<div dir="ltr"><div>Hi Tatsuo,</div><div><br></div><div>Thanks for the review. Please see reply inline. </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 12, 2020 at 6:35 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp">ishii@sraoss.co.jp</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Umar,<br>
<br>
Thank you for the patch. I made a quick review on this patch.<br>
<br>
- Is there any reason for the doc to differe from PostgreSQL's doc?<br>
(besides the context on when the parameter can be changed)<br>
<br>
Patch:<br>
+ Specifies the path to a <acronym>PEM</acronym><br>
+ format <acronym>CRL</acronym> file, which can be used<br>
+ to verify the client certificate is valid and not revoked<br>
+ by <acronym>CA</acronym><br>
<br>
PostgreSQL:<br>
Specifies the name of the file containing the SSL server certificate<br>
revocation list (CRL). Relative paths are relative to the data<br>
directory. This parameter can only be set in the postgresql.conf file<br>
or on the server command line. The default is empty, meaning no CRL<br>
file is loaded.<br>
</blockquote><div class="gmail_quote"><br></div>I just followed the description pattern used for other ssl variables. We can use PostgreSQL doc if we remove following two line from that:</div><div class="gmail_quote">"Relative paths are relative to the data<br>
directory. This parameter can only be set in the postgresql.conf file<br>
or on the server command line.<br></div><div class="gmail_quote">"</div><div class="gmail_quote"><br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- It would be nice to include regression test patch. See<br>
src/test/023.ssl_connection for an example.<br>
</blockquote><div class="gmail_quote"><br></div><div class="gmail_quote">Sure, I will create and send test patch in src/test/023.ssl_connection. </div><div class="gmail_quote">I will try to generate CRL file for existing certification file in this this test. If thats not possible, then I have to generate new certification and CRL file. </div><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Best regards,<br>
--<br>
Tatsuo Ishii<br>
SRA OSS, Inc. Japan<br>
English: <a href="http://www.sraoss.co.jp/index_en.php" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
<br>
> Hi Hackers,<br>
> <br>
> I saw "Support for CRL (Certificate Revocation List)" feature in PgPool-II<br>
> TODO list<br>
> <<a href="https://pgpool.net/mediawiki/index.php/TODO#Support_for_CRL_(Certificate_Revocation_List)" rel="noreferrer" target="_blank">https://pgpool.net/mediawiki/index.php/TODO#Support_for_CRL_(Certificate_Revocation_List)</a>>,<br>
> so I implemented the CRL support. Please find attached patch for feature.<br>
> <br>
> A new configuration variable *'ssl_crl_file'* is introduced to specify CRL<br>
> file path (same os PostgreSQL). CRL will be loaded start up, as other ssl<br>
> files, so change in *'ssl_crl_file' *will require restart.<br>
> <br>
> If *'ssl_crl_file' *is define and there is a revocation entry in CRL file,<br>
> authentication will fail with error *"error: could not connect to server:<br>
> SSL error: sslv3 alert certificate revoked".*<br>
> <br>
> Patch Include:<br>
> CRL Feature implementation<br>
> Documentation updates<br>
> Sample configuration updates<br>
> <br>
> Regards,<br>
> <br>
> Umar Hayat<br></blockquote><div><br></div><div>Regards</div><div>Umar Hayat</div></div></div>