
Allow specifying CRL directory

Add another method to specify CRLs, hashed directory method, for both
server and client side.  This offers a means for server or libpq to
load only CRLs that are required to verify a certificate.  The CRL
directory is specified by separate GUC variables or connection options
ssl_crl_dir and sslcrldir, alongside the existing ssl_crl_file and
sslcrl, so both methods can be used at the same time.

Author: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Discussion: https://www.postgresql.org/message-id/flat/20200731.173911.904649928639357911.horikyota.ntt@gmail.com
This commit is contained in:
Peter Eisentraut
2021-02-18 07:59:10 +01:00
parent 128dd901a5
commit f5465fade9
20 changed files with 255 additions and 17 deletions


@@ -1216,7 +1216,41 @@ include_dir 'conf.d'
Relative paths are relative to the data directory.
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
The default is empty, meaning no CRL file is loaded.
The default is empty, meaning no CRL file is loaded (unless
<xref linkend="guc-ssl-crl-dir"/> is set).
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-ssl-crl-dir" xreflabel="ssl_crl_dir">
<term><varname>ssl_crl_dir</varname> (<type>string</type>)
<indexterm>
<primary><varname>ssl_crl_dir</varname> configuration parameter</primary>
</indexterm>
</term>
<listitem>
<para>
Specifies the name of the directory containing the SSL server
certificate revocation list (CRL). Relative paths are relative to the
data directory. This parameter can only be set in
the <filename>postgresql.conf</filename> file or on the server command
line. The default is empty, meaning no CRLs are used (unless
<xref linkend="guc-ssl-crl-file"/> is set).
</para>
<para>
The directory needs to be prepared with the OpenSSL command
<literal>openssl rehash</literal> or <literal>c_rehash</literal>. See
its documentation for details.
</para>
<para>
When using this setting, CRLs in the specified directory are loaded
on-demand at connection time. New CRLs can be added to the directory
and will be used immediately. This is unlike <xref
linkend="guc-ssl-crl-file"/>, which causes the CRL in the file to be
loaded at server start time or when the configuration is reloaded.
Both settings can be used together.
</para>
</listitem>
</varlistentry>
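Review bot: The third paragraph of the ssl_crl_dir entry ("New CRLs can be added to the directory and will be used immediately") is only true if the directory is re-hashed after the file is added, since the second paragraph says lookup relies on the hashed layout produced by openssl rehash or c_rehash; suggest stating explicitly that openssl rehash must be re-run whenever CRLs are added or replaced, otherwise the new file is silently never consulted. The phrase "See its documentation for details" also has two possible antecedents (openssl rehash and c_rehash); "See the OpenSSL documentation" would be unambiguous. Finally, the entry does not say what happens when the directory contains no CRL for the CA that issued a client certificate, which is the case an administrator enabling revocation checking most needs to know about; a sentence on that outcome would make the on-demand loading behaviour complete.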


@@ -1723,12 +1723,38 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
This parameter specifies the file name of the SSL certificate
revocation list (CRL). Certificates listed in this file, if it
exists, will be rejected while attempting to authenticate the
server's certificate. The default is
server's certificate. If neither
<xref linkend='libpq-connect-sslcrl'/> nor
<xref linkend='libpq-connect-sslcrldir'/> is set, this setting is
taken as
<filename>~/.postgresql/root.crl</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-sslcrldir" xreflabel="sslcrldir">
<term><literal>sslcrldir</literal></term>
<listitem>
<para>
This parameter specifies the directory name of the SSL certificate
revocation list (CRL). Certificates listed in the files in this
directory, if it exists, will be rejected while attempting to
authenticate the server's certificate.
</para>
<para>
The directory needs to be prepared with the OpenSSL command
<literal>openssl rehash</literal> or <literal>c_rehash</literal>. See
its documentation for details.
</para>
<para>
Both <literal>sslcrl</literal> and <literal>sslcrldir</literal> can be
specified together.
</para>
</listitem>
</varlistentry>
<varlistentry id="libpq-connect-requirepeer" xreflabel="requirepeer">
<term><literal>requirepeer</literal></term>
<listitem>
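Review bot: The new sslcrldir entry states no default, while the sslcrl lines just above now say that ~/.postgresql/root.crl is used only "if neither sslcrl nor sslcrldir is set"; the sslcrldir paragraph should say explicitly that it has no default and that setting it suppresses the root.crl fallback, since that interaction is otherwise only inferable by reading both entries together. The sslcrl wording "this setting is taken as ~/.postgresql/root.crl" would read more naturally as "sslcrl defaults to ~/.postgresql/root.crl". As in the server-side entry, the sentence "The directory needs to be prepared with the OpenSSL command openssl rehash or c_rehash" should note that the directory must be re-hashed after CRLs are added, because the hashed-name lookup will not find an unhashed file, and "See its documentation" should name the OpenSSL documentation.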