[pgpool-hackers: 3562] Re: [PATCH] Feature: Support for CRL (Certificate Revocation List)

Tatsuo Ishii ishii at sraoss.co.jp
Mon Mar 23 09:13:27 JST 2020


Hi Umar Hayat,

Unfortunately still build farm is failing.

=========================================================================
* master  PostgreSQL 11  CentOS6
testing 024.cert_auth...failed.

* master  PostgreSQL 12  CentOS6
testing 024.cert_auth...failed.

* master  PostgreSQL 9.6  CentOS6
testing 024.cert_auth...failed.

* master  PostgreSQL 9.5  CentOS6
testing 024.cert_auth...failed.
=========================================================================

Subject: Re: [pgpool-hackers: 3551] Re: [PATCH] Feature: Support for CRL (Certificate Revocation List)
Date: Thu, 19 Mar 2020 15:25:03 +0500
Message-ID: <CACnGOt0xTAmyFy9azF44Z_2smdgwzKxjzFNkhY7mvp64CgPSKg at mail.gmail.com>

> I saw the logs and it is generating 512bit key for certificate on CentOS6
> and as result there is this error *"digest too big for rsa key".* On
> CentOS7 and Debian Openssl 1.1.1 generates 2048bit keys by default. AFAIK
> 512 keys is not supported with TLSv1.2.
> In patch attached, I updated defaults bits value to 2048, Hope this would
> fix the problem. Also printed openssl version to check what version is used
> on BF, and would help in future to debug.
> I will keep an eye on BF for tomorrows build to see results.
> 
> Regards
> Umar Hayat
> 
> On Thu, Mar 19, 2020 at 6:59 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> 
>> After pushing this, build farm is conituouly failing with
>> 024.cert_auth on CentOS6. CentOS7 and 8 seem OK. For now, build farm
>> log and pgpool.log attached. (Full information can be otained from
>> https://pgpool.net/buildfarm/).
>>
>> From: Tatsuo Ishii <ishii at sraoss.co.jp>
>> Subject: [pgpool-hackers: 3551] Re: [PATCH] Feature: Support for CRL
>> (Certificate Revocation List)
>> Date: Sat, 14 Mar 2020 12:20:20 +0900 (JST)
>> Message-ID: <20200314.122020.1318630628622464420.t-ishii at sraoss.co.jp>
>>
>> > Hi Usama,
>> >
>> > Thank you for the confirmantion. I have pushed Umar's patch. I have
>> > made a small modification to the doc:
>> >
>> > +      Specifies the name of the file containing the SSL server
>> > +      certificate revocation list (CRL). The default is empty,
>> >
>> > to:
>> >
>> >       Specifies the path to the file containing the SSL server
>> >       certificate revocation list (CRL).
>> >
>> > because ssl_crl_file should be a full path to the CRL file, rather
>> > than just a file name.
>> >
>> > Also I have added a Japanese doc.
>> >
>> > Umar Hayat,
>> > Thank you for your contribution!
>> >
>> >> Hi Ishii-San
>> >>
>> >> The patch is good now and does what it is intended for.
>> >> We can commit it to the master branch.
>> >>
>> >> Thanks
>> >> Best regards
>> >> Muhammad Usama
>> >>
>> >>
>> >> On Wed, Mar 11, 2020 at 4:30 PM Tatsuo Ishii <ishii at sraoss.co.jp>
>> wrote:
>> >>
>> >>> Hi Umar,
>> >>>
>> >>> Now the regression test passed!
>> >>> Thank you for the update.
>> >>>
>> >>> Usama,
>> >>>
>> >>> Do you agree to commit this patch?
