github.com/unigraph-dev/dgraph@v1.1.1-0.20200923154953-8b52b426f765/contrib/tlstest/README.md

# Semiautomatic tests of TLS configuration

This directory contains several scripts that help with testing TLS functionality in dgraph.

- `Makefile` - cleans up the directory, creates CA, client and server keys and signed certs, executes the tests
- `server_nopass.sh` - starts a server that uses an unencrypted private key
- `server_nopass_client_auth.sh` - starts a server that uses an unencrypted private key and requires client authentication
- `server_pass.sh` - starts a server that uses an encrypted/password-protected private key
- `server_11.sh` - starts a server with the maximum TLS version set to 1.1
- `client_nopass.sh` - executes dgraph-live-loader configured to use an unencrypted private key
- `client_pass.sh` - executes dgraph-live-loader configured to use an encrypted/password-protected private key
- `client_nocert.sh` - executes dgraph-live-loader without a configured client certificate
- `client_12.sh` - executes dgraph-live-loader with the minimum TLS version set to 1.2

## Notes

The Go x509 package supports only encrypted private keys containing a "DEK-Info" header. By default, openssl doesn't include it in generated keys. Fortunately, if the encryption method is explicitly set on the command line, openssl adds the "DEK-Info" header.

`server_pass.sh` should be used with `client_pass.sh`. This enables testing of the `tls_server_name` configuration option. Mixing `_pass` and `_nopass` client/server shows that the server name is verified by the client.

For testing purposes, the DNS names server1.dgraph.io and server2.dgraph.io have to be resolvable. Editing /etc/hosts is the simplest way to achieve this.
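
The "DEK-Info" requirement from the note above, as an added Go example (not code from the dgraph repository): `classifyKey`, `loadKey` and `sampleKeys` are hypothetical helpers, and both sample keys are constructed in-process. It uses the legacy `x509.IsEncryptedPEMBlock` and `x509.DecryptPEMBlock` calls, which are deprecated in current Go releases.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// classifyKey reports how Go's legacy PEM decryption sees a private key file.
func classifyKey(pemBytes []byte) string {
	block, _ := pem.Decode(pemBytes)
	switch {
	case block == nil:
		return "not PEM"
	case x509.IsEncryptedPEMBlock(block): // true only if a DEK-Info header exists
		return "encrypted, DEK-Info present"
	case block.Type == "ENCRYPTED PRIVATE KEY": // PKCS#8 envelope, no PEM headers
		return "encrypted, no DEK-Info"
	}
	return "unencrypted"
}

// loadKey decrypts a DEK-Info style RSA key and refuses anything else.
func loadKey(pemBytes []byte, password string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || !x509.IsEncryptedPEMBlock(block) {
		return nil, fmt.Errorf("key has no DEK-Info header")
	}
	der, err := x509.DecryptPEMBlock(block, []byte(password))
	if err != nil {
		return nil, err // typically x509.IncorrectPasswordError
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// sampleKeys returns constructed inputs: an AES-256 key with DEK-Info, a PKCS#8 stub without.
func sampleKeys(password string) (withDEK, withoutDEK []byte, key *rsa.PrivateKey) {
	key, _ = rsa.GenerateKey(rand.Reader, 2048)
	blk, _ := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(key), []byte(password), x509.PEMCipherAES256)
	stub := &pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: []byte{0x30, 0x00}}
	return pem.EncodeToMemory(blk), pem.EncodeToMemory(stub), key
}

func main() {
	a, b, _ := sampleKeys("secret")
	fmt.Println(classifyKey(a), "|", classifyKey(b))
}
```

Running `classifyKey` over the generated key files before starting the `_pass` scripts shows whether the key carries the header the loader expects.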