On Mon, Nov 26, 2018 at 6:56 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Thomas Munro <thomas.munro@enterprisedb.com> writes:
> > Fix pushed.
> > By way of penance, I have now configured PG_TEST_EXTRA="ssl ldap
> > kerberos" for my build farm animals elver and eelpout. elver should
> > pass at the next build, as I just tested it with --nosend, but eelpout
> > is so slow I'll just take my chances and see if that works.
>
> Nope :-(. Looks like something about key length ... probably just
> misconfiguration?

It seems that we have keys in our tree that are unacceptable to
OpenSSL 1.1.1 as shipped in Debian buster:

    2018-11-25 20:32:22.519 UTC [26882] FATAL: could not load server certificate file "server-cn-only.crt": ee key too small

That's what you get if you use the libssl-dev package (1.1.1a-1), but
you can still install libssl1.0-dev (which uninstalls 1.1's dev
package). I've done that and the ssl test passes on that machine,
so fingers crossed for the next build farm run.

I see now that Michael already wrote about this recently[1], but that
thread hasn't yet reached a conclusion.

[1] https://www.postgresql.org/message-id/flat/20180917131340.GE31460%40paquier.xyz

--
Thomas Munro
http://www.enterprisedb.com
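
To find which certificates in a test tree would trigger the "ee key too small" error quoted above, here is an added example; it is not part of the original message or of the PostgreSQL tree. It assumes the `openssl` CLI is installed and uses a 2048-bit RSA minimum, the limit at OpenSSL security level 2, which Debian buster's OpenSSL configuration sets by default; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report certificates whose RSA key is below a minimum size.
# The 2048-bit default is an assumption (OpenSSL security level 2).

# Print the RSA key size in bits of a PEM certificate.
# Prints nothing for non-RSA keys (EC sizes are not comparable to RSA sizes).
rsa_key_bits() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || return 0
    # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)", 3.x "Public-Key: (N bit)".
    echo "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print "<bits> <file>" for each *.crt in a directory whose RSA key is
# smaller than min_bits. Returns 1 if any such certificate was found.
find_small_keys() {
    dir=$1
    min_bits=${2:-2048}
    found=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        bits=$(rsa_key_bits "$crt") || continue   # unreadable: skip
        [ -n "$bits" ] || continue                # not an RSA key: skip
        if [ "$bits" -lt "$min_bits" ]; then
            echo "$bits $crt"
            found=1
        fi
    done
    return "$found"
}

# Usage: pass the directory holding the test certificates as the first
# argument, e.g. sh check_keys.sh path/to/certs
if [ -n "${1:-}" ]; then
    find_small_keys "$1" "${2:-2048}"
fi
```

A non-zero exit status means at least one certificate would be rejected at the assumed minimum and needs to be regenerated with a larger key.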