Re: Convert encrypted SSL test keys to PKCS#8 format

From Jacob Champion
Subject Re: Convert encrypted SSL test keys to PKCS#8 format
Msg-id CAAWbhmh8GMZvhGy097cHiy584KUb9ee7Gs0x+gD8+w0hryJW+A@mail.gmail.com
In response to Convert encrypted SSL test keys to PKCS#8 format  (Peter Eisentraut <peter@eisentraut.org>)
Responses Re: Convert encrypted SSL test keys to PKCS#8 format  (Peter Eisentraut <peter@eisentraut.org>)
List pgsql-hackers
On Tue, Aug 22, 2023 at 1:07 AM Peter Eisentraut <peter@eisentraut.org> wrote:
> I have attached two patches, one to update the generation rules, and one
> where I have converted the existing test files.  (I didn't generate them
> from scratch, so for example
> src/test/modules/ssl_passphrase_callback/server.crt that corresponds to
> one of the keys does not need to be updated.)

Looks good from here. I don't have a FIPS setup right now, but the new
files pass tests on OpenSSL 1.0.2u, 1.1.1v, 3.0.2-0ubuntu1.10, and
LibreSSL 3.8. Tests continue to pass after a full clean and rebuild of
the sslfiles.

> It's also interesting that if you generate all private keys from scratch
> using the existing rules on a new OpenSSL version (3+), they will be
> generated in PKCS#8 format by default.  In those OpenSSL versions, the
> openssl-rsa command has a -traditional option to get the old format, but
> of course old OpenSSL versions don't have that.  As OpenSSL 3 gets more
> widespread, we might need to rethink these rules anyway to make sure we
> get consistent behavior.

Yeah. Looks like OpenSSL 3 also adds new v3 extensions to the
certificates... For now they look benign, but I assume someone's going
to run into weirdness at some point.

Thanks!
--Jacob
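
Added example, not part of the message above and not code from the PostgreSQL tree: a check that tells the traditional private-key PEM format from PKCS#8 by the armor alone, so a test-key directory can be audited for consistency whichever OpenSSL version generated it. The function names and the sample inputs are assumptions made for illustration.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
TRADITIONAL = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "EC", "DSA PRIVATE KEY": "DSA"}

def classify_private_keys(pem_text):
    """Return one dict per private-key block in pem_text (other PEM types are skipped)."""
    found = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label in TRADITIONAL:
            # Traditional encryption is flagged by header lines placed before
            # the base64 body; the BEGIN label is the same either way.
            headers = {}
            for line in body.splitlines():
                if ":" in line:
                    name, value = line.split(":", 1)
                    headers[name.strip()] = value.strip()
            encrypted = headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED"
            cipher = headers.get("DEK-Info", "").split(",")[0] if encrypted else None
            found.append({"format": "traditional", "algorithm": TRADITIONAL[label],
                          "encrypted": encrypted, "cipher": cipher or None})
        elif label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
            # PKCS#8 keeps the algorithm and cipher inside the DER body, so the
            # armor only shows whether the key is encrypted.
            found.append({"format": "PKCS#8", "algorithm": None,
                          "encrypted": label.startswith("ENCRYPTED"), "cipher": None})
    return found

def needs_conversion(pem_text):
    """True if any key is an encrypted key still in the traditional format."""
    return any(k["format"] == "traditional" and k["encrypted"]
               for k in classify_private_keys(pem_text))

# Constructed samples: the base64 bodies are placeholders, not key material.
SAMPLE_TRADITIONAL = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, text in (("traditional", SAMPLE_TRADITIONAL), ("pkcs8", SAMPLE_PKCS8)):
        print(name, classify_private_keys(text), needs_conversion(text))
```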