>> >>>
>> >>> Best regards,
>> >>> --
>> >>> Tatsuo Ishii
>> >>> SRA OSS, Inc. Japan
>> >>> English: http://www.sraoss.co.jp/index_en.php
>> >>> Japanese:http://www.sraoss.co.jp
>> >>>
>> >>> > Hi Ishii,
>> >>> > I guess I have to learn pgpool regression structure a bit more and It
>> >>> came
>> >>> > out not a good idea updating and existing test :-)
>> >>> > I was updating the 'ssl_crl_file' in pgpool.conf after calling
>> >>> './startall'
>> >>> > , which I suppose would not load the update configuration.
>> >>> > In latest patch I moved that update operation before './startall' and
>> >>> added
>> >>> > extra check to validate that pgpool configuration is correctly
>> updated.
>> >>> > I hope this patch would fix the issue. Please find attached.
>> >>> >
>> >>> > Regards
>> >>> > Umar Hayat
>> >>> >
>> >>> >
>> >>> >
>> >>> >
>> >>> > On Wed, Mar 11, 2020 at 3:04 AM Tatsuo Ishii <ishii at sraoss.co.jp>
>> wrote:
>> >>> >
>> >>> >> Unfortunately the regression test failed again.
>> >>> >>
>> >>> >> $ ./regress.sh 024
>> >>> >> creating pgpool-II temporary installation ...
>> >>> >> moving pgpool_setup to temporary installation path ...
>> >>> >> moving watchdog_setup to temporary installation path ...
>> >>> >> using pgpool-II at
>> >>> >>
>> >>>
>> /home/t-ishii/work/Pgpool-II/current/pgpool2/src/test/regression/temp/installed
>> >>> >> *************************
>> >>> >> REGRESSION MODE          : install
>> >>> >> PGPOOL-II                :
>> >>> >>
>> >>>
>> /home/t-ishii/work/Pgpool-II/current/pgpool2/src/test/regression/temp/installed
>> >>> >> PostgreSQL bin           : /usr/local/pgsql/bin
>> >>> >> PostgreSQL Major version : 12
>> >>> >> pgbench                  : /usr/local/pgsql/bin/pgbench
>> >>> >> PostgreSQL jdbc          :
>> >>> >> /usr/local/pgsql/share/postgresql-9.2-1003.jdbc4.jar
>> >>> >> *************************
>> >>> >> testing 024.cert_auth...failed.
>> >>> >> out of 1 ok:0 failed:1 timeout:0
>> >>> >>
>> >>> >> regression log attached.
>> >>> >>
>> >>> >> > Thanks Usama for feedback. updated patch with suggested changed
>> >>> attached.
>> >>> >> > Please see comments inline.
>> >>> >> >
>> >>> >> > Ishii,
>> >>> >> > IMO, tests were failing because some certificates generation and
>> >>> signing
>> >>> >> > was using global configuration. Previously, I only provided
>> >>> >> > minimum configuration for CRL generation.
>> >>> >> > Now I provided minimum custom configuration for Cert generation
>> and
>> >>> >> Signing
>> >>> >> > too. I hope now that last tests should be passing now.
>> >>> >> >
>> >>> >> > Regards
>> >>> >> > Umar Hayat
>> >>> >> >
>> >>> >> >
>> >>> >> > On Wed, Mar 4, 2020 at 7:19 PM Muhammad Usama <m.usama at gmail.com>
>> >>> wrote:
>> >>> >> >
>> >>> >> >> Hi
>> >>> >> >>
>> >>> >> >> I have looked into the patch and here are my two cents.
>> >>> >> >>
>> >>> >> >> 1- Does the "Certificate Revocation List (CRL)" have any effect
>> if
>> >>> we do
>> >>> >> >> not configure CA certificates?
>> >>> >> >> Meaning what would be the behavior of the system if someone
>> specifies
