[WIP] SSL Error testing

grai-server/docker-compose.yml

@@ -105,14 +105,17 @@ services:
       - POSTGRES_USER=grai
       - POSTGRES_PASSWORD=grai
       - POSTGRES_DB=grai
+    volumes:
+      - "./test-certs/server.crt:/var/lib/postgresql/server.crt:ro"
+      - "./test-certs/server.key:/var/lib/postgresql/server.key:ro"
     ports:
       - 5432:5432
     healthcheck:
       test: "pg_isready -U grai"
       interval: 2s
       timeout: 2s
       retries: 15
-    command: ["postgres", "-c", "log_statement=none"]
+    command: ["postgres", "-c", "log_statement=none", "-c", "ssl=on", "-c", "ssl_cert_file=/var/lib/postgresql/server.crt", "-c", "ssl_key_file=/var/lib/postgresql/server.key"]
 
   redis:
     image: redis/redis-stack:latest

grai-server/test-certs/generate_certs.sh

@@ -0,0 +1,8 @@
+# generate the server.key and server.crt
+openssl req -new -text -passout pass:abcd -subj /CN=localhost -out server.req
+openssl rsa -in privkey.pem -passin pass:abcd -out server.key
+openssl req -x509 -in server.req -text -key server.key -out server.crt
+
+# set postgres (alpine) user as owner of the server.key and permissions to 600
+#chown 0:70 server.key
+chmod 600 server.key

grai-server/test-certs/privkey.pem

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQImQyFkqnl2cICAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECPusWKiU8EYgBIIEyExY/5Yx1kLX
+9ET1iAN4djvS9n3Yo6sJ3fkoQGAg1buYuZX6Q4qU9ukJwhV0ZsdKPnJ+makMBuYD
+qBbfw49+txxvKa16NF1aOaKmewgMMmLsaTiO5iegeZkbBmJs/ntUhtUvWXKmus7i
+Kv8HQicbiLQefxJ8tDRY8b+7HVV/Lyu50Q+XEDP7MUxW2TVviGMX1fDjKmwWEG2w
+ttWLIHIAwF2eApQdsAk1ZGpx+NUrBV2cgO/si5RdxhrDNiKzMI/GlirQj7ZNCfRP
+2YVEg0uOjUlbJamBPjIUTU5F/BCh3FNdP4EGT/kCSxX/PL65NHgLYpqsFEUAY/vt
+jpWtSYTjBgB+L5G52duOYZob04SDzoHCSTua6qHGk04SsBPEASqHPr/579Emel+v
+Kjz5oIYZqeSloEL9p5tLyLac288HQFxLmMXULEzPUGbNoY+2B6ftXiJp+Vopq/pV
+GsPxB01e693UJAfHjKEOvOkdMRXDth8rQZfN3wWGQk1Pp6/P/exwZXhfr462j2Hj
+DgklYRmvL9edt48ktKnHygiHiPpL5bet8kEyzH+VDrAggu55q9kZHLYHLhkIuam+
+ght3c2Ex/OC40VBlCgABqScVXFejr48a0iNPN4oTjFlqw1VclqUY1Vtu5CeW2WR0
+jL8bfO60j0FGOP9EB+T9H7VUmgtB1+SqIf7sYTmrPZyZ/N/nmfhyZNsMv6H4hHh0
+SsQG0IgKHJ9tkhXnjl7Gn35kIv2yFGOhWRhLgO9OFSvVctCffxUtOl/dWvZtpprX
+Ra2jQSTKddozu4SN0MKzCmOyvbGXbevd92FQ2N4EmHvPZlr2EwIMuCxbE/h/c6Bs
+9gIy5VXyr1fxno35AoNoZlh2QoOLozidlaKM1EmVEy3xVhDgflDPRjdh3wnQ5bXQ
+J4InIcDFa+ysRb7UXrFfVDt7VU90U/+xCBCYI0hI6bsstLo+9lXDGmHia/1mJt50
+eVb05yq7Mx+Lhun2GXUyUNtl/t0rzoC0SpGthblFhmfc4pkDYq4S73lUILwhtarz
+YFOz7J7hds0Gj4eln4fYyXG3TlzBjL/V2Sse5UgcmWQFBI6eaR8xyNIhzfqz7HoS
+J3rD4uk1w0DxsC3k+9Ml2k9BikC1pb9th4zDsMgqHFKhEMiE1Yc29Bj+VV0bFcTW
+2yyz61Cdun+K/7VKGpepHsn8C9phfq5BMtbFqRW6v1V5+rS1iebuubrcfI44jCBh
+ukTbxX6BuFynVU028AuwT8eyYdnoej97441pshSZk+3y4UTcgb8usFwqNgyl/lES
+62Z0qZwyYCAGaeVpBF0NXZ4/GkyhwBzfaAbcf1SeEt8mO/pEgkWf8a10n1ptmei5
+EDQ+qDDTQQlSDL/F9Eal6VhuwN3flVATbhCvTRGnKW1f+cSTr3p5IbQbdcB9FSBN
+gAE4Nz+zXuGn5kwjrxFqB44qVobd/vNvG4wWptuEBjce+KFD+GPlu0q4ai57WXeS
+mhGsWtYjr3YHb+nQbl7l4/I8vw1KE6DieLoNDtoniDPowdYB78sGOMscoSIvYohA
+Y1HVf0S3EERi0N4RaPNt7/w8FSn0QpWPOxuHIiaPQqfa4bpHInRyczdfjJwbreTo
+ma9EKzTUYWm4dlI0ZugnCw==
+-----END ENCRYPTED PRIVATE KEY-----

grai-server/test-certs/server.crt

@@ -0,0 +1,77 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            35:a2:d1:80:11:19:b7:a4:d3:54:7f:f4:30:a7:49:4b:e4:d3:2b:3a
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = localhost
+        Validity
+            Not Before: Aug  2 15:52:36 2023 GMT
+            Not After : Sep  1 15:52:36 2023 GMT
+        Subject: CN = localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c6:ea:75:fa:68:cc:f9:d2:6a:44:e3:24:7c:1e:
+                    f4:5e:1a:b6:b3:b3:32:90:e0:06:7d:ca:8a:a8:a1:
+                    63:87:82:d2:dd:76:a2:9d:12:18:3a:d9:78:70:9e:
+                    f9:e5:c7:ee:fa:2d:94:69:d2:94:4d:08:32:59:7f:
+                    12:5a:81:6d:d2:65:a1:13:0a:a7:fc:fd:60:12:37:
+                    42:db:9c:ea:17:a3:3a:61:32:83:c7:79:08:f3:e8:
+                    7c:fb:a5:ac:5c:19:52:0a:c5:24:d1:67:8c:f7:c3:
+                    7a:e7:f0:9c:c8:f3:0b:1e:e5:67:8c:e0:cd:38:1f:
+                    6c:50:69:5e:93:f5:ca:bf:d8:33:27:7c:20:48:f8:
+                    a2:17:b7:51:47:59:39:46:d6:ae:a5:da:c2:67:cf:
+                    23:36:9d:1c:98:e8:2e:31:8c:3f:26:00:7b:03:57:
+                    45:cb:8f:8e:b3:41:7e:88:b7:f0:0b:1f:6a:9f:8e:
+                    00:71:43:f4:cb:ad:ed:a5:d0:d4:81:83:2e:cd:de:
+                    0c:7e:9a:cf:7d:c8:f5:70:da:9b:6e:ce:7f:78:d8:
+                    62:79:72:67:77:98:90:85:96:d8:f2:e2:59:75:c6:
+                    1b:42:cc:81:b5:01:fc:32:62:75:0b:b2:fe:dd:24:
+                    15:95:ee:d7:15:ce:70:41:1d:0c:fa:88:35:7d:c0:
+                    cf:b1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier:
+                D7:21:73:0C:BD:72:2C:86:4C:77:60:DB:CB:81:52:E6:85:6B:88:A7
+            X509v3 Authority Key Identifier:
+                D7:21:73:0C:BD:72:2C:86:4C:77:60:DB:CB:81:52:E6:85:6B:88:A7
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        3a:6a:30:53:de:3a:b8:e8:77:e3:8e:5a:86:3b:9d:a9:30:08:
+        76:4f:4c:30:20:f2:41:e4:06:9f:1a:1b:fd:8a:d7:28:7b:e8:
+        ef:21:54:11:d8:b4:0a:ce:2c:8e:1d:f2:11:20:4f:bc:e5:a4:
+        d8:e1:66:1a:c3:29:48:ee:fa:bd:1f:86:75:8a:c9:83:9d:12:
+        21:04:a0:3b:8b:0b:a6:3e:cb:0a:5e:49:ed:fa:e1:1c:ce:13:
+        98:77:6b:70:0a:75:9b:bf:55:39:b3:47:6b:23:77:91:c9:08:
+        54:0c:88:07:7f:10:cc:3e:81:e2:eb:db:40:31:85:f5:21:8a:
+        42:f4:f8:7c:a1:f6:2d:57:3b:91:1b:36:3a:d5:dd:82:9d:b1:
+        2f:62:99:06:96:97:37:ca:dc:79:4a:78:55:c4:09:b8:60:9a:
+        03:53:e7:c1:88:18:98:79:40:ae:98:c0:a2:c5:77:7d:7b:7f:
+        23:18:40:50:eb:4c:61:fb:8c:90:fb:1d:f1:fe:08:6b:65:46:
+        5a:ca:bc:6e:0f:84:eb:e9:ce:60:d4:e0:11:c8:ba:2a:c2:be:
+        b7:f1:13:62:ab:5b:7a:48:52:c3:21:b4:7f:5a:78:60:3f:ce:
+        67:d7:1f:73:8d:41:83:7b:e0:76:17:dd:d3:75:e1:d3:73:f0:
+        bd:49:53:bc
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUNaLRgBEZt6TTVH/0MKdJS+TTKzowDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIzMDgwMjE1NTIzNloXDTIzMDkw
+MTE1NTIzNlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAxup1+mjM+dJqROMkfB70Xhq2s7MykOAGfcqKqKFjh4LS
+3XainRIYOtl4cJ755cfu+i2UadKUTQgyWX8SWoFt0mWhEwqn/P1gEjdC25zqF6M6
+YTKDx3kI8+h8+6WsXBlSCsUk0WeM98N65/CcyPMLHuVnjODNOB9sUGlek/XKv9gz
+J3wgSPiiF7dRR1k5RtaupdrCZ88jNp0cmOguMYw/JgB7A1dFy4+Os0F+iLfwCx9q
+n44AcUP0y63tpdDUgYMuzd4MfprPfcj1cNqbbs5/eNhieXJnd5iQhZbY8uJZdcYb
+QsyBtQH8MmJ1C7L+3SQVle7XFc5wQR0M+og1fcDPsQIDAQABo1MwUTAdBgNVHQ4E
+FgQU1yFzDL1yLIZMd2Dby4FS5oVriKcwHwYDVR0jBBgwFoAU1yFzDL1yLIZMd2Db
+y4FS5oVriKcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAOmow
+U946uOh3445ahjudqTAIdk9MMCDyQeQGnxob/YrXKHvo7yFUEdi0Cs4sjh3yESBP
+vOWk2OFmGsMpSO76vR+GdYrJg50SIQSgO4sLpj7LCl5J7frhHM4TmHdrcAp1m79V
+ObNHayN3kckIVAyIB38QzD6B4uvbQDGF9SGKQvT4fKH2LVc7kRs2OtXdgp2xL2KZ
+BpaXN8rceUp4VcQJuGCaA1PnwYgYmHlArpjAosV3fXt/IxhAUOtMYfuMkPsd8f4I
+a2VGWsq8bg+E6+nOYNTgEci6KsK+t/ETYqtbekhSwyG0f1p4YD/OZ9cfc41Bg3vg
+dhfd03Xh03PwvUlTvA==
+-----END CERTIFICATE-----

