On Sat, Nov 12, 2016 at 3:42 AM, Andreas Karlsson <andr...@proxel.se> wrote: > On 11/11/2016 07:40 PM, Andreas Karlsson wrote: >> Here is a new version of the patch with the only differences; >> >> 1) The SSL tests have been changed to use reload rather than restart
Did you check if the tests pass? I am getting a couple of failures like this one: psql: server certificate for "common-name.pg-ssltest.test" does not match host name "127.0.0.1" not ok 11 - sslrootcert=ssl/root+server_ca.crt sslmode=verify-full Attached are the logs of the run I did, and the same behavior shows for macOS and Linux. The shape of the tests look correct to me after review. Still, seeing failing tests with sslmode=verify-full is a problem that needs to be addressed. This may be pointing to an incorrect CA load handling, though I could not spot a problem when going through the code. >> 2) Rebased on master > > And here with a fix to a comment. config.sgml needs an update as it still mentions that SSL parameter require a restart when updated. I have done a couple of tests on Linux, switching ssl mode between on and off and testing connection attempts with sslmode. Things are proving to work as I would expect them to be, so basically that's nice: - switching to off with sslmode=require triggers an error: psql: server does not support SSL, but SSL was required - switching to on with sslmode=require connects with SSL. - switching to off with sslmode=prefer connects without SSL. - switching to on with sslmode=prefer connects with SSL. I have done as well a couple of tests with Windows, where switching ssl between on and off is proving to work properly for each new connection. There is no surprise here, and that's as documented in the patch. -- Michael
regress_log_001_ssltests
Description: Binary data
001_ssltests_master.log
Description: Binary data
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers