Add support for SSL Certificate Revocation List (CRL) files, root.crl.

bmomjian · bmomjian · commit e747f4935a74 · 2006-04-27T02:29:14.000Z
Libor Hoho?
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.370 2006/04/11 21:04:52 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.371 2006/04/27 02:29:14 momjian Exp $ -->
 
 <chapter Id="runtime">
  <title>Operating System Environment</title>
@@ -1553,7 +1553,9 @@ chmod og-rwx server.key
    the file <filename>root.crt</filename> in the data directory.  When
    present, a client certificate will be requested from the client
    during SSL connection startup, and it must have been signed by one of the
-   certificates present in <filename>root.crt</filename>.
+   certificates present in <filename>root.crt</filename>.  Certificate 
+   Revocation List (CRL) entries are also checked if the file 
+   <filename>root.crl</filename> exists.
   </para>
 
   <para>
@@ -1564,9 +1566,9 @@ chmod og-rwx server.key
 
   <para>
    The files <filename>server.key</>, <filename>server.crt</>,
-   and <filename>root.crt</filename> are only examined during server
-   start; so you must restart the server to make changes in them take
-   effect.
+   <filename>root.crt</filename>, and <filename>root.crl</filename>
+   are only examined during server start; so you must restart 
+   the server to make changes in them take effect.
   </para>
  </sect1>
 
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.63 2006/03/21 18:18:35 neilc Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.64 2006/04/27 02:29:14 momjian Exp $
  *
  *	  Since the server static private key ($DataDir/server.key)
  *	  will normally be stored unencrypted so that the database
@@ -102,6 +102,7 @@
 #ifdef USE_SSL
 
 #define ROOT_CERT_FILE			"root.crt"
+#define ROOT_CRL_FILE			"root.crl"
 #define SERVER_CERT_FILE		"server.crt"
 #define SERVER_PRIVATE_KEY_FILE "server.key"
 
@@ -794,6 +795,28 @@ initialize_SSL(void)
 	}
 	else
 	{
+		/*
+		 *	Check the Certificate Revocation List (CRL) if file exists.
+		 *	http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
+		 */
+		X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
+
+		if (cvstore)
+		{
+			if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+			   /* setting the flags to check against the complete CRL chain */
+			   X509_STORE_set_flags(cvstore,
+							X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+			else
+			{
+				/* Not fatal - we do not require CRL */
+				ereport(LOG,
+					(errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s",
+							ROOT_CRL_FILE, SSLerrmessage()),
+					 errdetail("Will not check certificates against CRL.")));
+			}
+		}
+
 		SSL_CTX_set_verify(SSL_context,
 						   (SSL_VERIFY_PEER |
 							SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
