NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit6d503d2

committed

Set SNI ClientHello extension to localhost in tests

The connection strings in the SSL client tests were using the hostset up from Cluster.pm which is a temporary pathname. When SNI isenabled we pass the host to OpenSSL in order to set the server nameindication ClientHello extension via SSL_set_tlsext_host_name.OpenSSL doesn't validate the hostname apart from checking the maxlength, but LibreSSL checks for RFC 5890 conformance which resultsin errors during testing as the pathname from Cluster.pm is not avalid hostname.Fix by setting the host explicitly to localhost, as that's closerto the intent of the test.Backpatch through 14 where SNI support came in.Reported-by: Nazir Bilal Yavuz <byavuz81@gmail.com>Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>Discussion:https://postgr.es/m/17391-304f81bcf724b58b@postgresql.orgBackpatch-through: 14

1 parent4c5c41b commit6d503d2Copy full SHA for 6d503d2

File tree

3 files changed

-9

lines changed

src/test/ssl/t

3 files changed

-9

lines changed

`‎src/test/ssl/t/001_ssltests.pl`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -396,7 +396,7 @@`
`396`	`396`	`note"running server tests";`
`397`	`397`
`398`	`398`	`$common_connstr =`
`399`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";`
	`399`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost";`
`400`	`400`
`401`	`401`	`# no client cert`
`402`	`402`	`$node->connect_fails(`
`@@ -573,7 +573,7 @@`
`573`	`573`	`# works, iff username matches Common Name`
`574`	`574`	`# fails, iff username doesn't match Common Name.`
`575`	`575`	`$common_connstr =`
`576`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR";`
	`576`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost";`
`577`	`577`
`578`	`578`	`$node->connect_ok(`
`579`	`579`	`"$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=$key{'client.key'}",`
`@@ -600,7 +600,7 @@`
`600`	`600`	`# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file`
`601`	`601`	`switch_server_cert($node,'server-cn-only','root_ca');`
`602`	`602`	`$common_connstr =`
`603`		`-"user=ssltestuser dbname=certdb sslkey=$key{'client.key'} sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
	`603`	`+"user=ssltestuser dbname=certdb sslkey=$key{'client.key'} sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost";`
`604`	`604`
`605`	`605`	`$node->connect_ok(`
`606`	`606`	`"$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt",`

`‎src/test/ssl/t/002_scram.pl`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@`
`53`	`53`	`switch_server_cert($node,'server-cn-only');`
`54`	`54`	`$ENV{PGPASSWORD} ="pass";`
`55`	`55`	`$common_connstr =`
`56`		`-"dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR";`
	`56`	`+"dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost";`
`57`	`57`
`58`	`58`	`# Default settings`
`59`	`59`	`$node->connect_ok(`
`@@ -104,15 +104,15 @@`
`104`	`104`	`ordie"failed to change permissions on$cert_tempdir/client_scram.key:$!";`
`105`	`105`	`$client_tmp_key =~s!\\!/!gif$PostgreSQL::Test::Utils::windows_os;`
`106`	`106`	`$node->connect_fails(`
`107`		`-"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR dbname=certdb user=ssltestuser channel_binding=require",`
	`107`	`+"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDRhost=localhostdbname=certdb user=ssltestuser channel_binding=require",`
`108`	`108`	`"Cert authentication and channel_binding=require",`
`109`	`109`	`expected_stderr=>`
`110`	`110`	`qr/channel binding required, but server authenticated client without channel binding/`
`111`	`111`	`);`
`112`	`112`
`113`	`113`	`# Certificate verification at the connection level should still work fine.`
`114`	`114`	`$node->connect_ok(`
`115`		`-"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR dbname=verifydb user=ssltestuser",`
	`115`	`+"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDRhost=localhostdbname=verifydb user=ssltestuser",`
`116`	`116`	`"SCRAM with clientcert=verify-full",`
`117`	`117`	`log_like=> [`
`118`	`118`	`qr/connection authenticated: identity="ssltestuser" method=scram-sha-256/`

`‎src/test/ssl/t/003_sslinfo.pl`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@`
`67`	`67`	`switch_server_cert($node,'server-revoked');`
`68`	`68`
`69`	`69`	`$common_connstr =`
`70`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR" .`
	`70`	`+"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDRhost=localhost" .`
`71`	`71`	`"user=ssltestuser sslcert=ssl/client_ext.crt sslkey=$client_tmp_key";`
`72`	`72`
`73`	`73`	`# Make sure we can connect even though previous test suites have established this`
`@@ -98,7 +98,7 @@`
`98`	`98`
`99`	`99`	`$result =$node->safe_psql("trustdb","SELECT ssl_client_cert_present();",`
`100`	`100`	`connstr=>"sslrootcert=ssl/root+server_ca.crt sslmode=require" .`
`101`		`-"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser");`
	`101`	`+"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost");`
`102`	`102`	`is($result,'f',"ssl_client_cert_present() for connection without cert");`
`103`	`103`
`104`	`104`	`$result =$node->safe_psql("certdb",`
`@@ -113,7 +113,7 @@`
`113`	`113`
`114`	`114`	`$result =$node->safe_psql("trustdb","SELECT ssl_client_dn_field('commonName');",`
`115`	`115`	`connstr=>"sslrootcert=ssl/root+server_ca.crt sslmode=require" .`
`116`		`-"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser");`
	`116`	`+"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost");`
`117`	`117`	`is($result,'',"ssl_client_dn_field() for connection without cert");`
`118`	`118`
`119`	`119`	`$result =$node->safe_psql("certdb",`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit6d503d2

File tree

3 files changed

3 files changed

`‎src/test/ssl/t/001_ssltests.pl`

`‎src/test/ssl/t/002_scram.pl`

`‎src/test/ssl/t/003_sslinfo.pl`

0 commit comments