Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local
От | Bruce Momjian |
---|---|
Тема | Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local |
Дата | |
Msg-id | 200605051828.k45ISDA10176@candle.pha.pa.us обсуждение исходный текст |
Ответы |
Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local
(Tom Lane <tgl@sss.pgh.pa.us>)
|
Список | pgsql-patches |
Tom Lane wrote: > Kris Jurka <books@ejurka.com> writes: > > On Thu, 4 May 2006, Tom Lane wrote: > >> Don't try to compile SSL CRL support if local SSL installation hasn't > >> got it. Per buildfarm failure on 'canary'. > > > It seems a little bit dangerous to just not check the CRL without so much > > as a warning message. > > [ shrug... ] Anyone who's running openssl 0.9.6, or whatever that is on > canary, isn't expecting CRL support anyway. And all I did is restore > the behavior we've had for lo these past many years. The problem is that we now document that we support CRL, so either we log if we skip it, or we have to document which versions of OpenSSL do not support CRL (yuck). The attached patch checks for the file, and either user it or generates a log message that it was skipped. -- Bruce Momjian http://candle.pha.pa.us EnterpriseDB http://www.enterprisedb.com + If your life is a hard drive, Christ can be your backup. + Index: src/backend/libpq/be-secure.c =================================================================== RCS file: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v retrieving revision 1.67 diff -c -c -r1.67 be-secure.c *** src/backend/libpq/be-secure.c 4 May 2006 22:18:38 -0000 1.67 --- src/backend/libpq/be-secure.c 5 May 2006 18:26:37 -0000 *************** *** 795,801 **** } else { - #ifdef X509_V_FLAG_CRL_CHECK /* * Check the Certificate Revocation List (CRL) if file exists. * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html --- 795,800 ---- *************** *** 804,813 **** if (cvstore) { if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) ! /* setting the flags to check against the complete CRL chain */ ! X509_STORE_set_flags(cvstore, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); else { /* Not fatal - we do not require CRL */ --- 803,820 ---- if (cvstore) { + /* Set the flags to check against the complete CRL chain */ if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) ! /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ ! #ifdef X509_V_FLAG_CRL_CHECK ! X509_STORE_set_flags(cvstore, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); + #else + ereport(LOG, + (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" ignored", + ROOT_CRL_FILE), + errdetail("Installed SSL library does not support CRL."))); + #endif else { /* Not fatal - we do not require CRL */ *************** *** 817,823 **** errdetail("Will not check certificates against CRL."))); } } - #endif /* X509_V_FLAG_CRL_CHECK */ SSL_CTX_set_verify(SSL_context, (SSL_VERIFY_PEER | --- 824,829 ----
В списке pgsql-patches по дате отправления:
Предыдущее
От: Martijn van OosterhoutДата:
Сообщение: Re: Have configure complain about unknown options
Следующее
От: Tom LaneДата:
Сообщение: Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local