|
138 | 138 |
|
139 | 139 | switch_server_cert($node, 'server-cn-only');
|
140 | 140 |
|
| 141 | +# Set of default settings for SSL parameters in connection string. This |
| 142 | +# makes the tests protected against any defaults the environment may have |
| 143 | +# in ~/.postgresql/. |
| 144 | +my $default_ssl_connstr = "sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid"; |
| 145 | + |
141 | 146 | $common_connstr =
|
142 |
| - "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; |
| 147 | + "$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; |
143 | 148 |
|
144 | 149 | # The server should not accept non-SSL connections.
|
145 | 150 | $node->connect_fails(
|
|
216 | 221 | "CRL belonging to a different CA",
|
217 | 222 | expected_stderr => qr/SSL error: certificate verify failed/);
|
218 | 223 |
|
219 |
| -# The same for CRL directory |
| 224 | +# The same for CRL directory. sslcrl='' is added here to override the |
| 225 | +# invalid default, so as this does not interfere with this case. |
220 | 226 | $node->connect_fails(
|
221 |
| - "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir", |
| 227 | + "$common_connstr sslcrl='' sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir", |
222 | 228 | "directory CRL belonging to a different CA",
|
223 | 229 | expected_stderr => qr/SSL error: certificate verify failed/);
|
224 | 230 |
|
|
235 | 241 | # Check that connecting with verify-full fails, when the hostname doesn't
|
236 | 242 | # match the hostname in the server's certificate.
|
237 | 243 | $common_connstr =
|
238 |
| - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; |
| 244 | + "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; |
239 | 245 |
|
240 | 246 | $node->connect_ok("$common_connstr sslmode=require host=wronghost.test",
|
241 | 247 | "mismatch between host name and server certificate sslmode=require");
|
|
253 | 259 | switch_server_cert($node, 'server-multiple-alt-names');
|
254 | 260 |
|
255 | 261 | $common_connstr =
|
256 |
| - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; |
| 262 | + "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; |
257 | 263 |
|
258 | 264 | $node->connect_ok(
|
259 | 265 | "$common_connstr host=dns1.alt-name.pg-ssltest.test",
|
|
282 | 288 | switch_server_cert($node, 'server-single-alt-name');
|
283 | 289 |
|
284 | 290 | $common_connstr =
|
285 |
| - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; |
| 291 | + "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; |
286 | 292 |
|
287 | 293 | $node->connect_ok(
|
288 | 294 | "$common_connstr host=single.alt-name.pg-ssltest.test",
|
|
306 | 312 | switch_server_cert($node, 'server-cn-and-alt-names');
|
307 | 313 |
|
308 | 314 | $common_connstr =
|
309 |
| - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; |
| 315 | + "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; |
310 | 316 |
|
311 | 317 | $node->connect_ok("$common_connstr host=dns1.alt-name.pg-ssltest.test",
|
312 | 318 | "certificate with both a CN and SANs 1");
|
|
323 | 329 | # not a very sensible certificate, but libpq should handle it gracefully.
|
324 | 330 | switch_server_cert($node, 'server-no-names');
|
325 | 331 | $common_connstr =
|
326 |
| - "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; |
| 332 | + "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; |
327 | 333 |
|
328 | 334 | $node->connect_ok(
|
329 | 335 | "$common_connstr sslmode=verify-ca host=common-name.pg-ssltest.test",
|
|
339 | 345 | switch_server_cert($node, 'server-revoked');
|
340 | 346 |
|
341 | 347 | $common_connstr =
|
342 |
| - "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; |
| 348 | + "$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; |
343 | 349 |
|
344 | 350 | # Without the CRL, succeeds. With it, fails.
|
345 | 351 | $node->connect_ok(
|
|
349 | 355 | "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
|
350 | 356 | "does not connect with client-side CRL file",
|
351 | 357 | expected_stderr => qr/SSL error: certificate verify failed/);
|
| 358 | +# sslcrl='' is added here to override the invalid default, so as this |
| 359 | +# does not interfere with this case. |
352 | 360 | $node->connect_fails(
|
353 |
| - "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir", |
| 361 | + "$common_connstr sslcrl='' sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir", |
354 | 362 | "does not connect with client-side CRL directory",
|
355 | 363 | expected_stderr => qr/SSL error: certificate verify failed/);
|
356 | 364 |
|
|
392 | 400 | note "running server tests";
|
393 | 401 |
|
394 | 402 | $common_connstr =
|
395 |
| - "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost"; |
| 403 | + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost"; |
396 | 404 |
|
397 | 405 | # no client cert
|
398 | 406 | $node->connect_fails(
|
|
569 | 577 | # works, iff username matches Common Name
|
570 | 578 | # fails, iff username doesn't match Common Name.
|
571 | 579 | $common_connstr =
|
572 |
| - "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost"; |
| 580 | + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost"; |
573 | 581 |
|
574 | 582 | $node->connect_ok(
|
575 | 583 | "$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=$key{'client.key'}",
|
|
596 | 604 | # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
|
597 | 605 | switch_server_cert($node, 'server-cn-only', 'root_ca');
|
598 | 606 | $common_connstr =
|
599 |
| - "user=ssltestuser dbname=certdb sslkey=$key{'client.key'} sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost"; |
| 607 | + "$default_ssl_connstr user=ssltestuser dbname=certdb sslkey=$key{'client.key'} sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost"; |
600 | 608 |
|
601 | 609 | $node->connect_ok(
|
602 | 610 | "$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt",
|
|
0 commit comments