[pgpool-hackers: 3560] Re: [PATCH] Feature: Support for CRL (Certificate Revocation List)

Umar Hayat m.umarkiani at gmail.com
Thu Mar 19 19:25:03 JST 2020


I saw the logs and it is generating 512bit key for certificate on CentOS6
and as result there is this error *"digest too big for rsa key".* On
CentOS7 and Debian Openssl 1.1.1 generates 2048bit keys by default. AFAIK
512 keys is not supported with TLSv1.2.
In patch attached, I updated defaults bits value to 2048, Hope this would
fix the problem. Also printed openssl version to check what version is used
on BF, and would help in future to debug.
I will keep an eye on BF for tomorrows build to see results.

Regards
Umar Hayat

On Thu, Mar 19, 2020 at 6:59 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:

> After pushing this, build farm is conituouly failing with
> 024.cert_auth on CentOS6. CentOS7 and 8 seem OK. For now, build farm
> log and pgpool.log attached. (Full information can be otained from
> https://pgpool.net/buildfarm/).
>
> From: Tatsuo Ishii <ishii at sraoss.co.jp>
> Subject: [pgpool-hackers: 3551] Re: [PATCH] Feature: Support for CRL
> (Certificate Revocation List)
> Date: Sat, 14 Mar 2020 12:20:20 +0900 (JST)
> Message-ID: <20200314.122020.1318630628622464420.t-ishii at sraoss.co.jp>
>
> > Hi Usama,
> >
> > Thank you for the confirmantion. I have pushed Umar's patch. I have
> > made a small modification to the doc:
> >
> > +      Specifies the name of the file containing the SSL server
> > +      certificate revocation list (CRL). The default is empty,
> >
> > to:
> >
> >       Specifies the path to the file containing the SSL server
> >       certificate revocation list (CRL).
> >
> > because ssl_crl_file should be a full path to the CRL file, rather
> > than just a file name.
> >
> > Also I have added a Japanese doc.
> >
> > Umar Hayat,
> > Thank you for your contribution!
> >
> >> Hi Ishii-San
> >>
> >> The patch is good now and does what it is intended for.
> >> We can commit it to the master branch.
> >>
> >> Thanks
> >> Best regards
> >> Muhammad Usama
> >>
> >>
> >> On Wed, Mar 11, 2020 at 4:30 PM Tatsuo Ishii <ishii at sraoss.co.jp>
> wrote:
> >>
> >>> Hi Umar,
> >>>
> >>> Now the regression test passed!
> >>> Thank you for the update.
> >>>
> >>> Usama,
> >>>
> >>> Do you agree to commit this patch?
> >>>
> >>> Best regards,
> >>> --
> >>> Tatsuo Ishii
> >>> SRA OSS, Inc. Japan
> >>> English: http://www.sraoss.co.jp/index_en.php
> >>> Japanese:http://www.sraoss.co.jp
> >>>
> >>> > Hi Ishii,
> >>> > I guess I have to learn pgpool regression structure a bit more and It
> >>> came
> >>> > out not a good idea updating and existing test :-)
> >>> > I was updating the 'ssl_crl_file' in pgpool.conf after calling
> >>> './startall'
> >>> > , which I suppose would not load the update configuration.
> >>> > In latest patch I moved that update operation before './startall' and
> >>> added
> >>> > extra check to validate that pgpool configuration is correctly
> updated.
> >>> > I hope this patch would fix the issue. Please find attached.
> >>> >
> >>> > Regards
> >>> > Umar Hayat
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > On Wed, Mar 11, 2020 at 3:04 AM Tatsuo Ishii <ishii at sraoss.co.jp>
> wrote:
> >>> >
> >>> >> Unfortunately the regression test failed again.
> >>> >>
> >>> >> $ ./regress.sh 024
> >>> >> creating pgpool-II temporary installation ...
> >>> >> moving pgpool_setup to temporary installation path ...
> >>> >> moving watchdog_setup to temporary installation path ...
> >>> >> using pgpool-II at
> >>> >>
> >>>
> /home/t-ishii/work/Pgpool-II/current/pgpool2/src/test/regression/temp/installed
> >>> >> *************************
> >>> >> REGRESSION MODE          : install
> >>> >> PGPOOL-II                :
> >>> >>
> >>>
> /home/t-ishii/work/Pgpool-II/current/pgpool2/src/test/regression/temp/installed
> >>> >> PostgreSQL bin           : /usr/local/pgsql/bin
> >>> >> PostgreSQL Major version : 12
> >>> >> pgbench                  : /usr/local/pgsql/bin/pgbench
> >>> >> PostgreSQL jdbc          :
> >>> >> /usr/local/pgsql/share/postgresql-9.2-1003.jdbc4.jar
> >>> >> *************************
> >>> >> testing 024.cert_auth...failed.
