*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.67 2006/05/04 22:18:38 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/06 01:31:38 momjian Exp $
*
* Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database
}
else
{
-#ifdef X509_V_FLAG_CRL_CHECK
/*
* Check the Certificate Revocation List (CRL) if file exists.
* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
if (cvstore)
{
+ /* Set the flags to check against the complete CRL chain */
if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
- /* setting the flags to check against the complete CRL chain */
- X509_STORE_set_flags(cvstore,
+/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
+#ifdef X509_V_FLAG_CRL_CHECK
+ X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+#else
+ ereport(LOG,
+ (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" ignored",
+ ROOT_CRL_FILE),
+ errdetail("Installed SSL library does not support CRL.")));
+#endif
else
{
/* Not fatal - we do not require CRL */
errdetail("Will not check certificates against CRL.")));
}
}
-#endif /* X509_V_FLAG_CRL_CHECK */
SSL_CTX_set_verify(SSL_context,
(SSL_VERIFY_PEER |
projects / postgresql.git / commitdiff