> On 15 Sep 2021, at 00:14, Jacob Champion <pchampion@vmware.com> wrote:
> On Mon, 2021-09-13 at 15:04 +0200, Daniel Gustafsson wrote:
>> -# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
>> -# to test libpq's support for the sslpassword= option.
>> -ssl/client-encrypted-pem.key: outform := PEM
>> -ssl/client-encrypted-der.key: outform := DER
>> +# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
>> +# formats to test libpq's support for the sslpassword= option.
>> ssl/client-encrypted-pem.key ssl/client-encrypted-der.key: ssl/client.key
>> - openssl rsa -in $< -outform $(outform) -aes128 -passout 'pass:dUmmyP^#+' -out $@
>> + openssl rsa -in $< -outform PEM -aes256 -passout 'pass:dUmmyP^#+' -out $@
>> +ssl/client-encrypted-der.key: ssl/client.key
>> + openssl rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
>
> 1. Should the DER key be AES256 as well?
It should, but then it fails to load by postgres, my email wasn't clear about
this, sorry. The diff to revert from aes256 (and aes128 for that matter) is to
make the key load at all.
> 2. The ssl/client-encrypted-der.key target for the first recipe should
> be removed; I get a duplication warning from Make.
Interesting, I didn't see that, will check.
> 3. The new client key will need to be included in the patch; the one
> there now is still the AES128 version.
Good point, that's a reason to keep it aes128 until the encrypter DER key in
3.0.0 issue has been fixed.
> And one doc comment:
>
>> ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
>> -recreate them if you need to make changes.
>> +recreate them if you need to make changes. "make sslfiles-clean" is required
>> +in order to recreate.
>
> This is only true if you need to rebuild the entire tree; if you just
> want to recreate a single cert pair, you can just touch the config file
> for it (or remove the key, if you want to regenerate the pair) and
> `make sslfiles` again.
Correct. In my head, "rebuild" is when dealing with individually changed files
and "recreate" means rebuild everything regardless. Thats just my in my head
though, so clearly the wording should be expanded. Will do.
--
Daniel Gustafsson https://vmware.com/