Re: Convert encrypted SSL test keys to PKCS#8 format

From: Jacob Champion <jchampion(at)timescale(dot)com>
To: Peter Eisentraut <peter(at)eisentraut(dot)org>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Convert encrypted SSL test keys to PKCS#8 format
Date: 2023-08-22 19:02:02
Message-ID: CAAWbhmh8GMZvhGy097cHiy584KUb9ee7Gs0x+gD8+w0hryJW+A@mail.gmail.com
Lists: pgsql-hackers

On Tue, Aug 22, 2023 at 1:07 AM Peter Eisentraut <peter(at)eisentraut(dot)org> wrote:
> I have attached two patches, one to update the generation rules, and one
> where I have converted the existing test files. (I didn't generate them
> from scratch, so for example
> src/test/modules/ssl_passphrase_callback/server.crt that corresponds to
> one of the keys does not need to be updated.)

Looks good from here. I don't have a FIPS setup right now, but the new
files pass tests on OpenSSL 1.0.2u, 1.1.1v, 3.0.2-0ubuntu1.10, and
LibreSSL 3.8. Tests continue to pass after a full clean and rebuild of
the sslfiles.

> It's also interesting that if you generate all private keys from scratch
> using the existing rules on a new OpenSSL version (3+), they will be
> generated in PKCS#8 format by default. In those OpenSSL versions, the
> openssl-rsa command has a -traditional option to get the old format, but
> of course old OpenSSL versions don't have that. As OpenSSL 3 gets more
> widespread, we might need to rethink these rules anyway to make sure we
> get consistent behavior.

Yeah. Looks like OpenSSL 3 also adds new v3 extensions to the
certificates... For now they look benign, but I assume someone's going
to run into weirdness at some point.

Thanks!
--Jacob
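The thread turns on which PEM container the generation rules emit: OpenSSL 3 writes PKCS#8 ("BEGIN PRIVATE KEY" / "BEGIN ENCRYPTED PRIVATE KEY") by default, while older releases wrote the traditional PKCS#1 form ("BEGIN RSA PRIVATE KEY", with "Proc-Type: 4,ENCRYPTED" headers when a passphrase is set). The following is an added example, not code from this thread or from the PostgreSQL tree: a small Python checker that classifies each key fixture by its PEM label and reports the encrypted keys still in the legacy container, which is the set the patches convert. The file names and PEM bodies are constructed stubs with placeholder contents, not real keys.

```python
"""Classify PEM private-key fixtures by container format and list the
encrypted ones still in the traditional (PKCS#1 + Proc-Type) form.

Added example, not PostgreSQL's own code.  SAMPLES below are constructed
stubs with placeholder bodies, not real keys."""
import re
from typing import Dict, List, Tuple

# PEM label -> container format, as OpenSSL writes them:
#   "RSA PRIVATE KEY" etc.   traditional; a "Proc-Type: 4,ENCRYPTED" header
#                            inside the block marks legacy encryption
#   "PRIVATE KEY"            PKCS#8, unencrypted
#   "ENCRYPTED PRIVATE KEY"  PKCS#8, encrypted (PBES1/PBES2)
LABELS = {
    "RSA PRIVATE KEY": "traditional",
    "EC PRIVATE KEY": "traditional",
    "DSA PRIVATE KEY": "traditional",
    "PRIVATE KEY": "pkcs8",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
}

# One PEM block; the backreference forces matching BEGIN/END labels.
_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) for every PEM block in text, ignoring other text."""
    return [(m.group(1), m.group(2)) for m in _BLOCK.finditer(text)]


def key_format(text: str) -> str:
    """Format of the first private key in text: 'traditional',
    'traditional-encrypted', 'pkcs8', 'pkcs8-encrypted', or 'none'."""
    for label, body in pem_blocks(text):
        fmt = LABELS.get(label)
        if fmt is None:
            continue  # certificate, CRL, DH params, ...: not a key
        if fmt == "traditional" and "Proc-Type: 4,ENCRYPTED" in body:
            return "traditional-encrypted"
        return fmt
    return "none"


def needs_conversion(files: Dict[str, str]) -> List[str]:
    """Names of fixtures holding an encrypted key in the legacy container."""
    return sorted(name for name, text in files.items()
                  if key_format(text) == "traditional-encrypted")


# Constructed fixtures (placeholder bodies, not real key material).
SAMPLES = {
    "server.key": ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                   "MIIplaceholder\n"
                   "-----END ENCRYPTED PRIVATE KEY-----\n"),
    "client.key": ("-----BEGIN PRIVATE KEY-----\n"
                   "MIIplaceholder\n"
                   "-----END PRIVATE KEY-----\n"),
    "legacy.key": ("-----BEGIN RSA PRIVATE KEY-----\n"
                   "Proc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
                   "\n"
                   "MIIplaceholder\n"
                   "-----END RSA PRIVATE KEY-----\n"),
    "server.crt": ("-----BEGIN CERTIFICATE-----\n"
                   "MIIplaceholder\n"
                   "-----END CERTIFICATE-----\n"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {key_format(text)}")
    print("still legacy-encrypted:", needs_conversion(SAMPLES))
```

Pointing this at the sslfiles directory after a clean rebuild tells you whether a given OpenSSL version produced the expected container. For the conversion itself, `openssl pkcs8 -topk8 -v2 aes-256-cbc -in old.key -out new.key` emits PKCS#8 with PBES2 on every release from 1.0.2 through 3.x, so it does not depend on the version-specific default that `openssl rsa` (and its 3.x-only `-traditional` flag) is subject to.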
