Participants
Michael Paquier
Michael Paquier
Tom Lane
Tom Lane
Jeff Davis
Jeff Davis
Attachments
Download Latest Patchset
+21-6
Show all attachments
Thread Outline
#1Michael PaquierMichael Paquier
Sep 27, 2019
#2Michael PaquierMichael Paquierto Michael Paquier (#1)
Sep 30, 2019
#3Tom LaneTom Laneto Michael Paquier (#2)
Sep 30, 2019
#4Jeff DavisJeff Davisto Tom Lane (#3)
Sep 30, 2019
#5Michael PaquierMichael Paquierto Jeff Davis (#4)
Oct 01, 2019

SSL tests failing for channel_binding with OpenSSL <= 1.0.1

Started by Michael Paquierover 6 years ago5 messageshackers
Jump to latest
#1Michael Paquier
Michael Paquier
michael@paquier.xyz

Hi all,
(Jeff Davis in CC)

As $subject tells, any version of OpenSSL not including
X509_get_signature_nid() (version <= 1.0.1) causes the SSL tests to
fail. This has been introduced by d6e612f.

We need to do something similar to c3d41cc for the test, as per the
attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to stress
both scenarios.

Any objections to this fix?

Thanks,
--
Michael

Attachments:

channel-binding-tests.patchtext/x-diff; charset=us-asciiDownload+21-6
#2Michael Paquier
Michael Paquier
michael@paquier.xyz
In reply to: Michael Paquier (#1)
Re: SSL tests failing for channel_binding with OpenSSL <= 1.0.1

On Fri, Sep 27, 2019 at 11:44:57AM +0900, Michael Paquier wrote:

We need to do something similar to c3d41cc for the test, as per the
attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to stress
both scenarios.

Any objections to this fix?

Committed as a12c75a1.
--
Michael

#3Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Michael Paquier (#2)
Re: SSL tests failing for channel_binding with OpenSSL <= 1.0.1

Michael Paquier <michael@paquier.xyz> writes:

On Fri, Sep 27, 2019 at 11:44:57AM +0900, Michael Paquier wrote:

We need to do something similar to c3d41cc for the test, as per the
attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to stress
both scenarios.
Any objections to this fix?

Committed as a12c75a1.

The committed fix looks odd: isn't the number of executed tests the
same in both code paths? (I didn't try it yet.)

regards, tom lane

#4Jeff Davis
Jeff Davis
pgsql@j-davis.com
In reply to: Tom Lane (#3)
Re: SSL tests failing for channel_binding with OpenSSL <= 1.0.1

On Mon, 2019-09-30 at 09:37 -0400, Tom Lane wrote:

Michael Paquier <michael@paquier.xyz> writes:

On Fri, Sep 27, 2019 at 11:44:57AM +0900, Michael Paquier wrote:

We need to do something similar to c3d41cc for the test, as per
the
attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to
stress
both scenarios.
Any objections to this fix?

Committed as a12c75a1.

The committed fix looks odd: isn't the number of executed tests the
same in both code paths? (I didn't try it yet.)

test_connect_fails actually runs two tests, one for the failing exit
code and one for the error message.

Regards,
Jeff Davis

#5Michael Paquier
Michael Paquier
michael@paquier.xyz
In reply to: Jeff Davis (#4)
Re: SSL tests failing for channel_binding with OpenSSL <= 1.0.1

On Mon, Sep 30, 2019 at 11:08:20AM -0700, Jeff Davis wrote:

On Mon, 2019-09-30 at 09:37 -0400, Tom Lane wrote:

The committed fix looks odd: isn't the number of executed tests the
same in both code paths? (I didn't try it yet.)

test_connect_fails actually runs two tests, one for the failing exit
code and one for the error message.

Yes. The committed code still works as I would expect. With OpenSSL
<= 1.0.1, I get 10 tests, and 9 with OpenSSL >= 1.0.2. You can check
the difference from test 5 "SCRAM with SSL and channel_binding=require".
--
Michael

← Back to Topics