At Tue, 25 Sep 2018 14:26:42 +0900, Michael Paquier <[email protected]> wrote
in <[email protected]>
> On Tue, Sep 25, 2018 at 12:48:57PM +0900, Kyotaro HORIGUCHI wrote:
> > Do you mean that cert/key files are generated on-the-fly while
> > running 'make check'? It sounds reasonable as long as just
> > replaceing existing files with those with longer (2048bits?) keys
> > doesn't work for all supported platforms.
>
> The files are present by default in the tree, but can be regenerated
> easily by using the makefile rule "sslfiles". From what I can see, this
> is caused by OpenSSL 1.1.1 which Debian SID has visibly upgraded to
> recently. That's the version I have on my system. I have not dug much
> into the Makefile to see if things could get done right and change the
> openssl commands though..
# I have no experience in Debian..
In Debian /etc/ssl/openssl.cnf has been changed to
"CiperString=DEFAULT@SECLEVEL=2", which implies that "RSA and DHE
keys need to be at least 2048 bit long" according to the
following page.
https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1
It seems to be Debian's special feature and I suppose
(differently from the previous mail..) it won't happen on other
platforms.
Instead, I managed to cause "ee key too smal" by setting
ssl_ciphers in postgresql.conf as the follows with openssl
1.1.1. With the first attached it happens during
001_ssltests_master.
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL@SECLEVEL=2' # allowed SSL ciphers
The attached second patch just changes key size to 2048 bits and
"ee key too small" are eliminated in 001_ssltests_master, but
instead I got "ca md too weak" error. This is eliminated by using
sha256 instead of sha1 in cas.config. (third attached)
By the way I got (with both 1.0.2k and 1.1.1) a "tlsv1 alert
unknown ca" error from 002_scram.pl. It is fixed for me by the
forth attached, but I'm not sure why we haven't have such a
complain. (It happens only for me?)
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 2b875a3c95..6d267f994e 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -43,6 +43,10 @@ chmod 0644, "ssl/client_wrongperms_tmp.key";
note "setting up data directory";
my $node = get_new_node('master');
$node->init;
+#### ##### restrict cipher suites
+$node->append_conf("postgresql.conf", <<'EOF');
+ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL@SECLEVEL=2' # allowed SSL ciphers
+EOF
# PGHOST is enforced here to set up the node, subsequent connections
# will use a dedicated connection string.
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 97389c90f8..4b621e18b6 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -39,7 +39,7 @@ ssl/new_certs_dir:
# Rule for creating private/public key pairs.
ssl/%.key:
- openssl genrsa -out $@ 1024
+ openssl genrsa -out $@ 2048
chmod 0600 $@
# Root CA certificate
diff --git a/src/test/ssl/cas.config b/src/test/ssl/cas.config
index 013cebae16..8c0ef6d82b 100644
--- a/src/test/ssl/cas.config
+++ b/src/test/ssl/cas.config
@@ -13,7 +13,7 @@ basicConstraints = CA:true
dir = ./ssl/
database = ./ssl/root_ca-certindex
serial = ./ssl/root_ca.srl
-default_md = sha1
+default_md = sha256
default_days= 10000
default_crl_days= 10000
certificate = ./ssl/root_ca.crt
@@ -26,7 +26,7 @@ email_in_dn = no
[ server_ca ]
dir = ./ssl/
database = ./ssl/server_ca-certindex
-default_md = sha1
+default_md = sha256
default_days= 10000
default_crl_days= 10000
certificate = ./ssl/server_ca.crt
@@ -42,7 +42,7 @@ crl = ./ssl/server.crl
[ client_ca ]
dir = ./ssl/
database = ./ssl/client_ca-certindex
-default_md = sha1
+default_md = sha256
default_days= 10000
default_crl_days= 10000
certificate = ./ssl/client_ca.crt
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index b460a7fa8a..147f51783d 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -39,7 +39,7 @@ configure_test_server_for_ssl($node, $SERVERHOSTADDR, "scram-sha-256",
switch_server_cert($node, 'server-cn-only');
$ENV{PGPASSWORD} = "pass";
$common_connstr =
- "user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
+ "user=ssltestuser dbname=trustdb sslmode=require sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
# Default settings
test_connect_ok($common_connstr, '',
