Hi,
The SSL test suite (src/test/ssl) is broken in the master since commit
9a1d0af4ad2cbd419115b453d811c141b80d872b, which is Robert's refactoring
of getting the server hostname for GSS, SSPI, and SSL in libpq.
The error we get in the test suite:
# Running: psql -X -A -t -c SELECT 'connected with user=ssltestuser
dbname=trustdb sslcert=invalid hostaddr=127.0.0.1
host=common-name.pg-ssltest.test sslrootcert=ssl/root+server_ca.crt
sslmode=verify-full' -d user=ssltestuser dbname=trustdb sslcert=invalid
hostaddr=127.0.0.1 host=common-name.pg-ssltest.test
sslrootcert=ssl/root+server_ca.crt sslmode=verify-full
psql: server certificate for "common-name.pg-ssltest.test" does not
match host name "127.0.0.1"
As you can see, after the patch libpq will now look at hostaddr rather
than host when validating the server certificate because that is what is
stored in the first (and only) entry of conn->connhost, and therefore
what PQhost() return.
To me it feels like the proper fix would be to make PQHost() return the
value of the host parameter rather than the hostaddr (maybe add a new
field in the pg_conn_host struct). But would be a behaviour change which
might break someones application. Thoughts?
Andreas