since-v24.diff
text/x-patch
Filename: since-v24.diff
Type: text/x-patch
Part: 0
Patch
Format: unified
Series: patch v24
| File | + | − |
|---|---|---|
| src/test/ssl/Makefile | 1 | 0 |
| src/test/ssl/t/001_ssltests.pl | 6 | 10 |
| src/test/ssl/t/002_scram.pl | 29 | 36 |
commit 093bb937736cdfc871d8fd479748f93f18108ae0
Author: Jacob Champion <pchampion@vmware.com>
Date: Fri Jan 29 09:32:27 2021 -0800
test/ssl: fix final TODOs and SKIPs
The server-cn-only database didn't have the root CA installed to be able
to verify client certificates. Note that this changes the error message
printed during the invalid-root tests, because the server is now sending
the root of the chain (so the issuer is untrusted rather than
unrecognized).
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index d275c89672..c8032a2c13 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -147,6 +147,7 @@ ssl/nss/server-cn-only.crt__server-cn-only.key.db: ssl/server-cn-only.crt ssl/se
certutil -d "sql:$@" -N --empty-password
certutil -d "sql:$@" -A -n ssl/server-cn-only.crt -i ssl/server-cn-only.crt -t "CT,C,C"
certutil -d "sql:$@" -A -n server_ca.crt -i ssl/server_ca.crt -t "CT,C,C"
+ certutil -d "sql:$@" -A -n root_ca.crt -i ssl/root_ca.crt -t "CT,C,C"
openssl pkcs12 -export -out ssl/nss/server-cn-only.pfx -inkey ssl/server-cn-only.key -in ssl/server-cn-only.crt -certfile ssl/server_ca.crt -passout pass:
pk12util -i ssl/nss/server-cn-only.pfx -d "sql:$@" -W ''
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 6b8bca2846..5a83a1d277 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -159,12 +159,12 @@ test_connect_ok(
test_connect_fails(
$common_connstr,
"sslrootcert=invalid sslmode=verify-ca",
- qr/root certificate file "invalid" does not exist|Peer's Certificate issuer is not recognized/,
+ qr/root certificate file "invalid" does not exist|Peer's certificate issuer has been marked as not trusted by the user/,
"connect without server root cert sslmode=verify-ca");
test_connect_fails(
$common_connstr,
"sslrootcert=invalid sslmode=verify-full",
- qr/root certificate file "invalid" does not exist|Peer's Certificate issuer is not recognized/,
+ qr/root certificate file "invalid" does not exist|Peer's certificate issuer has been marked as not trusted by the user/,
"connect without server root cert sslmode=verify-full");
# Try with wrong root cert, should fail. (We're using the client CA as the
@@ -604,14 +604,10 @@ switch_server_cert($node, 'server-cn-only', 'root_ca');
$common_connstr =
"user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client+client_ca.crt__client.key.db";
-TODO:
-{
- local $TODO = "WIP failure cause currently unknown";
- test_connect_ok(
- $common_connstr,
- "sslmode=require sslcert=ssl/client+client_ca.crt",
- "intermediate client certificate is provided by client");
-}
+test_connect_ok(
+ $common_connstr,
+ "sslmode=require sslcert=ssl/client+client_ca.crt",
+ "intermediate client certificate is provided by client");
test_connect_fails(
$common_connstr,
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 4d7874d420..43565bdf6e 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -29,7 +29,8 @@ if ($ENV{with_ssl} eq 'openssl')
elsif ($ENV{with_ssl} eq 'nss')
{
$nss = 1;
- plan tests => 8;
+ $supports_tls_server_end_point = 1;
+ plan tests => 9;
}
else
{
@@ -79,24 +80,20 @@ test_connect_ok(
"user=ssltestuser channel_binding=disable",
"SCRAM with SSL and channel_binding=disable");
-SKIP:
+if ($supports_tls_server_end_point)
{
- skip "NSS support for TLS server endpoing is not implemented", 1 if ($nss);
- if ($supports_tls_server_end_point)
- {
- test_connect_ok(
- $common_connstr,
- "user=ssltestuser channel_binding=require",
- "SCRAM with SSL and channel_binding=require");
- }
- else
- {
- test_connect_fails(
- $common_connstr,
- "user=ssltestuser channel_binding=require",
- qr/channel binding is required, but server did not offer an authentication method that supports channel binding/,
- "SCRAM with SSL and channel_binding=require");
- }
+ test_connect_ok(
+ $common_connstr,
+ "user=ssltestuser channel_binding=require",
+ "SCRAM with SSL and channel_binding=require");
+}
+else
+{
+ test_connect_fails(
+ $common_connstr,
+ "user=ssltestuser channel_binding=require",
+ qr/channel binding is required, but server did not offer an authentication method that supports channel binding/,
+ "SCRAM with SSL and channel_binding=require");
}
# Now test when the user has an MD5-encrypted password; should fail
@@ -106,21 +103,17 @@ test_connect_fails(
qr/channel binding required but not supported by server's authentication request/,
"MD5 with SSL and channel_binding=require");
-SKIP:
-{
- skip "NSS support not implemented yet", 1 if ($nss);
- # Now test with auth method 'cert' by connecting to 'certdb'. Should fail,
- # because channel binding is not performed. Note that ssl/client.key may
- # be used in a different test, so the name of this temporary client key
- # is chosen here to be unique.
- my $client_tmp_key = "ssl/client_scram_tmp.key";
- copy("ssl/client.key", $client_tmp_key);
- chmod 0600, $client_tmp_key;
- test_connect_fails(
- "sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR",
- "dbname=certdb user=ssltestuser channel_binding=require",
- qr/channel binding required, but server authenticated client without channel binding/,
- "Cert authentication and channel_binding=require");
- # clean up
- unlink($client_tmp_key);
-}
+# Now test with auth method 'cert' by connecting to 'certdb'. Should fail,
+# because channel binding is not performed. Note that ssl/client.key may
+# be used in a different test, so the name of this temporary client key
+# is chosen here to be unique.
+my $client_tmp_key = "ssl/client_scram_tmp.key";
+copy("ssl/client.key", $client_tmp_key);
+chmod 0600, $client_tmp_key;
+test_connect_fails(
+ "sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR cert_database=ssl/nss/client.crt__client.key.db",
+ "dbname=certdb user=ssltestuser channel_binding=require",
+ qr/channel binding required, but server authenticated client without channel binding/,
+ "Cert authentication and channel_binding=require");
+# clean up
+unlink($client_tmp_key);