SSL tests failing for channel_binding with OpenSSL <= 1.0.1

Started by Michael Paquier over 6 years ago, 5 messages
#1 Michael Paquier
michael@paquier.xyz
1 attachment(s)

Hi all,
(Jeff Davis in CC)

As $subject tells, any version of OpenSSL not including
X509_get_signature_nid() (version <= 1.0.1) causes the SSL tests to
fail. This has been introduced by d6e612f.

We need to do something similar to c3d41cc for the test, as per the
attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to stress
both scenarios.

Any objections to this fix?

Thanks,
--
Michael

Attachments:

channel-binding-tests.patch (text/x-diff; charset=us-ascii)
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 5fa2dbde1c..c08aa19aee 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -18,11 +18,15 @@ if ($ENV{with_openssl} ne 'yes')
 	plan skip_all => 'SSL not supported by this build';
 }
 
-my $number_of_tests = 9;
-
 # This is the hostname used to connect to the server.
 my $SERVERHOSTADDR = '127.0.0.1';
 
+# Determine whether build supports tls-server-end-point.
+my $supports_tls_server_end_point =
+  check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1");
+
+my $number_of_tests = $supports_tls_server_end_point ? 9 : 10;
+
 # Allocation of base connection string shared among multiple tests.
 my $common_connstr;
 
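Review bot: the plan count on `my $number_of_tests = $supports_tls_server_end_point ? 9 : 10;` reads as inverted at first glance, because the unsupported path replaces one call with one call; it is only right because test_connect_fails emits two TAP checks (one for the non-zero exit code, one for the error message) where test_connect_ok emits one. A one-line comment stating that next to the assignment would spare the next reader the same question, and keep the count honest if someone later changes what test_connect_fails checks.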
@@ -60,10 +64,21 @@ test_connect_ok(
 	$common_connstr,
 	"user=ssltestuser channel_binding=disable",
 	"SCRAM with SSL and channel_binding=disable");
-test_connect_ok(
-	$common_connstr,
-	"user=ssltestuser channel_binding=require",
-	"SCRAM with SSL and channel_binding=require");
+if ($supports_tls_server_end_point)
+{
+	test_connect_ok(
+		$common_connstr,
+		"user=ssltestuser channel_binding=require",
+		"SCRAM with SSL and channel_binding=require");
+}
+else
+{
+	test_connect_fails(
+		$common_connstr,
+		"user=ssltestuser channel_binding=require",
+		qr/could not connect to server: channel binding is required, but server did not offer an authentication method that supports channel binding/,
+		"SCRAM with SSL and channel_binding=require");
+}
 
 # Now test when the user has an MD5-encrypted password; should fail
 test_connect_fails(
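Review bot: the else branch is the security-relevant half of this hunk and should say why a failure is the expected outcome: with channel_binding=require and a build that cannot offer tls-server-end-point, libpq must refuse the connection rather than proceed with SCRAM without binding, so the test pins the fail-closed behaviour and a comment to that effect would make the intent explicit. Separately, `qr/could not connect to server: channel binding is required, but server did not offer .../` matches the entire libpq message text and will break on any rewording of it; matching only the distinctive `channel binding is required` fragment would keep the check just as meaningful and less brittle.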
#2 Michael Paquier
michael@paquier.xyz
In reply to: Michael Paquier (#1)
Re: SSL tests failing for channel_binding with OpenSSL <= 1.0.1

On Fri, Sep 27, 2019 at 11:44:57AM +0900, Michael Paquier wrote:
> We need to do something similar to c3d41cc for the test, as per the
> attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to stress
> both scenarios.
>
> Any objections to this fix?

Committed as a12c75a1.
--
Michael

#3 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Michael Paquier (#2)
Re: SSL tests failing for channel_binding with OpenSSL <= 1.0.1

Michael Paquier <michael@paquier.xyz> writes:
> On Fri, Sep 27, 2019 at 11:44:57AM +0900, Michael Paquier wrote:
>> We need to do something similar to c3d41cc for the test, as per the
>> attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to stress
>> both scenarios.
>> Any objections to this fix?
>
> Committed as a12c75a1.

The committed fix looks odd: isn't the number of executed tests the
same in both code paths? (I didn't try it yet.)

regards, tom lane

#4 Jeff Davis
pgsql@j-davis.com
In reply to: Tom Lane (#3)
Re: SSL tests failing for channel_binding with OpenSSL <= 1.0.1

On Mon, 2019-09-30 at 09:37 -0400, Tom Lane wrote:
> Michael Paquier <michael@paquier.xyz> writes:
>> On Fri, Sep 27, 2019 at 11:44:57AM +0900, Michael Paquier wrote:
>>> We need to do something similar to c3d41cc for the test, as per the
>>> attached. I have tested that with OpenSSL 1.0.1 and 1.0.2 to stress
>>> both scenarios.
>>> Any objections to this fix?
>>
>> Committed as a12c75a1.
>
> The committed fix looks odd: isn't the number of executed tests the
> same in both code paths? (I didn't try it yet.)

test_connect_fails actually runs two tests, one for the failing exit
code and one for the error message.

Regards,
Jeff Davis

#5 Michael Paquier
michael@paquier.xyz
In reply to: Jeff Davis (#4)
Re: SSL tests failing for channel_binding with OpenSSL <= 1.0.1

On Mon, Sep 30, 2019 at 11:08:20AM -0700, Jeff Davis wrote:
> On Mon, 2019-09-30 at 09:37 -0400, Tom Lane wrote:
>> The committed fix looks odd: isn't the number of executed tests the
>> same in both code paths? (I didn't try it yet.)
>
> test_connect_fails actually runs two tests, one for the failing exit
> code and one for the error message.

Yes. The committed code still works as I would expect. With OpenSSL
<= 1.0.1, I get 10 tests, and 9 with OpenSSL >= 1.0.2. You can check
the difference from test 5 "SCRAM with SSL and channel_binding=require".
--
Michael