From 6251eab9b7a9bdde60b6a63c9ce949c817e0827f Mon Sep 17 00:00:00 2001 From: Mehmet YILMAZ Date: Mon, 3 Nov 2025 14:51:39 +0300 Subject: [PATCH] PG18: Make SSL tests resilient & validate TLSv1.3 cipher config (#8298) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fixes #8277 https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=45188c2ea PostgreSQL 18 + newer OpenSSL builds surface `ssl_ciphers` as a **rule string** (e.g., `HIGH:MEDIUM:+3DES:!aNULL`) instead of an expanded cipher list. Our tests hard-pinned the literal list and started failing on PG18. Also, with TLS 1.3 in the picture, we need to assert that cipher configuration is sane without coupling to OpenSSL’s expansion. **What changed** * **sql/ssl_by_default.sql** * Replace brittle `SHOW ssl_ciphers` string matching with invariant checks: * non-empty ciphers: `current_setting('ssl_ciphers') <> ''` * looks like a rule/list: `position(':' in current_setting('ssl_ciphers')) > 0` * Run the same checks on **workers** via `run_command_on_workers`. * Keep existing validations for `ssl=on`, `sslmode=require` in `citus.node_conninfo`, and `pg_stat_ssl.ssl = true`. * **expected/ssl_by_default.out** * Update expected output to booleans for the new checks (less diff-prone across PG/SSL variants). --- src/test/regress/expected/ssl_by_default.out | 52 ++++++++++++++------ src/test/regress/sql/ssl_by_default.sql | 30 ++++++++--- 2 files changed, 60 insertions(+), 22 deletions(-) diff --git a/src/test/regress/expected/ssl_by_default.out b/src/test/regress/expected/ssl_by_default.out index 9a0357143..4738c2e5e 100644 --- a/src/test/regress/expected/ssl_by_default.out +++ b/src/test/regress/expected/ssl_by_default.out @@ -1,16 +1,21 @@ -- Citus uses ssl by default now. It does so by turning on ssl and if needed will generate -- self-signed certificates. --- To test this we will verify that SSL is set to ON for all machines, and we will make --- sure connections to workers use SSL by having it required in citus.conn_nodeinfo and --- lastly we will inspect the ssl state for connections to the workers --- ssl can only be enabled by default on installations that are OpenSSL-enabled. +-- +-- This test verifies: +-- 1) ssl=on on coordinator and workers +-- 2) coordinator->workers connections use SSL (pg_stat_ssl true) +-- 3) ssl_ciphers is non-empty and has a colon-separated rule/list on both coordinator and workers +-- (PG18/OpenSSL may report a rule string like HIGH:MEDIUM:+3DES:!aNULL instead of an expanded list) +-- 0) Is this an OpenSSL-enabled build? (if not, ssl_ciphers is 'none') +-- Keep the “hasssl” signal but don’t rely on the literal cipher list value. SHOW ssl_ciphers \gset -SELECT :'ssl_ciphers' != 'none' AS hasssl; +SELECT :'ssl_ciphers' <> 'none' AS hasssl; hasssl --------------------------------------------------------------------- t (1 row) +-- 1) ssl must be on (coordinator + workers) SHOW ssl; ssl --------------------------------------------------------------------- @@ -26,6 +31,7 @@ $$); (localhost,57638,t,on) (2 rows) +-- 2) connections to workers carry sslmode=require SHOW citus.node_conninfo; citus.node_conninfo --------------------------------------------------------------------- @@ -41,6 +47,7 @@ $$); (localhost,57638,t,sslmode=require) (2 rows) +-- 3) pg_stat_ssl says SSL is active on each worker connection SELECT run_command_on_workers($$ SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid(); $$); @@ -50,18 +57,35 @@ $$); (localhost,57638,t,t) (2 rows) -SHOW ssl_ciphers; - ssl_ciphers +-- 4) ssl_ciphers checks (coordinator): non-empty and contains at least one ':' +SELECT current_setting('ssl_ciphers') <> '' AS has_ssl_ciphers; + has_ssl_ciphers --------------------------------------------------------------------- - ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384 + t (1 row) -SELECT run_command_on_workers($$ - SHOW ssl_ciphers; -$$); - run_command_on_workers +SELECT position(':' in current_setting('ssl_ciphers')) > 0 AS has_colon; + has_colon --------------------------------------------------------------------- - (localhost,57637,t,ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384) - (localhost,57638,t,ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384) + t +(1 row) + +-- 5) ssl_ciphers checks (workers) +SELECT run_command_on_workers($$ + SELECT current_setting('ssl_ciphers') <> '' AS has_ssl_ciphers +$$); + run_command_on_workers +--------------------------------------------------------------------- + (localhost,57637,t,t) + (localhost,57638,t,t) +(2 rows) + +SELECT run_command_on_workers($$ + SELECT position(':' in current_setting('ssl_ciphers')) > 0 AS has_at_least_two_ciphers +$$); + run_command_on_workers +--------------------------------------------------------------------- + (localhost,57637,t,t) + (localhost,57638,t,t) (2 rows) diff --git a/src/test/regress/sql/ssl_by_default.sql b/src/test/regress/sql/ssl_by_default.sql index 564b5f778..a7f2c8657 100644 --- a/src/test/regress/sql/ssl_by_default.sql +++ b/src/test/regress/sql/ssl_by_default.sql @@ -1,29 +1,43 @@ -- Citus uses ssl by default now. It does so by turning on ssl and if needed will generate -- self-signed certificates. +-- +-- This test verifies: +-- 1) ssl=on on coordinator and workers +-- 2) coordinator->workers connections use SSL (pg_stat_ssl true) +-- 3) ssl_ciphers is non-empty and has a colon-separated rule/list on both coordinator and workers +-- (PG18/OpenSSL may report a rule string like HIGH:MEDIUM:+3DES:!aNULL instead of an expanded list) --- To test this we will verify that SSL is set to ON for all machines, and we will make --- sure connections to workers use SSL by having it required in citus.conn_nodeinfo and --- lastly we will inspect the ssl state for connections to the workers - --- ssl can only be enabled by default on installations that are OpenSSL-enabled. +-- 0) Is this an OpenSSL-enabled build? (if not, ssl_ciphers is 'none') +-- Keep the “hasssl” signal but don’t rely on the literal cipher list value. SHOW ssl_ciphers \gset -SELECT :'ssl_ciphers' != 'none' AS hasssl; +SELECT :'ssl_ciphers' <> 'none' AS hasssl; +-- 1) ssl must be on (coordinator + workers) SHOW ssl; SELECT run_command_on_workers($$ SHOW ssl; $$); +-- 2) connections to workers carry sslmode=require SHOW citus.node_conninfo; SELECT run_command_on_workers($$ SHOW citus.node_conninfo; $$); +-- 3) pg_stat_ssl says SSL is active on each worker connection SELECT run_command_on_workers($$ SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid(); $$); -SHOW ssl_ciphers; +-- 4) ssl_ciphers checks (coordinator): non-empty and contains at least one ':' +SELECT current_setting('ssl_ciphers') <> '' AS has_ssl_ciphers; +SELECT position(':' in current_setting('ssl_ciphers')) > 0 AS has_colon; + +-- 5) ssl_ciphers checks (workers) SELECT run_command_on_workers($$ - SHOW ssl_ciphers; + SELECT current_setting('ssl_ciphers') <> '' AS has_ssl_ciphers +$$); + +SELECT run_command_on_workers($$ + SELECT position(':' in current_setting('ssl_ciphers')) > 0 AS has_at_least_two_ciphers $$);