From: | Cary Huang <cary(dot)huang(at)highgo(dot)ca> |
---|---|
To: | "Daniel Gustafsson" <daniel(at)yesql(dot)se> |
Cc: | "PostgreSQL Hackers" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: sslinfo extension - add notbefore and notafter timestamps |
Date: | 2023-07-10 23:09:51 |
Message-ID: | 1894211830e.ef46f9012448790.7113590129448608981@highgo.ca |
Lists: | pgsql-hackers |
> Thanks for the new version! It doesn't fail the ssl tests, but the Kerberos
> test now fails. You can see the test reports from the CFBot here:
Yes, the Kerberos tests failed due to the addition of the notbefore and notafter values. The values array within the "pg_stat_get_activity" function related to "pg_stat_gssapi" was not set correctly. It is now fixed.
> This runs on submitted patches, you can also run the same CI checks in your own
> Github clone using the supplied CI files in the postgres repo.
Thank you for pointing this out. I followed the CI instruction as suggested and am able to run the same CI checks to reproduce the test failures.
> There are also some trivial whitespace issues shown with "git diff --check",
> these can of course easily be addressed by a committer in a final-version patch
> but when sending a new version you might as well fix those.
Yes, the whitespace issues should be addressed in the attached patches.
> X509_getm_notBefore() and X509_getm_notAfter() are only available in OpenSSL
> 1.1.1 and onwards, but postgres supports 1.0.2 (as of today with 8e278b6576).
> X509_get_notAfter() is available in 1.0.2 but deprecated in 1.1.1 and turned
> into an alias for X509_getm_notAfter() (same with _notBefore of course), and
> since we set 1.0.2 as the API compatibility we should be able to use that
> without warnings instead.
Thank you so much for catching this openssl function compatibility issue. I have changed the function calls to:
- X509_get_notBefore()
- X509_get_notAfter()
which are compatible with OpenSSL v1.0.2 and also v1.1.1, where they will get translated to X509_getm_notBefore() and X509_getm_notAfter() respectively.
> These functions should IMO return timestamp data types to save the user from
> having to convert them. Same with the additions to pg_stat_get_activity.
Yes, agreed, the attached patches have the output changed to timestamp datatype instead of text.
> You should add tests for the new functions in src/test/ssl/t/003_sslinfo.pl.
Yes, agreed. I added 2 additional tests in src/test/ssl/t/003_sslinfo.pl to compare the notbefore and notafter outputs from the sslinfo extension with the pg_stat_ssl outputs. Both should test equal.
Also added related documentation about the new not before and not after timestamps in pg_stat_ssl.
Thank you,
Cary Huang
-------------
HighGo Software Inc. (Canada)
cary(dot)huang(at)highgo(dot)ca
www.highgo.ca
Attachment | Content-Type | Size |
---|---|---|
v4-0001-sslinfo-add-notbefore-and-notafter-timestamps.patch | application/octet-stream | 7.0 KB |
v4-0002-pg-stat-ssl-add-notbefore-and-notafter-timestamps.patch | application/octet-stream | 18.4 KB |
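The thread above settles on returning notBefore/notAfter as a timestamp type rather than text so that SQL users never have to decode the certificate's own time encoding. The block below is an added example, not code from the patches or from PostgreSQL, showing what that decoding involves: the raw ASN1_TIME value in an X.509 certificate is either a two-digit-year UTCTime (YYMMDDHHMMSSZ, with the RFC 5280 rule that YY >= 50 means 19YY) or a four-digit GeneralizedTime (YYYYMMDDHHMMSSZ), and OpenSSL's printed form ("Jul 10 23:09:51 2023 GMT") is a third representation again. The function names and the sample time strings are hypothetical and constructed for this example.

```python
"""Added example (not from the sslinfo/pg_stat_ssl patches or PostgreSQL):
decode X.509 validity times into UTC timestamps and check a certificate's
validity window. Function names and sample inputs are hypothetical."""
import re
import ssl
from datetime import datetime, timezone

# ASN.1 UTCTime as used in certificates: YYMMDDHHMMSSZ (RFC 5280 4.1.2.5.1).
_UTC_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
# ASN.1 GeneralizedTime: YYYYMMDDHHMMSSZ (required for dates in 2050 and later).
_GEN_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def asn1_time_to_datetime(value: str) -> datetime:
    """Parse a raw ASN1_TIME string (the bytes X509_get_notBefore/notAfter
    return) into a timezone-aware UTC datetime."""
    m = _UTC_RE.match(value)
    if m:
        yy, mo, d, h, mi, s = (int(x) for x in m.groups())
        # RFC 5280: two-digit years 50..99 are 1950..1999, 00..49 are 2000..2049.
        year = 1900 + yy if yy >= 50 else 2000 + yy
    else:
        m = _GEN_RE.match(value)
        if not m:
            raise ValueError(f"unsupported ASN1_TIME encoding: {value!r}")
        year, mo, d, h, mi, s = (int(x) for x in m.groups())
    # Certificates must use Zulu (UTC) time, so the offset is always zero.
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


def to_epoch(value: str) -> int:
    """Raw ASN1_TIME string -> integer seconds since the Unix epoch (UTC)."""
    return int(asn1_time_to_datetime(value).timestamp())


def openssl_print_to_epoch(text: str) -> int:
    """OpenSSL's printed form ("Jul 10 23:09:51 2023 GMT"), as shown by
    `openssl x509 -dates`, -> epoch seconds, via the standard library."""
    return ssl.cert_time_to_seconds(text)


def validity_status(not_before: str, not_after: str, now_epoch: int) -> str:
    """Classify a certificate's validity window at a given instant.
    Both bounds are inclusive, matching how X509_cmp_time-based checks
    treat the edges."""
    nb, na = to_epoch(not_before), to_epoch(not_after)
    if nb > na:
        raise ValueError("notBefore is later than notAfter")
    if now_epoch < nb:
        return "not_yet_valid"
    if now_epoch > na:
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    nb, na = "230710230951Z", "240710230951Z"
    print(asn1_time_to_datetime(nb).isoformat(), to_epoch(nb))
    print(validity_status(nb, na, to_epoch(nb) - 1))
    print(validity_status(nb, na, to_epoch("20500101000000Z")))
```

The same instant round-trips through all three encodings to one epoch value, which is the property the patch's TAP test relies on when it asserts that sslinfo and pg_stat_ssl report equal timestamps: once the server does this decoding, a client comparing the two columns compares timestamps, not strings in possibly different formats.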