Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, byavuz81(at)gmail(dot)com, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org>, Heikki Linnakangas <heikki(dot)linnakangas(at)iki(dot)fi>, Michael Paquier <michael(at)paquier(dot)xyz>
Subject: Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0
Date: 2022-02-03 14:25:59
Message-ID: C44CE9FB-B37E-47D3-924B-4AF808AE98B1@yesql.se
Lists: pgsql-bugs

> On 3 Feb 2022, at 06:41, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> However, PG believes that the library only supports up to 1.2,
> because TLS1_3_VERSION isn't defined. I found this in
> /usr/include/openssl/tls1.h:
>
> #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
> #define TLS1_3_VERSION 0x0304
> #endif
>
> LIBRESSL_HAS_TLS1_3 is not defined anywhere; in
> /usr/include/openssl/opensslfeatures.h I find
>
> /*
> * Feature flags for LibreSSL... so you can actually tell when things
> * are enabled, rather than not being able to tell when things are
> * enabled (or possibly not yet not implemented, or removed!).
> */
> /* #define LIBRESSL_HAS_TLS1_3 */
>
> which is about the best example I've seen lately of crappy code
> falsifying the adjacent comment.

AFAICT from reading their (not too extensive) docs, they consider 1.3
supported starting with 3.4, which supports the OpenSSL 1.1.1 API. Recent
reports [0] on their -portable Github repo are saying it still doesn't work. I
haven't dug too far into this yet, but will have a look.

Adding host=localhost to the connection string in the tests makes all the tests
but two pass for me:

t/001_ssltests.pl .. 93/110
# Failed test 'certificate authorization fails with revoked client cert: matches'
# at t/001_ssltests.pl line 565.
# 'psql: error: connection to server at "127.0.0.1", port 50547 failed: server closed the connection unexpectedly
# This probably means the server terminated abnormally
# before or while processing the request.
# SSL SYSCALL error: Broken pipe'
# doesn't match '(?^:SSL error: sslv3 alert certificate revoked)'

# Failed test 'certificate authorization fails with revoked client cert with server-side CRL directory: matches'
# at t/001_ssltests.pl line 618.
# 'psql: error: connection to server at "127.0.0.1", port 50547 failed: server closed the connection unexpectedly
# This probably means the server terminated abnormally
# before or while processing the request.
# SSL SYSCALL error: Broken pipe
# connection to server at "127.0.0.1", port 50547 failed: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "ssltestuser", database "certdb", no encryption'
# doesn't match '(?^:SSL error: sslv3 alert certificate revoked)'
# Looks like you failed 2 tests of 110.
t/001_ssltests.pl .. Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/110 subtests
t/002_scram.pl ..... ok
t/003_sslinfo.pl ... ok

The remaining tests are both CRL tests, but I haven't had time yet to dig into
why those are failing (the logs weren't terribly helpful on a quick glance).

--
Daniel Gustafsson https://vmware.com/

[0] https://github.com/libressl-portable/portable/issues/228
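As an added example (not part of this thread and not PostgreSQL's or LibreSSL's own code), the following POSIX shell script checks an include directory for exactly the header situation quoted above: whether tls1.h defines TLS1_3_VERSION unconditionally or only behind an #if guard, and whether opensslfeatures.h actually enables LIBRESSL_HAS_TLS1_3 as a live #define rather than a commented-out one. It assumes both headers sit in one directory (as under /usr/include/openssl in the quoted message); the sample header contents it writes to a temp directory are constructed for the demo, modelled on the quoted snippets.

```shell
#!/bin/sh
# Added example, not from the thread or from PostgreSQL: inspect LibreSSL-style
# headers for the case where TLS1_3_VERSION is only defined behind a feature
# guard (LIBRESSL_HAS_TLS1_3) that the shipped opensslfeatures.h never enables,
# so a build that keys TLS 1.3 support off the macro silently caps at TLS 1.2.

# Report how a tls1.h defines TLS1_3_VERSION. Prints one of:
#   unconditional        - defined at preprocessor nesting depth 0
#   guarded:<condition>  - defined inside an #if/#ifdef/#ifndef block
#   absent               - never defined in the header
tls13_macro_status() {
    awk '
        /^[ \t]*#[ \t]*if/     { depth++; cond[depth] = $0; next }
        /^[ \t]*#[ \t]*endif/  { if (depth > 0) depth--; next }
        /^[ \t]*#[ \t]*define[ \t]+TLS1_3_VERSION([ \t]|$)/ {
            found = 1
            if (depth == 0) { print "unconditional"; exit }
            c = cond[depth]
            sub(/^[ \t]*#[ \t]*if[a-z]*[ \t]*/, "", c)   # strip "#if " / "#ifdef "
            print "guarded:" c
            exit
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# Return 0 when FLAG ($2) is a live "#define FLAG" in FILE ($1). The
# commented-out form "/* #define FLAG */" does not start with "#", so it fails.
feature_flag_enabled() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|$)" "$1"
}

# Write constructed sample headers (modelled on the quoted snippets, not copied
# from any real installation) into a temp dir and print its path.
make_sample_headers() {
    d=$(mktemp -d)
    cat > "$d/tls1.h" <<'EOF'
#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
#define TLS1_3_VERSION 0x0304
#endif
EOF
    cat > "$d/opensslfeatures.h" <<'EOF'
/* Feature flags for LibreSSL (constructed sample) */
#define LIBRESSL_HAS_TLS1_2
/* #define LIBRESSL_HAS_TLS1_3 */
EOF
    # An OpenSSL 1.1.1-style tls1.h, for comparison (constructed).
    cat > "$d/tls1_openssl.h" <<'EOF'
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304
EOF
    printf '%s\n' "$d"
}

# Combine both checks into one verdict for an include directory.
tls13_verdict() {
    incdir=$1
    status=$(tls13_macro_status "$incdir/tls1.h")
    case $status in
        unconditional) echo "TLS 1.3 advertised unconditionally" ;;
        absent)        echo "TLS 1.3 not advertised: TLS1_3_VERSION missing" ;;
        guarded:*)
            if feature_flag_enabled "$incdir/opensslfeatures.h" LIBRESSL_HAS_TLS1_3; then
                echo "TLS 1.3 advertised (guard enabled): ${status#guarded:}"
            else
                echo "TLS 1.3 NOT advertised: guarded by '${status#guarded:}' but LIBRESSL_HAS_TLS1_3 is not enabled"
            fi ;;
    esac
}

# Demo on the constructed headers. To check a real toolchain, point
# tls13_verdict at the directory the build actually includes from.
samples=$(make_sample_headers)
tls13_verdict "$samples"
tls13_macro_status "$samples/tls1_openssl.h"
rm -rf "$samples"
```

The awk pass only tracks #if nesting, so it reports the guard text rather than evaluating it; that is enough to spot the pattern in question, where the guard names a feature flag that the companion header leaves commented out.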
