authorBruce Momjian <bruce@momjian.us>2006-05-06 01:31:38 +0000
committerBruce Momjian <bruce@momjian.us>2006-05-06 01:31:38 +0000
commit3ecfdceaec956db3196967b468f281d4ff849b1b (patch)
tree2e8ad717cf5fc0d1aeaad15e2a60f1ccb392b743 /src
parent25c1c3cfd66c08b1399c87b1df16e3cc16904e4f (diff)
Issue a log message if a CRL file exists but the SSL library does not
support CRL checking.
Diffstat (limited to 'src')
-rw-r--r--src/backend/libpq/be-secure.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 93f5d168250..75e3240f912 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.67 2006/05/04 22:18:38 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/06 01:31:38 momjian Exp $
*
* Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database
@@ -795,7 +795,6 @@ initialize_SSL(void)
}
else
{
-#ifdef X509_V_FLAG_CRL_CHECK
/*
* Check the Certificate Revocation List (CRL) if file exists.
* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
@@ -804,10 +803,18 @@ initialize_SSL(void)
if (cvstore)
{
+ /* Set the flags to check against the complete CRL chain */
if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
- /* setting the flags to check against the complete CRL chain */
- X509_STORE_set_flags(cvstore,
+/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
+#ifdef X509_V_FLAG_CRL_CHECK
+ X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+#else
+ ereport(LOG,
+ (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" ignored",
+ ROOT_CRL_FILE),
+ errdetail("Installed SSL library does not support CRL.")));
+#endif
else
{
/* Not fatal - we do not require CRL */
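Review bot: The unbraced `if`/`else` wrapped around the `#ifdef X509_V_FLAG_CRL_CHECK` block is fragile: both preprocessor branches happen to be single statements, so the `else` after `#endif` still binds to `if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)`, but adding a second statement to either branch would silently rebind it, so the `if` body should be braced (`{` after the `if` line, `}` before the `else`). The relocated comment `/* Set the flags to check against the complete CRL chain */` now sits above the load call and is wrong on the `#else` path, where no flags are set at all; `/* Load the CRL; revocation checking is enabled below only if the library supports it */` would describe both paths. On that `#else` path the CRL is loaded into cvstore but never enforced, so a certificate listed in the CRL still passes peer verification and the LOG-level ereport is the only signal the administrator gets; given that placing a CRL file expresses an intent to reject revoked certificates, WARNING severity may be more appropriate than LOG. The body of initialize_SSL continues outside this hunk.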
@@ -817,7 +824,6 @@ initialize_SSL(void)
errdetail("Will not check certificates against CRL.")));
}
}
-#endif /* X509_V_FLAG_CRL_CHECK */
SSL_CTX_set_verify(SSL_context,
(SSL_VERIFY_PEER |