Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Thomas Munro <thomas.munro@gmail.com>,
Andres Freund <andres@anarazel.de>,
byavuz81@gmail.com,
PostgreSQL mailing lists <pgsql-bugs@lists.postgresql.org>,
Heikki Linnakangas <heikki.linnakangas@iki.fi>,
Michael Paquier <michael@paquier.xyz>
Date: 2022-02-03T14:25:59Z
Lists: pgsql-bugs
> On 3 Feb 2022, at 06:41, Tom Lane <tgl@sss.pgh.pa.us> wrote: > However, PG believes that the library only supports up to 1.2, > because TLS1_3_VERSION isn't defined. I found this in > /usr/include/openssl/tls1.h: > > #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) > #define TLS1_3_VERSION 0x0304 > #endif > > LIBRESSL_HAS_TLS1_3 is not defined anywhere; in > /usr/include/openssl/opensslfeatures.h I find > > /* > * Feature flags for LibreSSL... so you can actually tell when things > * are enabled, rather than not being able to tell when things are > * enabled (or possibly not yet not implemented, or removed!). > */ > /* #define LIBRESSL_HAS_TLS1_3 */ > > which is about the best example I've seen lately of crappy code > falsifying the adjacent comment. AFAICT from reading their (not too extensive) docs is that they consider 1.3 supporting starting with 3.4 which supports the OpenSSL 1.1.1 API. Recent reports [0] on their -portable Github repo are saying it still doesn't work. I haven't dug too far in to this yet, but will have a look. Adding host=localhost to the connection string in the tests make all the tests but two pass for me: t/001_ssltests.pl .. 93/110 # Failed test 'certificate authorization fails with revoked client cert: matches' # at t/001_ssltests.pl line 565. # 'psql: error: connection to server at "127.0.0.1", port 50547 failed: server closed the connection unexpectedly # This probably means the server terminated abnormally # before or while processing the request. # SSL SYSCALL error: Broken pipe' # doesn't match '(?^:SSL error: sslv3 alert certificate revoked)' # Failed test 'certificate authorization fails with revoked client cert with server-side CRL directory: matches' # at t/001_ssltests.pl line 618. # 'psql: error: connection to server at "127.0.0.1", port 50547 failed: server closed the connection unexpectedly # This probably means the server terminated abnormally # before or while processing the request. # SSL SYSCALL error: Broken pipe # connection to server at "127.0.0.1", port 50547 failed: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "ssltestuser", database "certdb", no encryption' # doesn't match '(?^:SSL error: sslv3 alert certificate revoked)' # Looks like you failed 2 tests of 110. t/001_ssltests.pl .. Dubious, test returned 2 (wstat 512, 0x200) Failed 2/110 subtests t/002_scram.pl ..... ok t/003_sslinfo.pl ... ok The remaining tests are both CRL tests, but I haven't had time yet to dig into why those are failing (the logs weren't terribly helpful on a quick glance). -- Daniel Gustafsson https://vmware.com/ [0] https://github.com/libressl-portable/portable/issues/228
Commits
-
Move libpq's write_failed mechanism down to pqsecure_raw_write().
- faa189c932d5 15.0 landed
-
Fix thinko in PQisBusy().
- c9d35dc7f8a9 12.11 landed
- ae27b1acc43d 14.3 landed
- 51ee561f5671 13.7 landed
- 335fa5a26029 15.0 landed
-
Set SNI ClientHello extension to localhost in tests
- 6d503d2a4732 15.0 landed
- 5f00ef065ec8 14.3 landed
-
Improve worst-case performance of text_position_get_match_pos()
- b31e3f561365 15.0 cited