author | Daniel Gustafsson | 2024-10-24 13:20:28 +0000 |
---|---|---|
committer | Daniel Gustafsson | 2024-10-24 13:20:28 +0000 |
commit | 3d1ef3a15c3eb68dae44b94e89d04c422b26fc16 (patch) | |
tree | a710673741765cd033447a36f5e06005fa3fdc38 /src/test | |
parent | 6c66b7443cebf3ff09ea76416a20fb6bb1d32a52 (diff) |
Support configuring multiple ECDH curves
The ssl_ecdh_curve GUC only accepts a single value, but the TLS
handshake can list multiple curves in the groups extension (the
extension has been renamed to contain more than elliptic curves).
This changes the GUC to accept a colon-separated list of curves.
This commit also renames the GUC to ssl_groups to match the new
nomenclature for the TLS extension.
Original patch by Erica Zhang with additional hacking by me.
Author: Erica Zhang <ericazhangy2021@qq.com>
Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Reviewed-by: Andres Freund <andres@anarazel.de>
Reviewed-by: Peter Eisentraut <peter@eisentraut.org>
Reviewed-by: Jelte Fennema-Nio <postgres@jeltef.nl>
Discussion: https://postgr.es/m/tencent_063F89FA72CCF2E48A0DF5338841988E9809@qq.com
Diffstat (limited to 'src/test')
-rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 12 | ||||
-rw-r--r-- | src/test/ssl/t/SSL/Server.pm | 3 |
2 files changed, 15 insertions, 0 deletions
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 8eaf9deae79..131460a1fea 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -116,6 +116,18 @@ ssl_max_protocol_version=''});
 $result = $node->restart(fail_ok => 1);
 is($result, 1, 'restart succeeds with correct SSL protocol bounds');
 
+# Test parsing colon-separated groups. Resetting to a default value to clear
+# the error is fine since the call to switch_server_cert in the client side
+# tests will overwrite ssl_groups with a known set of groups.
+$node->append_conf('sslconfig.conf', qq{ssl_groups='bad:value'});
+my $log_size = -s $node->logfile;
+$result = $node->restart(fail_ok => 1);
+is($result, 0, 'restart fails with incorrect groups');
+ok($node->log_contains(qr/no SSL error reported/) == 0,
+ 'error message translated');
+$node->append_conf('ssl_config.conf', qq{ssl_groups='prime256v1'});
+$result = $node->restart(fail_ok => 1);
+
 ### Run client-side tests.
 ###
 ### Test that libpq accepts/rejects the connection correctly, depending
diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm
index de06f6f242f..c1b25a4ebf6 100644
--- a/src/test/ssl/t/SSL/Server.pm
+++ b/src/test/ssl/t/SSL/Server.pm
@@ -300,6 +300,9 @@ sub switch_server_cert
 ok(unlink($node->data_dir . '/sslconfig.conf'));
 $node->append_conf('sslconfig.conf', "ssl=on");
 $node->append_conf('sslconfig.conf', $backend->set_server_cert(\%params));
+ # use lists of ECDH curves for syntax testing
+ $node->append_conf('sslconfig.conf', 'ssl_groups=prime256v1:secp521r1');
+
 $node->append_conf('sslconfig.conf',
 "ssl_passphrase_command='" . $params{passphrase_cmd} . "'")
 if defined $params{passphrase_cmd}; |
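Review bot: `$log_size` is taken before the failing restart but never used, so the `log_contains(qr/no SSL error reported/)` check two lines later scans the whole server log rather than only the output of this restart; pass it as the offset, `ok($node->log_contains(qr/no SSL error reported/, $log_size) == 0, 'error message translated');`, or drop the variable. The reset that follows writes to `'ssl_config.conf'` while every other call in this hunk and in the Server.pm hunk uses `'sslconfig.conf'`, which looks like a typo; if that file is not read by the server the bad value stays in effect, and because the result of the final `restart` is never asserted a failure there would go unnoticed, so add `is($result, 1, 'restart succeeds after resetting ssl_groups');` after it. The negative check only proves the generic fallback text is absent; asserting the specific parse error for the bad group list, anchored at `$log_size`, would pin the behaviour the comment describes. The surrounding test script continues outside the hunk.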
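Review bot: The comment `# use lists of ECDH curves for syntax testing` keeps the old name even though the commit renames the GUC to ssl_groups and the very next line sets `ssl_groups=`; `# use a colon-separated list of groups so the multi-value parser path is exercised on every restart` matches the new nomenclature. The hard-coded `prime256v1:secp521r1` is presumably also what 001_ssltests.pl relies on to replace the deliberately bad value it writes, so a build whose TLS library lacks either group would make every client-side test fail at server start rather than in the groups test; a short comment stating that dependency would help whoever debugs such a failure. switch_server_cert begins and ends outside the hunk.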