public inbox for [email protected]
help / color / mirror / Atom feedFrom: Tom Lane <[email protected]>
To: Daniel Gustafsson <[email protected]>
Cc: Thomas Munro <[email protected]>
Cc: Andrew Dunstan <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Cc: Jacob Champion <[email protected]>
Subject: Re: disabled SSL log_like tests
Date: Thu, 08 May 2025 20:15:24 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<CA+hUKG+fLqyweHqFSBcErueUVT0vDuSNWui-ySz3+d_APmq7dw@mail.gmail.com>
<[email protected]>
<[email protected]>
<CA+hUKGJkUJAwckjBr-=B9oUdDgjSEH+3njd__OnPoPuAtze3Qg@mail.gmail.com>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
Daniel Gustafsson <[email protected]> writes:
> Maybe the ssl_library function should return a hash with backend => 'OpenSSL'
> and library => <the actual implementation used>?
I don't love doing it exactly like that: seems like it adds notational
complexity for little gain. Also, it forces ssl_library to expend
work detecting things the current caller may not care about.
I was thinking about just transposing the existing test down to the
backend layer, more or less as attached. Not wedded to these names
of course.
> If we were to end up with a
> Libressl libtls implementation in libpq we'd still have to test with Libressl
> against the OpenSSL compat layer in libssl since it could act as both. Not a
> bridge we have to cross today but might be worth at least keeping in mind when
> designing something to not make it impossible in the future.
Right. I think the attached would be amenable to that.
Further down the road, it seems inevitable that we'll need to have a
way of detecting the SSL library version --- for example, assuming
the LibreSSL folk eventually fix their RSA-PSS code, we'll need a
version-dependent test. That could be another new backend method,
I guess.
regards, tom lane
Attachments:
[text/x-diff] v1-detect-libressl-more-nicely.patch (2.1K, ../[email protected]/2-v1-detect-libressl-more-nicely.patch)
download | inline diff:
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 8b0de2d8e7e..60b5c3630b0 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -35,9 +35,8 @@ sub switch_server_cert
$ssl_server->switch_server_cert(@_);
}
-# Determine whether this build uses OpenSSL or LibreSSL. As a heuristic, the
-# HAVE_SSL_CTX_SET_CERT_CB macro isn't defined for LibreSSL.
-my $libressl = not check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1");
+# Determine whether this build uses OpenSSL or LibreSSL.
+my $libressl = $ssl_server->is_libressl;
#### Some configuration
diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
index e044318531f..4159addb700 100644
--- a/src/test/ssl/t/SSL/Backend/OpenSSL.pm
+++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm
@@ -26,6 +26,7 @@ package SSL::Backend::OpenSSL;
use strict;
use warnings FATAL => 'all';
+use PostgreSQL::Test::Utils;
use File::Basename;
use File::Copy;
@@ -205,6 +206,23 @@ sub get_library
return $self->{_library};
}
+=pod
+
+=item $backend->library_is_libressl()
+
+Detect whether the SSL library is LibreSSL.
+
+=cut
+
+sub library_is_libressl
+{
+ my ($self) = @_;
+
+ # The HAVE_SSL_CTX_SET_CERT_CB macro isn't defined for LibreSSL.
+ # We may eventually need a less-bogus heuristic.
+ return not check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1");
+}
+
# Internal method for copying a set of files, taking into account wildcards
sub _copy_files
{
diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm
index 14277418419..33975b28e8c 100644
--- a/src/test/ssl/t/SSL/Server.pm
+++ b/src/test/ssl/t/SSL/Server.pm
@@ -244,6 +244,23 @@ sub ssl_library
=pod
+=item $server->is_libressl()
+
+Detect whether the currently used SSL backend is LibreSSL.
+(Ideally we'd not need this hack, but presently we do.)
+
+=cut
+
+sub is_libressl
+{
+ my $self = shift;
+ my $backend = $self->{backend};
+
+ return $backend->library_is_libressl();
+}
+
+=pod
+
=item switch_server_cert(params)
Change the configuration to use the given set of certificate, key, ca and
view thread (30+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: disabled SSL log_like tests
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox