To run the SSL tests, the following properties are used:
certdir: directory where the certificates and keys are store
ssl<TYPE><gh|bh><8|9>: a connection string to the appropiate database
TYPE is the TYPE or METHOD field from pg_hba.conf that is: host, hostnossl,
hostssl and the special types hostsslcert, that corresponds
to a hostssl type with clientcert=1 and cert that corresponds
to a hostssl type with cert authentication. 'gh' means, the server certificate
matches the hostname (good hostname), 'bh' means it is not (bad
hostname). It can be simulated with a single database, if two names
can be used i.e. localhost and 127.0.0.1. ssloff points to a database,
where ssl is off. The last number is the server major version
For each connection, the following files should be placed into certdir:
goodclient.crt, badclient.crt, goodclient.pk8, badclient.pk8, goodroot.crt, badroot.crt
optionally prefixed by the value of ssl<TYPE><gh|bh>prefix property, if
different files are necessary for different connect strings.
This directory contains example certificates generated by the following
commands:
openssl req -x509 -newkey rsa:1024 -days 3650 -keyout goodclient.key -out goodclient.crt
#Common name is test, password is sslpwd
openssl req -x509 -newkey rsa:1024 -days 3650 -keyout badclient.key -out badclient.crt
#Common name is test, password is sslpwd
openssl req -x509 -newkey rsa:1024 -days 3650 -nodes -keyout badroot.key -out badroot.crt
#Common name is localhost
rm badroot.key
openssl pkcs8 -topk8 -in goodclient.key -out goodclient.pk8 -outform DER -v1 PBE-MD5-DES
openssl pkcs8 -topk8 -in badclient.key -out badclient.pk8 -outform DER -v1 PBE-MD5-DES
cp goodclient.crt server/root.crt
cd server
openssl req -x509 -newkey rsa:1024 -nodes -days 3650 -keyout server.key -out server.crt
cp server.crt ../goodroot.crt
#Common name is localhost, no password
The subdirectory server contains what should be copied to the PGDATA directory.
If you do not overwrite the pg_hba.conf then remember to comment out all lines
starting with "host all".
For the tests the sslinfo module must be installed into every database.
The ssl=on must be set in postgresql.conf
The following command creates the databases and installs the sslinfo module.
for db in hostssldb hostnossldb certdb hostsslcertdb; do
createdb $db
psql $db -c "create extension sslinfo"
done
The username for connecting to postgres as specified in build.local.properties tests has to be "test".