Re: Convert encrypted SSL test keys to PKCS#8 format
Jacob Champion <jchampion@timescale.com>
From: Jacob Champion <jchampion@timescale.com>
To: Peter Eisentraut <peter@eisentraut.org>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2023-08-22T19:02:02Z
Lists: pgsql-hackers
On Tue, Aug 22, 2023 at 1:07 AM Peter Eisentraut <peter@eisentraut.org> wrote: > I have attached two patches, one to update the generation rules, and one > where I have converted the existing test files. (I didn't generate them > from scratch, so for example > src/test/modules/ssl_passphrase_callback/server.crt that corresponds to > one of the keys does not need to be updated.) Looks good from here. I don't have a FIPS setup right now, but the new files pass tests on OpenSSL 1.0.2u, 1.1.1v, 3.0.2-0ubuntu1.10, and LibreSSL 3.8. Tests continue to pass after a full clean and rebuild of the sslfiles. > It's also interesting that if you generate all private keys from scratch > using the existing rules on a new OpenSSL version (3+), they will be > generated in PKCS#8 format by default. In those OpenSSL versions, the > openssl-rsa command has a -traditional option to get the old format, but > of course old OpenSSL versions don't have that. As OpenSSL 3 gets more > widespread, we might need to rethink these rules anyway to make sure we > get consistent behavior. Yeah. Looks like OpenSSL 3 also adds new v3 extensions to the certificates... For now they look benign, but I assume someone's going to run into weirdness at some point. Thanks! --Jacob
Commits
-
Convert encrypted SSL test keys to PKCS#8 format
- 648c72956f98 17.0 landed