Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local

From: Bruce Momjian
Subject: Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local
Date:
Msg-id: 200605051828.k45ISDA10176@candle.pha.pa.us
Replies: Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local
List: pgsql-patches
Tom Lane wrote:
> Kris Jurka <books@ejurka.com> writes:
> > On Thu, 4 May 2006, Tom Lane wrote:
> >> Don't try to compile SSL CRL support if local SSL installation hasn't
> >> got it.  Per buildfarm failure on 'canary'.
>
> > It seems a little bit dangerous to just not check the CRL without so much
> > as a warning message.
>
> [ shrug... ]  Anyone who's running openssl 0.9.6, or whatever that is on
> canary, isn't expecting CRL support anyway.  And all I did is restore
> the behavior we've had for lo these past many years.

The problem is that we now document that we support CRL, so either we
log if we skip it, or we have to document which versions of OpenSSL do
not support CRL (yuck).

The attached patch checks for the file, and either uses it or generates
a log message that it was skipped.

--
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: src/backend/libpq/be-secure.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v
retrieving revision 1.67
diff -c -c -r1.67 be-secure.c
*** src/backend/libpq/be-secure.c    4 May 2006 22:18:38 -0000    1.67
--- src/backend/libpq/be-secure.c    5 May 2006 18:26:37 -0000
***************
*** 795,801 ****
      }
      else
      {
- #ifdef X509_V_FLAG_CRL_CHECK
          /*
           *    Check the Certificate Revocation List (CRL) if file exists.
           *    http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
--- 795,800 ----
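Review bot: dropping this #ifdef (its #endif is removed in the last hunk) makes the whole CRL block unconditional, so X509_STORE_load_locations() and the ereport calls around it now compile on every OpenSSL the tree builds against, including the 0.9.6-era library on canary that triggered the original commit; only the X509_V_FLAG_CRL_CHECK macro itself stays guarded further down. Please confirm that build actually has X509_STORE_load_locations before committing, otherwise this just moves the buildfarm failure a few lines. Since the comment block is being touched anyway, the searchsecurity.techtarget.com link in it is not a useful reference to carry in the source; point at the OpenSSL documentation or drop it.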
***************
*** 804,813 ****

          if (cvstore)
          {
              if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
!                /* setting the flags to check against the complete CRL chain */
!                X509_STORE_set_flags(cvstore,
                              X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
              else
              {
                  /* Not fatal - we do not require CRL */
--- 803,820 ----

          if (cvstore)
          {
+            /* Set the flags to check against the complete CRL chain */
              if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
! /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
! #ifdef X509_V_FLAG_CRL_CHECK
!                 X509_STORE_set_flags(cvstore,
                              X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ #else
+                 ereport(LOG,
+                     (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" ignored",
+                             ROOT_CRL_FILE),
+                      errdetail("Installed SSL library does not support CRL.")));
+ #endif
              else
              {
                  /* Not fatal - we do not require CRL */
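Review bot: the #ifdef/#else/#endif is placed between an unbraced `if (X509_STORE_load_locations(...) != 0)` and its `else`, which compiles only because each preprocessor branch leaves exactly one statement behind; wrap the body in braces so the `else` cannot be silently re-paired if either branch grows. The comment moved above the `if` ("Set the flags to check against the complete CRL chain") now reads as a description of the load call rather than of X509_STORE_set_flags(); keep it next to the call it describes, and "OpenSSL 0.96" should read 0.9.6. On the message itself: LOG matches the missing-file case a few lines below, but the situations differ. There the administrator configured no CRL; here a CRL was deliberately installed, is loaded into the store, and is then never consulted, so the SSL_VERIFY_PEER check that follows will accept a client presenting a revoked certificate. That is worth at least WARNING so it shows up where an administrator looks.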
***************
*** 817,823 ****
                       errdetail("Will not check certificates against CRL.")));
              }
          }
- #endif /* X509_V_FLAG_CRL_CHECK */

          SSL_CTX_set_verify(SSL_context,
                             (SSL_VERIFY_PEER |
--- 824,829 ----
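The three states this thread is arguing about (no CRL file, CRL file present but the verifier not told to check it, CRL actually enforced) can be reproduced from the shell with the openssl CLI. The script below is an added example for this page, not PostgreSQL code; it builds its own throwaway CA under a temporary directory, the file names (ca.cnf, root.crl, client.crt and so on) are its own rather than the server's, and it assumes an openssl CLI whose `verify` subcommand accepts `-CRLfile` and `-crl_check`.

```shell
#!/bin/sh
# Added example for the CRL thread; not PostgreSQL code. File names below are
# local to this script and are not the ones the server uses.
# It builds a throwaway CA, issues a client certificate, revokes it, and then
# verifies that certificate three ways, mirroring the states in the patch:
#   1. no CRL at all                      -> accepted
#   2. CRL loaded, no CRL-check flag      -> accepted (the "ignored" case)
#   3. CRL loaded and -crl_check enabled  -> rejected as revoked

# verdict <openssl verify arguments...>: prints "accepted" or "rejected".
verdict() {
    if openssl verify "$@" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# crl_demo: prints the three verdicts on one line and cleans up after itself.
crl_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Minimal configuration for `openssl ca`; everything lives in $dir.
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
        touch index.txt
        echo 01 > serial
        echo 01 > crlnumber

        # Self-signed CA allowed to sign both certificates and CRLs.
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -keyout ca.key -out ca.crt -subj /CN=demo-ca \
            -config ca.cnf -extensions v3_ca >/dev/null 2>&1 || exit 1
        # Client certificate issued by that CA.
        openssl req -newkey rsa:2048 -nodes -keyout client.key \
            -out client.csr -subj /CN=demo-client -config ca.cnf >/dev/null 2>&1 || exit 1
        openssl ca -batch -config ca.cnf -in client.csr -out client.crt \
            -notext >/dev/null 2>&1 || exit 1
        # Revoke it and publish the CRL.
        openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1 || exit 1
        openssl ca -config ca.cnf -gencrl -out root.crl >/dev/null 2>&1 || exit 1

        no_crl=$(verdict -CAfile ca.crt client.crt)
        crl_no_flag=$(verdict -CAfile ca.crt -CRLfile root.crl client.crt)
        crl_checked=$(verdict -CAfile ca.crt -CRLfile root.crl -crl_check client.crt)
        echo "$no_crl $crl_no_flag $crl_checked"
    )
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Source the file and call `crl_demo`; the expected output is `accepted accepted rejected`. The middle field is exactly what the `#else` branch in the patch is logging about: the CRL is in the store, but without the CRL-check flag the verifier never consults it, so a revoked client certificate still passes peer verification.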

In the pgsql-patches list, by date sent:

Previous
From: Martijn van Oosterhout
Date:
Message: Re: Have configure complain about unknown options
Next
From: Tom Lane
Date:
Message: Re: [COMMITTERS] pgsql: Don't try to compile SSL CRL support if local