postgresql/src/test/ssl/t/001_ssltests.pl

908 lines
35 KiB
Perl

# Copyright (c) 2021-2024, PostgreSQL Global Development Group
use strict;
use warnings FATAL => 'all';
use Config qw ( %Config );
use PostgreSQL::Test::Cluster;
use PostgreSQL::Test::Utils;
use Test::More;
use FindBin;
use lib $FindBin::RealBin;
use SSL::Server;
if ($ENV{with_ssl} ne 'openssl')
{
plan skip_all => 'OpenSSL not supported by this build';
}
elsif (!$ENV{PG_TEST_EXTRA} || $ENV{PG_TEST_EXTRA} !~ /\bssl\b/)
{
plan skip_all =>
'Potentially unsafe test SSL not enabled in PG_TEST_EXTRA';
}
my $ssl_server = SSL::Server->new();
sub sslkey
{
return $ssl_server->sslkey(@_);
}
sub switch_server_cert
{
$ssl_server->switch_server_cert(@_);
}
# Determine whether this build uses OpenSSL or LibreSSL. As a heuristic, the
# HAVE_SSL_CTX_SET_CERT_CB macro isn't defined for LibreSSL. (Nor for OpenSSL
# 1.0.1, but that's old enough that accommodating it isn't worth the cost.)
my $libressl = not check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1");
#### Some configuration
# This is the hostname used to connect to the server. This cannot be a
# hostname, because the server certificate is always for the domain
# postgresql-ssl-regression.test.
my $SERVERHOSTADDR = '127.0.0.1';
# This is the pattern to use in pg_hba.conf to match incoming connections.
my $SERVERHOSTCIDR = '127.0.0.1/32';
# Determine whether build supports sslcertmode=require.
my $supports_sslcertmode_require =
check_pg_config("#define HAVE_SSL_CTX_SET_CERT_CB 1");
# Allocation of base connection string shared among multiple tests.
my $common_connstr;
#### Set up the server.
note "setting up data directory";
my $node = PostgreSQL::Test::Cluster->new('primary');
$node->init;
# PGHOST is enforced here to set up the node, subsequent connections
# will use a dedicated connection string.
$ENV{PGHOST} = $node->host;
$ENV{PGPORT} = $node->port;
$node->start;
# Run this before we lock down access below.
my $result = $node->safe_psql('postgres', "SHOW ssl_library");
is($result, $ssl_server->ssl_library(), 'ssl_library parameter');
$ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR,
$SERVERHOSTCIDR, 'trust');
note "testing password-protected keys";
switch_server_cert(
$node,
certfile => 'server-cn-only',
cafile => 'root+client_ca',
keyfile => 'server-password',
passphrase_cmd => 'echo wrongpassword',
restart => 'no');
$result = $node->restart(fail_ok => 1);
is($result, 0, 'restart fails with password-protected key file with wrong password');
switch_server_cert(
$node,
certfile => 'server-cn-only',
cafile => 'root+client_ca',
keyfile => 'server-password',
passphrase_cmd => 'echo secret1',
restart => 'no');
$result = $node->restart(fail_ok => 1);
is($result, 1, 'restart succeeds with password-protected key file');
# Test compatibility of SSL protocols.
# TLSv1.1 is lower than TLSv1.2, so it won't work.
$node->append_conf(
'postgresql.conf',
qq{ssl_min_protocol_version='TLSv1.2'
ssl_max_protocol_version='TLSv1.1'});
$result = $node->restart(fail_ok => 1);
is($result, 0, 'restart fails with incorrect SSL protocol bounds');
# Go back to the defaults, this works.
$node->append_conf(
'postgresql.conf',
qq{ssl_min_protocol_version='TLSv1.2'
ssl_max_protocol_version=''});
$result = $node->restart(fail_ok => 1);
is($result, 1, 'restart succeeds with correct SSL protocol bounds');
### Run client-side tests.
###
### Test that libpq accepts/rejects the connection correctly, depending
### on sslmode and whether the server's certificate looks correct. No
### client certificate is used in these tests.
note "running client tests";
switch_server_cert($node, certfile => 'server-cn-only');
# Set of default settings for SSL parameters in connection string. This
# makes the tests protected against any defaults the environment may have
# in ~/.postgresql/.
my $default_ssl_connstr =
"sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid";
