[pgpool-hackers: 3507] Re: [PATCH] Feature: Support for CRL (Certificate Revocation List)

Tatsuo Ishii ishii at sraoss.co.jp
Wed Feb 12 10:35:03 JST 2020


Hi Umar,

Thank you for the patch. I did a quick review of this patch.

- Is there any reason for the doc to differ from PostgreSQL's doc?
  (besides the context on when the parameter can be changed)

Patch:
+      Specifies the path to a <acronym>PEM</acronym>
+      format <acronym>CRL</acronym> file, which can be used
+      to verify the client certificate is valid and not revoked
+      by <acronym>CA</acronym>
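Review bot: the new description ends without a terminating period and leaves out two points that PostgreSQL's text for the same parameter (quoted just below) states: the default (empty, meaning no CRL file is loaded) and how a relative path is resolved. Suggest closing the sentence after `by <acronym>CA</acronym>` and appending a line such as `The default is empty, meaning no CRL file is loaded.`; "is valid and not revoked by CA" would also read better as "is valid and has not been revoked by the CA".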

PostgreSQL:
Specifies the name of the file containing the SSL server certificate
revocation list (CRL). Relative paths are relative to the data
directory. This parameter can only be set in the postgresql.conf file
or on the server command line. The default is empty, meaning no CRL
file is loaded.

- It would be nice to include a regression test patch. See
  src/test/023.ssl_connection for an example.
  
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp

> Hi Hackers,
> 
> I saw "Support for CRL (Certificate Revocation List)" feature in PgPool-II
> TODO list
> <https://pgpool.net/mediawiki/index.php/TODO#Support_for_CRL_(Certificate_Revocation_List)>,
> so I implemented the CRL support. Please find the attached patch for the feature.
> 
> A new configuration variable 'ssl_crl_file' is introduced to specify the CRL
> file path (same as PostgreSQL). The CRL will be loaded at start up, as other ssl
> files are, so a change in 'ssl_crl_file' will require a restart.
> 
> If 'ssl_crl_file' is defined and there is a revocation entry in the CRL file,
> authentication will fail with the error "error: could not connect to server:
> SSL error: sslv3 alert certificate revoked".
> 
> Patch includes:
> CRL Feature implementation
> Documentation updates
> Sample configuration updates
> 
> Regards,
> 
> Umar Hayat


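The behaviour Umar describes (a client certificate that chains to the CA but appears in the CRL named by ssl_crl_file is rejected) can be reproduced outside pgpool-II with the openssl CLI alone. This is an added example, not part of the patch or of pgpool-II's own test suite; it assumes `openssl` is in PATH, and the CA and client names (`demo-ca`, `demo-client`) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the patch or pgpool-II: reproduce the check that
# ssl_crl_file enables, using only the openssl CLI in a scratch directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal config; `openssl ca` needs a database and serial file to issue
# certificates and CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = p
[ p ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
touch index.txt
echo 01 > serial
# Constructed CA and one client certificate issued by it (hypothetical names).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj /CN=demo-ca -days 30 -config ca.cnf >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj /CN=demo-client -config ca.cnf >/dev/null 2>&1
openssl ca -batch -config ca.cnf -in client.csr -out client.crt >/dev/null 2>&1
# CRL before and after revoking the client certificate.
openssl ca -config ca.cnf -gencrl -out before.crl >/dev/null 2>&1
openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out after.crl >/dev/null 2>&1
# Exit 0 when client.crt chains to the CA and is absent from the given CRL,
# non-zero otherwise; this is the leaf check a TLS server makes with a CRL.
verify_client() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" client.crt >/dev/null 2>&1
}
verify_client before.crl && echo "before revocation: accepted"
verify_client after.crl || echo "after revocation: rejected"
```

The second call fails for the same reason the server sends the "certificate revoked" alert: the leaf's serial is listed in a CRL signed by its issuer.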