Reply via email to