pgsql: Update ssl test certificates and keys
Update ssl test certificates and keys
Debian testing and newer now require that RSA and DHE keys are at
least 2048 bit long and no longer allow SHA-1 for signatures in
certificates. This is currently causing the ssl tests to fail there
because the test certificates and keys have been created in violation
of those conditions.
Update the parameters to create the test files and create a new set of
test files.
Author: Kyotaro HORIGUCHI <horiguchi.kyotaro@lab.ntt.co.jp>
Reported-by: Michael Paquier <michael@paquier.xyz>
Discussion: /messages/by-id/20180917131340.GE31460@paquier.xyz
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/f17889b2214194d7bd33900509bf08959d5a7efa
Modified Files
--------------
src/test/ssl/Makefile | 2 +-
src/test/ssl/cas.config | 6 +-
src/test/ssl/ssl/both-cas-1.crt | 77 ++++++++++++++++----------
src/test/ssl/ssl/both-cas-2.crt | 77 ++++++++++++++++----------
src/test/ssl/ssl/client+client_ca.crt | 47 ++++++++++------
src/test/ssl/ssl/client-revoked.crt | 23 +++++---
src/test/ssl/ssl/client-revoked.key | 38 ++++++++-----
src/test/ssl/ssl/client.crl | 16 +++---
src/test/ssl/ssl/client.crt | 23 +++++---
src/test/ssl/ssl/client.key | 38 ++++++++-----
src/test/ssl/ssl/client_ca.crt | 24 +++++---
src/test/ssl/ssl/client_ca.key | 38 ++++++++-----
src/test/ssl/ssl/root+client.crl | 31 ++++++-----
src/test/ssl/ssl/root+client_ca.crt | 53 +++++++++++-------
src/test/ssl/ssl/root+server.crl | 31 ++++++-----
src/test/ssl/ssl/root+server_ca.crt | 53 +++++++++++-------
src/test/ssl/ssl/root.crl | 15 +++--
src/test/ssl/ssl/root_ca.crt | 29 ++++++----
src/test/ssl/ssl/root_ca.key | 38 ++++++++-----
src/test/ssl/ssl/server-cn-and-alt-names.crt | 27 +++++----
src/test/ssl/ssl/server-cn-and-alt-names.key | 38 ++++++++-----
src/test/ssl/ssl/server-cn-only.crt | 27 +++++----
src/test/ssl/ssl/server-cn-only.key | 38 ++++++++-----
src/test/ssl/ssl/server-multiple-alt-names.crt | 29 ++++++----
src/test/ssl/ssl/server-multiple-alt-names.key | 38 ++++++++-----
src/test/ssl/ssl/server-no-names.crt | 26 +++++----
src/test/ssl/ssl/server-no-names.key | 38 ++++++++-----
src/test/ssl/ssl/server-password.key | 40 ++++++++-----
src/test/ssl/ssl/server-revoked.crt | 27 +++++----
src/test/ssl/ssl/server-revoked.key | 38 ++++++++-----
src/test/ssl/ssl/server-single-alt-name.crt | 26 +++++----
src/test/ssl/ssl/server-single-alt-name.key | 38 ++++++++-----
src/test/ssl/ssl/server-ss.crt | 28 ++++++----
src/test/ssl/ssl/server-ss.key | 38 ++++++++-----
src/test/ssl/ssl/server.crl | 16 +++---
src/test/ssl/ssl/server_ca.crt | 24 +++++---
src/test/ssl/ssl/server_ca.key | 38 ++++++++-----
37 files changed, 769 insertions(+), 464 deletions(-)
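Added example, not PostgreSQL's own src/test/ssl Makefile or cas.config: a POSIX shell script that generates a root CA and a CA-signed server certificate with the parameters the commit message calls for (2048-bit RSA keys, SHA-256 signatures) and audits PEM certificates for the two conditions that make Debian testing reject the old files (a key shorter than 2048 bits, or a SHA-1 signature). Assumed: an `openssl` binary on PATH and a writable temp directory; the config section names, subject names and function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not PostgreSQL's own src/test/ssl Makefile or cas.config.
# Generates a small test PKI that satisfies the Debian defaults described in
# the commit message (RSA keys >= 2048 bits, no SHA-1 certificate signatures)
# and audits PEM certificates against those two conditions.
# Assumptions: an `openssl` binary on PATH; section and subject names below
# are constructed for this example.
set -eu

# Write a minimal OpenSSL config (constructed for this example) so the script
# does not depend on the system openssl.cnf.
write_test_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost
EOF
}

# Generate root_ca.{key,crt} and server.{key,crt} in the given directory,
# using 2048-bit RSA keys and SHA-256 signatures throughout.
gen_test_pki() {
    dir="$1"
    write_test_config "$dir/test.cnf"
    openssl genrsa -out "$dir/root_ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/test.cnf" \
        -extensions v3_ca -key "$dir/root_ca.key" -subj "/CN=Test root CA" \
        -out "$dir/root_ca.crt"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/test.cnf" -key "$dir/server.key" \
        -subj "/CN=localhost" -out "$dir/server.csr"
    openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" \
        -CA "$dir/root_ca.crt" -CAkey "$dir/root_ca.key" -CAcreateserial \
        -extfile "$dir/test.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
}

# Print the RSA modulus size in bits of a PEM certificate's public key.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the signature algorithm of a PEM certificate
# (for example sha256WithRSAEncryption).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Pure policy decision on (key bits, signature algorithm): prints "ok",
# "weak-key" or "weak-signature"; returns non-zero for the weak cases.
policy_verdict() {
    bits="$1"
    alg="$2"
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "weak-key"
        return 1
    fi
    case "$alg" in
        *sha1*|*SHA1*)
            echo "weak-signature"
            return 1 ;;
    esac
    echo "ok"
}

# Audit one PEM certificate file: prints a one-line report, exit status is
# the verdict (0 only when the certificate satisfies the policy).
check_cert_policy() {
    bits=$(cert_key_bits "$1")
    alg=$(cert_sig_alg "$1")
    verdict=$(policy_verdict "$bits" "$alg") || true
    echo "$1: $verdict (${bits:-?}-bit key, ${alg:-unknown signature})"
    [ "$verdict" = ok ]
}

# Demo: build the PKI in a scratch directory, audit both certificates and
# confirm the server certificate chains to the root.
demo_dir=$(mktemp -d)
gen_test_pki "$demo_dir"
check_cert_policy "$demo_dir/root_ca.crt"
check_cert_policy "$demo_dir/server.crt"
openssl verify -CAfile "$demo_dir/root_ca.crt" "$demo_dir/server.crt"
```

To audit the files touched by the commit rather than the generated demo set, call `check_cert_policy` on each `src/test/ssl/ssl/*.crt`; a non-zero exit from any of them points at a certificate that the newer Debian OpenSSL defaults would reject.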
On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
> Update ssl test certificates and keys
> Debian testing and newer now require that RSA and DHE keys are at
> least 2048 bit long and no longer allow SHA-1 for signatures in
> certificates. This is currently causing the ssl tests to fail there
> because the test certificates and keys have been created in violation
> of those conditions.
> Update the parameters to create the test files and create a new set of
> test files.
Peter, would it make sense to back-patch this commit down to where the
SSL tests have been introduced? If /etc/ssl/ is not correctly
configured, this results in failures across branches on Debian if the
default is used.
--
Michael
On 23/12/2018 09:04, Michael Paquier wrote:
> On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
> > Update ssl test certificates and keys
> > Debian testing and newer now require that RSA and DHE keys are at
> > least 2048 bit long and no longer allow SHA-1 for signatures in
> > certificates. This is currently causing the ssl tests to fail there
> > because the test certificates and keys have been created in violation
> > of those conditions.
> > Update the parameters to create the test files and create a new set of
> > test files.
> Peter, would it make sense to back-patch this commit down to where the
> SSL tests have been introduced? If /etc/ssl/ is not correctly
> configured, this results in failures across branches on Debian if the
> default is used.
done
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
On Fri, Jan 4, 2019 at 3:36 AM Peter Eisentraut
<peter.eisentraut@2ndquadrant.com> wrote:
> On 23/12/2018 09:04, Michael Paquier wrote:
> > On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
> > > Update ssl test certificates and keys
> > > Debian testing and newer now require that RSA and DHE keys are at
> > > least 2048 bit long and no longer allow SHA-1 for signatures in
> > > certificates. This is currently causing the ssl tests to fail there
> > > because the test certificates and keys have been created in violation
> > > of those conditions.
> > > Update the parameters to create the test files and create a new set of
> > > test files.
> > Peter, would it make sense to back-patch this commit down to where the
> > SSL tests have been introduced? If /etc/ssl/ is not correctly
> > configured, this results in failures across branches on Debian if the
> > default is used.
> done
Thanks. FWIW I've just updated eelpout (a Debian testing BF animal
that runs all the extra tests including SSL) to use libssl-dev
(instead of libssl1.0-dev), and cleared its accache files. Let's see
if that works...
--
Thomas Munro
http://www.enterprisedb.com
On Thu, Jan 03, 2019 at 03:36:36PM +0100, Peter Eisentraut wrote:
> done
Thanks, Peter.
--
Michael
On Fri, Jan 4, 2019 at 10:08 AM Thomas Munro
<thomas.munro@enterprisedb.com> wrote:
> On Fri, Jan 4, 2019 at 3:36 AM Peter Eisentraut
> <peter.eisentraut@2ndquadrant.com> wrote:
> > On 23/12/2018 09:04, Michael Paquier wrote:
> > > On Tue, Nov 27, 2018 at 02:21:39PM +0000, Peter Eisentraut wrote:
> > > > Update ssl test certificates and keys
> > > > Debian testing and newer now require that RSA and DHE keys are at
> > > > least 2048 bit long and no longer allow SHA-1 for signatures in
> > > > certificates. This is currently causing the ssl tests to fail there
> > > > because the test certificates and keys have been created in violation
> > > > of those conditions.
> > > > Update the parameters to create the test files and create a new set of
> > > > test files.
> > > Peter, would it make sense to back-patch this commit down to where the
> > > SSL tests have been introduced? If /etc/ssl/ is not correctly
> > > configured, this results in failures across branches on Debian if the
> > > default is used.
> > done
> Thanks. FWIW I've just updated eelpout (a Debian testing BF animal
> that runs all the extra tests including SSL) to use libssl-dev
> (instead of libssl1.0-dev), and cleared its accache files. Let's see
> if that works...
Since that upgrade (to libssl 1.1.1a-1), there have been a few
intermittent failures in the SSL tests on that animal (thanks Tom for
pointing that out off-list). In a quick check, I was able to
reproduce the failure after about 8 successful runs of "make check"
under src/test/ssl on that machine. I couldn't immediately see what
the problem was and I'm away from computers and work this week, so
I'll have to investigate properly early next week. The main unusual
thing about that animal is that it's an ARM CPU. FWIW I run that test
by having this in build-farm.conf (I mention this in case someone
wants to do the same on a Debian buster/testing x86 system to see if
it has a similar problem, if there isn't one like that already):
$ENV{PG_TEST_EXTRA} = "ssl ldap kerberos";
--
Thomas Munro
http://www.enterprisedb.com