database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-05-21 15:54:08 +03:00
Code

Set SNI ClientHello extension to localhost in tests

Browse Source 
The connection strings in the SSL client tests were using the host
set up from Cluster.pm which is a temporary pathname. When SNI is
enabled we pass the host to OpenSSL in order to set the server name
indication ClientHello extension via SSL_set_tlsext_host_name.

OpenSSL doesn't validate the hostname apart from checking the max
length, but LibreSSL checks for RFC 5890 conformance which results
in errors during testing as the pathname from Cluster.pm is not a
valid hostname.

Fix by setting the host explicitly to localhost, as that's closer
to the intent of the test.

Backpatch through 14 where SNI support came in.

Reported-by: Nazir Bilal Yavuz <byavuz81@gmail.com>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Discussion: https://postgr.es/m/17391-304f81bcf724b58b@postgresql.org
Backpatch-through: 14
This commit is contained in:
Daniel Gustafsson 2022-02-10 14:23:36 +01:00
parent 4c5c41b4d9
commit 6d503d2a47
3 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/test/ssl/t/001_ssltests.pl
View File

@ -396,7 +396,7 @@ $node->connect_fails(
note "running server tests"; note "running server tests";
$common_connstr = $common_connstr =
"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR"; "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost";
# no client cert # no client cert
$node->connect_fails( $node->connect_fails(
@ -573,7 +573,7 @@ $node->connect_fails(
# works, iff username matches Common Name # works, iff username matches Common Name
# fails, iff username doesn't match Common Name. # fails, iff username doesn't match Common Name.
$common_connstr = $common_connstr =
"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR"; "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost";
$node->connect_ok( $node->connect_ok(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=$key{'client.key'}", "$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=$key{'client.key'}",
@ -600,7 +600,7 @@ $node->connect_ok(
# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
switch_server_cert($node, 'server-cn-only', 'root_ca'); switch_server_cert($node, 'server-cn-only', 'root_ca');
$common_connstr = $common_connstr =
"user=ssltestuser dbname=certdb sslkey=$key{'client.key'} sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; "user=ssltestuser dbname=certdb sslkey=$key{'client.key'} sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost";
$node->connect_ok( $node->connect_ok(
"$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt", "$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt",

6
src/test/ssl/t/002_scram.pl
View File

@ -53,7 +53,7 @@ configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR,
switch_server_cert($node, 'server-cn-only'); switch_server_cert($node, 'server-cn-only');
$ENV{PGPASSWORD} = "pass"; $ENV{PGPASSWORD} = "pass";
$common_connstr = $common_connstr =
"dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR"; "dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost";
# Default settings # Default settings
$node->connect_ok( $node->connect_ok(
@ -104,7 +104,7 @@ chmod 0600, "$cert_tempdir/client_scram.key"
or die "failed to change permissions on $cert_tempdir/client_scram.key: $!"; or die "failed to change permissions on $cert_tempdir/client_scram.key: $!";
$client_tmp_key =~ s!\\!/!g if $PostgreSQL::Test::Utils::windows_os; $client_tmp_key =~ s!\\!/!g if $PostgreSQL::Test::Utils::windows_os;
$node->connect_fails( $node->connect_fails(
"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR dbname=certdb user=ssltestuser channel_binding=require", "sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost dbname=certdb user=ssltestuser channel_binding=require",
"Cert authentication and channel_binding=require", "Cert authentication and channel_binding=require",
expected_stderr => expected_stderr =>
qr/channel binding required, but server authenticated client without channel binding/ qr/channel binding required, but server authenticated client without channel binding/
@ -112,7 +112,7 @@ $node->connect_fails(
# Certificate verification at the connection level should still work fine. # Certificate verification at the connection level should still work fine.
$node->connect_ok( $node->connect_ok(
"sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR dbname=verifydb user=ssltestuser", "sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost dbname=verifydb user=ssltestuser",
"SCRAM with clientcert=verify-full", "SCRAM with clientcert=verify-full",
log_like => [ log_like => [
qr/connection authenticated: identity="ssltestuser" method=scram-sha-256/ qr/connection authenticated: identity="ssltestuser" method=scram-sha-256/

6
src/test/ssl/t/003_sslinfo.pl
View File

@ -67,7 +67,7 @@ configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR,
switch_server_cert($node, 'server-revoked'); switch_server_cert($node, 'server-revoked');
$common_connstr = $common_connstr =
"sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR " . "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost " .
"user=ssltestuser sslcert=ssl/client_ext.crt sslkey=$client_tmp_key"; "user=ssltestuser sslcert=ssl/client_ext.crt sslkey=$client_tmp_key";
# Make sure we can connect even though previous test suites have established this # Make sure we can connect even though previous test suites have established this
@ -98,7 +98,7 @@ is($result, 't', "ssl_client_cert_present() for connection with cert");
$result = $node->safe_psql("trustdb", "SELECT ssl_client_cert_present();", $result = $node->safe_psql("trustdb", "SELECT ssl_client_cert_present();",
connstr => "sslrootcert=ssl/root+server_ca.crt sslmode=require " . connstr => "sslrootcert=ssl/root+server_ca.crt sslmode=require " .
"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser"); "dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost");
is($result, 'f', "ssl_client_cert_present() for connection without cert"); is($result, 'f', "ssl_client_cert_present() for connection without cert");
$result = $node->safe_psql("certdb", $result = $node->safe_psql("certdb",
@ -113,7 +113,7 @@ is($result, '3', "ssl_client_dn_field() for an invalid field");
$result = $node->safe_psql("trustdb", "SELECT ssl_client_dn_field('commonName');", $result = $node->safe_psql("trustdb", "SELECT ssl_client_dn_field('commonName');",
connstr => "sslrootcert=ssl/root+server_ca.crt sslmode=require " . connstr => "sslrootcert=ssl/root+server_ca.crt sslmode=require " .
"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser"); "dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost");
is($result, '', "ssl_client_dn_field() for connection without cert"); is($result, '', "ssl_client_dn_field() for connection without cert");
$result = $node->safe_psql("certdb", $result = $node->safe_psql("certdb",