Issue a log message if a CRL file exists and the SSL library does not

bmomjian · bmomjian · commit 3ecfdceaec95 · 2006-05-06T01:31:38.000Z
support CRL certificates.
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.67 2006/05/04 22:18:38 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/06 01:31:38 momjian Exp $
  *
  *	  Since the server static private key ($DataDir/server.key)
  *	  will normally be stored unencrypted so that the database
@@ -795,7 +795,6 @@ initialize_SSL(void)
 	}
 	else
 	{
-#ifdef X509_V_FLAG_CRL_CHECK
 		/*
 		 *	Check the Certificate Revocation List (CRL) if file exists.
 		 *	http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
@@ -804,10 +803,18 @@ initialize_SSL(void)
 
 		if (cvstore)
 		{
+		   /* Set the flags to check against the complete CRL chain */
 			if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
-			   /* setting the flags to check against the complete CRL chain */
-			   X509_STORE_set_flags(cvstore,
+/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
+#ifdef X509_V_FLAG_CRL_CHECK
+				X509_STORE_set_flags(cvstore,
 							X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+#else
+				ereport(LOG,
+					(errmsg("SSL Certificate Revocation List (CRL) file \"%s\" ignored",
+							ROOT_CRL_FILE),
+					 errdetail("Installed SSL library does not support CRL.")));
+#endif
 			else
 			{
 				/* Not fatal - we do not require CRL */
@@ -817,7 +824,6 @@ initialize_SSL(void)
 					 errdetail("Will not check certificates against CRL.")));
 			}
 		}
-#endif /* X509_V_FLAG_CRL_CHECK */
 
 		SSL_CTX_set_verify(SSL_context,
 						   (SSL_VERIFY_PEER |

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.67 2006/05/04 22:18:38 tgl Exp $`
	`14`	`+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/06 01:31:38 momjian Exp $`
`15`	`15`	`*`
`16`	`16`	`* Since the server static private key ($DataDir/server.key)`
`17`	`17`	`* will normally be stored unencrypted so that the database`
`@@ -795,7 +795,6 @@ initialize_SSL(void)`
`795`	`795`	`}`
`796`	`796`	`else`
`797`	`797`	`{`
`798`		`-#ifdef X509_V_FLAG_CRL_CHECK`
`799`	`798`	`/*`
`800`	`799`	`* Check the Certificate Revocation List (CRL) if file exists.`
`801`	`800`	`* http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html`
`@@ -804,10 +803,18 @@ initialize_SSL(void)`
`804`	`803`
`805`	`804`	`if (cvstore)`
`806`	`805`	`{`
	`806`	`+ /* Set the flags to check against the complete CRL chain */`
`807`	`807`	`if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)`
`808`		`- /* setting the flags to check against the complete CRL chain */`
`809`		`- X509_STORE_set_flags(cvstore,`
	`808`	`+/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */`
	`809`	`+#ifdef X509_V_FLAG_CRL_CHECK`
	`810`	`+ X509_STORE_set_flags(cvstore,`
`810`	`811`	`X509_V_FLAG_CRL_CHECK\|X509_V_FLAG_CRL_CHECK_ALL);`
	`812`	`+#else`
	`813`	`+ ereport(LOG,`
	`814`	`+ (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" ignored",`
	`815`	`+ ROOT_CRL_FILE),`
	`816`	`+ errdetail("Installed SSL library does not support CRL.")));`
	`817`	`+#endif`
`811`	`818`	`else`
`812`	`819`	`{`
`813`	`820`	`/* Not fatal - we do not require CRL */`
`@@ -817,7 +824,6 @@ initialize_SSL(void)`
`817`	`824`	`errdetail("Will not check certificates against CRL.")));`
`818`	`825`	`}`
`819`	`826`	`}`
`820`		`-#endif /* X509_V_FLAG_CRL_CHECK */`
`821`	`827`
`822`	`828`	`SSL_CTX_set_verify(SSL_context,`
`823`	`829`	`(SSL_VERIFY_PEER \|`