On Tue, 2018-04-10 at 18:35 +0200, Magnus Hagander wrote:
I've added three tests:
- verify-full specified, CN and username match -- should connect ok
- verify-full specified, CN and username do not match -- should fail
- verify-ca specified, CN and username do not match -- should connect ok (This is current behaviour)
Makes sense.
This wouldn't be desirable, I think...
Most applications will probably supply the password in the connection string anyway, so there would be only one connection, right?
It might definitely be worth shorting it yeah. For one, we can just use "cn" :)
I've shortened the clientcert=verify-full specific error-message to say:
"certificate validation (clientcert=verify-full) failed for user \"%s\": CN mismatch"
slightly offtopic opinion:
While creating the test cases, I stumbled upon the problem of missing depencies to run the tests...
It's complicated enough that the binaries used by these perl tests are not named similar to the packages which provide them (the 'prove' binary is supplied by 'Test-Harness'), so maybe in the interest of providing a lower entry-barrier to running these tests, we could give a more detailed error message in the configure script, when using --enable-tap-tests ?
Julian