NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit199ca68

committed

Fix failures in SSL tests caused by out-of-tree keys and certificates

This issue is environment-sensitive, where the SSL tests could fail invarious way by feeding on defaults provided by sslcert, sslkey,sslrootkey, sslrootcert, sslcrl and sslcrldir coming from a local setup,as of ~/.postgresql/ by default. Horiguchi-san has reported twofailures, but more advanced testing from me (aka inclusion of garbageSSL configuration in ~/.postgresql/ for all the configurationparameters) has showed dozens of failures that can be triggered in thewhole test suite.History has showed that we are not good when it comes to address suchissues, fixing them locally like indd87799, and such problems keepappearing. This commit strengthens the entire test suite to put an endto this set of problems by embedding invalid default values in all theconnection strings used in the tests. The invalid values are prefixedin each connection string, relying on the follow-up values passed in theconnection string to enforce any invalid value previously set. Notethat two tests related to CRLs are required to fail with certain pre-setconfigurations, but we can rely on enforcing an empty value insteadafter the invalid set of values.Reported-by: Kyotaro HoriguchiReviewed-by: Andrew Dunstan, Daniel Gustafsson, Kyotaro HoriguchiDiscussion:https://postgr.es/m/20220316.163658.1122740600489097632.horikyota.ntt@gmail.combackpatch-through: 10

1 parent69c88e2 commit199ca68Copy full SHA for 199ca68

File tree

1 file changed

+15

-10

lines changed

src/test/ssl/t
- 001_ssltests.pl

1 file changed

+15

-10

lines changed

`‎src/test/ssl/t/001_ssltests.pl`

Lines changed: 15 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -97,8 +97,13 @@`
`97`	`97`
`98`	`98`	`switch_server_cert($node,'server-cn-only');`
`99`	`99`
	`100`	`+# Set of default settings for SSL parameters in connection string. This`
	`101`	`+# makes the tests protected against any defaults the environment may have`
	`102`	`+# in ~/.postgresql/.`
	`103`	`+my$default_ssl_connstr ="sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid";`
	`104`	`+`
`100`	`105`	`$common_connstr =`
`101`		`-"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
	`106`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
`102`	`107`
`103`	`108`	`# The server should not accept non-SSL connections.`
`104`	`109`	`test_connect_fails(`
`@@ -190,7 +195,7 @@`
`190`	`195`	`# Check that connecting with verify-full fails, when the hostname doesn't`
`191`	`196`	`# match the hostname in the server's certificate.`
`192`	`197`	`$common_connstr =`
`193`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
	`198`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
`194`	`199`
`195`	`200`	`test_connect_ok(`
`196`	`201`	`$common_connstr,`
`@@ -210,7 +215,7 @@`
`210`	`215`	`switch_server_cert($node,'server-multiple-alt-names');`
`211`	`216`
`212`	`217`	`$common_connstr =`
`213`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
	`218`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`214`	`219`
`215`	`220`	`test_connect_ok(`
`216`	`221`	`$common_connstr,`
`@@ -241,7 +246,7 @@`
`241`	`246`	`switch_server_cert($node,'server-single-alt-name');`
`242`	`247`
`243`	`248`	`$common_connstr =`
`244`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
	`249`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`245`	`250`
`246`	`251`	`test_connect_ok(`
`247`	`252`	`$common_connstr,`
`@@ -265,7 +270,7 @@`
`265`	`270`	`switch_server_cert($node,'server-cn-and-alt-names');`
`266`	`271`
`267`	`272`	`$common_connstr =`
`268`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
	`273`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`269`	`274`
`270`	`275`	`test_connect_ok(`
`271`	`276`	`$common_connstr,`
`@@ -285,7 +290,7 @@`
`285`	`290`	`# not a very sensible certificate, but libpq should handle it gracefully.`
`286`	`291`	`switch_server_cert($node,'server-no-names');`
`287`	`292`	`$common_connstr =`
`288`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
	`293`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
`289`	`294`
`290`	`295`	`test_connect_ok(`
`291`	`296`	`$common_connstr,`
`@@ -301,7 +306,7 @@`
`301`	`306`	`switch_server_cert($node,'server-revoked');`
`302`	`307`
`303`	`308`	`$common_connstr =`
`304`		`-"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
	`309`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
`305`	`310`
`306`	`311`	`# Without the CRL, succeeds. With it, fails.`
`307`	`312`	`test_connect_ok(`
`@@ -335,7 +340,7 @@`
`335`	`340`	`note"running server tests";`
`336`	`341`
`337`	`342`	`$common_connstr =`
`338`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";`
	`343`	`+"$default_ssl_connstrsslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";`
`339`	`344`
`340`	`345`	`# no client cert`
`341`	`346`	`test_connect_fails(`
`@@ -400,7 +405,7 @@`
`400`	`405`	`# works, iff username matches Common Name`
`401`	`406`	`# fails, iff username doesn't match Common Name.`
`402`	`407`	`$common_connstr =`
`403`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR";`
	`408`	`+"$default_ssl_connstrsslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR";`
`404`	`409`
`405`	`410`	`test_connect_ok(`
`406`	`411`	`$common_connstr,`
`@@ -426,7 +431,7 @@`
`426`	`431`	`# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file`
`427`	`432`	`switch_server_cert($node,'server-cn-only','root_ca');`
`428`	`433`	`$common_connstr =`
`429`		`-"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
	`434`	`+"$default_ssl_connstruser=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
`430`	`435`
`431`	`436`	`test_connect_ok(`
`432`	`437`	`$common_connstr,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit199ca68

File tree

1 file changed

1 file changed

`‎src/test/ssl/t/001_ssltests.pl`

0 commit comments