Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Thomas Munro <thomas.munro@gmail.com>
Cc: Andres Freund <andres@anarazel.de>, byavuz81@gmail.com,
PostgreSQL mailing lists <pgsql-bugs@lists.postgresql.org>,
Heikki Linnakangas <heikki.linnakangas@iki.fi>,
Michael Paquier <michael@paquier.xyz>
Date: 2022-02-03T05:41:17Z
Lists: pgsql-bugs
I wrote: > I had an OpenBSD 6.8 image laying about, so I tried the ssl test > there, and it falls over in even more places: > ... > A lot of the errors look like they didn't yet have support for > TLS 1.2; this is typical: On further investigation, that's nonsense, because the postmaster logs show that most if not all of the connections that are succeeding are TLSv1.3, eg 2022-02-02 21:31:07.492 EST [96067] [unknown] LOG: 00000: connection authorized: user=ssltestuser database=trustdb application_name=001_ssltests.pl SSL enabled (protocol=TLSv1.3, cipher=AEAD-AES256-GCM-SHA384, bits=256) However, PG believes that the library only supports up to 1.2, because TLS1_3_VERSION isn't defined. I found this in /usr/include/openssl/tls1.h: #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) #define TLS1_3_VERSION 0x0304 #endif LIBRESSL_HAS_TLS1_3 is not defined anywhere; in /usr/include/openssl/opensslfeatures.h I find /* * Feature flags for LibreSSL... so you can actually tell when things * are enabled, rather than not being able to tell when things are * enabled (or possibly not yet not implemented, or removed!). */ /* #define LIBRESSL_HAS_TLS1_3 */ which is about the best example I've seen lately of crappy code falsifying the adjacent comment. I added #define LIBRESSL_HAS_TLS1_3 1 to pg_config.h to see what would happen. It seems that about the same number of tests fall over, but now the errors are (mostly) not about TLS version. Some look like they might just be mismatched expectations of exactly what error will be issued: # Failed test 'connect with wrong server root cert sslmode=require: matches' # at t/001_ssltests.pl line 170. # 'psql: error: connection to server at "127.0.0.1", port 62542 failed: SSL error: tlsv1 alert unknown ca' # doesn't match '(?^:SSL error: certificate verify failed)' I get the impression though that there's still some mismatch about how to establish which CAs are trusted, and there are still a few "tlsv1 alert protocol version" errors with no obvious reason. I thought for awhile that the library might be forcing a minimum TLS version of 1.3 (despite the headers not even claiming to support it at all), because that would fit right in with OpenBSD's securer-than-thou ethos. I still suspect that something like that might be going on, but I don't have hard evidence. regards, tom lane
Commits
-
Move libpq's write_failed mechanism down to pqsecure_raw_write().
- faa189c932d5 15.0 landed
-
Fix thinko in PQisBusy().
- c9d35dc7f8a9 12.11 landed
- ae27b1acc43d 14.3 landed
- 51ee561f5671 13.7 landed
- 335fa5a26029 15.0 landed
-
Set SNI ClientHello extension to localhost in tests
- 6d503d2a4732 15.0 landed
- 5f00ef065ec8 14.3 landed
-
Improve worst-case performance of text_position_get_match_pos()
- b31e3f561365 15.0 cited