Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uDBOo-007Q0T-49 for pgsql-hackers@arkaria.postgresql.org; Fri, 09 May 2025 00:15:34 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uDBOn-006rRM-2R for pgsql-hackers@arkaria.postgresql.org; Fri, 09 May 2025 00:15:33 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uDBOm-006rRE-Og for pgsql-hackers@lists.postgresql.org; Fri, 09 May 2025 00:15:32 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1uDBOj-000vVr-2i for pgsql-hackers@postgresql.org; Fri, 09 May 2025 00:15:32 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 5490FOGE274034; Thu, 8 May 2025 20:15:24 -0400 From: Tom Lane To: Daniel Gustafsson cc: Thomas Munro , Andrew Dunstan , PostgreSQL Hackers , Jacob Champion Subject: Re: disabled SSL log_like tests In-reply-to: <58BC3DE1-4D63-4D4E-823F-BE7BF74E272B@yesql.se> References: <984fca80-85a8-4c6f-a5cc-bb860950b435@dunslane.net> <2199758.1744901785@sss.pgh.pa.us> <1ce11d3f-624c-4003-a032-1b10cc138305@dunslane.net> <2814408.1745005558@sss.pgh.pa.us> <2859105.1745015195@sss.pgh.pa.us> <1120735.1745350422@sss.pgh.pa.us> <3058990.1746485124@sss.pgh.pa.us> <3227092.1746580691@sss.pgh.pa.us> <3248136.1746592452@sss.pgh.pa.us> <3004EFB2-8FFA-429A-AC5E-E3F40E002A94@yesql.se> <3320404.1746633879@sss.pgh.pa.us> <8E3E58BF-CC99-4C45-9FB8-3BA83AA6FDC8@yesql.se> <51363.1746646179@sss.pgh.pa.us> <8293D36E-8027-4DB8-AB41-5EA2C2A9A788@yesql.se> <80137.1746654871@sss.pgh.pa.us> <182014.1746712177@sss.pgh.pa.us> <2C91E50A-BBBF-4863-8582-6BF2C645CCC1@yesql.se> <222848.1746735871@sss.pgh.pa.us> <58BC3DE1-4D63-4D4E-823F-BE7BF74E272B@yesql.se> Comments: In-reply-to Daniel Gustafsson message dated "Thu, 08 May 2025 22:48:27 +0200" MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----- =_aaaaaaaaaa0" Content-ID: <274023.1746749718.0@sss.pgh.pa.us> Date: Thu, 08 May 2025 20:15:24 -0400 Message-ID: <274033.1746749724@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk ------- =_aaaaaaaaaa0 Content-Type: text/plain; charset="us-ascii" Content-ID: <274023.1746749718.1@sss.pgh.pa.us> Content-Transfer-Encoding: quoted-printable Daniel Gustafsson writes: > Maybe the ssl_library function should return a hash with backend =3D> 'O= penSSL' > and library =3D> ? I don't love doing it exactly like that: seems like it adds notational complexity for little gain. Also, it forces ssl_library to expend work detecting things the current caller may not care about. I was thinking about just transposing the existing test down to the backend layer, more or less as attached. Not wedded to these names of course. > If we were to end up with a > Libressl libtls implementation in libpq we'd still have to test with Lib= ressl > against the OpenSSL compat layer in libssl since it could act as both. = Not a > bridge we have to cross today but might be worth at least keeping in min= d when > designing something to not make it impossible in the future. Right. I think the attached would be amenable to that. Further down the road, it seems inevitable that we'll need to have a way of detecting the SSL library version --- for example, assuming the LibreSSL folk eventually fix their RSA-PSS code, we'll need a version-dependent test. That could be another new backend method, I guess. regards, tom lane ------- =_aaaaaaaaaa0 Content-Type: text/x-diff; name="v1-detect-libressl-more-nicely.patch"; charset="us-ascii" Content-ID: <274023.1746749718.2@sss.pgh.pa.us> Content-Description: v1-detect-libressl-more-nicely.patch Content-Transfer-Encoding: quoted-printable diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.= pl index 8b0de2d8e7e..60b5c3630b0 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -35,9 +35,8 @@ sub switch_server_cert $ssl_server->switch_server_cert(@_); } = -# Determine whether this build uses OpenSSL or LibreSSL. As a heuristic, = the -# HAVE_SSL_CTX_SET_CERT_CB macro isn't defined for LibreSSL. -my $libressl =3D not check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1"= ); +# Determine whether this build uses OpenSSL or LibreSSL. +my $libressl =3D $ssl_server->is_libressl; = #### Some configuration = diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Ba= ckend/OpenSSL.pm index e044318531f..4159addb700 100644 --- a/src/test/ssl/t/SSL/Backend/OpenSSL.pm +++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm @@ -26,6 +26,7 @@ package SSL::Backend::OpenSSL; = use strict; use warnings FATAL =3D> 'all'; +use PostgreSQL::Test::Utils; use File::Basename; use File::Copy; = @@ -205,6 +206,23 @@ sub get_library return $self->{_library}; } = +=3Dpod + +=3Ditem $backend->library_is_libressl() + +Detect whether the SSL library is LibreSSL. + +=3Dcut + +sub library_is_libressl +{ + my ($self) =3D @_; + + # The HAVE_SSL_CTX_SET_CERT_CB macro isn't defined for LibreSSL. + # We may eventually need a less-bogus heuristic. + return not check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1"); +} + # Internal method for copying a set of files, taking into account wildcar= ds sub _copy_files { diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm index 14277418419..33975b28e8c 100644 --- a/src/test/ssl/t/SSL/Server.pm +++ b/src/test/ssl/t/SSL/Server.pm @@ -244,6 +244,23 @@ sub ssl_library = =3Dpod = +=3Ditem $server->is_libressl() + +Detect whether the currently used SSL backend is LibreSSL. +(Ideally we'd not need this hack, but presently we do.) + +=3Dcut + +sub is_libressl +{ + my $self =3D shift; + my $backend =3D $self->{backend}; + + return $backend->library_is_libressl(); +} + +=3Dpod + =3Ditem switch_server_cert(params) = Change the configuration to use the given set of certificate, key, ca and ------- =_aaaaaaaaaa0--