Re: BUG #17522: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL test fails on OpenBSD 7.1

At Mon, 20 Jun 2022 14:22:09 +0200, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote in 
> On 20.06.22 05:05, Michael Paquier wrote:
> > On Fri, Jun 17, 2022 at 12:03:16PM +0000, PG Bug reporting form wrote:
> > Thanks for the report.
> > 
> >> [11:41:29.100](0.001s) not ok 77 - IPv4 host with CIDR mask does not
> >> match:
> >> matches
> >> [11:41:29.100](0.000s)
> >> [11:41:29.100](0.000s) # Failed test 'IPv4 host with CIDR mask does
> >> not
> >> match: matches'
> >> #   at t/001_ssltests.pl line 336.
> >> [11:41:29.100](0.000s) #                   'psql: error: connection to
> >> server at "127.0.0.1", port 60779 failed: could not set SSL Server
> >> Name
> >> Indication (SNI): ssl3 ext invalid servername'
> >> #     doesn't match '(?^:server\ certificate\ for\ \"192\.0\.2\.1\"\ \(and\
> >> 1\ other\ name\)\ does\ not\ match\ host\ name\ \"192\.0\.2\.1\/32\")'
> > There is only one failure.  None of the buildfarm members running
> > OpneBSD check the SSL tests, but this specific test has been
> > introduced by c1932e5.
> > I am adding Peter and Jacob in CC.  This is a new open item for v15.
> 
> The test is
> 
>     $node->connect_fails(
>         "$common_connstr host=192.0.2.1/32",
>         "IPv4 host with CIDR mask does not match",
>         expected_stderr =>
>           qr/\Qserver certificate for "192.0.2.1" (and 1 other name) does not
>           match host name "192.0.2.1\/32"\E/
>     );
> 
> which is not using a valid host name to begin with.  What is the
> purpose of this test?

It checks if that such invalid name is properly rejected. The
certificate to match with is a IPv4 GEN_IPADD so the name
"192.0.2.1/32" is fed to inet_pton() and the function is supposed to
reject the invalid address.

OpenBSD 7.1's inet_aton() seems like accepting the address as valid.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center