Re: [PATCH] test/ssl: rework the sslfiles Makefile target - Mailing list pgsql-hackers

From Daniel Gustafsson
Subject Re: [PATCH] test/ssl: rework the sslfiles Makefile target
Date
Msg-id ED876A09-E6F9-46D2-92B8-8C5F53A28C43@yesql.se
In response to Re: [PATCH] test/ssl: rework the sslfiles Makefile target  (Jacob Champion <pchampion@vmware.com>)
Responses Re: [PATCH] test/ssl: rework the sslfiles Makefile target  (Michael Paquier <michael@paquier.xyz>)
List pgsql-hackers
> On 15 Sep 2021, at 00:14, Jacob Champion <pchampion@vmware.com> wrote:
> On Mon, 2021-09-13 at 15:04 +0200, Daniel Gustafsson wrote:

>> -# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
>> -# to test libpq's support for the sslpassword= option.
>> -ssl/client-encrypted-pem.key: outform := PEM
>> -ssl/client-encrypted-der.key: outform := DER
>> +# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
>> +# formats to test libpq's support for the sslpassword= option.
>> ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
>> -       openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
>> +       openssl rsa -in $< -outform PEM -aes256 -passout 'pass:dUmmyP^#+' -out $@
>> +ssl/client-encrypted-der.key: ssl/client.key
>> +       openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
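Review bot: the first rule still lists ssl/client-encrypted-der.key as a target next to the PEM key, so the DER key ends up with two recipes (the shared one, which writes PEM via `-outform PEM`, and the dedicated rule added below it); GNU make warns that the recipe is overridden and only the later rule is used. Drop ssl/client-encrypted-der.key from the first rule's target list so each output has exactly one recipe. Separately, the DER recipe passes `-passout` without any cipher option, and `openssl rsa` only encrypts its output when a cipher such as `-aes128`/`-aes256` is given, so as written the password is unused and the file is written unencrypted; either keep a cipher on that line or update the comment, which still describes both outputs as encrypted.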
>
> 1. Should the DER key be AES256 as well?

It should, but then it fails to load in postgres; my email wasn't clear about
this, sorry.  The diff to revert from aes256 (and aes128 for that matter) is to
make the key load at all.

> 2. The ssl/client-encrypted-der.key target for the first recipe should
> be removed; I get a duplication warning from Make.

Interesting, I didn't see that, will check.

> 3. The new client key will need to be included in the patch; the one
> there now is still the AES128 version.

Good point, that's a reason to keep it aes128 until the encrypted DER key in
3.0.0 issue has been fixed.

> And one doc comment:
>
>> ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
>> -recreate them if you need to make changes.
>> +recreate them if you need to make changes. "make sslfiles-clean" is required
>> +in order to recreate.
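Review bot: the added sentence makes "make sslfiles-clean" sound mandatory for any change, but it is only needed to regenerate the whole set; a single pair is rebuilt by "make sslfiles" alone once its input is newer than its outputs. Suggest splitting the two cases, e.g.: "To regenerate a single pair, touch its config file (or remove its key) and run "make sslfiles" again; to recreate everything, run "make sslfiles-clean" followed by "make sslfiles"."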
>
> This is only true if you need to rebuild the entire tree; if you just
> want to recreate a single cert pair, you can just touch the config file
> for it (or remove the key, if you want to regenerate the pair) and
> `make sslfiles` again.

Correct.  In my head, "rebuild" is when dealing with individually changed files
and "recreate" means rebuild everything regardless.  That's just in my head
though, so clearly the wording should be expanded.  Will do.

--
Daniel Gustafsson        https://vmware.com/
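The shape the two points above converge on, as an added illustration rather than the patch's own Makefile: one rule per encrypted key so neither target has two recipes, the cipher for each output kept in a variable (which cipher the DER key can carry is the open OpenSSL 3.0.0 question from the thread), and a `sslfiles-clean` target for the full-regeneration case next to per-file dependencies for the single-pair case. The `conf/%.config` path, the `openssl req` invocation for the pair and the variable names are assumptions made for this example.

```make
# Example sslfiles rules (not the patch's Makefile). Ciphers are variables
# so the DER choice can follow the OpenSSL 3.0.0 discussion in the thread.
PEM_CIPHER := -aes256
DER_CIPHER := -aes128        # assumption: keep aes128 until the 3.0.0 DER issue is fixed
KEY_PASS   := 'pass:dUmmyP^#+'

# A cert pair depends on its config file: touching conf/client.config (or
# deleting ssl/client.key) is enough for "make sslfiles" to rebuild only it.
# The conf/ layout and this openssl req form are assumptions for the example.
ssl/%.key ssl/%.crt: conf/%.config
	openssl req -new -x509 -days 10000 -nodes -config $< -keyout ssl/$*.key -out ssl/$*.crt

# One rule per encrypted output, so neither target has a second, overriding recipe.
ssl/client-encrypted-pem.key: ssl/client.key
	openssl rsa -in $< -outform PEM $(PEM_CIPHER) -passout $(KEY_PASS) -out $@

ssl/client-encrypted-der.key: ssl/client.key
	openssl rsa -in $< -outform DER $(DER_CIPHER) -passout $(KEY_PASS) -out $@

# "make sslfiles" rebuilds whatever is out of date; "make sslfiles-clean"
# followed by "make sslfiles" recreates everything regardless.
sslfiles: ssl/client.crt ssl/client-encrypted-pem.key ssl/client-encrypted-der.key

sslfiles-clean:
	rm -f ssl/client.key ssl/client.crt ssl/client-encrypted-pem.key ssl/client-encrypted-der.key

.PHONY: sslfiles sslfiles-clean
```

Because each output has exactly one recipe, GNU make no longer reports an overridden recipe, and the PEM/DER files cannot silently end up in the wrong format depending on rule order.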