Re: sslinfo extension - add notbefore and notafter timestamps

> On 12 Sep 2023, at 21:40, Jacob Champion <jchampion(at)timescale(dot)com> wrote:
>
> Hello,
>
> On 7/25/23 07:21, Daniel Gustafsson wrote:
>> The attached version passes ssl tests for me on 1.0.2 through OpenSSL Git HEAD.
>
> Tests pass for me too, including LibreSSL 3.8.

Thanks for testing!

>> + /* Calculate the diff from the epoch to the certificat timestamp */
>
> "certificate"

Fixed.

>> + <function>ssl_client_get_notbefore() returns text</function>
>> ...> + <function>ssl_client_get_notafter() returns text</function>
>
> I think this should say timestamptz rather than text? Ditto for the
> pg_stat_ssl documentation.
>
> Speaking of which: is the use of `timestamp` rather than `timestamptz`
> in pg_proc.dat intentional? Will that cause problems with comparisons?

It should be timestamptz, it was a tyop on my part. Fixed.

> I haven't been able to poke any holes in the ASN1_TIME_to_timestamp()
> implementations themselves. I went down a rabbit hole trying to find out
> whether leap seconds could cause problems for us when we switch to
> `struct tm` in the future, but it turns out OpenSSL rejects leap seconds
> in the Validity fields. That seems weird -- as far as I can tell, RFC
> 5280 defers to ASN.1 which defers to ISO 8601 which appears to allow
> leap seconds -- but I don't plan to worry about it anymore. (I do idly
> wonder whether some CA, somewhere, has ever had a really Unhappy New
> Year due to that.)

That's an interesting thought, maybe the CA's have adapted given the
marketshare of OpenSSL?

Thanks for reviewing, the attached v8 contains the fixes from this review along
with a fresh rebase and some attempts at making tests more stable in the face
of timezones by casting to date.

--
Daniel Gustafsson