>> >>> >> >> "ssl_crl_file" but leave out the ssl_ca_cert config?
>> >>> >> >>
>> >>> >> >> If CA is not configure then certification validation will fail
>> while
>> >>> >> > validating certification.
>> >>> >> >
>> >>> >> >>
>> >>> >> >> 2- In the patch you are loading the Certificate Revocation List
>> after
>> >>> >> >> configuring
>> >>> >> >> SSL library to ask for client certificates
>> >>> >> >> i.e after calling SSL_CTX_set_verify and
>> SSL_CTX_set_client_CA_list
>> >>> >> >> functions
>> >>> >> >>
>> >>> >> >> Although I am not able to find any related SSL documentation on
>> the
>> >>> >> >> subject and not sure if it can cause any problem. But in the
>> normal
>> >>> >> >> sequence, we always load
>> >>> >> >> the CA and other certificated before SSL_CTX_set_verify and
>> >>> >> >> SSL_CTX_set_client_CA_list functions.
>> >>> >> >>
>> >>> >> >> So I guess the safe bet is to move the loading of Certificate
>> >>> Revocation
>> >>> >> >> List before
>> >>> >> >> SSL_CTX_set_verify.
>> >>> >> >>
>> >>> >> >> I wasn't sure either that would matter as we are just registering
>> >>> event
>> >>> >> at
>> >>> >> > that state, but as suggest i reorder the code as you suggested (
>> as
>> >>> >> > Postgres does too )
>> >>> >> >
>> >>> >> >> 3- The comment /* OpenSSL 0.96 does not support
>> >>> X509_V_FLAG_CRL_CHECK */
>> >>> >> >> mentions
>> >>> >> >> OpenSSL version as 0.96, which is wrong and should be 0.9.6
>> >>> >> >>
>> >>> >> >> Comment fixed.
>> >>> >> >
>> >>> >> >> 4- In the test case you are only exporting PGSSLCERT and PGSSLKEY
>> >>> >> >> environment variables
>> >>> >> >> that means the test case will try to pick up the root certificate
>> >>> from
>> >>> >> the
>> >>> >> >> default location
>> >>> >> >> and on the systems where the root certificate would not be found
>> >>> there,
>> >>> >> >> the test case will fail.
>> >>> >> >>
>> >>> >> >> So I think you need to modify the test case and use PGSSLROOTCERT
>> >>> >> >> environment variable to
>> >>> >> >> explicitly specify the root certificate as well.
>> >>> >> >>
>> >>> >> >>  PGSSLROOTCERT defined.
>> >>> >> >
>> >>> >> >> These comments are on top of Ishii-San's review comments.
>> >>> >> >>
>> >>> >> >> Thanks
>> >>> >> >> Best Regards
>> >>> >> >> Muhammad Usama
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> On Wed, Mar 4, 2020 at 12:11 PM Tatsuo Ishii <ishii at sraoss.co.jp
>> >
>> >>> >> wrote:
>> >>> >> >>
>> >>> >> >>> Hi Umar,
>> >>> >> >>>
>> >>> >> >>> Any update on this?
>> >>> >> >>>
>> >>> >> >>> From: Tatsuo Ishii <ishii at sraoss.co.jp>
>> >>> >> >>> Subject: [pgpool-hackers: 3523] Re: [PATCH] Feature: Support
>> for CRL
>> >>> >> >>> (Certificate Revocation List)
>> >>> >> >>> Date: Fri, 28 Feb 2020 14:27:55 +0900 (JST)
>> >>> >> >>> Message-ID: <
>> >>> 20200228.142755.205379439290164558.t-ishii at sraoss.co.jp>
>> >>> >> >>>
>> >>> >> >>> > Here are comments on your patch.
>> >>> >> >>> >
>> >>> >> >>> > - There are some extra trailing spaces.
>> >>> >> >>> >
>> >>> >> >>> > $ git apply ~/crl_support_with_testcase.diff
>> >>> >> >>> > /home/t-ishii/crl_support_with_testcase.diff:42: trailing
>> >>> whitespace.
>> >>> >> >>> >       Specifies the name of the file containing the SSL server
>> >>> >> >>> > /home/t-ishii/crl_support_with_testcase.diff:43: trailing
>> >>> whitespace.
>> >>> >> >>> >       certificate revocation list (CRL). The default is empty,
>> >>> >> >>> > /home/t-ishii/crl_support_with_testcase.diff:199: new blank
>> line
>> >>> at
>> >>> >> EOF.
>> >>> >> >>> > +
>> >>> >> >>> > warning: 3 lines add whitespace errors.
>> >>> >> >>> >
>> >>> >> >>> > - The pached source code compililes without any error.
>> >>> >> >>> >
>> >>> >> >>> > - the regression test (024.cert_auth) failed.
>> >>> >> >>> >
>> >>> >> >>> > ./regress.sh 024
>> >>> >> >>> > creating pgpool-II temporary installation ...
>> >>> >> >>> > moving pgpool_setup to temporary installation path ...
>> >>> >> >>> > moving watchdog_setup to temporary installation path ...
>> >>> >> >>> > using pgpool-II at
>> >>> >> >>>
>> >>> >>
>> >>>
>> /home/t-ishii/work/Pgpool-II/current/pgpool2/src/test/regression/temp/installed
>> >>> >> >>> > *************************
>> >>> >> >>> > REGRESSION MODE          : install
>> >>> >> >>> > PGPOOL-II                :
>> >>> >> >>>
>> >>> >>
>> >>>
>> /home/t-ishii/work/Pgpool-II/current/pgpool2/src/test/regression/temp/installed
>> >>> >> >>> > PostgreSQL bin           : /usr/local/pgsql/bin
>> >>> >> >>> > PostgreSQL Major version : 12
>> >>> >> >>> > pgbench                  : /usr/local/pgsql/bin/pgbench
>> >>> >> >>> > PostgreSQL jdbc          :
>> >>> >> >>> /usr/local/pgsql/share/postgresql-9.2-1003.jdbc4.jar
>> >>> >> >>> > *************************
>> >>> >> >>> > testing 024.cert_auth...failed.
>> >>> >> >>> > out of 1 ok:0 failed:1 timeout:0
>> >>> >> >>> >
>> >>> >> >>> > This is Ubuntu 18.04.4 LTS.
>> >>> >> >>> >
>> >>> >> >>> > $ openssl version
>> >>> >> >>> > OpenSSL 1.1.1  11 Sep 2018
>> >>> >> >>> >
>> >>> >> >>> > Please find attached log file for the
>> >>> >> >>> > regression test.
>> >>> >> >>> >
>> >>> >> >>> > Best regards,
>> >>> >> >>> > --
>> >>> >> >>> > Tatsuo Ishii
>> >>> >> >>> > SRA OSS, Inc. Japan
>> >>> >> >>> > English: http://www.sraoss.co.jp/index_en.php
>> >>> >> >>> > Japanese:http://www.sraoss.co.jp
>> >>> >> >>> >
>> >>> >> >>> >> Hi Umar,
>> >>> >> >>> >>
>> >>> >> >>> >> I seemed to miss your last email. I will take care your patch
>> >>> >> >>> >> tomorrow morning.
>> >>> >> >>> >>
>> >>> >> >>> >> Best regards,
>> >>> >> >>> >> --
>> >>> >> >>> >> Tatsuo Ishii
>> >>> >> >>> >> SRA OSS, Inc. Japan
>> >>> >> >>> >> English: http://www.sraoss.co.jp/index_en.php
>> >>> >> >>> >> Japanese:http://www.sraoss.co.jp
>> >>> >> >>> >>
>> >>> >> >>> >>> Hi Tatsuo,
>> >>> >> >>> >>> Any update for last patch?
>> >>> >> >>> >>> I will be sending more patches in the same area of SSL (
>> for few
>> >>> >> other
>> >>> >> >>> >>> features ) and the those patches might create conflict on
>> merge.
>> >>> >> >>> >>>
>> >>> >> >>> >>> Regards,
>> >>> >> >>> >>> Umar Hayat
>> >>> >> >>> >>> Principal Software Engineer
