v1.1-0002-squash-Add-TLS-support-for-the-OAuth-tests.patch
application/octet-stream
Filename: v1.1-0002-squash-Add-TLS-support-for-the-OAuth-tests.patch
Type: application/octet-stream
Part: 1
Patch
Format: format-patch
Series: patch v1-0002
Subject: squash! Add TLS support for the OAuth tests
| File | + | − |
|---|---|---|
| src/test/modules/oauth_validator/Makefile | 1 | 0 |
| src/test/modules/oauth_validator/meson.build | 1 | 0 |
| src/test/modules/oauth_validator/t/001_server.pl | 43 | 7 |
| src/test/modules/oauth_validator/t/OAuth/Server.pm | 3 | 3 |
| src/test/modules/oauth_validator/t/oauth_server.py | 6 | 6 |
| src/test/ssl/conf/server-localhost-alt-names.config | 3 | 1 |
| src/test/ssl/sslfiles.mk | 1 | 1 |
| src/test/ssl/ssl/server-ip-localhost.crt | 0 | 20 |
| src/test/ssl/ssl/server-ip-localhost.key | 0 | 28 |
| src/test/ssl/ssl/server-localhost-alt-names.crt | 20 | 0 |
| src/test/ssl/ssl/server-localhost-alt-names.key | 28 | 0 |
From 403a2b99586f46cd3b22903c6bf5e5369544dbbf Mon Sep 17 00:00:00 2001
From: Jacob Champion <jacob.champion@enterprisedb.com>
Date: Fri, 27 Feb 2026 15:36:17 -0800
Subject: [PATCH v1.1 2/2] squash! Add TLS support for the OAuth tests
- inject certificate directory from build system
- keep the HTTP test, add a failed-HTTPS-verification test
- switch back to IPv4-only Issuer [1]
- blacken oauth_server.py
- add req_extensions = v3_req to get SANs working
- move `localhost` DNS name to SANs
- rename server-ip-localhost -> server-localhost-alt-names
[1] https://postgr.es/m/CAOYmi%2Bn4EDOOUL27_OqYT2-F2rS6S%2B3mK-ppWb2Ec92UEoUbYA%40mail.gmail.com
---
src/test/modules/oauth_validator/meson.build | 1 +
src/test/modules/oauth_validator/Makefile | 1 +
.../modules/oauth_validator/t/001_server.pl | 50 ++++++++++++++++---
.../modules/oauth_validator/t/OAuth/Server.pm | 6 +--
.../modules/oauth_validator/t/oauth_server.py | 12 ++---
...nfig => server-localhost-alt-names.config} | 4 +-
src/test/ssl/ssl/server-ip-localhost.crt | 20 --------
src/test/ssl/ssl/server-ip-localhost.key | 28 -----------
.../ssl/ssl/server-localhost-alt-names.crt | 20 ++++++++
.../ssl/ssl/server-localhost-alt-names.key | 28 +++++++++++
src/test/ssl/sslfiles.mk | 2 +-
11 files changed, 106 insertions(+), 66 deletions(-)
rename src/test/ssl/conf/{server-ip-localhost.config => server-localhost-alt-names.config} (73%)
delete mode 100644 src/test/ssl/ssl/server-ip-localhost.crt
delete mode 100644 src/test/ssl/ssl/server-ip-localhost.key
create mode 100644 src/test/ssl/ssl/server-localhost-alt-names.crt
create mode 100644 src/test/ssl/ssl/server-localhost-alt-names.key
diff --git a/src/test/modules/oauth_validator/meson.build b/src/test/modules/oauth_validator/meson.build
index c4b73e05297..506a9894b8d 100644
--- a/src/test/modules/oauth_validator/meson.build
+++ b/src/test/modules/oauth_validator/meson.build
@@ -80,6 +80,7 @@ tests += {
'PYTHON': python.full_path(),
'with_libcurl': oauth_flow_supported ? 'yes' : 'no',
'with_python': 'yes',
+ 'cert_dir': meson.project_source_root() / 'src/test/ssl/ssl',
},
'deps': [oauth_hook_client],
},
diff --git a/src/test/modules/oauth_validator/Makefile b/src/test/modules/oauth_validator/Makefile
index cb64f0f1437..0b39a88fd9f 100644
--- a/src/test/modules/oauth_validator/Makefile
+++ b/src/test/modules/oauth_validator/Makefile
@@ -36,5 +36,6 @@ include $(top_srcdir)/contrib/contrib-global.mk
export PYTHON
export with_libcurl
export with_python
+export cert_dir=$(top_srcdir)/src/test/ssl/ssl
endif
diff --git a/src/test/modules/oauth_validator/t/001_server.pl b/src/test/modules/oauth_validator/t/001_server.pl
index 12da59109bf..cdad2ae8011 100644
--- a/src/test/modules/oauth_validator/t/001_server.pl
+++ b/src/test/modules/oauth_validator/t/001_server.pl
@@ -14,7 +14,6 @@ use MIME::Base64 qw(encode_base64);
use PostgreSQL::Test::Cluster;
use PostgreSQL::Test::Utils;
use Test::More;
-use File::Basename;
use FindBin;
use lib $FindBin::RealBin;
@@ -72,8 +71,30 @@ END
$? = $exit_code;
}
+# To test against HTTPS with our custom CA, we need to enable PGOAUTHDEBUG and
+# PGOAUTHCAFILE. But first, check to make sure the client refuses HTTP and
+# untrusted HTTPS connections by default.
my $port = $webserver->port();
-my $issuer = "https://localhost:$port";
+my $issuer = "http://127.0.0.1:$port";
+
+unlink($node->data_dir . '/pg_hba.conf');
+$node->append_conf(
+ 'pg_hba.conf', qq{
+local all test oauth issuer="$issuer" scope="openid postgres"
+});
+$node->reload;
+
+my $log_start = $node->wait_for_log(qr/reloading configuration files/);
+
+$node->connect_fails(
+ "user=test dbname=postgres oauth_issuer=$issuer oauth_client_id=f02c6361-0635",
+ "HTTPS is required without debug mode",
+ expected_stderr =>
+ qr@OAuth discovery URI "\Q$issuer\E/.well-known/openid-configuration" must use HTTPS@
+);
+
+# Switch to HTTPS.
+$issuer = "https://127.0.0.1:$port";
unlink($node->data_dir . '/pg_hba.conf');
$node->append_conf(
@@ -84,7 +105,8 @@ local all testparam oauth issuer="$issuer/param" scope="openid postgres"
});
$node->reload;
-my $log_start = $node->wait_for_log(qr/reloading configuration files/);
+$log_start =
+ $node->wait_for_log(qr/reloading configuration files/, $log_start);
# Check pg_hba_file_rules() support.
my $contents = $bgconn->query_safe(
@@ -97,12 +119,26 @@ is( $contents,
3|oauth|\{issuer=$issuer/param,"scope=openid postgres",validator=validator\}},
"pg_hba_file_rules recreates OAuth HBA settings");
-# To test against HTTPS, we need to enable PGOAUTHDEBUG and provide the right
-# CA to be able to verify the server certificate
+# Make sure PGOAUTHDEBUG=UNSAFE doesn't disable certificate verification.
$ENV{PGOAUTHDEBUG} = "UNSAFE";
-my $certdir = dirname(__FILE__) . "/../../../ssl/ssl";
-$ENV{PGOAUTHCAFILE} = "$certdir/root+server_ca.crt";
+$node->connect_fails(
+ "user=test dbname=postgres oauth_issuer=$issuer oauth_client_id=f02c6361-0635",
+ "HTTPS trusts only system CA roots by default",
+ # Note that the latter half of this error message comes from Curl, which has
+ # had a few variants since 7.61:
+ #
+ # - SSL peer certificate or SSH remote key was not OK
+ # - Peer certificate cannot be authenticated with given CA certificates
+ # - Issuer check against peer certificate failed
+ #
+ # Key off of the "peer certificate" portion, since that seems to have
+ # remained constant over a long period of time.
+ expected_stderr =>
+ qr/failed to fetch OpenID discovery document:.*peer certificate/i);
+
+# Now we can use our alternative CA.
+$ENV{PGOAUTHCAFILE} = "$ENV{cert_dir}/root+server_ca.crt";
my $user = "test";
$node->connect_ok(
diff --git a/src/test/modules/oauth_validator/t/OAuth/Server.pm b/src/test/modules/oauth_validator/t/OAuth/Server.pm
index 84c62f38c6b..d923d4c5eb2 100644
--- a/src/test/modules/oauth_validator/t/OAuth/Server.pm
+++ b/src/test/modules/oauth_validator/t/OAuth/Server.pm
@@ -15,7 +15,7 @@ OAuth::Server - runs a mock OAuth authorization server for testing
$server->run;
my $port = $server->port;
- my $issuer = "https://localhost:$port";
+ my $issuer = "https://127.0.0.1:$port";
# test against $issuer...
@@ -27,8 +27,8 @@ This is glue API between the Perl tests and the Python authorization server
daemon implemented in t/oauth_server.py. (Python has a fairly usable HTTP server
in its standard library, so the implementation was ported from Perl.)
-This authorization server runs over TLS, so libpq will need to set
-PGOAUTHDEBUG=UNSAFE and PGOAUTHCAFILE with the right CA.
+This authorization server serves HTTPS on 127.0.0.1 (IPv4 only). libpq will need
+to set PGOAUTHDEBUG=UNSAFE and PGOAUTHCAFILE with the right CA.
=cut
diff --git a/src/test/modules/oauth_validator/t/oauth_server.py b/src/test/modules/oauth_validator/t/oauth_server.py
index d7de984535b..973d99b93f2 100755
--- a/src/test/modules/oauth_validator/t/oauth_server.py
+++ b/src/test/modules/oauth_validator/t/oauth_server.py
@@ -18,10 +18,10 @@ import urllib.parse
from collections import defaultdict
from typing import Dict
-oauth_server_dir = os.path.dirname(os.path.realpath(__file__))
-ssl_dir = os.path.join(oauth_server_dir, "../../../ssl/ssl")
-ssl_cert = ssl_dir + "/server-ip-localhost.crt"
-ssl_key = ssl_dir + "/server-ip-localhost.key"
+ssl_dir = os.getenv("cert_dir")
+ssl_cert = ssl_dir + "/server-localhost-alt-names.crt"
+ssl_key = ssl_dir + "/server-localhost-alt-names.key"
+
class OAuthHandler(http.server.BaseHTTPRequestHandler):
"""
@@ -300,7 +300,7 @@ class OAuthHandler(http.server.BaseHTTPRequestHandler):
def config(self) -> JsonObject:
port = self.server.socket.getsockname()[1]
- issuer = f"https://localhost:{port}"
+ issuer = f"https://127.0.0.1:{port}"
if self._alt_issuer:
issuer += "/alternate"
elif self._parameterized:
@@ -414,7 +414,7 @@ def main():
be printed to stdout.
"""
# To be able to listen over SSL we create the context and load the certificates
- ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+ ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ssl_context.load_cert_chain(ssl_cert, ssl_key)
s = http.server.HTTPServer(("127.0.0.1", 0), OAuthHandler)
diff --git a/src/test/ssl/conf/server-ip-localhost.config b/src/test/ssl/conf/server-localhost-alt-names.config
similarity index 73%
rename from src/test/ssl/conf/server-ip-localhost.config
rename to src/test/ssl/conf/server-localhost-alt-names.config
index 61f10af0619..1c41c1ecb78 100644
--- a/src/test/ssl/conf/server-ip-localhost.config
+++ b/src/test/ssl/conf/server-localhost-alt-names.config
@@ -1,12 +1,13 @@
# An OpenSSL format CSR config file for creating a server certificate.
#
+# This certificate contains SANs for localhost (DNS, IPv4, and IPv6).
[ req ]
distinguished_name = req_distinguished_name
+req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
-CN = localhost
OU = PostgreSQL test suite
# For Subject Alternative Names
@@ -14,5 +15,6 @@ OU = PostgreSQL test suite
subjectAltName = @alt_names
[ alt_names ]
+DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
diff --git a/src/test/ssl/ssl/server-ip-localhost.crt b/src/test/ssl/ssl/server-ip-localhost.crt
deleted file mode 100644
index c6e4dadcef8..00000000000
--- a/src/test/ssl/ssl/server-ip-localhost.crt
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPDCCAiSgAwIBAgIIICYCJxcTNAAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
-Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
-cnZlciBjZXJ0czAgFw0yNjAyMjcxNjEzMzRaGA8yMDUzMDcxNTE2MTMzNFowNDEe
-MBwGA1UECwwVUG9zdGdyZVNRTCB0ZXN0IHN1aXRlMRIwEAYDVQQDDAlsb2NhbGhv
-c3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC3bW97F0OjQR1E+CW
-TLqPsBngwy02IBbcPZNr19HYodby82mKavwvU7IDkTCCNTU89zlHbzlF4NsnWuvA
-zQlPk/kfg9OeDj2G3PKYvHe2G9xkuBEgusKsq+FkQcx3o4S93fAZKyCztgBVptfm
-/q8CeJ4nsNlQI7uAYZ9s3R36PrX92qS50NvOOIm5zxRtCXX51gMVqWS7t/iyvXU2
-EVGyXLRyOArCoVkfY9AbBAJJzftzEQjqUVS7W2INUr8KLkRRJOKrzkBLg8T2+YmR
-PNKdqhVMhn5uozjTgA0viQN1rVJZvxahR8zAhhqChO7+84xWEcZTl9Lc5uWDV+O4
-w4bPAgMBAAGjQjBAMB0GA1UdDgQWBBQWXk4bIK8qHwQpAQTmvNX4B/h5ozAfBgNV
-HSMEGDAWgBTyjzpmQFBkSCLXLoL/Vp7Cs+50CjANBgkqhkiG9w0BAQsFAAOCAQEA
-Kh0pDHJfQ/5daLpmLiOwZD3KqN8FQd5QNVJjlGD3Qh3QblVRGNl1csLSWb4BnENO
-3Kq6zKkNBSoAA6bFqVhXcdL1utrnGk2fLpInGMA5B+r+BpZkUVSKu6BPn/HNnImt
-PCZ3sjQyTZ1QXjDjxiOynGkDl9G+3RKDsDhdOHxoqCKUDlHkC9oi3FxkNgvvwpVu
-ybio+haTmoRbOr7U5MFNbtQOglgjV4/QeFjzSm3mrSuCEJVTI4/CovbboM5xZ144
-FNunyccqdaFA9O3lKsmj03zEIkI9kNRL8IRNVf/xoVRdivNMdHhG+KrO9pqIYuYM
-3Vsjv+Men06w2B0StaazZg==
------END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-ip-localhost.key b/src/test/ssl/ssl/server-ip-localhost.key
deleted file mode 100644
index 748cf7a59b4..00000000000
--- a/src/test/ssl/ssl/server-ip-localhost.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDC3bW97F0OjQR1
-E+CWTLqPsBngwy02IBbcPZNr19HYodby82mKavwvU7IDkTCCNTU89zlHbzlF4Nsn
-WuvAzQlPk/kfg9OeDj2G3PKYvHe2G9xkuBEgusKsq+FkQcx3o4S93fAZKyCztgBV
-ptfm/q8CeJ4nsNlQI7uAYZ9s3R36PrX92qS50NvOOIm5zxRtCXX51gMVqWS7t/iy
-vXU2EVGyXLRyOArCoVkfY9AbBAJJzftzEQjqUVS7W2INUr8KLkRRJOKrzkBLg8T2
-+YmRPNKdqhVMhn5uozjTgA0viQN1rVJZvxahR8zAhhqChO7+84xWEcZTl9Lc5uWD
-V+O4w4bPAgMBAAECggEAAnJfIopWH08bU/A54+4bAzuZgPlu7UPFqpR/FvbYfPh9
-Ka+9TsuPZ3WBz+ZksPJfhUzRd7ayOBO5rtBHEyPzaSFdXXyRR/xRvs0slz3jnZvp
-Hxz6upkx5t/2Z00wz9BdsccjpS5M3OIFV1vkchCRmGCAFAzaOHckewW7/tV7Ugfa
-pNuYz0WjJT7N2sU362QINABgWtD1a3vPOyspsrSb8Gox1fzeGAgCZi8oKiI3QYuk
-ooyqwbs/lkXKHRZXmLc7lXMr1wWLLnMUUUGXZ/eC4vpPJ9rH33ymxShAfrUGWvXQ
-fXnuabLyMT0a/uhaJZh0/jAk1BOnUnjHCHuBpyHGrQKBgQD5mpYbpAChs9vN6yFP
-RPjc2q9xuJbLzsi9vTgTxRiYVUcYWJ2Lcz2wSg9nyBsHBZVFqH9uVGTCImOIDbba
-8lIZmvC4nNiMxhsD1jQZQBCOU03t0Ga5ImxUYexxq/lP809qJcGKdgVSGA93ufkC
-7FXJH6iWnwTk/jiM/YyaJhX/QwKBgQDH3Ap4aGf7CmkULvKei9435lt1a3YkmXmt
-NOBBimLUyXJtq1m//Thx/Gp9CVa38M3fd0NH6ZZvRJBPwO+43A3EqXv/qXn9dNcA
-xY2bYtRrm3LGilNuG2C/8T+cZ+T9hX4dSIwefJMYGPDkZNwgwl/tjRjbZZE+KWv8
-VGQ87HVjhQKBgQCMZW5vh7UvP1qwncQzsUkF+R/cKIbxhpOVXhxvylpGPRlrUVT0
-flLBmTbHGmBRd8t5zgg3h9LQ+8TeX1BuIQUbD/K89MQ9kqTZaKAPX+CwHZ1k2ecd
-1YX3hMkZOzFVzjbqLuiJOE9P2ObCYmH1SfgK0/rhFfsLzw8CBxASGMAgvwKBgBr6
-wlMUzQyfkCXQXKI4gWwMZcZJFm7EZR+Tpr5SPxs4goD5g6keNtN0Xq+4ZgN4t2H2
-SJfZmZw1pkGN6w6KbjVhJ8MQjs4/SpLpGD+krMZF+s2AeNjBS2M93vdvMwNiVO8B
-DyFCcdzr6QD7+JdXhfmcdYGQiXXZw6ERh2KODR69AoGBAPQ4IRTIh3jfBj2xZenI
-MDegCiOIAO516GTX0C1aB3jFhH4pcdbiN2R/2dffdvZvuQmJ4kCmyggvyx9QjUHL
-/Kxk0jacA14LFOmrnlihwET4gfeL8S3vzhJcNcv0GXOgWe4hP9LH+eaidICx/JlD
-hYX8HYSKQxIFmt5IUAxlUvoj
------END PRIVATE KEY-----
diff --git a/src/test/ssl/ssl/server-localhost-alt-names.crt b/src/test/ssl/ssl/server-localhost-alt-names.crt
new file mode 100644
index 00000000000..106dc34d7bb
--- /dev/null
+++ b/src/test/ssl/ssl/server-localhost-alt-names.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVjCCAj6gAwIBAgIIICYCJxRTBwAwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UE
+Aww3VGVzdCBDQSBmb3IgUG9zdGdyZVNRTCBTU0wgcmVncmVzc2lvbiB0ZXN0IHNl
+cnZlciBjZXJ0czAgFw0yNjAyMjcyMjUzMDdaGA8yMDUzMDcxNTIyNTMwN1owIDEe
+MBwGA1UECwwVUG9zdGdyZVNRTCB0ZXN0IHN1aXRlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA3k/aT/OV8sbJrvhtSgz5eNMCuv7RKdUQw+f52DpZTs85
+lTXIRs+l3mXoKRjN1gqzqlHInnJlhxQipqGiJfz4Li8L6jma2yZztFHH+f+YF8Ke
+5fCYP1qMxbghqeIRkKgrCEjHUnOhbN5oMi/Ndt9AXWGG/39uk5Xec/Y/J5aZkPVV
+blqWYyQQ+4U783lwZs1EUWdfiTVRp8fYADT/2lHjaZaX08vAE5VvCbBv6mPhPfno
+F9FIaW+CRuwORisFK8Bd1q/0r5aPZGPi0lokCdaB/cRUHwJK1/HHgyB3N+Lk4swf
+z+MfSqj4IaNPW7zn3EV9hgpVwSmB5ES8rzojiGtMDQIDAQABo3AwbjAsBgNVHREE
+JTAjgglsb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwHQYDVR0OBBYE
+FOZ8KClKVbeYecn8lvAldBXOjQz6MB8GA1UdIwQYMBaAFPKPOmZAUGRIItcugv9W
+nsKz7nQKMA0GCSqGSIb3DQEBCwUAA4IBAQDE1FGw20H0Flo3gAGN0ND9G/6wDxWM
+MldbXRjqc1E0/+7+Zs6v1jPrNUNEvxy5kHWevUJCIt6y4SYt01JxE4wqEPJ3UBAv
+cM0p08mohmN/CHc/lswXx12MZMfaLA1/WRPqvtiGFOrOOPvaRKHO4ORiT1KWmtOO
+FgcW9E1Q1iJFK28xdz9NEEBWEurEIr5KGAsCwf9DfQxPJXiS9n98BDI8gPwlse7t
+VqyhGVSj+EPbdY2kqkSuPXacdnUGfO6EWo9PFKqhxWMxABLuK0UZzH6/1lMOh1m9
+Mm+gtwO5RLBX22V+KIs1uuDTNcveQ2DsZnMZh7lGD05eHYG9hwnC6GNZ
+-----END CERTIFICATE-----
diff --git a/src/test/ssl/ssl/server-localhost-alt-names.key b/src/test/ssl/ssl/server-localhost-alt-names.key
new file mode 100644
index 00000000000..4499a11928d
--- /dev/null
+++ b/src/test/ssl/ssl/server-localhost-alt-names.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDeT9pP85Xyxsmu
++G1KDPl40wK6/tEp1RDD5/nYOllOzzmVNchGz6XeZegpGM3WCrOqUciecmWHFCKm
+oaIl/PguLwvqOZrbJnO0Ucf5/5gXwp7l8Jg/WozFuCGp4hGQqCsISMdSc6Fs3mgy
+L81230BdYYb/f26Tld5z9j8nlpmQ9VVuWpZjJBD7hTvzeXBmzURRZ1+JNVGnx9gA
+NP/aUeNplpfTy8ATlW8JsG/qY+E9+egX0Uhpb4JG7A5GKwUrwF3Wr/Svlo9kY+LS
+WiQJ1oH9xFQfAkrX8ceDIHc34uTizB/P4x9KqPgho09bvOfcRX2GClXBKYHkRLyv
+OiOIa0wNAgMBAAECggEAFchiPkJCV4r12RCbeM2DpjyawGLWcNBhN6jjuLWi6Y9x
+d3bRHGsdOAjpMhmtlYLv7sjbrPbNjupAqO4eerVqRfAzLSyeyUlfvfPjcdIC/5UA
+x8wGxvJi576ugbxWd0ObD9E9woz07LtwHzbC3ZprbprvRNqiJZDiPp+KuaDOhD7u
+6XAM8JilFqfiDN8+xbH2dWdVkdt2OD5wctJbqy6moH9VFVsWsMQr3/vJkSdUPLxa
+8ATUubFhO/sqE+KsMZESq5W1Xbj3NwMkvnA92yG9+ED60NPjFzgheZZWSmXe1B/c
+XB3G/upvCoHEgKbrnYt05b/ryUbXAZkvi5oL4fp9OwKBgQD4d+Qm4GiKEWvjZ5II
+ROfHEyoWOHw9z8ydJIrtOL8ICh5RH8D/v2IaMAacWV5eLoJ7aYC6yIYuWdHQljAi
+zltNFrsLFmWXLy91IWfUzIGnFLWeqOmI50vlM8xU54rD/cZ3qtvr2Qk9HHs0dsyB
+6cGRf0BPJi04aAEqSZqc8HCXAwKBgQDlDP0MW57bHpqQROQDLIgEX9/rzUNo48Z/
+1f27bCkKP+CpizE9eWvGs5rQmUxCNzWULFxIuBbgsubuVP7jO3piY6bRGnvSE6nD
+mW0V1mSypVO22Ci/Q8ekkY2+0ZVp3qLPO/cwtI/Ye8kp4xu41I2XgJE8Mo0hEEyJ
+N1/1vUJbrwKBgBp3gukVPG2An5JwpOCWnm3ZP8FwMOPQr8YJb3cHdWng0gvoKwHT
+HBsYBIxBBMlZgPKucVT0KT7kuHHUnboHazhR9Iig0R+CmjaK4WmMgz8N+K625XF8
+2dvHYbulkmWAMdTrcVO1IcPNtd4HzY8FHGZoPKxxr51zjrQ3dO3EuumLAoGATho2
+sx8OtPLji2wiP77QhoVWqmYspTh9+Bs00NLZz6fmaImQ+cBMcs3NbXHIYg/HUkYq
+FZXIH0iBnCUZYMxoN+J5AHZCYGjaC1tmqfqYDZ54RDHC+y0Wh1QmfDmk9Bu5cmal
+LFN1dUEIYCMT0duQiGeLnnYyT2LqZiOesgGd/fsCgYEA2GbKteq+io6HAEt2/yry
+xZGaRR8Twg0B8XtD9NHCbgizmZiD/mADgyhkgjUsDIkcMzEt+sA4IK9ORgIYqS+/
+q2eY1QRKpoZgJJfE8dU88B35YGqdZuXENR4I7w+JrKCCCk5jSiwylvsBsi1HX8Qu
+EdQBBRiwkRnxQ83hqRI3ymw=
+-----END PRIVATE KEY-----
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index 68fc0366df3..f32c53a76a1 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -29,9 +29,9 @@ SERVERS := server-cn-and-alt-names \
server-ip-cn-and-alt-names \
server-ip-cn-and-dns-alt-names \
server-ip-in-dnsname \
- server-ip-localhost \
server-single-alt-name \
server-multiple-alt-names \
+ server-localhost-alt-names \
server-no-names \
server-revoked
CLIENTS := client client-dn client-revoked client_ext client-long \
--
2.34.1