On Thu, Jan 25, 2018 at 10:59:23PM -0500, Peter Eisentraut wrote:
> On 1/16/18 00:33, Michael Paquier wrote:
> > On top of that, src/test/ssl does not provide any kind of coverage for
> > that. It would be an area of improvement for those tests.
>
> The tests already cover this:
>
> # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
> switch_server_cert($node, 'server-cn-only', 'root_ca');
> $common_connstr =
>   "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
>
> test_connect_ok($common_connstr,
>   "sslmode=require sslcert=ssl/client+client_ca.crt");
> test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");
>
> If you change the Makefile rule for generating the client CA to omit the
> -extensions v3_ca option, then the first test will fail.

Oh, very good!

--
  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
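
Added example, not part of the thread and not PostgreSQL's Makefile or test suite: a stand-alone openssl script showing why the quoted test depends on the CA extension. It issues the same intermediate key twice, once with a v3_ca section (basicConstraints CA:true) and once without, and checks a client certificate against each chain. All subject names, file names and the config contents are constructed for this illustration.

```shell
# Added illustration; every subject name and file name below is constructed.

# Build a root CA, one intermediate key certified twice (with and without
# the CA extension), and a client certificate issued by the intermediate.
build_pki() {
    d=$1
    mkdir -p "$d" || return 1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:true
EOF
    newreq() {  # $1 = basename, $2 = subject; writes $1.key and $1.csr
        openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
            -subj "$2" -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    }
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -extensions v3_ca -subj "/CN=demo root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    newreq ca "/CN=demo client CA" || return 1
    newreq client "/CN=demo client" || return 1
    # Intermediate issued WITH the CA extension (what -extensions v3_ca does).
    openssl x509 -req -in "$d/ca.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions v3_ca \
        -out "$d/ca_v3.crt" 2>/dev/null || return 1
    # Same key and subject, issued WITHOUT it.
    openssl x509 -req -in "$d/ca.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/ca_plain.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca_v3.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
}

# Succeeds only if client.crt chains to the root through intermediate $2.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2" "$1/client.crt" \
        >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
build_pki "$DEMO_DIR"
for ca in ca_v3.crt ca_plain.crt; do
    if verify_chain "$DEMO_DIR" "$ca"; then echo "$ca: chain accepted"
    else echo "$ca: chain rejected"; fi
done
```

The client certificate and intermediate key are identical in both runs; only the presence of basicConstraints CA:true on the intermediate decides whether the verifier will treat it as an issuer.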