From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | pgsql-committers(at)lists(dot)postgresql(dot)org |
Subject: | Re: pgsql: Remove support for OpenSSL 0.9.8 and 1.0.0 |
Date: | 2020-01-07 00:14:49 |
Message-ID: | 1899.1578356089@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers |
I wrote:
> * gaur fell over in the ssl test [2]. I had not asked it to run that
> test before, so this may well be a pre-existing issue not something
> new with the version change. It looks like something in that test
> is assuming that we have IPv6 support, which maybe it shouldn't be,
> even in 2020.
Yeah ... SSLServer.pm has code like this:
print $hba
"hostssl trustdb all $serverhost/32 $authmethod\n";
print $hba
"hostssl trustdb all ::1/128 $authmethod\n";
This seems to me to be approximately the worst of all possible worlds.
Not only will this not work on a machine where IPv6 isn't working, but
it's not possible to actually use IPv6 if you want to, because the netmask
for $serverhost is hard-wired. Furthermore, because the client side of
the tests always connects to $serverhost, the IPv6 entries are useless.
All they're doing is letting in connections we don't want, contrary to
the clear comment just above this.
I propose the attached, which removes the unnecessary entries
and puts full control of the IPv4/IPv6 decision in one place
(well, two places). The test will still always connect over IPv4,
but at least there's now a clear route to changing that if
someone wants to.
regards, tom lane
Attachment | Content-Type | Size |
---|---|---|
rationalize-address-usage-in-ssl-tests.patch | text/x-diff | 4.7 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Paquier | 2020-01-07 00:25:57 | Re: pgsql: Remove support for OpenSSL 0.9.8 and 1.0.0 |
Previous Message | Tom Lane | 2020-01-06 23:06:28 | Re: pgsql: Add basic TAP tests for psql's tab-completion logic. |