Commit a12c75a1 authored by Michael Paquier

Fix SSL test for libpq connection parameter channel_binding

When compiling Postgres with OpenSSL 1.0.1 or older versions, SCRAM's
channel binding cannot be supported as X509_get_signature_nid() is
needed, which causes a regression test with channel_binding='require' to
fail as the server cannot publish SCRAM-SHA-256-PLUS as SASL mechanism
over an SSL connection.

Fix the issue by using a method similar to c3d41ccf, making the test
result conditional.  The test passes if X509_get_signature_nid() is
present, and when missing we test for a connection failure.  Testing a
connection failure is more useful than skipping the test as we should
fail the connection if channel binding is required by the client but the
server does not support it.

Reported-by: Tom Lane, Michael Paquier
Author: Michael Paquier
Discussion: https://postgr.es/m/20190927024457.GA8485@paquier.xyz
Discussion: https://postgr.es/m/24857.1569775891@sss.pgh.pa.us
parent 7acf8a87
...@@ -18,11 +18,15 @@ if ($ENV{with_openssl} ne 'yes') ...@@ -18,11 +18,15 @@ if ($ENV{with_openssl} ne 'yes')
plan skip_all => 'SSL not supported by this build'; plan skip_all => 'SSL not supported by this build';
} }
my $number_of_tests = 9;
# This is the hostname used to connect to the server. # This is the hostname used to connect to the server.
my $SERVERHOSTADDR = '127.0.0.1'; my $SERVERHOSTADDR = '127.0.0.1';
# Determine whether build supports tls-server-end-point.
my $supports_tls_server_end_point =
check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1");
my $number_of_tests = $supports_tls_server_end_point ? 9 : 10;
# Allocation of base connection string shared among multiple tests. # Allocation of base connection string shared among multiple tests.
my $common_connstr; my $common_connstr;
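Review bot: The two test counts in `my $number_of_tests = $supports_tls_server_end_point ? 9 : 10;` are unexplained, and nothing in the hunk says why the build without tls-server-end-point runs one more test than the build with it. Presumably the failure path in the later hunk counts as two checks (connection failure plus the error-message match) where the success path counts as one, but that is a guess from the visible lines. A one-line comment next to the ternary stating which call accounts for the extra test would keep the plan from drifting the next time a test is added to either branch.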
...@@ -60,10 +64,21 @@ test_connect_ok( ...@@ -60,10 +64,21 @@ test_connect_ok(
$common_connstr, $common_connstr,
"user=ssltestuser channel_binding=disable", "user=ssltestuser channel_binding=disable",
"SCRAM with SSL and channel_binding=disable"); "SCRAM with SSL and channel_binding=disable");
test_connect_ok( if ($supports_tls_server_end_point)
$common_connstr, {
"user=ssltestuser channel_binding=require", test_connect_ok(
"SCRAM with SSL and channel_binding=require"); $common_connstr,
"user=ssltestuser channel_binding=require",
"SCRAM with SSL and channel_binding=require");
}
else
{
test_connect_fails(
$common_connstr,
"user=ssltestuser channel_binding=require",
qr/could not connect to server: channel binding is required, but server did not offer an authentication method that supports channel binding/,
"SCRAM with SSL and channel_binding=require");
}
# Now test when the user has an MD5-encrypted password; should fail # Now test when the user has an MD5-encrypted password; should fail
test_connect_fails( test_connect_fails(
......
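Review bot: The `else` branch pins the whole client error string, including the `could not connect to server:` prefix, in the `qr/.../` passed to `test_connect_fails`, so any rewording of that message breaks the test only on builds without `X509_get_signature_nid()`, which are the builds least likely to be run regularly. Matching just the stable part, for example `qr/channel binding is required, but server did not offer/`, would still prove that the client refused the connection for the right reason. Both branches also use the same description, "SCRAM with SSL and channel_binding=require", so the test output does not show which branch ran; giving the failure case its own label (for instance, noting that the server lacks tls-server-end-point support) would make a report from an old-OpenSSL machine easier to read.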