From db28bdab0614c37afccd430db614d36d24301208 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Wed, 19 Jul 2023 13:00:21 +0200 Subject: [PATCH v1] Remove backend warnings when running SSL tests The SSL tests were not using role and database names according to the regression test naming conventions, which led to warnings being issued when running with ENFORCE_REGRESSION_TEST_NAME_RESTRICTIONS. WARNING: roles created by regression test cases should have names starting with "regress_" WARNING: databases created by regression test cases should have names including "regression" Fix by renaming all roles with a regress_ prefix and databases with a regression_ prefix, certificates and regenerated to match the new usernames. --- src/test/ssl/conf/client-dn.config | 4 +- src/test/ssl/conf/client-revoked.config | 2 +- src/test/ssl/conf/client.config | 4 +- src/test/ssl/conf/client_ext.config | 4 +- src/test/ssl/ssl/client+client_ca.crt | 30 +++--- src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 | 20 ++-- src/test/ssl/ssl/client-dn.crt | 32 +++---- src/test/ssl/ssl/client-revoked.crt | 30 +++--- src/test/ssl/ssl/client.crl | 20 ++-- src/test/ssl/ssl/client.crt | 30 +++--- src/test/ssl/ssl/client_ext.crt | 36 +++---- .../ssl/ssl/root+client-crldir/9bb9e3c3.r0 | 20 ++-- src/test/ssl/ssl/root+client.crl | 20 ++-- src/test/ssl/t/001_ssltests.pl | 94 +++++++++---------- src/test/ssl/t/002_scram.pl | 28 +++--- src/test/ssl/t/003_sslinfo.pl | 36 +++---- src/test/ssl/t/SSL/Server.pm | 63 +++++++------ 17 files changed, 238 insertions(+), 235 deletions(-) diff --git a/src/test/ssl/conf/client-dn.config b/src/test/ssl/conf/client-dn.config index 0c71d83127..7cf6de758f 100644 --- a/src/test/ssl/conf/client-dn.config +++ b/src/test/ssl/conf/client-dn.config @@ -1,6 +1,6 @@ # An OpenSSL format CSR config file for creating a client certificate. # -# The certificate is for user "ssltestuser-dn" with a multi-part DN +# The certificate is for user "regress_ssltestuser-dn" with a multi-part DN [ req ] distinguished_name = req_distinguished_name @@ -10,6 +10,6 @@ prompt = no O = PGDG 0.OU = Engineering 1.OU = Testing -CN = ssltestuser-dn +CN = regress_ssltestuser-dn # no extensions in client certs diff --git a/src/test/ssl/conf/client-revoked.config b/src/test/ssl/conf/client-revoked.config index 3b82b57103..218d3c60d7 100644 --- a/src/test/ssl/conf/client-revoked.config +++ b/src/test/ssl/conf/client-revoked.config @@ -8,6 +8,6 @@ distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] -CN = ssltestuser +CN = regress_ssltestuser # no extensions in client certs diff --git a/src/test/ssl/conf/client.config b/src/test/ssl/conf/client.config index 26fc2571f5..71c1d70d86 100644 --- a/src/test/ssl/conf/client.config +++ b/src/test/ssl/conf/client.config @@ -1,12 +1,12 @@ # An OpenSSL format CSR config file for creating a client certificate. # -# The certificate is for user "ssltestuser". +# The certificate is for user "regress_ssltestuser". [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] -CN = ssltestuser +CN = regress_ssltestuser # no extensions in client certs diff --git a/src/test/ssl/conf/client_ext.config b/src/test/ssl/conf/client_ext.config index c2dbfef9a8..add4a36500 100644 --- a/src/test/ssl/conf/client_ext.config +++ b/src/test/ssl/conf/client_ext.config @@ -1,6 +1,6 @@ # An OpenSSL format CSR config file for creating a client certificate. # -# The certificate is for user "ssltestuser" and intends to test client +# The certificate is for user "regress_ssltestuser" and intends to test client # certificate with extensions. [ req ] @@ -9,7 +9,7 @@ req_extensions = client_ext prompt = no [ req_distinguished_name ] -CN = ssltestuser +CN = regress_ssltestuser [ client_ext ] basicConstraints = critical,CA:false diff --git a/src/test/ssl/ssl/client+client_ca.crt b/src/test/ssl/ssl/client+client_ca.crt index 7fafa14de1..fdb42266e9 100644 --- a/src/test/ssl/ssl/client+client_ca.crt +++ b/src/test/ssl/ssl/client+client_ca.crt @@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl +MIIC3TCCAcUCCCAjBxkROQUAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg -Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD -DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL -oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct -bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm -rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen -koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN -NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X -I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB -rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u -4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog -A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN -u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV -8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI -ac+HriJv5w== +Y2VydHMwIBcNMjMwNzE5MDkzOTA1WhgPMjA1MDEyMDQwOTM5MDVaMB4xHDAaBgNV +BAMME3JlZ3Jlc3Nfc3NsdGVzdHVzZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC0i6AuofLAQAS/JFkYxUCR2TXMJrkUVo84QWEeIAynAU4QgSLhK+T2 +RJJF5yZ4lyh3LWws2gWq1MBvm1hoOgYhVl9zz+TGbyxuxMT/ck6w43cIyqM5CQjV +kqMNIXWC2sZKZq2COqwyeU9QmQUSw+EWDo1N/VlSMWJB5YSWLR9Anb+T7swjhLS3 +SkMkklauoXiXp5KC7yuwGhdcfLg4sDPqPbevaTkVmzof+mggj3mJr4TyEbxKsmYx +rzydpF2ruEdbzTZnqUSGdFY0P60MaO3RlpN/HH4LE3hSOBtug4mJ9PKRUeO7MFHX +4jMsdzGhkIs/VyNp1KozPlvOIlMa0fNjAgMBAAEwDQYJKoZIhvcNAQELBQADggEB +AFQ2QYDvWgYEK+Jdlc1d5psbpYnXlNTgxZExiWSj+xhPBhPgEMjHW2g4WDMiAV+4 +aGDG5G5bxlWhlt6mNwPMbQdHBOv0W05xV0E6+IT16ZJmlKnv/v6SobYxfa/gwIyR +obwoTkAM0D2RChqDXofZ4TzazZfM6PVSIzxGk3y7aVjJlhoCXdEYSuubgNwcTbxd +hCcqboaSzwgfJ2OkCvDATwZRF0LSpeK3bMAgq5/hJuE8fjh/N/OkMSrrCVLnReln +NmQR4O9YMDqMVzM6g3yayaS6pWm/jug/EZqIj25v/DaAMIBeUWFxcfiPEIN4JqOS +mKhJJVZOKKM1gPnstMyc3hw= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDFDCCAfygAwIBAgIIICEDAxQSBwEwDQYJKoZIhvcNAQELBQAwQDE+MDwGA1UE diff --git a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 index f75eb1c0bc..ada3fb7ff8 100644 --- a/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 +++ b/src/test/ssl/ssl/client-crldir/9bb9e3c3.r0 @@ -1,12 +1,12 @@ -----BEGIN X509 CRL----- -MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ -b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3 -MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy -MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD -ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a -SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7 -Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL -rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn -/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx -OyPyZz4xy/EShWy+KUklfOoKRo8= +MIIBwjCBqzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ +b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMzA3 +MTkwOTM5MDVaGA8yMDUwMTIwNDA5MzkwNVowNjAZAgggIgcYFSgVABcNMjMwNzE5 +MDkzOTA1WjAZAgggIwcZETkFAhcNMjMwNzE5MDkzOTA1WjANBgkqhkiG9w0BAQsF +AAOCAQEAdXmr81S5WTpITFvJI5TwWBVLCXp45lsvEeyEA71rBwXD5V2HNWK0sWSK +a5Xuh8Mf1aU6dwBsIrFiHEa50VufZwKnCgOs6ao+ehx4awmqW2MDIkcZ5OrZiteV +xD4jRFLjbRyfCr+qcCWeBw+8TuKX3Ygfk13z9fTmwR5CKiAgG2UQURZ5Gu/ToPHV +RIbaiUvvZT11kPspK5dkTsr5UsWN3Q/dtltDUbSIEIwZ+ecw+ggHFL9VcPh86RvK +iDWPqI9RNPWlFrHwtBH8rqdJb6EJZPBks4g5TLIqPo69lnXGFPIqhxW413DQsZW7 +rfBCnARHEvqKTnZiAqoS86Sxlq3lWw== -----END X509 CRL----- diff --git a/src/test/ssl/ssl/client-dn.crt b/src/test/ssl/ssl/client-dn.crt index 0db14e5977..da6fc0d614 100644 --- a/src/test/ssl/ssl/client-dn.crt +++ b/src/test/ssl/ssl/client-dn.crt @@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDDTCCAfUCCCAhBikTA0IAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl +MIIDFzCCAf8CCCAjBxkROQUBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg -Y2VydHMwHhcNMjEwNjI5MjAwMzQyWhcNNDgxMTE0MjAwMzQyWjBQMQ0wCwYDVQQK -DARQR0RHMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEQMA4GA1UECwwHVGVzdGluZzEX -MBUGA1UEAwwOc3NsdGVzdHVzZXItZG4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQDES64qtkofPjeG4VbUVKfzABLC0CurvxqLTEpokq/St9WAWDrzc8PJ -YireEZp4ec5rHVyQVvHqzzaZFAMvbRUQgMdGKG4Vgkn8l96KxHa4Q6yxYoQOts10 -AuvU9LuGKT0lxndMggHDmREUOAkFYKp7IeypseUGkJ6sWs+DlTwK1hST+EUAU/5f -q/pAngJ+oar20m8WNxaAhJUKtBBecdRdqYy/h3Ab43iPhj+N9IFXiSV9EWhteBae -L/TEE+s7/4L74xwvJe2EiVETo3lMy2aVJ4/4pOMq7U+Gr/0wxk0jqRrOahAE6pOI -cQFBFsOkyUaC4dzqtjeSrsw5igQbJC19AgMBAAEwDQYJKoZIhvcNAQELBQADggEB -AECbQQ9rBzCexNI3VKDVA+CZa0ib48XbcJwXmva3spvjjCB5cGPToyF1B+4mVg1H -1uM/XRAoQmNRtB+xKEAceMSxJA02tBlwMOclXlO0oGLYyc+S61K+UEPSk6Kka4aC -NpeLSqN5ahC9z8C5uMJl36pFf13aU05uRkXKcI4gkn02I4jRc/a8gF7URdhdf920 -KmYSUh1V0B3pPAB6ArqJ60iHOqkCYIIIbi2EpVP53IKkoB9tr4ud8oMoN6ggIXU1 -2oHvnaKJ7RZaQNefS3WweyHxr4cCVtEour/ELph48OuW6Y5jqPT+5Ln3Qz0e6KW9 -o3thBx0aKSYlmt9gH254M9M= +Y2VydHMwIBcNMjMwNzE5MDkzOTA1WhgPMjA1MDEyMDQwOTM5MDVaMFgxDTALBgNV +BAoMBFBHREcxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRAwDgYDVQQLDAdUZXN0aW5n +MR8wHQYDVQQDDBZyZWdyZXNzX3NzbHRlc3R1c2VyLWRuMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAxEuuKrZKHz43huFW1FSn8wASwtArq78ai0xKaJKv +0rfVgFg683PDyWIq3hGaeHnOax1ckFbx6s82mRQDL20VEIDHRihuFYJJ/JfeisR2 +uEOssWKEDrbNdALr1PS7hik9JcZ3TIIBw5kRFDgJBWCqeyHsqbHlBpCerFrPg5U8 +CtYUk/hFAFP+X6v6QJ4CfqGq9tJvFjcWgISVCrQQXnHUXamMv4dwG+N4j4Y/jfSB +V4klfRFobXgWni/0xBPrO/+C++McLyXthIlRE6N5TMtmlSeP+KTjKu1Phq/9MMZN +I6kazmoQBOqTiHEBQRbDpMlGguHc6rY3kq7MOYoEGyQtfQIDAQABMA0GCSqGSIb3 +DQEBCwUAA4IBAQBdEm4gkzi4iAEdi5wgzgploXpFqwTuqf7g+uTrIp2OoWBtr5sR +qpP7d0fbTiWOMrMly9kof946mRN2FRpfd+sDVN3AbFnGtTZ9JX2Lb6AWYoG0zfui +FjdoTBtzCPKuYGRYcGB9LGa7iYR8BhgIfhD6usv2y2GXtTYD6OgctF5HJcfmEu9X +cwVb+WGZjqaMAvz5AaZImwavcw5BD2FM3tpd00/q5ODDBdPR+eP3S+fqQc8kgqo9 +c8qevLrWFn+d6eT1+gWbxIBL2l66+lIWqf6Wk1yI4L259dBwx+8OMpxEqdA46oEb +cTxS87ubr0FiY0DxmBm4WbW0+vcC0PvFHt/R -----END CERTIFICATE----- diff --git a/src/test/ssl/ssl/client-revoked.crt b/src/test/ssl/ssl/client-revoked.crt index 51ebe924a6..96448336de 100644 --- a/src/test/ssl/ssl/client-revoked.crt +++ b/src/test/ssl/ssl/client-revoked.crt @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC0zCCAbsCCCAhAwMUEgcBMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl +MIIC3TCCAcUCCCAjBxkROQUCMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg -Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD -DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKAX -JmNmfqmvpVAeWEmJxi7feku2sZKA7yMyyZMCboBqsNVO9gOpQFE8gD1Z7bJm4aDK -QxByuspYPFOBwty9YW4UqRa4kyEyd08x+PsHQx9SmWJTNpNIH6yq5LCcme37QMrg -b8wUZRWwXsaKUfVUI6oALjSgcibMJXTntCsD9J5m/07U/ZZALe1460rreTFHsxVZ -708Wm5u7UHIgxvvEKhNG/JR9zd1Tl1mVgnlz0a8G6Dt22gJnLnuFdtDdACwET/kG -TRJQWuyavpe+1TY53kZNO442hOzwhlZVnz4IKaWaLNQMtbG9iYStEvaWa8p0E/3J -N6oRuELiqXJp/wW3v/MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcVhPcu55HcSf -Mci38T/fOBaiDUvzWwG/XlQRzFxcS+ZY/vYMbgor6PliGlCFBF4Mca2qtTs7zXRz -8aLNVX53p98Cnnn97mW4aYNbNdM87R76IqJdj40brEolu1JNOyFJRYzoaebABf9r -R64FTt3YVM9qjJrHG/apYwKwgAMxVzZ/M+3ujahP/8mOYD/Utj+lYHnXJmuHAYE6 -EnTxTSb2J+IsK8KuPoGjUPNZRW8zIUE0luMpJahvtmFVW91Vue7dW0AOmHpjmGUB -J9Vwxe7KJRW5/4dz6kMD2pKY3D9sBgXeku/QDVz/hdyB5YT0WChFiZn20DZyhOtu -moHgw8OJzg== +Y2VydHMwIBcNMjMwNzE5MDkzOTA1WhgPMjA1MDEyMDQwOTM5MDVaMB4xHDAaBgNV +BAMME3JlZ3Jlc3Nfc3NsdGVzdHVzZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCgFyZjZn6pr6VQHlhJicYu33pLtrGSgO8jMsmTAm6AarDVTvYDqUBR +PIA9We2yZuGgykMQcrrKWDxTgcLcvWFuFKkWuJMhMndPMfj7B0MfUpliUzaTSB+s +quSwnJnt+0DK4G/MFGUVsF7GilH1VCOqAC40oHImzCV057QrA/SeZv9O1P2WQC3t +eOtK63kxR7MVWe9PFpubu1ByIMb7xCoTRvyUfc3dU5dZlYJ5c9GvBug7dtoCZy57 +hXbQ3QAsBE/5Bk0SUFrsmr6XvtU2Od5GTTuONoTs8IZWVZ8+CCmlmizUDLWxvYmE +rRL2lmvKdBP9yTeqEbhC4qlyaf8Ft7/zAgMBAAEwDQYJKoZIhvcNAQELBQADggEB +ABacCI5EHE8Hk5w9KZN6y6OmZcsLWvmpoOaXwZYmPcG3Pk8TmYRX5PxOixQDEI4f +kv2Oo7Y2kJXqoK+ZR15NYEY3fIGNT/gOULOlbJjsSx3ZEfgdR0Aq64ZBnqpqhFyc +hBqFHebVYnqRW/WKh9I/E7QGewi6GuLyYh9z82MBXfl9/64mBZJvKROqlc0nASir +U1Ot5toTaNSCRiGgA+OJT7+pQLgWAyVU1AkVrgFPHiYPI1xdd1boXHZ8cICml8Lg +762SvdVT5X3UyxIr/jXiiyDPkkfqm/EnDN/FZvez41/J/ul1iKxgK1evrM8aBPzp +m9tJx9roNNwWKoY7GMtCZGM= -----END CERTIFICATE----- diff --git a/src/test/ssl/ssl/client.crl b/src/test/ssl/ssl/client.crl index f75eb1c0bc..ada3fb7ff8 100644 --- a/src/test/ssl/ssl/client.crl +++ b/src/test/ssl/ssl/client.crl @@ -1,12 +1,12 @@ -----BEGIN X509 CRL----- -MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ -b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3 -MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy -MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD -ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a -SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7 -Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL -rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn -/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx -OyPyZz4xy/EShWy+KUklfOoKRo8= +MIIBwjCBqzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ +b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMzA3 +MTkwOTM5MDVaGA8yMDUwMTIwNDA5MzkwNVowNjAZAgggIgcYFSgVABcNMjMwNzE5 +MDkzOTA1WjAZAgggIwcZETkFAhcNMjMwNzE5MDkzOTA1WjANBgkqhkiG9w0BAQsF +AAOCAQEAdXmr81S5WTpITFvJI5TwWBVLCXp45lsvEeyEA71rBwXD5V2HNWK0sWSK +a5Xuh8Mf1aU6dwBsIrFiHEa50VufZwKnCgOs6ao+ehx4awmqW2MDIkcZ5OrZiteV +xD4jRFLjbRyfCr+qcCWeBw+8TuKX3Ygfk13z9fTmwR5CKiAgG2UQURZ5Gu/ToPHV +RIbaiUvvZT11kPspK5dkTsr5UsWN3Q/dtltDUbSIEIwZ+ecw+ggHFL9VcPh86RvK +iDWPqI9RNPWlFrHwtBH8rqdJb6EJZPBks4g5TLIqPo69lnXGFPIqhxW413DQsZW7 +rfBCnARHEvqKTnZiAqoS86Sxlq3lWw== -----END X509 CRL----- diff --git a/src/test/ssl/ssl/client.crt b/src/test/ssl/ssl/client.crt index 1f6ae05fe4..9e68d59397 100644 --- a/src/test/ssl/ssl/client.crt +++ b/src/test/ssl/ssl/client.crt @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC0zCCAbsCCCAhAwMUEgcAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl +MIIC3TCCAcUCCCAjBxkROQUAMA0GCSqGSIb3DQEBCwUAMEIxQDA+BgNVBAMMN1Rl c3QgQ0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBjbGllbnQg -Y2VydHMwHhcNMjEwMzAzMjIxMjA3WhcNNDgwNzE5MjIxMjA3WjAWMRQwEgYDVQQD -DAtzc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSL -oC6h8sBABL8kWRjFQJHZNcwmuRRWjzhBYR4gDKcBThCBIuEr5PZEkkXnJniXKHct -bCzaBarUwG+bWGg6BiFWX3PP5MZvLG7ExP9yTrDjdwjKozkJCNWSow0hdYLaxkpm -rYI6rDJ5T1CZBRLD4RYOjU39WVIxYkHlhJYtH0Cdv5PuzCOEtLdKQySSVq6heJen -koLvK7AaF1x8uDiwM+o9t69pORWbOh/6aCCPeYmvhPIRvEqyZjGvPJ2kXau4R1vN -NmepRIZ0VjQ/rQxo7dGWk38cfgsTeFI4G26DiYn08pFR47swUdfiMyx3MaGQiz9X -I2nUqjM+W84iUxrR82MCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACSZo32raJHcB -rYHeomzynmzgMVBHSA4XsXZVQw4+zBUER+/ZdQbtw6F/qdeWRvTl8TJjwoydta7u -4gUkgAnQhYm2f8XEBe/+MUegH+y54Yk6rtmkdLxJLGKZ0IUfYkn20sg/NZrltbog -A8glWRGVD8cEOaxUaNSQ4Xqmqsqjd6Kh8snVfIIcWgKgnTNgyapM5ePBpS2IREhN -u9fjikQQf6F/dycsm22OP7aWsp1XPs3nqnoq9ZnhQrITMwsGcjbU7+v8La2GbiJV -8yAy136NSXUujIG/8eqhICWZPqj+KbdVZupOsUeVoeuSwLXJjm4GWY0xH92emqCI -ac+HriJv5w== +Y2VydHMwIBcNMjMwNzE5MDkzOTA1WhgPMjA1MDEyMDQwOTM5MDVaMB4xHDAaBgNV +BAMME3JlZ3Jlc3Nfc3NsdGVzdHVzZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC0i6AuofLAQAS/JFkYxUCR2TXMJrkUVo84QWEeIAynAU4QgSLhK+T2 +RJJF5yZ4lyh3LWws2gWq1MBvm1hoOgYhVl9zz+TGbyxuxMT/ck6w43cIyqM5CQjV +kqMNIXWC2sZKZq2COqwyeU9QmQUSw+EWDo1N/VlSMWJB5YSWLR9Anb+T7swjhLS3 +SkMkklauoXiXp5KC7yuwGhdcfLg4sDPqPbevaTkVmzof+mggj3mJr4TyEbxKsmYx +rzydpF2ruEdbzTZnqUSGdFY0P60MaO3RlpN/HH4LE3hSOBtug4mJ9PKRUeO7MFHX +4jMsdzGhkIs/VyNp1KozPlvOIlMa0fNjAgMBAAEwDQYJKoZIhvcNAQELBQADggEB +AFQ2QYDvWgYEK+Jdlc1d5psbpYnXlNTgxZExiWSj+xhPBhPgEMjHW2g4WDMiAV+4 +aGDG5G5bxlWhlt6mNwPMbQdHBOv0W05xV0E6+IT16ZJmlKnv/v6SobYxfa/gwIyR +obwoTkAM0D2RChqDXofZ4TzazZfM6PVSIzxGk3y7aVjJlhoCXdEYSuubgNwcTbxd +hCcqboaSzwgfJ2OkCvDATwZRF0LSpeK3bMAgq5/hJuE8fjh/N/OkMSrrCVLnReln +NmQR4O9YMDqMVzM6g3yayaS6pWm/jug/EZqIj25v/DaAMIBeUWFxcfiPEIN4JqOS +mKhJJVZOKKM1gPnstMyc3hw= -----END CERTIFICATE----- diff --git a/src/test/ssl/ssl/client_ext.crt b/src/test/ssl/ssl/client_ext.crt index 9874ce49b9..995a46ff8c 100644 --- a/src/test/ssl/ssl/client_ext.crt +++ b/src/test/ssl/ssl/client_ext.crt @@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDezCCAmOgAwIBAgIIICEREAQyQQAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE +MIIDhTCCAm2gAwIBAgIIICMHGRE5BQMwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IGNs -aWVudCBjZXJ0czAeFw0yMTExMTAwMzMyNDFaFw00OTAzMjgwMzMyNDFaMBYxFDAS -BgNVBAMMC3NzbHRlc3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEArCHikkEQLFITbn3ZfO8X2RW3fELeaImgy8W4Pkkc4LxdHCWjdCML/vtE/ZVu -Op74qrQQWT0HKXFVUiZLbjAgV2PONS6VFHhc3sTFxuTaBnVdY+K98hoFnXskINt/ -wgwUhRcRZuKPcZvEHiqF6e3g3lQa99l1nVKPGPLOCvVhSgoV0Gwgxok0t7s25BCV -ZmpMAwSTxpeviLF0e2MsttuyClQ4nuD92EHZX3BuG0WNPLxiwikV96uMffpMRGsx -uiAHzD5ykYM7/b3eU0bjfi0J0qcfTSeytqFuRCNEukJpmtUmyYGqsFJ7HN7ejCY7 -ObAlBn8h+4bgwBRaeZDZLTMaYQIDAQABo4GgMIGdMAwGA1UdEwEB/wQCMAAwEwYD -VR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFPPv1n7k1Vd9BBC4eoGWPZwVz2Lx -MFkGA1UdIwRSMFChRKRCMEAxPjA8BgNVBAMMNVRlc3Qgcm9vdCBDQSBmb3IgUG9z -dGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHN1aXRlggggIQMDFBIHATANBgkq -hkiG9w0BAQsFAAOCAQEAtqIeTmUhtHyCt5k2yx88F0dKshYq4Z+LQI+agyZ1fRE6 -Ux5p+SBGbzvc+NcUvc7yGG6w2G/nTVnGwSHN9NtQa2T2XbHJysJ/dwCfmRsachKz -4kCp0zAHEDrEmZua0sy5BLwwVCk5WNBR0lZ35WmIEuRA+5G/2lCywtrb9W4YnbAM -nH7BtZE8qPbK4OicB40I2NXz6KhG3755oKN03VC1IaX9JFQxf37ac7jVK5bsjfaF -0xCAeuDN6wDiVHZj6q1GhhmNLzaF5zmU2e/cI1nTI5tfGKnygavlZIz2VvAlcypt -YZdMDy69VbTWUa57UPCspghgvm5M2/Hjmz50CXGMvw== +aWVudCBjZXJ0czAgFw0yMzA3MTkwOTM5MDVaGA8yMDUwMTIwNDA5MzkwNVowHjEc +MBoGA1UEAwwTcmVncmVzc19zc2x0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAKwh4pJBECxSE2592XzvF9kVt3xC3miJoMvFuD5JHOC8XRwl +o3QjC/77RP2Vbjqe+Kq0EFk9BylxVVImS24wIFdjzjUulRR4XN7Excbk2gZ1XWPi +vfIaBZ17JCDbf8IMFIUXEWbij3GbxB4qhent4N5UGvfZdZ1Sjxjyzgr1YUoKFdBs +IMaJNLe7NuQQlWZqTAMEk8aXr4ixdHtjLLbbsgpUOJ7g/dhB2V9wbhtFjTy8YsIp +FferjH36TERrMbogB8w+cpGDO/293lNG434tCdKnH00nsrahbkQjRLpCaZrVJsmB +qrBSexze3owmOzmwJQZ/IfuG4MAUWnmQ2S0zGmECAwEAAaOBoDCBnTAMBgNVHRMB +Af8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBTz79Z+5NVXfQQQ +uHqBlj2cFc9i8TBZBgNVHSMEUjBQoUSkQjBAMT4wPAYDVQQDDDVUZXN0IHJvb3Qg +Q0EgZm9yIFBvc3RncmVTUUwgU1NMIHJlZ3Jlc3Npb24gdGVzdCBzdWl0ZYIIICED +AxQSBwEwDQYJKoZIhvcNAQELBQADggEBAF8566ldlyP2nYBQOhbqZhTkR/1/T4K7 +cmgfb/WGyBFyVHzMXnNwqAcruWmNG9kEulekj9SUHgHr5kCg2FUrgbc8FoV3Dn2U +U+GiTPdVi44kMG081SHvT9598rCscmWyRjzpwJhJrXSNAgiNUnlFKjSSBRSJV3cC +j7MMxGLVGGQQdT89vCW7LdlD2VxLD8zycSY59/l9cTU6wfvkzUC50sHfOWziq+xu +t8zD8ynL9KYRYs+z9P5DMIJJ+PUu2BI1VAS6UqhwvMZnAQoZhhCLL9o2e8Q4HR6Z +WKrXCbRH9v6nUUls7z1aqRfOZbT0QYUI2yoDRy1dXZmdya1dsLMyRCQ= -----END CERTIFICATE----- diff --git a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 index f75eb1c0bc..ada3fb7ff8 100644 --- a/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 +++ b/src/test/ssl/ssl/root+client-crldir/9bb9e3c3.r0 @@ -1,12 +1,12 @@ -----BEGIN X509 CRL----- -MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ -b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3 -MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy -MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD -ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a -SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7 -Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL -rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn -/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx -OyPyZz4xy/EShWy+KUklfOoKRo8= +MIIBwjCBqzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ +b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMzA3 +MTkwOTM5MDVaGA8yMDUwMTIwNDA5MzkwNVowNjAZAgggIgcYFSgVABcNMjMwNzE5 +MDkzOTA1WjAZAgggIwcZETkFAhcNMjMwNzE5MDkzOTA1WjANBgkqhkiG9w0BAQsF +AAOCAQEAdXmr81S5WTpITFvJI5TwWBVLCXp45lsvEeyEA71rBwXD5V2HNWK0sWSK +a5Xuh8Mf1aU6dwBsIrFiHEa50VufZwKnCgOs6ao+ehx4awmqW2MDIkcZ5OrZiteV +xD4jRFLjbRyfCr+qcCWeBw+8TuKX3Ygfk13z9fTmwR5CKiAgG2UQURZ5Gu/ToPHV +RIbaiUvvZT11kPspK5dkTsr5UsWN3Q/dtltDUbSIEIwZ+ecw+ggHFL9VcPh86RvK +iDWPqI9RNPWlFrHwtBH8rqdJb6EJZPBks4g5TLIqPo69lnXGFPIqhxW413DQsZW7 +rfBCnARHEvqKTnZiAqoS86Sxlq3lWw== -----END X509 CRL----- diff --git a/src/test/ssl/ssl/root+client.crl b/src/test/ssl/ssl/root+client.crl index 459f48da43..629dc9c539 100644 --- a/src/test/ssl/ssl/root+client.crl +++ b/src/test/ssl/ssl/root+client.crl @@ -10,14 +10,14 @@ SBNr2rpYp7Coc3GeCoWPcClgSrABD3Z5GY1YAdLGiXVKaH3CmdJTznhEPagE4z5R +GrJP3XxJ1OC -----END X509 CRL----- -----BEGIN X509 CRL----- -MIIBwDCBqTANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ -b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMjA3 -MTgyMjI4MTVaFw00OTEyMDMyMjI4MTVaMDYwGQIIICEDAxQSBwEXDTIyMDcxODIy -MjgxNVowGQIIICIHGBUoFQAXDTIyMDcxODIyMjgxNVowDQYJKoZIhvcNAQELBQAD -ggEBAFDH3m9AHpDjkEFjO6svnLJ2bTliGeKZaJW8/RAN4mWvWDhXDQfzqGcFHN2a -SIL57Xc4PdwTiXuU4QEP4RvWW90LYKdcrcT8uh0AN3i7ShMwcV7I7owzF5+CBuT7 -Ev0MU4QIz0PjXoybXP6b3wHhZbEjYTLYdnYdqjrsAchUpyDQn6fiC0C7FgjCi4HL -rNm2kMchFpzd6K9e41kxWVp7xCPXgqUK8OrxlW56ObkX8UpBIZzyU6RisJKOZJAn -/+lwT43yTtU739atdXdSMvGHT9Y7LsrSDz9zgp2/iMTmfctnPcp81J/6jQZEP8kx -OyPyZz4xy/EShWy+KUklfOoKRo8= +MIIBwjCBqzANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDDDdUZXN0IENBIGZvciBQ +b3N0Z3JlU1FMIFNTTCByZWdyZXNzaW9uIHRlc3QgY2xpZW50IGNlcnRzFw0yMzA3 +MTkwOTM5MDVaGA8yMDUwMTIwNDA5MzkwNVowNjAZAgggIgcYFSgVABcNMjMwNzE5 +MDkzOTA1WjAZAgggIwcZETkFAhcNMjMwNzE5MDkzOTA1WjANBgkqhkiG9w0BAQsF +AAOCAQEAdXmr81S5WTpITFvJI5TwWBVLCXp45lsvEeyEA71rBwXD5V2HNWK0sWSK +a5Xuh8Mf1aU6dwBsIrFiHEa50VufZwKnCgOs6ao+ehx4awmqW2MDIkcZ5OrZiteV +xD4jRFLjbRyfCr+qcCWeBw+8TuKX3Ygfk13z9fTmwR5CKiAgG2UQURZ5Gu/ToPHV +RIbaiUvvZT11kPspK5dkTsr5UsWN3Q/dtltDUbSIEIwZ+ecw+ggHFL9VcPh86RvK +iDWPqI9RNPWlFrHwtBH8rqdJb6EJZPBks4g5TLIqPo69lnXGFPIqhxW413DQsZW7 +rfBCnARHEvqKTnZiAqoS86Sxlq3lWw== -----END X509 CRL----- diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 76442de063..d4c174abc3 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -138,7 +138,7 @@ my $default_ssl_connstr = "sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid"; $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; + "$default_ssl_connstr user=regress_ssltestuser dbname=regression_trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; # The server should not accept non-SSL connections. $node->connect_fails( @@ -251,7 +251,7 @@ $node->connect_ok( # Check that connecting with verify-full fails, when the hostname doesn't # match the hostname in the server's certificate. $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + "$default_ssl_connstr user=regress_ssltestuser dbname=regression_trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; $node->connect_ok("$common_connstr sslmode=require host=wronghost.test", "mismatch between host name and server certificate sslmode=require"); @@ -270,7 +270,7 @@ $node->connect_fails( switch_server_cert($node, certfile => 'server-ip-cn-only'); $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + "$default_ssl_connstr user=regress_ssltestuser dbname=regression_trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; $node->connect_ok("$common_connstr host=192.0.2.1", "IP address in the Common Name"); @@ -293,7 +293,7 @@ $node->connect_ok("$common_connstr host=192.0.2.1", switch_server_cert($node, certfile => 'server-multiple-alt-names'); $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + "$default_ssl_connstr user=regress_ssltestuser dbname=regression_trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; $node->connect_ok( "$common_connstr host=dns1.alt-name.pg-ssltest.test", @@ -322,7 +322,7 @@ $node->connect_fails( switch_server_cert($node, certfile => 'server-single-alt-name'); $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + "$default_ssl_connstr user=regress_ssltestuser dbname=regression_trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; $node->connect_ok( "$common_connstr host=single.alt-name.pg-ssltest.test", @@ -397,7 +397,7 @@ SKIP: switch_server_cert($node, certfile => 'server-cn-and-alt-names'); $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + "$default_ssl_connstr user=regress_ssltestuser dbname=regression_trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; $node->connect_ok("$common_connstr host=dns1.alt-name.pg-ssltest.test", "certificate with both a CN and SANs 1"); @@ -456,7 +456,7 @@ $node->connect_ok( # not a very sensible certificate, but libpq should handle it gracefully. switch_server_cert($node, certfile => 'server-no-names'); $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + "$default_ssl_connstr user=regress_ssltestuser dbname=regression_trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; $node->connect_ok( "$common_connstr sslmode=verify-ca host=common-name.pg-ssltest.test", @@ -475,7 +475,7 @@ switch_server_cert( keyfile => 'server-cn-only', cafile => 'root_ca'); $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=system hostaddr=$SERVERHOSTADDR"; + "$default_ssl_connstr user=regress_ssltestuser dbname=regression_trustdb sslrootcert=system hostaddr=$SERVERHOSTADDR"; # By default our custom-CA-signed certificate should not be trusted. # OpenSSL 3.0 reports a missing/invalid system CA as "unregistered schema" @@ -516,7 +516,7 @@ SKIP: switch_server_cert($node, certfile => 'server-revoked'); $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; + "$default_ssl_connstr user=regress_ssltestuser dbname=regression_trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; # Without the CRL, succeeds. With it, fails. $node->connect_ok( @@ -571,31 +571,31 @@ $node->connect_fails( note "running server tests"; $common_connstr = - "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost"; + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=regression_certdb hostaddr=$SERVERHOSTADDR host=localhost"; # no client cert $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=invalid", + "$common_connstr user=regress_ssltestuser sslcert=invalid", "certificate authorization fails without client cert", expected_stderr => qr/connection requires a valid client certificate/); # correct client cert in unencrypted PEM $node->connect_ok( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client.crt " . sslkey('client.key'), "certificate authorization succeeds with correct client cert in PEM format" ); # correct client cert in unencrypted DER $node->connect_ok( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client.crt " . sslkey('client-der.key'), "certificate authorization succeeds with correct client cert in DER format" ); # correct client cert in encrypted PEM $node->connect_ok( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client.crt " . sslkey('client-encrypted-pem.key') . " sslpassword='dUmmyP^#+'", "certificate authorization succeeds with correct client cert in encrypted PEM format" @@ -603,7 +603,7 @@ $node->connect_ok( # correct client cert in encrypted DER $node->connect_ok( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client.crt " . sslkey('client-encrypted-der.key') . " sslpassword='dUmmyP^#+'", "certificate authorization succeeds with correct client cert in encrypted DER format" @@ -613,27 +613,27 @@ $node->connect_ok( if ($supports_sslcertmode_require) { $node->connect_ok( - "$common_connstr user=ssltestuser sslcertmode=require sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcertmode=require sslcert=ssl/client.crt " . sslkey('client.key'), "certificate authorization succeeds with correct client cert and sslcertmode=require" ); } $node->connect_ok( - "$common_connstr user=ssltestuser sslcertmode=allow sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcertmode=allow sslcert=ssl/client.crt " . sslkey('client.key'), "certificate authorization succeeds with correct client cert and sslcertmode=allow" ); # client cert is not sent if sslcertmode=disable. $node->connect_fails( - "$common_connstr user=ssltestuser sslcertmode=disable sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcertmode=disable sslcert=ssl/client.crt " . sslkey('client.key'), "certificate authorization fails with correct client cert and sslcertmode=disable", expected_stderr => qr/connection requires a valid client certificate/); # correct client cert in encrypted PEM with wrong password $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client.crt " . sslkey('client-encrypted-pem.key') . " sslpassword='wrong'", "certificate authorization fails with correct client cert and wrong password in encrypted PEM format", @@ -642,34 +642,34 @@ $node->connect_fails( # correct client cert using whole DN -my $dn_connstr = "$common_connstr dbname=certdb_dn"; +my $dn_connstr = "$common_connstr dbname=regression_certdb_dn"; $node->connect_ok( - "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " + "$dn_connstr user=regress_ssltestuser sslcert=ssl/client-dn.crt " . sslkey('client-dn.key'), "certificate authorization succeeds with DN mapping", log_like => [ - qr/connection authenticated: identity="CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG" method=cert/ + qr/connection authenticated: identity="CN=regress_ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG" method=cert/ ],); # same thing but with a regex -$dn_connstr = "$common_connstr dbname=certdb_dn_re"; +$dn_connstr = "$common_connstr dbname=regression_certdb_dn_re"; $node->connect_ok( - "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " + "$dn_connstr user=regress_ssltestuser sslcert=ssl/client-dn.crt " . sslkey('client-dn.key'), "certificate authorization succeeds with DN regex mapping"); # same thing but using explicit CN -$dn_connstr = "$common_connstr dbname=certdb_cn"; +$dn_connstr = "$common_connstr dbname=regression_certdb_cn"; $node->connect_ok( - "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " + "$dn_connstr user=regress_ssltestuser sslcert=ssl/client-dn.crt " . sslkey('client-dn.key'), "certificate authorization succeeds with CN mapping", # the full DN should still be used as the authenticated identity log_like => [ - qr/connection authenticated: identity="CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG" method=cert/ + qr/connection authenticated: identity="CN=regress_ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG" method=cert/ ],); @@ -683,7 +683,7 @@ TODO: # correct client cert in encrypted PEM with empty password $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client.crt " . sslkey('client-encrypted-pem.key') . " sslpassword=''", "certificate authorization fails with correct client cert and empty password in encrypted PEM format", @@ -693,7 +693,7 @@ TODO: # correct client cert in encrypted PEM with no password $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client.crt " . sslkey('client-encrypted-pem.key'), "certificate authorization fails with correct client cert and no password in encrypted PEM format", expected_stderr => @@ -740,13 +740,13 @@ command_like( '-P', 'null=_null_', '-d', - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client.crt " . sslkey('client.key'), '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=regress_ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, 'pg_stat_ssl with client certificate'); # client key with wrong permissions @@ -755,7 +755,7 @@ SKIP: skip "Permissions check not enforced on Windows", 2 if ($windows_os); $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client.crt " . sslkey('client_wrongperms.key'), "certificate authorization fails because of file permissions", expected_stderr => @@ -765,27 +765,27 @@ SKIP: # client cert belonging to another user $node->connect_fails( - "$common_connstr user=anotheruser sslcert=ssl/client.crt " + "$common_connstr user=regress_anotheruser sslcert=ssl/client.crt " . sslkey('client.key'), "certificate authorization fails with client cert belonging to another user", expected_stderr => - qr/certificate authentication failed for user "anotheruser"/, + qr/certificate authentication failed for user "regress_anotheruser"/, # certificate authentication should be logged even on failure # temporarily(?) skip this check due to timing issue # log_like => - # [qr/connection authenticated: identity="CN=ssltestuser" method=cert/], + # [qr/connection authenticated: identity="CN=regress_ssltestuser" method=cert/], ); # revoked client cert $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client-revoked.crt " . sslkey('client-revoked.key'), "certificate authorization fails with revoked client cert", expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, # temporarily(?) skip this check due to timing issue # log_like => [ # qr{Client certificate verification failed at depth 0: certificate revoked}, - # qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, + # qr{Failed certificate data \(unverified\): subject "/CN=regress_ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, # ], # revoked certificates should not authenticate the user log_unlike => [qr/connection authenticated:/],); @@ -794,28 +794,28 @@ $node->connect_fails( # works, iff username matches Common Name # fails, iff username doesn't match Common Name. $common_connstr = - "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost"; + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=regression_verifydb hostaddr=$SERVERHOSTADDR host=localhost"; $node->connect_ok( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client.crt " . sslkey('client.key'), "auth_option clientcert=verify-full succeeds with matching username and Common Name", # verify-full does not provide authentication log_unlike => [qr/connection authenticated:/],); $node->connect_fails( - "$common_connstr user=anotheruser sslcert=ssl/client.crt " + "$common_connstr user=regress_anotheruser sslcert=ssl/client.crt " . sslkey('client.key'), "auth_option clientcert=verify-full fails with mismatching username and Common Name", expected_stderr => - qr/FATAL: .* "trust" authentication failed for user "anotheruser"/, + qr/FATAL: .* "trust" authentication failed for user "regress_anotheruser"/, # verify-full does not provide authentication log_unlike => [qr/connection authenticated:/],); # Check that connecting with auth-option verify-ca in pg_hba : # works, when username doesn't match Common Name $node->connect_ok( - "$common_connstr user=yetanotheruser sslcert=ssl/client.crt " + "$common_connstr user=regress_yetanotheruser sslcert=ssl/client.crt " . sslkey('client.key'), "auth_option clientcert=verify-ca succeeds with mismatching username and Common Name", # verify-full does not provide authentication @@ -824,7 +824,7 @@ $node->connect_ok( # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file switch_server_cert($node, certfile => 'server-cn-only', cafile => 'root_ca'); $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=certdb " + "$default_ssl_connstr user=regress_ssltestuser dbname=regression_certdb " . sslkey('client.key') . " sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost"; @@ -839,7 +839,7 @@ $node->connect_fails( # temporarily(?) skip this check due to timing issue # log_like => [ # qr{Client certificate verification failed at depth 0: unable to get local issuer certificate}, - # qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656576, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, + # qr{Failed certificate data \(unverified\): subject "/CN=regress_ssltestuser", serial number 2315134995201656576, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, # ] ); @@ -883,20 +883,20 @@ switch_server_cert( # revoked client cert $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client-revoked.crt " . sslkey('client-revoked.key'), "certificate authorization fails with revoked client cert with server-side CRL directory", expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, # temporarily(?) skip this check due to timing issue # log_like => [ # qr{Client certificate verification failed at depth 0: certificate revoked}, - # qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, + # qr{Failed certificate data \(unverified\): subject "/CN=regress_ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"}, # ] ); # revoked client cert, non-ASCII subject $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt " + "$common_connstr user=regress_ssltestuser sslcert=ssl/client-revoked-utf8.crt " . sslkey('client-revoked-utf8.key'), "certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory", expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl index 27abd02abf..34cf39ef7d 100644 --- a/src/test/ssl/t/002_scram.pl +++ b/src/test/ssl/t/002_scram.pl @@ -73,26 +73,26 @@ $ssl_server->configure_test_server_for_ssl( switch_server_cert($node, certfile => 'server-cn-only'); $ENV{PGPASSWORD} = "pass"; $common_connstr = - "dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost"; + "dbname=regression_trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost"; # Default settings $node->connect_ok( - "$common_connstr user=ssltestuser", + "$common_connstr user=regress_ssltestuser", "Basic SCRAM authentication with SSL"); # Test channel_binding $node->connect_fails( - "$common_connstr user=ssltestuser channel_binding=invalid_value", + "$common_connstr user=regress_ssltestuser channel_binding=invalid_value", "SCRAM with SSL and channel_binding=invalid_value", expected_stderr => qr/invalid channel_binding value: "invalid_value"/); -$node->connect_ok("$common_connstr user=ssltestuser channel_binding=disable", +$node->connect_ok("$common_connstr user=regress_ssltestuser channel_binding=disable", "SCRAM with SSL and channel_binding=disable"); -$node->connect_ok("$common_connstr user=ssltestuser channel_binding=require", +$node->connect_ok("$common_connstr user=regress_ssltestuser channel_binding=require", "SCRAM with SSL and channel_binding=require"); # Now test when the user has an MD5-encrypted password; should fail $node->connect_fails( - "$common_connstr user=md5testuser channel_binding=require", + "$common_connstr user=regress_md5testuser channel_binding=require", "MD5 with SSL and channel_binding=require", expected_stderr => qr/channel binding required but not supported by server's authentication request/ @@ -111,7 +111,7 @@ chmod 0600, "$cert_tempdir/client_scram.key" or die "failed to change permissions on $cert_tempdir/client_scram.key: $!"; $client_tmp_key =~ s!\\!/!g if $PostgreSQL::Test::Utils::windows_os; $node->connect_fails( - "sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost dbname=certdb user=ssltestuser channel_binding=require", + "sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost dbname=regression_certdb user=regress_ssltestuser channel_binding=require", "Cert authentication and channel_binding=require", expected_stderr => qr/channel binding required, but server authenticated client without channel binding/ @@ -119,25 +119,25 @@ $node->connect_fails( # Certificate verification at the connection level should still work fine. $node->connect_ok( - "sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost dbname=verifydb user=ssltestuser", + "sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost dbname=regression_verifydb user=regress_ssltestuser", "SCRAM with clientcert=verify-full", log_like => [ - qr/connection authenticated: identity="ssltestuser" method=scram-sha-256/ + qr/connection authenticated: identity="regress_ssltestuser" method=scram-sha-256/ ]); # channel_binding should continue to work independently of require_auth. $node->connect_ok( - "$common_connstr user=ssltestuser channel_binding=disable require_auth=scram-sha-256", + "$common_connstr user=regress_ssltestuser channel_binding=disable require_auth=scram-sha-256", "SCRAM with SSL, channel_binding=disable, and require_auth=scram-sha-256" ); $node->connect_fails( - "$common_connstr user=md5testuser require_auth=md5 channel_binding=require", + "$common_connstr user=regress_md5testuser require_auth=md5 channel_binding=require", "channel_binding can fail even when require_auth succeeds", expected_stderr => qr/channel binding required but not supported by server's authentication request/ ); $node->connect_ok( - "$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256", + "$common_connstr user=regress_ssltestuser channel_binding=require require_auth=scram-sha-256", "SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256" ); @@ -148,10 +148,10 @@ if ($supports_rsapss_certs) { switch_server_cert($node, certfile => 'server-rsapss'); $node->connect_ok( - "$common_connstr user=ssltestuser channel_binding=require", + "$common_connstr user=regress_ssltestuser channel_binding=require", "SCRAM with SSL and channel_binding=require, server certificate uses 'rsassaPss'", log_like => [ - qr/connection authenticated: identity="ssltestuser" method=scram-sha-256/ + qr/connection authenticated: identity="regress_ssltestuser" method=scram-sha-256/ ]); } done_testing(); diff --git a/src/test/ssl/t/003_sslinfo.pl b/src/test/ssl/t/003_sslinfo.pl index 5306aad802..fd0ecdcd21 100644 --- a/src/test/ssl/t/003_sslinfo.pl +++ b/src/test/ssl/t/003_sslinfo.pl @@ -78,8 +78,8 @@ my $default_ssl_connstr = "sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid"; $common_connstr = - "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost " - . "user=ssltestuser sslcert=ssl/client_ext.crt " + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=regression_certdb hostaddr=$SERVERHOSTADDR host=localhost " + . "user=regress_ssltestuser sslcert=ssl/client_ext.crt " . sslkey('client_ext.key'); # Make sure we can connect even though previous test suites have established this @@ -91,13 +91,13 @@ $node->connect_ok( my $result; $result = $node->safe_psql( - "certdb", + "regression_certdb", "SELECT ssl_is_used();", connstr => $common_connstr); is($result, 't', "ssl_is_used() for TLS connection"); $result = $node->safe_psql( - "certdb", + "regression_certdb", "SELECT ssl_version();", connstr => $common_connstr . " ssl_min_protocol_version=TLSv1.2 " @@ -105,68 +105,68 @@ $result = $node->safe_psql( is($result, 'TLSv1.2', "ssl_version() correctly returning TLS protocol"); $result = $node->safe_psql( - "certdb", + "regression_certdb", "SELECT ssl_cipher() = cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();", connstr => $common_connstr); is($result, 't', "ssl_cipher() compared with pg_stat_ssl"); $result = $node->safe_psql( - "certdb", + "regression_certdb", "SELECT ssl_client_cert_present();", connstr => $common_connstr); is($result, 't', "ssl_client_cert_present() for connection with cert"); $result = $node->safe_psql( - "trustdb", + "regression_trustdb", "SELECT ssl_client_cert_present();", connstr => "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require " - . "dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost" + . "dbname=regression_trustdb hostaddr=$SERVERHOSTADDR user=regress_ssltestuser host=localhost" ); is($result, 'f', "ssl_client_cert_present() for connection without cert"); $result = $node->safe_psql( - "certdb", + "regression_certdb", "SELECT ssl_client_serial() = client_serial FROM pg_stat_ssl WHERE pid = pg_backend_pid();", connstr => $common_connstr); is($result, 't', "ssl_client_serial() compared with pg_stat_ssl"); # Must not use safe_psql since we expect an error here $result = $node->psql( - "certdb", + "regression_certdb", "SELECT ssl_client_dn_field('invalid');", connstr => $common_connstr); is($result, '3', "ssl_client_dn_field() for an invalid field"); $result = $node->safe_psql( - "trustdb", + "regression_trustdb", "SELECT ssl_client_dn_field('commonName');", connstr => "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require " - . "dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost" + . "dbname=regression_trustdb hostaddr=$SERVERHOSTADDR user=regress_ssltestuser host=localhost" ); is($result, '', "ssl_client_dn_field() for connection without cert"); $result = $node->safe_psql( - "certdb", + "regression_certdb", "SELECT '/CN=' || ssl_client_dn_field('commonName') = client_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", connstr => $common_connstr); is($result, 't', "ssl_client_dn_field() for commonName"); $result = $node->safe_psql( - "certdb", + "regression_certdb", "SELECT ssl_issuer_dn() = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", connstr => $common_connstr); is($result, 't', "ssl_issuer_dn() for connection with cert"); $result = $node->safe_psql( - "certdb", + "regression_certdb", "SELECT '/CN=' || ssl_issuer_field('commonName') = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", connstr => $common_connstr); is($result, 't', "ssl_issuer_field() for commonName"); $result = $node->safe_psql( - "certdb", + "regression_certdb", "SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';", connstr => $common_connstr); is($result, 'CA:FALSE|t', 'extract extension from cert'); @@ -184,9 +184,9 @@ if ($supports_sslcertmode_require) foreach my $c (@cases) { $result = $node->safe_psql( - "trustdb", + "regression_trustdb", "SELECT ssl_client_cert_present();", - connstr => "$common_connstr dbname=trustdb $c->{'opts'}"); + connstr => "$common_connstr dbname=regression_trustdb $c->{'opts'}"); is($result, $c->{'present'}, "ssl_client_cert_present() for $c->{'opts'}"); } diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm index 2c5c055222..eb2f29317d 100644 --- a/src/test/ssl/t/SSL/Server.pm +++ b/src/test/ssl/t/SSL/Server.pm @@ -127,14 +127,16 @@ sub sslkey =item $server->configure_test_server_for_ssl(node, host, cidr, auth, params) Configure the cluster specified by B or listening on SSL connections. -The following databases will be created in the cluster: trustdb, certdb, -certdb_dn, certdb_dn_re, certdb_cn, verifydb. The following users will be -created in the cluster: ssltestuser, md5testuser, anotheruser, yetanotheruser. -If B<< $params{password} >> is set, it will be used as password for all users -with the password encoding B<< $params{password_enc} >> (except for md5testuser -which always have MD5). Extensions defined in B<< @{$params{extension}} >> -will be created in all the above created databases. B is used for -C and B for configuring C. +The following databases will be created in the cluster: regression_trustdb, +regression_certdb, regression_certdb_dn, regression_certdb_dn_re, +regression_certdb_cn and regressiomn_verifydb. The following users will be +created in the cluster: regress_ssltestuser, regress_md5testuser, +regress_anotheruser and regress_yetanotheruser. If B<< $params{password} >> is +set, it will be used as password for all users with the password encoding B<< +$params{password_enc} >> (except for regress_md5testuser which always have +MD5). Extensions defined in B<< @{$params{extension}} >> will be created in +all the above created databases. B is used for C and +B for configuring C. =cut @@ -146,14 +148,15 @@ sub configure_test_server_for_ssl my $pgdata = $node->data_dir; my @databases = ( - 'trustdb', 'certdb', 'certdb_dn', 'certdb_dn_re', - 'certdb_cn', 'verifydb'); + 'regression_trustdb', 'regression_certdb', 'regression_certdb_dn', + 'regression_certdb_dn_re', 'regression_certdb_cn', + 'regression_verifydb'); # Create test users and databases - $node->psql('postgres', "CREATE USER ssltestuser"); - $node->psql('postgres', "CREATE USER md5testuser"); - $node->psql('postgres', "CREATE USER anotheruser"); - $node->psql('postgres', "CREATE USER yetanotheruser"); + $node->psql('postgres', "CREATE USER regress_ssltestuser"); + $node->psql('postgres', "CREATE USER regress_md5testuser"); + $node->psql('postgres', "CREATE USER regress_anotheruser"); + $node->psql('postgres', "CREATE USER regress_yetanotheruser"); foreach my $db (@databases) { @@ -167,14 +170,14 @@ sub configure_test_server_for_ssl unless defined($params{password_enc}); $node->psql('postgres', - "SET password_encryption='$params{password_enc}'; ALTER USER ssltestuser PASSWORD '$params{password}';" + "SET password_encryption='$params{password_enc}'; ALTER USER regress_ssltestuser PASSWORD '$params{password}';" ); # A special user that always has an md5-encrypted password $node->psql('postgres', - "SET password_encryption='md5'; ALTER USER md5testuser PASSWORD '$params{password}';" + "SET password_encryption='md5'; ALTER USER regress_md5testuser PASSWORD '$params{password}';" ); $node->psql('postgres', - "SET password_encryption='$params{password_enc}'; ALTER USER anotheruser PASSWORD '$params{password}';" + "SET password_encryption='$params{password_enc}'; ALTER USER regress_anotheruser PASSWORD '$params{password}';" ); } @@ -314,35 +317,35 @@ sub _configure_hba_for_ssl # Only accept SSL connections from $servercidr. Our tests don't depend on this # but seems best to keep it as narrow as possible for security reasons. # - # When connecting to certdb, also check the client certificate. + # When connecting to regression_certdb, also check the client certificate. open my $hba, '>', "$pgdata/pg_hba.conf"; print $hba "# TYPE DATABASE USER ADDRESS METHOD OPTIONS\n"; print $hba - "hostssl trustdb md5testuser $servercidr md5\n"; + "hostssl regression_trustdb regress_md5testuser $servercidr md5\n"; print $hba - "hostssl trustdb all $servercidr $authmethod\n"; + "hostssl regression_trustdb all $servercidr $authmethod\n"; print $hba - "hostssl verifydb ssltestuser $servercidr $authmethod clientcert=verify-full\n"; + "hostssl regression_verifydb regress_ssltestuser $servercidr $authmethod clientcert=verify-full\n"; print $hba - "hostssl verifydb anotheruser $servercidr $authmethod clientcert=verify-full\n"; + "hostssl regression_verifydb regress_anotheruser $servercidr $authmethod clientcert=verify-full\n"; print $hba - "hostssl verifydb yetanotheruser $servercidr $authmethod clientcert=verify-ca\n"; + "hostssl regression_verifydb regress_yetanotheruser $servercidr $authmethod clientcert=verify-ca\n"; print $hba - "hostssl certdb all $servercidr cert\n"; + "hostssl regression_certdb all $servercidr cert\n"; print $hba - "hostssl certdb_dn all $servercidr cert clientname=DN map=dn\n", - "hostssl certdb_dn_re all $servercidr cert clientname=DN map=dnre\n", - "hostssl certdb_cn all $servercidr cert clientname=CN map=cn\n"; + "hostssl regression_certdb_dn all $servercidr cert clientname=DN map=dn\n", + "hostssl regression_certdb_dn_re all $servercidr cert clientname=DN map=dnre\n", + "hostssl regression_certdb_cn all $servercidr cert clientname=CN map=cn\n"; close $hba; # Also set the ident maps. Note: fields with commas must be quoted open my $map, ">", "$pgdata/pg_ident.conf"; print $map "# MAPNAME SYSTEM-USERNAME PG-USERNAME\n", - "dn \"CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG\" ssltestuser\n", - "dnre \"/^.*OU=Testing,.*\$\" ssltestuser\n", - "cn ssltestuser-dn ssltestuser\n"; + "dn \"CN=regress_ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG\" regress_ssltestuser\n", + "dnre \"/^.*OU=Testing,.*\$\" regress_ssltestuser\n", + "cn regress_ssltestuser-dn regress_ssltestuser\n"; return; } -- 2.32.1 (Apple Git-133)