grai-server/test-certs/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDG6nX6aMz50mpE
+4yR8HvReGrazszKQ4AZ9yoqooWOHgtLddqKdEhg62Xhwnvnlx+76LZRp0pRNCDJZ
+fxJagW3SZaETCqf8/WASN0LbnOoXozphMoPHeQjz6Hz7paxcGVIKxSTRZ4z3w3rn
+8JzI8wse5WeM4M04H2xQaV6T9cq/2DMnfCBI+KIXt1FHWTlG1q6l2sJnzyM2nRyY
+6C4xjD8mAHsDV0XLj46zQX6It/ALH2qfjgBxQ/TLre2l0NSBgy7N3gx+ms99yPVw
+2ptuzn942GJ5cmd3mJCFltjy4ll1xhtCzIG1AfwyYnULsv7dJBWV7tcVznBBHQz6
+iDV9wM+xAgMBAAECggEAFJabb/ftcVUbTTaCZftxORVEQEzFqNObMGVonSQZMGM0
+zpnTInVHPz4XlnaJ8IPVYx0ZHavfUCrPRU6e+HGpi4ub1KP3d7rE+RWxrJfs7dXl
++r33AEwxhkdTulsvQBgZ0wYNNcRlRZa8z6lqnOz1A3VklqME8rBj7l29nYxk+B6q
+g7qIC2CkZ6lEFQyJ5aDslW/az8D/rYXYWVXzngfQo2fsD54ZpJrIpSDVCQa8YUM7
+jSPmtWYbYYQy5W1lk6mPqEK3pD3fPJt/bgiYDsxpEPvlQuoXZNxHBtyHQ/sjlRUJ
+vBbl8MV9Y4d3+4bRlla09gS2a0WOkhgN+wG4VEb/kQKBgQDWJ0kd9XVKJs0QWg3C
+nr2xKkHlYlCPeGxXncTjZjoH7YWU2gPXF+eLt/7MAX5d6ssaWmh4j/xS6ajVjI3Q
+Wl3ybvNjEoV+ROA3c8i0InoS7ifNRjh2f1hREc7ZFIEIaMMC6JRoB0etKBbxBxsA
+LwayuwFr9GTFYT5mHb8P+GX0KQKBgQDtyO/LEZ8SX/CTSFtdEAWCIBbeL/Me8jlE
+C3o1joPdoueXcZUgwsr1e7p6YFx+SNbJrz66Wvq+0L3MDqVRw1Y11ssKE3Ddrpex
+rLh0yiC+f4n+asHD8pye7eV9D7gp1wx6/Zc2panZGhg1K3bJ7E8Fl1GtXWbEd0mT
+bvbRdIKwSQKBgHzYPjnm5M+ruxRzS15QKInl9rCBFjHtpEuXwDZJXD9O6vcR+fcl
+CmlbhIDtxft+a5Uba5gNaK31ZeXIoMv8QpSYte7l10j7YjMxnqnVB5GNoUp8S2JZ
+buUkGpBW8bozSKyjZhEXXWPG4Uj2OXlr8N21Q2jp+u1OeZASe1YWG2mxAoGAef4o
+AEAHI28zRuzNat5oZQ0/jjh9e/f7p0xYI5f9UT1dodX1E3y8kdsrndNIQMXv5ENT
+ZFp+4FzJsyIkcOFNnouXWZEFy8XiL5aUf96fk/xs+Kkexf/3mJYmsdXZvyWEUqk9
+5hxyGl8H4mdtJ0VkeVLb5ZzQt6UXi1tXp7glwHkCgYEAviunuDhfhuOMIQ2/osom
+DhT5zgRegd5soHc6NiarrgovXTxcwNgHW5oXvKWVaY28ksQ7tHoxX/47yiBlhMhL
+MabKqxw9X8G2F3WmoxWyX7G2oGGiEP/qTSH0TT+zb4cPrNC+QAqkhpQMWB9MBJ1m
+gtu+XEZM03N+5tahY6zwcyI=
+-----END PRIVATE KEY-----

grai-server/test-certs/server.req

@@ -0,0 +1,62 @@
+Certificate Request:
+    Data:
+        Version: 1 (0x0)
+        Subject: CN = localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c6:ea:75:fa:68:cc:f9:d2:6a:44:e3:24:7c:1e:
+                    f4:5e:1a:b6:b3:b3:32:90:e0:06:7d:ca:8a:a8:a1:
+                    63:87:82:d2:dd:76:a2:9d:12:18:3a:d9:78:70:9e:
+                    f9:e5:c7:ee:fa:2d:94:69:d2:94:4d:08:32:59:7f:
+                    12:5a:81:6d:d2:65:a1:13:0a:a7:fc:fd:60:12:37:
+                    42:db:9c:ea:17:a3:3a:61:32:83:c7:79:08:f3:e8:
+                    7c:fb:a5:ac:5c:19:52:0a:c5:24:d1:67:8c:f7:c3:
+                    7a:e7:f0:9c:c8:f3:0b:1e:e5:67:8c:e0:cd:38:1f:
+                    6c:50:69:5e:93:f5:ca:bf:d8:33:27:7c:20:48:f8:
+                    a2:17:b7:51:47:59:39:46:d6:ae:a5:da:c2:67:cf:
+                    23:36:9d:1c:98:e8:2e:31:8c:3f:26:00:7b:03:57:
+                    45:cb:8f:8e:b3:41:7e:88:b7:f0:0b:1f:6a:9f:8e:
+                    00:71:43:f4:cb:ad:ed:a5:d0:d4:81:83:2e:cd:de:
+                    0c:7e:9a:cf:7d:c8:f5:70:da:9b:6e:ce:7f:78:d8:
+                    62:79:72:67:77:98:90:85:96:d8:f2:e2:59:75:c6:
+                    1b:42:cc:81:b5:01:fc:32:62:75:0b:b2:fe:dd:24:
+                    15:95:ee:d7:15:ce:70:41:1d:0c:fa:88:35:7d:c0:
+                    cf:b1
+                Exponent: 65537 (0x10001)
+        Attributes:
+            (none)
+            Requested Extensions:
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        16:a2:bb:77:b4:4b:e9:71:f5:8a:81:69:b5:38:ce:29:c0:b4:
+        c8:b6:39:a8:bc:a6:c9:72:9f:05:13:0e:cb:9e:9b:ed:71:33:
+        ef:ea:3f:43:e4:2f:25:c4:fd:5d:73:a1:26:0a:0b:21:5d:cd:
+        3f:e1:26:9d:08:9d:b6:79:7d:dc:f7:a9:b8:3d:2e:68:16:9a:
+        14:06:04:b6:2e:3f:2d:c0:94:60:a1:72:a3:5d:ef:54:09:6f:
+        56:56:08:3c:d9:42:c1:ef:ba:c2:00:22:b1:e0:1c:ae:6b:92:
+        bf:4a:c5:18:5b:04:7b:17:b3:62:19:bf:b8:ac:d7:dd:b6:7d:
+        35:50:e4:cc:50:d0:24:a3:d6:bf:8c:da:1e:f8:1d:14:b9:01:
+        fe:37:ec:cd:17:3f:f7:74:58:dd:a4:1c:fb:57:d3:53:17:c2:
+        75:cf:6c:11:ed:67:74:73:a0:19:05:cf:fc:99:1b:e5:bf:61:
+        f0:1c:57:87:70:27:c2:e1:7e:c9:17:42:cb:66:4b:7e:b8:92:
+        86:69:9e:97:ce:4f:d6:2f:10:e8:74:e8:c0:d1:e5:6c:49:cf:
+        a4:8b:2c:21:a7:61:fa:a9:18:43:e2:3e:e6:f5:a0:9c:c0:3c:
+        41:cb:7c:d3:54:d8:ca:5e:13:0a:bc:d0:c2:82:46:2a:3a:1c:
+        39:10:9d:d2
+-----BEGIN CERTIFICATE REQUEST-----
+MIICWTCCAUECAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAxup1+mjM+dJqROMkfB70Xhq2s7MykOAGfcqKqKFj
+h4LS3XainRIYOtl4cJ755cfu+i2UadKUTQgyWX8SWoFt0mWhEwqn/P1gEjdC25zq
+F6M6YTKDx3kI8+h8+6WsXBlSCsUk0WeM98N65/CcyPMLHuVnjODNOB9sUGlek/XK
+v9gzJ3wgSPiiF7dRR1k5RtaupdrCZ88jNp0cmOguMYw/JgB7A1dFy4+Os0F+iLfw
+Cx9qn44AcUP0y63tpdDUgYMuzd4MfprPfcj1cNqbbs5/eNhieXJnd5iQhZbY8uJZ
+dcYbQsyBtQH8MmJ1C7L+3SQVle7XFc5wQR0M+og1fcDPsQIDAQABoAAwDQYJKoZI
+hvcNAQELBQADggEBABaiu3e0S+lx9YqBabU4zinAtMi2Oai8pslynwUTDsuem+1x
+M+/qP0PkLyXE/V1zoSYKCyFdzT/hJp0InbZ5fdz3qbg9LmgWmhQGBLYuPy3AlGCh
+cqNd71QJb1ZWCDzZQsHvusIAIrHgHK5rkr9KxRhbBHsXs2IZv7is1922fTVQ5MxQ
+0CSj1r+M2h74HRS5Af437M0XP/d0WN2kHPtX01MXwnXPbBHtZ3RzoBkFz/yZG+W/
+YfAcV4dwJ8LhfskXQstmS364koZpnpfOT9YvEOh06MDR5WxJz6SLLCGnYfqpGEPi
+Pub1oJzAPEHLfNNU2MpeEwq80MKCRio6HDkQndI=
+-----END CERTIFICATE REQUEST-----