Re: BUG #17522: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL test fails on OpenBSD 7.1

At Mon, 20 Jun 2022 14:22:09 +0200, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> wrote in
> On 20.06.22 05:05, Michael Paquier wrote:
> > On Fri, Jun 17, 2022 at 12:03:16PM +0000, PG Bug reporting form wrote:
> > Thanks for the report.
> >
> >> [11:41:29.100](0.001s) not ok 77 - IPv4 host with CIDR mask does not
> >> match:
> >> matches
> >> [11:41:29.100](0.000s)
> >> [11:41:29.100](0.000s) # Failed test 'IPv4 host with CIDR mask does
> >> not
> >> match: matches'
> >> # at t/001_ssltests.pl line 336.
> >> [11:41:29.100](0.000s) # 'psql: error: connection to
> >> server at "127.0.0.1", port 60779 failed: could not set SSL Server
> >> Name
> >> Indication (SNI): ssl3 ext invalid servername'
> >> # doesn't match '(?^:server\ certificate\ for\ \"192\.0\.2\.1\"\ \(and\
> >> 1\ other\ name\)\ does\ not\ match\ host\ name\ \"192\.0\.2\.1\/32\")'
> > There is only one failure. None of the buildfarm members running
> > OpneBSD check the SSL tests, but this specific test has been
> > introduced by c1932e5.
> > I am adding Peter and Jacob in CC. This is a new open item for v15.
>
> The test is
>
> $node->connect_fails(
> "$common_connstr host=192.0.2.1/32",
> "IPv4 host with CIDR mask does not match",
> expected_stderr =>
> qr/\Qserver certificate for "192.0.2.1" (and 1 other name) does not
> match host name "192.0.2.1\/32"\E/
> );
>
> which is not using a valid host name to begin with. What is the
> purpose of this test?

It checks if that such invalid name is properly rejected. The
certificate to match with is a IPv4 GEN_IPADD so the name
"192.0.2.1/32" is fed to inet_pton() and the function is supposed to
reject the invalid address.

OpenBSD 7.1's inet_aton() seems like accepting the address as valid.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center