From f5465fade90827534fbd0b795d18dc62e56939e9 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Thu, 18 Feb 2021 07:59:10 +0100 Subject: Allow specifying CRL directory Add another method to specify CRLs, hashed directory method, for both server and client side. This offers a means for server or libpq to load only CRLs that are required to verify a certificate. The CRL directory is specified by separate GUC variables or connection options ssl_crl_dir and sslcrldir, alongside the existing ssl_crl_file and sslcrl, so both methods can be used at the same time. Author: Kyotaro Horiguchi Discussion: https://www.postgresql.org/message-id/flat/20200731.173911.904649928639357911.horikyota.ntt@gmail.com --- doc/src/sgml/config.sgml | 36 +++++++++++++++++++++++++++++++++++- doc/src/sgml/libpq.sgml | 28 +++++++++++++++++++++++++++- 2 files changed, 62 insertions(+), 2 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 4df1405d2e2..e81141e45cf 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml 
@@ -1216,7 +1216,41 @@ include_dir 'conf.d' Relative paths are relative to the data directory. This parameter can only be set in the postgresql.conf file or on the server command line. - The default is empty, meaning no CRL file is loaded. + The default is empty, meaning no CRL file is loaded (unless + is set). + + + + + + ssl_crl_dir (string) + + ssl_crl_dir configuration parameter + + + + + Specifies the name of the directory containing the SSL server + certificate revocation list (CRL). Relative paths are relative to the + data directory. This parameter can only be set in + the postgresql.conf file or on the server command + line. The default is empty, meaning no CRLs are used (unless + is set). + + + + The directory needs to be prepared with the OpenSSL command + openssl rehash or c_rehash. See + its documentation for details. + + + + When using this setting, CRLs in the specified directory are loaded + on-demand at connection time. New CRLs can be added to the directory + and will be used immediately. This is unlike , which causes the CRL in the file to be + loaded at server start time or when the configuration is reloaded. + Both settings can be used together. diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index b7a82453f0d..5e25f20843c 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml 
@@ -1723,12 +1723,38 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname This parameter specifies the file name of the SSL certificate revocation list (CRL). Certificates listed in this file, if it exists, will be rejected while attempting to authenticate the - server's certificate. The default is + server's certificate. If neither + nor + is set, this setting is + taken as ~/.postgresql/root.crl. + + sslcrldir + + + This parameter specifies the directory name of the SSL certificate + revocation list (CRL). Certificates listed in the files in this + directory, if it exists, will be rejected while attempting to + authenticate the server's certificate. + + + + The directory needs to be prepared with the OpenSSL command + openssl rehash or c_rehash. See + its documentation for details. + + + + Both sslcrl and sslcrldir can be + specified together. + + + + requirepeer -- cgit v1.2.3
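Review bot: In the config.sgml hunk, the sentence "New CRLs can be added to the directory and will be used immediately" is stronger than the hunk's own description supports: the same paragraph block says the directory "needs to be prepared with the OpenSSL command openssl rehash or c_rehash", and a hashed directory is searched by hashed file name, so a CRL that is merely copied in is not found until the directory is rehashed again. Suggest qualifying it, for example "New CRLs can be added to the directory (and the directory rehashed) and will be used for new connections without a server restart or reload." The same paragraph should also say what the on-demand loading implies operationally: the directory is read by the server at connection time, so it must stay readable by the server process and its contents should be protected from modification by other users, since a replaced or removed CRL file changes the revocation check for every subsequent connection without any configuration reload being logged. Minor wording point in the same hunk: "the directory containing the SSL server certificate revocation list (CRL)" reads as one CRL; "certificate revocation lists (CRLs)" matches the rest of the text.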
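Review bot: In the libpq.sgml hunk, the rewritten sslcrl default ("If neither sslcrl nor sslcrldir is set, this setting is taken as ~/.postgresql/root.crl") introduces a behaviour change that the new sslcrldir entry does not call out: a client that today relies on the implicit ~/.postgresql/root.crl and starts setting sslcrldir silently stops using that file, so a revocation it previously enforced is lost unless sslcrl is also set explicitly. Suggest stating this directly in the sslcrldir entry, e.g. "Setting sslcrldir disables the default ~/.postgresql/root.crl; specify sslcrl explicitly if that file should still be used.", and adding the matching note to the sslcrl entry. Also, the sslcrldir entry gives no default value while the server-side ssl_crl_dir entry in the other hunk says "The default is empty"; adding the same sentence here keeps the two entries consistent. Finally, "See its documentation for details" after "openssl rehash or c_rehash" is ambiguous about which of the two commands "its" refers to; "See the OpenSSL documentation for details" avoids that.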