Is ssl_crl_file "SSL server cert revocation list"?

Started by Kyotaro Horiguchi, about 4 years ago, 6 messages
#1 Kyotaro Horiguchi
horikyota.ntt@gmail.com
1 attachment(s)

As discussed in the thread [1], I find the wording "SSL server
certificate revocation list" as misleading or plain wrong.

I used to read it as "SSL server certificate (of PostgreSQL client)
revocation list" but I find it misleading-ish from fresh eyes. So I'd
like to propose a change of the doc as attached.

What do you think about this?

[1]: /messages/by-id/20211202.134619.1052008069537649171.horikyota.ntt@gmail.com

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center

Attachments:

fix_crl_doc.patch (text/x-patch; charset=us-ascii)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index ab617c7b86..4ac617615c 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1248,7 +1248,7 @@ include_dir 'conf.d'
       </term>
       <listitem>
        <para>
-        Specifies the name of the file containing the SSL server certificate
+        Specifies the name of the file containing the SSL client certificate
         revocation list (CRL).
         Relative paths are relative to the data directory.
         This parameter can only be set in the <filename>postgresql.conf</filename>
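Review bot: the new phrase "SSL client certificate revocation list" still allows the reading that started this thread, namely "the client's revocation list" rather than "the list used to check client certificates"; consider wording it around what is checked, e.g. "the file containing the certificate revocation list (CRL) used to check client certificates", so the qualifier cannot be attached to the wrong noun.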
@@ -1267,7 +1267,7 @@ include_dir 'conf.d'
       </term>
       <listitem>
        <para>
-        Specifies the name of the directory containing the SSL server
+        Specifies the name of the directory containing the SSL client
         certificate revocation list (CRL).  Relative paths are relative to the
         data directory.  This parameter can only be set in
         the <filename>postgresql.conf</filename> file or on the server command
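Review bot: neither server-side description says what happens to a certificate that appears in the CRL, whereas the libpq sslcrl/sslcrldir text further down in this same patch does ("Certificates listed in this file, if it exists, will be rejected while attempting to authenticate the server's certificate"); adding the mirror sentence here, "... will be rejected while attempting to authenticate the client's certificate", to both ssl_crl_file and ssl_crl_dir would remove the ambiguity more reliably than the single-word change, and keeping the two server-side paragraphs phrased identically makes it obvious they are a pair.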
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index c17d33a54f..eb3a0c6b55 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1742,11 +1742,10 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <term><literal>sslcrl</literal></term>
       <listitem>
        <para>
-        This parameter specifies the file name of the SSL certificate
+        This parameter specifies the file name of the SSL server certificate
         revocation list (CRL).  Certificates listed in this file, if it
-        exists, will be rejected while attempting to authenticate the
-        server's certificate.  If neither
-        <xref linkend='libpq-connect-sslcrl'/> nor
+        exists, will be rejected while attempting to authenticate the server's
+        certificate.  If neither <xref linkend='libpq-connect-sslcrl'/> nor
         <xref linkend='libpq-connect-sslcrldir'/> is set, this setting is
         taken as
         <filename>~/.postgresql/root.crl</filename>.
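Review bot: the reflow of "exists, will be rejected while attempting to authenticate the server's certificate. If neither ... nor" is a whitespace-only change riding along with the one-word fix; since this is meant to be backpatched, keep the hunk to the single changed line so the diff is reviewable and applies cleanly on older branches where the surrounding wrapping may differ.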
@@ -1758,9 +1757,9 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <term><literal>sslcrldir</literal></term>
       <listitem>
        <para>
-        This parameter specifies the directory name of the SSL certificate
-        revocation list (CRL).  Certificates listed in the files in this
-        directory, if it exists, will be rejected while attempting to
+        This parameter specifies the directory name of the SSL server
+        certificate revocation list (CRL).  Certificates listed in the files
+        in this directory, if it exists, will be rejected while attempting to
         authenticate the server's certificate.
        </para>
 
#2 Kyotaro Horiguchi
horikyota.ntt@gmail.com
In reply to: Kyotaro Horiguchi (#1)
Re: Is ssl_crl_file "SSL server cert revocation list"?

At Thu, 02 Dec 2021 13:54:41 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in

As discussed in the thread [1], I find the wording "SSL server
certificate revocation list" as misleading or plain wrong.

FWIW, I'm convinced that that's plain wrong after finding some
occurrences of "(SSL) client certificate" in the doc.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center
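The distinction settled in this thread, as an added example that is not part of the original mail or of PostgreSQL's own code: a Go program that builds a throwaway PKI (one CA, a server certificate, a client certificate), has the CA publish one CRL, and applies that single CRL in both directions. verifyPeerCert(client, ...) stands in for what the server does with ssl_crl_file/ssl_crl_dir, and verifyPeerCert(server, ...) for what libpq does with sslcrl/sslcrldir. Every name, serial number and function here is made up; Go's x509.Verify performs no revocation checking, so the serial lookup is written by hand, whereas PostgreSQL leaves all of this to OpenSSL.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const serverSerial, clientSerial = 2, 3 // made-up serials of the two leaf certificates

// check panics on error: the throwaway PKI here is a test fixture, not production code.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustCert issues a self-signed CA (parent == nil) or a leaf signed by parent. Names are made up.
func mustCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA { // a CA that will also sign CRLs needs keyCertSign and cRLSign
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // self-signed
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// mustCRL has the CA sign a CRL that lists the given serials as revoked.
func mustCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Hour),
		NextUpdate: time.Now().Add(24 * time.Hour),
	}
	for _, s := range revoked { // RevokedCertificates is the pre-Go-1.21 field and still works
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	check(err)
	crl, err := x509.ParseRevocationList(der)
	check(err)
	return crl
}

// verifyPeerCert is what a CRL-aware endpoint does with the certificate the OTHER
// side presented: chain it to the trusted CA, then refuse it if its serial is on a
// current CRL signed by that CA. Go's x509.Verify ignores CRLs, so this is by hand.
func verifyPeerCert(peer, ca *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("chain verification: %w", err)
	}
	// A CRL the trusted CA did not sign, or one past its nextUpdate, must fail closed.
	if err := crl.CheckSignatureFrom(ca); err != nil || time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL unusable (signature error %v, nextUpdate %v)", err, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("%q (serial %v) is revoked", peer.Subject.CommonName, peer.SerialNumber)
		}
	}
	return nil
}

// runScenario builds a CA plus server and client certs, revokes the given serials in one
// CRL, and applies it both ways: server->CLIENT cert (ssl_crl_file), libpq->SERVER cert (sslcrl).
func runScenario(revoked ...*big.Int) (serverRejectsClient, clientRejectsServer error) {
	ca, caKey := mustCert("Example Root CA", 1, true, nil, nil)
	server, _ := mustCert("db.example.internal", serverSerial, false, ca, caKey)
	client, _ := mustCert("app_user", clientSerial, false, ca, caKey)
	crl := mustCRL(ca, caKey, revoked...)
	return verifyPeerCert(client, ca, crl), verifyPeerCert(server, ca, crl)
}

func main() {
	srv, cli := runScenario(big.NewInt(clientSerial))
	fmt.Printf("client cert revoked: server-side check=%v, libpq-side check=%v\n", srv, cli)
}
```

The point of the patch falls out of the two return values: revoking the client certificate makes the server-side check fail while libpq's check of the server certificate still passes, and revoking the server certificate does the reverse, even though it is the same CRL in both cases. The CRL belongs to the CA, not to either endpoint; the "server" or "client" qualifier in the documentation only says whose certificate it is compared against. The guard before the serial loop is the caveat worth keeping in mind when wiring this up for real: a CRL whose signature does not verify against the trusted CA, or whose nextUpdate has passed, must make the connection fail rather than quietly report "not revoked".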

#3 Daniel Gustafsson
daniel@yesql.se
In reply to: Kyotaro Horiguchi (#2)
1 attachment(s)
Re: Is ssl_crl_file "SSL server cert revocation list"?

On 2 Dec 2021, at 06:07, Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote:

At Thu, 02 Dec 2021 13:54:41 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in

As discussed in the thread [1], I find the wording "SSL server
certificate revocation list" as misleading or plain wrong.

FWIW, I'm convinced that that's plain wrong after finding some
occurrences of "(SSL) client certificate" in the doc.

I agree with this, the concepts have been a bit muddled.

While in there I noticed that we omitted mentioning sslcrldir in a few cases.
The attached v2 adds these and removes the whitespace changes from your patch
for easier review.

--
Daniel Gustafsson https://vmware.com/

Attachments:

fix_crl_doc-v2.diff (application/octet-stream; name=fix_crl_doc-v2.diff; x-unix-mode=0644)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index ab617c7b86..4ac617615c 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1248,7 +1248,7 @@ include_dir 'conf.d'
       </term>
       <listitem>
        <para>
-        Specifies the name of the file containing the SSL server certificate
+        Specifies the name of the file containing the SSL client certificate
         revocation list (CRL).
         Relative paths are relative to the data directory.
         This parameter can only be set in the <filename>postgresql.conf</filename>
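Review bot: the parameter name ssl_crl_file itself still gives no hint which side's certificates it applies to, and the libpq sslcrl description edited later in this patch is the natural counterpart; a cross-reference in each direction (server parameter to libpq-connect-sslcrl and back) would stop the same confusion from recurring, since a reader comparing the two today has to notice the subtle "client" versus "server" wording on their own.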
@@ -1267,7 +1267,7 @@ include_dir 'conf.d'
       </term>
       <listitem>
        <para>
-        Specifies the name of the directory containing the SSL server
+        Specifies the name of the directory containing the SSL client
         certificate revocation list (CRL).  Relative paths are relative to the
         data directory.  This parameter can only be set in
         the <filename>postgresql.conf</filename> file or on the server command
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index c17d33a54f..14f35d37f6 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1742,7 +1742,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <term><literal>sslcrl</literal></term>
       <listitem>
        <para>
-        This parameter specifies the file name of the SSL certificate
+        This parameter specifies the file name of the SSL server certificate
         revocation list (CRL).  Certificates listed in this file, if it
         exists, will be rejected while attempting to authenticate the
         server's certificate.  If neither
@@ -1758,7 +1758,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <term><literal>sslcrldir</literal></term>
       <listitem>
        <para>
-        This parameter specifies the directory name of the SSL certificate
+        This parameter specifies the directory name of the SSL server certificate
         revocation list (CRL).  Certificates listed in the files in this
         directory, if it exists, will be rejected while attempting to
         authenticate the server's certificate.
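Review bot: the changed line "This parameter specifies the directory name of the SSL server certificate" now runs well past the width the rest of the paragraph is wrapped to, because the v1 reflow was dropped; that is the right call for backpatching, but if this paragraph is touched again it is worth re-wrapping it, and on master a follow-up whitespace-only commit would keep the SGML tidy.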
@@ -8374,6 +8374,8 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
    setting
    the connection parameters <literal>sslrootcert</literal> and <literal>sslcrl</literal>
    or the environment variables <envar>PGSSLROOTCERT</envar> and <envar>PGSSLCRL</envar>.
+   <literal>sslcrldir</literal> or the environment variable <envar>PGSSLCRLDIR</envar>
+   can also be used to specify a directory containing CRL files.
   </para>
 
   <note>
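Review bot: the added sentence refers to sslcrldir with a bare literal, whereas the sslcrl paragraph earlier in this file uses the link form <xref linkend='libpq-connect-sslcrldir'/>; use the xref here too so the reader lands on the parameter description, and consider folding the directory option into the existing sentence ("... sslcrl or sslcrldir, or the environment variables PGSSLROOTCERT, PGSSLCRL and PGSSLCRLDIR") rather than appending a second sentence that starts with a lowercase literal.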
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 58150996b8..f77ed24204 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2337,7 +2337,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
    you wish to avoid storing them on clients (assuming the root and
    intermediate certificates were created with <literal>v3_ca</literal>
    extensions).  Certificate Revocation List (CRL) entries are also
-   checked if the parameter <xref linkend="guc-ssl-crl-file"/> is set.
+   checked if the parameter <xref linkend="guc-ssl-crl-file"/> or
+   <xref linkend="guc-ssl-crl-dir"/> is set.
   </para>
 
   <para>
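Review bot: "checked if the parameter ... or ... is set" pairs a singular "parameter" with two parameters; "if either of the parameters <xref linkend="guc-ssl-crl-file"/> or <xref linkend="guc-ssl-crl-dir"/> is set" reads correctly and also makes explicit that the two are alternatives rather than a pair that must both be configured.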
#4 Peter Eisentraut
peter.eisentraut@enterprisedb.com
In reply to: Daniel Gustafsson (#3)
Re: Is ssl_crl_file "SSL server cert revocation list"?

On 02.12.21 10:42, Daniel Gustafsson wrote:

On 2 Dec 2021, at 06:07, Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote:

At Thu, 02 Dec 2021 13:54:41 +0900 (JST), Kyotaro Horiguchi <horikyota.ntt@gmail.com> wrote in

As discussed in the thread [1], I find the wording "SSL server
certificate revocation list" as misleading or plain wrong.

FWIW, I'm convinced that that's plain wrong after finding some
occurrences of "(SSL) client certificate" in the doc.

I agree with this, the concepts have been a bit muddled.

While in there I noticed that we omitted mentioning sslcrldir in a few cases.
The attached v2 adds these and removes the whitespace changes from your patch
for easier review.

This change looks correct to me.

#5 Daniel Gustafsson
daniel@yesql.se
In reply to: Peter Eisentraut (#4)
Re: Is ssl_crl_file "SSL server cert revocation list"?

On 2 Dec 2021, at 16:04, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:

This change looks correct to me.

Thanks for review, I've pushed this backpatched (in part) down to 10.

--
Daniel Gustafsson https://vmware.com/

#6 Kyotaro Horiguchi
horikyota.ntt@gmail.com
In reply to: Daniel Gustafsson (#5)
Re: Is ssl_crl_file "SSL server cert revocation list"?

At Fri, 3 Dec 2021 14:32:54 +0100, Daniel Gustafsson <daniel@yesql.se> wrote in

On 2 Dec 2021, at 16:04, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:

This change looks correct to me.

Thanks for review, I've pushed this backpatched (in part) down to 10.

Thanks for revising and committing this.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center