From: Bruce Momjian Date: Sat, 6 May 2006 01:31:38 +0000 (+0000) Subject: Issue a log message if a CRL file exists and the SSL library does not X-Git-Tag: REL8_2_BETA1~1004 X-Git-Url: http://git.postgresql.org/gitweb/?a=commitdiff_plain;h=3ecfdceaec956db3196967b468f281d4ff849b1b;p=postgresql.git Issue a log message if a CRL file exists and the SSL library does not support CRL certificates. --- diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 93f5d168250..75e3240f912 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -11,7 +11,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.67 2006/05/04 22:18:38 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/06 01:31:38 momjian Exp $ * * Since the server static private key ($DataDir/server.key) * will normally be stored unencrypted so that the database @@ -795,7 +795,6 @@ initialize_SSL(void) } else { -#ifdef X509_V_FLAG_CRL_CHECK /* * Check the Certificate Revocation List (CRL) if file exists. * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html @@ -804,10 +803,18 @@ initialize_SSL(void) if (cvstore) { + /* Set the flags to check against the complete CRL chain */ if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) - /* setting the flags to check against the complete CRL chain */ - X509_STORE_set_flags(cvstore, +/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ +#ifdef X509_V_FLAG_CRL_CHECK + X509_STORE_set_flags(cvstore, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); +#else + ereport(LOG, + (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" ignored", + ROOT_CRL_FILE), + errdetail("Installed SSL library does not support CRL."))); +#endif else { /* Not fatal - we do not require CRL */ @@ -817,7 +824,6 @@ initialize_SSL(void) errdetail("Will not check certificates against CRL."))); } } -#endif /* X509_V_FLAG_CRL_CHECK */ SSL_CTX_set_verify(SSL_context, (SSL_VERIFY_PEER |