> >>> >> out of 1 ok:0 failed:1 timeout:0
> >>> >>
> >>> >> regression log attached.
> >>> >>
> >>> >> > Thanks Usama for feedback. updated patch with suggested changed
> >>> attached.
> >>> >> > Please see comments inline.
> >>> >> >
> >>> >> > Ishii,
> >>> >> > IMO, tests were failing because some certificates generation and
> >>> signing
> >>> >> > was using global configuration. Previously, I only provided
> >>> >> > minimum configuration for CRL generation.
> >>> >> > Now I provided minimum custom configuration for Cert generation
> and
> >>> >> Signing
> >>> >> > too. I hope now that last tests should be passing now.
> >>> >> >
> >>> >> > Regards
> >>> >> > Umar Hayat
> >>> >> >
> >>> >> >
> >>> >> > On Wed, Mar 4, 2020 at 7:19 PM Muhammad Usama <m.usama at gmail.com>
> >>> wrote:
> >>> >> >
> >>> >> >> Hi
> >>> >> >>
> >>> >> >> I have looked into the patch and here are my two cents.
> >>> >> >>
> >>> >> >> 1- Does the "Certificate Revocation List (CRL)" have any effect
> if
> >>> we do
> >>> >> >> not configure CA certificates?
> >>> >> >> Meaning what would be the behavior of the system if someone
> specifies
> >>> >> >> "ssl_crl_file" but leave out the ssl_ca_cert config?
> >>> >> >>
> >>> >> >> If CA is not configure then certification validation will fail
> while
> >>> >> > validating certification.
> >>> >> >
> >>> >> >>
> >>> >> >> 2- In the patch you are loading the Certificate Revocation List
> after
> >>> >> >> configuring
> >>> >> >> SSL library to ask for client certificates
> >>> >> >> i.e after calling SSL_CTX_set_verify and
> SSL_CTX_set_client_CA_list
> >>> >> >> functions
> >>> >> >>
> >>> >> >> Although I am not able to find any related SSL documentation on
> the
> >>> >> >> subject and not sure if it can cause any problem. But in the
> normal
> >>> >> >> sequence, we always load
> >>> >> >> the CA and other certificated before SSL_CTX_set_verify and
> >>> >> >> SSL_CTX_set_client_CA_list functions.
> >>> >> >>
> >>> >> >> So I guess the safe bet is to move the loading of Certificate
> >>> Revocation
> >>> >> >> List before
> >>> >> >> SSL_CTX_set_verify.
> >>> >> >>
> >>> >> >> I wasn't sure either that would matter as we are just registering
> >>> event
> >>> >> at
> >>> >> > that state, but as suggest i reorder the code as you suggested (
> as
> >>> >> > Postgres does too )
> >>> >> >
> >>> >> >> 3- The comment /* OpenSSL 0.96 does not support
> >>> X509_V_FLAG_CRL_CHECK */
> >>> >> >> mentions
> >>> >> >> OpenSSL version as 0.96, which is wrong and should be 0.9.6
> >>> >> >>
> >>> >> >> Comment fixed.
> >>> >> >
> >>> >> >> 4- In the test case you are only exporting PGSSLCERT and PGSSLKEY
> >>> >> >> environment variables
> >>> >> >> that means the test case will try to pick up the root certificate
> >>> from
> >>> >> the
> >>> >> >> default location
> >>> >> >> and on the systems where the root certificate would not be found
> >>> there,
> >>> >> >> the test case will fail.
> >>> >> >>
> >>> >> >> So I think you need to modify the test case and use PGSSLROOTCERT
> >>> >> >> environment variable to
> >>> >> >> explicitly specify the root certificate as well.
> >>> >> >>
> >>> >> >>  PGSSLROOTCERT defined.
> >>> >> >
> >>> >> >> These comments are on top of Ishii-San's review comments.
> >>> >> >>
> >>> >> >> Thanks
> >>> >> >> Best Regards
> >>> >> >> Muhammad Usama
> >>> >> >>
> >>> >> >>
> >>> >> >> On Wed, Mar 4, 2020 at 12:11 PM Tatsuo Ishii <ishii at sraoss.co.jp
> >
> >>> >> wrote:
> >>> >> >>
> >>> >> >>> Hi Umar,
> >>> >> >>>
> >>> >> >>> Any update on this?
