Daniel Gustafsson <dan...@yesql.se> writes:
> Maybe the ssl_library function should return a hash with backend => 'OpenSSL'
> and library => <the actual implementation used>?

I don't love doing it exactly like that: seems like it adds notational complexity for little gain. Also, it forces ssl_library to expend work detecting things the current caller may not care about. I was thinking about just transposing the existing test down to the backend layer, more or less as attached. Not wedded to these names of course.

> If we were to end up with a
> Libressl libtls implementation in libpq we'd still have to test with Libressl
> against the OpenSSL compat layer in libssl since it could act as both. Not a
> bridge we have to cross today but might be worth at least keeping in mind when
> designing something to not make it impossible in the future.

Right. I think the attached would be amenable to that.

Further down the road, it seems inevitable that we'll need to have a way of detecting the SSL library version --- for example, assuming the LibreSSL folk eventually fix their RSA-PSS code, we'll need a version-dependent test. That could be another new backend method, I guess.

regards, tom lane

diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 8b0de2d8e7e..60b5c3630b0 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -35,9 +35,8 @@ sub switch_server_cert $ssl_server->switch_server_cert(@_); } -# Determine whether this build uses OpenSSL or LibreSSL. As a heuristic, the -# HAVE_SSL_CTX_SET_CERT_CB macro isn't defined for LibreSSL. -my $libressl = not check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1"); +# Determine whether this build uses OpenSSL or LibreSSL. +my $libressl = $ssl_server->is_libressl; #### Some configuration diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Backend/OpenSSL.pm index e044318531f..4159addb700 100644 --- a/src/test/ssl/t/SSL/Backend/OpenSSL.pm +++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm @@ -26,6 +26,7 @@ package SSL::Backend::OpenSSL; use strict; use warnings FATAL => 'all'; +use PostgreSQL::Test::Utils; use File::Basename; use File::Copy; @@ -205,6 +206,23 @@ sub get_library return $self->{_library}; } +=pod + +=item $backend->library_is_libressl() + +Detect whether the SSL library is LibreSSL. + +=cut + +sub library_is_libressl +{ + my ($self) = @_; + + # The HAVE_SSL_CTX_SET_CERT_CB macro isn't defined for LibreSSL. + # We may eventually need a less-bogus heuristic. + return not check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1"); +} + # Internal method for copying a set of files, taking into account wildcards sub _copy_files { diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm index 14277418419..33975b28e8c 100644 --- a/src/test/ssl/t/SSL/Server.pm +++ b/src/test/ssl/t/SSL/Server.pm 
@@ -244,6 +244,23 @@ sub ssl_library =pod +=item $server->is_libressl() + +Detect whether the currently used SSL backend is LibreSSL. +(Ideally we'd not need this hack, but presently we do.) + +=cut + +sub is_libressl +{ + my $self = shift; + my $backend = $self->{backend}; + + return $backend->library_is_libressl(); +} + +=pod + =item switch_server_cert(params) Change the configuration to use the given set of certificate, key, ca and
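
Review bot: The POD for library_is_libressl in SSL/Backend/OpenSSL.pm promises more than the body delivers. It says "Detect whether the SSL library is LibreSSL", but the method returns the negation of check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1"), so any build where that macro is absent is reported as LibreSSL regardless of the reason. Suggest the POD entry itself state that this is a heuristic based on a build-configuration macro, rather than leaving that caveat only in the inline comment, so that callers gating security-relevant test cases on it know what is actually being checked.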
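
Review bot: is_libressl in SSL/Server.pm calls $backend->library_is_libressl() unconditionally, while the only implementation in this patch lives in SSL::Backend::OpenSSL, so any other backend module that lacks the method would die at this call. Either document library_is_libressl as a method every backend must provide, or guard the call with $backend->can('library_is_libressl') and return false when it is missing. Minor style point: the new POD item is written as "$server->is_libressl()" while the neighbouring item is "switch_server_cert(params)" without the object prefix; pick one form.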