|
158 | 158 | # root, but the server's key is signed by the server CA.)
|
159 | 159 | $node->connect_fails(
|
160 | 160 | "$common_connstr sslrootcert=ssl/client_ca.crt sslmode=require",
|
161 |
| - qr/SSL error/, |
| 161 | + qr/SSL error: certificate verify failed/, |
162 | 162 | "connect with wrong server root cert sslmode=require");
|
163 | 163 | $node->connect_fails(
|
164 | 164 | "$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-ca",
|
165 |
| - qr/SSL error/, |
| 165 | + qr/SSL error: certificate verify failed/, |
166 | 166 | "connect with wrong server root cert sslmode=verify-ca");
|
167 | 167 | $node->connect_fails(
|
168 | 168 | "$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-full",
|
169 |
| - qr/SSL error/, |
| 169 | + qr/SSL error: certificate verify failed/, |
170 | 170 | "connect with wrong server root cert sslmode=verify-full");
|
171 | 171 |
|
172 | 172 | # Try with just the server CA's cert. This fails because the root file
|
173 | 173 | # must contain the whole chain up to the root CA.
|
174 | 174 | $node->connect_fails(
|
175 | 175 | "$common_connstr sslrootcert=ssl/server_ca.crt sslmode=verify-ca",
|
176 |
| - qr/SSL error/, |
| 176 | + qr/SSL error: certificate verify failed/, |
177 | 177 | "connect with server CA cert, without root CA");
|
178 | 178 |
|
179 | 179 | # And finally, with the correct root cert.
|
|
206 | 206 | # A CRL belonging to a different CA is not accepted, fails
|
207 | 207 | $node->connect_fails(
|
208 | 208 | "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
|
209 |
| - qr/SSL error/, |
| 209 | + qr/SSL error: certificate verify failed/, |
210 | 210 | "CRL belonging to a different CA");
|
211 | 211 |
|
212 | 212 | # The same for CRL directory
|
213 | 213 | $node->connect_fails(
|
214 | 214 | "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",
|
215 |
| - qr/SSL error/, |
| 215 | + qr/SSL error: certificate verify failed/, |
216 | 216 | "directory CRL belonging to a different CA");
|
217 | 217 |
|
218 | 218 | # With the correct CRL, succeeds (this cert is not revoked)
|
|
328 | 328 | "connects without client-side CRL");
|
329 | 329 | $node->connect_fails(
|
330 | 330 | "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
|
331 |
| - qr/SSL error/, |
| 331 | + qr/SSL error: certificate verify failed/, |
332 | 332 | "does not connect with client-side CRL file");
|
333 | 333 | $node->connect_fails(
|
334 | 334 | "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
|
335 |
| - qr/SSL error/, |
| 335 | + qr/SSL error: certificate verify failed/, |
336 | 336 | "does not connect with client-side CRL directory");
|
337 | 337 |
|
338 | 338 | # pg_stat_ssl
|
|
499 | 499 | # revoked client cert
|
500 | 500 | $node->connect_fails(
|
501 | 501 | "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
|
502 |
| - qr/SSL error/, |
| 502 | + qr/SSL error: sslv3 alert certificate revoked/, |
503 | 503 | "certificate authorization fails with revoked client cert");
|
504 | 504 |
|
505 | 505 | # Check that connecting with auth-option verify-full in pg_hba:
|
|
515 | 515 |
|
516 | 516 | $node->connect_fails(
|
517 | 517 | "$common_connstr user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",
|
518 |
| - qr/FATAL/, |
| 518 | + qr/FATAL: .* "trust" authentication failed for user "anotheruser"/, |
519 | 519 | "auth_option clientcert=verify-full fails with mismatching username and Common Name"
|
520 | 520 | );
|
521 | 521 |
|
|
536 | 536 | "intermediate client certificate is provided by client");
|
537 | 537 | $node->connect_fails(
|
538 | 538 | $common_connstr . " " . "sslmode=require sslcert=ssl/client.crt",
|
539 |
| - qr/SSL error/, "intermediate client certificate is missing"); |
| 539 | + qr/SSL error: tlsv1 alert unknown ca/, "intermediate client certificate is missing"); |
540 | 540 |
|
541 | 541 | # test server-side CRL directory
|
542 | 542 | switch_server_cert($node, 'server-cn-only', undef, undef, 'root+client-crldir');
|
543 | 543 |
|
544 | 544 | # revoked client cert
|
545 | 545 | $node->connect_fails(
|
546 | 546 | "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
|
547 |
| - qr/SSL error/, |
| 547 | + qr/SSL error: sslv3 alert certificate revoked/, |
548 | 548 | "certificate authorization fails with revoked client cert with server-side CRL directory");
|
549 | 549 |
|
550 | 550 | # clean up
|
|