Tree [d74f08] master / certdir /

File            Date        Author       Commit
server          2011-11-17  Dave Cramer  [5779b2] SSL implementation from Andras Bodor more close...
README          2011-11-28  Dave Cramer  [e05f92] removed Override to compile with java 1.4 added...
badclient.crt   2011-11-17  Dave Cramer  [5779b2] SSL implementation from Andras Bodor more close...
badclient.key   2011-11-17  Dave Cramer  [5779b2] SSL implementation from Andras Bodor more close...
badclient.pk8   2011-11-17  Dave Cramer  [5779b2] SSL implementation from Andras Bodor more close...
badroot.crt     2011-11-17  Dave Cramer  [5779b2] SSL implementation from Andras Bodor more close...
goodclient.crt  2011-11-17  Dave Cramer  [5779b2] SSL implementation from Andras Bodor more close...
goodclient.key  2011-11-17  Dave Cramer  [5779b2] SSL implementation from Andras Bodor more close...
goodclient.pk8  2011-11-17  Dave Cramer  [5779b2] SSL implementation from Andras Bodor more close...
goodroot.crt    2011-11-17  Dave Cramer  [5779b2] SSL implementation from Andras Bodor more close...

Read Me

To run the SSL tests, the following properties are used:

certdir: directory where the certificates and keys are stored

ssl<TYPE><gh|bh><8|9>: a connection string to the appropriate database.
TYPE is the TYPE or METHOD field from pg_hba.conf, that is: host, hostnossl,
hostssl, and the special types hostsslcert, which corresponds to a hostssl
type with clientcert=1, and cert, which corresponds to a hostssl type with
cert authentication. 'gh' means the server certificate matches the hostname
(good hostname); 'bh' means it does not (bad hostname). This can be simulated
with a single database if two names can be used, for example localhost and
127.0.0.1. ssloff points to a database where ssl is off. The last number is
the server major version.

For each connection, the following files should be placed into certdir:
goodclient.crt, badclient.crt, goodclient.pk8, badclient.pk8, goodroot.crt, badroot.crt
optionally prefixed by the value of ssl<TYPE><gh|bh>prefix property, if
different files are necessary for different connect strings.
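
A preflight check for the layout described above, as an added example that is not part of the original README or the project's test suite: it reads the properties, finds every ssl<TYPE><gh|bh><8|9> entry, applies the matching prefix property, and lists the fixture files missing from certdir. The minimal key=value parsing and the sample connection string are assumptions.

```python
import re
from pathlib import Path

# The six fixture files the README requires for each connection string.
REQUIRED = ["goodclient.crt", "badclient.crt", "goodclient.pk8",
            "badclient.pk8", "goodroot.crt", "badroot.crt"]

# ssl<TYPE><gh|bh><8|9>, with TYPE taken from the README's list.
CONN_RE = re.compile(r"^ssl(hostsslcert|hostnossl|hostssl|host|cert)(gh|bh)([89])$")


def parse_properties(text):
    """Minimal key=value parser (assumption: no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)  # the value may itself contain '='
        props[key.strip()] = value.strip()
    return props


def missing_fixtures(props):
    """Map each connection property to the fixture files absent from certdir."""
    certdir = Path(props["certdir"])  # KeyError if certdir is not set
    report = {}
    for name in sorted(props):
        m = CONN_RE.match(name)
        if not m:
            continue  # certdir, ssloff, *prefix and unrelated keys
        # Optional per-connection prefix: ssl<TYPE><gh|bh>prefix
        prefix = props.get(f"ssl{m.group(1)}{m.group(2)}prefix", "")
        report[name] = [prefix + f for f in REQUIRED
                        if not (certdir / (prefix + f)).is_file()]
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:   # constructed sample layout
        for f in REQUIRED[:5]:                 # badroot.crt deliberately left out
            (Path(d) / f).touch()
        sample = f"certdir={d}\nsslhostsslgh9=jdbc:postgresql://localhost:5432/hostssldb\n"
        print(missing_fixtures(parse_properties(sample)))
```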

This directory contains example certificates generated by the following
commands:

openssl req -x509 -newkey rsa:1024 -days 3650 -keyout goodclient.key -out goodclient.crt
#Common name is test, password is sslpwd

openssl req -x509 -newkey rsa:1024 -days 3650 -keyout badclient.key -out badclient.crt
#Common name is test, password is sslpwd

openssl req -x509 -newkey rsa:1024 -days 3650 -nodes -keyout badroot.key -out badroot.crt
#Common name is localhost
rm badroot.key

openssl pkcs8 -topk8 -in goodclient.key -out goodclient.pk8 -outform DER -v1 PBE-MD5-DES
openssl pkcs8 -topk8 -in badclient.key -out badclient.pk8 -outform DER -v1 PBE-MD5-DES
cp goodclient.crt server/root.crt
cd server
openssl req -x509 -newkey rsa:1024 -nodes -days 3650 -keyout server.key -out server.crt
cp server.crt ../goodroot.crt
#Common name is localhost, no password

The subdirectory server contains what should be copied to the PGDATA directory.
If you do not overwrite the pg_hba.conf then remember to comment out all lines
starting with "host all".

For the tests, the sslinfo module must be installed into every database.
ssl=on must be set in postgresql.conf.

The following command creates the databases and installs the sslinfo module.

for db in hostssldb hostnossldb certdb hostsslcertdb; do
  createdb $db
  psql $db -c "create extension sslinfo"
done

The username the tests use to connect to postgres, as specified in build.local.properties, has to be "test".
