Author
digoal
Date
2021-02-19
Tags
PostgreSQL, ssl, certificate revocation, directory, ssl_crl_dir, sslcrldir
Background
PostgreSQL now supports specifying a directory of SSL certificate revocation list (CRL) files instead of a single file. Related server parameter: ssl_crl_dir; related libpq connection option: sslcrldir.
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=f5465fade90827534fbd0b795d18dc62e56939e9
```
Allow specifying CRL directory
author Peter Eisentraut peter@eisentraut.org
Thu, 18 Feb 2021 06:59:10 +0000 (07:59 +0100)
committer Peter Eisentraut peter@eisentraut.org
Thu, 18 Feb 2021 06:59:10 +0000 (07:59 +0100)
commit f5465fade90827534fbd0b795d18dc62e56939e9
tree 71a2cc9b6804e78c2b2911f1c7426d096c9ca7af
parent 128dd901a5c87e11c6a8cbe227a806cdc3afd10d
Allow specifying CRL directory
Add another method to specify CRLs, hashed directory method, for both
server and client side. This offers a means for server or libpq to
load only CRLs that are required to verify a certificate. The CRL
directory is specifed by separate GUC variables or connection options
ssl_crl_dir and sslcrldir, alongside the existing ssl_crl_file and
sslcrl, so both methods can be used at the same time.
Author: Kyotaro Horiguchi horikyota.ntt@gmail.com
Discussion: https://www.postgresql.org/message-id/flat/20200731.173911.904649928639357911.horikyota.ntt@gmail.com
```
For general PostgreSQL SSL usage see:
《PostgreSQL sslutils extension - managing ssl key, crt and crl through a SQL interface》
《PostgreSQL ssl certificate configuration - preventing man-in-the-middle attackers - and how to set up password-less login with certificates (cert)》
On the database server side, configuring the CRL of revoked client certificates:
+ <varlistentry id="guc-ssl-crl-dir" xreflabel="ssl_crl_dir">
+ <term><varname>ssl_crl_dir</varname> (<type>string</type>)
+ <indexterm>
+ <primary><varname>ssl_crl_dir</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Specifies the name of the directory containing the SSL server
+ certificate revocation list (CRL). Relative paths are relative to the
+ data directory. This parameter can only be set in
+ the <filename>postgresql.conf</filename> file or on the server command
+ line. The default is empty, meaning no CRLs are used (unless
+ <xref linkend="guc-ssl-crl-file"/> is set).
+ </para>
+
+ <para>
+ The directory needs to be prepared with the OpenSSL command
+ <literal>openssl rehash</literal> or <literal>c_rehash</literal>. See
+ its documentation for details.
+ </para>
+
+ <para>
+ When using this setting, CRLs in the specified directory are loaded
+ on-demand at connection time. New CRLs can be added to the directory
+ and will be used immediately. This is unlike <xref
+ linkend="guc-ssl-crl-file"/>, which causes the CRL in the file to be
+ loaded at server start time or when the configuration is reloaded.
+ Both settings can be used together.
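Review bot: the last para of this hunk, "New CRLs can be added to the directory and will be used immediately", is only true when the new file is reachable under the hashed name that the preceding para describes; a CRL copied in under its own name is never probed. Suggest tying the two together, e.g. "New CRLs can be added to the directory (after running openssl rehash again) and will be used by new connections immediately." Separately, the hunk as shown ends after "Both settings can be used together." without the closing </para>, </listitem> and </varlistentry> that the <varlistentry id="guc-ssl-crl-dir"> at its top opened; please confirm the remainder of the hunk is present in the committed patch.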
On the client side, configuring the CRL of revoked database server certificates:
+ <varlistentry id="libpq-connect-sslcrldir" xreflabel="sslcrldir">
+ <term><literal>sslcrldir</literal></term>
+ <listitem>
+ <para>
+ This parameter specifies the directory name of the SSL certificate
+ revocation list (CRL). Certificates listed in the files in this
+ directory, if it exists, will be rejected while attempting to
+ authenticate the server's certificate.
+ </para>
+
+ <para>
+ The directory needs to be prepared with the OpenSSL command
+ <literal>openssl rehash</literal> or <literal>c_rehash</literal>. See
+ its documentation for details.
+ </para>
+
+ <para>
+ Both <literal>sslcrl</literal> and <literal>sslcrldir</literal> can be
+ specified together.
+ </para>
+ </listitem>
+ </varlistentry>
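Review bot: "if it exists" in the first para documents a silent skip: a mistyped or not-yet-rehashed sslcrldir path disables revocation checking without any error, which is the failure mode a client operator most needs to know about. Suggest stating it outright ("If the directory does not exist, or contains no file named by issuer hash, no CRL is loaded and no error is reported") and adding that the directory, like sslcrl, only has an effect when a root CA certificate is in use, since CRLs are consulted as part of verifying the server certificate chain.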
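Both hunks above say the directory "needs to be prepared with openssl rehash or c_rehash" but not what that produces or why it matters operationally. The script below is an added example (not part of the commit, PostgreSQL or OpenSSL) that mirrors what `openssl rehash` does for CRLs: each CRL gets a symlink named `<issuer-hash>.r<N>`, where the hash is the 8 hex digits printed by `openssl crl -hash -noout -in crl.pem` and N counts from 0 for CRLs whose issuer hashes collide. It then imitates OpenSSL's directory probe (`.r0`, `.r1`, ... until a name is missing) to show the practical consequence: a link removed by hand leaves a gap that hides every CRL behind it until the directory is rehashed. The offline demo uses three placeholder files with made-up hash values; real use calls the openssl binary, which is assumed to be on PATH.

```python
import json
import os
import re
import subprocess
import sys
import tempfile
from pathlib import Path

# Link names OpenSSL's hashed-directory lookup understands for CRLs: <8 hex digits>.r<N>
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.r(\d+)$")
CRL_SUFFIXES = (".pem", ".crl")


def openssl_crl_hash(crl_path):
    """Issuer-name hash of one CRL, as `openssl crl -hash -noout` prints it.
    Needs the openssl binary; this is the value rehash builds link names from."""
    out = subprocess.run(
        ["openssl", "crl", "-hash", "-noout", "-in", str(crl_path)],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.strip()


def rehash_crls(directory, hash_fn=openssl_crl_hash):
    """Recreate the <hash>.r<N> symlinks for every CRL file in `directory`.

    Mirrors what `openssl rehash` does for CRLs: stale hash links are removed
    first, then one link per CRL is created, N counting up from 0 for CRLs
    whose issuer hashes collide. Returns {link name: target file name}.
    """
    d = Path(directory)
    for p in list(d.iterdir()):
        if p.is_symlink() and HASH_LINK.match(p.name):
            p.unlink()
    counters = {}
    created = {}
    crls = sorted(p for p in d.iterdir()
                  if p.suffix in CRL_SUFFIXES and not p.is_symlink())
    for src in crls:
        h = hash_fn(src)
        n = counters.get(h, 0)
        counters[h] = n + 1
        link = d / f"{h}.r{n}"
        link.symlink_to(src.name)  # relative target, so the directory can be moved
        created[link.name] = src.name
    return created


def lookup_crls(directory, issuer_hash):
    """Imitate OpenSSL's by_dir probe: try .r0, .r1, ... and stop at the first
    missing name. Returns the target file names in probe order."""
    found = []
    n = 0
    while True:
        p = Path(directory) / f"{issuer_hash}.r{n}"
        if not p.exists():  # also False for a dangling symlink
            return found
        found.append(os.readlink(p) if p.is_symlink() else p.name)
        n += 1


# Constructed placeholder CRLs for the offline demo: two from the same issuer
# (same hash, so .r0 and .r1) and one from another. The hash strings are
# made-up values, not real OpenSSL output.
FAKE_HASHES = {
    "issuer-a-2020.pem": "9d6523ce",
    "issuer-a-2021.pem": "9d6523ce",
    "issuer-b.pem": "b1c3e4ff",
}


def demo():
    """Rehash a throwaway directory, look CRLs up, then show how a hand-deleted
    .r0 link hides the .r1 behind it until the directory is rehashed again."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in FAKE_HASHES:
            (d / name).write_text(f"placeholder CRL body for {name}\n")
        fake = lambda p: FAKE_HASHES[p.name]
        links = rehash_crls(d, hash_fn=fake)
        before = {h: lookup_crls(d, h) for h in sorted(set(FAKE_HASHES.values()))}
        (d / "9d6523ce.r0").unlink()           # a link removed by hand
        with_gap = lookup_crls(d, "9d6523ce")  # .r1 still exists but is never probed
        rehash_crls(d, hash_fn=fake)
        after = lookup_crls(d, "9d6523ce")
        return {"links": links, "before": before, "with_gap": with_gap, "after": after}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python rehash_demo.py /path/to/crl-dir  (hashes come from openssl)
        print(json.dumps(rehash_crls(sys.argv[1]), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

In production the directory is then referenced with `ssl_crl_dir = 'crl'` in postgresql.conf (relative to the data directory, per the hunk above) or with `sslcrldir=/path/to/crl` in the libpq connection string. The lesson of the gap test is the one to remember when operating this: every addition or removal of a CRL file must be followed by another `openssl rehash`, because the server and libpq never look at the CRL files themselves, only at the hashed link names, and a missing `.r0` silently hides `.r1` and everything after it.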