Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qYWev-001yNb-OJ for pgsql-hackers@arkaria.postgresql.org; Tue, 22 Aug 2023 19:03:21 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qYWdw-0045pc-2C for pgsql-hackers@arkaria.postgresql.org; Tue, 22 Aug 2023 19:02:19 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qYWdv-0045pT-Ma for pgsql-hackers@lists.postgresql.org; Tue, 22 Aug 2023 19:02:19 +0000 Received: from mail-oo1-xc35.google.com ([2607:f8b0:4864:20::c35]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1qYWdq-000PyO-PS for pgsql-hackers@postgresql.org; Tue, 22 Aug 2023 19:02:18 +0000 Received: by mail-oo1-xc35.google.com with SMTP id 006d021491bc7-56d8bc0d909so3041052eaf.3 for ; Tue, 22 Aug 2023 12:02:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timescale.com; s=google; t=1692730933; x=1693335733; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=9BSKZMg2XdZpUT+s/8q02q+v4Lp2+PXiMdpXufSVfaM=; b=G1vWmGeiXKvEX8QunXff7t2wYNriN3Ma/sH/X+pRIYLA03w7OAZS5NV+oXOsJXziYI xopay+KTgsI7562LHZnW1mjtJT9h5EvBwFQuEfglpQxNMpIswsH8B7CoqzSTFmLeFISn Fd5xwzzJsjcRcdoifFbXKZe0+MMYeme4sdtHNFzwOWENdxSyo01tYYEnEFwklWrd1H7H WC4s4bZ6wLL0jkGJkEvWvxitpkSO+HZfcBVOuhfBv0ezTfHSgmT/9r8CHFuE2AYve8lf H221ZkrK7OLz4S136MJ1Y7Muu9n3M4ATJGCe6DxuX0Q/1E0xhSGIpw7xycsPTlug4flh 2PwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692730933; x=1693335733; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9BSKZMg2XdZpUT+s/8q02q+v4Lp2+PXiMdpXufSVfaM=; b=ZeNzlNZjCPMoAIkcEyTKIMBGwixxiCFxYm/lObM8Cipv+fF9v8FbT9VN4KZiNj/p8V XLq8iZi4J1oJdaBKrndb2ZuTHMhfq1iTOfh6MnA7Qa7+X2iQgH1SLdlTX83jYZEJOTXB s9OIynKzdc9qlvqlOLQEnRx3D5ajHIYgx/r9mdn/m3YjBiOwJmInYL4VcdGDpxbKPCPD gWsCUMBUgtPrHYm/UYywC8mPgcPs2sbK1LaMt6A6HPGiqhUoBTG0ku1ktW5dh4Q9aMde PHchd8evL3jy03LW84VX7W5qYRGu+9WMpIk7TRHKzkO0jqPn0V6hv1qPr5dfuQ4gZnZI qoow== X-Gm-Message-State: AOJu0YzUnQFdOaqWcGv6tETC0REGeq4uW0DIR/O0CElc06/cF97WHYJY RvNeKCJOrkgqWC342IjO7FQSRL9sDGGUNDkiBIioqR9lBJH86mr2VytscA== X-Google-Smtp-Source: AGHT+IHz+8PhTSAGouvRI3ptqUjw97r3VThJ26h/c24sHzBJNmA3P8J0qpihki/ZgfuwyY1VI0qfbcQm/woQ40h4ngc= X-Received: by 2002:a4a:2a43:0:b0:56e:a164:bfad with SMTP id x3-20020a4a2a43000000b0056ea164bfadmr9971640oox.7.1692730932878; Tue, 22 Aug 2023 12:02:12 -0700 (PDT) MIME-Version: 1.0 References: <64de784b-8833-e055-3bd4-7420e6675351@eisentraut.org> In-Reply-To: <64de784b-8833-e055-3bd4-7420e6675351@eisentraut.org> From: Jacob Champion Date: Tue, 22 Aug 2023 12:02:02 -0700 Message-ID: Subject: Re: Convert encrypted SSL test keys to PKCS#8 format To: Peter Eisentraut Cc: pgsql-hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Aug 22, 2023 at 1:07=E2=80=AFAM Peter Eisentraut wrote: > I have attached two patches, one to update the generation rules, and one > where I have converted the existing test files. (I didn't generate them > from scratch, so for example > src/test/modules/ssl_passphrase_callback/server.crt that corresponds to > one of the keys does not need to be updated.) Looks good from here. I don't have a FIPS setup right now, but the new files pass tests on OpenSSL 1.0.2u, 1.1.1v, 3.0.2-0ubuntu1.10, and LibreSSL 3.8. Tests continue to pass after a full clean and rebuild of the sslfiles. > It's also interesting that if you generate all private keys from scratch > using the existing rules on a new OpenSSL version (3+), they will be > generated in PKCS#8 format by default. In those OpenSSL versions, the > openssl-rsa command has a -traditional option to get the old format, but > of course old OpenSSL versions don't have that. As OpenSSL 3 gets more > widespread, we might need to rethink these rules anyway to make sure we > get consistent behavior. Yeah. Looks like OpenSSL 3 also adds new v3 extensions to the certificates... For now they look benign, but I assume someone's going to run into weirdness at some point. Thanks! --Jacob