From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
---|---|
To: | Cary Huang <cary(dot)huang(at)highgo(dot)ca> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: sslinfo extension - add notbefore and notafter timestamps |
Date: | 2023-07-25 14:21:42 |
Message-ID: | F14BF1AC-A765-402E-B49F-A303A8B38C75@yesql.se |
Lists: | pgsql-hackers |
> On 20 Jul 2023, at 17:24, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>
>> On 17 Jul 2023, at 20:26, Cary Huang <cary(dot)huang(at)highgo(dot)ca> wrote:
>
>>>> Perhaps calling "tm2timestamp(&pgtm_time, 0, NULL, &ts)" without checking the return code would be just fine. I see some other usages of tm2timestamp() in other code areas also skip checking the return code.
>>>
>>> I think we want to know about any failures, but we can probably make it into an
>>> elog() instead, as it should never fail.
>>
>> Yes, sure. I have corrected the error message to elog(ERROR, "timestamp out of range") on a rare tm2timestamp() failure.
>
> I went over this again and ended up pushing it along with a catversion bump.
> Due to a mistake in my testing I didn't however catch that it was using an API
> only present in OpenSSL 1.1.1 and higher, which caused build failures when using
> older OpenSSL versions, so I ended up reverting it again (leaving certificate
> changes in place) to keep the buildfarm green.
>
> Will look closer at an implementation which works across all supported versions
> of OpenSSL when I have more time.
Finally had some time, and have made an updated version of the patch.
OpenSSL 1.0.2 doesn't expose a function for getting the timestamp, so the patch
instead resorts to the older trick of getting the timestamp by inspecting the
diff against the UNIX epoch. When doing this, OpenSSL internally uses the same
function which later in 1.1.1 was exported for getting the timestamp.
The attached version passes ssl tests for me on 1.0.2 through OpenSSL Git HEAD.
--
Daniel Gustafsson
Attachment | Content-Type | Size |
---|---|---|
v7-0001-Add-notBefore-and-notAfter-to-SSL-cert-info-displ.patch | application/octet-stream | 27.0 KB |
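
The epoch-diff idea described in the message above, as an added stand-alone C illustration that is not part of the original message or of the attached patch. It makes no OpenSSL calls: it parses the two certificate time encodings itself and produces the kind of day/second difference against the UNIX epoch that OpenSSL's `ASN1_TIME_diff()` reports on 1.0.2 and later. The function names and the sample times in the test are constructed for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Days from 1970-01-01 to a proleptic Gregorian date; negative before the epoch. */
static long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;                                  /* count the year from March */
    long era = (y >= 0 ? y : y - 399) / 400;
    int yoe = (int) (y - era * 400);
    int doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    return era * 146097 + (yoe * 365 + yoe / 4 - yoe / 100 + doy) - 719468;
}

static int two(const char *p) { return (p[0] - '0') * 10 + (p[1] - '0'); }

/*
 * Hypothetical helper: split an RFC 5280 certificate time, UTCTime
 * "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ", into whole days since
 * the UNIX epoch plus seconds into that day. Returns 1 on success, 0 if malformed.
 */
int cert_time_epoch_diff(const char *s, long *days, int *secs)
{
    static const int dim[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    size_t len = strlen(s);
    int year, mon, day, hh, mm, ss, leap;

    if ((len != 13 && len != 15) || s[len - 1] != 'Z')
        return 0;
    for (size_t i = 0; i + 1 < len; i++)
        if (!isdigit((unsigned char) s[i]))
            return 0;
    if (len == 13)                  /* UTCTime: 50-99 => 19xx, 00-49 => 20xx */
        year = two(s) + (two(s) >= 50 ? 1900 : 2000);
    else
        year = two(s) * 100 + two(s + 2);
    s += len - 11;                  /* skip the 2 or 4 year digits */
    mon = two(s), day = two(s + 2), hh = two(s + 4), mm = two(s + 6), ss = two(s + 8);
    leap = year % 4 == 0 && (year % 100 != 0 || year % 400 == 0);
    if (mon < 1 || mon > 12 || hh > 23 || mm > 59 || ss > 59 ||
        day < 1 || day > dim[mon - 1] + (mon == 2 && leap))
        return 0;                   /* reject out-of-range fields such as Feb 30 */
    *days = days_from_civil(year, mon, day);
    *secs = hh * 3600 + mm * 60 + ss;
    return 1;
}

/* Combine the day/second pair into seconds since the UNIX epoch. */
int64_t epoch_from_diff(long days, int secs) { return (int64_t) days * 86400 + secs; }
```

Keeping the result in 64 bits matters here because certificate validity periods routinely extend past 2038.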