| From: | Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | Kyotaro HORIGUCHI <horiguchi(dot)kyotaro(at)lab(dot)ntt(dot)co(dot)jp>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Subject: | Re: SSL tests failing with "ee key too small" error on Debian SID |
| Date: | 2018-11-26 00:17:24 |
| Message-ID: | CAEepm=0=9BW5ZgEsk_5_fGarDtVGR8NguKg1VEyZo_J3aQv4Ng@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Oct 3, 2018 at 1:32 PM Michael Paquier <michael(at)paquier(dot)xyz> wrote:
> On Mon, Oct 01, 2018 at 09:18:01PM +0900, Kyotaro HORIGUCHI wrote:
> > The attached second patch just changes key size to 2048 bits and
> > "ee key too small" are eliminated in 001_ssltests_master, but
> > instead I got "ca md too weak" error. This is eliminated by using
> > sha256 instead of sha1 in cas.config. (third attached)
>
> I find your suggestion quite tempting at the end instead of having to
> tweak the global system's configuration. That should normally work with
> any configuration. This would require regenerating the certs in the
> tree. Any thoughts from others?
I don't really have opinion here, but I wanted to point out that
src/test/ldap/t/001_auth.pl creates new certs on the fly, which is a
bit inconsistent with the SSL test's approach of certs-in-the-tree.
Which is better?
--
Thomas Munro
http://www.enterprisedb.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2018-11-26 00:28:49 | Re: pgsql: Integrate recovery.conf into postgresql.conf |
| Previous Message | Michael Paquier | 2018-11-26 00:13:29 | Re: allow online change primary_conninfo |