>> >>> >> >>> >>> EnterpriseDB: https://www.enterprisedb.com
>> >>> >> >>> >>>
>> >>> >> >>> >>> On Wed, Feb 19, 2020 at 1:39 PM Umar Hayat <
>> >>> m.umarkiani at gmail.com>
>> >>> >> >>> wrote:
>> >>> >> >>> >>>
>> >>> >> >>> >>>> Hi Tatsuo,
>> >>> >> >>> >>>> Please find the attached updated patch with following
>> changes:
>> >>> >> >>> >>>> 1. Updated the description of '*ssl_crl_file'*
>> configuration
>> >>> >> >>> variable.
>> >>> >> >>> >>>> 2. Updated test case '024.cert_auth' which verify valid
>> CRL and
>> >>> >> >>> invalid
>> >>> >> >>> >>>> CRL ( CRL with revocation entry )
>> >>> >> >>> >>>>
>> >>> >> >>> >>>> Regards,
>> >>> >> >>> >>>> Umar Hayat
>> >>> >> >>> >>>>
>> >>> >> >>> >>>>
>> >>> >> >>> >>>> On Thu, Feb 13, 2020 at 3:43 AM Tatsuo Ishii <
>> >>> ishii at sraoss.co.jp>
>> >>> >> >>> wrote:
>> >>> >> >>> >>>>
>> >>> >> >>> >>>>> > I just followed the description pattern used for other
>> ssl
>> >>> >> >>> variables. We
>> >>> >> >>> >>>>> > can use PostgreSQL doc if we remove following two line
>> from
>> >>> >> that:
>> >>> >> >>> >>>>> > "Relative paths are relative to the data
>> >>> >> >>> >>>>> > directory. This parameter can only be set in the
>> >>> >> postgresql.conf
>> >>> >> >>> file
>> >>> >> >>> >>>>> > or on the server command line.
>> >>> >> >>> >>>>> > "
>> >>> >> >>> >>>>>
>> >>> >> >>> >>>>> Sounds good to me.
>> >>> >> >>> >>>>>
>> >>> >> >>> >>>>> > - It would be nice to include regression test patch. See
>> >>> >> >>> >>>>> >>   src/test/023.ssl_connection for an example.
>> >>> >> >>> >>>>> >>
>> >>> >> >>> >>>>> >
>> >>> >> >>> >>>>> > Sure, I will create and send test patch in
>> >>> >> >>> src/test/023.ssl_connection.
>> >>> >> >>> >>>>> > I will try to generate CRL file for existing
>> certification
>> >>> file
>> >>> >> >>> in this
>> >>> >> >>> >>>>> > this test. If thats not possible, then I have to
>> generate
>> >>> new
>> >>> >> >>> >>>>> certification
>> >>> >> >>> >>>>> > and CRL file.
>> >>> >> >>> >>>>>
>> >>> >> >>> >>>>> Thank you. Looking forward to the new patch.
>> >>> >> >>> >>>>>
>> >>> >> >>> >>>>> Best regards,
>> >>> >> >>> >>>>> --
>> >>> >> >>> >>>>> Tatsuo Ishii
>> >>> >> >>> >>>>> SRA OSS, Inc. Japan
>> >>> >> >>> >>>>> English: http://www.sraoss.co.jp/index_en.php
>> >>> >> >>> >>>>> Japanese:http://www.sraoss.co.jp
>> >>> >> >>> >>>>>
>> >>> >> >>> >>>>
>> >>> >> >>> >> _______________________________________________
>> >>> >> >>> >> pgpool-hackers mailing list
>> >>> >> >>> >> pgpool-hackers at pgpool.net
>> >>> >> >>> >> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
>> >>> >> >>> _______________________________________________
>> >>> >> >>> pgpool-hackers mailing list
>> >>> >> >>> pgpool-hackers at pgpool.net
>> >>> >> >>> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
>> >>> >> >>>
>> >>> >> >>
>> >>> >>
>> >>>
>> > _______________________________________________
>> > pgpool-hackers mailing list
>> > pgpool-hackers at pgpool.net
>> > http://www.pgpool.net/mailman/listinfo/pgpool-hackers
>>


More information about the pgpool-hackers mailing list