Thread

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Update ssl test certificates and keys

  1. pgsql: Update ssl test certificates and keys

    Peter Eisentraut <peter_e@gmx.net> — 2018-11-27T14:21:39Z

    Update ssl test certificates and keys
    
    Debian testing and newer now require that RSA and DHE keys are at
    least 2048 bit long and no longer allow SHA-1 for signatures in
    certificates.  This is currently causing the ssl tests to fail there
    because the test certificates and keys have been created in violation
    of those conditions.
    
    Update the parameters to create the test files and create a new set of
    test files.
    
    Author: Kyotaro HORIGUCHI <horiguchi.kyotaro@lab.ntt.co.jp>
    Reported-by: Michael Paquier <michael@paquier.xyz>
    Discussion: https://www.postgresql.org/message-id/flat/20180917131340.GE31460%40paquier.xyz
    
    Branch
    ------
    master
    
    Details
    -------
    https://git.postgresql.org/pg/commitdiff/f17889b2214194d7bd33900509bf08959d5a7efa
    
    Modified Files
    --------------
    src/test/ssl/Makefile                          |  2 +-
    src/test/ssl/cas.config                        |  6 +-
    src/test/ssl/ssl/both-cas-1.crt                | 77 ++++++++++++++++----------
    src/test/ssl/ssl/both-cas-2.crt                | 77 ++++++++++++++++----------
    src/test/ssl/ssl/client+client_ca.crt          | 47 ++++++++++------
    src/test/ssl/ssl/client-revoked.crt            | 23 +++++---
    src/test/ssl/ssl/client-revoked.key            | 38 ++++++++-----
    src/test/ssl/ssl/client.crl                    | 16 +++---
    src/test/ssl/ssl/client.crt                    | 23 +++++---
    src/test/ssl/ssl/client.key                    | 38 ++++++++-----
    src/test/ssl/ssl/client_ca.crt                 | 24 +++++---
    src/test/ssl/ssl/client_ca.key                 | 38 ++++++++-----
    src/test/ssl/ssl/root+client.crl               | 31 ++++++-----
    src/test/ssl/ssl/root+client_ca.crt            | 53 +++++++++++-------
    src/test/ssl/ssl/root+server.crl               | 31 ++++++-----
    src/test/ssl/ssl/root+server_ca.crt            | 53 +++++++++++-------
    src/test/ssl/ssl/root.crl                      | 15 +++--
    src/test/ssl/ssl/root_ca.crt                   | 29 ++++++----
    src/test/ssl/ssl/root_ca.key                   | 38 ++++++++-----
    src/test/ssl/ssl/server-cn-and-alt-names.crt   | 27 +++++----
    src/test/ssl/ssl/server-cn-and-alt-names.key   | 38 ++++++++-----
    src/test/ssl/ssl/server-cn-only.crt            | 27 +++++----
    src/test/ssl/ssl/server-cn-only.key            | 38 ++++++++-----
    src/test/ssl/ssl/server-multiple-alt-names.crt | 29 ++++++----
    src/test/ssl/ssl/server-multiple-alt-names.key | 38 ++++++++-----
    src/test/ssl/ssl/server-no-names.crt           | 26 +++++----
    src/test/ssl/ssl/server-no-names.key           | 38 ++++++++-----
    src/test/ssl/ssl/server-password.key           | 40 ++++++++-----
    src/test/ssl/ssl/server-revoked.crt            | 27 +++++----
    src/test/ssl/ssl/server-revoked.key            | 38 ++++++++-----
    src/test/ssl/ssl/server-single-alt-name.crt    | 26 +++++----
    src/test/ssl/ssl/server-single-alt-name.key    | 38 ++++++++-----
    src/test/ssl/ssl/server-ss.crt                 | 28 ++++++----
    src/test/ssl/ssl/server-ss.key                 | 38 ++++++++-----
    src/test/ssl/ssl/server.crl                    | 16 +++---
    src/test/ssl/ssl/server_ca.crt                 | 24 +++++---
    src/test/ssl/ssl/server_ca.key                 | 38 ++++++++-----
    37 files changed, 769 insertions(+), 464 deletions(-)
    
    
  2. Re: pgsql: Update ssl test certificates and keys

    Michael Paquier <michael@paquier.xyz> — 2018-12-23T08:04:53Z

    On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
    > Update ssl test certificates and keys
    > 
    > Debian testing and newer now require that RSA and DHE keys are at
    > least 2048 bit long and no longer allow SHA-1 for signatures in
    > certificates.  This is currently causing the ssl tests to fail there
    > because the test certificates and keys have been created in violation
    > of those conditions.
    > 
    > Update the parameters to create the test files and create a new set of
    > test files.
    
