Re: SSL tests failing with "ee key too small" error on Debian SID

Hello.

At Mon, 17 Sep 2018 22:13:40 +0900, Michael Paquier <michael@paquier.xyz> wrote in
<20180917131340.GE31460@paquier.xyz>
> Hi all,
> 
> On a rather freshly-updated Debian SID server, I am able to see failures
> for the SSL TAP tests:
> 2018-09-17 22:00:27.389 JST [13072] LOG:  database system is shut down
> 2018-09-17 22:00:27.506 JST [13082] FATAL:  could not load server
> certificate file "server-cn-only.crt": ee key too small
> 2018-09-17 22:00:27.506 JST [13082] LOG:  database system is shut down
> 2018-09-17 22:00:27.720 JST [13084] FATAL:  could not load server
> certificate file "server-cn-only.crt": ee key too small
> 
> Wouldn't it be better to rework the rules used to generate the different
> certificates and reissue them in the tree?  It seems to me that this is
> just waiting to fail in other platforms as well..

I agree that we could get into the same trouble sooner or later.

Do you mean that cert/key files are generated on-the-fly while
running 'make check'? It sounds reasonable as long as just
replaceing existing files with those with longer (2048bits?) keys
doesn't work for all supported platforms.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center