> >>> >> >>>
> >>> >> >>> From: Tatsuo Ishii <ishii at sraoss.co.jp>
> >>> >> >>> Subject: [pgpool-hackers: 3523] Re: [PATCH] Feature: Support
> for CRL
> >>> >> >>> (Certificate Revocation List)
> >>> >> >>> Date: Fri, 28 Feb 2020 14:27:55 +0900 (JST)
> >>> >> >>> Message-ID: <
> >>> 20200228.142755.205379439290164558.t-ishii at sraoss.co.jp>
> >>> >> >>>
> >>> >> >>> > Here are comments on your patch.
> >>> >> >>> >
> >>> >> >>> > - There are some extra trailing spaces.
> >>> >> >>> >
> >>> >> >>> > $ git apply ~/crl_support_with_testcase.diff
> >>> >> >>> > /home/t-ishii/crl_support_with_testcase.diff:42: trailing
> >>> whitespace.
> >>> >> >>> >       Specifies the name of the file containing the SSL server
> >>> >> >>> > /home/t-ishii/crl_support_with_testcase.diff:43: trailing
> >>> whitespace.
> >>> >> >>> >       certificate revocation list (CRL). The default is empty,
> >>> >> >>> > /home/t-ishii/crl_support_with_testcase.diff:199: new blank
> line
> >>> at
> >>> >> EOF.
> >>> >> >>> > +
> >>> >> >>> > warning: 3 lines add whitespace errors.
> >>> >> >>> >
> >>> >> >>> > - The pached source code compililes without any error.
> >>> >> >>> >
> >>> >> >>> > - the regression test (024.cert_auth) failed.
> >>> >> >>> >
> >>> >> >>> > ./regress.sh 024
> >>> >> >>> > creating pgpool-II temporary installation ...
> >>> >> >>> > moving pgpool_setup to temporary installation path ...
> >>> >> >>> > moving watchdog_setup to temporary installation path ...
> >>> >> >>> > using pgpool-II at
> >>> >> >>>
> >>> >>
> >>>
> /home/t-ishii/work/Pgpool-II/current/pgpool2/src/test/regression/temp/installed
> >>> >> >>> > *************************
> >>> >> >>> > REGRESSION MODE          : install
> >>> >> >>> > PGPOOL-II                :
> >>> >> >>>
> >>> >>
> >>>
> /home/t-ishii/work/Pgpool-II/current/pgpool2/src/test/regression/temp/installed
> >>> >> >>> > PostgreSQL bin           : /usr/local/pgsql/bin
> >>> >> >>> > PostgreSQL Major version : 12
> >>> >> >>> > pgbench                  : /usr/local/pgsql/bin/pgbench
> >>> >> >>> > PostgreSQL jdbc          :
> >>> >> >>> /usr/local/pgsql/share/postgresql-9.2-1003.jdbc4.jar
> >>> >> >>> > *************************
> >>> >> >>> > testing 024.cert_auth...failed.
> >>> >> >>> > out of 1 ok:0 failed:1 timeout:0
> >>> >> >>> >
> >>> >> >>> > This is Ubuntu 18.04.4 LTS.
> >>> >> >>> >
> >>> >> >>> > $ openssl version
> >>> >> >>> > OpenSSL 1.1.1  11 Sep 2018
> >>> >> >>> >
> >>> >> >>> > Please find attached log file for the
> >>> >> >>> > regression test.
> >>> >> >>> >
> >>> >> >>> > Best regards,
> >>> >> >>> > --
> >>> >> >>> > Tatsuo Ishii
> >>> >> >>> > SRA OSS, Inc. Japan
> >>> >> >>> > English: http://www.sraoss.co.jp/index_en.php
> >>> >> >>> > Japanese:http://www.sraoss.co.jp
> >>> >> >>> >
> >>> >> >>> >> Hi Umar,
> >>> >> >>> >>
> >>> >> >>> >> I seemed to miss your last email. I will take care your patch
> >>> >> >>> >> tomorrow morning.
> >>> >> >>> >>
> >>> >> >>> >> Best regards,
> >>> >> >>> >> --
> >>> >> >>> >> Tatsuo Ishii
> >>> >> >>> >> SRA OSS, Inc. Japan
> >>> >> >>> >> English: http://www.sraoss.co.jp/index_en.php
> >>> >> >>> >> Japanese:http://www.sraoss.co.jp
> >>> >> >>> >>
> >>> >> >>> >>> Hi Tatsuo,
> >>> >> >>> >>> Any update for last patch?
