Re: SSL patch

From: Bodor András <bodri(dot)mh3(at)gmail(dot)com>
To: Dave Cramer <pg(at)fastcrypt(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: SSL patch
Date: 2011-11-10 16:13:39
Message-ID: CAFpnbPXQ2nH3QuFbgTdzrhC88QmosR4Ut=Ys1pa7qZo2cPZEpA@mail.gmail.com
Lists: pgsql-jdbc

For the time being, you may create new certificates by issuing

openssl req -x509 -newkey rsa:2048 -nodes -days 36500 -keyout server.key -out server.crt

they will be good for 100 years. Or shall I send a new patch?

For the question of Magosányi Árpád, right now pkcs11 is not supported,
but it is not a complicated thing. We can return to it when this patch works.
Andras

On Thu, Nov 10, 2011 at 4:55 PM, Dave Cramer <pg(at)fastcrypt(dot)com> wrote:
> Andras,
>
> I noticed that the server.crt in the patch is only good for 1 month
> and expires in Sept of this year.
>
> Dave Cramer
>
> dave.cramer(at)credativ(dot)ca
> http://www.credativ.ca
>
>
>
>
> On Thu, Nov 10, 2011 at 10:45 AM, Bodor András <bodri(dot)mh3(at)gmail(dot)com> wrote:
>> Can you send me some error log, and your database setup?
>>
>> On Thu, Nov 10, 2011 at 4:19 PM, Dave Cramer <pg(at)fastcrypt(dot)com> wrote:
>>> Hi Bodor,
>>>
>>> Understood.
>>>
>>> So now all the tests are failing, some due to unknown ca, others to
>>> certificate expired?
>>>
>>> Dave Cramer
>>>
>>> dave.cramer(at)credativ(dot)ca
>>> http://www.credativ.ca
>>>
>>>
>>>
>>>
>>> On Thu, Nov 10, 2011 at 9:30 AM, Bodor András <bodri(dot)mh3(at)gmail(dot)com> wrote:
>>>> Dear Dave,
>>>>
>>>> The installation of sslinfo is only necessary for the unit tests, it is
>>>> not used at all in the driver itself. Obviously I wanted to test whether
>>>> we were actually using ssl, but it is not essential. It can be removed,
>>>> or an additional option can be introduced to ssltest.properties.
>>>> The relevant lines are in
>>>> org.postgresql.test.ssl.SslTest.driver(String connstr, Object[]
>>>> expected)
>>>>
>>>> There are a few things still to be done with this patch.
>>>> 1. the jdbc datasource interface was not modified at all,
>>>> so it is unaware of the new options,
>>>> 2. it should be decided, what is the expected behaviour of sslmode=allow
>>>> or prefer (they might be omitted completely),
>>>> 3. I have not tested certificate chains yet,
>>>> 4. when a client certificate is available, the v8 and v9 servers
>>>> behave differently (BUG #5468 is fixed in v9) so different unit tests are
>>>> needed to check this,
>>>> 5. there is a list of options somewhere in the code, this should
>>>> be updated as well,
>>>> 6. documentation.
>>>>
>>>>           Andras
>>>>
>>>> On Thu, Nov 10, 2011 at 2:56 PM, Dave Cramer <pg(at)fastcrypt(dot)com> wrote:
>>>>> Andras,
>>>>>
>>>>> I'm looking at your patch attached to this link
>>>>> http://archives.postgresql.org/pgsql-jdbc/2011-08/msg00067.php right
>>>>> now. Thanks by the way!
>>>>>
>>>>> The only thing I'd like to pose to the list is the necessity for
>>>>> sslinfo to be installed in any database. I can envision some
>>>>> production environments in which this may not be possible?
>>>>>
>>>>> Dave Cramer
>>>>>
>>>>> dave.cramer(at)credativ(dot)ca
>>>>> http://www.credativ.ca
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Sep 15, 2011 at 11:41 AM, Bodor Andras <bodri(dot)mh3(at)gmail(dot)com> wrote:
>>>>>>
>>>>>>  Yes, it is also included in the patch
>>>>>> (package org.postgresql.test.ssl). It
>>>>>> tries to connect to a series of databases
>>>>>> with different ssl properties. The connection
>>>>>> strings are given in the ssltest.properties
>>>>>> file in the root of the distribution. Just
>>>>>> comment out the connstrings, that you don't
>>>>>> want to run. Also read the certdir/README
>>>>>> file. (build.xml is modified to run this test.)
>>>>>>           Andras
>>>>>>
>>>>>>
>>>>>> Dave Cramer wrote:
>>>>>>>
>>>>>>> Hi Bodor,
>>>>>>>
>>>>>>> So do you have any test cases for this ?
>>>>>>>
>>>>>>> Dave Cramer
>>>>>>>
>>>>>>> dave.cramer(at)credativ(dot)ca
>>>>>>> http://www.credativ.ca
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2011/9/13 Bodor Andras<bodri(dot)mh3(at)gmail(dot)com>:
>>>>>>>>
>>>>>>>>  Hi!
>>>>>>>>
>>>>>>>>  Can you make any use of my SSL patch sent in on the 23rd of August?
>>>>>>>>           Andras
>>>>>>>>
>>>>>>>> --
>>>>>>>> Sent via pgsql-jdbc mailing list (pgsql-jdbc(at)postgresql(dot)org)
>>>>>>>> To make changes to your subscription:
>>>>>>>> http://www.postgresql.org/mailpref/pgsql-jdbc
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
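
The expired test certificate discussed in this thread can be caught before the SSL tests run. The following is an added example, not part of the original messages or the patch; the function names and the CN=localhost subject are assumptions, and the certificate is a constructed one written to a temporary directory.

```shell
#!/bin/sh
# Added example. make_test_cert, cert_valid_for and cert_not_after are
# hypothetical helper names; they are not part of the patch or the driver.

# Create a throwaway self-signed certificate and an unencrypted key.
# $1 = output directory, $2 = validity in days
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=localhost" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Succeed only if the certificate in $1 is still valid $2 days from now.
# openssl x509 -checkend exits non-zero when the certificate expires
# within the given number of seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the certificate's notAfter date.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Demo on a constructed one-month certificate, the lifetime that made
# the shipped server.crt fail with "certificate expired".
tmp=$(mktemp -d)
make_test_cert "$tmp" 30
echo "expires: $(cert_not_after "$tmp/server.crt")"
if cert_valid_for "$tmp/server.crt" 60; then
    echo "valid for at least 60 more days"
else
    echo "expires within 60 days: regenerate before running the SSL tests"
fi
rm -rf "$tmp"
```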
