Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
Cc: Andres Freund <andres(at)anarazel(dot)de>, byavuz81(at)gmail(dot)com, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org>, Heikki Linnakangas <heikki(dot)linnakangas(at)iki(dot)fi>, Michael Paquier <michael(at)paquier(dot)xyz>
Subject: Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0
Date: 2022-02-03 05:41:17
Message-ID: 203742.1643866877@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

I wrote:
> I had an OpenBSD 6.8 image laying about, so I tried the ssl test
> there, and it falls over in even more places:
> ...
> A lot of the errors look like they didn't yet have support for
> TLS 1.2; this is typical:

On further investigation, that's nonsense, because the postmaster logs
show that most if not all of the connections that are succeeding are
TLSv1.3, eg

2022-02-02 21:31:07.492 EST [96067] [unknown] LOG: 00000: connection authorized: user=ssltestuser database=trustdb application_name=001_ssltests.pl SSL enabled (protocol=TLSv1.3, cipher=AEAD-AES256-GCM-SHA384, bits=256)

However, PG believes that the library only supports up to 1.2,
because TLS1_3_VERSION isn't defined. I found this in
/usr/include/openssl/tls1.h:

#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
#define TLS1_3_VERSION 0x0304
#endif

LIBRESSL_HAS_TLS1_3 is not defined anywhere; in
/usr/include/openssl/opensslfeatures.h I find

/*
* Feature flags for LibreSSL... so you can actually tell when things
* are enabled, rather than not being able to tell when things are
* enabled (or possibly not yet not implemented, or removed!).
*/
/* #define LIBRESSL_HAS_TLS1_3 */

which is about the best example I've seen lately of crappy code
falsifying the adjacent comment.

I added

#define LIBRESSL_HAS_TLS1_3 1

to pg_config.h to see what would happen. It seems that about
the same number of tests fall over, but now the errors are
(mostly) not about TLS version. Some look like they might
just be mismatched expectations of exactly what error will
be issued:

# Failed test 'connect with wrong server root cert sslmode=require: matches'
# at t/001_ssltests.pl line 170.
# 'psql: error: connection to server at "127.0.0.1", port 62542 failed: SSL error: tlsv1 alert unknown ca'
# doesn't match '(?^:SSL error: certificate verify failed)'

I get the impression though that there's still some mismatch
about how to establish which CAs are trusted, and there are
still a few "tlsv1 alert protocol version" errors with no
obvious reason.

I thought for awhile that the library might be forcing a minimum
TLS version of 1.3 (despite the headers not even claiming to
support it at all), because that would fit right in with OpenBSD's
securer-than-thou ethos. I still suspect that something like that
might be going on, but I don't have hard evidence.

regards, tom lane

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Etsuro Fujita 2022-02-03 06:32:24 Re: BUG #17355: Server crashes on ExecReScanForeignScan in postgres_fdw when accessing foreign partition
Previous Message Tom Lane 2022-02-03 04:50:41 Re: BUG #17384: ERROR: missing chunk number 0 for toast value 152073604 in pg_toast_2619