Re: pgsql: Implement channel binding tls-server-end-point for SCRAM

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pgsql: Implement channel binding tls-server-end-point for SCRAM
Date: 2018-01-05 14:28:53
Message-ID: CAB7nPqShHkb+RXEkXfP5XV2dYt6zHhzkeWLVtW=exHa+aDgV8g@mail.gmail.com
Lists: pgsql-committers pgsql-hackers

On Fri, Jan 5, 2018 at 10:47 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> The SSL tests on chipmunk failed in the last run. I assume that's
> probably the fault of this patch, or one of the follow-on commits:

Thanks for the heads-up, Robert. I did not notice the failure. That's
the fault of 054e8c6c. Raspbian is using OpenSSL 1.0.1t (package list
can be downloaded in
http://archive.raspbian.org/raspbian/dists/wheezy/main/binary-armhf/Packages
for 38MB), which does not have the necessary facilities to implement
tls-server-end-point as upstream has added necessary APIs only in
1.0.2.

In order to do things cleanly, we should make this TAP test
conditional on the version of OpenSSL. There have been discussions in
the past to make a module dedicated to that, but no clear patch or
approach has shown up. This can be retrieved with SSLeay_version() or
"openssl version", but that seems not fun nor stable to rely on
openssl to be in PATH. I don't see disabling this test helping either,
but we could consider that without an appropriate module to track
dependencies in a build with its versions. I would be personally fine
with having an environment variable switch I could use to enable the
test as well as I use already a script to run all regression tests in
the tree (src/test/ssl is not run by default as it is insecure for
shared environments, without counting on meltdowns).

Thoughts from others?
--
Michael
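
The version gate discussed in the message above, as an added example that is not part of the original post or of the PostgreSQL tree: it decides from a version banner in the format printed by "openssl version" whether a tls-server-end-point test can run, using the 1.0.2 threshold stated in the message. The names cb_gate and cb_gate_from_banner are hypothetical, and the banner strings in main() are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of the gate (hypothetical names, not from the PostgreSQL tree). */
enum cb_gate { CB_SKIP_UNKNOWN = -1, CB_SKIP_TOO_OLD = 0, CB_RUN = 1 };

/*
 * Decide whether the channel-binding test can run, given a banner such as
 * "OpenSSL 1.0.1t  3 May 2016". Per the message, the APIs needed for
 * tls-server-end-point exist only from OpenSSL 1.0.2 onwards.
 */
enum cb_gate
cb_gate_from_banner(const char *banner)
{
    int major, minor, fix;

    /* Unknown library or missing banner: skip rather than guess. */
    if (banner == NULL || strncmp(banner, "OpenSSL ", 8) != 0)
        return CB_SKIP_UNKNOWN;
    /* %d stops at the patch letter, so "1.0.1t" parses as 1, 0, 1. */
    if (sscanf(banner + 8, "%d.%d.%d", &major, &minor, &fix) != 3)
        return CB_SKIP_UNKNOWN;
    if (major < 0 || minor < 0 || fix < 0)
        return CB_SKIP_UNKNOWN;

    /* Compare (major, minor, fix) against (1, 0, 2). */
    if (major != 1)
        return major > 1 ? CB_RUN : CB_SKIP_TOO_OLD;
    if (minor != 0)
        return CB_RUN;
    return fix >= 2 ? CB_RUN : CB_SKIP_TOO_OLD;
}

int
main(void)
{
    /* Constructed sample banners. */
    const char *samples[] = {
        "OpenSSL 1.0.1t  3 May 2016",
        "OpenSSL 1.0.2n  7 Dec 2017",
        "OpenSSL 1.1.0g  2 Nov 2017",
        "SomeOtherTLS 2.6.4",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-30s -> %d\n", samples[i], cb_gate_from_banner(samples[i]));
    return 0;
}
```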
