Re: Out-of-tree certificate interferes ssltest
Kyotaro Horiguchi <horikyota.ntt@gmail.com>
From: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
To: michael@paquier.xyz
Cc: daniel@yesql.se, pgsql-hackers@lists.postgresql.org
Date: 2022-03-17T08:05:10Z
Lists: pgsql-hackers
At Thu, 17 Mar 2022 16:22:14 +0900, Michael Paquier <michael@paquier.xyz> wrote in > On Thu, Mar 17, 2022 at 02:59:26PM +0900, Michael Paquier wrote: > > In both cases, enforcing sslcrl to a value of "invalid" interferes > > with the failure scenario we expect from sslcrldir. It is possible to > > bypass that with something like the attached, but that's a kind of > > ugly hack. Another alternative would be to drop those two tests, and > > I am not sure how much we care about these two negative scenarios. > > Actually, there is a trick I have recalled here: we can enforce sslcrl > to an empty value in the connection string after the default. This > still ensures that the test won't pick up any SSL data from the local > environment and avoids any interferences of OpenSSL's > X509_STORE_load_locations(). This gives a much simpler and cleaner > patch. > > Thoughts? Ah! I didn't have a thought that we can specify the same parameter twice. It looks like clean and robust. $default_ssl_connstr contains all required options in PQconninfoOptions[]. The same method worked for 003_sslinfo.pl, too. (of course). regards. -- Kyotaro Horiguchi NTT Open Source Software Center
Commits
-
Fix failures in SSL tests caused by out-of-tree keys and certificates
- 8138bd4a567e 10.21 landed
- 635abe6cd4d5 11.16 landed
- 199ca68c9245 12.11 landed
- f32be9938ca4 13.7 landed
- fdb1be4962ca 14.3 landed
- 9ca234bae793 15.0 landed