Re: SSL regression test suite

On 2014-08-12 14:01:18 +0300, Heikki Linnakangas wrote:
> On 08/05/2014 10:46 PM, Robert Haas wrote:
> >Why can't you make it work over 127.0.0.1?
> 
> I wanted it to be easy to run the client and the server on different hosts.
> As soon as we have more than one SSL implementation, it would be really nice
> to do interoperability testing between a client and a server using different
> implementations.
> 
> Also, to test sslmode=verify-full, where the client checks that the server
> certificate's hostname matches the hostname that it connected to, you need
> to have two aliases for the same server, one that matches the certificate
> and one that doesn't. But I think I found a way around that part; if the
> certificate is set up for "localhost", and connect to "127.0.0.1", you get a
> mismatch.

Alternatively, and to e.g. test wildcard certs and such, I think you can
specify both host and hostaddr to connect to connect without actually
doing a dns lookup.

Greetings,

Andres Freund

-- Andres Freund                       http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training &
Services