Hi Tatsuo,

Please let me know if you need any assistance with updating your test cases. I am happy to help.

Thanks,
Bob


On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <bob.ross.19821@gmail.com> wrote:
Hi Tatsuo, 

Thanks for putting together the regression tests. 

Thoughts on your questions: 
- CA Certificates - Yes, adding a cert auth test is highly recommended. We could test this by generating two different dummy CA certificates. Start pgpool trusting CA #1, swap the config to CA #2, reload and verify that the client connection correctly gets rejected.
- DH parameters - Perhaps we can test this by providing a non-existent file path and then using grep to check pgpool.log for the specific warning message (per pool_ssl.c it's "DH: could not load DH parameters") when pgpool tries to load the file.

Regards,
Bob
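
The two checks suggested in the message above, sketched as an added example (not code from this thread or from the pgpool test suite). It covers only the certificate-level premise of the CA swap and the log grep, without starting pgpool; the function names, certificate subjects and file names are assumptions, and the `openssl` CLI must be installed.

```bash
#!/usr/bin/env bash
# Added illustration; file names and certificate subjects are constructed.

# Create a throwaway self-signed CA: make_ca <dir> <name>
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Dummy $2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Issue a client certificate signed by the named CA: issue_client <dir> <ca-name>
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=testuser" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -days 1 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/client.crt" 2>/dev/null
}

# Succeeds only if client.crt chains to the named CA: chains_to <dir> <ca-name>
chains_to() {
    openssl verify -CAfile "$1/$2.crt" "$1/client.crt" >/dev/null 2>&1
}

# Premise of the CA swap test: a client cert issued by CA #1 must verify
# while CA #1 is trusted and must fail once only CA #2 is trusted.
# Returns 0 if both hold, 1 if either does not, 2 on setup failure.
ca_swap_precondition() {
    local d rc=0
    d=$(mktemp -d) || return 2
    make_ca "$d" ca1 && make_ca "$d" ca2 && issue_client "$d" ca1 ||
        { rm -rf "$d"; return 2; }
    chains_to "$d" ca1 || rc=1   # expected: accepted before the swap
    chains_to "$d" ca2 && rc=1   # expected: rejected after the swap
    rm -rf "$d"
    return $rc
}

# DH check: look for the warning text quoted in the thread in a log file.
dh_warning_logged() {
    grep -qF "DH: could not load DH parameters" "$1"
}

if ca_swap_precondition; then echo "CA swap premise holds"; fi
```

In a real regression test the same two CA files would be assigned to ssl_ca_cert in turn, with a pgpool reload between them.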


On Wednesday, April 1, 2026, Tatsuo Ishii <ishii@postgresql.org> wrote:
Hi Bob,

> Hi Tatsuo,
>
> Thanks for double-checking! Please feel free to go ahead and write the
> regression tests if you're up for it. I'd really appreciate the help.

I have written the first version of the regression test. This test
performs:

1. Set bad value (fixed string "bad_value") to a config param and
   restart pgpool so that SSL connection does not establish between
   client and pgpool.

2. Set good value to the config and reload pgpool so that SSL
   connection establishes.

The test is run against:
ssl_cert
ssl_ciphers
ssl_crl_file
ssl_ecdh_curve
ssl_key

It does not test ssl_ca_cert and ssl_ca_cert_dir because the test is
based on 023.ssl_connection which does not check cert auth. Should we
test cert auth as well?

Also this does not test the following:

- ssl_dh_params_file
If a bad value is set to the parameter, it falls back to a builtin
value. So it is not possible to set a bad value to the parameter.
Do you have an idea to test this?

- ssl_passphrase_command
Our cert does not require a passphrase.

- ssl_prefer_server_ciphers
This only affects server side (backend) ciphers. The test only tests
SSL connection between client and pgpool.

Attached is the v1 patch including your patch (I have removed "-----"
from your commit message. Otherwise the commit message cuts in the
middle) and the test script.
What do you think?

Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese: http://www.sraoss.co.jp