On Fri, 2021-05-28 at 11:04 +0200, Daniel Gustafsson wrote:
> Attached is a rebase to keep bitrot at bay.

I get a failure during one of the CRL directory tests due to a missing
database -- it looks like the Makefile is missing an entry. (I'm
dusting off my build after a few months away, so I don't know if this
latest rebase introduced it or not.)

Attached is a quick patch; does it work on your machine?

--Jacob
From 7a7b8904ef22212190bb988fab1ef696fe1a59de Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchamp...@vmware.com>
Date: Mon, 14 Jun 2021 15:04:26 -0700
Subject: [PATCH] test/ssl: fix NSS server-side CRL test

Make sure the database is created during `make nssfiles`, and expect a
revocation failure message.
---
 src/test/ssl/Makefile          | 2 ++
 src/test/ssl/t/001_ssltests.pl | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 14ca1f8bf3..557cbe223f 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -45,6 +45,7 @@ NSSFILES := ssl/nss/client_ca.crt.db \
        ssl/nss/client-revoked.crt__client-revoked.key.db \
        ssl/nss/server-cn-only.crt__server-password.key.db \
        ssl/nss/server-cn-only.crt__server-cn-only.key.db \
+       ssl/nss/server-cn-only.crt__server-cn-only.key.crldir.db \
        ssl/nss/root.crl \
        ssl/nss/server.crl \
        ssl/nss/client.crl \
@@ -167,6 +168,7 @@ ssl/nss/server-cn-only.crt__server-cn-only.key.db: 
ssl/server-cn-only.crt ssl/se
        pk12util -i ssl/nss/server-cn-only.pfx -d "sql:$@" -W ''
 
 ssl/nss/server-cn-only.crt__server-cn-only.key.crldir.db: 
ssl/nss/server-cn-only.crt__server-cn-only.key.db
+       cp -R $< $@
        for c in $(shell ls ssl/root+client-crldir) ; do \
                echo $${c} ; \
                openssl crl -in ssl/root+client-crldir/$${c} -outform der -out 
ssl/nss/$${c} ; \
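
Review bot: The added `cp -R $< $@` in the recipe for ssl/nss/server-cn-only.crt__server-cn-only.key.crldir.db only yields a clean copy when the target does not exist yet. If the directory is already present (a rebuild after the prerequisite changed, or after the recipe failed partway through the CRL loop), cp -R places the source inside it as a subdirectory and the old database contents stay where they were. Removing the target first, for example `rm -rf $@` ahead of the copy, makes the rule safe to re-run. A one-line comment saying that the crldir database starts as a copy of the server database would also help the next reader.
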
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 4105a67b94..aec99e7bf6 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -664,7 +664,7 @@ $node->connect_fails(
        "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt 
sslkey=ssl/client-revoked_tmp.key 
ssldatabase=ssl/nss/client-revoked.crt__client-revoked.key.db",
        "certificate authorization fails with revoked client cert with 
server-side CRL directory",
        expected_stderr =>
-         qr/SSL error: sslv3 alert certificate revoked|SSL error: Encountered 
end of file/);
+         qr/SSL error: sslv3 alert certificate revoked|SSL peer rejected your 
certificate as revoked/);
 
 # clean up
 
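Review bot: The new expected_stderr pattern still accepts either alternative no matter which TLS library the test runs against, so a build that should report `sslv3 alert certificate revoked` also passes on `SSL peer rejected your certificate as revoked`, and the reverse. Consider selecting the pattern per library so each build checks its own wording. The new alternative also drops the `SSL error: ` prefix that the replaced one carried; because the regex is unanchored it matches with or without the prefix, so it is worth stating in the commit message which form is actually emitted.
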
-- 
2.25.1
