rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
postgresql/src/test/ssl
History
Peter Eisentraut 721856ff24 Remove distprep 
A PostgreSQL release tarball contains a number of prebuilt files, in
particular files produced by bison, flex, perl, and well as html and
man documentation.  We have done this consistent with established
practice at the time to not require these tools for building from a
tarball.  Some of these tools were hard to get, or get the right
version of, from time to time, and shipping the prebuilt output was a
convenience to users.

Now this has at least two problems:

One, we have to make the build system(s) work in two modes: Building
from a git checkout and building from a tarball.  This is pretty
complicated, but it works so far for autoconf/make.  It does not
currently work for meson; you can currently only build with meson from
a git checkout.  Making meson builds work from a tarball seems very
difficult or impossible.  One particular problem is that since meson
requires a separate build directory, we cannot make the build update
files like gram.h in the source tree.  So if you were to build from a
tarball and update gram.y, you will have a gram.h in the source tree
and one in the build tree, but the way things work is that the
compiler will always use the one in the source tree.  So you cannot,
for example, make any gram.y changes when building from a tarball.
This seems impossible to fix in a non-horrible way.

Second, there is increased interest nowadays in precisely tracking the
origin of software.  We can reasonably track contributions into the
git tree, and users can reasonably track the path from a tarball to
packages and downloads and installs.  But what happens between the git
tree and the tarball is obscure and in some cases non-reproducible.

The solution for both of these issues is to get rid of the step that
adds prebuilt files to the tarball.  The tarball now only contains
what is in the git tree (*).  Getting the additional build
dependencies is no longer a problem nowadays, and the complications to
keep these dual build modes working are significant.  And of course we
want to get the meson build system working universally.

This commit removes the make distprep target altogether.  The make
dist target continues to do its job, it just doesn't call distprep
anymore.

(*) - The tarball also contains the INSTALL file that is built at make
dist time, but not by distprep.  This is unchanged for now.

The make maintainer-clean target, whose job it is to remove the
prebuilt files in addition to what make distclean does, is now just an
alias to make distprep.  (In practice, it is probably obsolete given
that git clean is available.)

The following programs are now hard build requirements in configure
(they were already required by meson.build):

- bison
- flex
- perl

Reviewed-by: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Andres Freund <andres@anarazel.de>
Discussion: https://www.postgresql.org/message-id/flat/e07408d9-e5f2-d9fd-5672-f53354e9305e@eisentraut.org
 		2023-11-06 15:18:04 +01:00
..
conf Set fixed dates for test certificates validity 2023-07-20 16:04:27 +02:00
ssl Convert encrypted SSL test keys to PKCS#8 format 2023-08-28 07:37:43 +02:00
t Avoid using internal test methods in SSL tests 2023-09-22 13:35:37 +02:00
.gitignore Remove unused directory from test/ssl .gitignore 2021-07-29 12:05:54 +02:00
Makefile Remove distprep 2023-11-06 15:18:04 +01:00
README Fix handling of SCRAM-SHA-256's channel binding with RSA-PSS certificates 2023-02-15 10:12:16 +09:00
meson.build meson: Make auto the default of the ssl option 2023-03-13 07:04:11 +01:00
sslfiles.mk Remove distprep 2023-11-06 15:18:04 +01:00

README 

src/test/ssl/README

SSL regression tests
====================

This directory contains a test suite for SSL support. It tests both
client-side functionality, i.e. verifying server certificates, and
server-side functionality, i.e. certificate authorization.

CAUTION: The test server run by this test is configured to listen for
TCP connections on localhost. Any user on the same host is able to
log in to the test server while the tests are running. Do not run this
suite on a multi-user system where you don't trust all local users!

Running the tests
=================

NOTE: You must have given the --enable-tap-tests argument to configure.
Also, to use "make installcheck", you must have built and installed
contrib/sslinfo in addition to the core code.

Run
    make check PG_TEST_EXTRA=ssl
or
    make installcheck PG_TEST_EXTRA=ssl
You can use "make installcheck" if you previously did "make install".
In that case, the code in the installation tree is tested.  With
"make check", a temporary installation tree is built from the current
sources and then tested.

Either way, this test initializes, starts, and stops a test Postgres
cluster that is accessible to other local users!

See src/test/perl/README for more info about running these tests.

Certificates
============

The test suite needs a set of public/private key pairs and certificates to
run:

root_ca
	root CA, use to sign the server and client CA certificates.

server_ca
	CA used to sign server certificates.

client_ca
	CA used to sign client certificates.

server-cn-only
server-cn-and-alt-names
server-single-alt-name
server-multiple-alt-names
server-no-names
	server certificates, with small variations in the hostnames present
        in the certificate. Signed by server_ca.

server-password
	same as server-cn-only, but password-protected.

client
	a client certificate, for user "ssltestuser". Signed by client_ca.

client-revoked
	like "client", but marked as revoked in the client CA's CRL.

In addition, there are a few files that combine various certificates together
in the same file:

both-cas-1
	Contains root_ca.crt, client_ca.crt and server_ca.crt, in that order.

both-cas-2
	Contains root_ca.crt, server_ca.crt and client_ca.crt, in that order.

root+server_ca
	Contains root_crt and server_ca.crt. For use as client's "sslrootcert"
	option.

root+client_ca
	Contains root_crt and client_ca.crt. For use as server's "ssl_ca_file".

client+client_ca
	Contains client.crt and client_ca.crt in that order. For use as client's
	certificate chain.

There are also CRLs for each of the CAs: root.crl, server.crl and client.crl.

For convenience, all of these keypairs and certificates are included in the
ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
recreate them if you need to make changes. "make sslfiles-clean" is required
in order to recreate the full set of keypairs and certificates. To rebuild
separate files, touch (or remove) the files in question and run "make sslfiles".
This step requires at least OpenSSL 1.1.1.

Note
====

These certificates are also used in other tests, e.g. the LDAP tests.

TODO
====

* Allow the client-side of the tests to be run on different host easily.
  Currently, you have to manually set up the certificates for the right
  hostname, and modify the test file to skip setting up the server. And you
  have to modify the server to accept connections from the client host.

* Test having multiple server certificates, so that the private key chooses
  the certificate to present to clients. (And the same in the client-side.)