rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
postgresql/src/test/ssl
History
Heikki Linnakangas 593d4e47db Support OpenSSL 1.1.0. 
Changes needed to build at all:

- Check for SSL_new in configure, now that SSL_library_init is a macro.
- Do not access struct members directly. This includes some new code in
  pgcrypto, to use the resource owner mechanism to ensure that we don't
  leak OpenSSL handles, now that we can't embed them in other structs
  anymore.
- RAND_SSLeay() -> RAND_OpenSSL()

Changes that were needed to silence deprecation warnings, but were not
strictly necessary:

- RAND_pseudo_bytes() -> RAND_bytes().
- SSL_library_init() and OpenSSL_config() -> OPENSSL_init_ssl()
- ASN1_STRING_data() -> ASN1_STRING_get0_data()
- DH_generate_parameters() -> DH_generate_parameters()
- Locking callbacks are not needed with OpenSSL 1.1.0 anymore. (Good
  riddance!)

Also change references to SSLEAY_VERSION_NUMBER with OPENSSL_VERSION_NUMBER,
for the sake of consistency. OPENSSL_VERSION_NUMBER has existed since time
immemorial.

Fix SSL test suite to work with OpenSSL 1.1.0. CA certificates must have
the "CA:true" basic constraint extension now, or OpenSSL will refuse them.
Regenerate the test certificates with that. The "openssl" binary, used to
generate the certificates, is also now more picky, and throws an error
if an X509 extension is specified in "req_extensions", but that section
is empty.

Backpatch to all supported branches, per popular demand. In back-branches,
we still support OpenSSL 0.9.7 and above. OpenSSL 0.9.6 should still work
too, but I didn't test it. In master, we only support 0.9.8 and above.

Patch by Andreas Karlsson, with additional changes by me.

Discussion: <20160627151604.GD1051@msg.df7cb.de>
 		2016-09-15 14:42:29 +03:00
..
ssl Support OpenSSL 1.1.0. 2016-09-15 14:42:29 +03:00
t PostgresNode: Add names to nodes 2016-01-20 14:13:11 -03:00
.gitignore Gitignore temp files generated by SSL regression suite 2015-04-09 22:02:21 +03:00
Makefile Support OpenSSL 1.1.0. 2016-09-15 14:42:29 +03:00
README Add a regression test suite for SSL support. 2014-12-09 17:37:20 +02:00
ServerSetup.pm Refactor Perl test code 2015-12-02 18:46:16 -03:00
cas.config Support OpenSSL 1.1.0. 2016-09-15 14:42:29 +03:00
client.config Add a regression test suite for SSL support. 2014-12-09 17:37:20 +02:00
client_ca.config Add a regression test suite for SSL support. 2014-12-09 17:37:20 +02:00
root_ca.config Support OpenSSL 1.1.0. 2016-09-15 14:42:29 +03:00
server-cn-and-alt-names.config Add a regression test suite for SSL support. 2014-12-09 17:37:20 +02:00
server-cn-only.config Support OpenSSL 1.1.0. 2016-09-15 14:42:29 +03:00
server-multiple-alt-names.config Add a regression test suite for SSL support. 2014-12-09 17:37:20 +02:00
server-no-names.config Support OpenSSL 1.1.0. 2016-09-15 14:42:29 +03:00
server-revoked.config Support OpenSSL 1.1.0. 2016-09-15 14:42:29 +03:00
server-single-alt-name.config Add a regression test suite for SSL support. 2014-12-09 17:37:20 +02:00
server_ca.config Add a regression test suite for SSL support. 2014-12-09 17:37:20 +02:00

README 

src/test/ssl/README

SSL regression tests
====================

This directory contains a test suite for SSL support. It tests both
client-side functionality, i.e. verifying server certificates, and
server-side functionality, i.e. certificate authorization.

Running the tests
=================

    make check

NOTE: This creates a temporary installation, and sets it up to listen for TCP
connections on localhost. Any user on the same host is allowed to log in to
the test installation while the tests are running. Do not run this suite
on a multi-user system where you don't trust all local users!

Certificates
============

The test suite needs a set of public/private key pairs and certificates to
run:

root_ca
	root CA, use to sign the server and client CA certificates.

server_ca
	CA used to sign server certificates.

client_ca
	CA used to sign client certificates.

server-cn-only
server-cn-and-alt-names
server-single-alt-name
server-multiple-alt-names
server-no-names
	server certificates, with small variations in the hostnames present
        in the certificate. Signed by server_ca.

server-ss
	same as server-cn-only, but self-signed.

client
	a client certificate, for user "ssltestuser". Signed by client_ca.

client-revoked
	like "client", but marked as revoked in the client CA's CRL.

In addition, there are a few files that combine various certificates together
in the same file:

both-cas-1
	Contains root_ca.crt, client_ca.crt and server_ca.crt, in that order.

both-cas-2
	Contains root_ca.crt, server_ca.crt and client_ca.crt, in that order.

root+server_ca
	Contains root_crt and server_ca.crt. For use as client's "sslrootcert"
	option.

root+client_ca
	Contains root_crt and client_ca.crt. For use as server's "ssl_ca_file".

There are also CRLs for each of the CAs: root.crl, server.crl and client.crl.

For convenience, all of these keypairs and certificates are included in the
ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
recreate them if you need to make changes.

TODO
====

* Allow the client-side of the tests to be run on different host easily.
  Currently, you have to manually set up the certificates for the right
  hostname, and modify the test file to skip setting up the server. And you
  have to modify the server to accept connections from the client host.

* Test having multiple server certificates, so that the private key chooses
  the certificate to present to clients. (And the same in the client-side.)