NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit5f00ef0

committed

Set SNI ClientHello extension to localhost in tests

The connection strings in the SSL client tests were using the hostset up from Cluster.pm which is a temporary pathname. When SNI isenabled we pass the host to OpenSSL in order to set the server nameindication ClientHello extension via SSL_set_tlsext_host_name.OpenSSL doesn't validate the hostname apart from checking the maxlength, but LibreSSL checks for RFC 5890 conformance which resultsin errors during testing as the pathname from Cluster.pm is not avalid hostname.Fix by setting the host explicitly to localhost, as that's closerto the intent of the test.Backpatch through 14 where SNI support came in.Reported-by: Nazir Bilal Yavuz <byavuz81@gmail.com>Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>Discussion:https://postgr.es/m/17391-304f81bcf724b58b@postgresql.orgBackpatch-through: 14

1 parent1a83297 commit5f00ef0Copy full SHA for 5f00ef0

File tree

2 files changed

-6

lines changed

src/test/ssl/t
- 001_ssltests.pl
- 002_scram.pl

2 files changed

-6

lines changed

`‎src/test/ssl/t/001_ssltests.pl`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -388,7 +388,7 @@`
`388`	`388`	`note"running server tests";`
`389`	`389`
`390`	`390`	`$common_connstr =`
`391`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";`
	`391`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost";`
`392`	`392`
`393`	`393`	`# no client cert`
`394`	`394`	`$node->connect_fails(`
`@@ -538,7 +538,7 @@`
`538`	`538`	`# works, iff username matches Common Name`
`539`	`539`	`# fails, iff username doesn't match Common Name.`
`540`	`540`	`$common_connstr =`
`541`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR";`
	`541`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost";`
`542`	`542`
`543`	`543`	`$node->connect_ok(`
`544`	`544`	`"$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",`
`@@ -565,7 +565,7 @@`
`565`	`565`	`# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file`
`566`	`566`	`switch_server_cert($node,'server-cn-only','root_ca');`
`567`	`567`	`$common_connstr =`
`568`		`-"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
	`568`	`+"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost";`
`569`	`569`
`570`	`570`	`$node->connect_ok(`
`571`	`571`	`"$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt",`

`‎src/test/ssl/t/002_scram.pl`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@`
`53`	`53`	`switch_server_cert($node,'server-cn-only');`
`54`	`54`	`$ENV{PGPASSWORD} ="pass";`
`55`	`55`	`$common_connstr =`
`56`		`-"dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR";`
	`56`	`+"dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost";`
`57`	`57`
`58`	`58`	`# Default settings`
`59`	`59`	`$node->connect_ok(`
`@@ -99,15 +99,15 @@`
`99`	`99`	`copy("ssl/client.key",$client_tmp_key);`
`100`	`100`	`chmod 0600,$client_tmp_key;`
`101`	`101`	`$node->connect_fails(`
`102`		`-"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR dbname=certdb user=ssltestuser channel_binding=require",`
	`102`	`+"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDRhost=localhostdbname=certdb user=ssltestuser channel_binding=require",`
`103`	`103`	`"Cert authentication and channel_binding=require",`
`104`	`104`	`expected_stderr=>`
`105`	`105`	`qr/channel binding required, but server authenticated client without channel binding/`
`106`	`106`	`);`
`107`	`107`
`108`	`108`	`# Certificate verification at the connection level should still work fine.`
`109`	`109`	`$node->connect_ok(`
`110`		`-"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR dbname=verifydb user=ssltestuser",`
	`110`	`+"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDRhost=localhostdbname=verifydb user=ssltestuser",`
`111`	`111`	`"SCRAM with clientcert=verify-full",`
`112`	`112`	`log_like=> [`
`113`	`113`	`qr/connection authenticated: identity="ssltestuser" method=scram-sha-256/`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit5f00ef0

File tree

2 files changed

2 files changed

`‎src/test/ssl/t/001_ssltests.pl`

`‎src/test/ssl/t/002_scram.pl`

0 commit comments