Add support for SSL Certificate Revocation List (CRL) files, root.crl.
authorBruce Momjian <bruce@momjian.us>
Thu, 27 Apr 2006 02:29:14 +0000 (02:29 +0000)
committerBruce Momjian <bruce@momjian.us>
Thu, 27 Apr 2006 02:29:14 +0000 (02:29 +0000)
Libor Hoho?

doc/src/sgml/runtime.sgml
src/backend/libpq/be-secure.c

index 75e70aa2377239643066346df01bf73572a3ccff..a18914ac10db08ff0376b9c13af052de7b53a890 100644 (file)
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.370 2006/04/11 21:04:52 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.371 2006/04/27 02:29:14 momjian Exp $ -->
 
 <chapter Id="runtime">
  <title>Operating System Environment</title>
@@ -1553,7 +1553,9 @@ chmod og-rwx server.key
    the file <filename>root.crt</filename> in the data directory.  When
    present, a client certificate will be requested from the client
    during SSL connection startup, and it must have been signed by one of the
-   certificates present in <filename>root.crt</filename>.
+   certificates present in <filename>root.crt</filename>.  Certificate 
+   Revocation List (CRL) entries are also checked if the file 
+   <filename>root.crl</filename> exists.
   </para>
 
   <para>
@@ -1564,9 +1566,9 @@ chmod og-rwx server.key
 
   <para>
    The files <filename>server.key</>, <filename>server.crt</>,
-   and <filename>root.crt</filename> are only examined during server
-   start; so you must restart the server to make changes in them take
-   effect.
+   <filename>root.crt</filename>, and <filename>root.crl</filename>
+   are only examined during server start; so you must restart 
+   the server to make changes in them take effect.
   </para>
  </sect1>
 
index 42d7414df326d71be19867124c15259d0eeec8af..d51154d980fb806e56b2c61e1f635d81c66a519a 100644 (file)
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *   $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.63 2006/03/21 18:18:35 neilc Exp $
+ *   $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.64 2006/04/27 02:29:14 momjian Exp $
  *
  *   Since the server static private key ($DataDir/server.key)
  *   will normally be stored unencrypted so that the database
 #ifdef USE_SSL
 
 #define ROOT_CERT_FILE         "root.crt"
+#define ROOT_CRL_FILE          "root.crl"
 #define SERVER_CERT_FILE       "server.crt"
 #define SERVER_PRIVATE_KEY_FILE "server.key"
 
@@ -794,6 +795,28 @@ initialize_SSL(void)
    }
    else
    {
+       /*
+        *  Check the Certificate Revocation List (CRL) if file exists.
+        *  http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
+        */
+       X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
+
+       if (cvstore)
+       {
+           if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+              /* setting the flags to check against the complete CRL chain */
+              X509_STORE_set_flags(cvstore,
+                           X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+           else
+           {
+               /* Not fatal - we do not require CRL */
+               ereport(LOG,
+                   (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s",
+                           ROOT_CRL_FILE, SSLerrmessage()),
+                    errdetail("Will not check certificates against CRL.")));
+           }
+       }
+
        SSL_CTX_set_verify(SSL_context,
                           (SSL_VERIFY_PEER |
                            SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
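Review bot: The new CRL block fails open: `X509_STORE_load_locations()` returns 0 for any failure, so a root.crl that exists but is unreadable, malformed or has the wrong permissions is logged as "not found, skipping" and the server then accepts client certificates with revocation checking silently disabled. Only a genuinely absent file should be optional; a present-but-unloadable CRL should be treated like a bad root.crt and stop startup, and the message should not say "not found" when the file is there. The rewrite below distinguishes the two cases with `stat()` (needs `<sys/stat.h>` and `<errno.h>` in scope) and compares the OpenSSL result against 1 rather than `!= 0`. It may also be worth noting in the comment that `X509_V_FLAG_CRL_CHECK_ALL` requires a CRL for every CA in the chain, so root.crl must contain CRLs for all intermediates or multi-level chains will fail verification. initialize_SSL() starts before this hunk and continues after it.
```c
        X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
        struct stat crl_stat;

        if (cvstore)
        {
            if (stat(ROOT_CRL_FILE, &crl_stat) != 0)
            {
                /* A missing CRL is allowed; any other access failure is not. */
                if (errno != ENOENT)
                    ereport(FATAL,
                            (errmsg("could not access SSL Certificate Revocation List file \"%s\": %m",
                                    ROOT_CRL_FILE)));
                ereport(LOG,
                        (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping",
                                ROOT_CRL_FILE),
                         errdetail("Will not check certificates against CRL.")));
            }
            else if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) == 1)
            {
                /*
                 * Check the whole chain against the CRL.  CRL_CHECK_ALL needs a
                 * CRL for every CA in the chain, not just the issuer of the
                 * client certificate.
                 */
                X509_STORE_set_flags(cvstore,
                                     X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
            }
            else
            {
                /* File exists but could not be loaded: fail closed, like root.crt. */
                ereport(FATAL,
                        (errmsg("could not load SSL Certificate Revocation List file \"%s\": %s",
                                ROOT_CRL_FILE, SSLerrmessage())));
            }
        }
        /* … unchanged: SSL_CTX_set_verify call … */
```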