On 1/16/18 00:33, Michael Paquier wrote:
> On top of that, src/test/ssl does not provide any kind of coverage for
> that. It would be an area of improvement for those tests.

The tests already cover this:

    # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file
    switch_server_cert($node, 'server-cn-only', 'root_ca');
    $common_connstr =
    "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";

    test_connect_ok($common_connstr,
        "sslmode=require sslcert=ssl/client+client_ca.crt");
    test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");

If you change the Makefile rule for generating the client CA to omit the
-extensions v3_ca option, then the first test will fail.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
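
The dependency described in the message above, reproduced outside PostgreSQL with the openssl command line. This is an added example, not part of the original message or of src/test/ssl. The config, subjects and file names are constructed, and `openssl verify` stands in for the server's chain check.

```shell
# Constructed demo: subjects, file names and the config below are made up.
# Minimal config so the run does not depend on the system openssl.cnf.
write_config() {
    cat > "$1/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
}

# new_req DIR NAME: write NAME.key and NAME.csr into DIR.
new_req() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" \
        -subj "/CN=demo $2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign DIR NAME ISSUER [extra x509 options]: issue NAME.crt from NAME.csr.
sign() {
    dir=$1 name=$2 issuer=$3; shift 3
    openssl x509 -req -sha256 -days 1 -set_serial 1 -in "$dir/$name.csr" \
        -CA "$dir/$issuer.crt" -CAkey "$dir/$issuer.key" \
        -out "$dir/$name.crt" "$@" 2>/dev/null
}

# verify_chain with_v3_ca|without_v3_ca: print "ok" if the client
# certificate verifies through the intermediate, "fail" otherwise.
verify_chain() {
    d=$(mktemp -d) || return 2
    write_config "$d"
    for n in root client_ca client; do new_req "$d" "$n"; done
    openssl x509 -req -sha256 -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/demo.cnf" -extensions v3_ca -out "$d/root.crt" 2>/dev/null
    if [ "$1" = with_v3_ca ]; then
        sign "$d" client_ca root -extfile "$d/demo.cnf" -extensions v3_ca
    else
        sign "$d" client_ca root   # no basicConstraints: not usable as a CA
    fi
    sign "$d" client client_ca
    result=fail
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/client_ca.crt" \
        "$d/client.crt" 2>/dev/null | grep -q ': OK$' && result=ok
    rm -rf "$d"
    echo "$result"
}
for mode in with_v3_ca without_v3_ca; do echo "$mode: $(verify_chain "$mode")"; done
```

Only the root is trusted here; the intermediate is supplied as an untrusted chain certificate, as the client does with client+client_ca.crt in the test.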