$common_connstr =
"$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
# The server should not accept non-SSL connections.
$node->connect_fails(
"$common_connstr sslmode=disable",
"server doesn't accept non-SSL connections",
expected_stderr => qr/\Qno pg_hba.conf entry\E/);
# Try without a root cert. In sslmode=require, this should work. In verify-ca
# or verify-full mode it should fail.
$node->connect_ok(
"$common_connstr sslrootcert=invalid sslmode=require",
"connect without server root cert sslmode=require");
$node->connect_fails(
"$common_connstr sslrootcert=invalid sslmode=verify-ca",
"connect without server root cert sslmode=verify-ca",
expected_stderr => qr/root certificate file "invalid" does not exist/);
$node->connect_fails(
"$common_connstr sslrootcert=invalid sslmode=verify-full",
"connect without server root cert sslmode=verify-full",
expected_stderr => qr/root certificate file "invalid" does not exist/);
# Try with wrong root cert, should fail. (We're using the client CA as the
# root, but the server's key is signed by the server CA.)
$node->connect_fails(
"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=require",
"connect with wrong server root cert sslmode=require",
expected_stderr => qr/SSL error: certificate verify failed/);
$node->connect_fails(
"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-ca",
"connect with wrong server root cert sslmode=verify-ca",
expected_stderr => qr/SSL error: certificate verify failed/);
$node->connect_fails(
"$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-full",
"connect with wrong server root cert sslmode=verify-full",
expected_stderr => qr/SSL error: certificate verify failed/);
# Try with just the server CA's cert. This fails because the root file
# must contain the whole chain up to the root CA.
$node->connect_fails(
"$common_connstr sslrootcert=ssl/server_ca.crt sslmode=verify-ca",
"connect with server CA cert, without root CA",
expected_stderr => qr/SSL error: certificate verify failed/);
# And finally, with the correct root cert.
$node->connect_ok(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require",
"connect with correct server CA cert file sslmode=require");
$node->connect_ok(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca",
"connect with correct server CA cert file sslmode=verify-ca");
$node->connect_ok(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-full",
"connect with correct server CA cert file sslmode=verify-full");
# Test with cert root file that contains two certificates. The client should
# be able to pick the right one, regardless of the order in the file.
$node->connect_ok(
"$common_connstr sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca",
"cert root file that contains two certificates, order 1");
$node->connect_ok(
"$common_connstr sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca",
"cert root file that contains two certificates, order 2");
# sslcertmode=allow and disable should both work without a client certificate.
$node->connect_ok(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require sslcertmode=disable",
"connect with sslcertmode=disable");
$node->connect_ok(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require sslcertmode=allow",
"connect with sslcertmode=allow");
# sslcertmode=require, however, should fail.
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require sslcertmode=require",
"connect with sslcertmode=require fails without a client certificate",
expected_stderr => $supports_sslcertmode_require
? qr/server accepted connection without a valid SSL certificate/
: qr/sslcertmode value "require" is not supported/);
# CRL tests
# Invalid CRL filename is the same as no CRL, succeeds
$node->connect_ok(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid",
"sslcrl option with invalid file name");
# A CRL belonging to a different CA is not accepted, fails
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl",
"CRL belonging to a different CA",
expected_stderr => qr/SSL error: certificate verify failed/);
# The same for CRL directory. sslcrl='' is added here to override the
# invalid default, so as this does not interfere with this case.
$node->connect_fails(
"$common_connstr sslcrl='' sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir",
"directory CRL belonging to a different CA",
expected_stderr => qr/SSL error: certificate verify failed/);
# With the correct CRL, succeeds (this cert is not revoked)
$node->connect_ok(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
"CRL with a non-revoked cert");
# The same for CRL directory
$node->connect_ok(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
"directory CRL with a non-revoked cert");
