mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-10-04 07:16:49 +02:00
c992dca26e
Explain the difference between "make check" and "make installcheck". Mention the need for --enable-tap-tests (only some of these did so before). Standardize their wording about how to run the tests.
103 lines
3.0 KiB
Plaintext
103 lines
3.0 KiB
Plaintext
src/test/ssl/README
|
|
|
|
SSL regression tests
|
|
====================
|
|
|
|
This directory contains a test suite for SSL support. It tests both
|
|
client-side functionality, i.e. verifying server certificates, and
|
|
server-side functionality, i.e. certificate authorization.
|
|
|
|
CAUTION: The test server run by this test is configured to listen for
|
|
TCP connections on localhost. Any user on the same host is able to
|
|
log in to the test server while the tests are running. Do not run this
|
|
suite on a multi-user system where you don't trust all local users!
|
|
|
|
Running the tests
|
|
=================
|
|
|
|
NOTE: You must have given the --enable-tap-tests argument to configure.
|
|
|
|
Run
|
|
make check
|
|
or
|
|
make installcheck
|
|
You can use "make installcheck" if you previously did "make install".
|
|
In that case, the code in the installation tree is tested. With
|
|
"make check", a temporary installation tree is built from the current
|
|
sources and then tested.
|
|
|
|
Either way, this test initializes, starts, and stops a test Postgres
|
|
cluster that is accessible to other local users!
|
|
|
|
Certificates
|
|
============
|
|
|
|
The test suite needs a set of public/private key pairs and certificates to
|
|
run:
|
|
|
|
root_ca
|
|
root CA, use to sign the server and client CA certificates.
|
|
|
|
server_ca
|
|
CA used to sign server certificates.
|
|
|
|
client_ca
|
|
CA used to sign client certificates.
|
|
|
|
server-cn-only
|
|
server-cn-and-alt-names
|
|
server-single-alt-name
|
|
server-multiple-alt-names
|
|
server-no-names
|
|
server certificates, with small variations in the hostnames present
|
|
in the certificate. Signed by server_ca.
|
|
|
|
server-ss
|
|
same as server-cn-only, but self-signed.
|
|
|
|
server-password
|
|
same as server-cn-only, but password-protected.
|
|
|
|
client
|
|
a client certificate, for user "ssltestuser". Signed by client_ca.
|
|
|
|
client-revoked
|
|
like "client", but marked as revoked in the client CA's CRL.
|
|
|
|
In addition, there are a few files that combine various certificates together
|
|
in the same file:
|
|
|
|
both-cas-1
|
|
Contains root_ca.crt, client_ca.crt and server_ca.crt, in that order.
|
|
|
|
both-cas-2
|
|
Contains root_ca.crt, server_ca.crt and client_ca.crt, in that order.
|
|
|
|
root+server_ca
|
|
Contains root_crt and server_ca.crt. For use as client's "sslrootcert"
|
|
option.
|
|
|
|
root+client_ca
|
|
Contains root_crt and client_ca.crt. For use as server's "ssl_ca_file".
|
|
|
|
client+client_ca
|
|
Contains client.crt and client_ca.crt in that order. For use as client's
|
|
certificate chain.
|
|
|
|
There are also CRLs for each of the CAs: root.crl, server.crl and client.crl.
|
|
|
|
For convenience, all of these keypairs and certificates are included in the
|
|
ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
|
|
recreate them if you need to make changes.
|
|
|
|
TODO
|
|
====
|
|
|
|
* Allow the client-side of the tests to be run on different host easily.
|
|
Currently, you have to manually set up the certificates for the right
|
|
hostname, and modify the test file to skip setting up the server. And you
|
|
have to modify the server to accept connections from the client host.
|
|
|
|
* Test having multiple server certificates, so that the private key chooses
|
|
the certificate to present to clients. (And the same in the client-side.)
|