readysettech / readyset

Readyset is a MySQL and Postgres wire-compatible caching layer that sits in front of existing databases to speed up queries and horizontally scale read throughput. Under the hood, ReadySet caches the results of cached select statements and incrementally updates these results over time as the underlying data changes.
https://readyset.io

test: Make authentication tests work again on macOS #1307

Closed ronh-rs closed 3 months ago

ronh-rs commented 3 months ago

At some point, the macOS security framework changed enough such that it apparently cannot be convinced to accept a TLS cert without a password. That meant that some tests involving TLS were failing on Macs because our test cert had no password on it. This update creates a new cert with password "password", and updates the tests that use it.

Furthermore, OpenSSL 3 dropped compatibility with certain encryption ciphers by default, meaning that pkcs12 certs created with it couldn't be verified by the macOS security framework. The web-recommended solution is to run openssl pkcs12 with the -legacy option. Unfortunately, while solving the problem for macOS, this produced a cert that was too out-of-date for OpenSSL 3 on Linux. More specific cipher selection per the Magic Incantations(tm) below generates a cert that will pass tests on both macOS and Linux... but may not be safe for any other purpose. Apply only to affected area. In case of hemorrhage, seek emergency medical help immediately.

For reference, the commands below were used to create this cert on macOS using OpenSSL 3.3.1 installed with Homebrew:

# Make a new private key
openssl genrsa -out private.key 2048
# Generate a signing request.
openssl req -new -key private.key -out cert.csr
# Generate an X.509 cert from the signing request (good for 10 years)
openssl x509 -req -days 3650 -in cert.csr -signkey private.key \
    -out certificate.crt
# Export the pkcs12 file with password "password"
openssl pkcs12 -export -out certificate.p12 -inkey private.key \
    -in certificate.crt -passout pass:password \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
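The same recipe as an added, non-interactive script (not part of the PR or the Readyset repo) that also prints which PBE and MAC algorithms the resulting bundle actually carries, so you can confirm it parses with the OpenSSL 3 default provider, i.e. without `-legacy`. The `WORKDIR` variable, the placeholder subject and the file names are assumptions of this example.

```shell
#!/bin/sh
# Added example: rebuild the PR's test PKCS#12 without prompts, then show
# the algorithms inside it. WORKDIR and the subject are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12_PASS="password"   # the throwaway password the PR gives the test cert

# Key, self-signed cert and PKCS#12 bundle, same steps as the PR, with -subj
# so `openssl req` does not prompt. Prints the bundle path on stdout.
make_legacy_p12() {
  openssl genrsa -out "$WORKDIR/private.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/private.key" -out "$WORKDIR/cert.csr" \
      -subj "/CN=readyset-test-placeholder" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORKDIR/cert.csr" \
      -signkey "$WORKDIR/private.key" -out "$WORKDIR/certificate.crt" 2>/dev/null
  # SHA1+3DES for both bags and a SHA-1 MAC: old enough for the macOS
  # security framework, but 3DES is still in OpenSSL 3's default provider.
  # (-legacy would instead wrap the cert bag in 40-bit RC2, which only the
  # legacy provider can decrypt, hence the Linux-side failure the PR saw.)
  openssl pkcs12 -export -out "$WORKDIR/certificate.p12" \
      -inkey "$WORKDIR/private.key" -in "$WORKDIR/certificate.crt" \
      -passout "pass:$P12_PASS" \
      -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
  echo "$WORKDIR/certificate.p12"
}

# Print the MAC and bag-encryption algorithm lines from `pkcs12 -info`.
# Fails if the default provider cannot open the bundle at all, so a
# non-zero exit here is the "too old for OpenSSL 3 on Linux" symptom.
p12_algorithms() {
  openssl pkcs12 -info -noout -in "$1" -passin "pass:$P12_PASS" 2>&1 \
    | grep -E '(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)'
}

# Usage: build the bundle and show what it is encrypted with.
P12_FILE="$(make_legacy_p12)"
p12_algorithms "$P12_FILE"
```

Expect `MAC: sha1` and `pbeWithSHA1And3-KeyTripleDES-CBC` on the encrypted-data and keybag lines; anything in the AES/PBKDF2 family means the bundle was built with OpenSSL 3 defaults and is the variant the PR says macOS rejects.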