Thread: Re: pgsql: Update ssl test certificates and keys

Re: pgsql: Update ssl test certificates and keys

From
Michael Paquier
Date:
On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
> Update ssl test certificates and keys
>
> Debian testing and newer now require that RSA and DHE keys are at
> least 2048 bit long and no longer allow SHA-1 for signatures in
> certificates.  This is currently causing the ssl tests to fail there
> because the test certificates and keys have been created in violation
> of those conditions.
>
> Update the parameters to create the test files and create a new set of
> test files.

Peter, would it make sense to back-patch this commit down to where the
SSL tests have been introduced?  If /etc/ssl/ is not correctly
configured, this results in failures across branches on Debian if the
default is used.
--
Michael
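
The policy quoted from the commit message (RSA keys of at least 2048 bits, no SHA-1 certificate signatures) can be checked on a certificate before a test run. The following is an added example, not part of this thread or of PostgreSQL's tree: it walks the DER encoding with the standard library only, covers RSA keys but not DHE parameters, and the names `audit` and `sample_cert` and the unsigned sample certificates are constructed for illustration.

```python
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # OID sha1WithRSAEncryption
RSA_ENC = bytes.fromhex("2a864886f70d010101")     # OID rsaEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # used by the samples only

def items(buf):
    """Split DER bytes into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: low bits count the length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def audit(cert_der, min_bits=2048):
    """Return policy violations (weak RSA key, SHA-1 signature) for one cert."""
    tbs, sig_alg, _sig = items(items(cert_der)[0][1])
    # Drop the optional [0] version so the fixed fields line up:
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    fields = [f for f in items(tbs[1]) if f[0] != 0xA0]
    spki = items(fields[5][1])
    problems = []
    if items(sig_alg[1])[0][1] == SHA1_RSA:
        problems.append("SHA-1 signature")
    if items(spki[0][1])[0][1] == RSA_ENC:
        key = items(items(spki[1][1][1:])[0][1])  # skip BIT STRING pad byte
        bits = int.from_bytes(key[0][1], "big").bit_length()
        if bits < min_bits:
            problems.append(f"RSA key is {bits} bits")
    return problems

def der(tag, value):
    """Encode one DER element; only needed to build the constructed samples."""
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def sample_cert(bits, sig_oid):
    """Constructed, unsigned certificate skeleton (not a PostgreSQL test file)."""
    alg = lambda oid: der(0x30, der(0x06, oid) + der(0x05, b""))
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    spki = der(0x30, alg(RSA_ENC) + der(0x03, b"\x00" + der(
        0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))))
    validity = der(0x30, der(0x17, b"190101000000Z") * 2)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg(sig_oid) + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + alg(sig_oid) + der(0x03, bytes(9)))
```

To check a PEM file, base64-decode the body between the `BEGIN CERTIFICATE` and `END CERTIFICATE` lines and pass the resulting bytes to `audit`.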

Re: pgsql: Update ssl test certificates and keys

From
Peter Eisentraut
Date:
On 23/12/2018 09:04, Michael Paquier wrote:
> On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
>> Update ssl test certificates and keys
>>
>> Debian testing and newer now require that RSA and DHE keys are at
>> least 2048 bit long and no longer allow SHA-1 for signatures in
>> certificates.  This is currently causing the ssl tests to fail there
>> because the test certificates and keys have been created in violation
>> of those conditions.
>>
>> Update the parameters to create the test files and create a new set of
>> test files.
> 
> Peter, would it make sense to back-patch this commit down to where the
> SSL tests have been introduced?  If /etc/ssl/ is not correctly
> configured, this results in failures across branches on Debian if the
> default is used.

done

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services


Re: pgsql: Update ssl test certificates and keys

From
Thomas Munro
Date:
On Fri, Jan 4, 2019 at 3:36 AM Peter Eisentraut
<peter.eisentraut@2ndquadrant.com> wrote:
> On 23/12/2018 09:04, Michael Paquier wrote:
> > On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
> >> Update ssl test certificates and keys
> >>
> >> Debian testing and newer now require that RSA and DHE keys are at
> >> least 2048 bit long and no longer allow SHA-1 for signatures in
> >> certificates.  This is currently causing the ssl tests to fail there
> >> because the test certificates and keys have been created in violation
> >> of those conditions.
> >>
> >> Update the parameters to create the test files and create a new set of
> >> test files.
> >
> > Peter, would it make sense to back-patch this commit down to where the
> > SSL tests have been introduced?  If /etc/ssl/ is not correctly
> > configured, this results in failures across branches on Debian if the
> > default is used.
>
> done

Thanks.  FWIW I've just updated eelpout (a Debian testing BF animal
that runs all the extra tests including SSL) to use libssl-dev
(instead of libssl1.0-dev), and cleared its accache files.  Let's see
if that works...

-- 
Thomas Munro
http://www.enterprisedb.com


Re: pgsql: Update ssl test certificates and keys

From
Michael Paquier
Date:
On Thu, Jan 03, 2019 at 03:36:36PM +0100, Peter Eisentraut wrote:
> done

Thanks, Peter.
--
Michael

Re: pgsql: Update ssl test certificates and keys

From
Thomas Munro
Date:
On Fri, Jan 4, 2019 at 10:08 AM Thomas Munro
<thomas.munro@enterprisedb.com> wrote:
> On Fri, Jan 4, 2019 at 3:36 AM Peter Eisentraut
> <peter.eisentraut@2ndquadrant.com> wrote:
> > On 23/12/2018 09:04, Michael Paquier wrote:
> > > On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
> > >> Update ssl test certificates and keys
> > >>
> > >> Debian testing and newer now require that RSA and DHE keys are at
> > >> least 2048 bit long and no longer allow SHA-1 for signatures in
> > >> certificates.  This is currently causing the ssl tests to fail there
> > >> because the test certificates and keys have been created in violation
> > >> of those conditions.
> > >>
> > >> Update the parameters to create the test files and create a new set of
> > >> test files.
> > >
> > > Peter, would it make sense to back-patch this commit down to where the
> > > SSL tests have been introduced?  If /etc/ssl/ is not correctly
> > > configured, this results in failures across branches on Debian if the
> > > default is used.
> >
> > done
>
> Thanks.  FWIW I've just updated eelpout (a Debian testing BF animal
> that runs all the extra tests including SSL) to use libssl-dev
> (instead of libssl1.0-dev), and cleared its accache files.  Let's see
> if that works...

Since that upgrade (to libssl 1.1.1a-1), there have been a few
intermittent failures in the SSL tests on that animal (thanks Tom for
pointing that out off-list).  In a quick check, I was able to
reproduce the failure after about 8 successful runs of "make check"
under src/test/ssl on that machine.  I couldn't immediately see what
the problem was and I'm away from computers and work this week, so
I'll have to investigate properly early next week.  The main unusual
thing about that animal is that it's an ARM CPU.  FWIW I run that test
by having this in build-farm.conf (I mention this in case someone
wants to do the same on a Debian buster/testing x86 system to see if
it has a similar problem, if there isn't one like that already):

$ENV{PG_TEST_EXTRA} = "ssl ldap kerberos";

-- 
Thomas Munro
http://www.enterprisedb.com