public inbox for [email protected]
help / color / mirror / Atom feedFrom: Daniel Gustafsson <[email protected]>
To: Tom Lane <[email protected]>
Cc: Thomas Munro <[email protected]>
Cc: Andrew Dunstan <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Cc: Jacob Champion <[email protected]>
Subject: Re: disabled SSL log_like tests
Date: Thu, 8 May 2025 13:20:06 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<CA+hUKG+fLqyweHqFSBcErueUVT0vDuSNWui-ySz3+d_APmq7dw@mail.gmail.com>
<[email protected]>
<[email protected]>
<CA+hUKGJkUJAwckjBr-=B9oUdDgjSEH+3njd__OnPoPuAtze3Qg@mail.gmail.com>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
> On 7 May 2025, at 23:54, Tom Lane <[email protected]> wrote:
>
> Daniel Gustafsson <[email protected]> writes:
>> I haven't looked at the test in question yet, but we do skip some SSL tests if
>> running against libressl already so I assume this will be able to follow the
>> same pattern.
>
> Ah, thanks for the tip. I propose the attached, which disables the
> RSA-PSS test altogether on LibreSSL, and modifies the
> intermediate-cert test to accept the result we're actually getting
> on LibreSSL. We could revert that one if anyone can figure out
> how to make it better, but I don't wish to put any more time into
> it myself.
LGTM for now.
> +# Determine whether this build uses OpenSSL or LibreSSL. As a heuristic, the
> +# HAVE_SSL_CTX_SET_CERT_CB macro isn't defined for LibreSSL.
> +my $libressl = not check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1");
Longer term it would be nice to move this into SSL::Server and have the module
export a function or symbol which returns the underlying library and version,
but that's not for this patch.
> +
> +# As of 5/2025, LibreSSL doesn't actually work for RSA-PSS certificates.
Should we add a link to the relevant thread for future readers? OpenBSD refer
to MARC for archiving which I believe is stable enough for an inclusion.
https://marc.info/?l=libressl&m=174664225002441&w=2
--
Daniel Gustafsson
view thread (30+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: disabled SSL log_like tests
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox