author | Tatsuo Ishii | 2024-11-23 10:13:06 +0000 |
---|---|---|
committer | Tatsuo Ishii | 2024-11-23 10:25:57 +0000 |
commit | dd5a79aef8081bea74f9be7c4beb54ef34637ec9 (patch) | |
tree | ba51a39c6f03e44a07b6cac61c4c2f7031b1023b /src | |
parent | 8343af575acf67b26613332adb04a49dcff378f5 (diff) |
Test: fix recent 024.cert_auth regression test failure.
Starting from Thu, 21 Nov 2024 16:11:06 +0900, buildfarm's
024.cert_auth has started failing on RockyLinux9 regardless of the
Pgpool-II versions or PostgreSQL versions. It seems that at that time the
test platform was updated from RockyLinux9.4 to RockyLinux9.5 and the
openssl version was updated from 3.0 to 3.2 as well. The test first
revokes the frontend certificate using openssl ca -revoke, and then
generates a separate CRL file using the openssl ca -gencrl command. I
suspect that openssl 3.2 now checks the revoked certificate itself and
decides that it is not valid.
Let's see how buildfarm reacts.
Diffstat (limited to 'src')
-rwxr-xr-x | src/test/regression/tests/024.cert_auth/cert.sh | 4 | ||||
-rwxr-xr-x | src/test/regression/tests/024.cert_auth/test.sh | 9 |
2 files changed, 10 insertions, 3 deletions
diff --git a/src/test/regression/tests/024.cert_auth/cert.sh b/src/test/regression/tests/024.cert_auth/cert.sh index f50466bce..dbc3cdcab 100755 --- a/src/test/regression/tests/024.cert_auth/cert.sh +++ b/src/test/regression/tests/024.cert_auth/cert.sh @@ -71,6 +71,6 @@ openssl ca -batch -in frontend.req -config crl_openssl.conf -days 375 -notext -m # Generate clean CRL (No revocation so far) openssl ca -gencrl -config crl_openssl.conf -out server.crl -cert root.crt -keyfile root.key # Revoke Frontend Cert -openssl ca -revoke frontend.crt -config crl_openssl.conf -keyfile root.key -cert root.crt -out root.crl +#openssl ca -revoke frontend.crt -config crl_openssl.conf -keyfile root.key -cert root.crt -out root.crl # Generate CRL after revocation -openssl ca -gencrl -config crl_openssl.conf -out server_revoked.crl -cert root.crt -keyfile root.key +#openssl ca -gencrl -config crl_openssl.conf -out server_revoked.crl -cert root.crt -keyfile root.key diff --git a/src/test/regression/tests/024.cert_auth/test.sh b/src/test/regression/tests/024.cert_auth/test.sh index 8f5082a0a..452301973 100755 --- a/src/test/regression/tests/024.cert_auth/test.sh +++ b/src/test/regression/tests/024.cert_auth/test.sh @@ -35,7 +35,7 @@ cp -p ../$SSL_KEY etc/ chmod og-rwx etc/$SSL_KEY cp -p ../$SSL_CRT etc/ cp -p ../$SSL_CRL etc/ -cp -p ../$SSL_CRL2 etc/ +#cp -p ../$SSL_CRL2 etc/ cp -p ../$ROOT_CRT etc/ echo "ssl = on" >> etc/pgpool.conf @@ -77,6 +77,7 @@ echo "Checking cert auth between Pgpool-II and frontend was ok." # Starting CRL verification + # Adding valid CRL file in pgpool.conf file. echo "ssl_crl_file = '$SSL_CRL'" >> etc/pgpool.conf 
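Review bot: The two `openssl ca` commands in the cert.sh hunk are left as commented-out code under their original headings (`# Revoke Frontend Cert`, `# Generate CRL after revocation`), so cert.sh still reads as if it produces server_revoked.crl. Deleting them and leaving a single comment such as `# Revocation and server_revoked.crl generation are done in test.sh, after the clean-CRL check` would make clear where the revoked CRL now comes from and why it is deferred. The same applies to the commented-out `#cp -p ../$SSL_CRL2 etc/` in the first test.sh hunk. If anything else consumes server_revoked.crl right after cert.sh runs, it will no longer find the file; that is not visible from these hunks and is worth confirming.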
@@ -116,6 +117,12 @@ echo "Checking cert auth between Pgpool-II and frontend with clean CRL was ok." # Adding CRL file with revoked certification entry in pgpool.conf file. echo "Updating pgpool.conf with revoked CRL file" +# Revoke Frontend Cert +(cd ..;openssl ca -revoke frontend.crt -config crl_openssl.conf -keyfile root.key -cert root.crt -out root.crl) +# Generate CRL after revocation +(cd ..; openssl ca -gencrl -config crl_openssl.conf -out server_revoked.crl -cert root.crt -keyfile root.key) +cp -p ../$SSL_CRL2 etc/ + sed -i 's/server.crl/server_revoked.crl/' etc/pgpool.conf # Check pgpool configuration is updated successfully |
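Review bot: The revoke and gencrl subshells added ahead of `cp -p ../$SSL_CRL2 etc/` do not check for failure: with `(cd ..;openssl ca -revoke ...)` openssl still runs if the `cd` fails, and nothing in the hunk stops the script when either openssl call returns non-zero. The step that follows is a negative test, where the connection is expected to be refused once server_revoked.crl is configured, so a missing or stale CRL could cause the refusal for an unrelated reason and the test would still report success. Writing the first command as `(cd .. && openssl ca -revoke frontend.crt -config crl_openssl.conf -keyfile root.key -cert root.crt -out root.crl) || exit 1`, doing likewise for the `-gencrl` call, and quoting `"../$SSL_CRL2"` would surface a setup failure instead of masking it. The rest of test.sh lies outside the hunk, so confirm whether it already runs under `set -e` before adding the explicit exits.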