"Jean-Yves F. Barbier" <12ukwn@gmail.com> writes:
> I followed the http://www.howtoforge.com/postgresql-ssl-certificates HOWTO
> and succeeded to install SSL certificates (although pg_hba.conf line should
> be: hostssl mydb myuser 0.0.0.0/0 cert (and not trust).)
> As I didn't already test revocation, I made a: touch root.crl but at svr
> start I've got these 2 log lines:
> SSL certificate revocation list file "root.crl" not found, \
> skipping: no SSL error reported
> Certificates will not be checked against revocation list.
> Is this behavior normal or not?
Hmmm ... I don't see that here, on a Fedora 13 machine (openssl-1.0.0d).
It appears from the message that X509_STORE_load_locations is returning
zero but not bothering to set up an OpenSSL error message. It's not
entirely surprising that they might consider an empty file as an error,
perhaps; but I'm thinking this might be a bug that's fixed in newer
OpenSSL releases.
regards, tom lane