Thomas Munro <thomas.munro@gmail.com> writes:
> Anyway, I can also reproduce this problem on my Vagrant image (OpenBSD
> 6.9 'cause I haven't got around to setting up 7).
I had an OpenBSD 6.8 image laying about, so I tried the ssl test
there, and it falls over in even more places:
Test Summary Report
-------------------
t/001_ssltests.pl (Wstat: 8448 Tests: 110 Failed: 33)
Failed tests: 14, 16, 18-20, 28, 30-32, 58, 60, 72-76
79-83, 88-90, 94-95, 97, 99, 102, 104, 106
108, 110
Non-zero exit status: 33
t/002_scram.pl (Wstat: 1792 Tests: 11 Failed: 7)
Failed tests: 1, 4-5, 7, 9-11
Non-zero exit status: 7
t/003_sslinfo.pl (Wstat: 7424 Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 29
Parse errors: Bad plan. You planned 13 tests but ran 1.
A lot of the errors look like they didn't yet have support for
TLS 1.2; this is typical:
# Failed test 'pg_stat_ssl with client certificate: no stderr'
# at t/001_ssltests.pl line 523.
# got: 'psql: error: connection to server at "127.0.0.1", port 57105 failed: SSL error: tlsv1 alert protocol
version
# This may indicate that the server does not support any SSL protocol version between TLSv1.2 and TLSv1.2.
The postmaster log entries corresponding to this look like
2022-02-02 20:13:49.420 EST [16352] [unknown] LOG: connection received: host=localhost port=39596
2022-02-02 20:13:49.429 EST [16352] [unknown] LOG: could not accept SSL connection: sslv3 alert illegal parameter
I don't see anything in /etc/ssl/openssl.cnf that looks related
to TLS protocol restrictions.
Perhaps 6.8 is too old to be of interest anymore, but that's
what I've got handy.
BTW, I also reproduced something that seems odd from the OP's
postmaster logs: there are what seem a quite excessive number
of checkpoints happening during these tests. That happens
on my Linux box too, so it's not an OpenBSD issue. It looks
like there are two per CREATE DATABASE --- I could understand
one maybe, but why two?
regards, tom lane