Re: disabled SSL log_like tests
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Thomas Munro <thomas.munro@gmail.com>
Cc: Andrew Dunstan <andrew@dunslane.net>,
PostgreSQL-development <pgsql-hackers@postgresql.org>,
Jacob Champion <jacob.champion@enterprisedb.com>
Date: 2025-05-07T04:34:12Z
Lists: pgsql-hackers
Thomas Munro <thomas.munro@gmail.com> writes:
> On Wed, May 7, 2025 at 1:18 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Anyone know anything about where to submit LibreSSL bugs?
> I think it's done with sendbug on an OpenBSD box, or perhaps you can
> just write a normal email to the bugs@openbsd.org or
> libressl@openbsd.org list, based on:
> https://www.openbsd.org/mail.html
Thanks, I'll look into reporting it tomorrow. In the meantime,
I couldn't help noticing that the backtraces went through
lib/libssl/tls13_legacy.c, which doesn't give a warm feeling
about how supported they think our usage is (and perhaps also
explains why they didn't detect this bug themselves). This is
evidently because we set up the SSL context with SSLv23_method(),
per this comment in be_tls_init():
* We use SSLv23_method() because it can negotiate use of the highest
* mutually supported protocol version, while alternatives like
* TLSv1_2_method() permit only one specific version. Note that we don't
* actually allow SSL v2 or v3, only TLS protocols (see below).
This choice seems to be more than 20 years old, though the above
comment defending it dates only to 2014. I wonder if it's time to
revisit that idea.
regards, tom lane
Commits
-
Skip RSA-PSS ssl test when using LibreSSL.
- cad781b3e5de 16.10 landed
- 95129709fd9b 18.0 landed
- 793aa989f8e4 15.14 landed
- 3007fee7f292 17.6 landed
-
Ooops ... add required configure support.
- 00811a96ac45 15.14 landed
-
Hack one ssl test case to pass with current LibreSSL.
- 75d73331d014 18.0 landed
-
Centralize ssl tests' check for whether we're using LibreSSL.
- 976a8c2170f1 17.6 landed
- 27fbf7cb6391 16.10 landed
- 1ddb9e14eadf 15.14 landed
- 0aaf69965dbd 18.0 landed
-
Re-enable SSL connect_fails tests, and fix related race conditions.
- e0f373ee42a4 18.0 landed
-
Disable unstable test cases in src/test/ssl/t/001_ssltests.pl.
- 55828a6b6084 16.0 cited