Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uCmit-002D64-OP for pgsql-hackers@arkaria.postgresql.org; Wed, 07 May 2025 21:54:40 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uCmis-00GlLz-QO for pgsql-hackers@arkaria.postgresql.org; Wed, 07 May 2025 21:54:38 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uCmis-00GlLr-Gb for pgsql-hackers@lists.postgresql.org; Wed, 07 May 2025 21:54:38 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1uCmip-000hhg-2R for pgsql-hackers@postgresql.org; Wed, 07 May 2025 21:54:38 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 547LsVZZ080138; Wed, 7 May 2025 17:54:32 -0400 From: Tom Lane To: Daniel Gustafsson cc: Thomas Munro , Andrew Dunstan , PostgreSQL Hackers , Jacob Champion Subject: Re: disabled SSL log_like tests In-reply-to: <8293D36E-8027-4DB8-AB41-5EA2C2A9A788@yesql.se> References: <984fca80-85a8-4c6f-a5cc-bb860950b435@dunslane.net> <2199758.1744901785@sss.pgh.pa.us> <1ce11d3f-624c-4003-a032-1b10cc138305@dunslane.net> <2814408.1745005558@sss.pgh.pa.us> <2859105.1745015195@sss.pgh.pa.us> <1120735.1745350422@sss.pgh.pa.us> <3058990.1746485124@sss.pgh.pa.us> <3227092.1746580691@sss.pgh.pa.us> <3248136.1746592452@sss.pgh.pa.us> <3004EFB2-8FFA-429A-AC5E-E3F40E002A94@yesql.se> <3320404.1746633879@sss.pgh.pa.us> <8E3E58BF-CC99-4C45-9FB8-3BA83AA6FDC8@yesql.se> <51363.1746646179@sss.pgh.pa.us> <8293D36E-8027-4DB8-AB41-5EA2C2A9A788@yesql.se> Comments: In-reply-to Daniel Gustafsson message dated "Wed, 07 May 2025 21:33:18 +0200" MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----- =_aaaaaaaaaa0" Content-ID: <80118.1746654857.0@sss.pgh.pa.us> Date: Wed, 07 May 2025 17:54:31 -0400 Message-ID: <80137.1746654871@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk ------- =_aaaaaaaaaa0 Content-Type: text/plain; charset="us-ascii" Content-ID: <80118.1746654857.1@sss.pgh.pa.us> Content-Transfer-Encoding: quoted-printable Daniel Gustafsson writes: > I haven't looked at the test in question yet, but we do skip some SSL te= sts if > running against libressl already so I assume this will be able to follow= the > same pattern. Ah, thanks for the tip. I propose the attached, which disables the RSA-PSS test altogether on LibreSSL, and modifies the intermediate-cert test to accept the result we're actually getting on LibreSSL. We could revert that one if anyone can figure out how to make it better, but I don't wish to put any more time into it myself. regards, tom lane ------- =_aaaaaaaaaa0 Content-Type: text/x-diff; name="v1-disable-broken-tests-on-libressl.patch"; charset="us-ascii" Content-ID: <80118.1746654857.2@sss.pgh.pa.us> Content-Description: v1-disable-broken-tests-on-libressl.patch Content-Transfer-Encoding: quoted-printable diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.= pl index 8b0de2d8e7e..ccf8ef9bf2e 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -895,14 +895,30 @@ switch_server_cert( = # intermediate CA is provided but doesn't have a trusted root (checks err= or # logging for cert chain depths > 0) -$node->connect_fails( - "$common_connstr sslmode=3Drequire sslcert=3Dssl/client+client_ca.crt", - "intermediate client certificate is untrusted", - expected_stderr =3D> qr/SSL error: tlsv1 alert unknown ca/, - log_like =3D> [ - qr{Client certificate verification failed at depth 1: unable to get loc= al issuer certificate}, - qr{Failed certificate data \(unverified\): subject "/CN=3DTest CA for P= ostgreSQL SSL regression test client certs", serial number \d+, issuer "/C= N=3DTest root CA for PostgreSQL SSL regression test suite"}, - ]); +# As of 5/2025, LibreSSL reports a different cert as being at fault; +# it's probably wrong, but seems to be their bug not ours +if (!$libressl) +{ + $node->connect_fails( + "$common_connstr sslmode=3Drequire sslcert=3Dssl/client+client_ca.crt", + "intermediate client certificate is untrusted", + expected_stderr =3D> qr/SSL error: tlsv1 alert unknown ca/, + log_like =3D> [ + qr{Client certificate verification failed at depth 1: unable to get lo= cal issuer certificate}, + qr{Failed certificate data \(unverified\): subject "/CN=3DTest CA for = PostgreSQL SSL regression test client certs", serial number \d+, issuer "/= CN=3DTest root CA for PostgreSQL SSL regression test suite"}, + ]); +} +else +{ + $node->connect_fails( + "$common_connstr sslmode=3Drequire sslcert=3Dssl/client+client_ca.crt", + "intermediate client certificate is untrusted", + expected_stderr =3D> qr/SSL error: tlsv1 alert unknown ca/, + log_like =3D> [ + qr{Client certificate verification failed at depth 1: unable to get lo= cal issuer certificate}, + qr{Failed certificate data \(unverified\): subject "/CN=3Dssltestuser"= , serial number \d+, issuer "/CN=3DTest CA for PostgreSQL SSL regression t= est client certs"}, + ]); +} = # test server-side CRL directory switch_server_cert( diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl index 9e4947f4e3c..73d45909e31 100644 --- a/src/test/ssl/t/002_scram.pl +++ b/src/test/ssl/t/002_scram.pl @@ -49,6 +49,13 @@ my $SERVERHOSTCIDR =3D '127.0.0.1/32'; my $supports_rsapss_certs =3D check_pg_config("#define HAVE_X509_GET_SIGNATURE_INFO 1"); = +# Determine whether this build uses OpenSSL or LibreSSL. As a heuristic, = the +# HAVE_SSL_CTX_SET_CERT_CB macro isn't defined for LibreSSL. +my $libressl =3D not check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1"= ); + +# As of 5/2025, LibreSSL doesn't actually work for RSA-PSS certificates. +$supports_rsapss_certs =3D 0 if $libressl; + # Allocation of base connection string shared among multiple tests. my $common_connstr; = ------- =_aaaaaaaaaa0--