Re: Is it worth accepting multiple CRLs?
| From | Peter Eisentraut |
|---|---|
| Subject | Re: Is it worth accepting multiple CRLs? |
| Date | |
| Msg-id | 516cf19c-840b-3db6-3320-4145d49c24d8@enterprisedb.com |
| In response to | Re: Is it worth accepting multiple CRLs? (Kyotaro Horiguchi <horikyota.ntt@gmail.com>) |
| Responses | Re: Is it worth accepting multiple CRLs? |
| List | pgsql-hackers |
On 2021-01-19 09:32, Kyotaro Horiguchi wrote:
> At Tue, 19 Jan 2021 09:17:34 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in
>> By the way we can do the same thing on CA file/dir, but I personally
>> think that the benefit from the specify-by-directory for CA files is
>> far less than CRL files. So I'm not going to do this for CA files for
>> now.
>
> This is it. A new guc ssl_crl_dir and connection option crldir are
> added.

This looks pretty good to me overall.

You need to update the expected result of the postgres_fdw test.

Also check your patch for whitespace errors with git diff --check or similar.

> One problem raised upthread is the footprint for test is quite large
> because all certificate and key files are replaced by this patch. I
> think we can shrink the footprint by generating that files on-demand
> but that needs openssl frontend to be installed on the development
> environment.

I don't understand why you need to recreate all these files. All your patch should contain are the new *.r0 files that are computed from the existing *.crl files. Nothing else should change, AIUI.

Some of the makefile rules for generating the CRL files need some refinement. In

+ssl/root+server-crldir: ssl/server.crl
+	mkdir ssl/root+server-crldir
+	cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
+	cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
+ssl/root+client-crldir: ssl/client.crl
+	mkdir ssl/root+client-crldir
+	cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
+	cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0

the rules should also have a dependency on ssl/root.crl in addition to ssl/server.crl.
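Review bot: the bare `mkdir ssl/root+server-crldir` and `mkdir ssl/root+client-crldir` recipes fail with "File exists" whenever the directory is already present, so the rule cannot be re-run (for example after an interrupted run that created the directory but not the .r0 files) without deleting the directory by hand; use `mkdir -p`, or remove the directory at the start of the recipe, and make sure the clean target removes both crldir directories. A second point: every CRL is copied to `<hash>.r0`, so if the two CRLs placed in one directory ever came from the same issuer they would get the same hash and the second `cp` would silently overwrite the first, whereas OpenSSL would look for the second one under `.r1`; a one-line comment noting that the rule relies on distinct issuer hashes would make that assumption explicit.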
By the way:

-	print $sslconf "ssl_crl_file='root+client.crl'\n";
+	print $sslconf "ssl_crl_file='$crlfile'\n" if (defined $crlfile);
+	print $sslconf "ssl_crl_dir='$crldir'\n" if (defined $crldir);

Trailing "if" doesn't need parentheses.
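As an added example, not code from the patch under review or from the e-mail: a POSIX shell version of the "build a CRL directory" step that does what the quoted makefile recipes do (name each CRL after its issuer hash, as `ssl_crl_dir` and OpenSSL's lookup expect) but also survives being re-run and handles two CRLs that share a hash by probing `.r0`, `.r1`, ... for the next free slot, the way OpenSSL itself searches. It assumes the `openssl` CLI is on PATH; the function names `crl_slot`, `install_crl` and `build_crldir` are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the patch or the e-mail): populate an OpenSSL-style
# CRL directory, naming each CRL <issuer-hash>.rN. Assumes the openssl CLI is
# installed; all function names below are hypothetical.

# Print the lowest N such that <dir>/<hash>.rN does not exist yet.
# OpenSSL probes .r0, .r1, ... in order, so CRLs sharing a hash must use
# consecutive suffixes rather than overwriting each other.
crl_slot() {
    slot_dir=$1
    slot_hash=$2
    slot_n=0
    while [ -e "$slot_dir/$slot_hash.r$slot_n" ]; do
        slot_n=$((slot_n + 1))
    done
    echo "$slot_n"
}

# Copy one PEM CRL into <dir> under its hashed name and print the path written.
install_crl() {
    crl_src=$1
    crl_dir=$2
    # Same command the makefile recipe uses to derive the file name.
    crl_hash=$(openssl crl -hash -noout -in "$crl_src") || return 1
    crl_n=$(crl_slot "$crl_dir" "$crl_hash")
    cp "$crl_src" "$crl_dir/$crl_hash.r$crl_n" && echo "$crl_dir/$crl_hash.r$crl_n"
}

# Build <dir> from every CRL given after it. mkdir -p (unlike a bare mkdir)
# lets the step be repeated without first deleting the directory.
build_crldir() {
    out_dir=$1
    shift
    mkdir -p "$out_dir"
    for crl in "$@"; do
        install_crl "$crl" "$out_dir" || return 1
    done
}

# Usage: sh build-crldir.sh ssl/root+server-crldir ssl/root.crl ssl/server.crl
if [ $# -gt 0 ]; then
    build_crldir "$@"
fi
```

Listing both ssl/root.crl and ssl/server.crl on the command line is the shell equivalent of the missing makefile dependency: the directory is rebuilt whenever either input changes, and a re-run never fails on an existing directory.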