NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitfdb1be4

committed

Fix failures in SSL tests caused by out-of-tree keys and certificates

This issue is environment-sensitive, where the SSL tests could fail invarious way by feeding on defaults provided by sslcert, sslkey,sslrootkey, sslrootcert, sslcrl and sslcrldir coming from a local setup,as of ~/.postgresql/ by default. Horiguchi-san has reported twofailures, but more advanced testing from me (aka inclusion of garbageSSL configuration in ~/.postgresql/ for all the configurationparameters) has showed dozens of failures that can be triggered in thewhole test suite.History has showed that we are not good when it comes to address suchissues, fixing them locally like indd87799, and such problems keepappearing. This commit strengthens the entire test suite to put an endto this set of problems by embedding invalid default values in all theconnection strings used in the tests. The invalid values are prefixedin each connection string, relying on the follow-up values passed in theconnection string to enforce any invalid value previously set. Notethat two tests related to CRLs are required to fail with certain pre-setconfigurations, but we can rely on enforcing an empty value insteadafter the invalid set of values.Reported-by: Kyotaro HoriguchiReviewed-by: Andrew Dunstan, Daniel Gustafsson, Kyotaro HoriguchiDiscussion:https://postgr.es/m/20220316.163658.1122740600489097632.horikyota.ntt@gmail.combackpatch-through: 10

1 parent48b6035 commitfdb1be4Copy full SHA for fdb1be4

File tree

1 file changed

+21

-13

lines changed

src/test/ssl/t
- 001_ssltests.pl

1 file changed

+21

-13

lines changed

`‎src/test/ssl/t/001_ssltests.pl`

Lines changed: 21 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -134,8 +134,13 @@`
`134`	`134`
`135`	`135`	`switch_server_cert($node,'server-cn-only');`
`136`	`136`
	`137`	`+# Set of default settings for SSL parameters in connection string. This`
	`138`	`+# makes the tests protected against any defaults the environment may have`
	`139`	`+# in ~/.postgresql/.`
	`140`	`+my$default_ssl_connstr ="sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid";`
	`141`	`+`
`137`	`142`	`$common_connstr =`
`138`		`-"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
	`143`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
`139`	`144`
`140`	`145`	`# The server should not accept non-SSL connections.`
`141`	`146`	`$node->connect_fails(`
`@@ -212,9 +217,10 @@`
`212`	`217`	`"CRL belonging to a different CA",`
`213`	`218`	`expected_stderr=>qr/SSL error: certificate verify failed/);`
`214`	`219`
`215`		`-# The same for CRL directory`
	`220`	`+# The same for CRL directory. sslcrl='' is added here to override the`
	`221`	`+# invalid default, so as this does not interfere with this case.`
`216`	`222`	`$node->connect_fails(`
`217`		`-"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",`
	`223`	`+"$common_connstrsslcrl=''sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",`
`218`	`224`	`"directory CRL belonging to a different CA",`
`219`	`225`	`expected_stderr=>qr/SSL error: certificate verify failed/);`
`220`	`226`
`@@ -231,7 +237,7 @@`
`231`	`237`	`# Check that connecting with verify-full fails, when the hostname doesn't`
`232`	`238`	`# match the hostname in the server's certificate.`
`233`	`239`	`$common_connstr =`
`234`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
	`240`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
`235`	`241`
`236`	`242`	`$node->connect_ok("$common_connstr sslmode=require host=wronghost.test",`
`237`	`243`	`"mismatch between host name and server certificate sslmode=require");`
`@@ -249,7 +255,7 @@`
`249`	`255`	`switch_server_cert($node,'server-multiple-alt-names');`
`250`	`256`
`251`	`257`	`$common_connstr =`
`252`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
	`258`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`253`	`259`
`254`	`260`	`$node->connect_ok(`
`255`	`261`	`"$common_connstr host=dns1.alt-name.pg-ssltest.test",`
`@@ -278,7 +284,7 @@`
`278`	`284`	`switch_server_cert($node,'server-single-alt-name');`
`279`	`285`
`280`	`286`	`$common_connstr =`
`281`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
	`287`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`282`	`288`
`283`	`289`	`$node->connect_ok(`
`284`	`290`	`"$common_connstr host=single.alt-name.pg-ssltest.test",`
`@@ -302,7 +308,7 @@`
`302`	`308`	`switch_server_cert($node,'server-cn-and-alt-names');`
`303`	`309`
`304`	`310`	`$common_connstr =`
`305`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
	`311`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";`
`306`	`312`
`307`	`313`	`$node->connect_ok("$common_connstr host=dns1.alt-name.pg-ssltest.test",`
`308`	`314`	`"certificate with both a CN and SANs 1");`
`@@ -319,7 +325,7 @@`
`319`	`325`	`# not a very sensible certificate, but libpq should handle it gracefully.`
`320`	`326`	`switch_server_cert($node,'server-no-names');`
`321`	`327`	`$common_connstr =`
`322`		`-"user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
	`328`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";`
`323`	`329`
`324`	`330`	`$node->connect_ok(`
`325`	`331`	`"$common_connstr sslmode=verify-ca host=common-name.pg-ssltest.test",`
`@@ -335,7 +341,7 @@`
`335`	`341`	`switch_server_cert($node,'server-revoked');`
`336`	`342`
`337`	`343`	`$common_connstr =`
`338`		`-"user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
	`344`	`+"$default_ssl_connstruser=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";`
`339`	`345`
`340`	`346`	`# Without the CRL, succeeds. With it, fails.`
`341`	`347`	`$node->connect_ok(`
`@@ -345,8 +351,10 @@`
`345`	`351`	`"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",`
`346`	`352`	`"does not connect with client-side CRL file",`
`347`	`353`	`expected_stderr=>qr/SSL error: certificate verify failed/);`
	`354`	`+# sslcrl='' is added here to override the invalid default, so as this`
	`355`	`+# does not interfere with this case.`
`348`	`356`	`$node->connect_fails(`
`349`		`-"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",`
	`357`	`+"$common_connstrsslcrl=''sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",`
`350`	`358`	`"does not connect with client-side CRL directory",`
`351`	`359`	`expected_stderr=>qr/SSL error: certificate verify failed/);`
`352`	`360`
`@@ -388,7 +396,7 @@`
`388`	`396`	`note"running server tests";`
`389`	`397`
`390`	`398`	`$common_connstr =`
`391`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost";`
	`399`	`+"$default_ssl_connstrsslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost";`
`392`	`400`
`393`	`401`	`# no client cert`
`394`	`402`	`$node->connect_fails(`
`@@ -538,7 +546,7 @@`
`538`	`546`	`# works, iff username matches Common Name`
`539`	`547`	`# fails, iff username doesn't match Common Name.`
`540`	`548`	`$common_connstr =`
`541`		`-"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost";`
	`549`	`+"$default_ssl_connstrsslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost";`
`542`	`550`
`543`	`551`	`$node->connect_ok(`
`544`	`552`	`"$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",`
`@@ -565,7 +573,7 @@`
`565`	`573`	`# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file`
`566`	`574`	`switch_server_cert($node,'server-cn-only','root_ca');`
`567`	`575`	`$common_connstr =`
`568`		`-"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost";`
	`576`	`+"$default_ssl_connstruser=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost";`
`569`	`577`
`570`	`578`	`$node->connect_ok(`
`571`	`579`	`"$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt",`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitfdb1be4

File tree

1 file changed

1 file changed

`‎src/test/ssl/t/001_ssltests.pl`

0 commit comments