# Check that connecting with verify-full fails, when the hostname doesn't
# match the hostname in the server's certificate.
$common_connstr =
"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
$node->connect_ok("$common_connstr sslmode=require host=wronghost.test",
"mismatch between host name and server certificate sslmode=require");
$node->connect_ok(
"$common_connstr sslmode=verify-ca host=wronghost.test",
"mismatch between host name and server certificate sslmode=verify-ca");
$node->connect_fails(
"$common_connstr sslmode=verify-full host=wronghost.test",
"mismatch between host name and server certificate sslmode=verify-full",
expected_stderr =>
qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E/
);
# Test with an IP address in the Common Name. This is a strange corner case that
# nevertheless is supported, as long as the address string matches exactly.
switch_server_cert($node, certfile => 'server-ip-cn-only');
$common_connstr =
"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
$node->connect_ok("$common_connstr host=192.0.2.1",
"IP address in the Common Name");
$node->connect_fails(
"$common_connstr host=192.000.002.001",
"mismatch between host name and server certificate IP address",
expected_stderr =>
qr/\Qserver certificate for "192.0.2.1" does not match host name "192.000.002.001"\E/
);
# Similarly, we'll also match an IP address in a dNSName SAN. (This is
# long-standing behavior.)
switch_server_cert($node, certfile => 'server-ip-in-dnsname');
$node->connect_ok("$common_connstr host=192.0.2.1",
"IP address in a dNSName");
# Test Subject Alternative Names.
switch_server_cert($node, certfile => 'server-multiple-alt-names');
$common_connstr =
"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
$node->connect_ok(
"$common_connstr host=dns1.alt-name.pg-ssltest.test",
"host name matching with X.509 Subject Alternative Names 1");
$node->connect_ok(
"$common_connstr host=dns2.alt-name.pg-ssltest.test",
"host name matching with X.509 Subject Alternative Names 2");
$node->connect_ok("$common_connstr host=foo.wildcard.pg-ssltest.test",
"host name matching with X.509 Subject Alternative Names wildcard");
$node->connect_fails(
"$common_connstr host=wronghost.alt-name.pg-ssltest.test",
"host name not matching with X.509 Subject Alternative Names",
expected_stderr =>
qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "wronghost.alt-name.pg-ssltest.test"\E/
);
$node->connect_fails(
"$common_connstr host=deep.subdomain.wildcard.pg-ssltest.test",
"host name not matching with X.509 Subject Alternative Names wildcard",
expected_stderr =>
qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/
);
# Test certificate with a single Subject Alternative Name. (this gives a
# slightly different error message, that's all)
switch_server_cert($node, certfile => 'server-single-alt-name');
$common_connstr =
"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
$node->connect_ok(
"$common_connstr host=single.alt-name.pg-ssltest.test",
"host name matching with a single X.509 Subject Alternative Name");
$node->connect_fails(
"$common_connstr host=wronghost.alt-name.pg-ssltest.test",
"host name not matching with a single X.509 Subject Alternative Name",
expected_stderr =>
qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "wronghost.alt-name.pg-ssltest.test"\E/
);
$node->connect_fails(
"$common_connstr host=deep.subdomain.wildcard.pg-ssltest.test",
"host name not matching with a single X.509 Subject Alternative Name wildcard",
expected_stderr =>
qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/
);
SKIP:
{
skip 'IPv6 addresses in certificates not support on this platform', 1
unless check_pg_config('#define HAVE_INET_PTON 1');
# Test certificate with IP addresses in the SANs.
switch_server_cert($node, certfile => 'server-ip-alt-names');
$node->connect_ok("$common_connstr host=192.0.2.1",
"host matching an IPv4 address (Subject Alternative Name 1)");
$node->connect_ok(
"$common_connstr host=192.000.002.001",
"host matching an IPv4 address in alternate form (Subject Alternative Name 1)"
);
$node->connect_fails(
"$common_connstr host=192.0.2.2",
"host not matching an IPv4 address (Subject Alternative Name 1)",
expected_stderr =>
qr/\Qserver certificate for "192.0.2.1" (and 1 other name) does not match host name "192.0.2.2"\E/
);
$node->connect_ok("$common_connstr host=2001:DB8::1",
"host matching an IPv6 address (Subject Alternative Name 2)");
$node->connect_ok(
"$common_connstr host=2001:db8:0:0:0:0:0:1",
"host matching an IPv6 address in alternate form (Subject Alternative Name 2)"
);
$node->connect_ok(
"$common_connstr host=2001:db8::0.0.0.1",
"host matching an IPv6 address in mixed form (Subject Alternative Name 2)"
);
$node->connect_fails(
"$common_connstr host=::1",
"host not matching an IPv6 address (Subject Alternative Name 2)",
expected_stderr =>
qr/\Qserver certificate for "192.0.2.1" (and 1 other name) does not match host name "::1"\E/
);
$node->connect_fails(
"$common_connstr host=2001:DB8::1/128",
"IPv6 host with CIDR mask does not match",
expected_stderr =>
qr/\Qserver certificate for "192.0.2.1" (and 1 other name) does not match host name "2001:DB8::1\/128"\E/
);
}
# Test server certificate with a CN and DNS SANs. Per RFCs 2818 and 6125, the CN
# should be ignored when the certificate has both.
switch_server_cert($node, certfile => 'server-cn-and-alt-names');
$common_connstr =
"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
$node->connect_ok("$common_connstr host=dns1.alt-name.pg-ssltest.test",
"certificate with both a CN and SANs 1");
$node->connect_ok("$common_connstr host=dns2.alt-name.pg-ssltest.test",
"certificate with both a CN and SANs 2");
$node->connect_fails(
"$common_connstr host=common-name.pg-ssltest.test",
"certificate with both a CN and SANs ignores CN",
expected_stderr =>
qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 1 other name) does not match host name "common-name.pg-ssltest.test"\E/
);
SKIP:
{
skip 'IPv6 addresses in certificates not support on this platform', 1
unless check_pg_config('#define HAVE_INET_PTON 1');
# But we will fall back to check the CN if the SANs contain only IP addresses.
switch_server_cert($node, certfile => 'server-cn-and-ip-alt-names');
$node->connect_ok(
"$common_connstr host=common-name.pg-ssltest.test",
"certificate with both a CN and IP SANs matches CN");
$node->connect_ok("$common_connstr host=192.0.2.1",
"certificate with both a CN and IP SANs matches SAN 1");
$node->connect_ok("$common_connstr host=2001:db8::1",
"certificate with both a CN and IP SANs matches SAN 2");
# And now the same tests, but with IP addresses and DNS names swapped.
switch_server_cert($node, certfile => 'server-ip-cn-and-alt-names');
$node->connect_ok("$common_connstr host=192.0.2.2",
"certificate with both an IP CN and IP SANs 1");
$node->connect_ok("$common_connstr host=2001:db8::1",
"certificate with both an IP CN and IP SANs 2");
$node->connect_fails(
"$common_connstr host=192.0.2.1",
"certificate with both an IP CN and IP SANs ignores CN",
expected_stderr =>
qr/\Qserver certificate for "192.0.2.2" (and 1 other name) does not match host name "192.0.2.1"\E/
);
}
switch_server_cert($node, certfile => 'server-ip-cn-and-dns-alt-names');
$node->connect_ok("$common_connstr host=192.0.2.1",
"certificate with both an IP CN and DNS SANs matches CN");
$node->connect_ok(
"$common_connstr host=dns1.alt-name.pg-ssltest.test",
"certificate with both an IP CN and DNS SANs matches SAN 1");
$node->connect_ok(
"$common_connstr host=dns2.alt-name.pg-ssltest.test",
"certificate with both an IP CN and DNS SANs matches SAN 2");
# Finally, test a server certificate that has no CN or SANs. Of course, that's
# not a very sensible certificate, but libpq should handle it gracefully.
switch_server_cert($node, certfile => 'server-no-names');
$common_connstr =
"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
$node->connect_ok(
"$common_connstr sslmode=verify-ca host=common-name.pg-ssltest.test",
"server certificate without CN or SANs sslmode=verify-ca");
$node->connect_fails(
$common_connstr . " "
. "sslmode=verify-full host=common-name.pg-ssltest.test",
"server certificate without CN or SANs sslmode=verify-full",
expected_stderr =>
qr/could not get server's host name from server certificate/);
# Test system trusted roots.
switch_server_cert(
$node,
certfile => 'server-cn-only+server_ca',
keyfile => 'server-cn-only',
cafile => 'root_ca');
$common_connstr =
"$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=system hostaddr=$SERVERHOSTADDR";
# By default our custom-CA-signed certificate should not be trusted.
# OpenSSL 3.0 reports a missing/invalid system CA as "unregistered schema"
# instead of a failed certificate verification.
$node->connect_fails(
"$common_connstr sslmode=verify-full host=common-name.pg-ssltest.test",
"sslrootcert=system does not connect with private CA",
expected_stderr =>
qr/SSL error: (certificate verify failed|unregistered scheme)/);
# Modes other than verify-full cannot be mixed with sslrootcert=system.
$node->connect_fails(
"$common_connstr sslmode=verify-ca host=common-name.pg-ssltest.test",
"sslrootcert=system only accepts sslmode=verify-full",
expected_stderr =>
qr/weak sslmode "verify-ca" may not be used with sslrootcert=system/);
SKIP:
{
skip "SSL_CERT_FILE is not supported with LibreSSL" if $libressl;
# We can modify the definition of "system" to get it trusted again.
local $ENV{SSL_CERT_FILE} = $node->data_dir . "/root_ca.crt";
$node->connect_ok(
"$common_connstr sslmode=verify-full host=common-name.pg-ssltest.test",
"sslrootcert=system connects with overridden SSL_CERT_FILE");
# verify-full mode should be the default for system CAs.
$node->connect_fails(
"$common_connstr host=common-name.pg-ssltest.test.bad",
"sslrootcert=system defaults to sslmode=verify-full",
expected_stderr =>
qr/server certificate for "common-name.pg-ssltest.test" does not match host name "common-name.pg-ssltest.test.bad"/
);
}
# Test that the CRL works
switch_server_cert($node, certfile => 'server-revoked');
$common_connstr =
"$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
# Without the CRL, succeeds. With it, fails.
$node->connect_ok(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca",
"connects without client-side CRL");
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl",
"does not connect with client-side CRL file",
expected_stderr => qr/SSL error: certificate verify failed/);
# sslcrl='' is added here to override the invalid default, so as this
# does not interfere with this case.
$node->connect_fails(
"$common_connstr sslcrl='' sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir",
"does not connect with client-side CRL directory",
expected_stderr => qr/SSL error: certificate verify failed/);
# pg_stat_ssl
command_like(
[
'psql', '-X',
'-A', '-F',
',', '-P',
'null=_null_', '-d',
"$common_connstr sslrootcert=invalid", '-c',
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx,
'pg_stat_ssl view without client certificate');
# Test min/max SSL protocol versions.
$node->connect_ok(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2",
"connection success with correct range of TLS protocol versions");
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1",
"connection failure with incorrect range of TLS protocol versions",
expected_stderr => qr/invalid SSL protocol version range/);
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls",
"connection failure with an incorrect SSL protocol minimum bound",
expected_stderr => qr/invalid ssl_min_protocol_version value/);
$node->connect_fails(
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls",
"connection failure with an incorrect SSL protocol maximum bound",
expected_stderr => qr/invalid ssl_max_protocol_version value/);
### Server-side tests.
###
### Test certificate authorization.
note "running server tests";
$common_connstr =
"$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost";
# no client cert
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=invalid",
"certificate authorization fails without client cert",
expected_stderr => qr/connection requires a valid client certificate/);
# correct client cert in unencrypted PEM
$node->connect_ok(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt "
. sslkey('client.key'),
"certificate authorization succeeds with correct client cert in PEM format"
);
# correct client cert in unencrypted DER
$node->connect_ok(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt "
. sslkey('client-der.key'),
"certificate authorization succeeds with correct client cert in DER format"
);
# correct client cert in encrypted PEM
$node->connect_ok(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt "
. sslkey('client-encrypted-pem.key')
. " sslpassword='dUmmyP^#+'",
"certificate authorization succeeds with correct client cert in encrypted PEM format"
);
# correct client cert in encrypted DER
$node->connect_ok(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt "
. sslkey('client-encrypted-der.key')
. " sslpassword='dUmmyP^#+'",
"certificate authorization succeeds with correct client cert in encrypted DER format"
);
# correct client cert with sslcertmode=allow or require
if ($supports_sslcertmode_require)
{
$node->connect_ok(
"$common_connstr user=ssltestuser sslcertmode=require sslcert=ssl/client.crt "
. sslkey('client.key'),
"certificate authorization succeeds with correct client cert and sslcertmode=require"
);
}
$node->connect_ok(
"$common_connstr user=ssltestuser sslcertmode=allow sslcert=ssl/client.crt "
. sslkey('client.key'),
"certificate authorization succeeds with correct client cert and sslcertmode=allow"
);
# client cert is not sent if sslcertmode=disable.
$node->connect_fails(
"$common_connstr user=ssltestuser sslcertmode=disable sslcert=ssl/client.crt "
. sslkey('client.key'),
"certificate authorization fails with correct client cert and sslcertmode=disable",
expected_stderr => qr/connection requires a valid client certificate/);
# correct client cert in encrypted PEM with wrong password
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt "
. sslkey('client-encrypted-pem.key')
. " sslpassword='wrong'",
"certificate authorization fails with correct client cert and wrong password in encrypted PEM format",
expected_stderr =>
qr!private key file \".*client-encrypted-pem\.key\": bad decrypt!,);
# correct client cert using whole DN
my $dn_connstr = "$common_connstr dbname=certdb_dn";
$node->connect_ok(
"$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt "
. sslkey('client-dn.key'),
"certificate authorization succeeds with DN mapping",
log_like => [
qr/connection authenticated: identity="CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG" method=cert/
],);
# same thing but with a regex
$dn_connstr = "$common_connstr dbname=certdb_dn_re";
$node->connect_ok(
"$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt "
. sslkey('client-dn.key'),
"certificate authorization succeeds with DN regex mapping");
# same thing but using explicit CN
$dn_connstr = "$common_connstr dbname=certdb_cn";
$node->connect_ok(
"$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt "
. sslkey('client-dn.key'),
"certificate authorization succeeds with CN mapping",
# the full DN should still be used as the authenticated identity
log_like => [
qr/connection authenticated: identity="CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG" method=cert/
],);
TODO:
{
# these tests are left here waiting on us to get better pty support
# so they don't hang. For now they are not performed.
todo_skip "Need Pty support", 4;
# correct client cert in encrypted PEM with empty password
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt "
. sslkey('client-encrypted-pem.key')
. " sslpassword=''",
"certificate authorization fails with correct client cert and empty password in encrypted PEM format",
expected_stderr =>
qr!private key file \".*client-encrypted-pem\.key\": processing error!
);
# correct client cert in encrypted PEM with no password
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt "
. sslkey('client-encrypted-pem.key'),
"certificate authorization fails with correct client cert and no password in encrypted PEM format",
expected_stderr =>
qr!private key file \".*client-encrypted-pem\.key\": processing error!
);
}
# pg_stat_ssl
my $serialno = `$ENV{OPENSSL} x509 -serial -noout -in ssl/client.crt`;
if ($? == 0)
{
# OpenSSL prints serial numbers in hexadecimal and converting the serial
# from hex requires a 64-bit capable Perl as the serialnumber is based on
# the current timestamp. On 32-bit fall back to checking for it being an
# integer like how we do when grabbing the serial fails.
if ($Config{ivsize} == 8)
{
no warnings qw(portable);
$serialno =~ s/^serial=//;
$serialno =~ s/\s+//g;
$serialno = hex($serialno);
}
else
{
$serialno = '\d+';
}
}
else
{
# OpenSSL isn't functioning on the user's PATH. This probably isn't worth
# skipping the test over, so just fall back to a generic integer match.
warn "couldn't run \"$ENV{OPENSSL} x509\" to get client cert serialno";
$serialno = '\d+';
}
command_like(
[
'psql',
'-X',
'-A',
'-F',
',',
'-P',
'null=_null_',
'-d',
"$common_connstr user=ssltestuser sslcert=ssl/client.crt "
. sslkey('client.key'),
'-c',
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions
SKIP:
{
skip "Permissions check not enforced on Windows", 2 if ($windows_os);
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt "
. sslkey('client_wrongperms.key'),
"certificate authorization fails because of file permissions",
expected_stderr =>
qr!private key file \".*client_wrongperms\.key\" has group or world access!
);
}
# client cert belonging to another user
$node->connect_fails(
"$common_connstr user=anotheruser sslcert=ssl/client.crt "
. sslkey('client.key'),
"certificate authorization fails with client cert belonging to another user",
expected_stderr =>
qr/certificate authentication failed for user "anotheruser"/,
# certificate authentication should be logged even on failure
# temporarily(?) skip this check due to timing issue
# log_like =>
# [qr/connection authenticated: identity="CN=ssltestuser" method=cert/],
);
# revoked client cert
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
. sslkey('client-revoked.key'),
"certificate authorization fails with revoked client cert",
expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
# temporarily(?) skip this check due to timing issue
# log_like => [
# qr{Client certificate verification failed at depth 0: certificate revoked},
# qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
# ],
# revoked certificates should not authenticate the user
log_unlike => [qr/connection authenticated:/],);
# Check that connecting with auth-option verify-full in pg_hba:
# works, iff username matches Common Name
# fails, iff username doesn't match Common Name.
$common_connstr =
"$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost";
$node->connect_ok(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt "
. sslkey('client.key'),
"auth_option clientcert=verify-full succeeds with matching username and Common Name",
log_like =>
[qr/connection authenticated: user="ssltestuser" method=trust/],);
$node->connect_fails(
"$common_connstr user=anotheruser sslcert=ssl/client.crt "
. sslkey('client.key'),
"auth_option clientcert=verify-full fails with mismatching username and Common Name",
expected_stderr =>
qr/FATAL: .* "trust" authentication failed for user "anotheruser"/,
# verify-full does not provide authentication
log_unlike => [qr/connection authenticated:/],);
# Check that connecting with auth-option verify-ca in pg_hba :
# works, when username doesn't match Common Name
$node->connect_ok(
"$common_connstr user=yetanotheruser sslcert=ssl/client.crt "
. sslkey('client.key'),
"auth_option clientcert=verify-ca succeeds with mismatching username and Common Name",
log_like =>
[qr/connection authenticated: user="yetanotheruser" method=trust/],);
# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
switch_server_cert($node, certfile => 'server-cn-only', cafile => 'root_ca');
$common_connstr =
"$default_ssl_connstr user=ssltestuser dbname=certdb "
. sslkey('client.key')
. " sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost";
$node->connect_ok(
"$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt",
"intermediate client certificate is provided by client");
$node->connect_fails(
$common_connstr . " " . "sslmode=require sslcert=ssl/client.crt",
"intermediate client certificate is missing",
expected_stderr => qr/SSL error: tlsv1 alert unknown ca/,
# temporarily(?) skip this check due to timing issue
# log_like => [
# qr{Client certificate verification failed at depth 0: unable to get local issuer certificate},
# qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656576, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
# ]
);
$node->connect_fails(
"$common_connstr sslmode=require sslcert=ssl/client-long.crt "
. sslkey('client-long.key'),
"logged client certificate Subjects are truncated if they're too long",
expected_stderr => qr/SSL error: tlsv1 alert unknown ca/,
# temporarily(?) skip this check due to timing issue
# log_like => [
# qr{Client certificate verification failed at depth 0: unable to get local issuer certificate},
# qr{Failed certificate data \(unverified\): subject "\.\.\./CN=ssl-123456789012345678901234567890123456789012345678901234567890", serial number 2315418733629425152, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
# ]
);
# Use an invalid cafile here so that the next test won't be able to verify the
# client CA.
switch_server_cert(
$node,
certfile => 'server-cn-only',
cafile => 'server-cn-only');
# intermediate CA is provided but doesn't have a trusted root (checks error
# logging for cert chain depths > 0)
$node->connect_fails(
"$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt",
"intermediate client certificate is untrusted",
expected_stderr => qr/SSL error: tlsv1 alert unknown ca/,
# temporarily(?) skip this check due to timing issue
# log_like => [
# qr{Client certificate verification failed at depth 1: unable to get local issuer certificate},
# qr{Failed certificate data \(unverified\): subject "/CN=Test CA for PostgreSQL SSL regression test client certs", serial number 2315134995201656577, issuer "/CN=Test root CA for PostgreSQL SSL regression test suite"},
# ]
);
# test server-side CRL directory
switch_server_cert(
$node,
certfile => 'server-cn-only',
crldir => 'root+client-crldir');
# revoked client cert
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt "
. sslkey('client-revoked.key'),
"certificate authorization fails with revoked client cert with server-side CRL directory",
expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
# temporarily(?) skip this check due to timing issue
# log_like => [
# qr{Client certificate verification failed at depth 0: certificate revoked},
# qr{Failed certificate data \(unverified\): subject "/CN=ssltestuser", serial number 2315134995201656577, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
# ]
);
# revoked client cert, non-ASCII subject
$node->connect_fails(
"$common_connstr user=ssltestuser sslcert=ssl/client-revoked-utf8.crt "
. sslkey('client-revoked-utf8.key'),
"certificate authorization fails with revoked UTF-8 client cert with server-side CRL directory",
expected_stderr => qr|SSL error: ssl[a-z0-9/]* alert certificate revoked|,
# temporarily(?) skip this check due to timing issue
# log_like => [
# qr{Client certificate verification failed at depth 0: certificate revoked},
# qr{Failed certificate data \(unverified\): subject "/CN=\\xce\\x9f\\xce\\xb4\\xcf\\x85\\xcf\\x83\\xcf\\x83\\xce\\xad\\xce\\xb1\\xcf\\x82", serial number 2315420958437414144, issuer "/CN=Test CA for PostgreSQL SSL regression test client certs"},
# ]
);
done_testing();