database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-31 22:04:40 +03:00
Code Activity

Add support for SSL Certificate Revocation List (CRL) files, root.crl.

Browse Source 
Libor Hoho?
This commit is contained in:
Bruce Momjian
2006-04-27 02:29:14 +00:00
parent 1a84275a7b
commit e747f4935a
2 changed files with 31 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
doc/src/sgml/runtime.sgml
View File

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.370 2006/04/11 21:04:52 momjian Exp $ --> <!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.371 2006/04/27 02:29:14 momjian Exp $ -->
<chapter Id="runtime"> <chapter Id="runtime">
<title>Operating System Environment</title> <title>Operating System Environment</title>
@ -1553,7 +1553,9 @@ chmod og-rwx server.key
the file <filename>root.crt</filename> in the data directory. When the file <filename>root.crt</filename> in the data directory. When
present, a client certificate will be requested from the client present, a client certificate will be requested from the client
during SSL connection startup, and it must have been signed by one of the during SSL connection startup, and it must have been signed by one of the
certificates present in <filename>root.crt</filename>. certificates present in <filename>root.crt</filename>. Certificate
Revocation List (CRL) entries are also checked if the file
<filename>root.crl</filename> exists.
</para> </para>
<para> <para>
@ -1564,9 +1566,9 @@ chmod og-rwx server.key
<para> <para>
The files <filename>server.key</>, <filename>server.crt</>, The files <filename>server.key</>, <filename>server.crt</>,
and <filename>root.crt</filename> are only examined during server <filename>root.crt</filename>, and <filename>root.crl</filename>
start; so you must restart the server to make changes in them take are only examined during server start; so you must restart
effect. the server to make changes in them take effect.
</para> </para>
</sect1> </sect1>

25
src/backend/libpq/be-secure.c
View File

@ -11,7 +11,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.63 2006/03/21 18:18:35 neilc Exp $ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.64 2006/04/27 02:29:14 momjian Exp $
* *
* Since the server static private key ($DataDir/server.key) * Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database * will normally be stored unencrypted so that the database
@ -102,6 +102,7 @@
#ifdef USE_SSL #ifdef USE_SSL
#define ROOT_CERT_FILE "root.crt" #define ROOT_CERT_FILE "root.crt"
#define ROOT_CRL_FILE "root.crl"
#define SERVER_CERT_FILE "server.crt" #define SERVER_CERT_FILE "server.crt"
#define SERVER_PRIVATE_KEY_FILE "server.key" #define SERVER_PRIVATE_KEY_FILE "server.key"
@ -794,6 +795,28 @@ initialize_SSL(void)
} }
else else
{ {
/*
* Check the Certificate Revocation List (CRL) if file exists.
* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
*/
X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
if (cvstore)
{
if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
/* setting the flags to check against the complete CRL chain */
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
else
{
/* Not fatal - we do not require CRL */
ereport(LOG,
(errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s",
ROOT_CRL_FILE, SSLerrmessage()),
errdetail("Will not check certificates against CRL.")));
}
}
SSL_CTX_set_verify(SSL_context, SSL_CTX_set_verify(SSL_context,
(SSL_VERIFY_PEER | (SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |