Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0
From | Daniel Gustafsson |
---|---|
Subject | Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0 |
Date | |
Msg-id | C44CE9FB-B37E-47D3-924B-4AF808AE98B1@yesql.se |
In reply to | Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0 (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0 |
List | pgsql-bugs |
> On 3 Feb 2022, at 06:41, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> However, PG believes that the library only supports up to 1.2,
> because TLS1_3_VERSION isn't defined. I found this in
> /usr/include/openssl/tls1.h:
>
> #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
> #define TLS1_3_VERSION 0x0304
> #endif
>
> LIBRESSL_HAS_TLS1_3 is not defined anywhere; in
> /usr/include/openssl/opensslfeatures.h I find
>
> /*
>  * Feature flags for LibreSSL... so you can actually tell when things
>  * are enabled, rather than not being able to tell when things are
>  * enabled (or possibly not yet not implemented, or removed!).
>  */
> /* #define LIBRESSL_HAS_TLS1_3 */
>
> which is about the best example I've seen lately of crappy code
> falsifying the adjacent comment.

AFAICT from reading their (not too extensive) docs, they consider 1.3 supported starting with 3.4, which supports the OpenSSL 1.1.1 API. Recent reports [0] on their -portable GitHub repo are saying it still doesn't work. I haven't dug too far into this yet, but will have a look.

Adding host=localhost to the connection string in the tests makes all the tests but two pass for me:

```
t/001_ssltests.pl .. 93/110
# Failed test 'certificate authorization fails with revoked client cert: matches'
# at t/001_ssltests.pl line 565.
# 'psql: error: connection to server at "127.0.0.1", port 50547 failed: server closed the connection unexpectedly
# This probably means the server terminated abnormally
# before or while processing the request.
# SSL SYSCALL error: Broken pipe'
# doesn't match '(?^:SSL error: sslv3 alert certificate revoked)'
# Failed test 'certificate authorization fails with revoked client cert with server-side CRL directory: matches'
# at t/001_ssltests.pl line 618.
# 'psql: error: connection to server at "127.0.0.1", port 50547 failed: server closed the connection unexpectedly
# This probably means the server terminated abnormally
# before or while processing the request.
# SSL SYSCALL error: Broken pipe
# connection to server at "127.0.0.1", port 50547 failed: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "ssltestuser",database "certdb", no encryption'
# doesn't match '(?^:SSL error: sslv3 alert certificate revoked)'
# Looks like you failed 2 tests of 110.
t/001_ssltests.pl .. Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/110 subtests
t/002_scram.pl ..... ok
t/003_sslinfo.pl ... ok
```

The remaining tests are both CRL tests, but I haven't had time yet to dig into why those are failing (the logs weren't terribly helpful on a quick glance).

--
Daniel Gustafsson
https://vmware.com/

[0] https://github.com/libressl-portable/portable/issues/228