Re: disabled SSL log_like tests

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Thomas Munro <thomas.munro@gmail.com>, Andrew Dunstan <andrew@dunslane.net>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Jacob Champion <jacob.champion@enterprisedb.com>
Date: 2025-05-07T17:53:38Z
Lists: pgsql-hackers
> On 7 May 2025, at 18:04, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> Daniel Gustafsson <daniel@yesql.se> writes:
>>> On 7 May 2025, at 06:34, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>> I couldn't help noticing that the backtraces went through
>>> lib/libssl/tls13_legacy.c, which doesn't give a warm feeling
>>> about how supported they think our usage is (and perhaps also
>>> explains why they didn't detect this bug themselves).
> 
>> Since we no longer support 1.0.2 we can apply something like the (lightly
>> tested) attached which should be a no-op as we already use TLS_method() but via
>> an alias.
> 
> Yeah, I saw that SSLv23_method() was merely an alias for TLS_method()
> in LibreSSL as well.  That means unfortunately that your proposal is
> just cosmetic and doesn't get us out of using code that they're
> calling "legacy".  I wonder what it would take to get to the "modern"
> code paths.

AFAICT (it's not documented what I can see) the Libressl folks consider code
inherited from OpenSSL legacy.  Using current OpenSSL API's and moving away
from deprecated API's is probably our best bet.  On that note, TLS_method is
the current API to use in both OpenSSL and Libressl according to their
respective documentations.

A separate be-secure-libressl.c could move to use their libtls instead of the
libssl OpenSSL compatibility library, which may be an interesting excercise but
a very different project from what is discussed here.

--
Daniel Gustafsson




Commits

  1. Skip RSA-PSS ssl test when using LibreSSL.

  2. Ooops ... add required configure support.

  3. Hack one ssl test case to pass with current LibreSSL.

  4. Centralize ssl tests' check for whether we're using LibreSSL.

  5. Re-enable SSL connect_fails tests, and fix related race conditions.

  6. Disable unstable test cases in src/test/ssl/t/001_ssltests.pl.