Re: Out-of-tree certificate interferes ssltest
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Kyotaro Horiguchi <horikyota.ntt@gmail.com>, pgsql-hackers@lists.postgresql.org
Date: 2022-03-18T01:02:52Z
Lists: pgsql-hackers
Attachments
- ssltest-tap-3.patch (text/x-diff) patch
On Thu, Mar 17, 2022 at 02:28:49PM +0100, Daniel Gustafsson wrote: > One small concern though. This hunk: > > +my $default_ssl_connstr = "sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid"; > + > $common_connstr = > - "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; > + "$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; > > ..together with the following changes along the lines of: > > - "$common_connstr sslrootcert=invalid sslmode=require", > + "$common_connstr sslmode=require", > > ..is making it fairly hard to read the test and visualize what the connection > string is and how the test should behave. I don't have a better idea off the > top of my head right now, but I think this is an area to revisit and improve > on. I agree that this makes this set of three tests harder to follow, as we expect a root cert to *not* be set locally. Keeping the behavior documented in each individual string would be better, even if that duplicates more the keys in those final strings. Another thing that Horiguchi-san has pointed out upthread (?) is 003, where it is also possible to trigger failures once the environment is hijacked. The attached allows the full test suite to pass without issues on my side. -- Michael
Commits
-
Fix failures in SSL tests caused by out-of-tree keys and certificates
- 8138bd4a567e 10.21 landed
- 635abe6cd4d5 11.16 landed
- 199ca68c9245 12.11 landed
- f32be9938ca4 13.7 landed
- fdb1be4962ca 14.3 landed
- 9ca234bae793 15.0 landed