From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Cary Huang <cary(dot)huang(at)highgo(dot)ca> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: sslinfo extension - add notbefore and notafter timestamps |
Date: | 2023-07-03 09:56:35 |
Message-ID: | 513DF026-E3D9-48AC-86E0-CC30071D8EC2@yesql.se |
Lists: | pgsql-hackers |
> On 30 Jun 2023, at 20:12, Cary Huang <cary(dot)huang(at)highgo(dot)ca> wrote:
>
>> This needs to adjust the tests in src/test/ssl which now fails due to SELECT *
>> returning a row which doesn't match what the test was coded for.
>
> Thank you so much for pointing out. I have adjusted the extra ssl test to account for the extra columns returned. It should not fail now.

Thanks for the new version! It doesn't fail the ssl tests, but the Kerberos
test now fails. You can see the test reports from the CFBot here:

http://cfbot.cputube.org/cary-huang.html

This runs on submitted patches; you can also run the same CI checks in your own
GitHub clone using the supplied CI files in the postgres repo.

There are also some trivial whitespace issues shown with "git diff --check";
these can of course easily be addressed by a committer in a final-version patch
but when sending a new version you might as well fix those.

>> The new patchset isn't updating contrib/sslinfo/meson with the 1.3 update so it
>> fails to build with Meson.
>
> Thanks again for pointing out, I have adjusted the meson build file to include the 1.3 update
+ asn1_notbefore = X509_getm_notBefore(cert);
X509_getm_notBefore() and X509_getm_notAfter() are only available in OpenSSL
1.1.1 and onwards, but postgres supports 1.0.2 (as of today with 8e278b6576).
X509_get_notAfter() is available in 1.0.2 but deprecated in 1.1.1 and turned
into an alias for X509_getm_notAfter() (same with _notBefore of course), and
since we set 1.0.2 as the API compatibility we should be able to use that
without warnings instead.
+ <function>ssl_client_get_notbefore() returns text</function>
+ <function>ssl_client_get_notafter() returns text</function>
These functions should IMO return timestamp data types to save the user from
having to convert them. Same with the additions to pg_stat_get_activity.

You should add tests for the new functions in src/test/ssl/t/003_sslinfo.pl.

--
Daniel Gustafsson