diff options
| -rw-r--r-- | src/backend/libpq/be-secure.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 93f5d168250..75e3240f912 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -11,7 +11,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.67 2006/05/04 22:18:38 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/06 01:31:38 momjian Exp $ * * Since the server static private key ($DataDir/server.key) * will normally be stored unencrypted so that the database @@ -795,7 +795,6 @@ initialize_SSL(void) } else { -#ifdef X509_V_FLAG_CRL_CHECK /* * Check the Certificate Revocation List (CRL) if file exists. * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html @@ -804,10 +803,18 @@ initialize_SSL(void) if (cvstore) { + /* Set the flags to check against the complete CRL chain */ if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) - /* setting the flags to check against the complete CRL chain */ - X509_STORE_set_flags(cvstore, +/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ +#ifdef X509_V_FLAG_CRL_CHECK + X509_STORE_set_flags(cvstore, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); +#else + ereport(LOG, + (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" ignored", + ROOT_CRL_FILE), + errdetail("Installed SSL library does not support CRL."))); +#endif else { /* Not fatal - we do not require CRL */ @@ -817,7 +824,6 @@ initialize_SSL(void) errdetail("Will not check certificates against CRL."))); } } -#endif /* X509_V_FLAG_CRL_CHECK */ SSL_CTX_set_verify(SSL_context, (SSL_VERIFY_PEER | |