Use more verbose matching patterns for errors in SSL TAP tests

michaelpq · michaelpq · commit 8d3a4c3eae53 · 2021-04-03T20:49:08.000+09:00
The TAP tests of src/test/ssl/ have been using rather generic matching patterns to check some failure scenarios, like "SSL error" or just "FATAL". These have been introduced in 081bfc1. Those messages are not wrong per se, but when working on the integration of new SSL libraries it becomes hard to know if those errors are legit or not, and existing scenarios may fail in incorrect ways. This commit makes all those messages more verbose by adding the information generated by OpenSSL. Fortunately, the same error messages are used for all the versions supported on HEAD (checked that after running the tests from 1.0.1 to 1.1.1), so the change is straight-forward. Reported-by: Jacob Champion, Álvaro Herrera Discussion: https://postgr.es/m/YGU3AxQh0zBMMW8m@paquier.xyz
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
@@ -158,22 +158,22 @@
 # root, but the server's key is signed by the server CA.)
 $node->connect_fails(
 	"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=require",
-	qr/SSL error/,
+	qr/SSL error: certificate verify failed/,
 	"connect with wrong server root cert sslmode=require");
 $node->connect_fails(
 	"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-ca",
-	qr/SSL error/,
+	qr/SSL error: certificate verify failed/,
 	"connect with wrong server root cert sslmode=verify-ca");
 $node->connect_fails(
 	"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-full",
-	qr/SSL error/,
+	qr/SSL error: certificate verify failed/,
 	"connect with wrong server root cert sslmode=verify-full");
 
 # Try with just the server CA's cert. This fails because the root file
 # must contain the whole chain up to the root CA.
 $node->connect_fails(
 	"$common_connstr sslrootcert=ssl/server_ca.crt sslmode=verify-ca",
-	qr/SSL error/,
+	qr/SSL error: certificate verify failed/,
 	"connect with server CA cert, without root CA");
 
 # And finally, with the correct root cert.
@@ -206,13 +206,13 @@
 # A CRL belonging to a different CA is not accepted, fails
 $node->connect_fails(
 	"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
-	qr/SSL error/,
+	qr/SSL error: certificate verify failed/,
 	"CRL belonging to a different CA");
 
 # The same for CRL directory
 $node->connect_fails(
 	"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",
-	qr/SSL error/,
+	qr/SSL error: certificate verify failed/,
 	"directory CRL belonging to a different CA");
 
 # With the correct CRL, succeeds (this cert is not revoked)
@@ -328,11 +328,11 @@
 	"connects without client-side CRL");
 $node->connect_fails(
 	"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
-	qr/SSL error/,
+	qr/SSL error: certificate verify failed/,
 	"does not connect with client-side CRL file");
 $node->connect_fails(
 	"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
-	qr/SSL error/,
+	qr/SSL error: certificate verify failed/,
 	"does not connect with client-side CRL directory");
 
 # pg_stat_ssl
@@ -499,7 +499,7 @@
 # revoked client cert
 $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
-	qr/SSL error/,
+	qr/SSL error: sslv3 alert certificate revoked/,
 	"certificate authorization fails with revoked client cert");
 
 # Check that connecting with auth-option verify-full in pg_hba:
@@ -515,7 +515,7 @@
 
 $node->connect_fails(
 	"$common_connstr user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",
-	qr/FATAL/,
+	qr/FATAL: .* "trust" authentication failed for user "anotheruser"/,
 	"auth_option clientcert=verify-full fails with mismatching username and Common Name"
 );
 
@@ -536,15 +536,15 @@
 	"intermediate client certificate is provided by client");
 $node->connect_fails(
 	$common_connstr . " " . "sslmode=require sslcert=ssl/client.crt",
-	qr/SSL error/, "intermediate client certificate is missing");
+	qr/SSL error: tlsv1 alert unknown ca/, "intermediate client certificate is missing");
 
 # test server-side CRL directory
 switch_server_cert($node, 'server-cn-only', undef, undef, 'root+client-crldir');
 
 # revoked client cert
 $node->connect_fails(
 	"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
-	qr/SSL error/,
+	qr/SSL error: sslv3 alert certificate revoked/,
 	"certificate authorization fails with revoked client cert with server-side CRL directory");
 
 # clean up
