-- Citus uses ssl by default now. It does so by turning on ssl and if needed will generate
-- self-signed certificates.
-- To test this we will verify that SSL is set to ON for all machines, and we will make
-- sure connections to workers use SSL by having it required in citus.conn_nodeinfo and
-- lastly we will inspect the ssl state for connections to the workers
-- ssl can only be enabled by default on installations of postgres 10 and above that are
-- OpenSSL-enabled.
SHOW server_version \gset
SHOW ssl_ciphers \gset
WITH features AS (
    SELECT
        substring(:'server_version', '\d+')::int >= 10 AS version_ten_or_above,
        :'ssl_ciphers' != 'none' AS hasssl
)
SELECT (
    true
    AND version_ten_or_above
    AND hasssl
) AS ssl_by_default_supported FROM features;
 ssl_by_default_supported 
--------------------------
 t
(1 row)

SHOW ssl;
 ssl 
-----
 on
(1 row)

SELECT run_command_on_workers($$
    SHOW ssl;
$$);
 run_command_on_workers 
------------------------
 (localhost,57637,t,on)
 (localhost,57638,t,on)
(2 rows)

SHOW citus.node_conninfo;
 citus.node_conninfo 
---------------------
 sslmode=require
(1 row)

SELECT run_command_on_workers($$
    SHOW citus.node_conninfo;
$$);
       run_command_on_workers        
-------------------------------------
 (localhost,57637,t,sslmode=require)
 (localhost,57638,t,sslmode=require)
(2 rows)

SELECT run_command_on_workers($$
    SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid();
$$);
 run_command_on_workers 
------------------------
 (localhost,57637,t,t)
 (localhost,57638,t,t)
(2 rows)

SHOW ssl_ciphers;
        ssl_ciphers         
----------------------------
 TLSv1.2+HIGH:!aNULL:!eNULL
(1 row)

SELECT run_command_on_workers($$
    SHOW ssl_ciphers;
$$);
             run_command_on_workers             
------------------------------------------------
 (localhost,57637,t,TLSv1.2+HIGH:!aNULL:!eNULL)
 (localhost,57638,t,TLSv1.2+HIGH:!aNULL:!eNULL)
(2 rows)