public inbox for [email protected]  
From: Cary Huang <[email protected]>
To: Daniel Gustafsson <[email protected]>
Cc: Michael Paquier <[email protected]>
Cc: PostgreSQL-development <[email protected]>
Subject: Re: PostgreSQL and OpenSSL 4.0.0
Date: Thu, 07 May 2026 12:32:51 -0700
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>

Hi

I tried the patch and Postgres and sslinfo compiled with no warnings as
expected.

However, in OpenSSL 4.0, I noticed that it reports certificate revocation
errors differently from previous versions, causing the SSL tests to fail.
The test expects "ssl alert certificate revoked", but OpenSSL 4.0 returns
"tls alert certificate revoked" instead.

I made a patch to make the ssl tests compatible with OpenSSL 4.0 as well.

thanks!

Cary Huang
-------------
HighGo Software Inc. (Canada)
[email protected]
www.highgo.ca


Attachments:

  [application/octet-stream] 0001-fix-ssl-test-on-openssl-4.0.patch (2.8K, 2-0001-fix-ssl-test-on-openssl-4.0.patch)
From f73b87ea3036f3cebc9aa4f16d41e07d7af1b166 Mon Sep 17 00:00:00 2001
From: Cary Huang <[email protected]>
Date: Thu, 7 May 2026 12:24:27 -0700
Subject: [PATCH] support OpenSSL 4.0.0 style revocation message:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenSSL 4.0 reports revoked certificates as “tls alert certificate revoked”
instead of “ssl... alert certificate revoked”. Update the test regex to accept
both variants to avoid false failures.
---
 src/test/ssl/t/001_ssltests.pl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 0af887caa6..b12ad1f8df 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -885,7 +885,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr|SSL error: (?:ssl\|tls)[a-z0-9/]* alert certificate revoked|,
 	log_like => [
 		qr{Client certificate verification failed at depth 0: certificate revoked},
 		qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number \d+, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
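Review bot: the new expected_stderr pattern keeps "|" as the qr delimiter while also needing "|" as the alternation operator, written here as "\|", and a reader cannot easily tell whether that escaped delimiter ends up as alternation or as a literal pipe. Switching to brace delimiters, as the log_like patterns just below already do, removes the escape and makes the intent unambiguous: qr{SSL error: (?:ssl|tls)[a-z0-9/]* alert certificate revoked}.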
@@ -987,7 +987,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert with server-side CRL directory",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr|SSL error: (?:ssl\|tls)[a-z0-9/]* alert certificate revoked|,
 	log_like => [
 		qr{Client certificate verification failed at depth 0: certificate revoked},
 		qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number \d+, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
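Review bot: this expected_stderr line repeats the exact pattern changed in the hunk at line 885 and again in the hunk at line 998, so the next wording change in OpenSSL will need three identical edits. Consider defining the qr once near the top of the test file and passing that variable to all three connect_fails calls.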
@@ -998,7 +998,7 @@ $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt "
 	  . sslkey('client-revoked-utf8.key'),
 	"certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory",
-	expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
+	expected_stderr => qr|SSL error: (?:ssl\|tls)[a-z0-9/]* alert certificate revoked|,
 	log_like => [
 		qr{Client certificate verification failed at depth 0: certificate revoked},
 		qr{Failed certificate data \(unverified\): subject "/CN=\\xce\\x9f\\xce\\xb4\\xcf\\x85\\xcf\\x83\\xcf\\x83\\xce\\xad\\xce\\xb1\\xcf\\x82", serial number \d+, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
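Review bot: the changed expected_stderr line has no comment saying which OpenSSL version produces which prefix, so the reason for the alternation lives only in the commit message. A one-line comment above the pattern, noting that OpenSSL 4.0 reports "tls alert certificate revoked" where earlier versions report "ssl... alert certificate revoked", would keep that visible in the test. Also, the class [a-z0-9/]* now applies after "tls" as well; if the 4.0 text is exactly "tls alert", confining the class to the ssl branch, (?:ssl[a-z0-9/]*|tls), keeps the test from accepting more than intended.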
-- 
2.34.1


