Diffstat (limited to 'src')
-rw-r--r-- | src/backend/catalog/system_views.sql | 1 | ||||
-rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 12 | ||||
-rw-r--r-- | src/backend/postmaster/pgstat.c | 1 | ||||
-rw-r--r-- | src/backend/utils/adt/pgstatfuncs.c | 36 | ||||
-rw-r--r-- | src/backend/utils/init/postinit.c | 5 | ||||
-rw-r--r-- | src/bin/psql/command.c | 7 | ||||
-rw-r--r-- | src/include/catalog/catversion.h | 2 | ||||
-rw-r--r-- | src/include/catalog/pg_proc.dat | 6 | ||||
-rw-r--r-- | src/include/libpq/libpq-be.h | 1 | ||||
-rw-r--r-- | src/include/pgstat.h | 1 | ||||
-rw-r--r-- | src/interfaces/libpq/fe-connect.c | 11 | ||||
-rw-r--r-- | src/interfaces/libpq/fe-secure-openssl.c | 15 | ||||
-rw-r--r-- | src/interfaces/libpq/libpq-int.h | 1 | ||||
-rw-r--r-- | src/test/regress/expected/rules.out | 9 | ||||
-rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 17 |
15 files changed, 57 insertions, 68 deletions
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql index fc94a73a54a..fb1116d09ad 100644 --- a/src/backend/catalog/system_views.sql +++ b/src/backend/catalog/system_views.sql @@ -863,7 +863,6 @@ CREATE VIEW pg_stat_ssl AS S.sslversion AS version, S.sslcipher AS cipher, S.sslbits AS bits, - S.sslcompression AS compression, S.ssl_client_dn AS client_dn, S.ssl_client_serial AS client_serial, S.ssl_issuer_dn AS issuer_dn diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 4c4f025eb1a..8c37381add3 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -245,6 +245,9 @@ be_tls_init(bool isServerStart) /* disallow SSL session caching, too */ SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF); + /* disallow SSL compression */ + SSL_CTX_set_options(context, SSL_OP_NO_COMPRESSION); + /* set up ephemeral DH and ECDH keys */ if (!initialize_dh(context, isServerStart)) goto error; @@ -1182,15 +1185,6 @@ be_tls_get_cipher_bits(Port *port) return 0; } -bool -be_tls_get_compression(Port *port) -{ - if (port->ssl) - return (SSL_get_current_compression(port->ssl) != NULL); - else - return false; -} - const char * be_tls_get_version(Port *port) { diff --git a/src/backend/postmaster/pgstat.c b/src/backend/postmaster/pgstat.c index f75b52719dd..9259dc9d3e1 100644 --- a/src/backend/postmaster/pgstat.c +++ b/src/backend/postmaster/pgstat.c @@ -3215,7 +3215,6 @@ pgstat_bestart(void) { lbeentry.st_ssl = true; lsslstatus.ssl_bits = be_tls_get_cipher_bits(MyProcPort); - lsslstatus.ssl_compression = be_tls_get_compression(MyProcPort); strlcpy(lsslstatus.ssl_version, be_tls_get_version(MyProcPort), NAMEDATALEN); strlcpy(lsslstatus.ssl_cipher, be_tls_get_cipher(MyProcPort), NAMEDATALEN); be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN); 
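Review bot: The comment added in be_tls_init, `/* disallow SSL compression */`, says what the call does but not why, and the reason is what a later maintainer needs before touching it. TLS-level compression lets record lengths reveal information about the plaintext (the CRIME class of attacks), which is presumably why it is forced off here. I would write `/* disallow SSL compression: compressed record lengths can leak plaintext (CRIME-style attacks) */`. The same applies to `/* disable SSL compression */` in initialize_SSL in fe-secure-openssl.c. be_tls_init starts and ends outside this hunk.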
diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c index 62bff52638d..318ce154fd2 100644 --- a/src/backend/utils/adt/pgstatfuncs.c +++ b/src/backend/utils/adt/pgstatfuncs.c @@ -569,7 +569,7 @@ pg_stat_get_progress_info(PG_FUNCTION_ARGS) Datum pg_stat_get_activity(PG_FUNCTION_ARGS) { -#define PG_STAT_GET_ACTIVITY_COLS 30 +#define PG_STAT_GET_ACTIVITY_COLS 29 int num_backends = pgstat_fetch_stat_numbackends(); int curr_backend; int pid = PG_ARGISNULL(0) ? -1 : PG_GETARG_INT32(0); @@ -708,7 +708,7 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) pfree(clipped_activity); /* leader_pid */ - nulls[29] = true; + nulls[28] = true; proc = BackendPidGetProc(beentry->st_procpid); @@ -745,8 +745,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) */ if (leader && leader->pid != beentry->st_procpid) { - values[29] = Int32GetDatum(leader->pid); - nulls[29] = false; + values[28] = Int32GetDatum(leader->pid); + nulls[28] = false; } } 
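Review bot: The output columns of pg_stat_get_activity are addressed by bare literals (`nulls[28]` and `values[28]` here, `values[22]` through `values[27]` in the later hunks of this file), so dropping one column means renumbering every later index by hand, with nothing tying them to the proargnames list in pg_proc.dat. A slip is not only cosmetic: the hunk at -942 looks like the branch that nulls out columns for sessions the caller may not inspect, and a stale index there would expose a field instead of hiding it. I would at least annotate each index with its column name, as the GSS lines already do, e.g. `values[22] = ...; /* ssl_client_dn */`, or introduce named constants for the positions. The function body extends beyond these hunks, so the remaining indices could not be checked from here.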
@@ -875,44 +875,43 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) values[19] = CStringGetTextDatum(beentry->st_sslstatus->ssl_version); values[20] = CStringGetTextDatum(beentry->st_sslstatus->ssl_cipher); values[21] = Int32GetDatum(beentry->st_sslstatus->ssl_bits); - values[22] = BoolGetDatum(beentry->st_sslstatus->ssl_compression); if (beentry->st_sslstatus->ssl_client_dn[0]) - values[23] = CStringGetTextDatum(beentry->st_sslstatus->ssl_client_dn); + values[22] = CStringGetTextDatum(beentry->st_sslstatus->ssl_client_dn); else - nulls[23] = true; + nulls[22] = true; if (beentry->st_sslstatus->ssl_client_serial[0]) - values[24] = DirectFunctionCall3(numeric_in, + values[23] = DirectFunctionCall3(numeric_in, CStringGetDatum(beentry->st_sslstatus->ssl_client_serial), ObjectIdGetDatum(InvalidOid), Int32GetDatum(-1)); else - nulls[24] = true; + nulls[23] = true; if (beentry->st_sslstatus->ssl_issuer_dn[0]) - values[25] = CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn); + values[24] = CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn); else - nulls[25] = true; + nulls[24] = true; } else { values[18] = BoolGetDatum(false); /* ssl */ - nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = nulls[25] = true; + nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = true; } /* GSSAPI information */ if (beentry->st_gss) { - values[26] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */ - values[27] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ); - values[28] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */ + values[25] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */ + values[26] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ); + values[27] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */ } else { - values[26] = BoolGetDatum(false); /* gss_auth */ - nulls[27] = true; /* No GSS principal */ - values[28] = BoolGetDatum(false); /* GSS 
Encryption not in + values[25] = BoolGetDatum(false); /* gss_auth */ + nulls[26] = true; /* No GSS principal */ + values[27] = BoolGetDatum(false); /* GSS Encryption not in * use */ } } @@ -942,7 +941,6 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) nulls[26] = true; nulls[27] = true; nulls[28] = true; - nulls[29] = true; } tuplestore_putvalues(tupstore, tupdesc, values, nulls); diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c index e5965bc517d..7abeccb5362 100644 --- a/src/backend/utils/init/postinit.c +++ b/src/backend/utils/init/postinit.c @@ -264,11 +264,10 @@ PerformAuthentication(Port *port) #ifdef USE_SSL if (port->ssl_in_use) - appendStringInfo(&logmsg, _(" SSL enabled (protocol=%s, cipher=%s, bits=%d, compression=%s)"), + appendStringInfo(&logmsg, _(" SSL enabled (protocol=%s, cipher=%s, bits=%d)"), be_tls_get_version(port), be_tls_get_cipher(port), - be_tls_get_cipher_bits(port), - be_tls_get_compression(port) ? _("on") : _("off")); + be_tls_get_cipher_bits(port)); #endif #ifdef ENABLE_GSS if (port->gss) diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c index c98e3d31d0c..8d6970a4f34 100644 --- a/src/bin/psql/command.c +++ b/src/bin/psql/command.c @@ -3509,7 +3509,6 @@ printSSLInfo(void) const char *protocol; const char *cipher; const char *bits; - const char *compression; if (!PQsslInUse(pset.db)) return; /* no SSL */ @@ -3517,13 +3516,11 @@ printSSLInfo(void) protocol = PQsslAttribute(pset.db, "protocol"); cipher = PQsslAttribute(pset.db, "cipher"); bits = PQsslAttribute(pset.db, "key_bits"); - compression = PQsslAttribute(pset.db, "compression"); - printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s, compression: %s)\n"), + printf(_("SSL connection (protocol: %s, cipher: %s, bits: %s)\n"), protocol ? protocol : _("unknown"), cipher ? cipher : _("unknown"), - bits ? bits : _("unknown"), - (compression && strcmp(compression, "off") != 0) ? _("on") : _("off")); + bits ? bits : _("unknown")); } /* 
diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h index e28bbf1317d..81fd68348d5 100644 --- a/src/include/catalog/catversion.h +++ b/src/include/catalog/catversion.h @@ -53,6 +53,6 @@ */ /* yyyymmddN */ -#define CATALOG_VERSION_NO 202103081 +#define CATALOG_VERSION_NO 202103091 #endif diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat index a0fe0851c41..2ccc3e7c7c7 100644 --- a/src/include/catalog/pg_proc.dat +++ b/src/include/catalog/pg_proc.dat 
@@ -5249,9 +5249,9 @@ proname => 'pg_stat_get_activity', prorows => '100', proisstrict => 'f', proretset => 't', provolatile => 's', proparallel => 'r', prorettype => 'record', proargtypes => 'int4', - proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,bool,text,numeric,text,bool,text,bool,int4}', - proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}', - proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,sslcompression,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,leader_pid}', + proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,bool,text,bool,int4}', + proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}', + proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,leader_pid}', prosrc => 'pg_stat_get_activity' }, { oid => '3318', descr => 'statistics: information about progress of backends running maintenance command', diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h index 7be1a67d692..30fb4e613da 100644 --- a/src/include/libpq/libpq-be.h +++ b/src/include/libpq/libpq-be.h 
@@ -266,7 +266,6 @@ extern ssize_t be_tls_write(Port *port, void *ptr, size_t len, int *waitfor); * Return information about the SSL connection. */ extern int be_tls_get_cipher_bits(Port *port); -extern bool be_tls_get_compression(Port *port); extern const char *be_tls_get_version(Port *port); extern const char *be_tls_get_cipher(Port *port); extern void be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len); diff --git a/src/include/pgstat.h b/src/include/pgstat.h index 724068cf87e..e0c70d221be 100644 --- a/src/include/pgstat.h +++ b/src/include/pgstat.h @@ -1135,7 +1135,6 @@ typedef struct PgBackendSSLStatus { /* Information about SSL connection */ int ssl_bits; - bool ssl_compression; char ssl_version[NAMEDATALEN]; char ssl_cipher[NAMEDATALEN]; char ssl_client_dn[NAMEDATALEN]; diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index f83af03d0a7..fed06bb038c 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -293,9 +293,12 @@ static const internalPQconninfoOption PQconninfoOptions[] = { "SSL-Mode", "", 12, /* sizeof("verify-full") == 12 */ offsetof(struct pg_conn, sslmode)}, - {"sslcompression", "PGSSLCOMPRESSION", "0", NULL, - "SSL-Compression", "", 1, - offsetof(struct pg_conn, sslcompression)}, + /* + * "sslcompression" is no longer used, but keep it present for backwards + * compatibility. + */ + {"sslcompression", NULL, NULL, NULL, + "SSL-Compression", "D", 1, -1}, {"sslcert", "PGSSLCERT", NULL, NULL, "SSL-Client-Cert", "", 64, @@ -4080,8 +4083,6 @@ freePGconn(PGconn *conn) free(conn->sslcrl); if (conn->sslcrldir) free(conn->sslcrldir); - if (conn->sslcompression) - free(conn->sslcompression); if (conn->requirepeer) free(conn->requirepeer); if (conn->ssl_min_protocol_version) diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 0fa10a23b4a..c88dd3a1183 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c 
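Review bot: The replacement entry `{"sslcompression", NULL, NULL, NULL, "SSL-Compression", "D", 1, -1}` makes libpq accept `sslcompression=1` and discard it without any notice. With the environment-variable slot now NULL, a `PGSSLCOMPRESSION` setting is presumably no longer read at all. The comment should say both things and explain the `-1` offset, for example `"sslcompression" is accepted and ignored (offset -1, no envvar); compression is always off.` The code that interprets a negative offset is outside this hunk, so confirm that it skips the entry rather than storing through the offset.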
+++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -1257,13 +1257,8 @@ initialize_SSL(PGconn *conn) if (have_rootcert) SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb); - /* - * Set compression option if necessary. - */ - if (conn->sslcompression && conn->sslcompression[0] == '0') - SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION); - else - SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION); + /* disable SSL compression */ + SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION); return 0; } @@ -1553,8 +1548,12 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) if (strcmp(attribute_name, "cipher") == 0) return SSL_get_cipher(conn->ssl); + /* + * SSL compression is disabled, so even if connecting to an older server + * which still supports it, it will not be active. + */ if (strcmp(attribute_name, "compression") == 0) - return SSL_get_current_compression(conn->ssl) ? "on" : "off"; + return "off"; if (strcmp(attribute_name, "protocol") == 0) return SSL_get_version(conn->ssl); diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h index 8d51e6ed9ff..cca98c14bf8 100644 --- a/src/interfaces/libpq/libpq-int.h +++ b/src/interfaces/libpq/libpq-int.h @@ -360,7 +360,6 @@ struct pg_conn char *keepalives_count; /* maximum number of TCP keepalive * retransmits */ char *sslmode; /* SSL mode (require,prefer,allow,disable) */ - char *sslcompression; /* SSL compression (0 or 1) */ char *sslkey; /* client key filename */ char *sslcert; /* client certificate filename */ char *sslpassword; /* client key file password */ diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out index b1c9b7bdfe3..dd5cc9c2213 100644 --- a/src/test/regress/expected/rules.out +++ b/src/test/regress/expected/rules.out 
@@ -1764,7 +1764,7 @@ pg_stat_activity| SELECT s.datid, s.backend_xmin, s.query, s.backend_type - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid) LEFT JOIN pg_database d ON ((s.datid = d.oid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_all_indexes| SELECT c.oid AS relid, 
@@ -1876,7 +1876,7 @@ pg_stat_gssapi| SELECT s.pid, s.gss_auth AS gss_authenticated, s.gss_princ AS principal, s.gss_enc AS encrypted - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid) + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid) WHERE (s.client_port IS NOT NULL); pg_stat_progress_analyze| SELECT s.pid, s.datid, 
@@ -2033,7 +2033,7 @@ pg_stat_replication| SELECT s.pid, w.sync_priority, w.sync_state, w.reply_time - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid) JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_replication_slots| SELECT s.slot_name, 
@@ -2060,11 +2060,10 @@ pg_stat_ssl| SELECT s.pid, s.sslversion AS version, s.sslcipher AS cipher, s.sslbits AS bits, - s.sslcompression AS compression, s.ssl_client_dn AS client_dn, s.ssl_client_serial AS client_serial, s.ssl_issuer_dn AS issuer_dn - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, sslcompression, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid) + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, leader_pid) WHERE (s.client_port IS NOT NULL); pg_stat_subscription| SELECT su.oid AS subid, su.subname, diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 864f6e209f5..ee97f6f0697 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -17,7 +17,7 @@ if ($ENV{with_ssl} ne 'openssl') } else { - plan tests => 100; + plan tests => 101; } #### Some configuration 
@@ -157,6 +157,13 @@ test_connect_fails( qr/root certificate file "invalid" does not exist/, "connect without server root cert sslmode=verify-full"); +# Test deprecated SSL parameters, still accepted for backwards +# compatibility. +test_connect_ok( + $common_connstr, + "sslrootcert=invalid sslmode=require sslcompression=1 requiressl=1", + "connect with deprecated connection parameters"); + # Try with wrong root cert, should fail. (We're using the client CA as the # root, but the server's key is signed by the server CA.) test_connect_fails($common_connstr, @@ -376,8 +383,8 @@ command_like( "$common_connstr sslrootcert=invalid", '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], - qr{^pid,ssl,version,cipher,bits,compression,client_dn,client_serial,issuer_dn\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,_null_,_null_,_null_\r?$}mx, + qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx, 'pg_stat_ssl view without client certificate'); # Test min/max SSL protocol versions. @@ -493,8 +500,8 @@ command_like( '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], - qr{^pid,ssl,version,cipher,bits,compression,client_dn,client_serial,issuer_dn\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, + qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, 'pg_stat_ssl with client certificate'); # client key with wrong permissions |
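Review bot: The new `test_connect_ok` case in the hunk at -157 proves only that `sslcompression=1 requiressl=1` are still accepted. Nothing checks that asking for compression leaves it off, which is the property the rest of the commit exists to guarantee. With the `compression` column removed from pg_stat_ssl, the two `command_like` checks further down can no longer observe it either. The comment should state that limit, e.g. `# Only acceptance is checked here; sslcompression=1 must not enable compression.` It would also help to note where the negotiated state is verified, if anywhere.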