[pgpool-hackers: 3508] Re: [PATCH] Feature: Support for CRL (Certificate Revocation List)

Umar Hayat m.umarkiani at gmail.com
Thu Feb 13 01:55:47 JST 2020


Hi Tatsuo,

Thanks for the review.  Please see reply inline.

On Wed, Feb 12, 2020 at 6:35 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:

> Hi Umar,
>
> Thank you for the patch. I made a quick review on this patch.
>
> - Is there any reason for the doc to differ from PostgreSQL's doc?
>   (besides the context on when the parameter can be changed)
>
> Patch:
> +      Specifies the path to a <acronym>PEM</acronym>
> +      format <acronym>CRL</acronym> file, which can be used
> +      to verify the client certificate is valid and not revoked
> +      by <acronym>CA</acronym>
>
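Review bot: the new paragraph (the four `+` lines) ends without terminating punctuation after `by <acronym>CA</acronym>` and says nothing about when a change to the parameter takes effect, although the cover note states that the CRL is loaded at start up and that changing ssl_crl_file requires a restart. Suggest closing the sentence and adding a line stating that the file is read only at start up, in line with the neighbouring ssl_* parameter descriptions, which is the context the reviewer notes the PostgreSQL wording does not supply for pgpool.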
> PostgreSQL:
> Specifies the name of the file containing the SSL server certificate
> revocation list (CRL). Relative paths are relative to the data
> directory. This parameter can only be set in the postgresql.conf file
> or on the server command line. The default is empty, meaning no CRL
> file is loaded.
>

I just followed the description pattern used for the other ssl variables. We
can use the PostgreSQL doc if we remove the following two lines from it:
"Relative paths are relative to the data
directory. This parameter can only be set in the postgresql.conf file
or on the server command line.
"

> - It would be nice to include a regression test patch. See
>   src/test/023.ssl_connection for an example.
>

Sure, I will create and send a test patch in src/test/023.ssl_connection.
I will try to generate a CRL file for the existing certificate file in this
test. If that's not possible, then I will have to generate a new certificate
and CRL file.

> Best regards,
> --
> Tatsuo Ishii
> SRA OSS, Inc. Japan
> English: http://www.sraoss.co.jp/index_en.php
> Japanese:http://www.sraoss.co.jp
>
> > Hi Hackers,
> >
> > I saw the "Support for CRL (Certificate Revocation List)" feature in the
> > PgPool-II TODO list
> > <https://pgpool.net/mediawiki/index.php/TODO#Support_for_CRL_(Certificate_Revocation_List)>,
> > so I implemented the CRL support. Please find attached the patch for the feature.
> >
> > A new configuration variable 'ssl_crl_file' is introduced to specify the CRL
> > file path (same as PostgreSQL). The CRL will be loaded at start up, as the other
> > ssl files are, so a change in 'ssl_crl_file' will require a restart.
> >
> > If 'ssl_crl_file' is defined and there is a revocation entry in the CRL file,
> > authentication will fail with the error "error: could not connect to server:
> > SSL error: sslv3 alert certificate revoked".
> >
> > Patch includes:
> > CRL feature implementation
> > Documentation updates
> > Sample configuration updates
> >
> > Regards,
> >
> > Umar Hayat
>

Regards
Umar Hayat
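The test preparation discussed above (generating a CRL for a test certificate) and the behaviour the patch notes describe (a client certificate is rejected once the CRL named by ssl_crl_file lists it) can be exercised with the OpenSSL CLI alone. The script below is an added example; it is not part of the patch, of pgpool-II, or of src/test/023.ssl_connection, and every name in it (the temporary directory, "Demo CA", "demo-client", the config section names) is made up for the demo. It builds a throwaway CA, issues a client certificate, publishes an empty CRL (the certificate verifies), then revokes the certificate and republishes the CRL (verification now reports "certificate revoked", the condition behind the handshake alert quoted in the thread).

```shell
#!/bin/sh
# Added example, not part of the pgpool-II patch or its regression tests.
# Builds a throwaway CA and client certificate in a temporary directory and
# shows what a CRL entry does to validation. Needs only the openssl CLI; the
# names (Demo CA, demo-client, config section names) are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# "openssl ca" needs a config plus database, serial and CRL-number files
# before it can sign, revoke or generate a CRL.
write_ca_config() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = demo_policy
x509_extensions  = v3_client
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA, then a client certificate signed through "openssl ca" so
# the CA database records the serial number that is revoked later.
issue_certs() {
    openssl req -x509 -new -config "$WORK/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" -keyout "$WORK/client.key" \
        -out "$WORK/client.csr" 2>/dev/null
    openssl ca -batch -config "$WORK/ca.cnf" -notext \
        -in "$WORK/client.csr" -out "$WORK/client.crt" 2>/dev/null
}

# Writes the CA's current CRL in PEM format, the format ssl_crl_file expects.
publish_crl() {
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Marks the client certificate as revoked in the CA database.
revoke_client() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/client.crt" \
        -crl_reason keyCompromise 2>/dev/null
}

# Chain validation with CRL checking on, the same kind of check a server
# applies to a client certificate during the TLS handshake.
# Prints "valid", "revoked", or the verifier's message for any other failure.
client_cert_status() {
    if out="$(openssl verify -crl_check -CAfile "$WORK/ca.crt" \
            -CRLfile "$WORK/ca.crl" "$WORK/client.crt" 2>&1)"; then
        echo valid
    else
        case "$out" in
            *"certificate revoked"*) echo revoked ;;
            *) echo "error: $out" ;;
        esac
    fi
}

# End to end: accepted while the CRL has no entries, rejected once the
# certificate is listed. Returns 0 only if both observations hold.
crl_demo() {
    write_ca_config
    issue_certs
    publish_crl
    before="$(client_cert_status)"
    revoke_client
    publish_crl
    after="$(client_cert_status)"
    echo "before revocation: $before; after revocation: $after"
    [ "$before" = valid ] && [ "$after" = revoked ]
}

crl_demo
```

The two-step CRL publication is the point worth noticing for a regression test: a CRL that exists but has no entries does not block the certificate, so a test needs the entry itself, not merely the file. The files the script leaves in $WORK (ca.crt, client.crt, client.key, ca.crl) are the shape of input a pgpool test directory would use, with ca.crl as the ssl_crl_file value.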