Re: Is it worth accepting multiple CRLs?
From | Kyotaro Horiguchi |
---|---|
Subject | Re: Is it worth accepting multiple CRLs? |
Date | |
Msg-id | 20200803.181756.829161885489632565.horikyota.ntt@gmail.com |
In reply to | Re: Is it worth accepting multiple CRLs? (Kyotaro Horiguchi <horikyota.ntt@gmail.com>) |
List | pgsql-hackers |

Uggg.

At Mon, 03 Aug 2020 16:19:37 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
> At Fri, 31 Jul 2020 05:53:53 -0700, Henry B Hotz <hbhotz@oxy.edu> wrote in
> > A CA may issue a CRL infrequently, but issue a delta-CRL frequently. Does the logic support this properly?
>
> If you are talking about registering new revocations while server is
> running, it checks newer CRLs upon each lookup according to the
> documentation [1], so a new Delta-CRL can be added after server
> start. If server restart is allowed, the CRL file specified by

I didn't know that ssl files are reloaded by SIGHUP (pg_ctl reload).
So the ssl_crl_file is also reloaded on server reload.

> ssl_crl_file can contain multiple CRLs by just concatenation.
>
> [1]: https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_hash_dir.html

Still on-demand loading is the advantage of the hashed directory
method. I'll continue working..

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center
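
The hashed-directory layout discussed in this message, as an added example that is not part of the original post or of PostgreSQL's code: it files each PEM CRL under `<issuer-hash>.rN`, the naming X509_LOOKUP_hash_dir reads, so a base CRL and a later delta CRL with the same issuer name become `.r0` and `.r1`. The function names and both directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: populate a CRL directory in the layout described in
# X509_LOOKUP_hash_dir(3): one PEM CRL per file, named <issuer-hash>.rN,
# with N numbered from 0 without gaps.

# Issuer-name hash of one PEM CRL, as printed by the openssl CLI.
crl_hash() {
    openssl crl -hash -noout -in "$1"
}

# link_crls SRC_DIR HASH_DIR   (hypothetical paths chosen by the caller)
# Copies every SRC_DIR/*.pem into HASH_DIR under the first free <hash>.rN.
# A file already present under its hash is not copied again, so the function
# can be re-run whenever the CA publishes a new delta CRL.
# Prints the number of CRLs newly added.
link_crls() {
    src=$1
    dst=$2
    added=0
    mkdir -p "$dst" || return 1
    for f in "$src"/*.pem; do
        [ -f "$f" ] || continue
        # Files openssl cannot parse as a CRL are reported and skipped.
        h=$(crl_hash "$f") || { echo "skip (not a CRL): $f" >&2; continue; }
        n=0
        dup=0
        while [ -e "$dst/$h.r$n" ]; do
            if cmp -s "$f" "$dst/$h.r$n"; then dup=1; break; fi
            n=$((n + 1))
        done
        [ "$dup" -eq 1 ] && continue
        cp "$f" "$dst/$h.r$n"
        added=$((added + 1))
    done
    echo "$added"
}

# Usage (paths are placeholders):
#   link_crls /path/to/downloaded-crls /path/to/crl-hash-dir
```

`openssl rehash` produces the same naming using symlinks inside the directory itself.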