Add support for SSL Certificate Revocation List (CRL) files, root.crl.

Libor Hoho?
2006-04-27 02:29:14 +00:00 · 2006-04-27 02:29:14 +00:00 · e747f4935a
commit e747f4935a
parent 1a84275a7b
2 changed files with 31 additions and 6 deletions
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.370 2006/04/11 21:04:52 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.371 2006/04/27 02:29:14 momjian Exp $ -->

 <chapter Id="runtime">
 <title>Operating System Environment</title>
@ -1553,7 +1553,9 @@ chmod og-rwx server.key
   the file <filename>root.crt</filename> in the data directory.  When
   present, a client certificate will be requested from the client
   during SSL connection startup, and it must have been signed by one of the
-   certificates present in <filename>root.crt</filename>.
+   certificates present in <filename>root.crt</filename>.  Certificate 
+   Revocation List (CRL) entries are also checked if the file 
+   <filename>root.crl</filename> exists.
  </para>

  <para>
@ -1564,9 +1566,9 @@ chmod og-rwx server.key

  <para>
   The files <filename>server.key</>, <filename>server.crt</>,
-   and <filename>root.crt</filename> are only examined during server
-   start; so you must restart the server to make changes in them take
-   effect.
+   <filename>root.crt</filename>, and <filename>root.crl</filename>
+   are only examined during server start; so you must restart 
+   the server to make changes in them take effect.
  </para>
 </sect1>

--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.63 2006/03/21 18:18:35 neilc Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.64 2006/04/27 02:29:14 momjian Exp $
 *
 *	  Since the server static private key ($DataDir/server.key)
 *	  will normally be stored unencrypted so that the database
@ -102,6 +102,7 @@
 #ifdef USE_SSL

 #define ROOT_CERT_FILE			"root.crt"
+#define ROOT_CRL_FILE			"root.crl"
 #define SERVER_CERT_FILE		"server.crt"
 #define SERVER_PRIVATE_KEY_FILE "server.key"

@ -794,6 +795,28 @@ initialize_SSL(void)
 	}
 	else
 	{
+		/*
+		 *	Check the Certificate Revocation List (CRL) if file exists.
+		 *	http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
+		 */
+		X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
+
+		if (cvstore)
+		{
+			if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+			   /* setting the flags to check against the complete CRL chain */
+			   X509_STORE_set_flags(cvstore,
+							X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+			else
+			{
+				/* Not fatal - we do not require CRL */
+				ereport(LOG,
+					(errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s",
+							ROOT_CRL_FILE, SSLerrmessage()),
+					 errdetail("Will not check certificates against CRL.")));
+			}
+		}
+
 		SSL_CTX_set_verify(SSL_context,
 						   (SSL_VERIFY_PEER |
 							SSL_VERIFY_FAIL_IF_NO_PEER_CERT |