Re: [DOCS] Default names for CRL and CA files in the backend

From Michael Paquier
Subject Re: [DOCS] Default names for CRL and CA files in the backend
Msg-id CAB7nPqQ8xnF8UX8sk1ZMAi1Tb7S9sbb0ihtB0-4uVxh_pbctKQ@mail.gmail.com
In reply to [DOCS] Default names for CRL and CA files in the backend  (Daniel Gustafsson <daniel@yesql.se>)
Responses Re: [DOCS] Default names for CRL and CA files in the backend  (Daniel Gustafsson <daniel@yesql.se>)
List pgsql-docs
On Thu, Aug 17, 2017 at 7:31 AM, Daniel Gustafsson <daniel@yesql.se> wrote:
> Commit a445cb92ef5b3a31313ebce30e18cc1d6e0bdecb removed the default names for
> serverside CRL and CA files, but the defaults were left in the "SSL Server File
> Usage" table with a small note.  I completely missed the note, even after
> having been fiddling about with the code in question.  Removing the filenames
> from the table, and altering the note per the attached patch, makes the docs
> clearer IMHO.

Here are additional notes on the matter.

From libpq.sgml:
  <para>
   In some cases, the client certificate might be signed by an
   <quote>intermediate</> certificate authority, rather than one that is
   directly trusted by the server.  To use such a certificate, append the
   certificate of the signing authority to the <filename>postgresql.crt</>
   file, then its parent authority's certificate, and so on up to a certificate
   authority, <quote>root</> or <quote>intermediate</>, that is trusted by
   the server, i.e. signed by a certificate in the server's
   <filename>root.crt</filename> file.
  </para>

Am I reading that correctly? The last sentence should not mention
root.crt as well. The paragraph after that assumes that ssl_ca_file is
set to root.crt so it looks fine to use it. But that's not assumed
here.

In sslinfo.sgml:
    <para>
     This function is really useful only if you have more than one trusted CA
     certificate in your server's <filename>root.crt</> file, or if this CA
     has issued some intermediate certificate authority certificates.
    </para>

In runtime.sgml:
  <para>
   Note that the server's <filename>root.crt</filename> lists the top-level
   CAs that are considered trusted for signing client certificates.
   In principle it need
   not list the CA that signed the server's certificate, though in most cases
   that CA would also be trusted for client certificates.
  </para>
Perhaps this should be changed as well.

In config.sgml:
       <para>
        In previous releases of PostgreSQL, the name of this file was
        hard-coded as <filename>root.crt</filename>.
       </para>
[...]
       <para>
        In previous releases of PostgreSQL, the name of this file was
        hard-coded as <filename>root.crt</filename>.
       </para>
Why not mention the version of Postgres where the change has begun?
I find it confusing not to specify such a level of detail.
--
Michael

