1src/test/ssl/README 2 3SSL regression tests 4==================== 5 6This directory contains a test suite for SSL support. It tests both 7client-side functionality, i.e. verifying server certificates, and 8server-side functionality, i.e. certificate authorization. 9 10CAUTION: The test server run by this test is configured to listen for 11TCP connections on localhost. Any user on the same host is able to 12log in to the test server while the tests are running. Do not run this 13suite on a multi-user system where you don't trust all local users! 14 15Running the tests 16================= 17 18NOTE: You must have given the --enable-tap-tests argument to configure. 19 20Run 21 make check 22or 23 make installcheck 24You can use "make installcheck" if you previously did "make install". 25In that case, the code in the installation tree is tested. With 26"make check", a temporary installation tree is built from the current 27sources and then tested. 28 29Either way, this test initializes, starts, and stops a test Postgres 30cluster that is accessible to other local users! 31 32Certificates 33============ 34 35The test suite needs a set of public/private key pairs and certificates to 36run: 37 38root_ca 39 root CA, use to sign the server and client CA certificates. 40 41server_ca 42 CA used to sign server certificates. 43 44client_ca 45 CA used to sign client certificates. 46 47server-cn-only 48server-cn-and-alt-names 49server-single-alt-name 50server-multiple-alt-names 51server-no-names 52 server certificates, with small variations in the hostnames present 53 in the certificate. Signed by server_ca. 54 55server-ss 56 same as server-cn-only, but self-signed. 57 58server-password 59 same as server-cn-only, but password-protected. 60 61client 62 a client certificate, for user "ssltestuser". Signed by client_ca. 63 64client-revoked 65 like "client", but marked as revoked in the client CA's CRL. 66 67In addition, there are a few files that combine various certificates together 68in the same file: 69 70both-cas-1 71 Contains root_ca.crt, client_ca.crt and server_ca.crt, in that order. 72 73both-cas-2 74 Contains root_ca.crt, server_ca.crt and client_ca.crt, in that order. 75 76root+server_ca 77 Contains root_crt and server_ca.crt. For use as client's "sslrootcert" 78 option. 79 80root+client_ca 81 Contains root_crt and client_ca.crt. For use as server's "ssl_ca_file". 82 83client+client_ca 84 Contains client.crt and client_ca.crt in that order. For use as client's 85 certificate chain. 86 87There are also CRLs for each of the CAs: root.crl, server.crl and client.crl. 88 89For convenience, all of these keypairs and certificates are included in the 90ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to 91recreate them if you need to make changes. 92 93TODO 94==== 95 96* Allow the client-side of the tests to be run on different host easily. 97 Currently, you have to manually set up the certificates for the right 98 hostname, and modify the test file to skip setting up the server. And you 99 have to modify the server to accept connections from the client host. 100 101* Test having multiple server certificates, so that the private key chooses 102 the certificate to present to clients. (And the same in the client-side.) 103