| From: | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Out-of-tree certificate interferes ssltest |
| Date: | 2022-03-17 07:22:14 |
| Message-ID: | YjLhpog7Q0kRQq1K@paquier.xyz |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, Mar 17, 2022 at 02:59:26PM +0900, Michael Paquier wrote:
> In both cases, enforcing sslcrl to a value of "invalid" interferes
> with the failure scenario we expect from sslcrldir. It is possible to
> bypass that with something like the attached, but that's a kind of
> ugly hack. Another alternative would be to drop those two tests, and
> I am not sure how much we care about these two negative scenarios.
Actually, there is a trick I have recalled here: we can enforce sslcrl
to an empty value in the connection string after the default. This
still ensures that the test won't pick up any SSL data from the local
environment and avoids any interferences of OpenSSL's
X509_STORE_load_locations(). This gives a much simpler and cleaner
patch.
Thoughts?
--
Michael
| Attachment | Content-Type | Size |
|---|---|---|
| ssltest-tap-2.patch | text/x-diff | 7.4 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2022-03-17 07:36:52 | Re: shared-memory based stats collector - v66 |
| Previous Message | Pavan Deolasee | 2022-03-17 07:12:58 | Shmem queue is not flushed if receiver is not yet attached |