Discussion: pgsql: Add notBefore and notAfter to SSL cert info display


pgsql: Add notBefore and notAfter to SSL cert info display

From
Daniel Gustafsson
Date:
Add notBefore and notAfter to SSL cert info display

This adds the X509 attributes notBefore and notAfter to sslinfo
as well as pg_stat_ssl to allow verifying and identifying the
validity period of the current client certificate. OpenSSL has
APIs for extracting notAfter and notBefore, but they are only
supported in recent versions so we have to calculate the dates
by hand in order to make this work for the older versions of
OpenSSL that we still support.

Original patch by Cary Huang with additional hacking by Jacob
and myself.

Author: Cary Huang <cary.huang@highgo.ca>
Co-author: Jacob Champion <jacob.champion@enterprisedb.com>
Co-author: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://postgr.es/m/182b8565486.10af1a86f158715.2387262617218380588@highgo.ca

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/6acb0a628eccab8764e0306582c2b7e2a1441b9b

Modified Files
--------------
contrib/sslinfo/Makefile                    |  2 +-
contrib/sslinfo/meson.build                 |  1 +
contrib/sslinfo/sslinfo--1.2--1.3.sql       | 12 ++++
contrib/sslinfo/sslinfo.c                   | 95 +++++++++++++++++++++++++++++
contrib/sslinfo/sslinfo.control             |  2 +-
doc/src/sgml/monitoring.sgml                | 20 ++++++
doc/src/sgml/sslinfo.sgml                   | 30 +++++++++
src/backend/catalog/system_views.sql        |  4 +-
src/backend/libpq/be-secure-openssl.c       | 78 +++++++++++++++++++++++
src/backend/utils/activity/backend_status.c |  2 +
src/backend/utils/adt/pgstatfuncs.c         | 46 ++++++++------
src/include/catalog/catversion.h            |  2 +-
src/include/catalog/pg_proc.dat             |  6 +-
src/include/libpq/libpq-be.h                |  2 +
src/include/utils/backend_status.h          |  3 +
src/test/regress/expected/rules.out         | 12 ++--
src/test/ssl/t/001_ssltests.pl              | 10 +--
src/test/ssl/t/003_sslinfo.pl               | 14 +++++
src/tools/pgindent/typedefs.list            |  1 +
19 files changed, 308 insertions(+), 34 deletions(-)
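The commit message above says the validity dates have to be calculated by hand on OpenSSL versions that lack a conversion API. The Python below is an added example, not code from the patch, from PostgreSQL or from OpenSSL: it decodes the two ASN.1 time encodings RFC 5280 permits in a certificate's Validity field (UTCTime and GeneralizedTime) into seconds since the Unix epoch without a date library, applying the RFC 5280 two-digit-year pivot and the inclusive notBefore..notAfter rule, and then classifies a certificate against a given clock. All time strings and the clock value are constructed for the example.

```python
"""Hand-computed X.509 validity window (added example, not PostgreSQL code).

RFC 5280 section 4.1.2.5 allows two encodings in a certificate's Validity
field: UTCTime ("YYMMDDHHMMSSZ", used for dates through 2049) and
GeneralizedTime ("YYYYMMDDHHMMSSZ", used for 2050 and later).  Both are
decoded here without a date library, then reduced to seconds since the
Unix epoch so a caller can compare them with the current clock.
"""
import re

# Strict shapes from RFC 5280: no fractional seconds, no local offsets, 'Z' required.
_UTC_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GEN_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def _is_leap(year: int) -> bool:
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def _days_in_month(year: int, month: int) -> int:
    lengths = (31, 29 if _is_leap(year) else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31)
    return lengths[month - 1]


def _days_from_civil(year: int, month: int, day: int) -> int:
    """Days since 1970-01-01 for a proleptic Gregorian date (year >= 0).

    Howard Hinnant's days_from_civil: the year is shifted to start in March
    so that a leap day is always the last day of its (shifted) year.
    """
    if month <= 2:
        year -= 1
    era = year // 400
    yoe = year - era * 400                                              # year of era, 0..399
    doy = (153 * (month - 3 if month > 2 else month + 9) + 2) // 5 + day - 1  # March-based day of year
    doe = yoe * 365 + yoe // 4 - yoe // 100 + doy                       # day of era, 0..146096
    return era * 146097 + doe - 719468                                  # 719468 days from 0000-03-01 to 1970-01-01


def asn1_time_to_epoch(value: str) -> int:
    """Convert an RFC 5280 UTCTime or GeneralizedTime string to Unix seconds.

    Anything outside the two permitted shapes raises ValueError instead of
    being guessed at: a lenient parser is how an already-expired certificate
    ends up reported as valid.
    """
    m = _GEN_RE.match(value)
    if m:
        year = int(m.group(1))
    else:
        m = _UTC_RE.match(value)
        if m is None:
            raise ValueError(f"not an RFC 5280 UTCTime/GeneralizedTime: {value!r}")
        yy = int(m.group(1))
        # RFC 5280 pivot for two-digit years: 50..99 -> 19xx, 00..49 -> 20xx
        # (note: strptime's %y pivots at 69, so it would misread 50..68).
        year = 1900 + yy if yy >= 50 else 2000 + yy
    month, day, hour, minute, second = (int(g) for g in m.groups()[1:])
    if not 1 <= month <= 12 or not 1 <= day <= _days_in_month(year, month):
        raise ValueError(f"impossible calendar date in {value!r}")
    if hour > 23 or minute > 59 or second > 59:
        raise ValueError(f"impossible time of day in {value!r}")
    return _days_from_civil(year, month, day) * 86400 + hour * 3600 + minute * 60 + second


def validity_state(not_before: str, not_after: str, now: int) -> str:
    """Classify a certificate's validity window against a clock value.

    Returns 'not_yet_valid', 'valid' or 'expired'.  RFC 5280 defines the
    window as notBefore through notAfter inclusive, so now == notAfter is
    still valid.
    """
    nb = asn1_time_to_epoch(not_before)
    na = asn1_time_to_epoch(not_after)
    if nb > na:
        raise ValueError("notBefore is later than notAfter")
    if now < nb:
        return "not_yet_valid"
    if now > na:
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    nb, na = "240322000000Z", "20250322000000Z"
    for label, s in (("notBefore", nb), ("notAfter", na)):
        print(f"{label}: {s} -> {asn1_time_to_epoch(s)}")
    print(validity_state(nb, na, now=1711139400))
```

The strictness is deliberate: OpenSSL's own printable format ("Mar 22 20:30:00 2024 GMT") is a different representation, and a backend that computes these values itself should reject anything that is not one of the two DER shapes rather than fall back to a permissive parser.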


Re: pgsql: Add notBefore and notAfter to SSL cert info display

From
Daniel Gustafsson
Date:
> On 22 Mar 2024, at 21:30, Daniel Gustafsson <dgustafsson@postgresql.org> wrote:
>
> Add notBefore and notAfter to SSL cert info display

plover running OpenBSD 6.9 is unhappy since apparently LibreSSL only added ASN
time diffing in the OpenBSD 7.1 release.  Version 6.9 is out of support from
OpenBSD with 7.4 being the latest (they support 2 releases), but I guess we are
more forgiving in what we support?  (We have only defined a minimum supported
version of OpenSSL, we should do the same for LibreSSL since it's right now
unclear what we support and for how long.) Adding checks for symbol existence
in autoconf/meson seems like the only way forward for now.

--
Daniel Gustafsson




Re: pgsql: Add notBefore and notAfter to SSL cert info display

From
Jacob Champion
Date:
On Fri, Mar 22, 2024 at 2:17 PM Daniel Gustafsson <daniel@yesql.se> wrote:
> (We have only defined a minimum supported
> version of OpenSSL, we should do the same for LibreSSL since it's right now
> unclear what we support and for how long.)

+1

> Adding checks for symbol existence
> in autoconf/meson seems like the only way forward for now.

Yeah... were you thinking we'd just return a zero timestamptz and let
those columns be NULL?

--Jacob



Re: pgsql: Add notBefore and notAfter to SSL cert info display

From
Daniel Gustafsson
Date:
> On 22 Mar 2024, at 22:46, Jacob Champion <jacob.champion@enterprisedb.com> wrote:
>
> On Fri, Mar 22, 2024 at 2:17 PM Daniel Gustafsson <daniel@yesql.se> wrote:
>> (We have only defined a minimum supported
>> version of OpenSSL, we should do the same for LibreSSL since it's right now
>> unclear what we support and for how long.)
>
> +1
>
>> Adding checks for symbol existence
>> in autoconf/meson seems like the only way forward for now.
>
> Yeah... were you thinking we'd just return a zero timestamptz and let
> those columns be NULL?

I don't think we have any other options really.

For now I will revert this to make the buildfarm green again.

--
Daniel Gustafsson