Re: be-secure.c patch

I am now wondering if fe-secure.c, the front-end code, should also check
for "root.crl". The attached patch implents it. Is it a good idea?

Also, if you look in interfaces/libpq/fe-secure.c at some NOT_USED
macros you can see there are a few things we don't implement. Can that
be improved?

---------------------------------------------------------------------------

> Patch adjusted and applied. Thanks.
>
> I added documentation about SSL Certificate Revocation List (CRL) files.
>
> We throw a log message of "root.crl" does exist. Perhaps we should just
> silently say nothing, but that seems dangerous.
>
> ---------------------------------------------------------------------------
>
>
>
> Libor Hoho<B9> wrote:
> > Hello PG folks,
> > the attachement contains a simple patch to adding of verification of
> client's certificate(s)
> > against CRL on server side in mutual SSL authentication.
> > The CRL file has name "root.crl" and it must be stored in PGDATA
> directory.

--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

Bruce Momjian wrote:
>
> I am now wondering if fe-secure.c, the front-end code, should also check
> for "root.crl". The attached patch implents it.

Updated patch attached and applied. It adds CRL checking to libpq. It
returns an error if the CRL file exists, but the library can't process
it, just like the backend.

--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +