NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit9ca234b

committed

Fix failures in SSL tests caused by out-of-tree keys and certificates

This issue is environment-sensitive, where the SSL tests could fail invarious way by feeding on defaults provided by sslcert, sslkey,sslrootkey, sslrootcert, sslcrl and sslcrldir coming from a local setup,as of ~/.postgresql/ by default. Horiguchi-san has reported twofailures, but more advanced testing from me (aka inclusion of garbageSSL configuration in ~/.postgresql/ for all the configurationparameters) has showed dozens of failures that can be triggered in thewhole test suite.History has showed that we are not good when it comes to address suchissues, fixing them locally like indd87799, and such problems keepappearing. This commit strengthens the entire test suite to put an endto this set of problems by embedding invalid default values in all theconnection strings used in the tests. The invalid values are prefixedin each connection string, relying on the follow-up values passed in theconnection string to enforce any invalid value previously set. Notethat two tests related to CRLs are required to fail with certain pre-setconfigurations, but we can rely on enforcing an empty value insteadafter the invalid set of values.Reported-by: Kyotaro HoriguchiReviewed-by: Andrew Dunstan, Daniel Gustafsson, Kyotaro HoriguchiDiscussion:https://postgr.es/m/20220316.163658.1122740600489097632.horikyota.ntt@gmail.combackpatch-through: 10

1 parent208c5d6 commit9ca234bCopy full SHA for 9ca234b

File tree

2 files changed

+29

-16

lines changed

src/test/ssl/t
- 001_ssltests.pl
- 003_sslinfo.pl

2 files changed

+29

-16

lines changed

`‎src/test/ssl/t/001_ssltests.pl`

Lines changed: 21 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -138,8 +138,13 @@`
`138`	`138`
`139`	`139`	`switch_server_cert($node,'server-cn-only');`
`140`	`140`
	`141`	`+# Set of default settings for SSL parameters in connection string. This`
	`142`	`+# makes the tests protected against any defaults the environment may have`
	`143`	`+# in ~/.postgresql/.`
	`144`	`+my$default_ssl_connstr ="sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid";`
	`145`	`+`
`141`	`146`	`$common_connstr =`
`142`		`-"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
	`147`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
`143`	`148`
`144`	`149`	`# The server should not accept non-SSL connections.`
`145`	`150`	`$node->connect_fails(`
`@@ -216,9 +221,10 @@`
`216`	`221`	`"CRL belonging to a different CA",`
`217`	`222`	`expected_stderr=>qr/SSL error: certificate verify failed/);`
`218`	`223`
`219`		`-# The same for CRL directory`
	`224`	`+# The same for CRL directory. sslcrl='' is added here to override the`
	`225`	`+# invalid default, so as this does not interfere with this case.`
`220`	`226`	`$node->connect_fails(`
`221`		`-"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",`
	`227`	`+"$common_connstrsslcrl=''sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",`
`222`	`228`	`"directory CRL belonging to a different CA",`
`223`	`229`	`expected_stderr=>qr/SSL error: certificate verify failed/);`
`224`	`230`
`@@ -235,7 +241,7 @@`
`235`	`241`	`# Check that connecting with verify-full fails, when the hostname doesn't`
`236`	`242`	`# match the hostname in the server's certificate.`
`237`	`243`	`$common_connstr =`
`238`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
	`244`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
`239`	`245`
`240`	`246`	`$node->connect_ok("$common_connstr sslmode=require host=wronghost.test",`
`241`	`247`	`"mismatch between host name and server certificate sslmode=require");`
`@@ -253,7 +259,7 @@`
`253`	`259`	`switch_server_cert($node,'server-multiple-alt-names');`
`254`	`260`
`255`	`261`	`$common_connstr =`
`256`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
	`262`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`257`	`263`
`258`	`264`	`$node->connect_ok(`
`259`	`265`	`"$common_connstr host=dns1.alt-name.pg-ssltest.test",`
`@@ -282,7 +288,7 @@`
`282`	`288`	`switch_server_cert($node,'server-single-alt-name');`
`283`	`289`
`284`	`290`	`$common_connstr =`
`285`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
	`291`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`286`	`292`
`287`	`293`	`$node->connect_ok(`
`288`	`294`	`"$common_connstr host=single.alt-name.pg-ssltest.test",`
`@@ -306,7 +312,7 @@`
`306`	`312`	`switch_server_cert($node,'server-cn-and-alt-names');`
`307`	`313`
`308`	`314`	`$common_connstr =`
`309`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
	`315`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`310`	`316`
`311`	`317`	`$node->connect_ok("$common_connstr host=dns1.alt-name.pg-ssltest.test",`
`312`	`318`	`"certificate with both a CN and SANs 1");`
`@@ -323,7 +329,7 @@`
`323`	`329`	`# not a very sensible certificate, but libpq should handle it gracefully.`
`324`	`330`	`switch_server_cert($node,'server-no-names');`
`325`	`331`	`$common_connstr =`
`326`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
	`332`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
`327`	`333`
`328`	`334`	`$node->connect_ok(`
`329`	`335`	`"$common_connstr sslmode=verify-ca host=common-name.pg-ssltest.test",`
`@@ -339,7 +345,7 @@`
`339`	`345`	`switch_server_cert($node,'server-revoked');`
`340`	`346`
`341`	`347`	`$common_connstr =`
`342`		`-"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
	`348`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
`343`	`349`
`344`	`350`	`# Without the CRL, succeeds. With it, fails.`
`345`	`351`	`$node->connect_ok(`
`@@ -349,8 +355,10 @@`
`349`	`355`	`"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",`
`350`	`356`	`"does not connect with client-side CRL file",`
`351`	`357`	`expected_stderr=>qr/SSL error: certificate verify failed/);`
	`358`	`+# sslcrl='' is added here to override the invalid default, so as this`
	`359`	`+# does not interfere with this case.`
`352`	`360`	`$node->connect_fails(`
`353`		`-"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",`
	`361`	`+"$common_connstrsslcrl=''sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",`
`354`	`362`	`"does not connect with client-side CRL directory",`
`355`	`363`	`expected_stderr=>qr/SSL error: certificate verify failed/);`
`356`	`364`
`@@ -392,7 +400,7 @@`
`392`	`400`	`note"running server tests";`
`393`	`401`
`394`	`402`	`$common_connstr =`
`395`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost";`
	`403`	`+"$default_ssl_connstrsslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost";`
`396`	`404`
`397`	`405`	`# no client cert`
`398`	`406`	`$node->connect_fails(`
`@@ -569,7 +577,7 @@`
`569`	`577`	`# works, iff username matches Common Name`
`570`	`578`	`# fails, iff username doesn't match Common Name.`
`571`	`579`	`$common_connstr =`
`572`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost";`
	`580`	`+"$default_ssl_connstrsslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost";`
`573`	`581`
`574`	`582`	`$node->connect_ok(`
`575`	`583`	`"$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=$key{'client.key'}",`
`@@ -596,7 +604,7 @@`
`596`	`604`	`# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file`
`597`	`605`	`switch_server_cert($node,'server-cn-only','root_ca');`
`598`	`606`	`$common_connstr =`
`599`		`-"user=ssltestuser dbname=certdb sslkey=$key{'client.key'} sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost";`
	`607`	`+"$default_ssl_connstruser=ssltestuser dbname=certdb sslkey=$key{'client.key'} sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost";`
`600`	`608`
`601`	`609`	`$node->connect_ok(`
`602`	`610`	`"$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt",`

`‎src/test/ssl/t/003_sslinfo.pl`

Lines changed: 8 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -62,8 +62,13 @@`
`62`	`62`	`# 001 test does.`
`63`	`63`	`switch_server_cert($node,'server-revoked');`
`64`	`64`
	`65`	`+# Set of default settings for SSL parameters in connection string. This`
	`66`	`+# makes the tests protected against any defaults the environment may have`
	`67`	`+# in ~/.postgresql/.`
	`68`	`+my$default_ssl_connstr ="sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid";`
	`69`	`+`
`65`	`70`	`$common_connstr =`
`66`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost" .`
	`71`	`+"$default_ssl_connstrsslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost" .`
`67`	`72`	`"user=ssltestuser sslcert=ssl/client_ext.crt sslkey=$client_tmp_key";`
`68`	`73`
`69`	`74`	`# Make sure we can connect even though previous test suites have established this`
`@@ -93,7 +98,7 @@`
`93`	`98`	`is($result,'t',"ssl_client_cert_present() for connection with cert");`
`94`	`99`
`95`	`100`	`$result =$node->safe_psql("trustdb","SELECT ssl_client_cert_present();",`
`96`		`-connstr=>"sslrootcert=ssl/root+server_ca.crt sslmode=require" .`
	`101`	`+connstr=>"$default_ssl_connstrsslrootcert=ssl/root+server_ca.crt sslmode=require" .`
`97`	`102`	`"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost");`
`98`	`103`	`is($result,'f',"ssl_client_cert_present() for connection without cert");`
`99`	`104`
`@@ -108,7 +113,7 @@`
`108`	`113`	`is($result,'3',"ssl_client_dn_field() for an invalid field");`
`109`	`114`
`110`	`115`	`$result =$node->safe_psql("trustdb","SELECT ssl_client_dn_field('commonName');",`
`111`		`-connstr=>"sslrootcert=ssl/root+server_ca.crt sslmode=require" .`
	`116`	`+connstr=>"$default_ssl_connstrsslrootcert=ssl/root+server_ca.crt sslmode=require" .`
`112`	`117`	`"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost");`
`113`	`118`	`is($result,'',"ssl_client_dn_field() for connection without cert");`
`114`	`119`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9ca234b

File tree

2 files changed

2 files changed

`‎src/test/ssl/t/001_ssltests.pl`

`‎src/test/ssl/t/003_sslinfo.pl`

0 commit comments