    Peter, would it make sense to back-patch this commit down to where the
    SSL tests have been introduced?  If /etc/ssl/ is not correctly
    configured, this results in failures across branches on Debian if the
    default is used.
    --
    Michael
    
  3. Re: pgsql: Update ssl test certificates and keys

    Peter Eisentraut <peter.eisentraut@2ndquadrant.com> — 2019-01-03T14:36:36Z

    On 23/12/2018 09:04, Michael Paquier wrote:
    > On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
    >> Update ssl test certificates and keys
    >>
    >> Debian testing and newer now require that RSA and DHE keys are at
    >> least 2048 bit long and no longer allow SHA-1 for signatures in
    >> certificates.  This is currently causing the ssl tests to fail there
    >> because the test certificates and keys have been created in violation
    >> of those conditions.
    >>
    >> Update the parameters to create the test files and create a new set of
    >> test files.
    > 
    > Peter, would it make sense to back-patch this commit down to where the
    > SSL tests have been introduced?  If /etc/ssl/ is not correctly
    > configured, this results in failures across branches on Debian if the
    > default is used.
    
    done
    
    -- 
    Peter Eisentraut              http://www.2ndQuadrant.com/
    PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
    
    
    
  4. Re: pgsql: Update ssl test certificates and keys

    Thomas Munro <thomas.munro@enterprisedb.com> — 2019-01-03T21:08:25Z

    On Fri, Jan 4, 2019 at 3:36 AM Peter Eisentraut
    <peter.eisentraut@2ndquadrant.com> wrote:
    > On 23/12/2018 09:04, Michael Paquier wrote:
    > > On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
    > >> Update ssl test certificates and keys
    > >>
    > >> Debian testing and newer now require that RSA and DHE keys are at
    > >> least 2048 bit long and no longer allow SHA-1 for signatures in
    > >> certificates.  This is currently causing the ssl tests to fail there
    > >> because the test certificates and keys have been created in violation
    > >> of those conditions.
    > >>
    > >> Update the parameters to create the test files and create a new set of
    > >> test files.
    > >
    > > Peter, would it make sense to back-patch this commit down to where the
    > > SSL tests have been introduced?  If /etc/ssl/ is not correctly
    > > configured, this results in failures across branches on Debian if the
    > > default is used.
    >
    > done
    
    Thanks.  FWIW I've just updated eelpout (a Debian testing BF animal
    that runs all the extra tests including SSL) to use libssl-dev
    (instead of libssl1.0-dev), and cleared its accache files.  Let's see
    if that works...
    
    -- 
    Thomas Munro
    http://www.enterprisedb.com
    
    
    
  5. Re: pgsql: Update ssl test certificates and keys

    Michael Paquier <michael@paquier.xyz> — 2019-01-04T09:11:38Z

    On Thu, Jan 03, 2019 at 03:36:36PM +0100, Peter Eisentraut wrote:
    > done
    
    Thanks, Peter.
    --
    Michael
    
  6. Re: pgsql: Update ssl test certificates and keys

    Thomas Munro <thomas.munro@enterprisedb.com> — 2019-01-15T21:37:35Z

    On Fri, Jan 4, 2019 at 10:08 AM Thomas Munro
    <thomas.munro@enterprisedb.com> wrote:
    > On Fri, Jan 4, 2019 at 3:36 AM Peter Eisentraut
    > <peter.eisentraut@2ndquadrant.com> wrote:
    > > On 23/12/2018 09:04, Michael Paquier wrote:
    > > > On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
    > > >> Update ssl test certificates and keys
    > > >>
    > > >> Debian testing and newer now require that RSA and DHE keys are at
    > > >> least 2048 bit long and no longer allow SHA-1 for signatures in
    > > >> certificates.  This is currently causing the ssl tests to fail there
    > > >> because the test certificates and keys have been created in violation
    > > >> of those conditions.
    > > >>
    > > >> Update the parameters to create the test files and create a new set of
    > > >> test files.
    > > >
    > > > Peter, would it make sense to back-patch this commit down to where the
    > > > SSL tests have been introduced?  If /etc/ssl/ is not correctly
    > > > configured, this results in failures across branches on Debian if the
    > > > default is used.
    > >
    > > done
    >
    > Thanks.  FWIW I've just updated eelpout (a Debian testing BF animal
    > that runs all the extra tests including SSL) to use libssl-dev
    > (instead of libssl1.0-dev), and cleared its accache files.  Let's see
    > if that works...
    
    Since that upgrade (to libssl 1.1.1a-1), there are have been a few
    intermittent failures in the SSL tests on that animal (thanks Tom for
    pointing that out off-list).  In a quick check, I was able to
    reproduce the failure after about 8 successful runs of "make check"
    under src/test/ssl on that machine.  I couldn't immediately see what
    the problem was and I'm away from computers and work this week, so
    I'll have to investigate properly early next week.  The main unusual
    thing about that animal is that it's an ARM CPU.  FWIW I run that test
    by having this in build-farm.conf (I mention this in case someone
    wants to do the same on a Debian buster/testing x86 system to see if
    it has a similar problem, if there isn't one like that already):
    
    $ENV{PG_TEST_EXTRA} = "ssl ldap kerberos";
    
    -- 
    Thomas Munro
    http://www.enterprisedb.com