
Commit 8d3a4c3

Use more verbose matching patterns for errors in SSL TAP tests
The TAP tests of src/test/ssl/ have been using rather generic matching patterns to check some failure scenarios, like "SSL error" or just "FATAL". These have been introduced in 081bfc1.

Those messages are not wrong per se, but when working on the integration of new SSL libraries it becomes hard to know if those errors are legit or not, and existing scenarios may fail in incorrect ways.

This commit makes all those messages more verbose by adding the information generated by OpenSSL. Fortunately, the same error messages are used for all the versions supported on HEAD (checked that after running the tests from 1.0.1 to 1.1.1), so the change is straight-forward.

Reported-by: Jacob Champion, Álvaro Herrera
Discussion: https://postgr.es/m/YGU3AxQh0zBMMW8m@paquier.xyz
1 parent e6bdfd9 commit 8d3a4c3

1 file changed

+12
-12
lines changed
src/test/ssl/t/001_ssltests.pl

@@ -158,22 +158,22 @@
158158
# root, but the server's key is signed by the server CA.)
159159
$node->connect_fails(
160160
"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=require",
161-
qr/SSL error/,
161+
qr/SSL error: certificate verify failed/,
162162
"connect with wrong server root cert sslmode=require");
163163
$node->connect_fails(
164164
"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-ca",
165-
qr/SSL error/,
165+
qr/SSL error: certificate verify failed/,
166166
"connect with wrong server root cert sslmode=verify-ca");
167167
$node->connect_fails(
168168
"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-full",
169-
qr/SSL error/,
169+
qr/SSL error: certificate verify failed/,
170170
"connect with wrong server root cert sslmode=verify-full");
171171

172172
# Try with just the server CA's cert. This fails because the root file
173173
# must contain the whole chain up to the root CA.
174174
$node->connect_fails(
175175
"$common_connstr sslrootcert=ssl/server_ca.crt sslmode=verify-ca",
176-
qr/SSL error/,
176+
qr/SSL error: certificate verify failed/,
177177
"connect with server CA cert, without root CA");
178178

179179
# And finally, with the correct root cert.
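Review bot: The pattern qr/SSL error: certificate verify failed/ is now written out four times in this hunk (lines 161, 165, 169 and 176) and again in the later hunks. Since the commit message gives the integration of new SSL libraries as the motivation, consider defining it once near the top of the file, for example my $verify_failed = qr/SSL error: certificate verify failed/;, so that a change in wording is made in one place rather than in every call.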
@@ -206,13 +206,13 @@
206206
# A CRL belonging to a different CA is not accepted, fails
207207
$node->connect_fails(
208208
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
209-
qr/SSL error/,
209+
qr/SSL error: certificate verify failed/,
210210
"CRL belonging to a different CA");
211211

212212
# The same for CRL directory
213213
$node->connect_fails(
214214
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",
215-
qr/SSL error/,
215+
qr/SSL error: certificate verify failed/,
216216
"directory CRL belonging to a different CA");
217217

218218
# With the correct CRL, succeeds (this cert is not revoked)
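Review bot: At lines 209 and 215 the expected text for a CRL belonging to a different CA is the same "certificate verify failed" string used for the wrong-root-cert cases in the previous hunk, so these two tests cannot tell a CRL-related rejection from a chain-building failure. If the client-side error carries nothing more specific, a short comment above each call saying so would record that the generic match is deliberate.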
@@ -328,11 +328,11 @@
328328
"connects without client-side CRL");
329329
$node->connect_fails(
330330
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
331-
qr/SSL error/,
331+
qr/SSL error: certificate verify failed/,
332332
"does not connect with client-side CRL file");
333333
$node->connect_fails(
334334
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
335-
qr/SSL error/,
335+
qr/SSL error: certificate verify failed/,
336336
"does not connect with client-side CRL directory");
337337

338338
# pg_stat_ssl
@@ -499,7 +499,7 @@
499499
# revoked client cert
500500
$node->connect_fails(
501501
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
502-
qr/SSL error/,
502+
qr/SSL error: sslv3 alert certificate revoked/,
503503
"certificate authorization fails with revoked client cert");
504504

505505
# Check that connecting with auth-option verify-full in pg_hba:
@@ -515,7 +515,7 @@
515515

516516
$node->connect_fails(
517517
"$common_connstr user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key",
518-
qr/FATAL/,
518+
qr/FATAL: .* "trust" authentication failed for user "anotheruser"/,
519519
"auth_option clientcert=verify-full fails with mismatching username and Common Name"
520520
);
521521
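Review bot: The new pattern at line 518 expects "trust" authentication failed, while the test description and the comment at line 505 speak only of clientcert=verify-full; a one-line comment explaining why the message names "trust" would save the next reader from having to look up the pg_hba setup. The .* between FATAL: and "trust" is also unexplained: either say what it is meant to skip or replace it with the literal text, so the match stays as strict as the rest of this commit intends.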

@@ -536,15 +536,15 @@
536536
"intermediate client certificate is provided by client");
537537
$node->connect_fails(
538538
$common_connstr . " " . "sslmode=require sslcert=ssl/client.crt",
539-
qr/SSL error/, "intermediate client certificate is missing");
539+
qr/SSL error: tlsv1 alert unknown ca/, "intermediate client certificate is missing");
540540

541541
# test server-side CRL directory
542542
switch_server_cert($node, 'server-cn-only', undef, undef, 'root+client-crldir');
543543

544544
# revoked client cert
545545
$node->connect_fails(
546546
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key",
547-
qr/SSL error/,
547+
qr/SSL error: sslv3 alert certificate revoked/,
548548
"certificate authorization fails with revoked client cert with server-side CRL directory");
549549

550550
# clean up
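Review bot: Line 539 keeps the pattern and the test description on one line, qr/SSL error: tlsv1 alert unknown ca/, "intermediate client certificate is missing");, which has grown noticeably longer than before; put the description on its own line as the call at 547-548 does. It would also help to note in a comment that "tlsv1 alert unknown ca" here and "sslv3 alert certificate revoked" at line 547 are alert texts reported for a rejection on the server side, unlike the "certificate verify failed" cases earlier in the file.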
