| From: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, byavuz81(at)gmail(dot)com, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org>, Heikki Linnakangas <heikki(dot)linnakangas(at)iki(dot)fi>, Michael Paquier <michael(at)paquier(dot)xyz> |
| Subject: | Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0 |
| Date: | 2022-02-03 14:25:59 |
| Message-ID: | C44CE9FB-B37E-47D3-924B-4AF808AE98B1@yesql.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
> On 3 Feb 2022, at 06:41, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> However, PG believes that the library only supports up to 1.2,
> because TLS1_3_VERSION isn't defined. I found this in
> /usr/include/openssl/tls1.h:
>
> #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
> #define TLS1_3_VERSION 0x0304
> #endif
>
> LIBRESSL_HAS_TLS1_3 is not defined anywhere; in
> /usr/include/openssl/opensslfeatures.h I find
>
> /*
> * Feature flags for LibreSSL... so you can actually tell when things
> * are enabled, rather than not being able to tell when things are
> * enabled (or possibly not yet not implemented, or removed!).
> */
> /* #define LIBRESSL_HAS_TLS1_3 */
>
> which is about the best example I've seen lately of crappy code
> falsifying the adjacent comment.
AFAICT from reading their (not too extensive) docs is that they consider 1.3
supporting starting with 3.4 which supports the OpenSSL 1.1.1 API. Recent
reports [0] on their -portable Github repo are saying it still doesn't work. I
haven't dug too far in to this yet, but will have a look.
Adding host=localhost to the connection string in the tests make all the tests
but two pass for me:
t/001_ssltests.pl .. 93/110
# Failed test 'certificate authorization fails with revoked client cert: matches'
# at t/001_ssltests.pl line 565.
# 'psql: error: connection to server at "127.0.0.1", port 50547 failed: server closed the connection unexpectedly
# This probably means the server terminated abnormally
# before or while processing the request.
# SSL SYSCALL error: Broken pipe'
# doesn't match '(?^:SSL error: sslv3 alert certificate revoked)'
# Failed test 'certificate authorization fails with revoked client cert with server-side CRL directory: matches'
# at t/001_ssltests.pl line 618.
# 'psql: error: connection to server at "127.0.0.1", port 50547 failed: server closed the connection unexpectedly
# This probably means the server terminated abnormally
# before or while processing the request.
# SSL SYSCALL error: Broken pipe
# connection to server at "127.0.0.1", port 50547 failed: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "ssltestuser", database "certdb", no encryption'
# doesn't match '(?^:SSL error: sslv3 alert certificate revoked)'
# Looks like you failed 2 tests of 110.
t/001_ssltests.pl .. Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/110 subtests
t/002_scram.pl ..... ok
t/003_sslinfo.pl ... ok
The remaining tests are both CRL tests, but I haven't had time yet to dig into
why those are failing (the logs weren't terribly helpful on a quick glance).
--
Daniel Gustafsson https://vmware.com/
[0] https://github.com/libressl-portable/portable/issues/228
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Daniel Gustafsson | 2022-02-03 15:48:40 | Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0 |
| Previous Message | PG Bug reporting form | 2022-02-03 13:26:03 | BUG #17393: Delete database after recovery with point-in-time is still missing datafiles |