public inbox for [email protected]  
help / color / mirror / Atom feed
From: Kyotaro Horiguchi <[email protected]>
To: [email protected]
Cc: [email protected]
Cc: [email protected]
Subject: Re: Out-of-tree certificate interferes ssltest
Date: Thu, 17 Mar 2022 17:05:10 +0900 (JST)
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<YjLOPibZ/[email protected]>
	<[email protected]>

At Thu, 17 Mar 2022 16:22:14 +0900, Michael Paquier <[email protected]> wrote in 
> On Thu, Mar 17, 2022 at 02:59:26PM +0900, Michael Paquier wrote:
> > In both cases, enforcing sslcrl to a value of "invalid" interferes
> > with the failure scenario we expect from sslcrldir.  It is possible to
> > bypass that with something like the attached, but that's a kind of
> > ugly hack.  Another alternative would be to drop those two tests, and
> > I am not sure how much we care about these two negative scenarios.
> 
> Actually, there is a trick I have recalled here: we can enforce sslcrl
> to an empty value in the connection string after the default.  This
> still ensures that the test won't pick up any SSL data from the local
> environment and avoids any interferences of OpenSSL's
> X509_STORE_load_locations().  This gives a much simpler and cleaner
> patch.
> 
> Thoughts?

Ah! I didn't have a thought that we can specify the same parameter
twice.  It looks like clean and robust.  $default_ssl_connstr contains
all required options in PQconninfoOptions[].

The same method worked for 003_sslinfo.pl, too. (of course).

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center






view thread (9+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Out-of-tree certificate interferes ssltest
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox