Add support for SSL Certificate Revocation List (CRL) files, root.crl.

Libor Hoho?

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 75e70aa..a18914a 100644 (file)
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.370 2006/04/11 21:04:52 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.371 2006/04/27 02:29:14 momjian Exp $ -->
 
 <chapter Id="runtime">
  <title>Operating System Environment</title>
@@ -1553,7 +1553,9 @@ chmod og-rwx server.key
    the file <filename>root.crt</filename> in the data directory.  When
    present, a client certificate will be requested from the client
    during SSL connection startup, and it must have been signed by one of the
-   certificates present in <filename>root.crt</filename>.
+   certificates present in <filename>root.crt</filename>.  Certificate 
+   Revocation List (CRL) entries are also checked if the file 
+   <filename>root.crl</filename> exists.
   </para>
 
   <para>
@@ -1564,9 +1566,9 @@ chmod og-rwx server.key
 
   <para>
    The files <filename>server.key</>, <filename>server.crt</>,
-   and <filename>root.crt</filename> are only examined during server
-   start; so you must restart the server to make changes in them take
-   effect.
+   <filename>root.crt</filename>, and <filename>root.crl</filename>
+   are only examined during server start; so you must restart 
+   the server to make changes in them take effect.
   </para>
  </sect1>
 

diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 42d7414..d51154d 100644 (file)
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *       $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.63 2006/03/21 18:18:35 neilc Exp $
+ *       $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.64 2006/04/27 02:29:14 momjian Exp $
  *
  *       Since the server static private key ($DataDir/server.key)
  *       will normally be stored unencrypted so that the database
@@ -102,6 +102,7 @@
 #ifdef USE_SSL
 
 #define ROOT_CERT_FILE                 "root.crt"
+#define ROOT_CRL_FILE                  "root.crl"
 #define SERVER_CERT_FILE               "server.crt"
 #define SERVER_PRIVATE_KEY_FILE "server.key"
 
@@ -794,6 +795,28 @@ initialize_SSL(void)
        }
        else
        {
+               /*
+                *      Check the Certificate Revocation List (CRL) if file exists.
+                *      http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
+                */
+               X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
+
+               if (cvstore)
+               {
+                       if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+                          /* setting the flags to check against the complete CRL chain */
+                          X509_STORE_set_flags(cvstore,
+                                                       X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+                       else
+                       {
+                               /* Not fatal - we do not require CRL */
+                               ereport(LOG,
+                                       (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s",
+                                                       ROOT_CRL_FILE, SSLerrmessage()),
+                                        errdetail("Will not check certificates against CRL.")));
+                       }
+               }
+
                SSL_CTX_set_verify(SSL_context,
                                                   (SSL_VERIFY_PEER |
                                                        SSL_VERIFY_FAIL_IF_NO_PEER_CERT |