From 348020caa7beaa2e4b1bc10b1ea6eb2c97b894c0 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Wed, 26 Nov 2025 14:24:34 +0100 Subject: ssl: Add connection and reload tests for key passphrases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ssl_passphrase_command_supports_reload was not covered by the SSL testsuite, and connection tests after unlocking secrets with the passphrase was also missing. This adds test coverage for reloads of passphrase commands as well as connection attempts which tests the different codepaths for Windows and non-EXEC_BACKEND builds. Author: Daniel Gustafsson Reviewed-by: Chao Li Reviewed-by: Álvaro Herrera Reviewed-by: Peter Eisentraut Discussion: https://postgr.es/m/5F301096-921A-427D-8EC1-EBAEC2A35082@yesql.se --- src/test/ssl/t/SSL/Server.pm | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'src/test/ssl/t/SSL/Server.pm') diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm index efbd0dafaf6..a0a786c2ef2 100644 --- a/src/test/ssl/t/SSL/Server.pm +++ b/src/test/ssl/t/SSL/Server.pm @@ -296,6 +296,11 @@ The CRL directory to use. Implementation is SSL backend specific. The passphrase command to use. If not set, an empty passphrase command will be set. +=item passphrase_cmd_reload => B + +Whether or not to allow passphrase command reloading. If set the passphrase +command reload configuration setting will be set to the value. + =item restart => B If set to 'no', the server won't be restarted after updating the settings. @@ -315,7 +320,7 @@ sub switch_server_cert my $pgdata = $node->data_dir; ok(unlink($node->data_dir . '/sslconfig.conf')); - $node->append_conf('sslconfig.conf', "ssl=on"); + $node->append_conf('sslconfig.conf', 'ssl=on'); $node->append_conf('sslconfig.conf', $backend->set_server_cert(\%params)); # use lists of ECDH curves and cipher suites for syntax testing $node->append_conf('sslconfig.conf', 
@@ -324,9 +329,14 @@ sub switch_server_cert 'ssl_tls13_ciphers=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256'); $node->append_conf('sslconfig.conf', - "ssl_passphrase_command='" . $params{passphrase_cmd} . "'") + 'ssl_passphrase_command=\'' . $params{passphrase_cmd} . '\'') if defined $params{passphrase_cmd}; + $node->append_conf('sslconfig.conf', + 'ssl_passphrase_command_supports_reload=\'' + . $params{passphrase_cmd_reload} . '\'') + if defined $params{passphrase_cmd_reload}; + return if (defined($params{restart}) && $params{restart} eq 'no'); $node->restart; -- cgit v1.2.3
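Review bot: In this hunk both `$params{passphrase_cmd}` and the new `$params{passphrase_cmd_reload}` are concatenated between single quotes into sslconfig.conf without escaping, so a value containing `'` would end the quoted string early and the remainder would be parsed as configuration syntax. postgresql.conf accepts a doubled quote inside a quoted value, so the value could be escaped before it is written, for example `($params{passphrase_cmd} =~ s/'/''/gr)` in place of the bare `$params{passphrase_cmd}`, and likewise for the reload value. The reload flag is written verbatim under a bare `defined` check, so an empty string would yield `ssl_passphrase_command_supports_reload=''`; if only boolean values are intended, a comment such as `# expects a boolean setting value (on/off), written verbatim` would make the contract explicit. switch_server_cert begins before this hunk, so the values callers actually pass are not visible here.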