public inbox for [email protected]
* SSL tests
@ 2024-04-04 09:43 Andrew Dunstan <[email protected]>
2024-04-04 10:49 ` Re: SSL tests Gael Le Mignot <[email protected]>
2024-04-04 13:59 ` Re: SSL tests Olaf Bohlen <[email protected]>
0 siblings, 2 replies; 9+ messages in thread
From: Andrew Dunstan @ 2024-04-04 09:43 UTC (permalink / raw)
To: buildfarm-members; +Cc: Daniel Gustafsson <[email protected]>
Hi Buildfarm owners,
It's been noted on the -hackers mailing list that most buildfarm animals
are not performing SSL tests even if they are building with SSL. That's
a sad gap in our test coverage.
The sample configuration file has this in the build_env section
# run extra TAP tests if listed here
# These are the ones omitted without the setting
# on a secure single user system it makes sense to enable these
# PG_TEST_EXTRA => "ssl ldap kerberos",
In general, unless your animal is running on a multi-user system,
enabling these tests should be safe, which you could do by uncommenting
the last line above or inserting it into your config file if not present.
Please consider doing so for your animal(s), as we'd like to get
increased coverage of all these tests, but especially of the SSL tests.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
* Re: SSL tests
From: Gael Le Mignot @ 2024-04-04 10:49 UTC (permalink / raw)
To: Andrew Dunstan <[email protected]>; +Cc: buildfarm-members; Daniel Gustafsson <[email protected]>
Hello,
> Hi Buildfarm owners,
> It's been noted on the -hackers mailing list that most buildfarm
> animals are not performing SSL tests even if they are building with
> SSL. That's a sad gap in our test coverage.
> The sample configuration file has this in the build_env section
> # run extra TAP tests if listed here
> # These are the ones omitted without the setting
> # on a secure single user system it makes sense to enable these
> # PG_TEST_EXTRA => "ssl ldap kerberos",
I enabled this on my animal "mule", but I'm not sure how to check if the
additional tests were actually run or not.
Regards,
--
Gaël Le Mignot - [email protected]
Pilot Systems - 9 rue Anatole De La Forge - 75017 Paris
Tel : +33 1 44 53 05 55 - www.pilot-systems.net
Discover our 100% managed private Cloud offering - www.pilotsystems.net/cloud/
* Re: SSL tests
From: Wolfgang Walther @ 2024-04-04 11:11 UTC (permalink / raw)
To: Gael Le Mignot <[email protected]>; +Cc: buildfarm-members; Daniel Gustafsson <[email protected]>; Andrew Dunstan <[email protected]>
Gael Le Mignot:
> > # run extra TAP tests if listed here
> > # These are the ones omitted without the setting
> > # on a secure single user system it makes sense to enable these
> > # PG_TEST_EXTRA => "ssl ldap kerberos",
>
> I enabled this on my animal "mule", but I'm not sure how to check if the
> additional tests were actually run or not.
You can see that the PG_TEST_EXTRA variable is set in your build_env now:
https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=mule&dt=2024-04-04%2010%3A10%3A14
However, the test doesn't run, yet, I think. You'll need to add
--enable-tap-tests in config options to begin with.
Best,
Wolfgang
* Re: SSL tests
From: Andrew Dunstan @ 2024-04-04 13:26 UTC (permalink / raw)
To: Gael Le Mignot <[email protected]>; +Cc: buildfarm-members; Daniel Gustafsson <[email protected]>
On 2024-04-04 Th 06:49, Gael Le Mignot wrote:
> Hello,
>
> > Hi Buildfarm owners,
> > It's been noted on the -hackers mailing list that most buildfarm
> > animals are not performing SSL tests even if they are building with
> > SSL. That's a sad gap in our test coverage.
>
> > The sample configuration file has this in the build_env section
>
> > # run extra TAP tests if listed here
> > # These are the ones omitted without the setting
> > # on a secure single user system it makes sense to enable these
> > # PG_TEST_EXTRA => "ssl ldap kerberos",
>
> I enabled this on my animal "mule", but I'm not sure how to check if the
> additional tests were actually run or not.
I see this, which indicates the tests ran:
<https://buildfarm.postgresql.org/cgi-bin/show_stage_log.pl?nm=mule&dt=2024-04-04%2011%3A49%3A20&...;
(You do seem to be having issues with ldap and kerberos checks, though)
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
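Setting PG_TEST_EXTRA does not by itself show that the suites executed, so one way to answer the question in this subthread is to classify each extra suite from the text of a stage log. This is an added example, not part of any message in the thread or of the buildfarm client; the log excerpt is constructed, and the `prove`-style result lines, the `# +++ tap check in ... +++` headers and the function name `classify` are assumptions.

```python
import re

# Suites enabled by the PG_TEST_EXTRA line quoted in the thread.
EXTRA_SUITES = ("ssl", "ldap", "kerberos")

# Constructed sample modelled on prove-style TAP output; it is not copied
# from a real buildfarm stage log and the skip reason text is illustrative.
SAMPLE_LOG = """\
# +++ tap check in src/test/ssl +++
t/001_ssltests.pl .. ok
t/002_scram.pl ..... ok
# +++ tap check in src/test/ldap +++
t/001_auth.pl ...... skipped: ldap not enabled in PG_TEST_EXTRA
# +++ tap check in src/test/kerberos +++
t/001_auth.pl ...... Dubious, test returned 2 (wstat 512, 0x200)
"""

HEADER = re.compile(r"^# \+\+\+ tap (?:install-)?check in src/test/(\w+) \+\+\+")
RESULT = re.compile(r"^t/\S+\.pl\s+\.+\s+(.*)$")

def classify(log):
    """Map each extra suite to 'ran', 'skipped', 'failed' or 'absent'."""
    seen, current = {}, None
    for line in log.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            seen.setdefault(current, [])
            continue
        result = RESULT.match(line)
        if result and current is not None:
            status = result.group(1)
            if status == "ok":
                seen[current].append("ran")
            elif status.startswith("skipped"):
                seen[current].append("skipped")
            else:  # anything else (e.g. "Dubious", "Failed") counts as a failure
                seen[current].append("failed")
    report = {}
    for suite in EXTRA_SUITES:
        outcomes = seen.get(suite) or ["absent"]
        # A single failing script marks the suite failed; a suite whose
        # scripts were all skipped gives no coverage at all.
        for verdict in ("failed", "ran", "skipped", "absent"):
            if verdict in outcomes:
                report[suite] = verdict
                break
    return report

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A suite reported as "skipped" or "absent" means the animal is still not contributing coverage for it, even though the variable appears in build_env.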
* Re: SSL tests
From: Gael Le Mignot @ 2024-04-04 13:36 UTC (permalink / raw)
To: Andrew Dunstan <[email protected]>; +Cc: buildfarm-members; Daniel Gustafsson <[email protected]>
Hi Andrew,
> On 2024-04-04 Th 06:49, Gael Le Mignot wrote:
>> Hello,
>>
>> > Hi Buildfarm owners,
>> > It's been noted on the -hackers mailing list that most buildfarm
>> > animals are not performing SSL tests even if they are building with
>> > SSL. That's a sad gap in our test coverage.
>>
>> > The sample configuration file has this in the build_env section
>>
>> > # run extra TAP tests if listed here
>> > # These are the ones omitted without the setting
>> > # on a secure single user system it makes sense to enable these
>> > # PG_TEST_EXTRA => "ssl ldap kerberos",
>>
>> I enabled this on my animal "mule", but I'm not sure how to check if the
>> additional tests were actually run or not.
> I see this, which indicates the tests ran:
> <https://buildfarm.postgresql.org/cgi-bin/show_stage_log.pl?nm=mule&dt=2024-04-04%2011%3A49%3A20&...;
> (You do seem to be having issues with ldap and kerberos checks, though)
Yes, I was missing the binaries (slapd and kdb5_util); I had the
libraries and headers installed, but not the binaries. It seems to be
fixed for LDAP, and I'm re-running it for Kerberos.
Regards,
--
Gaël Le Mignot - [email protected]
Pilot Systems - 9 rue Anatole De La Forge - 75017 Paris
Tel : +33 1 44 53 05 55 - www.pilot-systems.net
Discover our 100% managed private Cloud offering - www.pilotsystems.net/cloud/
* Re: SSL tests
From: Olaf Bohlen @ 2024-04-04 13:59 UTC (permalink / raw)
To: Andrew Dunstan <[email protected]>; +Cc: buildfarm-members
Andrew Dunstan <[email protected]> writes:
Hi Andres,
> In general, unless your animal is running on a multi-user system,
> enabling these tests should be safe, which you could do by
> uncommenting the last line above or inserting it into your config file
> if not present.
Could you elaborate a bit on this? My animal is indeed running as
a container on a multi-user system. Is it "just" extremely CPU
intensive or are there other aspects?
Thanks,
Olaf
--
~ Olaf Bohlen - [email protected]
|~~ Het
/| \ Bruine
___/_|___\ Leven
\__n____/# DGCN2
* Re: SSL tests
From: Wolfgang Walther @ 2024-04-04 14:17 UTC (permalink / raw)
To: Olaf Bohlen <[email protected]>; Andrew Dunstan <[email protected]>; +Cc: buildfarm-members
Olaf Bohlen:
> Could you elaborate a bit on this? My animal is indeed running as
> a container on a multi-user system. Is it "just" extremely CPU
> intensive or are there other aspects?
The docs [1] have more about this. For the three tests "ssl ldap
kerberos" it's about that they open TCP/IP listen sockets (and might
need more dependencies). This should be fine in a container.
Best,
Wolfgang
[1]:
https://www.postgresql.org/docs/current/regress-run.html#REGRESS-ADDITIONAL
* Re: SSL tests
From: Andrew Dunstan @ 2024-04-04 14:29 UTC (permalink / raw)
To: Olaf Bohlen <[email protected]>; +Cc: buildfarm-members
On 2024-04-04 Th 09:59, Olaf Bohlen wrote:
> Andrew Dunstan <[email protected]> writes:
>
> Hi Andres,
>
>> In general, unless your animal is running on a multi-user system,
>> enabling these tests should be safe, which you could do by
>> uncommenting the last line above or inserting it into your config file
>> if not present.
> Could you elaborate a bit on this? My animal is indeed running as
> a container on a multi-user system. Is it "just" extremely CPU
> intensive or are there other aspects?
>
No, it's more a security issue. We have to run the server for SSL tests
with TCP enabled, meaning other users on the localhost can connect to
it. If untrusted users in your multi-user environment can connect to a
socket in your container, then you probably should not turn this on.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
* Re: SSL tests
From: Olaf Bohlen @ 2024-04-05 10:55 UTC (permalink / raw)
To: Andrew Dunstan <[email protected]>; +Cc: buildfarm-members
Andrew Dunstan <[email protected]> writes:
Dear Andrew and Wolfgang,
> No, it's more a security issue. We have to run the server for SSL
> tests with TCP enabled, meaning other users on the localhost can
> connect to it. If untrusted users in your multi-user environment can
> connect to a socket in your container, then you probably should not
> turn this on.
Thanks for the clarification, I'll turn on the checks then!
Best Regards,
Olaf
--
~ Olaf Bohlen - [email protected]
|~~ Het
/| \ Bruine
___/_|___\ Leven
\__n____/# DGCN2