-<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.370 2006/04/11 21:04:52 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.371 2006/04/27 02:29:14 momjian Exp $ -->
<chapter Id="runtime">
<title>Operating System Environment</title>
the file <filename>root.crt</filename> in the data directory. When
present, a client certificate will be requested from the client
during SSL connection startup, and it must have been signed by one of the
- certificates present in <filename>root.crt</filename>.
+ certificates present in <filename>root.crt</filename>. Certificate
+ Revocation List (CRL) entries are also checked if the file
+ <filename>root.crl</filename> exists.
</para>
<para>
<para>
The files <filename>server.key</>, <filename>server.crt</>,
- and <filename>root.crt</filename> are only examined during server
- start; so you must restart the server to make changes in them take
- effect.
+ <filename>root.crt</filename>, and <filename>root.crl</filename>
+ are only examined during server start; so you must restart
+ the server to make changes in them take effect.
</para>
</sect1>
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.63 2006/03/21 18:18:35 neilc Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.64 2006/04/27 02:29:14 momjian Exp $
*
* Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database
#ifdef USE_SSL
#define ROOT_CERT_FILE "root.crt"
+#define ROOT_CRL_FILE "root.crl"
#define SERVER_CERT_FILE "server.crt"
#define SERVER_PRIVATE_KEY_FILE "server.key"
}
else
{
+ /*
+ * Check the Certificate Revocation List (CRL) if file exists.
+ * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
+ */
+ X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
+
+ if (cvstore)
+ {
+ if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+ /* setting the flags to check against the complete CRL chain */
+ X509_STORE_set_flags(cvstore,
+ X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ else
+ {
+ /* Not fatal - we do not require CRL */
+ ereport(LOG,
+ (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s",
+ ROOT_CRL_FILE, SSLerrmessage()),
+ errdetail("Will not check certificates against CRL.")));
+ }
+ }
+
SSL_CTX_set_verify(SSL_context,
(SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT |