Menu
▾
▴
Tree [d74f08] master / certdir / History
| File | Date | Author | Commit |
|---|---|---|---|
| server | 2011-11-17 |
Dave Cramer
|
[5779b2] SSL implementation from Andras Bodor more close... |
| README | 2011-11-28 |
Dave Cramer
|
[e05f92] removed Override to compile with java 1.4 added... |
| badclient.crt | 2011-11-17 |
Dave Cramer
|
[5779b2] SSL implementation from Andras Bodor more close... |
| badclient.key | 2011-11-17 |
Dave Cramer
|
[5779b2] SSL implementation from Andras Bodor more close... |
| badclient.pk8 | 2011-11-17 |
Dave Cramer
|
[5779b2] SSL implementation from Andras Bodor more close... |
| badroot.crt | 2011-11-17 |
Dave Cramer
|
[5779b2] SSL implementation from Andras Bodor more close... |
| goodclient.crt | 2011-11-17 |
Dave Cramer
|
[5779b2] SSL implementation from Andras Bodor more close... |
| goodclient.key | 2011-11-17 |
Dave Cramer
|
[5779b2] SSL implementation from Andras Bodor more close... |
| goodclient.pk8 | 2011-11-17 |
Dave Cramer
|
[5779b2] SSL implementation from Andras Bodor more close... |
| goodroot.crt | 2011-11-17 |
Dave Cramer
|
[5779b2] SSL implementation from Andras Bodor more close... |
Read Me
To run the SSL tests, the following properties are used: certdir: directory where the certificates and keys are store ssl<TYPE><gh|bh><8|9>: a connection string to the appropiate database TYPE is the TYPE or METHOD field from pg_hba.conf that is: host, hostnossl, hostssl and the special types hostsslcert, that corresponds to a hostssl type with clientcert=1 and cert that corresponds to a hostssl type with cert authentication. 'gh' means, the server certificate matches the hostname (good hostname), 'bh' means it is not (bad hostname). It can be simulated with a single database, if two names can be used i.e. localhost and 127.0.0.1. ssloff points to a database, where ssl is off. The last number is the server major version For each connection, the following files should be placed into certdir: goodclient.crt, badclient.crt, goodclient.pk8, badclient.pk8, goodroot.crt, badroot.crt optionally prefixed by the value of ssl<TYPE><gh|bh>prefix property, if different files are necessary for different connect strings. This directory contains example certificates generated by the following commands: openssl req -x509 -newkey rsa:1024 -days 3650 -keyout goodclient.key -out goodclient.crt #Common name is test, password is sslpwd openssl req -x509 -newkey rsa:1024 -days 3650 -keyout badclient.key -out badclient.crt #Common name is test, password is sslpwd openssl req -x509 -newkey rsa:1024 -days 3650 -nodes -keyout badroot.key -out badroot.crt #Common name is localhost rm badroot.key openssl pkcs8 -topk8 -in goodclient.key -out goodclient.pk8 -outform DER -v1 PBE-MD5-DES openssl pkcs8 -topk8 -in badclient.key -out badclient.pk8 -outform DER -v1 PBE-MD5-DES cp goodclient.crt server/root.crt cd server openssl req -x509 -newkey rsa:1024 -nodes -days 3650 -keyout server.key -out server.crt cp server.crt ../goodroot.crt #Common name is localhost, no password The subdirectory server contains what should be copied to the PGDATA directory. If you do not overwrite the pg_hba.conf then remember to comment out all lines starting with "host all". For the tests the sslinfo module must be installed into every database. The ssl=on must be set in postgresql.conf The following command creates the databases and installs the sslinfo module. for db in hostssldb hostnossldb certdb hostsslcertdb; do createdb $db psql $db -c "create extension sslinfo" done The username for connecting to postgres as specified in build.local.properties tests has to be "test".
