| From: | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To: | Jacob Champion <jchampion(at)timescale(dot)com> |
| Cc: | Gunnar Nick Bluth <gunnar(dot)bluth(at)pro-open(dot)de>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: BUG #17760: SCRAM authentication fails with "modern" (rsassaPss signature) server certificate |
| Date: | 2023-02-15 01:22:54 |
| Message-ID: | Y+wz7kNLIYnvEBgB@paquier.xyz |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Mon, Feb 13, 2023 at 09:44:03AM -0800, Jacob Champion wrote:
> LGTM too, thanks Michael! I tested against LibreSSL 3.5.3 to
> double-check the fallback.
Thanks for checking with this one, I don't have LibreSSL in my
environment, at least not now. Perhaps I should.. So, I have spent a
couple of hours on that, and backpatched the fix down to 11. There
were different conflicts for each branch.
The new tests have been added in 15~, where the generation of the cert
and key files is more straight-forward than ~14. Actually, make
sslfiles fails on these branches when using OpenSSL 1.1.1~. Perhaps
that may be worth addressing, but the existing tests pass anyway when
relying on X509_get_signature_info(), as much as they pass with older
versions of OpenSSL. I have done some manual checks with RSA-PSS
certs and keys to make sure that channel binding works correctly for
these versions (one can just reuse the ones generated on HEAD or
REL_15_STABLE in src/test/ssl/ for that).
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2023-02-15 02:00:32 | Re: BUG #17793: Query with large number of joins crashes PostgreSQL |
| Previous Message | Andres Freund | 2023-02-14 21:04:59 | Re: BUG #17791: Assert on procarray.c |