public inbox for [email protected]  
From: Daniel Gustafsson <[email protected]>
To: Jacob Champion <[email protected]>
Cc: Zsolt Parragi <[email protected]>
Cc: Jelte Fennema-Nio <[email protected]>
Cc: Heikki Linnakangas <[email protected]>
Cc: Dewei Dai <[email protected]>
Cc: li.evan.chao <[email protected]>
Cc: Michael Paquier <[email protected]>
Cc: Andres Freund <[email protected]>
Cc: Pgsql Hackers <[email protected]>
Subject: Re: Serverside SNI support in libpq
Date: Wed, 18 Mar 2026 15:25:13 +0100
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAOYmi+kXmCCgBWffzmSjaNhME5rD=gjyc_OP1FeWQTw2MmSNjg@mail.gmail.com>

> On 18 Mar 2026, at 14:01, Jacob Champion <[email protected]> wrote:
> 
> On Wed, Mar 18, 2026 at 5:19 AM Daniel Gustafsson <[email protected]> wrote:
>> longfin has so far reported a test failure which I am looking into.
> 
> I took a quick look at culicidae and I think that's just due to the
> use of EXEC_BACKEND. Rather than $windows_os the SKIP logic should
> probably use something like 001_server's $exec_backend.

That's a bit embarrassing, I spent some time investigating passphrase reloading
under EXEC_BACKEND as part of this patchset..

The longfin issue is a bit more odd, I can reproduce it on macOS with OpenSSL
1.1.1 but nowhere else.  Rather than reporting an SSL error for an aborted
handshake it reports a SYSCALL error.  Using SYSCALL error for when the server
closes the connection abruptly is documented, but not really this case where it
does so with no error codes at all (which given OpenSSL documentation doesn't
really say much..).  The change in the attached diff does fix it for me but I'm
a bit hesitant to apply something like that, I would be more inclined to
change the expected output in the test.  What are your thoughts?

--
Daniel Gustafsson



Attachments:

  [application/octet-stream] bf_fixes.diff (1.6K, 2-bf_fixes.diff)
  inline diff:
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index fbd3c63fb5d..943dd2d6767 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1381,6 +1381,8 @@ open_client_SSL(PGconn *conn)
 					else if (r == -1 && save_errno != 0)
 						libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
 												SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
+					else if (save_errno == 0 && vcode == X509_V_OK && ecode == 0)
+						libpq_append_conn_error(conn, "SSL error: handshake failure");
 					else
 						libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
 					pgtls_close(conn);
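
Review bot: the added `else if (save_errno == 0 && vcode == X509_V_OK && ecode == 0)` never looks at `r` and, as far as the visible branches show, matches every failure that arrives with `save_errno` of 0, `vcode` of `X509_V_OK` and `ecode` of 0, which is also what a peer that simply closes the socket looks like. With this branch in place the trailing `SSL SYSCALL error: EOF detected` is reached only when one of those three values is set, so an abrupt close would now be reported as `SSL error: handshake failure`. If the branch stays, it needs a comment naming the platform and OpenSSL version it works around and explaining why the absence of all three codes is taken to mean a failed handshake rather than EOF; otherwise adjusting the expected message in the test leaves the existing error text stable for callers that match on it.
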
diff --git a/src/test/ssl/t/004_sni.pl b/src/test/ssl/t/004_sni.pl
index 4e06475b125..878e32ff107 100644
--- a/src/test/ssl/t/004_sni.pl
+++ b/src/test/ssl/t/004_sni.pl
@@ -47,6 +47,9 @@ $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
 
+my $exec_backend = $node->safe_psql('postgres', 'SHOW debug_exec_backend');
+chomp($exec_backend);
+
 $ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR,
 	$SERVERHOSTCIDR, 'trust');
 
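
Review bot: `$exec_backend` is introduced at line 47 without a comment and its only visible use is the SKIP block near line 323, so a reader of either place has to search for the other. Add a one-line comment here saying it records whether the server runs with EXEC_BACKEND and is used to skip the passphrase reload test, and consider storing it as a boolean at this point (`$exec_backend eq 'on'`) so the later condition is a plain truth test.
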
@@ -320,9 +323,10 @@ unlike(
 
 SKIP:
 {
-	# Passphrase reloads must be enabled on Windows to succeed even without a
-	# restart
-	skip "Passphrase command reload required on Windows", 1 if ($windows_os);
+	# Passphrase reloads must be enabled on Windows (and EXEC_BACKEND) to
+	# succeed even without a restart
+	skip "Passphrase command reload required on Windows", 1
+		if ($windows_os || $exec_backend =~ /on/);
 
 	$node->connect_ok(
 		"$connstr sslrootcert=ssl/root+server_ca.crt sslmode=require host=localhost",

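Review bot: the skip message on the `skip` line still reads "Passphrase command reload required on Windows" although the condition now also fires for EXEC_BACKEND, so a skip on an EXEC_BACKEND build will be reported with a misleading reason; mention both, in line with the updated comment above it. The match `$exec_backend =~ /on/` is also unanchored and would accept any value containing "on"; since the variable was already chomped, `$exec_backend eq 'on'` states the intent exactly.
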