From 3ecfdceaec956db3196967b468f281d4ff849b1b Mon Sep 17 00:00:00 2001 From: Bruce Momjian Date: Sat, 6 May 2006 01:31:38 +0000 Subject: [PATCH] Issue a log message if a CRL file exists and the SSL library does not support CRL certificates. --- src/backend/libpq/be-secure.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 93f5d16825..75e3240f91 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -11,7 +11,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.67 2006/05/04 22:18:38 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/06 01:31:38 momjian Exp $ * * Since the server static private key ($DataDir/server.key) * will normally be stored unencrypted so that the database @@ -795,7 +795,6 @@ initialize_SSL(void) } else { -#ifdef X509_V_FLAG_CRL_CHECK /* * Check the Certificate Revocation List (CRL) if file exists. * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html @@ -804,10 +803,18 @@ initialize_SSL(void) if (cvstore) { + /* Set the flags to check against the complete CRL chain */ if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) - /* setting the flags to check against the complete CRL chain */ - X509_STORE_set_flags(cvstore, +/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ +#ifdef X509_V_FLAG_CRL_CHECK + X509_STORE_set_flags(cvstore, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); +#else + ereport(LOG, + (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" ignored", + ROOT_CRL_FILE), + errdetail("Installed SSL library does not support CRL."))); +#endif else { /* Not fatal - we do not require CRL */ @@ -817,7 +824,6 @@ initialize_SSL(void) errdetail("Will not check certificates against CRL."))); } } -#endif /* X509_V_FLAG_CRL_CHECK */ SSL_CTX_set_verify(SSL_context, (SSL_VERIFY_PEER | -- 2.11.0