On Tue, Aug 22, 2023 at 1:07 AM Peter Eisentraut <pe...@eisentraut.org> wrote:
> I have attached two patches, one to update the generation rules, and one
> where I have converted the existing test files. (I didn't generate them
> from scratch, so for example
> src/test/modules/ssl_passphrase_callback/server.crt that corresponds to
> one of the keys does not need to be updated.)

Looks good from here. I don't have a FIPS setup right now, but the new
files pass tests on OpenSSL 1.0.2u, 1.1.1v, 3.0.2-0ubuntu1.10, and
LibreSSL 3.8. Tests continue to pass after a full clean and rebuild of
the sslfiles.

> It's also interesting that if you generate all private keys from scratch
> using the existing rules on a new OpenSSL version (3+), they will be
> generated in PKCS#8 format by default. In those OpenSSL versions, the
> openssl-rsa command has a -traditional option to get the old format, but
> of course old OpenSSL versions don't have that. As OpenSSL 3 gets more
> widespread, we might need to rethink these rules anyway to make sure we
> get consistent behavior.

Yeah. Looks like OpenSSL 3 also adds new v3 extensions to the
certificates... For now they look benign, but I assume someone's going to
run into weirdness at some point.

Thanks!
--Jacob
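The two version-dependent behaviours discussed above (PKCS#8 versus traditional PEM output from openssl-rsa, and extra X509v3 extensions in regenerated certificates) can be checked mechanically in a build rule. The following is an added shell example, not code from the PostgreSQL patches or from anyone in this thread. It assumes `openssl` is on PATH for the conversion and certificate functions; the header classifier needs only `awk`. The PEM header strings in the usage example are constructed, not real keys.

```sh
#!/bin/sh
# Added example: keep regenerated SSL test keys in one PEM format across
# OpenSSL versions, and list certificate extensions so a regenerated
# certificate can be compared with the committed one.

# Classify a PEM private key read from stdin by its first BEGIN line.
# OpenSSL 3.0+ writes "BEGIN PRIVATE KEY" (PKCS#8) by default; older
# releases write the traditional "BEGIN RSA PRIVATE KEY" form.
pem_key_format() {
    header=$(awk '/^-----BEGIN /{print; exit}')
    case "$header" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo traditional-rsa ;;
        "-----BEGIN EC PRIVATE KEY-----")        echo traditional-ec ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown; return 1 ;;
    esac
}

# True when the local openssl-rsa knows -traditional (OpenSSL 3.0 and later).
openssl_rsa_has_traditional() {
    openssl rsa -help 2>&1 | grep -q -- '-traditional'
}

# Rewrite RSA key $1 to $2 in traditional form on any OpenSSL version.
# Before 3.0 openssl-rsa emits that form unconditionally, so the option is
# passed only where it exists; on 3.0+ omitting it would yield PKCS#8.
rsa_key_to_traditional() {
    in=$1
    out=$2
    if openssl_rsa_has_traditional; then
        openssl rsa -in "$in" -traditional -out "$out"
    else
        openssl rsa -in "$in" -out "$out"
    fi
    # Fail loudly if the result is not what the build rule promised.
    [ "$(pem_key_format < "$out")" = traditional-rsa ]
}

# Print the X509v3 extension names of certificate $1, one per line, by
# parsing the -text dump (extension names sit at 12 spaces of indentation,
# their values deeper; the "Signature Algorithm" line ends the section).
cert_extension_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 extensions:/ { in_ext = 1; next }
             in_ext && /^            [^ ]/ { sub(/^ +/, ""); sub(/:.*/, ""); print }
             in_ext && /^ *Signature Algorithm/ { exit }'
}

# Usage (constructed header, not a real key):
#   printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...' | pem_key_format
#   rsa_key_to_traditional server.key server.traditional.key
#   cert_extension_names server.crt | sort > regenerated.ext
if [ "$#" -eq 2 ]; then
    rsa_key_to_traditional "$1" "$2"
fi
```

Diffing `cert_extension_names` output for a committed certificate against a freshly generated one shows exactly which extensions a newer OpenSSL added, which is the quickest way to decide whether the generation rules need an explicit extension section.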