On Wed, Feb 19, 2025 at 3:13 PM Daniel Gustafsson <[email protected]> wrote:
> Are there any blockers for getting this in?
> + SSL_context = ssl_init_context(isServerStart, host);
I'm still not quite following the rationale behind the SSL_context
assignment. To maybe illustrate, attached are some tests that I
expected to pass, but don't.
After adding an additional host and reloading the config, the behavior
of the original fallback host seems to change. Am I misunderstanding
the designed fallback behavior, have I misdesigned my test, or is this
a bug?
Thanks,
--Jacob
diff --git a/src/test/ssl/t/004_sni.pl b/src/test/ssl/t/004_sni.pl
index 0542c59ebcb..e183a953ede 100644
--- a/src/test/ssl/t/004_sni.pl
+++ b/src/test/ssl/t/004_sni.pl
@@ -57,6 +57,32 @@ $node->connect_ok(
"$connstr sslrootcert=ssl/root+server_ca.crt sslmode=require",
"connect with correct server CA cert file sslmode=require");
+# This is added only for comparison with the same test case below.
+$node->connect_fails(
+ "$connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca",
+ "connect fails with fallback hostname, without intermediate",
+ expected_stderr => qr/certificate verify failed/);
+
+# example.org serves the server cert and its intermediate CA.
+$node->append_conf('pg_hosts.conf',
+ "example.org server-cn-only+server_ca.crt server-cn-only.key
root_ca.crt"
+);
+$node->reload;
+
+$node->connect_ok(
+ "$connstr host=example.org sslrootcert=ssl/root_ca.crt
sslmode=verify-ca",
+ "connect with configured hostname, serving intermediate server CA");
+
+# Why does this test fail?
+$node->connect_fails(
+ "$connstr sslrootcert=ssl/root_ca.crt sslmode=verify-ca",
+ "connect still fails with fallback hostname, without intermediate",
+ expected_stderr => qr/certificate verify failed/);
+
+$node->connect_ok(
+ "$connstr host=localhost sslrootcert=ssl/root+server_ca.crt
sslmode=verify-ca",
+ "connect with fallback hostname, intermediate included");
+
ok(unlink($node->data_dir . '/pg_hosts.conf'));
$node->append_conf('pg_hosts.conf',
"localhost server.crt server.key root.crt");
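Review bot: the three connection strings that spill onto an un-prefixed continuation line (`root_ca.crt"`, `sslmode=verify-ca",`) look wrapped by the mail client, so the hunk will not apply cleanly from the mail body; the attachment is presumably intact, but anyone trying it inline needs to rejoin those lines first. Separately, `+# Why does this test fail?` is a question to the thread rather than a test comment: once the fallback behaviour is settled, it should state the expected outcome (why verification is expected to fail for the fallback host even after the `example.org` entry is added and reloaded), and the earlier case marked "added only for comparison" should either get the same treatment or be dropped before commit. One more suggestion: both `connect_fails` cases leave the host to whatever `$connstr` supplies, while the final `connect_ok` spells out `host=localhost`; using the explicit form in all three makes the fallback-versus-configured-host contrast visible in the test itself rather than depending on the default.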