rdelaage/postgresql
1
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2024-09-30 09:11:23 +02:00
Code Issues Packages Projects Releases Wiki Activity
c0cbe00fee
postgresql/src/test/ssl
History
Peter Eisentraut 8a3d942529 Add ssl_passphrase_command setting 
This allows specifying an external command for prompting for or
otherwise obtaining passphrases for SSL key files.  This is useful
because in many cases there is no TTY easily available during service
startup.

Also add a setting ssl_passphrase_command_supports_reload, which allows
supporting SSL configuration reload even if SSL files need passphrases.

Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
2018-03-17 08:28:51 -04:00
..
ssl Add ssl_passphrase_command setting 2018-03-17 08:28:51 -04:00
t Add ssl_passphrase_command setting 2018-03-17 08:28:51 -04:00
.gitignore
cas.config
client_ca.config
client.config
Makefile Add ssl_passphrase_command setting 2018-03-17 08:28:51 -04:00
README Add ssl_passphrase_command setting 2018-03-17 08:28:51 -04:00
root_ca.config
server_ca.config
server-cn-and-alt-names.config
server-cn-only.config
server-multiple-alt-names.config
server-no-names.config
server-revoked.config
server-single-alt-name.config
ServerSetup.pm In SSL tests, restart after pg_hba.conf changes 2018-03-03 08:54:46 -05:00

README 

src/test/ssl/README

SSL regression tests
====================

This directory contains a test suite for SSL support. It tests both
client-side functionality, i.e. verifying server certificates, and
server-side functionality, i.e. certificate authorization.

Running the tests
=================

    make check

or

    make installcheck

NOTE: This creates a temporary installation (in the case of "check"),
and sets it up to listen for TCP connections on localhost. Any user on
the same host is allowed to log in to the test installation while the
tests are running. Do not run this suite on a multi-user system where
you don't trust all local users!

Certificates
============

The test suite needs a set of public/private key pairs and certificates to
run:

root_ca
	root CA, use to sign the server and client CA certificates.

server_ca
	CA used to sign server certificates.

client_ca
	CA used to sign client certificates.

server-cn-only
server-cn-and-alt-names
server-single-alt-name
server-multiple-alt-names
server-no-names
	server certificates, with small variations in the hostnames present
        in the certificate. Signed by server_ca.

server-ss
	same as server-cn-only, but self-signed.

server-password
	same as server-cn-only, but password-protected.

client
	a client certificate, for user "ssltestuser". Signed by client_ca.

client-revoked
	like "client", but marked as revoked in the client CA's CRL.

In addition, there are a few files that combine various certificates together
in the same file:

both-cas-1
	Contains root_ca.crt, client_ca.crt and server_ca.crt, in that order.

both-cas-2
	Contains root_ca.crt, server_ca.crt and client_ca.crt, in that order.

root+server_ca
	Contains root_crt and server_ca.crt. For use as client's "sslrootcert"
	option.

root+client_ca
	Contains root_crt and client_ca.crt. For use as server's "ssl_ca_file".

client+client_ca
	Contains client.crt and client_ca.crt in that order. For use as client's
	certificate chain.

There are also CRLs for each of the CAs: root.crl, server.crl and client.crl.

For convenience, all of these keypairs and certificates are included in the
ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
recreate them if you need to make changes.

TODO
====

* Allow the client-side of the tests to be run on different host easily.
  Currently, you have to manually set up the certificates for the right
  hostname, and modify the test file to skip setting up the server. And you
  have to modify the server to accept connections from the client host.

* Test having multiple server certificates, so that the private key chooses
  the certificate to present to clients. (And the same in the client-side.)