mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-10-02 05:41:20 +02:00
8bb14cdd33
There were several issues with the old coding: 1. There was a race condition, if two threads opened a connection at the same time. We used a mutex around SSL_CTX_* calls, but that was not enough, e.g. if one thread SSL_CTX_load_verify_locations() with one path, and another thread set it with a different path, before the first thread got to establish the connection. 2. Opening two different connections, with different sslrootcert settings, seemed to fail outright with "SSL error: block type is not 01". Not sure why. 3. We created the SSL object, before calling SSL_CTX_load_verify_locations and SSL_CTX_use_certificate_chain_file on the SSL context. That was wrong, because the options set on the SSL context are propagated to the SSL object, when the SSL object is created. If they are set after the SSL object has already been created, they won't take effect until the next connection. (This is bug #14329) At least some of these could've been fixed while still using a shared context, but it would've been more complicated and error-prone. To keep things simple, let's just use a separate SSL context for each connection, and accept the overhead. Backpatch to all supported versions. Report, analysis and test case by Kacper Zuk. Discussion: <20160920101051.1355.79453@wrigleys.postgresql.org>
88 lines
2.5 KiB
Plaintext
88 lines
2.5 KiB
Plaintext
src/test/ssl/README
|
|
|
|
SSL regression tests
|
|
====================
|
|
|
|
This directory contains a test suite for SSL support. It tests both
|
|
client-side functionality, i.e. verifying server certificates, and
|
|
server-side functionality, i.e. certificate authorization.
|
|
|
|
Running the tests
|
|
=================
|
|
|
|
make check
|
|
|
|
NOTE: This creates a temporary installation, and sets it up to listen for TCP
|
|
connections on localhost. Any user on the same host is allowed to log in to
|
|
the test installation while the tests are running. Do not run this suite
|
|
on a multi-user system where you don't trust all local users!
|
|
|
|
Certificates
|
|
============
|
|
|
|
The test suite needs a set of public/private key pairs and certificates to
|
|
run:
|
|
|
|
root_ca
|
|
root CA, use to sign the server and client CA certificates.
|
|
|
|
server_ca
|
|
CA used to sign server certificates.
|
|
|
|
client_ca
|
|
CA used to sign client certificates.
|
|
|
|
server-cn-only
|
|
server-cn-and-alt-names
|
|
server-single-alt-name
|
|
server-multiple-alt-names
|
|
server-no-names
|
|
server certificates, with small variations in the hostnames present
|
|
in the certificate. Signed by server_ca.
|
|
|
|
server-ss
|
|
same as server-cn-only, but self-signed.
|
|
|
|
client
|
|
a client certificate, for user "ssltestuser". Signed by client_ca.
|
|
|
|
client-revoked
|
|
like "client", but marked as revoked in the client CA's CRL.
|
|
|
|
In addition, there are a few files that combine various certificates together
|
|
in the same file:
|
|
|
|
both-cas-1
|
|
Contains root_ca.crt, client_ca.crt and server_ca.crt, in that order.
|
|
|
|
both-cas-2
|
|
Contains root_ca.crt, server_ca.crt and client_ca.crt, in that order.
|
|
|
|
root+server_ca
|
|
Contains root_crt and server_ca.crt. For use as client's "sslrootcert"
|
|
option.
|
|
|
|
root+client_ca
|
|
Contains root_crt and client_ca.crt. For use as server's "ssl_ca_file".
|
|
|
|
client+client_ca
|
|
Contains client.crt and client_ca.crt in that order. For use as client's
|
|
certificate chain.
|
|
|
|
There are also CRLs for each of the CAs: root.crl, server.crl and client.crl.
|
|
|
|
For convenience, all of these keypairs and certificates are included in the
|
|
ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
|
|
recreate them if you need to make changes.
|
|
|
|
TODO
|
|
====
|
|
|
|
* Allow the client-side of the tests to be run on different host easily.
|
|
Currently, you have to manually set up the certificates for the right
|
|
hostname, and modify the test file to skip setting up the server. And you
|
|
have to modify the server to accept connections from the client host.
|
|
|
|
* Test having multiple server certificates, so that the private key chooses
|
|
the certificate to present to clients. (And the same in the client-side.)
|