public inbox for [email protected]  
help / color / mirror / Atom feed
From: Tom Lane <[email protected]>
To: Daniel Gustafsson <[email protected]>
Cc: Thomas Munro <[email protected]>
Cc: Andrew Dunstan <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Cc: Jacob Champion <[email protected]>
Subject: Re: disabled SSL log_like tests
Date: Thu, 08 May 2025 20:15:24 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<CA+hUKG+fLqyweHqFSBcErueUVT0vDuSNWui-ySz3+d_APmq7dw@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<CA+hUKGJkUJAwckjBr-=B9oUdDgjSEH+3njd__OnPoPuAtze3Qg@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>

Daniel Gustafsson <[email protected]> writes:
> Maybe the ssl_library function should return a hash with backend => 'OpenSSL'
> and library => <the actual implementation used>?

I don't love doing it exactly like that: seems like it adds notational
complexity for little gain.  Also, it forces ssl_library to expend
work detecting things the current caller may not care about.

I was thinking about just transposing the existing test down to the
backend layer, more or less as attached.  Not wedded to these names
of course.

> If we were to end up with a
> Libressl libtls implementation in libpq we'd still have to test with Libressl
> against the OpenSSL compat layer in libssl since it could act as both.  Not a
> bridge we have to cross today but might be worth at least keeping in mind when
> designing something to not make it impossible in the future.

Right.  I think the attached would be amenable to that.

Further down the road, it seems inevitable that we'll need to have a
way of detecting the SSL library version --- for example, assuming
the LibreSSL folk eventually fix their RSA-PSS code, we'll need a
version-dependent test.  That could be another new backend method,
I guess.

			regards, tom lane



Attachments:

  [text/x-diff] v1-detect-libressl-more-nicely.patch (2.1K, ../[email protected]/2-v1-detect-libressl-more-nicely.patch)
  download | inline diff:
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 8b0de2d8e7e..60b5c3630b0 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -35,9 +35,8 @@ sub switch_server_cert
 	$ssl_server->switch_server_cert(@_);
 }
 
-# Determine whether this build uses OpenSSL or LibreSSL. As a heuristic, the
-# HAVE_SSL_CTX_SET_CERT_CB macro isn't defined for LibreSSL.
-my $libressl = not check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1");
+# Determine whether this build uses OpenSSL or LibreSSL.
+my $libressl = $ssl_server->is_libressl;
 
 #### Some configuration
 
diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
index e044318531f..4159addb700 100644
--- a/src/test/ssl/t/SSL/Backend/OpenSSL.pm
+++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
@@ -26,6 +26,7 @@ package SSL::Backend::OpenSSL;
 
 use strict;
 use warnings FATAL => 'all';
+use PostgreSQL::Test::Utils;
 use File::Basename;
 use File::Copy;
 
@@ -205,6 +206,23 @@ sub get_library
 	return $self->{_library};
 }
 
+=pod
+
+=item $backend->library_is_libressl()
+
+Detect whether the SSL library is LibreSSL.
+
+=cut
+
+sub library_is_libressl
+{
+	my ($self) = @_;
+
+	# The HAVE_SSL_CTX_SET_CERT_CB macro isn't defined for LibreSSL.
+	# We may eventually need a less-bogus heuristic.
+	return not check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1");
+}
+
 # Internal method for copying a set of files, taking into account wildcards
 sub _copy_files
 {
diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm
index 14277418419..33975b28e8c 100644
--- a/src/test/ssl/t/SSL/Server.pm
+++ b/src/test/ssl/t/SSL/Server.pm
@@ -244,6 +244,23 @@ sub ssl_library
 
 =pod
 
+=item $server->is_libressl()
+
+Detect whether the currently used SSL backend is LibreSSL.
+(Ideally we'd not need this hack, but presently we do.)
+
+=cut
+
+sub is_libressl
+{
+	my $self = shift;
+	my $backend = $self->{backend};
+
+	return $backend->library_is_libressl();
+}
+
+=pod
+
 =item switch_server_cert(params)
 
 Change the configuration to use the given set of certificate, key, ca and


view thread (30+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: disabled SSL log_like tests
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox