src/test/ssl/README SSL regression tests ==================== This directory contains a test suite for SSL support. It tests both client-side functionality, i.e. verifying server certificates, and server-side functionality, i.e. certificate authorization. CAUTION: The test server run by this test is configured to listen for TCP connections on localhost. Any user on the same host is able to log in to the test server while the tests are running. Do not run this suite on a multi-user system where you don't trust all local users! Running the tests ================= NOTE: You must have given the --enable-tap-tests argument to configure. Also, to use "make installcheck", you must have built and installed contrib/sslinfo in addition to the core code. Run make check PG_TEST_EXTRA=ssl or make installcheck PG_TEST_EXTRA=ssl You can use "make installcheck" if you previously did "make install". In that case, the code in the installation tree is tested. With "make check", a temporary installation tree is built from the current sources and then tested. Either way, this test initializes, starts, and stops a test Postgres cluster that is accessible to other local users! See src/test/perl/README for more info about running these tests. Certificates ============ The test suite needs a set of public/private key pairs and certificates to run: root_ca root CA, use to sign the server and client CA certificates. server_ca CA used to sign server certificates. client_ca CA used to sign client certificates. server-cn-only server-cn-and-alt-names server-single-alt-name server-multiple-alt-names server-no-names server certificates, with small variations in the hostnames present in the certificate. Signed by server_ca. server-password same as server-cn-only, but password-protected. client a client certificate, for user "ssltestuser". Signed by client_ca. client-revoked like "client", but marked as revoked in the client CA's CRL. In addition, there are a few files that combine various certificates together in the same file: both-cas-1 Contains root_ca.crt, client_ca.crt and server_ca.crt, in that order. both-cas-2 Contains root_ca.crt, server_ca.crt and client_ca.crt, in that order. root+server_ca Contains root_crt and server_ca.crt. For use as client's "sslrootcert" option. root+client_ca Contains root_crt and client_ca.crt. For use as server's "ssl_ca_file". client+client_ca Contains client.crt and client_ca.crt in that order. For use as client's certificate chain. There are also CRLs for each of the CAs: root.crl, server.crl and client.crl. For convenience, all of these keypairs and certificates are included in the ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to recreate them if you need to make changes. "make sslfiles-clean" is required in order to recreate the full set of keypairs and certificates. To rebuild separate files, touch (or remove) the files in question and run "make sslfiles". This step requires at least OpenSSL 1.1.1. Note ==== These certificates are also used in other tests, e.g. the LDAP tests. TODO ==== * Allow the client-side of the tests to be run on different host easily. Currently, you have to manually set up the certificates for the right hostname, and modify the test file to skip setting up the server. And you have to modify the server to accept connections from the client host. * Test having multiple server certificates, so that the private key chooses the certificate to present to clients. (And the same in the client-side.)