Re: [PATCH] test/ssl: rework the sslfiles Makefile target - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: [PATCH] test/ssl: rework the sslfiles Makefile target
Date
Msg-id 223071F9-618F-48AF-BE40-EFF76F5CE45F@yesql.se
Whole thread Raw
Responses Re: [PATCH] test/ssl: rework the sslfiles Makefile target
List pgsql-hackers
> On 4 Mar 2021, at 01:03, Jacob Champion <pchampion@vmware.com> wrote:

> Andrew pointed out elsewhere [1] that it's pretty difficult to add new
> certificates to the test/ssl suite without blowing away the current
> state and starting over. I needed new cases for the NSS backend work,
> and ran into the same pain, so here is my attempt to improve the
> situation.

Thanks for working on this, I second the pain cited.  I've just started to look
at this, so only a few comments thus far.

> The unused server-ss certificate has been removed entirely.

Nice catch, this seems to have been unused since the original import of the SSL
test suite.  To cut down scope of the patch (even if only a small bit) I
propose to apply this separately first, as per the attached.

> - Serial number collisions are less likely, thanks to Andrew's idea to
> use the current clock time as the initial serial number in a series.

+my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`;
+$serialno =~ s/^serial=//;
+$serialno = hex($serialno); # OpenSSL prints serial numbers in hexadecimal

Will that work on Windows?  We don't currently require the openssl binary to be
in PATH unless one wants to rebuild sslfiles (which it is quite likely to be
but there should at least be errorhandling covering when it's not).

> - I am making _heavy_ use of GNU Make-isms, which does not improve
> long-term maintainability.

GNU Make is already a requirement, I don't see this shifting the needle in any
direction.

--
Daniel Gustafsson        https://vmware.com/


Attachment

pgsql-hackers by date:

Previous
From: Tomas Vondra
Date:
Subject: Re: Showing applied extended statistics in explain
Next
From: Bryn Llewellyn
Date:
Subject: Re: Have I found an interval arithmetic bug?