since-v24.diff

text/x-patch

Filename: since-v24.diff
Type: text/x-patch
Part: 0
Message: Re: Support for NSS as a libpq TLS backend

Patch

Format: unified
Series: patch v24
File+
src/test/ssl/Makefile 1 0
src/test/ssl/t/001_ssltests.pl 6 10
src/test/ssl/t/002_scram.pl 29 36
commit 093bb937736cdfc871d8fd479748f93f18108ae0
Author: Jacob Champion <pchampion@vmware.com>
Date:   Fri Jan 29 09:32:27 2021 -0800

    test/ssl: fix final TODOs and SKIPs
    
    The server-cn-only database didn't have the root CA installed to be able
    to verify client certificates. Note that this changes the error message
    printed during the invalid-root tests, because the server is now sending
    the root of the chain (so the issuer is untrusted rather than
    unrecognized).

diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index d275c89672..c8032a2c13 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -147,6 +147,7 @@ ssl/nss/server-cn-only.crt__server-cn-only.key.db: ssl/server-cn-only.crt ssl/se
 	certutil -d "sql:$@" -N --empty-password
 	certutil -d "sql:$@" -A -n ssl/server-cn-only.crt -i ssl/server-cn-only.crt -t "CT,C,C"
 	certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+	certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
 	openssl pkcs12 -export -out ssl/nss/server-cn-only.pfx -inkey ssl/server-cn-only.key -in ssl/server-cn-only.crt -certfile ssl/server_ca.crt -passout pass:
 	pk12util -i ssl/nss/server-cn-only.pfx -d "sql:$@" -W ''
 
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 6b8bca2846..5a83a1d277 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -159,12 +159,12 @@ test_connect_ok(
 test_connect_fails(
 	$common_connstr,
 	"sslrootcert=invalid sslmode=verify-ca",
-	qr/root certificate file "invalid" does not exist|Peer's Certificate issuer is not recognized/,
+	qr/root certificate file "invalid" does not exist|Peer's certificate issuer has been marked as not trusted by the user/,
 	"connect without server root cert sslmode=verify-ca");
 test_connect_fails(
 	$common_connstr,
 	"sslrootcert=invalid sslmode=verify-full",
-	qr/root certificate file "invalid" does not exist|Peer's Certificate issuer is not recognized/,
+	qr/root certificate file "invalid" does not exist|Peer's certificate issuer has been marked as not trusted by the user/,
 	"connect without server root cert sslmode=verify-full");
 
 # Try with wrong root cert, should fail. (We're using the client CA as the
@@ -604,14 +604,10 @@ switch_server_cert($node, 'server-cn-only', 'root_ca');
 $common_connstr =
   "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client+client_ca.crt__client.key.db";
 
-TODO:
-{
-	local $TODO = "WIP failure cause currently unknown";
-	test_connect_ok(
-		$common_connstr,
-		"sslmode=require sslcert=ssl/client+client_ca.crt",
-		"intermediate client certificate is provided by client");
-}
+test_connect_ok(
+	$common_connstr,
+	"sslmode=require sslcert=ssl/client+client_ca.crt",
+	"intermediate client certificate is provided by client");
 
 test_connect_fails(
 	$common_connstr,
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 4d7874d420..43565bdf6e 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -29,7 +29,8 @@ if ($ENV{with_ssl} eq 'openssl')
 elsif ($ENV{with_ssl} eq 'nss')
 {
 	$nss = 1;
-	plan tests => 8;
+	$supports_tls_server_end_point = 1;
+	plan tests => 9;
 }
 else
 {
@@ -79,24 +80,20 @@ test_connect_ok(
 	"user=ssltestuser channel_binding=disable",
 	"SCRAM with SSL and channel_binding=disable");
 
-SKIP:
+if ($supports_tls_server_end_point)
 {
-	skip "NSS support for TLS server endpoing is not implemented", 1 if ($nss);
-	if ($supports_tls_server_end_point)
-	{
-		test_connect_ok(
-			$common_connstr,
-			"user=ssltestuser channel_binding=require",
-			"SCRAM with SSL and channel_binding=require");
-	}
-	else
-	{
-		test_connect_fails(
-			$common_connstr,
-			"user=ssltestuser channel_binding=require",
-			qr/channel binding is required, but server did not offer an authentication method that supports channel binding/,
-			"SCRAM with SSL and channel_binding=require");
-	}
+	test_connect_ok(
+		$common_connstr,
+		"user=ssltestuser channel_binding=require",
+		"SCRAM with SSL and channel_binding=require");
+}
+else
+{
+	test_connect_fails(
+		$common_connstr,
+		"user=ssltestuser channel_binding=require",
+		qr/channel binding is required, but server did not offer an authentication method that supports channel binding/,
+		"SCRAM with SSL and channel_binding=require");
 }
 
 # Now test when the user has an MD5-encrypted password; should fail
@@ -106,21 +103,17 @@ test_connect_fails(
 	qr/channel binding required but not supported by server's authentication request/,
 	"MD5 with SSL and channel_binding=require");
 
-SKIP:
-{
-	skip "NSS support not implemented yet", 1 if ($nss);
-	# Now test with auth method 'cert' by connecting to 'certdb'. Should fail,
-	# because channel binding is not performed.  Note that ssl/client.key may
-	# be used in a different test, so the name of this temporary client key
-	# is chosen here to be unique.
-	my $client_tmp_key = "ssl/client_scram_tmp.key";
-	copy("ssl/client.key", $client_tmp_key);
-	chmod 0600, $client_tmp_key;
-	test_connect_fails(
-		"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR",
-		"dbname=certdb user=ssltestuser channel_binding=require",
-		qr/channel binding required, but server authenticated client without channel binding/,
-		"Cert authentication and channel_binding=require");
-	# clean up
-	unlink($client_tmp_key);
-}
+# Now test with auth method 'cert' by connecting to 'certdb'. Should fail,
+# because channel binding is not performed.  Note that ssl/client.key may
+# be used in a different test, so the name of this temporary client key
+# is chosen here to be unique.
+my $client_tmp_key = "ssl/client_scram_tmp.key";
+copy("ssl/client.key", $client_tmp_key);
+chmod 0600, $client_tmp_key;
+test_connect_fails(
+	"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client.crt__client.key.db",
+	"dbname=certdb user=ssltestuser channel_binding=require",
+	qr/channel binding required, but server authenticated client without channel binding/,
+	"Cert authentication and channel_binding=require");
+# clean up
+unlink($client_tmp_key);