On 08/12/2014 03:53 PM, Heikki Linnakangas wrote:
> On 08/12/2014 02:28 PM, Andres Freund wrote:
>> On 2014-08-12 14:01:18 +0300, Heikki Linnakangas wrote:
>>> Also, to test sslmode=verify-full, where the client checks that the server
>>> certificate's hostname matches the hostname that it connected to, you need
>>> to have two aliases for the same server, one that matches the certificate
>>> and one that doesn't. But I think I found a way around that part; if the
>>> certificate is set up for "localhost", and connect to "127.0.0.1", you get a
>>> mismatch.
>>
>> Alternatively, and to e.g. test wildcard certs and such, I think you can
>> specify both host and hostaddr to connect to connect without actually
>> doing a dns lookup.
>
> Oh, I didn't know that's possible! Yeah, that's a good solution.
Here's a new version of the SSL regression suite I wrote earlier. It now
specifies both host and hostaddr in the connection string as Andres
suggested, so it no longer requires changes to network configuration. I
added a bunch of tests for the SAN feature that Alexey Klyukin wrote and
was committed earlier. Plus a lot of miscellaneous cleanup.
This probably needs some further cleanup before it's ready for
committing. One issues is that it creates a temporary cluster that
listens for TCP connections on localhost, which isn't safe on a
multi-user system.
- Heikki