Participants
Kyotaro Horiguchi
Kyotaro Horiguchi
Michael Paquier
Michael Paquier
Attachments
  • #1Aug 04, 2020
    0001-Avoid-using-foreign-certificates-in-a-ssl-test.patch
Thread Outline
#1Kyotaro HoriguchiKyotaro Horiguchi
Aug 04, 2020
#2Michael PaquierMichael Paquierto Kyotaro Horiguchi (#1)
Aug 04, 2020
#3Kyotaro HoriguchiKyotaro Horiguchito Michael Paquier (#2)
Aug 04, 2020

SSL TAP test fails due to default client certs.

Started by Kyotaro Horiguchiover 5 years ago3 messages
#1Kyotaro Horiguchi
Kyotaro Horiguchi
horikyota.ntt@gmail.com
1 attachment(s)

Hello.

While poking at ssl code, I noticed that 002_scram.pl fails if
~/.postgresql/root.crt exists. This has been fixed once but
d6e612f837 reintroduced one. The attached fixes that. Applies to
14devel and 13.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center

Attachments:

0001-Avoid-using-foreign-certificates-in-a-ssl-test.patchtext/x-patch; charset=us-asciiDownload
From a29eceb4732ecef0e74058e5f7032882df7cd325 Mon Sep 17 00:00:00 2001
From: Kyotaro Horiguchi <horikyoga.ntt@gmail.com>
Date: Mon, 3 Aug 2020 23:32:38 +0900
Subject: [PATCH] Avoid using foreign certificates in a ssl test.

To prevent default files from being used during tests, the connection
options sslcert, sslkey and sslrootcert should be explicitly
invalidated if not in-use. One of the test forgets to do that and
fails from such alien certificates. Fix it.
---
 src/test/ssl/t/002_scram.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 01231f8ba0..20ab0d5b0b 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -97,7 +97,7 @@ my $client_tmp_key = "ssl/client_scram_tmp.key";
 copy("ssl/client.key", $client_tmp_key);
 chmod 0600, $client_tmp_key;
 test_connect_fails(
-	"sslcert=ssl/client.crt sslkey=$client_tmp_key hostaddr=$SERVERHOSTADDR",
+	"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR",
 	"dbname=certdb user=ssltestuser channel_binding=require",
 	qr/channel binding required, but server authenticated client without channel binding/,
 	"Cert authentication and channel_binding=require");
-- 
2.18.4
#2Michael Paquier
Michael Paquier
michael@paquier.xyz
In reply to: Kyotaro Horiguchi (#1)
Re: SSL TAP test fails due to default client certs.

On Tue, Aug 04, 2020 at 12:00:33PM +0900, Kyotaro Horiguchi wrote:

While poking at ssl code, I noticed that 002_scram.pl fails if
~/.postgresql/root.crt exists. This has been fixed once but
d6e612f837 reintroduced one. The attached fixes that. Applies to
14devel and 13.

Indeed, applied. I can reproduce the failure easily, and bdd6e9b is
the previous fix you are mentioning. It is the only test where we
don't rely on an $common_connstr that sets sslcert and sslrootcert to
an invalid value, so the rest looks fine.
--
Michael

#3Kyotaro Horiguchi
Kyotaro Horiguchi
horikyota.ntt@gmail.com
In reply to: Michael Paquier (#2)
Re: SSL TAP test fails due to default client certs.

At Tue, 4 Aug 2020 14:43:58 +0900, Michael Paquier <michael@paquier.xyz> wrote in

On Tue, Aug 04, 2020 at 12:00:33PM +0900, Kyotaro Horiguchi wrote:

While poking at ssl code, I noticed that 002_scram.pl fails if
~/.postgresql/root.crt exists. This has been fixed once but
d6e612f837 reintroduced one. The attached fixes that. Applies to
14devel and 13.

Indeed, applied. I can reproduce the failure easily, and bdd6e9b is
the previous fix you are mentioning. It is the only test where we
don't rely on an $common_connstr that sets sslcert and sslrootcert to
an invalid value, so the rest looks fine.

Agreed. Thanks for committing!

--
Kyotaro Horiguchi
NTT Open Source Software Center

← Back to Topics