> >>> >> >>> >>> I will be sending more patches in the same area of SSL (
> for few
> >>> >> other
> >>> >> >>> >>> features ) and the those patches might create conflict on
> merge.
> >>> >> >>> >>>
> >>> >> >>> >>> Regards,
> >>> >> >>> >>> Umar Hayat
> >>> >> >>> >>> Principal Software Engineer
> >>> >> >>> >>> EnterpriseDB: https://www.enterprisedb.com
> >>> >> >>> >>>
> >>> >> >>> >>> On Wed, Feb 19, 2020 at 1:39 PM Umar Hayat <
> >>> m.umarkiani at gmail.com>
> >>> >> >>> wrote:
> >>> >> >>> >>>
> >>> >> >>> >>>> Hi Tatsuo,
> >>> >> >>> >>>> Please find the attached updated patch with following
> changes:
> >>> >> >>> >>>> 1. Updated the description of '*ssl_crl_file'*
> configuration
> >>> >> >>> variable.
> >>> >> >>> >>>> 2. Updated test case '024.cert_auth' which verify valid
> CRL and
> >>> >> >>> invalid
> >>> >> >>> >>>> CRL ( CRL with revocation entry )
> >>> >> >>> >>>>
> >>> >> >>> >>>> Regards,
> >>> >> >>> >>>> Umar Hayat
> >>> >> >>> >>>>
> >>> >> >>> >>>>
> >>> >> >>> >>>> On Thu, Feb 13, 2020 at 3:43 AM Tatsuo Ishii <
> >>> ishii at sraoss.co.jp>
> >>> >> >>> wrote:
> >>> >> >>> >>>>
> >>> >> >>> >>>>> > I just followed the description pattern used for other
> ssl
> >>> >> >>> variables. We
> >>> >> >>> >>>>> > can use PostgreSQL doc if we remove following two line
> from
> >>> >> that:
> >>> >> >>> >>>>> > "Relative paths are relative to the data
> >>> >> >>> >>>>> > directory. This parameter can only be set in the
> >>> >> postgresql.conf
> >>> >> >>> file
> >>> >> >>> >>>>> > or on the server command line.
> >>> >> >>> >>>>> > "
> >>> >> >>> >>>>>
> >>> >> >>> >>>>> Sounds good to me.
> >>> >> >>> >>>>>
> >>> >> >>> >>>>> > - It would be nice to include regression test patch. See
> >>> >> >>> >>>>> >>   src/test/023.ssl_connection for an example.
> >>> >> >>> >>>>> >>
> >>> >> >>> >>>>> >
> >>> >> >>> >>>>> > Sure, I will create and send test patch in
> >>> >> >>> src/test/023.ssl_connection.
> >>> >> >>> >>>>> > I will try to generate CRL file for existing
> certification
> >>> file
> >>> >> >>> in this
> >>> >> >>> >>>>> > this test. If thats not possible, then I have to
> generate
> >>> new
> >>> >> >>> >>>>> certification
> >>> >> >>> >>>>> > and CRL file.
> >>> >> >>> >>>>>
> >>> >> >>> >>>>> Thank you. Looking forward to the new patch.
> >>> >> >>> >>>>>
> >>> >> >>> >>>>> Best regards,
> >>> >> >>> >>>>> --
> >>> >> >>> >>>>> Tatsuo Ishii
> >>> >> >>> >>>>> SRA OSS, Inc. Japan
> >>> >> >>> >>>>> English: http://www.sraoss.co.jp/index_en.php
> >>> >> >>> >>>>> Japanese:http://www.sraoss.co.jp
> >>> >> >>> >>>>>
> >>> >> >>> >>>>
> >>> >> >>> >> _______________________________________________
> >>> >> >>> >> pgpool-hackers mailing list
> >>> >> >>> >> pgpool-hackers at pgpool.net
> >>> >> >>> >> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
> >>> >> >>> _______________________________________________
> >>> >> >>> pgpool-hackers mailing list
> >>> >> >>> pgpool-hackers at pgpool.net
> >>> >> >>> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
> >>> >> >>>
> >>> >> >>
> >>> >>
> >>>
> > _______________________________________________
> > pgpool-hackers mailing list
> > pgpool-hackers at pgpool.net
> > http://www.pgpool.net/mailman/listinfo/pgpool-hackers
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20200319/432b92ee/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: regression-024-fix_CentOS6.diff
Type: application/octet-stream
Size: 629 bytes
Desc: not available
URL: <http://www.sraoss.jp/pipermail/pgpool-hackers/attachments/20200319/432b92ee/attachment-0001.obj>


More information about the pgpool-hackers mailing list