John Scalia <jayknowsunix@gmail.com> writes:
> I've got SSL working without the crl file, but when I set ssl_crl_file to
> use the one I have, it says FATAL on a restart and no SSL error reported.
> This is not very helpful.
Did you look into the postmaster log? Experimenting with an intentionally
corrupted CRL file here, I get log messages along the lines of
2017-06-14 16:45:15.096 EDT [22759] LOG: parameter "ssl_crl_file" changed to "root+client.crl"
2017-06-14 16:45:15.102 EDT [22759] LOG: could not load SSL certificate revocation list file "root+client.crl": bad
base64decode
The actually useful part of that comes out of OpenSSL, and we don't have
a lot of control about how specific it is ... but there should be
*something*.
regards, tom lane