From 55828a6b6084724b08675615a4e911ad4d421cd1 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Sat, 16 Jul 2022 18:26:25 -0400
Subject: [PATCH] Disable unstable test cases in
 src/test/ssl/t/001_ssltests.pl.

Some of the test cases added by commit 3a0e38504 are failing
intermittently in CI testing.  It looks like, when a connection
attempt fails, it's possible for psql to exit and the test script
to slurp up the postmaster's log file before the connected backend
has managed to write the log entry we're expecting to see.

It's not clear whether that's fixable in any robust way.  Pending
more thought, just comment out the log_like checks.  The ones in
connect_ok tests should be fine, since surely the log entry should
be emitted before we complete the client auth sequence.  I took
out all the ones in connect_fails tests though.

Discussion: https://postgr.es/m/E1oCNLk-000LCH-Af@gemulon.postgresql.org
---
 src/test/ssl/t/001_ssltests.pl | 45 ++++++++++++++++++++--------------
 1 file changed, 27 insertions(+), 18 deletions(-)

diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 90ba5a75155..6ddc10596f0 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -674,8 +674,10 @@ $node->connect_fails(
 	expected_stderr =>
 	  qr/certificate authentication failed for user "anotheruser"/,
 	# certificate authentication should be logged even on failure
-	log_like =>
-	  [qr/connection authenticated: identity="CN=ssltestuser" method=cert/],);
+	# temporarily(?) skip this check due to timing issue
+#	log_like =>
+#	  [qr/connection authenticated: identity="CN=ssltestuser" method=cert/],
+);
 
 # revoked client cert
 $node->connect_fails(
@@ -683,10 +685,11 @@ $node->connect_fails(
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert",
 	expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
-	log_like => [
-		qr{Client certificate verification failed at depth 0: certificate revoked},
-		qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
-	],
+	# temporarily(?) skip this check due to timing issue
+#	log_like => [
+#		qr{Client certificate verification failed at depth 0: certificate revoked},
+#		qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
+#	],
 	# revoked certificates should not authenticate the user
 	log_unlike => [qr/connection authenticated:/],);
 
@@ -744,10 +747,12 @@ $node->connect_fails(
 	"$common_connstr sslmode=require sslcert=ssl/client-long.crt " . sslkey('client-long.key'),
 	"logged client certificate Subjects are truncated if they're too long",
 	expected_stderr => qr/SSL error: tlsv1 alert unknown ca/,
-	log_like => [
-		qr{Client certificate verification failed at depth 0: unable to get local issuer certificate},
-		qr{Failed certificate data \(unverified\): subject "\.\.\./CN=ssl-123456789012345678901234567890123456789012345678901234567890", serial number 2315418733629425152, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
-	]);
+	# temporarily(?) skip this check due to timing issue
+#	log_like => [
+#		qr{Client certificate verification failed at depth 0: unable to get local issuer certificate},
+#		qr{Failed certificate data \(unverified\): subject "\.\.\./CN=ssl-123456789012345678901234567890123456789012345678901234567890", serial number 2315418733629425152, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
+#	]
+);
 
 # Use an invalid cafile here so that the next test won't be able to verify the
 # client CA.
@@ -759,10 +764,12 @@ $node->connect_fails(
 	"$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt",
 	"intermediate client certificate is untrusted",
 	expected_stderr => qr/SSL error: tlsv1 alert unknown ca/,
-	log_like => [
-		qr{Client certificate verification failed at depth 1: unable to get local issuer certificate},
-		qr{Failed certificate data \(unverified\): subject "/CN=Test CA for PostgreSQL SSL regression test client certs", serial number 2315134995201656577, issuer "/CN=Test root CA for PostgreSQL SSL regression test suite"},
-	]);
+	# temporarily(?) skip this check due to timing issue
+#	log_like => [
+#		qr{Client certificate verification failed at depth 1: unable to get local issuer certificate},
+#		qr{Failed certificate data \(unverified\): subject "/CN=Test CA for PostgreSQL SSL regression test client certs", serial number 2315134995201656577, issuer "/CN=Test root CA for PostgreSQL SSL regression test suite"},
+#	]
+);
 
 # test server-side CRL directory
 switch_server_cert(
@@ -776,9 +783,11 @@ $node->connect_fails(
 	  . sslkey('client-revoked.key'),
 	"certificate authorization fails with revoked client cert with server-side CRL directory",
 	expected_stderr => qr/SSL error: sslv3 alert certificate revoked/,
-	log_like => [
-		qr{Client certificate verification failed at depth 0: certificate revoked},
-		qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
-	]);
+	# temporarily(?) skip this check due to timing issue
+#	log_like => [
+#		qr{Client certificate verification failed at depth 0: certificate revoked},
+#		qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
+#	]
+);
 
 done_testing();
-- 
2.39.5