Re: SSL tests failing with "ee key too small" error on Debian SID

From: Kyotaro HORIGUCHI <horiguchi(dot)kyotaro(at)lab(dot)ntt(dot)co(dot)jp>
To: michael(at)paquier(dot)xyz
Cc: pgsql-hackers(at)postgresql(dot)org, hlinnaka(at)iki(dot)fi
Subject: Re: SSL tests failing with "ee key too small" error on Debian SID
Date: 2018-09-25 03:48:57
Message-ID: 20180925.124857.246516505.horiguchi.kyotaro@lab.ntt.co.jp
Lists: pgsql-hackers

Hello.

At Mon, 17 Sep 2018 22:13:40 +0900, Michael Paquier <michael(at)paquier(dot)xyz> wrote in <20180917131340(dot)GE31460(at)paquier(dot)xyz>
> Hi all,
>
> On a rather freshly-updated Debian SID server, I am able to see failures
> for the SSL TAP tests:
> 2018-09-17 22:00:27.389 JST [13072] LOG: database system is shut down
> 2018-09-17 22:00:27.506 JST [13082] FATAL: could not load server
> certificate file "server-cn-only.crt": ee key too small
> 2018-09-17 22:00:27.506 JST [13082] LOG: database system is shut down
> 2018-09-17 22:00:27.720 JST [13084] FATAL: could not load server
> certificate file "server-cn-only.crt": ee key too small
>
> Wouldn't it be better to rework the rules used to generate the different
> certificates and reissue them in the tree? It seems to me that this is
> just waiting to fail in other platforms as well..

I agree that we could get into the same trouble sooner or later.

Do you mean that cert/key files are generated on-the-fly while
running 'make check'? It sounds reasonable as long as just
replacing existing files with those with longer (2048 bits?) keys
doesn't work for all supported platforms.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center

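As an added illustration (not part of this thread and not PostgreSQL's own src/test/ssl fixture generation), the following POSIX shell script shows the two halves of what the reply above sketches: generating a self-signed test certificate with a 2048-bit RSA key on the fly, and checking the key size of an existing certificate so a fixture can be caught before the server rejects it with "ee key too small". It assumes the openssl command-line tool is on PATH; the function names, file names and the 2048-bit threshold in the demo are my own choices.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL.
# Debian's OpenSSL defaults to security level 2, which rejects RSA keys
# shorter than 2048 bits; this script generates fixtures that pass and
# reports the key size of fixtures that already exist.
set -e

# gen_test_cert OUTDIR NAME BITS
# Creates OUTDIR/NAME.key and OUTDIR/NAME.crt (self-signed, CN=NAME).
gen_test_cert() {
    outdir=$1; name=$2; bits=$3
    mkdir -p "$outdir"
    openssl req -new -x509 -newkey "rsa:$bits" -nodes -days 30 \
        -subj "/CN=$name" \
        -keyout "$outdir/$name.key" -out "$outdir/$name.crt" >/dev/null 2>&1
}

# cert_key_bits CERTFILE
# Prints the RSA modulus size (in bits) of the public key in CERTFILE.
# Matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)" lines,
# which differ between OpenSSL releases.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_min_bits CERTFILE MINBITS
# Succeeds when the certificate's key has at least MINBITS bits.
check_min_bits() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# Stand-alone demo: a 1024-bit fixture is flagged, a 2048-bit one passes.
demo() {
    dir=$(mktemp -d)
    gen_test_cert "$dir" weak-cn-only 1024
    gen_test_cert "$dir" server-cn-only 2048
    for f in "$dir"/*.crt; do
        if check_min_bits "$f" 2048; then
            printf '%s: %s bits, accepted\n' "$f" "$(cert_key_bits "$f")"
        else
            printf '%s: %s bits, would be rejected (ee key too small)\n' \
                "$f" "$(cert_key_bits "$f")"
        fi
    done
    rm -rf "$dir"
}

# Only run the demo where openssl is actually installed.
if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

Running the script prints one line per generated certificate; in a test harness, `check_min_bits` can gate fixture generation so that a key size below the platform's OpenSSL security level is reported by the build rather than discovered as a FATAL in the server log.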