From fadac33bb8de1cb9005aed07cdd059ba1fa9c6f8 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Fri, 3 Dec 2021 14:15:50 +0100 Subject: [PATCH] Doc: Fix misleading wording of CRL parameters ssl_crl_file and ssl_crl_dir are both used for client certificate revocation, not server certificates. The description for the params could be easily misread to mean the opposite however, as evidenced by the bug report leading to this fix. Similarly, expand sslcrl and sslcrldir to explicitly mention server certificates. While there also mention sslcrldir where previously only sslcrl was discussed. Backpatch down to v10, with the CRL dir fixes down to 14 where they were introduced. Author: Kyotaro Horiguchi Reviewed-by: Peter Eisentraut Discussion: https://postgr.es/m/20211202.135441.590555657708629486.horikyota.ntt@gmail.com Discussion: https://postgr.es/m/CABWY_HCBUCjY1EJHrEGePGEaSZ5b29apgTohCyygtsqe_ySYng@mail.gmail.com Backpatch-through: 10 --- doc/src/sgml/config.sgml | 4 ++-- doc/src/sgml/libpq.sgml | 6 ++++-- doc/src/sgml/runtime.sgml | 3 ++- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index ab617c7b86..4ac617615c 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1248,7 +1248,7 @@ include_dir 'conf.d' - Specifies the name of the file containing the SSL server certificate + Specifies the name of the file containing the SSL client certificate revocation list (CRL). Relative paths are relative to the data directory. This parameter can only be set in the postgresql.conf @@ -1267,7 +1267,7 @@ include_dir 'conf.d' - Specifies the name of the directory containing the SSL server + Specifies the name of the directory containing the SSL client certificate revocation list (CRL). Relative paths are relative to the data directory. This parameter can only be set in the postgresql.conf file or on the server command 
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index c17d33a54f..14f35d37f6 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1742,7 +1742,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname sslcrl - This parameter specifies the file name of the SSL certificate + This parameter specifies the file name of the SSL server certificate revocation list (CRL). Certificates listed in this file, if it exists, will be rejected while attempting to authenticate the server's certificate. If neither @@ -1758,7 +1758,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname sslcrldir - This parameter specifies the directory name of the SSL certificate + This parameter specifies the directory name of the SSL server certificate revocation list (CRL). Certificates listed in the files in this directory, if it exists, will be rejected while attempting to authenticate the server's certificate. @@ -8374,6 +8374,8 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*) setting the connection parameters sslrootcert and sslcrl or the environment variables PGSSLROOTCERT and PGSSLCRL. + sslcrldir or the environment variable PGSSLCRLDIR + can also be used to specify a directory containing CRL files. diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 58150996b8..f77ed24204 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -2337,7 +2337,8 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 you wish to avoid storing them on clients (assuming the root and intermediate certificates were created with v3_ca extensions). Certificate Revocation List (CRL) entries are also - checked if the parameter is set. + checked if the parameter or + is set.
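Review bot: In the ssl_crl_file hunk (@@ -1248 in config.sgml), "the SSL client certificate revocation list (CRL)" can still be read as a CRL that the client supplies, which is the very misreading the commit sets out to remove; the libpq hunks avoid the ambiguity by stating what gets rejected. Suggest "the file containing the SSL certificate revocation list (CRL) used to reject revoked client certificates", so the sentence names the direction of the check instead of leaning on a single adjective.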
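Review bot: The ssl_crl_dir hunk (@@ -1267 in config.sgml) describes the directory as containing "the SSL client certificate revocation list (CRL)" in the singular, while the matching sslcrldir hunk in libpq.sgml speaks of "the files in this directory"; a directory form exists precisely to hold more than one CRL. Suggest "containing SSL certificate revocation list (CRL) files used to reject revoked client certificates", keeping both the plural and the direction of the check consistent across the two files.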
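Review bot: The sslcrl and sslcrldir hunks (@@ -1742 and @@ -1758 in libpq.sgml) now say "server certificate revocation list", but both keep "if it exists" ("Certificates listed in this file, if it exists, will be rejected"), which tells the reader that a mistyped or missing CRL path is silently ignored rather than reported. A client that believes revocation checking is in force when nothing is being checked is the failure mode these parameters exist to prevent, so the text should either say so plainly ("if the file does not exist, no revocation checking is performed") or, if that is not the actual behaviour, be corrected; as written the reader cannot tell which it is.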
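Review bot: The sentence added at @@ -8374 in libpq.sgml ("sslcrldir or the environment variable PGSSLCRLDIR can also be used to specify a directory containing CRL files") follows a sentence that lists sslrootcert and sslcrl with their environment variables; it would read more naturally folded into that list ("sslrootcert, sslcrl or sslcrldir, or the environment variables PGSSLROOTCERT, PGSSLCRL or PGSSLCRLDIR") so the three are presented as one set rather than the directory form appearing as an afterthought. Style only; the content matches the sslcrldir description earlier in the same file.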
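Review bot: In the runtime.sgml hunk (@@ -2337) the added text renders as "checked if the parameter or is set.", with no parameter names visible; in the SGML source these are presumably xref elements that this rendering dropped. Check that the first cross-reference points at ssl_crl_file and the newly added second one at ssl_crl_dir, with correct linkend values, and consider phrasing it as "if the ssl_crl_file or ssl_crl_dir parameter is set" so the sentence still reads correctly wherever cross-references are rendered as plain names.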