mirror of
https://github.com/postgres/postgres.git
synced 2026-03-11 02:34:28 -04:00
1caef31d9e
The original code was a bit clunky; make it more amenable for further reuse by creating a new Perl package PostgresNode, which is an object-oriented representation of a single server, with some support routines such as init, start, stop, psql. This serves as a better basis on which to build further test code, and enables writing tests that use more than one server without too much complication. This commit modifies a lot of the existing test files, mostly to remove explicit calls to system commands (pg_ctl) replacing them with method calls of a PostgresNode object. The result is quite a bit more straightforward. Also move some initialization code to BEGIN and INIT blocks instead of having it straight in as top-level code. This commit also introduces package RecursiveCopy so that we can copy whole directories without having to depend on packages that may not be present on vanilla Perl 5.8 installations. I also ran perltidy on the modified files, which changes some code sites that are not otherwise touched by this patch. I tried to avoid this, but it ended up being more trouble than it's worth. Authors: Michael Paquier, Álvaro Herrera Review: Noah Misch |
||
|---|---|---|
| .. | ||
| ssl | ||
| t | ||
| .gitignore | ||
| cas.config | ||
| client.config | ||
| client_ca.config | ||
| Makefile | ||
| README | ||
| root_ca.config | ||
| server-cn-and-alt-names.config | ||
| server-cn-only.config | ||
| server-multiple-alt-names.config | ||
| server-no-names.config | ||
| server-revoked.config | ||
| server-single-alt-name.config | ||
| server_ca.config | ||
| ServerSetup.pm | ||
src/test/ssl/README
SSL regression tests
====================
This directory contains a test suite for SSL support. It tests both
client-side functionality, i.e. verifying server certificates, and
server-side functionality, i.e. certificate authorization.
Running the tests
=================
make check
NOTE: This creates a temporary installation, and sets it up to listen for TCP
connections on localhost. Any user on the same host is allowed to log in to
the test installation while the tests are running. Do not run this suite
on a multi-user system where you don't trust all local users!
Certificates
============
The test suite needs a set of public/private key pairs and certificates to
run:
root_ca
root CA, use to sign the server and client CA certificates.
server_ca
CA used to sign server certificates.
client_ca
CA used to sign client certificates.
server-cn-only
server-cn-and-alt-names
server-single-alt-name
server-multiple-alt-names
server-no-names
server certificates, with small variations in the hostnames present
in the certificate. Signed by server_ca.
server-ss
same as server-cn-only, but self-signed.
client
a client certificate, for user "ssltestuser". Signed by client_ca.
client-revoked
like "client", but marked as revoked in the client CA's CRL.
In addition, there are a few files that combine various certificates together
in the same file:
both-cas-1
Contains root_ca.crt, client_ca.crt and server_ca.crt, in that order.
both-cas-2
Contains root_ca.crt, server_ca.crt and client_ca.crt, in that order.
root+server_ca
Contains root_crt and server_ca.crt. For use as client's "sslrootcert"
option.
root+client_ca
Contains root_crt and client_ca.crt. For use as server's "ssl_ca_file".
There are also CRLs for each of the CAs: root.crl, server.crl and client.crl.
For convenience, all of these keypairs and certificates are included in the
ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
recreate them if you need to make changes.
TODO
====
* Allow the client-side of the tests to be run on different host easily.
Currently, you have to manually set up the certificates for the right
hostname, and modify the test file to skip setting up the server. And you
have to modify the server to accept connections from the client host.
* Test having multiple server certificates, so that the private key chooses
the certificate to present to clients. (And the same in the client-side.)