diff --git a/.github/h2spec.config b/.github/h2spec.config
index 73a875197..4bd42eb6d 100644
--- a/.github/h2spec.config
+++ b/.github/h2spec.config
@@ -19,7 +19,7 @@ defaults
 frontend h2
 mode http
- bind 127.0.0.1:8443 ssl crt reg-tests/ssl/common.pem alpn h2,http/1.1
+ bind 127.0.0.1:8443 ssl crt reg-tests/ssl/certs/common.pem alpn h2,http/1.1
 default_backend h2b
 backend h2b
diff --git a/reg-tests/checks/certs b/reg-tests/checks/certs
new file mode 120000
index 000000000..836191727
--- /dev/null
+++ b/reg-tests/checks/certs
@@ -0,0 +1 @@
+../ssl/certs/
\ No newline at end of file
diff --git a/reg-tests/checks/common.pem b/reg-tests/checks/common.pem
deleted file mode 120000
index a4433d562..000000000
--- a/reg-tests/checks/common.pem
+++ /dev/null
@@ -1 +0,0 @@
-../ssl/common.pem
\ No newline at end of file
diff --git a/reg-tests/checks/ssl-hello-check.vtc b/reg-tests/checks/ssl-hello-check.vtc
index 1bb16a2a8..b3d74e345 100644
--- a/reg-tests/checks/ssl-hello-check.vtc
+++ b/reg-tests/checks/ssl-hello-check.vtc
@@ -39,7 +39,7 @@ haproxy htst -conf {
 timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
 frontend fe1
- bind "fd@${fe1}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
 frontend fe2
 bind "fd@${fe2}"
diff --git a/reg-tests/checks/tcp-check-client-hello.vtc b/reg-tests/checks/tcp-check-client-hello.vtc
index 9ca9abd98..85dd38991 100644
--- a/reg-tests/checks/tcp-check-client-hello.vtc
+++ b/reg-tests/checks/tcp-check-client-hello.vtc
@@ -45,10 +45,10 @@ haproxy htst -conf {
 server fe1 ${htst_fe1_addr}:${htst_fe1_port}
 frontend fe1
- bind "fd@${fe1}" ssl crt ${testdir}/common.pem curves P-256:P-384
+ bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem curves P-256:P-384
 frontend fe3
- bind "fd@${fe3}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe3}" ssl crt ${testdir}/certs/common.pem
 } -start
 haproxy h1 -conf {
diff --git a/reg-tests/checks/tcp-check-ssl.vtc b/reg-tests/checks/tcp-check-ssl.vtc
index 540637ed2..c0e33aaa5 100644
--- a/reg-tests/checks/tcp-check-ssl.vtc
+++ b/reg-tests/checks/tcp-check-ssl.vtc
@@ -62,7 +62,7 @@ haproxy htst -conf {
 server fe1 ${htst_fe1_addr}:${htst_fe1_port}
 frontend fe1
- bind "fd@${fe1}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
 } -start
diff --git a/reg-tests/checks/tls_health_checks.vtc b/reg-tests/checks/tls_health_checks.vtc
index 6155b04ec..324218e37 100644
--- a/reg-tests/checks/tls_health_checks.vtc
+++ b/reg-tests/checks/tls_health_checks.vtc
@@ -60,15 +60,15 @@ haproxy h1 -conf {
 frontend fe1
 option httplog
 log ${S1_addr}:${S1_port} len 2048 local0 debug err
- bind "fd@${fe1}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
 use_backend be1
 frontend fe2
- bind "fd@${fe2}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe2}" ssl crt ${testdir}/certs/common.pem
 use_backend be2
 frontend fe3
- bind "fd@${fe3}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe3}" ssl crt ${testdir}/certs/common.pem
 use_backend be3
 } -start
@@ -108,19 +108,19 @@ haproxy h2 -conf {
 option httpchk OPTIONS * HTTP/1.1
 http-check send hdr Host www
 log ${S2_addr}:${S2_port} daemon
- server srv1 ${h1_fe1_addr}:${h1_fe1_port} ssl crt ${testdir}/common.pem verify none check
+ server srv1 ${h1_fe1_addr}:${h1_fe1_port} ssl crt ${testdir}/certs/common.pem verify none check
 backend be4
 option log-health-checks
 log ${S4_addr}:${S4_port} daemon
- server srv2 ${h1_fe2_addr}:${h1_fe2_port} ssl crt ${testdir}/common.pem verify none check-ssl check
+ server srv2 ${h1_fe2_addr}:${h1_fe2_port} ssl crt ${testdir}/certs/common.pem verify none check-ssl check
 backend be6
 option log-health-checks
 option httpchk OPTIONS * HTTP/1.1
 http-check send hdr Host www
 log ${S6_addr}:${S6_port} daemon
- server srv3 127.0.0.1:80 crt ${testdir}/common.pem verify none check check-ssl port ${h1_fe3_port} addr ${h1_fe3_addr}:80
+ server srv3 127.0.0.1:80 crt ${testdir}/certs/common.pem verify none check check-ssl port ${h1_fe3_port} addr ${h1_fe3_addr}:80
 } -start
 syslog S1 -wait
diff --git a/reg-tests/compression/certs b/reg-tests/compression/certs
new file mode 120000
index 000000000..836191727
--- /dev/null
+++ b/reg-tests/compression/certs
@@ -0,0 +1 @@
+../ssl/certs/
\ No newline at end of file
diff --git a/reg-tests/compression/common.pem b/reg-tests/compression/common.pem
deleted file mode 120000
index a4433d562..000000000
--- a/reg-tests/compression/common.pem
+++ /dev/null
@@ -1 +0,0 @@
-../ssl/common.pem
\ No newline at end of file
diff --git a/reg-tests/compression/lua_validation.vtc b/reg-tests/compression/lua_validation.vtc
index 11bae8377..ff2840eeb 100644
--- a/reg-tests/compression/lua_validation.vtc
+++ b/reg-tests/compression/lua_validation.vtc
@@ -22,7 +22,7 @@ defaults
 mode http
 frontend main-https
- bind "fd@${fe1}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
 compression algo gzip
 compression type text/html text/plain application/json application/javascript
 compression offload
diff --git a/reg-tests/connection/ca-auth.crt b/reg-tests/connection/ca-auth.crt
deleted file mode 120000
index 815a970f5..000000000
--- a/reg-tests/connection/ca-auth.crt
+++ /dev/null
@@ -1 +0,0 @@
-../ssl/ca-auth.crt
\ No newline at end of file
diff --git a/reg-tests/connection/certs b/reg-tests/connection/certs
new file mode 120000
index 000000000..836191727
--- /dev/null
+++ b/reg-tests/connection/certs
@@ -0,0 +1 @@
+../ssl/certs/
\ No newline at end of file
diff --git a/reg-tests/connection/client1.pem b/reg-tests/connection/client1.pem
deleted file mode 120000
index c4d14f042..000000000
--- a/reg-tests/connection/client1.pem
+++ /dev/null
@@ -1 +0,0 @@
-../ssl/client1.pem
\ No newline at end of file
diff --git a/reg-tests/connection/common.pem b/reg-tests/connection/common.pem
deleted file mode 120000
index a4433d562..000000000
--- a/reg-tests/connection/common.pem
+++ /dev/null
@@ -1 +0,0 @@
-../ssl/common.pem
\ No newline at end of file
diff --git a/reg-tests/connection/http_reuse_conn_hash.vtc b/reg-tests/connection/http_reuse_conn_hash.vtc
index 37fc0513f..d67d3c568 100644
--- a/reg-tests/connection/http_reuse_conn_hash.vtc
+++ b/reg-tests/connection/http_reuse_conn_hash.vtc
@@ -47,7 +47,7 @@ haproxy h1 -conf {
 listen receiver
 bind "fd@${feR}"
- bind "fd@${feR_ssl}" ssl crt ${testdir}/common.pem
+ bind "fd@${feR_ssl}" ssl crt ${testdir}/certs/common.pem
 bind "fd@${feR_proxy}" accept-proxy
 http-request return status 200
 http-after-response set-header http_first_request %[http_first_req]
diff --git a/reg-tests/connection/proxy_protocol_send_unique_id_alpn.vtc b/reg-tests/connection/proxy_protocol_send_unique_id_alpn.vtc
index ab650948a..fa2f7d454 100644
--- a/reg-tests/connection/proxy_protocol_send_unique_id_alpn.vtc
+++ b/reg-tests/connection/proxy_protocol_send_unique_id_alpn.vtc
@@ -24,7 +24,7 @@ haproxy h1 -conf {
 server example ${h1_feR_addr}:${h1_feR_port} send-proxy-v2 proxy-v2-options unique-id ssl alpn XXX verify none
 listen receiver
- bind "fd@${feR}" ssl crt ${testdir}/common.pem accept-proxy
+ bind "fd@${feR}" ssl crt ${testdir}/certs/common.pem accept-proxy
 http-request set-var(txn.proxy_unique_id) fc_pp_unique_id
 http-after-response set-header proxy_unique_id %[var(txn.proxy_unique_id)]
diff --git a/reg-tests/connection/reverse_server_name.vtc b/reg-tests/connection/reverse_server_name.vtc
index a37307a22..f13418438 100644
--- a/reg-tests/connection/reverse_server_name.vtc
+++ b/reg-tests/connection/reverse_server_name.vtc
@@ -29,7 +29,7 @@ backend be-reverse
 server dev rhttp@ ssl sni hdr(x-name) verify none
 frontend priv
- bind "fd@${priv}" ssl crt ${testdir}/common.pem verify required ca-verify-file ${testdir}/ca-auth.crt alpn h2
+ bind "fd@${priv}" ssl crt ${testdir}/certs/common.pem verify required ca-verify-file ${testdir}/certs/ca-auth.crt alpn h2
 tcp-request session attach-srv be-reverse/dev name ssl_c_s_dn(CN)
 } -start
@@ -45,7 +45,7 @@ defaults
 listen li
 bind "fd@${li}"
- server h_edge "${h_edge_priv_addr}:${h_edge_priv_port}" ssl crt ${testdir}/client1.pem verify none alpn h2
+ server h_edge "${h_edge_priv_addr}:${h_edge_priv_port}" ssl crt ${testdir}/certs/client1.pem verify none alpn h2
 } -start
 # Run a client through private endpoint
diff --git a/reg-tests/http-messaging/certs b/reg-tests/http-messaging/certs
new file mode 120000
index 000000000..836191727
--- /dev/null
+++ b/reg-tests/http-messaging/certs
@@ -0,0 +1 @@
+../ssl/certs/
\ No newline at end of file
diff --git a/reg-tests/http-messaging/common.pem b/reg-tests/http-messaging/common.pem
deleted file mode 120000
index a4433d562..000000000
--- a/reg-tests/http-messaging/common.pem
+++ /dev/null
@@ -1 +0,0 @@
-../ssl/common.pem
\ No newline at end of file
diff --git a/reg-tests/http-messaging/srv_ws.vtc b/reg-tests/http-messaging/srv_ws.vtc
index 5f1de0aea..40c4115fc 100644
--- a/reg-tests/http-messaging/srv_ws.vtc
+++ b/reg-tests/http-messaging/srv_ws.vtc
@@ -22,7 +22,7 @@ haproxy hapsrv -conf {
 frontend fe
 bind "fd@${fe}"
- bind "fd@${fessl}" ssl crt ${testdir}/common.pem alpn h2,http/1.1
+ bind "fd@${fessl}" ssl crt ${testdir}/certs/common.pem alpn h2,http/1.1
 capture request header sec-websocket-key len 128
 http-request set-var(txn.ver) req.ver
 use_backend be
diff --git a/reg-tests/lua/certs b/reg-tests/lua/certs
new file mode 120000
index 000000000..836191727
--- /dev/null
+++ b/reg-tests/lua/certs
@@ -0,0 +1 @@
+../ssl/certs/
\ No newline at end of file
diff --git a/reg-tests/lua/common.pem b/reg-tests/lua/common.pem
deleted file mode 120000
index a4433d562..000000000
--- a/reg-tests/lua/common.pem
+++ /dev/null
@@ -1 +0,0 @@
-../ssl/common.pem
\ No newline at end of file
diff --git a/reg-tests/lua/txn_get_priv-thread.vtc b/reg-tests/lua/txn_get_priv-thread.vtc
index c58f93a55..6d7e67ba7 100644
--- a/reg-tests/lua/txn_get_priv-thread.vtc
+++ b/reg-tests/lua/txn_get_priv-thread.vtc
@@ -32,7 +32,7 @@ haproxy h1 -conf {
 frontend fe2
 mode http
- bind ":8443" ssl crt ${testdir}/common.pem
+ bind ":8443" ssl crt ${testdir}/certs/common.pem
 stats enable
 stats uri /
diff --git a/reg-tests/lua/txn_get_priv.vtc b/reg-tests/lua/txn_get_priv.vtc
index 24ac96252..076ecb4a6 100644
--- a/reg-tests/lua/txn_get_priv.vtc
+++ b/reg-tests/lua/txn_get_priv.vtc
@@ -26,7 +26,7 @@ haproxy h1 -conf {
 frontend fe2
 mode http
- bind ":8443" ssl crt ${testdir}/common.pem
+ bind ":8443" ssl crt ${testdir}/certs/common.pem
 stats enable
 stats uri /
diff --git a/reg-tests/peers/certs b/reg-tests/peers/certs
new file mode 120000
index 000000000..9b744ba4f
--- /dev/null
+++ b/reg-tests/peers/certs
@@ -0,0 +1 @@
+../ssl/certs
\ No newline at end of file
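Review bot: The rewritten `bind ":8443" ssl crt ${testdir}/certs/common.pem` in txn_get_priv-thread.vtc keeps a fixed TCP port, whereas every other listener touched by this commit takes a vtest-allocated socket via `"fd@${...}"`; the same line is rewritten in txn_get_priv.vtc further down this hunk group. The fixed port predates this commit, but since the line is being edited anyway, `bind "fd@${fe2}" ssl crt ${testdir}/certs/common.pem` would remove the collision risk when several reg-tests run concurrently. I cannot see from the hunk whether a later client block connects to the literal port, so confirm that before changing it.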
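Review bot: The new `reg-tests/peers/certs` link points at `../ssl/certs` while the links added for checks, compression, connection, http-messaging, lua and server all point at `../ssl/certs/`, and `reg-tests/quic/certs` (two hunk groups below) repeats the variant without the trailing slash; the two distinct blob ids, `9b744ba4f` and `836191727`, show the difference. Both spellings resolve to the same directory, so this is a consistency point rather than a defect, but one spelling keeps all symlinks byte-identical and greppable. Suggest `../ssl/certs/` for peers and quic as well.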
diff --git a/reg-tests/peers/common.pem b/reg-tests/peers/common.pem
deleted file mode 120000
index a4433d562..000000000
--- a/reg-tests/peers/common.pem
+++ /dev/null
@@ -1 +0,0 @@
-../ssl/common.pem
\ No newline at end of file
diff --git a/reg-tests/peers/tls_basic_sync.vtc b/reg-tests/peers/tls_basic_sync.vtc
index 1618ef6db..4d81a73e4 100644
--- a/reg-tests/peers/tls_basic_sync.vtc
+++ b/reg-tests/peers/tls_basic_sync.vtc
@@ -19,8 +19,8 @@ haproxy h1 -arg "-L A" -conf {
 stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers
 peers peers
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${A}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${A}" ssl crt ${testdir}/certs/common.pem
 server A
 server B ${h2_B_addr}:${h2_B_port}
 server C ${h3_C_addr}:${h3_C_port}
@@ -49,8 +49,8 @@ haproxy h2 -arg "-L B" -conf {
 stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers
 peers peers
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${B}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${B}" ssl crt ${testdir}/certs/common.pem
 server A ${h1_A_addr}:${h1_A_port}
 server B
 server C ${h3_C_addr}:${h3_C_port}
@@ -78,8 +78,8 @@ haproxy h3 -arg "-L C" -conf {
 stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers
 peers peers
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${C}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${C}" ssl crt ${testdir}/certs/common.pem
 server A ${h1_A_addr}:${h1_A_port}
 server B ${h2_B_addr}:${h2_B_port}
 server C
diff --git a/reg-tests/peers/tls_basic_sync_wo_stkt_backend.vtc b/reg-tests/peers/tls_basic_sync_wo_stkt_backend.vtc
index 2b5bcacbe..4a6358e26 100644
--- a/reg-tests/peers/tls_basic_sync_wo_stkt_backend.vtc
+++ b/reg-tests/peers/tls_basic_sync_wo_stkt_backend.vtc
@@ -17,8 +17,8 @@ haproxy h1 -arg "-L A" -conf {
 peers peers
 table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000)
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${A}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${A}" ssl crt ${testdir}/certs/common.pem
 server A
 server B ${h2_B_addr}:${h2_B_port}
 server C ${h3_C_addr}:${h3_C_port}
@@ -45,8 +45,8 @@ haproxy h2 -arg "-L B" -conf {
 peers peers
 table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000)
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${B}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${B}" ssl crt ${testdir}/certs/common.pem
 server A ${h1_A_addr}:${h1_A_port}
 server B
 server C ${h3_C_addr}:${h3_C_port}
@@ -72,8 +72,8 @@ haproxy h3 -arg "-L C" -conf {
 peers peers
 table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000)
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${C}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${C}" ssl crt ${testdir}/certs/common.pem
 server A ${h1_A_addr}:${h1_A_port}
 server B ${h2_B_addr}:${h2_B_port}
 server C
diff --git a/reg-tests/quic/certs b/reg-tests/quic/certs
new file mode 120000
index 000000000..9b744ba4f
--- /dev/null
+++ b/reg-tests/quic/certs
@@ -0,0 +1 @@
+../ssl/certs
\ No newline at end of file
diff --git a/reg-tests/quic/common.pem b/reg-tests/quic/common.pem
deleted file mode 120000
index a4433d562..000000000
--- a/reg-tests/quic/common.pem
+++ /dev/null
@@ -1 +0,0 @@
-../ssl/common.pem
\ No newline at end of file
diff --git a/reg-tests/quic/retry.vtc b/reg-tests/quic/retry.vtc
index 15d2d554f..89a3b08de 100644
--- a/reg-tests/quic/retry.vtc
+++ b/reg-tests/quic/retry.vtc
@@ -28,11 +28,11 @@ haproxy ha2 -conf {
 timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
 listen quic_lstnr
- bind "quic+fd@${fe_quic}" ssl crt ${testdir}/common.pem
+ bind "quic+fd@${fe_quic}" ssl crt ${testdir}/certs/common.pem
 server srv ${s1_addr}:${s1_port}
 listen quic_lstnr_retry
- bind "quic+fd@${fe_quic_retry}" ssl crt ${testdir}/common.pem quic-force-retry
+ bind "quic+fd@${fe_quic_retry}" ssl crt ${testdir}/certs/common.pem quic-force-retry
 server srv ${s1_addr}:${s1_port}
 } -start
diff --git a/reg-tests/server/certs b/reg-tests/server/certs
new file mode 120000
index 000000000..836191727
--- /dev/null
+++ b/reg-tests/server/certs
@@ -0,0 +1 @@
+../ssl/certs/
\ No newline at end of file
diff --git a/reg-tests/server/cli_add_ssl_server.vtc b/reg-tests/server/cli_add_ssl_server.vtc
index bfff7af7d..a8afd301e 100644
--- a/reg-tests/server/cli_add_ssl_server.vtc
+++ b/reg-tests/server/cli_add_ssl_server.vtc
@@ -47,7 +47,7 @@ haproxy h1 -conf {
 # frontend used to respond to ssl connection
 frontend fe-ssl-term
- bind "fd@${feSslTerm}" ssl crt ${testdir}/common.pem
+ bind "fd@${feSslTerm}" ssl crt ${testdir}/certs/common.pem
 http-request return status 200
 } -start
@@ -63,7 +63,7 @@ client c1 -connect ${h1_feSsl_sock} {
 shell {
 echo "new ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" -
- printf "set ssl ca-file common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file common.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
 echo "commit ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" -
 } -run
diff --git a/reg-tests/server/common.pem b/reg-tests/server/common.pem
deleted file mode 120000
index a4433d562..000000000
--- a/reg-tests/server/common.pem
+++ /dev/null
@@ -1 +0,0 @@
-../ssl/common.pem
\ No newline at end of file
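Review bot: In the second hunk of cli_add_ssl_server.vtc only the `$(cat …)` path moves to `${testdir}/certs/common.pem`, while `new ssl ca-file common.pem`, `set ssl ca-file common.pem` and `commit ssl ca-file common.pem` keep the bare name; as I read it that is deliberate, because the CLI argument names the CA entry inside the running process rather than a filesystem path, but a reader diffing the two lines may conclude a path was missed. A one-line comment above the `shell {` block would settle it, e.g. `# "common.pem" is the ca-file name known to the running process; its content is fed from ${testdir}/certs/common.pem`. The `shell {` block begins and ends inside the hunk.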
diff --git a/reg-tests/ssl/add_ssl_crt-list.vtc b/reg-tests/ssl/add_ssl_crt-list.vtc
index 5dd2d9506..e5eaaaacc 100644
--- a/reg-tests/ssl/add_ssl_crt-list.vtc
+++ b/reg-tests/ssl/add_ssl_crt-list.vtc
@@ -30,7 +30,7 @@ haproxy h1 -conf {
 tune.ssl.default-dh-param 2048
 .endif
 tune.ssl.capture-buffer-size 1
- crt-base ${testdir}
+ crt-base ${testdir}/certs
 stats socket "${tmpdir}/h1/stats" level admin
 defaults
@@ -52,15 +52,15 @@ haproxy h1 -conf {
 listen ssl-lst
 mode http
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list "${testdir}/certs/localhost.crt-list"
 server s1 ${s1_addr}:${s1_port}
- server s2 ${s1_addr}:${s1_port} ssl crt "${testdir}/common.pem" weight 0 verify none
+ server s2 ${s1_addr}:${s1_port} ssl crt "${testdir}/certs/common.pem" weight 0 verify none
 } -start
 haproxy h1 -cli {
- send "show ssl cert ${testdir}/common.pem"
+ send "show ssl cert ${testdir}/certs/common.pem"
 expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
 }
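Review bot: `crt-base ${testdir}/certs` now also decides where any relative names inside `localhost.crt-list` are resolved, and that file is moved with 100% similarity further down, so its entries were not edited; a comment above the directive, e.g. `# also resolves the relative entries of certs/localhost.crt-list`, would tell a reader why the crt-list itself did not need changing (assuming it does hold relative names, which I cannot see from here). Separately, the new `crt-list "${testdir}/certs/localhost.crt-list"` is quoted while `crt ${testdir}/certs/common.pem` stays bare on every other bind line in this commit; both forms work, but one convention would be tidier. The other reg-tests/ssl/*.vtc scripts that reference fixtures as `${testdir}/<name>` need the same path update; they may be in a part of the diff not shown here.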
@@ -71,26 +71,26 @@ client c1 -connect ${h1_clearlst_sock} {
 } -run
 shell {
- echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/common.pem [ssl-min-ver SSLv3 verify none allow-0rtt] !*\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list/// <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list///// <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list// ${testdir}/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" -
+ echo "new ssl cert ${testdir}/certs/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/ecdsa.pem <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/common.pem [ssl-min-ver SSLv3 verify none allow-0rtt] !*\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/ecdsa.pem [verify none
allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/// <<\n${testdir}/certs/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list///// <<\n${testdir}/certs/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list// ${testdir}/certs/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" -
 }
 haproxy h1 -cli {
- send "show ssl cert ${testdir}/ecdsa.pem"
+ send "show ssl cert ${testdir}/certs/ecdsa.pem"
 expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
 }
 haproxy h1 -cli {
- send "show ssl crt-list ${testdir}/localhost.crt-list//"
+ send "show ssl crt-list ${testdir}/certs/localhost.crt-list//"
 # check the options and the filters in any order
- expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*"
+ expect ~ ".*${testdir}/certs/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*"
 }
 client c1 -connect ${h1_clearlst_sock} {
@@ -103,17 +103,17 @@ client c1 -connect ${h1_clearlst_sock} {
 # Try to add a new line that mentions an "unknown" CA file (not loaded yet).
 # It should fail since no disk access are allowed during runtime.
 shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ca-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ca-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
 }
 shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ca-verify-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ca-verify-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
 }
 shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [crl-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [crl-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
 }
 # Check that the new line was not added to the crt-list.
 haproxy h1 -cli {
- send "show ssl crt-list ${testdir}/localhost.crt-list//"
- expect !~ ".*ca-file ${testdir}/ca-auth.crt"
+ send "show ssl crt-list ${testdir}/certs/localhost.crt-list//"
+ expect !~ ".*ca-file ${testdir}/certs/ca-auth.crt"
 }
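Review bot: The closing `expect !~ ".*ca-file ${testdir}/certs/ca-auth.crt"` only proves that the `ca-file` attempt was kept out of the crt-list; the `ca-verify-file` and `crl-file` attempts in the two preceding `shell {}` blocks are not covered by it, since `ca-verify-file …` does not contain the substring `ca-file …`. Each block's `grep` does fail the script when the error text is absent, so this is a gap in the post-condition rather than a hole in the test. Matching on the fixture path instead, `expect !~ ".*${testdir}/certs/ca-auth.crt"`, would assert that none of the three rejected lines reached the list.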
diff --git a/reg-tests/ssl/bug-2265.crt b/reg-tests/ssl/certs/bug-2265.crt
similarity index 100%
rename from reg-tests/ssl/bug-2265.crt
rename to reg-tests/ssl/certs/bug-2265.crt
diff --git a/reg-tests/ssl/ca-auth.crt b/reg-tests/ssl/certs/ca-auth.crt
similarity index 100%
rename from reg-tests/ssl/ca-auth.crt
rename to reg-tests/ssl/certs/ca-auth.crt
diff --git a/reg-tests/ssl/cert1-example.com.pem.ecdsa b/reg-tests/ssl/certs/cert1-example.com.pem.ecdsa
similarity index 100%
rename from reg-tests/ssl/cert1-example.com.pem.ecdsa
rename to reg-tests/ssl/certs/cert1-example.com.pem.ecdsa
diff --git a/reg-tests/ssl/cert1-example.com.pem.rsa b/reg-tests/ssl/certs/cert1-example.com.pem.rsa
similarity index 100%
rename from reg-tests/ssl/cert1-example.com.pem.rsa
rename to reg-tests/ssl/certs/cert1-example.com.pem.rsa
diff --git a/reg-tests/ssl/cert2-example.com.pem.ecdsa b/reg-tests/ssl/certs/cert2-example.com.pem.ecdsa
similarity index 100%
rename from reg-tests/ssl/cert2-example.com.pem.ecdsa
rename to reg-tests/ssl/certs/cert2-example.com.pem.ecdsa
diff --git a/reg-tests/ssl/cert2-example.com.pem.rsa b/reg-tests/ssl/certs/cert2-example.com.pem.rsa
similarity index 100%
rename from reg-tests/ssl/cert2-example.com.pem.rsa
rename to reg-tests/ssl/certs/cert2-example.com.pem.rsa
diff --git a/reg-tests/ssl/client.ecdsa.pem b/reg-tests/ssl/certs/client.ecdsa.pem
similarity index 100%
rename from reg-tests/ssl/client.ecdsa.pem
rename to reg-tests/ssl/certs/client.ecdsa.pem
diff --git a/reg-tests/ssl/client1.pem b/reg-tests/ssl/certs/client1.pem
similarity index 100%
rename from reg-tests/ssl/client1.pem
rename to reg-tests/ssl/certs/client1.pem
diff --git a/reg-tests/ssl/client2_expired.pem b/reg-tests/ssl/certs/client2_expired.pem
similarity index 100%
rename from reg-tests/ssl/client2_expired.pem
rename to reg-tests/ssl/certs/client2_expired.pem
diff --git a/reg-tests/ssl/client3_revoked.pem b/reg-tests/ssl/certs/client3_revoked.pem
similarity index 100%
rename from reg-tests/ssl/client3_revoked.pem
rename to reg-tests/ssl/certs/client3_revoked.pem
diff --git a/reg-tests/ssl/common.4096.dh b/reg-tests/ssl/certs/common.4096.dh
similarity index 100%
rename from reg-tests/ssl/common.4096.dh
rename to reg-tests/ssl/certs/common.4096.dh
diff --git a/reg-tests/ssl/common.crt b/reg-tests/ssl/certs/common.crt
similarity index 100%
rename from reg-tests/ssl/common.crt
rename to reg-tests/ssl/certs/common.crt
diff --git a/reg-tests/ssl/common.key b/reg-tests/ssl/certs/common.key
similarity index 100%
rename from reg-tests/ssl/common.key
rename to reg-tests/ssl/certs/common.key
diff --git a/reg-tests/ssl/common.pem b/reg-tests/ssl/certs/common.pem
similarity index 100%
rename from reg-tests/ssl/common.pem
rename to reg-tests/ssl/certs/common.pem
diff --git a/reg-tests/ssl/crl-auth.pem b/reg-tests/ssl/certs/crl-auth.pem
similarity index 100%
rename from reg-tests/ssl/crl-auth.pem
rename to reg-tests/ssl/certs/crl-auth.pem
diff --git a/reg-tests/ssl/ecdsa.crt b/reg-tests/ssl/certs/ecdsa.crt
similarity index 100%
rename from reg-tests/ssl/ecdsa.crt
rename to reg-tests/ssl/certs/ecdsa.crt
diff --git a/reg-tests/ssl/ecdsa.key b/reg-tests/ssl/certs/ecdsa.key
similarity index 100%
rename from reg-tests/ssl/ecdsa.key
rename to reg-tests/ssl/certs/ecdsa.key
diff --git a/reg-tests/ssl/ecdsa.pem b/reg-tests/ssl/certs/ecdsa.pem
similarity index 100%
rename from reg-tests/ssl/ecdsa.pem
rename to reg-tests/ssl/certs/ecdsa.pem
diff --git a/reg-tests/ssl/filters.crt-list b/reg-tests/ssl/certs/filters.crt-list
similarity index 100%
rename from reg-tests/ssl/filters.crt-list
rename to reg-tests/ssl/certs/filters.crt-list
diff --git a/reg-tests/ssl/generate_certificates/gen_cert_ca.pem b/reg-tests/ssl/certs/generate_certificates/gen_cert_ca.pem
similarity index 100%
rename from reg-tests/ssl/generate_certificates/gen_cert_ca.pem
rename to reg-tests/ssl/certs/generate_certificates/gen_cert_ca.pem
diff --git a/reg-tests/ssl/generate_certificates/gen_cert_server.pem b/reg-tests/ssl/certs/generate_certificates/gen_cert_server.pem
similarity index 100%
rename from reg-tests/ssl/generate_certificates/gen_cert_server.pem
rename to reg-tests/ssl/certs/generate_certificates/gen_cert_server.pem
diff --git a/reg-tests/ssl/interCA1_crl.pem b/reg-tests/ssl/certs/interCA1_crl.pem
similarity index 100%
rename from reg-tests/ssl/interCA1_crl.pem
rename to reg-tests/ssl/certs/interCA1_crl.pem
diff --git a/reg-tests/ssl/interCA1_crl_empty.pem b/reg-tests/ssl/certs/interCA1_crl_empty.pem
similarity index 100%
rename from reg-tests/ssl/interCA1_crl_empty.pem
rename to reg-tests/ssl/certs/interCA1_crl_empty.pem
diff --git a/reg-tests/ssl/interCA2_crl.pem b/reg-tests/ssl/certs/interCA2_crl.pem
similarity index 100%
rename from reg-tests/ssl/interCA2_crl.pem
rename to reg-tests/ssl/certs/interCA2_crl.pem
diff --git a/reg-tests/ssl/interCA2_crl_empty.pem b/reg-tests/ssl/certs/interCA2_crl_empty.pem
similarity index 100%
rename from reg-tests/ssl/interCA2_crl_empty.pem
rename to reg-tests/ssl/certs/interCA2_crl_empty.pem
diff --git a/reg-tests/ssl/issuers-chain-path/ca/ca.crt b/reg-tests/ssl/certs/issuers-chain-path/ca/ca.crt
similarity index 100%
rename from reg-tests/ssl/issuers-chain-path/ca/ca.crt
rename to reg-tests/ssl/certs/issuers-chain-path/ca/ca.crt
diff --git a/reg-tests/ssl/issuers-chain-path/server.pem b/reg-tests/ssl/certs/issuers-chain-path/server.pem
similarity index 100%
rename from reg-tests/ssl/issuers-chain-path/server.pem
rename to reg-tests/ssl/certs/issuers-chain-path/server.pem
diff --git a/reg-tests/ssl/localhost.crt-list b/reg-tests/ssl/certs/localhost.crt-list
similarity index 100%
rename from reg-tests/ssl/localhost.crt-list
rename to reg-tests/ssl/certs/localhost.crt-list
diff --git a/reg-tests/ssl/ocsp_update/index.txt b/reg-tests/ssl/certs/ocsp_update/index.txt
similarity index 100%
rename from reg-tests/ssl/ocsp_update/index.txt
rename to reg-tests/ssl/certs/ocsp_update/index.txt
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa.issuer b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa.issuer
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa.issuer
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa.issuer
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa.ocsp b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa.ocsp
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa.ocsp
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa.ocsp
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa.issuer b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa.issuer
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp_ecdsa.pem b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp_ecdsa.pem
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp_ecdsa.pem.ocsp b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem.ocsp
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp_ecdsa.pem.ocsp
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem.ocsp
diff --git a/reg-tests/ssl/ocsp_update/multicert_both_certs.crt-list b/reg-tests/ssl/certs/ocsp_update/multicert_both_certs.crt-list
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_both_certs.crt-list
rename to reg-tests/ssl/certs/ocsp_update/multicert_both_certs.crt-list
diff --git a/reg-tests/ssl/ocsp_update/multicert_ecdsa.crt-list b/reg-tests/ssl/certs/ocsp_update/multicert_ecdsa.crt-list
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_ecdsa.crt-list
rename to reg-tests/ssl/certs/ocsp_update/multicert_ecdsa.crt-list
diff --git a/reg-tests/ssl/ocsp_update/multicert_ecdsa_no_update.crt-list b/reg-tests/ssl/certs/ocsp_update/multicert_ecdsa_no_update.crt-list
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_ecdsa_no_update.crt-list
rename to reg-tests/ssl/certs/ocsp_update/multicert_ecdsa_no_update.crt-list
diff --git a/reg-tests/ssl/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem b/reg-tests/ssl/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem
rename to reg-tests/ssl/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem
diff --git a/reg-tests/ssl/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem b/reg-tests/ssl/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem
rename to reg-tests/ssl/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem
diff --git a/reg-tests/ssl/ocsp_update/multicert_rsa.crt-list b/reg-tests/ssl/certs/ocsp_update/multicert_rsa.crt-list
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_rsa.crt-list
rename to reg-tests/ssl/certs/ocsp_update/multicert_rsa.crt-list
diff --git a/reg-tests/ssl/ocsp_update/ocsp.haproxy.com.pem b/reg-tests/ssl/certs/ocsp_update/ocsp.haproxy.com.pem
similarity index 100%
rename from reg-tests/ssl/ocsp_update/ocsp.haproxy.com.pem
rename to reg-tests/ssl/certs/ocsp_update/ocsp.haproxy.com.pem
diff --git a/reg-tests/ssl/ocsp_update/ocsp_update_rootca.crt b/reg-tests/ssl/certs/ocsp_update/ocsp_update_rootca.crt
similarity index 100%
rename from reg-tests/ssl/ocsp_update/ocsp_update_rootca.crt
rename to reg-tests/ssl/certs/ocsp_update/ocsp_update_rootca.crt
diff --git a/reg-tests/ssl/rootCA_crl.pem b/reg-tests/ssl/certs/rootCA_crl.pem
similarity index 100%
rename from reg-tests/ssl/rootCA_crl.pem
rename to reg-tests/ssl/certs/rootCA_crl.pem
diff --git a/reg-tests/ssl/set_cafile_client.pem b/reg-tests/ssl/certs/set_cafile_client.pem
similarity index 100%
rename from reg-tests/ssl/set_cafile_client.pem
rename to reg-tests/ssl/certs/set_cafile_client.pem
diff --git a/reg-tests/ssl/set_cafile_interCA1.crt b/reg-tests/ssl/certs/set_cafile_interCA1.crt
similarity index 100%
rename from reg-tests/ssl/set_cafile_interCA1.crt
rename to reg-tests/ssl/certs/set_cafile_interCA1.crt
diff --git a/reg-tests/ssl/set_cafile_interCA2.crt b/reg-tests/ssl/certs/set_cafile_interCA2.crt
similarity index 100%
rename from reg-tests/ssl/set_cafile_interCA2.crt
rename to reg-tests/ssl/certs/set_cafile_interCA2.crt
diff --git a/reg-tests/ssl/set_cafile_rootCA.crt b/reg-tests/ssl/certs/set_cafile_rootCA.crt
similarity index 100%
rename from reg-tests/ssl/set_cafile_rootCA.crt
rename to reg-tests/ssl/certs/set_cafile_rootCA.crt
diff --git a/reg-tests/ssl/set_cafile_server.pem b/reg-tests/ssl/certs/set_cafile_server.pem
similarity index 100%
rename from reg-tests/ssl/set_cafile_server.pem
rename to reg-tests/ssl/certs/set_cafile_server.pem
diff --git a/reg-tests/ssl/set_default_cert.crt-list b/reg-tests/ssl/certs/set_default_cert.crt-list
similarity index 100%
rename from reg-tests/ssl/set_default_cert.crt-list
rename to reg-tests/ssl/certs/set_default_cert.crt-list
diff --git a/reg-tests/ssl/set_default_cert.pem b/reg-tests/ssl/certs/set_default_cert.pem
similarity index 100%
rename from reg-tests/ssl/set_default_cert.pem
rename to reg-tests/ssl/certs/set_default_cert.pem
diff --git a/reg-tests/ssl/show_ocsp_server.pem b/reg-tests/ssl/certs/show_ocsp_server.pem
similarity index 100%
rename from reg-tests/ssl/show_ocsp_server.pem
rename to reg-tests/ssl/certs/show_ocsp_server.pem
diff --git a/reg-tests/ssl/show_ocsp_server.pem.issuer b/reg-tests/ssl/certs/show_ocsp_server.pem.issuer
similarity index 100%
rename from reg-tests/ssl/show_ocsp_server.pem.issuer
rename to reg-tests/ssl/certs/show_ocsp_server.pem.issuer
diff --git a/reg-tests/ssl/show_ocsp_server.pem.ocsp b/reg-tests/ssl/certs/show_ocsp_server.pem.ocsp
similarity index 100%
rename from reg-tests/ssl/show_ocsp_server.pem.ocsp
rename to reg-tests/ssl/certs/show_ocsp_server.pem.ocsp
diff --git a/reg-tests/ssl/show_ocsp_server.pem.ocsp.revoked b/reg-tests/ssl/certs/show_ocsp_server.pem.ocsp.revoked
similarity index 100%
rename from reg-tests/ssl/show_ocsp_server.pem.ocsp.revoked
rename to reg-tests/ssl/certs/show_ocsp_server.pem.ocsp.revoked
diff --git a/reg-tests/ssl/simple.crt-list b/reg-tests/ssl/certs/simple.crt-list
similarity index 100%
rename from reg-tests/ssl/simple.crt-list
rename to reg-tests/ssl/certs/simple.crt-list
diff --git a/reg-tests/ssl/crt_store.vtc b/reg-tests/ssl/crt_store.vtc
index eecdcc45d..46208073a 100644
--- a/reg-tests/ssl/crt_store.vtc
+++ b/reg-tests/ssl/crt_store.vtc
@@ -17,7 +17,7 @@ haproxy h1 -arg -V -conf-OK {
 .endif crt-store
- load crt "${testdir}/common.crt" key "${testdir}/common.key"
+ load crt "${testdir}/certs/common.crt" key "${testdir}/certs/common.key"
 defaults timeout client 30s
@@ -25,17 +25,17 @@ haproxy h1 -arg -V -conf-OK {
 timeout connect 30s listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.crt strict-sni
+ bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.crt" strict-sni
 } haproxy h2 -arg -V -conf-BAD {} { listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
+ bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.pem" strict-sni
 crt-store
- load crt "${testdir}/common.pem" key "${testdir}/common.key"
+ load crt "${testdir}/certs/common.pem" key "${testdir}/certs/common.key"
 }
diff --git a/reg-tests/ssl/del_ssl_crt-list.vtc b/reg-tests/ssl/del_ssl_crt-list.vtc
index df0a51a21..ba9fbcbf4 100644
--- a/reg-tests/ssl/del_ssl_crt-list.vtc
+++ b/reg-tests/ssl/del_ssl_crt-list.vtc
@@ -28,7 +28,7 @@ haproxy h1 -conf {
 tune.ssl.default-dh-param 2048 .endif tune.ssl.capture-buffer-size 1
- crt-base ${testdir}
+ crt-base ${testdir}/certs
 stats socket "${tmpdir}/h1/stats" level admin ssl-default-bind-options strict-sni
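Review bot: The two new bind lines in crt_store.vtc, `bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.crt" strict-sni` in the h1 block and the `common.pem` one in the h2 `-conf-BAD` block, add double quotes around the certificate path on top of the path move, which no other file in this series does (the new `crt-list ${testdir}/certs/simple.crt-list` in del_ssl_crt-list.vtc, for instance, stays unquoted). Quoting is harmless here since `${testdir}` is expanded by vtest before haproxy sees the config, but mixing the two styles inside one mechanical rename makes the diff harder to audit. Either keep these lines to the path change only, or quote consistently across the series and mention it in the commit message; the `crt-store` `load` lines were already quoted, so no change is needed there.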
@@ -54,12 +54,12 @@ haproxy h1 -conf {
 listen first-ssl-fe # note: strict-sni is enforced from ssl-default-bind-options above mode http
- bind "${tmpdir}/first-ssl.sock" ssl crt-list ${testdir}/simple.crt-list
+ bind "${tmpdir}/first-ssl.sock" ssl crt-list ${testdir}/certs/simple.crt-list
 server s1 ${s1_addr}:${s1_port} listen second-ssl-fe mode http
- bind "${tmpdir}/second-ssl.sock" ssl no-strict-sni crt-list ${testdir}/localhost.crt-list
+ bind "${tmpdir}/second-ssl.sock" ssl no-strict-sni crt-list ${testdir}/certs/localhost.crt-list
 server s1 ${s1_addr}:${s1_port} } -start
@@ -78,12 +78,12 @@ client c1 -connect ${h1_clearlst_sock} {
 } -run haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/simple.crt-list ${testdir}/common.pem:2"
- expect ~ "Entry '${testdir}/common.pem' deleted in crtlist '${testdir}/simple.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:2"
+ expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
 } haproxy h1 -cli {
- send "show ssl crt-list -n ${testdir}/simple.crt-list"
+ send "show ssl crt-list -n ${testdir}/certs/simple.crt-list"
 expect !~ "common.pem:2" }
@@ -98,12 +98,12 @@ client c1 -connect ${h1_clearlst_sock} {
 # We should not be able to delete the crt-list's first line since it is the # default certificate of this bind line and the strict-sni option is not enabled. haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
- expect ~ "Can't delete the entry: certificate '${testdir}/common.pem' cannot be deleted, it is used as default certificate by the following frontends:"
+ send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
+ expect ~ "Can't delete the entry: certificate '${testdir}/certs/common.pem' cannot be deleted, it is used as default certificate by the following frontends:"
 } # We should be able to delete any line of the crt-list since the strict-sni option is enabled. haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/simple.crt-list ${testdir}/common.pem:1"
- expect ~ "Entry '${testdir}/common.pem' deleted in crtlist '${testdir}/simple.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:1"
+ expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
 }
diff --git a/reg-tests/ssl/dynamic_server_ssl.vtc b/reg-tests/ssl/dynamic_server_ssl.vtc
index 2529e9450..23b5605b4 100644
--- a/reg-tests/ssl/dynamic_server_ssl.vtc
+++ b/reg-tests/ssl/dynamic_server_ssl.vtc
@@ -36,20 +36,20 @@ haproxy h1 -conf {
 default_backend test backend test
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
- server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
- server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
+ server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
+ server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
 listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem"
+ bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.pem"
 server s1 ${s1_addr}:${s1_port} } -start haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
 expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" } client c1 -connect ${h1_feS_sock} {
@@ -59,7 +59,7 @@ client c1 -connect ${h1_feS_sock} {
 } -run haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
 expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" }
@@ -83,26 +83,26 @@ haproxy h1 -cli {
 # Replace certificate with an expired one shell {
- printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
 } haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
 expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4" } haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
 expect ~ ".*Status: Unused" } haproxy h1 -cli {
- send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem"
+ send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/certs/client1.pem"
 expect ~ "New server registered." send "enable server test/s1" expect ~ ".*"
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
 expect ~ ".*Status: Used" }
diff --git a/reg-tests/ssl/issuers_chain_path.vtc b/reg-tests/ssl/issuers_chain_path.vtc
index ee63b9a1e..6c7de0a1c 100644
--- a/reg-tests/ssl/issuers_chain_path.vtc
+++ b/reg-tests/ssl/issuers_chain_path.vtc
@@ -14,8 +14,8 @@ haproxy h1 -conf {
 .endif stats socket "${tmpdir}/h1/stats" level admin
- issuers-chain-path "${testdir}/issuers-chain-path/ca/"
- crt-base "${testdir}/issuers-chain-path"
+ issuers-chain-path "${testdir}/certs/issuers-chain-path/ca/"
+ crt-base "${testdir}/certs/issuers-chain-path"
 defaults mode http
@@ -34,9 +34,9 @@ haproxy h1 -conf {
 # We should have two distinct ocsp responses known that were loaded at build time haproxy h1 -cli {
- send "show ssl cert ${testdir}/issuers-chain-path/server.pem"
+ send "show ssl cert ${testdir}/certs/issuers-chain-path/server.pem"
 expect ~ ".*Chain Filename.*"
- send "show ssl cert ${testdir}/issuers-chain-path/server.pem"
+ send "show ssl cert ${testdir}/certs/issuers-chain-path/server.pem"
 expect ~ ".*Chain Subject.*" }
diff --git a/reg-tests/ssl/log_forward_ssl.vtc b/reg-tests/ssl/log_forward_ssl.vtc
index 0d59780de..b8958ace0 100644
--- a/reg-tests/ssl/log_forward_ssl.vtc
+++ b/reg-tests/ssl/log_forward_ssl.vtc
@@ -51,7 +51,7 @@ haproxy h1 -conf {
 log ring@myring local0 # To TCP log log-forward syslog2local
- bind 127.0.0.1:2514 ssl crt ${testdir}/common.pem
+ bind 127.0.0.1:2514 ssl crt ${testdir}/certs/common.pem
 log ${Slg1_addr}:${Slg1_port} local0 # To VTest syslog } -start
diff --git a/reg-tests/ssl/new_del_ssl_cafile.vtc b/reg-tests/ssl/new_del_ssl_cafile.vtc
index f81bf7ee0..edab4744d 100644
--- a/reg-tests/ssl/new_del_ssl_cafile.vtc
+++ b/reg-tests/ssl/new_del_ssl_cafile.vtc
@@ -30,7 +30,7 @@ haproxy h1 -conf {
 .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}
+ crt-base ${testdir}/certs
 defaults mode http
@@ -49,13 +49,13 @@ haproxy h1 -conf {
 default_backend default_be backend default_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(www.test1.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(www.test1.com)
 backend with_ca_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(with-ca.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(with-ca.com)
 listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required crt-ignore-err all
 http-response add-header X-SSL-Client-Verify %[ssl_c_verify] server s1 ${s1_addr}:${s1_port} } -start
@@ -83,7 +83,7 @@ haproxy h1 -cli {
 } shell {
- printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
 echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" - }
@@ -98,12 +98,12 @@ haproxy h1 -cli {
 } shell {
- printf "add ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
 echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" - } shell {
- printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
 echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" - }
@@ -124,14 +124,14 @@ client c1 -connect ${h1_clearlst_sock} {
 # Add a new certificate that will use the new CA file shell {
- echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ echo "new ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/set_cafile_server.pem <<\n$(cat ${testdir}/certs/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
 } # Create a new crt-list line that will use the new CA file shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" | socat "${tmpdir}/h1/stats" -
 } client c1 -connect ${h1_clearlst_sock} {
@@ -144,8 +144,8 @@ client c1 -connect ${h1_clearlst_sock} {
 # Delete the newly added crt-list line and CA file haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
- expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/set_cafile_server.pem"
+ expect ~ "Entry '${testdir}/certs/set_cafile_server.pem' deleted in crtlist '${testdir}/certs/localhost.crt-list'!"
 send "del ssl ca-file new_cafile.crt" expect ~ "CA file 'new_cafile.crt' deleted!"
diff --git a/reg-tests/ssl/new_del_ssl_crlfile.vtc b/reg-tests/ssl/new_del_ssl_crlfile.vtc
index 42bc08810..ce8187102 100644
--- a/reg-tests/ssl/new_del_ssl_crlfile.vtc
+++ b/reg-tests/ssl/new_del_ssl_crlfile.vtc
@@ -30,7 +30,7 @@ haproxy h1 -conf {
 .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}
+ crt-base ${testdir}/certs
 defaults mode http
@@ -49,13 +49,13 @@ haproxy h1 -conf {
 default_backend default_be backend default_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(www.test1.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem sni str(www.test1.com)
 backend with_crl_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(with-crl.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem sni str(with-crl.com)
 listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-file ${testdir}/ca-auth.crt verify required crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list ca-file ${testdir}/certs/ca-auth.crt verify required crt-ignore-err all
 http-response add-header X-SSL-Client-Verify %[ssl_c_verify] server s1 ${s1_addr}:${s1_port} } -start
@@ -83,7 +83,7 @@ haproxy h1 -cli {
 } shell {
- printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/crl-auth.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/certs/crl-auth.pem)\n\n" | socat "${tmpdir}/h1/stats" -
 echo "commit ssl crl-file new_crlfile.crt" | socat "${tmpdir}/h1/stats" - }
@@ -97,14 +97,14 @@ haproxy h1 -cli {
 # Add a new certificate that will use the new CA file shell {
- echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ echo "new ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/set_cafile_server.pem <<\n$(cat ${testdir}/certs/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
 } # Create a new crt-list line that will use the new CA file shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" | socat "${tmpdir}/h1/stats" -
 } client c1 -connect ${h1_clearlst_sock} {
@@ -126,8 +126,8 @@ client c1 -connect ${h1_clearlst_sock} {
 # Delete the newly added crt-list line and CRL file haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
- expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/set_cafile_server.pem"
+ expect ~ "Entry '${testdir}/certs/set_cafile_server.pem' deleted in crtlist '${testdir}/certs/localhost.crt-list'!"
 send "del ssl crl-file new_crlfile.crt" expect ~ "CRL file 'new_crlfile.crt' deleted!"
diff --git a/reg-tests/ssl/ocsp_auto_update.vtc b/reg-tests/ssl/ocsp_auto_update.vtc
index 710149794..4d1f45fb0 100644
--- a/reg-tests/ssl/ocsp_auto_update.vtc
+++ b/reg-tests/ssl/ocsp_auto_update.vtc
@@ -56,7 +56,7 @@ haproxy h1 -conf {
 .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
 defaults mode http
@@ -68,7 +68,7 @@ haproxy h1 -conf {
 timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe
- bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200 } -start
@@ -105,16 +105,16 @@ haproxy h1 -wait
 # calling "show ssl ocsp-response". This is done through the Syslog_ocsp # listener and a dedicated barrier.
-process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+process p2 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
 barrier b2 cond 2 -cyclic syslog Syslog_ocsp -level notice { recv
- expect ~ " ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
+ expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
 recv
- expect ~ " ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
+ expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
 barrier b2 sync } -start
@@ -130,7 +130,7 @@ haproxy h2 -conf {
 .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h2/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
 log ${Syslog_ocsp_addr}:${Syslog_ocsp_port} local0 notice notice defaults
@@ -142,11 +142,11 @@ haproxy h2 -conf {
 timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-fe
- bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200 frontend ssl-ecdsa-fe
- bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200 } -start
@@ -182,13 +182,13 @@ process p2 -wait -expect-exit 0
 # will not enable ocsp-update on its certificate. Only one request should then # be sent.
-process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
+process p3 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
 barrier b3 cond 2 -cyclic syslog Syslog_ocsp3 -level notice { recv
- expect ~ " ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
+ expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
 barrier b3 sync } -start
@@ -203,7 +203,7 @@ haproxy h3 -conf {
 .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h3/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
 log ${Syslog_ocsp3_addr}:${Syslog_ocsp3_port} local0 notice notice defaults
@@ -215,11 +215,11 @@ haproxy h3 -conf {
 timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-fe
- bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200 frontend ssl-ecdsa-fe
- bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200 } -start
@@ -257,16 +257,16 @@ process p3 -wait
 # in haproxy proc variables in order to compare them to their new value after # the update is performed.
-process p4 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+process p4 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
 barrier b4 cond 2 -cyclic syslog Syslog_ocsp4 -level notice { recv
- expect ~ " ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
+ expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
 recv
- expect ~ " ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
+ expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
 barrier b4 sync } -start
@@ -281,7 +281,7 @@ haproxy h4 -conf {
 .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h4/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
 log ${Syslog_ocsp4_addr}:${Syslog_ocsp4_port} local0 notice notice defaults
@@ -293,11 +293,11 @@ haproxy h4 -conf {
 timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-ocsp
- bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200 frontend ssl-ecdsa-ocsp
- bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200 } -start
@@ -330,14 +330,14 @@ shell {
 # the OCSP response actually changed produced_at1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
- echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
+ echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
 # Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer) # Store the current "Produced At" in order to ensure that after the update # the OCSP response actually changed produced_at2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
- echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
+ echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
 echo "experimental-mode on;set var proc.produced_at1 str($produced_at1)" | socat "${tmpdir}/h4/stats" - echo "experimental-mode on;set var proc.produced_at2 str($produced_at2)" | socat "${tmpdir}/h4/stats" -
@@ -376,7 +376,7 @@ process p4 -wait
 # to the "show ssl ocsp-response" command.
-process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+process p5 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
 barrier b5 cond 2 -cyclic
@@ -401,7 +401,7 @@ haproxy h5 -conf {
 .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h5/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
 log ${Syslog_ocsp5_addr}:${Syslog_ocsp5_port} local0 notice notice defaults
@@ -413,11 +413,11 @@ haproxy h5 -conf {
 timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-fe
- bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200 frontend ssl-ecdsa-fe
- bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200 } -start
@@ -467,13 +467,13 @@ process p5 -wait
 # the 'ocsp-update on' option will be taken into account by the OCSP # auto update task #
-process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
+process p6 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
 barrier b6 cond 2 -cyclic syslog Syslog_ocsp6 -level notice { recv
- expect ~ " ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
+ expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
 barrier b6 sync } -start
@@ -489,7 +489,7 @@ haproxy h6 -conf {
 .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h6/stats" level admin
- crt-base ${testdir}
+ crt-base ${testdir}/certs
 log ${Syslog_ocsp6_addr}:${Syslog_ocsp6_port} local0 notice notice defaults
@@ -502,7 +502,7 @@ haproxy h6 -conf {
 timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe
- bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200 } -start
@@ -516,12 +516,12 @@ haproxy h6 -cli {
 # Create a new certificate that has an OCSP uri and add it to the # existing CLI with the 'ocsp-update on' command. shell {
- echo "new ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
- printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" -
- printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" -
- echo "commit ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
+ echo "new ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" -
+ echo "commit ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
- printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" -
+ printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" -
 } barrier b6 sync
@@ -544,18 +544,18 @@ process p6 -wait # Check that the global "tune.ocsp-update.mode" option works and that it # applies to certificates added via the CLI as well. # -process p7 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start +process p7 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start barrier b7 cond 2 -cyclic syslog Syslog_ocsp7 -level notice { recv - expect ~ " ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" barrier b7 sync recv - expect ~ " ${testdir}/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" barrier b7 sync } -start @@ -571,7 +571,7 @@ haproxy h7 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h7/stats" level admin - crt-base ${testdir} + crt-base ${testdir}/certs ocsp-update.mode on log ${Syslog_ocsp7_addr}:${Syslog_ocsp7_port} local0 notice notice 
@@ -585,8 +585,8 @@ haproxy h7 -conf {
 timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
 frontend ssl-fe
- bind "${tmpdir}/ssl_h7.sock" ssl crt ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
- bind "${tmpdir}/ssl_h7_2.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl_h7.sock" ssl crt ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl_h7_2.sock" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200
 } -start
@@ -595,22 +595,22 @@ barrier b7 sync # Create a new certificate that has an OCSP uri and add it to the # existing CLI with the 'ocsp-update on' command. shell { - echo "new ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - - printf "set ssl cert ${testdir}/server_ocsp_rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" - - echo "commit ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - + echo "new ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - + printf "set ssl cert ${testdir}/certs/server_ocsp_rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" - + echo "commit ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - # We should have ocsp-update enabled via the global option - printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" - + printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" - } barrier b7 sync haproxy h7 -cli { send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful" send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful" + expect ~ 
"303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/certs/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful" } haproxy h7 -wait @@ -640,7 +640,7 @@ haproxy h8 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h8/stats" level admin - crt-base ${testdir}/ocsp_update + crt-base ${testdir}/certs/ocsp_update defaults mode http @@ -652,7 +652,7 @@ haproxy h8 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe - bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 listen http_rebound_lst @@ -674,7 +674,7 @@ haproxy h8 -cli { # ocsp response was removed from the auto update list but is still present in the # system haproxy h8 -cli { - send "del ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa" + send "del ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa" expect ~ "Entry.*deleted in crtlist" send "show ssl ocsp-updates" 
@@ -683,14 +683,14 @@ haproxy h8 -cli { send "show ssl ocsp-response" expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" - send "show ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa" + send "show ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa" expect ~ ".* Cert Status: good.*" } # Add the previously removed crt-list line with auto-update enabled and check that # the ocsp response appears in the auto update list shell { - printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list" + printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list" } haproxy h8 -cli { @@ -701,7 +701,7 @@ haproxy h8 -cli { # Check that the auto update option consistency check work even when crt-list # lines are added through the cli shell { - printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'" + printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'" } haproxy h8 -wait 
@@ -717,13 +717,13 @@ haproxy h8 -wait # update enabled can be updated via "update ssl ocsp-response" command. # -process p9 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start +process p9 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start barrier b9 cond 2 -cyclic syslog Syslog_ocsp9 -level notice { recv - expect ~ " ${testdir}/ocsp_update/rsa.pem 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/ocsp_update/rsa.pem 1 \"Update successful\" 0 1" barrier b9 sync } -start @@ -740,7 +740,7 @@ haproxy h9 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h9/stats" level admin - crt-base ${testdir}/ocsp_update + crt-base ${testdir}/certs/ocsp_update log ${Syslog_ocsp9_addr}:${Syslog_ocsp9_port} local0 notice notice defaults @@ -753,7 +753,7 @@ haproxy h9 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe - bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 } -start 
@@ -765,19 +765,19 @@ haproxy h9 -cli { # Create a new certificate and add it in the crt-list with ocsp auto-update enabled shell { - echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - - printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" - - printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" - - printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(openssl base64 < ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" - - echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - + echo "new ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.ocsp <<\n$(openssl base64 < ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" - + echo "commit ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - - printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" - + printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" - } # Check that the line is in the crt-list haproxy h9 -cli { - send "show ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list" - expect ~ 
"${testdir}/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar" + send "show ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list" + expect ~ "${testdir}/certs/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar" } # Check that the new certificate is NOT in the auto update list @@ -787,13 +787,13 @@ haproxy h9 -cli { } shell { - echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - + echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - } barrier b9 sync haproxy h9 -cli { - send "show ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" + send "show ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem" expect ~ ".* Cert Status: revoked.*" } diff --git a/reg-tests/ssl/ocsp_compat_check.vtc b/reg-tests/ssl/ocsp_compat_check.vtc index 2768821aa..475d22e2f 100644 --- a/reg-tests/ssl/ocsp_compat_check.vtc +++ b/reg-tests/ssl/ocsp_compat_check.vtc @@ -40,7 +40,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert # ocsp-update.mode on defaults @@ -75,7 +75,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode on defaults @@ -110,7 +110,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode off defaults @@ -145,7 +145,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert # ocsp-update.mode off defaults @@ -181,7 +181,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode on defaults @@ -217,7 +217,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode off defaults 
@@ -255,7 +255,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert # ocsp-update.mode off defaults @@ -291,7 +291,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert # ocsp-update.mode off defaults @@ -328,7 +328,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode on defaults @@ -365,7 +365,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode on defaults @@ -402,7 +402,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode off defaults @@ -439,7 +439,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode off defaults diff --git a/reg-tests/ssl/set_ssl_bug_2265.vtc b/reg-tests/ssl/set_ssl_bug_2265.vtc index 2bd8652b3..588bc29f6 100644 --- a/reg-tests/ssl/set_ssl_bug_2265.vtc +++ b/reg-tests/ssl/set_ssl_bug_2265.vtc @@ -54,14 +54,14 @@ haproxy h1 -conf { server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost) listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/bug-2265.crt strict-sni + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/bug-2265.crt strict-sni server s1 ${s1_addr}:${s1_port} } -start haproxy h1 -cli { - send "show ssl cert ${testdir}/bug-2265.crt" + send "show ssl cert ${testdir}/certs/bug-2265.crt" expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA" } 
@@ -72,12 +72,12 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/bug-2265.crt <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/bug-2265.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/bug-2265.crt <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/bug-2265.crt" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/bug-2265.crt" + send "show ssl cert ${testdir}/certs/bug-2265.crt" expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" } diff --git a/reg-tests/ssl/set_ssl_cafile.vtc b/reg-tests/ssl/set_ssl_cafile.vtc index 66511ded8..af16c353c 100644 --- a/reg-tests/ssl/set_ssl_cafile.vtc +++ b/reg-tests/ssl/set_ssl_cafile.vtc 
@@ -50,17 +50,17 @@ haproxy h1 -conf { listen clear-lst bind "fd@${clearlst}" # dummy bind used to test a change when the same crt is used as server and bind - bind "fd@${foobarlst}" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify none - server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify none no-sni-auto + bind "fd@${foobarlst}" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify none + server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify none no-sni-auto listen clear-verified-lst bind "fd@${clearverifiedlst}" - server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required no-sni-auto + server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required no-sni-auto listen ssl-lst # crt: certificate of the server # ca-file: CA used for client authentication request - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required crt-ignore-err all http-response add-header X-SSL-Client-Verify %[ssl_c_verify] server s1 ${s1_addr}:${s1_port} } -start 
@@ -69,11 +69,11 @@ haproxy h1 -conf { # Test the "show ssl ca-file" command haproxy h1 -cli { send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA1.crt - 1 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 1 certificate.*" send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA2.crt - 1 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*" - send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D" } @@ -90,21 +90,21 @@ client c1 -connect ${h1_clearlst_sock} { # Set a new ca-file without committing it and check that the new ca-file is not taken into account shell { - printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - } # Test the "show ssl ca-file" command # The transaction should be mentioned in the list haproxy h1 -cli { send "show ssl ca-file" - expect ~ "\\*${testdir}/set_cafile_interCA2.crt - 1 certificate.*" + expect ~ "\\*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*" # The original CA file did not change - send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D" # Only the current transaction displays a new certificate - send "show ssl ca-file *${testdir}/set_cafile_interCA2.crt" + send "show ssl ca-file *${testdir}/certs/set_cafile_interCA2.crt" expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098" } 
@@ -118,17 +118,17 @@ client c1 -connect ${h1_clearlst_sock} { } -run haproxy h1 -cli { - send "abort ssl ca-file ${testdir}/set_cafile_interCA2.crt" - expect ~ "Transaction aborted for certificate '${testdir}/set_cafile_interCA2.crt'!" - send "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" + send "abort ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" + expect ~ "Transaction aborted for certificate '${testdir}/certs/set_cafile_interCA2.crt'!" + send "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" expect ~ "No ongoing transaction!" } # Update the bind line's ca-file in order to accept the client certificate shell { - printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" - } 
@@ -144,23 +144,23 @@ client c1 -connect ${h1_clearverifiedlst_sock} { # Update the server line's ca-file. The server certificate should now be accepted by # the frontend. We replace the single CA by a list of CAs that includes the correct one. shell { - printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - - printf "add ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" - - printf "add ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - + printf "add ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" - + printf "add ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" - } # Test the "show ssl ca-file" with a certificate index haproxy h1 -cli { send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA1.crt - 3 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 3 certificate.*" - send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:1" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:1" expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098" - send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:2" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:2" expect !~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098" - send "show 
ssl ca-file ${testdir}/set_cafile_interCA1.crt:2" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:2" expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D" } diff --git a/reg-tests/ssl/set_ssl_cert.vtc b/reg-tests/ssl/set_ssl_cert.vtc index bdc5fba59..1dd58bac7 100644 --- a/reg-tests/ssl/set_ssl_cert.vtc +++ b/reg-tests/ssl/set_ssl_cert.vtc @@ -40,7 +40,7 @@ haproxy h1 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin - crt-base ${testdir} + crt-base ${testdir}/certs defaults mode http @@ -72,20 +72,20 @@ haproxy h1 -conf { server s9 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem strict-sni server s1 ${s1_addr}:${s1_port} # dummy server used to test a change when the same crt is used as server and bind - server s2 ${s1_addr}:${s1_port} ssl crt ${testdir}/common.pem verify none weight 0 + server s2 ${s1_addr}:${s1_port} ssl crt ${testdir}/certs/common.pem verify none weight 0 listen other-ssl-lst - bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/set_default_cert.crt-list + bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/certs/set_default_cert.crt-list server s1 ${s1_addr}:${s1_port} } -start haproxy h1 -cli { - send "show ssl cert ${testdir}/common.pem" + send "show ssl cert ${testdir}/certs/common.pem" expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA" } 
@@ -96,12 +96,12 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/common.pem" + send "show ssl cert ${testdir}/certs/common.pem" expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" } @@ -119,12 +119,12 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "abort ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "abort ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/common.pem" + send "show ssl cert ${testdir}/certs/common.pem" expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" } 
@@ -149,21 +149,21 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/set_default_cert.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - } # Certificate should not have changed yet haproxy h1 -cli { - send "show ssl cert ${testdir}/set_default_cert.pem" + send "show ssl cert ${testdir}/certs/set_default_cert.pem" expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3" } shell { - echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/set_default_cert.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/set_default_cert.pem" + send "show ssl cert ${testdir}/certs/set_default_cert.pem" expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA" } @@ -185,12 +185,12 @@ client c1 -connect ${h1_clearlst_sock} { # Restore original certificate shell { - printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/set_default_cert.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/set_default_cert.pem <<\n$(cat ${testdir}/certs/set_default_cert.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/set_default_cert.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/set_default_cert.pem" + send "show ssl cert ${testdir}/certs/set_default_cert.pem" expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB" } diff --git a/reg-tests/ssl/set_ssl_cert_bundle.vtc b/reg-tests/ssl/set_ssl_cert_bundle.vtc index 8e145ef73..37fc41b04 100644 --- a/reg-tests/ssl/set_ssl_cert_bundle.vtc +++ b/reg-tests/ssl/set_ssl_cert_bundle.vtc 
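Review bot: The final restore check in the `@@ -185` hunk asserts a truncated fingerprint, `9DC18799428875976DDE706E9956035EE88A4CB` (39 hex digits), while the same certificate is checked against `9DC18799428875976DDE706E9956035EE88A4CB3` in the `@@ -149` hunk just above. Because `expect ~` is an unanchored regex, the short form still matches today, but it silently verifies one nibble less of the digest and would also accept any other cert whose SHA-1 shares that prefix. Since the commit already rewrites the neighbouring `send` lines of this block, it is a good moment to make the context line `expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3"` so the restore assertion is as strict as the original one.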
@@ -62,16 +62,16 @@ haproxy h1 -conf {
 server s4 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384
 listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/cert1-example.com.pem
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/cert1-example.com.pem
 server s1 ${s1_addr}:${s1_port}
 } -start
 haproxy h1 -cli {
- send "show ssl cert ${testdir}/cert1-example.com.pem.rsa"
+ send "show ssl cert ${testdir}/certs/cert1-example.com.pem.rsa"
 expect ~ ".*SHA1 FingerPrint: 94F720DACA71B8B1A0AC9BD48C65BA688FF047DE"
- send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa"
+ send "show ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa"
 expect ~ ".*SHA1 FingerPrint: C1BA055D452F92EB02D449F0498C289F50698300"
 }
@@ -89,16 +89,16 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/cert1-example.com.pem.rsa <<\n$(cat ${testdir}/cert2-example.com.pem.rsa)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/cert1-example.com.pem.rsa" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/cert1-example.com.pem.ecdsa <<\n$(cat ${testdir}/cert2-example.com.pem.ecdsa)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/cert1-example.com.pem.ecdsa" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/cert1-example.com.pem.rsa <<\n$(cat ${testdir}/certs/cert2-example.com.pem.rsa)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/cert1-example.com.pem.rsa" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa <<\n$(cat ${testdir}/certs/cert2-example.com.pem.ecdsa)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/cert1-example.com.pem.rsa" + send "show ssl cert ${testdir}/certs/cert1-example.com.pem.rsa" expect ~ ".*SHA1 FingerPrint: ADC863817FC40C2A9CA913CE45C9A92232558F90" - send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa" + send "show ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa" expect ~ ".*SHA1 FingerPrint: F49FFA446D072262445C197B85D2F400B3F58808" } diff --git a/reg-tests/ssl/set_ssl_cert_noext.vtc b/reg-tests/ssl/set_ssl_cert_noext.vtc index 65773d89e..878813c09 100644 --- a/reg-tests/ssl/set_ssl_cert_noext.vtc +++ b/reg-tests/ssl/set_ssl_cert_noext.vtc 
@@ -53,14 +53,14 @@ haproxy h1 -conf { server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost) listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.crt strict-sni + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.crt strict-sni server s1 ${s1_addr}:${s1_port} } -start haproxy h1 -cli { - send "show ssl cert ${testdir}/common.crt" + send "show ssl cert ${testdir}/certs/common.crt" expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6" } @@ -71,13 +71,13 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/common.crt <<\n$(cat ${testdir}/ecdsa.crt)\n\n" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/common.key <<\n$(cat ${testdir}/ecdsa.key)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/common.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/common.crt <<\n$(cat ${testdir}/certs/ecdsa.crt)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/common.key <<\n$(cat ${testdir}/certs/ecdsa.key)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/common.crt" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/common.crt" + send "show ssl cert ${testdir}/certs/common.crt" expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" } diff --git a/reg-tests/ssl/set_ssl_crlfile.vtc b/reg-tests/ssl/set_ssl_crlfile.vtc index 23537918c..b81fb1ef9 100644 --- a/reg-tests/ssl/set_ssl_crlfile.vtc +++ b/reg-tests/ssl/set_ssl_crlfile.vtc 
@@ -52,13 +52,13 @@ haproxy h1 -conf {
 listen clear-lst
 bind "fd@${clearlst}"
- server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt crl-file ${testdir}/interCA2_crl_empty.pem verify required no-sni-auto
+ server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt crl-file ${testdir}/certs/interCA2_crl_empty.pem verify required no-sni-auto
 listen ssl-lst
 # crt: certificate of the server
 # ca-file: CA used for client authentication request
 # crl-file: revocation list for client auth
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA1.crt ca-verify-file ${testdir}/set_cafile_rootCA.crt crl-file ${testdir}/interCA1_crl_empty.pem verify required crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt crl-file ${testdir}/certs/interCA1_crl_empty.pem verify required crt-ignore-err all
 http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
 server s1 ${s1_addr}:${s1_port}
 } -start
@@ -66,23 +66,23 @@ haproxy h1 -conf { # Test the "show ssl ca-file" command haproxy h1 -cli { send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA1.crt - 1 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 1 certificate.*" send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA2.crt - 1 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*" } # Add the rootCA certificate to set_cafile_interCA2.crt in order for the frontend to # be able to validate the server's certificate shell { - printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA2.crt - 2 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 2 certificate.*" - send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" expect ~ ".*Subject.*/CN=Root CA" } 
@@ -96,17 +96,17 @@ client c1 -connect ${h1_clearlst_sock} { # Change the frontend's crl-file to one in which the server certificate is revoked shell { - printf "set ssl crl-file ${testdir}/interCA2_crl_empty.pem <<\n$(cat ${testdir}/interCA2_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA2_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" - } # Check that the transaction is displayed in the output of "show ssl crl-list" haproxy h1 -cli { send "show ssl crl-file" - expect ~ "\\*${testdir}/interCA2_crl_empty.pem" + expect ~ "\\*${testdir}/certs/interCA2_crl_empty.pem" - send "show ssl crl-file \\*${testdir}/interCA2_crl_empty.pem" + send "show ssl crl-file \\*${testdir}/certs/interCA2_crl_empty.pem" expect ~ "Revoked Certificates:" - send "show ssl crl-file \\*${testdir}/interCA2_crl_empty.pem:1" + send "show ssl crl-file \\*${testdir}/certs/interCA2_crl_empty.pem:1" expect ~ "Serial Number: 1008" }
@@ -119,8 +119,8 @@ client c1 -connect ${h1_clearlst_sock} { } -run haproxy h1 -cli { - send "commit ssl crl-file ${testdir}/interCA2_crl_empty.pem" - expect ~ "Committing ${testdir}/interCA2_crl_empty.pem" + send "commit ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem" + expect ~ "Committing ${testdir}/certs/interCA2_crl_empty.pem" } # This connection should fail, the server's certificate is revoked in the newly updated CRL file
@@ -132,14 +132,14 @@ client c1 -connect ${h1_clearlst_sock} { # Restore the frontend's CRL shell { - printf "set ssl crl-file ${testdir}/interCA2_crl_empty.pem <<\n$(cat ${testdir}/interCA2_crl_empty.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl crl-file ${testdir}/interCA2_crl_empty.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA2_crl_empty.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem" | socat "${tmpdir}/h1/stats" - } # Change the backend's CRL file to one in which the frontend's certificate is revoked shell { - printf "set ssl crl-file ${testdir}/interCA1_crl_empty.pem <<\n$(cat ${testdir}/interCA1_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl crl-file ${testdir}/interCA1_crl_empty.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl crl-file ${testdir}/certs/interCA1_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA1_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl crl-file ${testdir}/certs/interCA1_crl_empty.pem" | socat "${tmpdir}/h1/stats" - } # This connection should fail, the client's certificate is revoked in the newly updated CRL file
diff --git a/reg-tests/ssl/set_ssl_server_cert.vtc b/reg-tests/ssl/set_ssl_server_cert.vtc
index db23e705b..65af8c6b8 100644
--- a/reg-tests/ssl/set_ssl_server_cert.vtc
+++ b/reg-tests/ssl/set_ssl_server_cert.vtc
@@ -39,13 +39,13 @@ haproxy h1 -conf { listen clear-lst bind "fd@${clearlst}" retries 0 # 2nd SSL connection must fail so skip the retry - server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem + server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem listen ssl-lst # crt: certificate of the server # ca-file: CA used for client authentication request # crl-file: revocation list for client auth: the client1 certificate is revoked - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/certs/crl-auth.pem acl cert_expired ssl_c_verify 10 acl cert_revoked ssl_c_verify 23
@@ -68,18 +68,18 @@ client c1 -connect ${h1_clearlst_sock} { } -run haproxy h1 -cli { - send "show ssl cert ${testdir}/client1.pem" + send "show ssl cert ${testdir}/certs/client1.pem" expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" } # Replace certificate with an expired one shell { - printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/client1.pem" + send "show ssl cert ${testdir}/certs/client1.pem" expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4" }
@@ -95,12 +95,12 @@ client c1 -connect ${h1_clearlst_sock} { # Replace certificate with a revoked one shell { - printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/client1.pem" + send "show ssl cert ${testdir}/certs/client1.pem" expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151" }
@@ -115,12 +115,12 @@ client c1 -connect ${h1_clearlst_sock} { # Abort a transaction shell { - printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "abort ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "abort ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/client1.pem" + send "show ssl cert ${testdir}/certs/client1.pem" expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151" }
diff --git a/reg-tests/ssl/show_ssl_ocspresponse.vtc b/reg-tests/ssl/show_ssl_ocspresponse.vtc
index 47d2ec002..b9e4c05be 100644
--- a/reg-tests/ssl/show_ssl_ocspresponse.vtc
+++ b/reg-tests/ssl/show_ssl_ocspresponse.vtc
@@ -48,12 +48,12 @@ haproxy h1 -conf { listen clear-lst bind "fd@${clearlst}" - server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/set_cafile_rootCA.crt verify none + server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none listen ssl-lst # crt: certificate of the server # ca-file: CA used for client authentication request - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/show_ocsp_server.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/show_ocsp_server.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-response add-header X-SSL-Client-Verify %[ssl_c_verify] server s1 ${s1_addr}:${s1_port} } -start
@@ -72,7 +72,7 @@ haproxy h1 -cli { # Test the "show ssl ocsp-response" command with a certificate path as parameter shell { - ocsp_response=$(echo "show ssl ocsp-response ${testdir}/show_ocsp_server.pem" | socat "${tmpdir}/h1/stats" -) + ocsp_response=$(echo "show ssl ocsp-response ${testdir}/certs/show_ocsp_server.pem" | socat "${tmpdir}/h1/stats" -) echo "$ocsp_response" | grep "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com" && echo "$ocsp_response" | grep "Cert Status: good"
@@ -83,21 +83,21 @@ haproxy h1 -cli { send "show ssl cert" expect ~ ".*show_ocsp_server.pem" - send "show ssl cert ${testdir}/show_ocsp_server.pem" + send "show ssl cert ${testdir}/certs/show_ocsp_server.pem" expect ~ "Serial: 100F" - send "show ssl cert ${testdir}/show_ocsp_server.pem" + send "show ssl cert ${testdir}/certs/show_ocsp_server.pem" expect ~ "OCSP Response Key: 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" - send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp" + send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp" expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com" - send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp" + send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp" expect ~ "Cert Status: good" } # Change the server certificate's OCSP response through "set ssl ocsp-response" shell { - printf "set ssl ocsp-response <<\n$(cat ${testdir}/show_ocsp_server.pem.ocsp.revoked|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl ocsp-response <<\n$(cat ${testdir}/certs/show_ocsp_server.pem.ocsp.revoked|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" - } # Check that the change was taken into account 
@@ -110,16 +110,16 @@ haproxy h1 -cli { send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" expect ~ "Cert Status: revoked" - send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp" + send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp" expect ~ "Cert Status: revoked" } # Change the server certificate's OCSP response through a transaction shell { - printf "set ssl cert ${testdir}/show_ocsp_server.pem <<\n$(cat ${testdir}/show_ocsp_server.pem | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/show_ocsp_server.pem.issuer <<\n$(cat ${testdir}/show_ocsp_server.pem.issuer | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/show_ocsp_server.pem.ocsp <<\n$(cat ${testdir}/show_ocsp_server.pem.ocsp|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/show_ocsp_server.pem <<\n$(cat ${testdir}/certs/show_ocsp_server.pem | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/show_ocsp_server.pem.issuer <<\n$(cat ${testdir}/certs/show_ocsp_server.pem.issuer | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp <<\n$(cat ${testdir}/certs/show_ocsp_server.pem.ocsp|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" - } 
@@ -131,16 +131,16 @@ haproxy h1 -cli { send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" expect ~ "This Update: Jun 10 08:57:45 2021 GMT" - send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp" + send "show ssl cert *${testdir}/certs/show_ocsp_server.pem.ocsp" expect ~ "Cert Status: good" - send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp" + send "show ssl cert *${testdir}/certs/show_ocsp_server.pem.ocsp" expect ~ "This Update: Jun 10 08:55:04 2021 GMT" } # Commit the transaction and check that it was taken into account haproxy h1 -cli { - send "commit ssl cert ${testdir}/show_ocsp_server.pem" + send "commit ssl cert ${testdir}/certs/show_ocsp_server.pem" expect ~ "Success!" send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
diff --git a/reg-tests/ssl/ssl-0rtt.vtci b/reg-tests/ssl/ssl-0rtt.vtci
index 78ca036fc..ca04590a6 100644
--- a/reg-tests/ssl/ssl-0rtt.vtci
+++ b/reg-tests/ssl/ssl-0rtt.vtci
@@ -102,10 +102,10 @@ haproxy h1 -conf { listen ssl # socket names indicate their capabilities and are used below in regex # (0r means 0rtt OK, 1r means 0rtt not accepted) - bind "${VTC_SOCK_TYPE}+fd@${sv_sf_1r}" name sf_1r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" - bind "${VTC_SOCK_TYPE}+fd@${sv_sl_1r}" name sl_1r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets - bind "${VTC_SOCK_TYPE}+fd@${sv_sf_0r}" name sf_0r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt - bind "${VTC_SOCK_TYPE}+fd@${sv_sl_0r}" name sl_0r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt no-tls-tickets + bind "${VTC_SOCK_TYPE}+fd@${sv_sf_1r}" name sf_1r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" + bind "${VTC_SOCK_TYPE}+fd@${sv_sl_1r}" name sl_1r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets + bind "${VTC_SOCK_TYPE}+fd@${sv_sf_0r}" name sf_0r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt + bind "${VTC_SOCK_TYPE}+fd@${sv_sl_0r}" name sl_0r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt no-tls-tickets # expect early-data TLS version supports it and both the client and the listener support it http-request add-header x-expect-early 1 if { int("$ZRTT_SUPP") eq 1 } { ssl_fc_is_resumed } { req.hdr(x-from) -m reg '^cl_0r' } { so_name -m reg '0r$' }
diff --git a/reg-tests/ssl/ssl_alpn.vtc b/reg-tests/ssl/ssl_alpn.vtc
index 36cbc38e7..7ad3c33e0 100644
--- a/reg-tests/ssl/ssl_alpn.vtc
+++ b/reg-tests/ssl/ssl_alpn.vtc
@@ -77,11 +77,11 @@ haproxy h1 -conf { server s34 "${tmpdir}/ssl4.sock" alpn h2,http/1.1 frontend fe-ssl - bind "${tmpdir}/ssl0.sock" ssl crt ${testdir}/common.pem - bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/common.pem alpn http/1.1 - bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/common.pem alpn h2 - bind "${tmpdir}/ssl3.sock" ssl crt ${testdir}/common.pem alpn h2,http/1.1 - bind "${tmpdir}/ssl4.sock" ssl crt ${testdir}/common.pem no-alpn + bind "${tmpdir}/ssl0.sock" ssl crt ${testdir}/certs/common.pem + bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/certs/common.pem alpn http/1.1 + bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/certs/common.pem alpn h2 + bind "${tmpdir}/ssl3.sock" ssl crt ${testdir}/certs/common.pem alpn h2,http/1.1 + bind "${tmpdir}/ssl4.sock" ssl crt ${testdir}/certs/common.pem no-alpn http-request return status 200 hdr x-alpn _%[ssl_fc_alpn] hdr x-path %[path] hdr x-ver _%[req.ver] } -start
diff --git a/reg-tests/ssl/ssl_client_auth.vtc b/reg-tests/ssl/ssl_client_auth.vtc
index ec555651d..64d60380b 100644
--- a/reg-tests/ssl/ssl_client_auth.vtc
+++ b/reg-tests/ssl/ssl_client_auth.vtc
@@ -46,15 +46,15 @@ haproxy h1 -conf { bind "fd@${clearlst}" balance roundrobin # crt: certificate sent for a client certificate request - server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem - server s2 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client2_expired.pem # expired - server s3 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem # revoked + server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem + server s2 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client2_expired.pem # expired + server s3 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem # revoked listen ssl-lst # crt: certificate of the server # ca-file: CA used for client authentication request # crl-file: revocation list for client auth: the client1 certificate is revoked - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err X509_V_ERR_CERT_REVOKED,X509_V_ERR_CERT_HAS_EXPIRED crl-file ${testdir}/crl-auth.pem + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err X509_V_ERR_CERT_REVOKED,X509_V_ERR_CERT_HAS_EXPIRED crl-file ${testdir}/certs/crl-auth.pem http-response add-header X-SSL %[ssl_c_verify,x509_v_err_str] server s1 ${s1_addr}:${s1_port}
diff --git a/reg-tests/ssl/ssl_client_samples.vtc b/reg-tests/ssl/ssl_client_samples.vtc
index db3589f36..fc5e77a70 100644
--- a/reg-tests/ssl/ssl_client_samples.vtc
+++ b/reg-tests/ssl/ssl_client_samples.vtc
@@ -35,7 +35,7 @@ haproxy h1 -conf { listen clear-lst bind "fd@${clearlst}" balance roundrobin - server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem + server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem listen ssl-lst mode http
@@ -53,7 +53,7 @@ haproxy h1 -conf { http-response add-header x-ssl-key_alg %[ssl_c_key_alg] http-response add-header x-ssl-version %[ssl_c_version] - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/certs/crl-auth.pem server s1 ${s1_addr}:${s1_port} } -start
diff --git a/reg-tests/ssl/ssl_crt-list_filters.vtc b/reg-tests/ssl/ssl_crt-list_filters.vtc
index a911f0395..19921f38f 100644
--- a/reg-tests/ssl/ssl_crt-list_filters.vtc
+++ b/reg-tests/ssl/ssl_crt-list_filters.vtc
@@ -23,7 +23,7 @@ haproxy h1 -conf { .if !ssllib_name_startswith(AWS-LC) tune.ssl.default-dh-param 2048 .endif - crt-base ${testdir} + crt-base ${testdir}/certs stats socket "${tmpdir}/h1/stats" level admin defaults
@@ -62,8 +62,8 @@ haproxy h1 -conf { listen ssl-lst mode http - bind "${tmpdir}/ssl.sock" ssl strict-sni ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 crt-list ${testdir}/filters.crt-list - bind "${tmpdir}/ssl2.sock" ssl strict-sni ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 crt-list ${testdir}/filters.crt-list + bind "${tmpdir}/ssl.sock" ssl strict-sni ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 crt-list ${testdir}/certs/filters.crt-list + bind "${tmpdir}/ssl2.sock" ssl strict-sni ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 crt-list ${testdir}/certs/filters.crt-list server s1 ${s1_addr}:${s1_port} } -start
diff --git a/reg-tests/ssl/ssl_curve_name.vtc b/reg-tests/ssl/ssl_curve_name.vtc
index ee017b9db..7215c6412 100644
--- a/reg-tests/ssl/ssl_curve_name.vtc
+++ b/reg-tests/ssl/ssl_curve_name.vtc
@@ -19,7 +19,7 @@ haproxy h1 -conf { tune.ssl.default-dh-param 2048 .endif tune.ssl.capture-buffer-size 1 - crt-base ${testdir} + crt-base ${testdir}/certs defaults mode http
@@ -35,12 +35,12 @@ haproxy h1 -conf { bind "fd@${clearlst}" balance roundrobin http-response add-header x-ssl-bc-curve-name %[ssl_bc_curve] - server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client.ecdsa.pem + server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem listen ssl-lst mode http http-response add-header x-ssl-fc-curve-name %[ssl_fc_curve] - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional curves X25519:P-256:P-384 + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional curves X25519:P-256:P-384 server s1 ${s1_addr}:${s1_port} } -start
diff --git a/reg-tests/ssl/ssl_curves.vtc b/reg-tests/ssl/ssl_curves.vtc
index da0054e7e..340ea2ddd 100644
--- a/reg-tests/ssl/ssl_curves.vtc
+++ b/reg-tests/ssl/ssl_curves.vtc
@@ -66,20 +66,20 @@ haproxy h1 -conf { default_backend ssl-be backend ssl-be - server s1 "${tmpdir}/ssl1.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12 curves P-256:P-384 + server s1 "${tmpdir}/ssl1.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 curves P-256:P-384 backend ssl-curves-be - server s1 "${tmpdir}/ssl2.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12 curves P-384 + server s1 "${tmpdir}/ssl2.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 curves P-384 backend ssl-ecdhe-256-be - server s1 "${tmpdir}/ssl-ecdhe-256.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12 + server s1 "${tmpdir}/ssl-ecdhe-256.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 backend ssl-ecdhe-521-be - server s1 "${tmpdir}/ssl-ecdhe-521.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12 + server s1 "${tmpdir}/ssl-ecdhe-521.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 listen ssl1-lst - bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional curves P-256:P-384 + bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional curves P-256:P-384 server s1 ${s1_addr}:${s1_port} # The prime256v1 curve, which is used by default by a backend when no 
@@ -88,21 +88,21 @@ haproxy h1 -conf { log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0 error-log-format "ERROR conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]" - bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional curves P-384 + bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional curves P-384 server s1 ${s1_addr}:${s1_port} listen ssl-ecdhe-521-lst log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0 error-log-format "ERROR ECDHE-521 conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]" - bind "${tmpdir}/ssl-ecdhe-521.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ecdhe secp521r1 + bind "${tmpdir}/ssl-ecdhe-521.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ecdhe secp521r1 server s1 ${s1_addr}:${s1_port} listen ssl-ecdhe-256-lst log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0 error-log-format "ERROR ECDHE-256 conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]" - bind "${tmpdir}/ssl-ecdhe-256.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ecdhe prime256v1 + bind "${tmpdir}/ssl-ecdhe-256.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ecdhe prime256v1 server s1 ${s1_addr}:${s1_port} } -start
diff --git a/reg-tests/ssl/ssl_default_server.vtc b/reg-tests/ssl/ssl_default_server.vtc
index 0f49b1b80..ed14dea1a 100644
--- a/reg-tests/ssl/ssl_default_server.vtc
+++ b/reg-tests/ssl/ssl_default_server.vtc
@@ -31,8 +31,8 @@ haproxy h1 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin - crt-base ${testdir} - ca-base ${testdir} + crt-base ${testdir}/certs + ca-base ${testdir}/certs defaults mode http
@@ -77,7 +77,7 @@ haproxy h1 -conf { listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ca-auth.crt verify required crt-ignore-err all + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ca-auth.crt verify required crt-ignore-err all acl cert_expired ssl_c_verify 10 acl cert_revoked ssl_c_verify 23
diff --git a/reg-tests/ssl/ssl_dh.vtc b/reg-tests/ssl/ssl_dh.vtc
index b569f8a1d..29dbaf071 100644
--- a/reg-tests/ssl/ssl_dh.vtc
+++ b/reg-tests/ssl/ssl_dh.vtc
@@ -59,12 +59,12 @@ haproxy h1 -conf { server s1 "${tmpdir}/ssl_dflt_gencert.sock" ssl verify none ssl-max-ver TLSv1.2 listen ssl-dflt-lst - bind "${tmpdir}/ssl_dflt.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 + bind "${tmpdir}/ssl_dflt.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 http-response set-header x-ssl-cipher %[ssl_fc_cipher] server s1 ${s1_addr}:${s1_port} listen ssl-dflt-gencert-lst - bind "${tmpdir}/ssl_dflt_gencert.sock" ssl generate-certificates crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 + bind "${tmpdir}/ssl_dflt_gencert.sock" ssl generate-certificates crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 http-response set-header x-ssl-cipher %[ssl_fc_cipher] server s1 ${s1_addr}:${s1_port} } -start
@@ -99,7 +99,7 @@ haproxy h2 -conf { server s1 "${tmpdir}/ssl_dfltdh.sock" ssl verify none ssl-max-ver TLSv1.2 listen ssl-4096dh-dflt-lst - bind "${tmpdir}/ssl_dfltdh.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 + bind "${tmpdir}/ssl_dfltdh.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 http-response set-header x-ssl-cipher %[ssl_fc_cipher] server s1 ${s1_addr}:${s1_port} } -start
@@ -117,7 +117,7 @@ haproxy h3 -conf { thread-groups 1 .endif - ssl-dh-param-file ${testdir}/common.4096.dh + ssl-dh-param-file ${testdir}/certs/common.4096.dh defaults mode http
@@ -134,7 +134,7 @@ haproxy h3 -conf { server s1 "${tmpdir}/ssl_dhfile.sock" ssl verify none ssl-max-ver TLSv1.2 listen ssl-dhfile-lst - bind "${tmpdir}/ssl_dhfile.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 + bind "${tmpdir}/ssl_dhfile.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 http-response set-header x-ssl-cipher %[ssl_fc_cipher] server s1 ${s1_addr}:${s1_port} } -start
@@ -188,14 +188,14 @@ shell { # Add a custom DH to the server's PEM certificate # shell { - printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h2/stats" - - echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h2/stats" - + printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h2/stats" - + echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h2/stats" - - printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h3/stats" - - echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h3/stats" - + printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h3/stats" - + echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h3/stats" - }
diff --git a/reg-tests/ssl/ssl_errors.vtc b/reg-tests/ssl/ssl_errors.vtc
index 8025dbd96..55ef811ff 100644
--- a/reg-tests/ssl/ssl_errors.vtc
+++ b/reg-tests/ssl/ssl_errors.vtc
@@ -191,7 +191,7 @@ haproxy h1 -conf { listen clear_lst bind "fd@${clearlst}" - default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 sni str(foo.com) + default-server ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 sni str(foo.com) balance roundrobin server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
@@ -201,7 +201,7 @@ haproxy h1 -conf { listen clear_wrong_ciphers_lst bind "fd@${wrongcipherslst}" - default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 ciphers "aECDSA" sni str(foo.com) + default-server ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 ciphers "aECDSA" sni str(foo.com) balance roundrobin server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
@@ -217,20 +217,20 @@ haproxy h1 -conf { error-log-format "ERROR bc_err:%[bc_err]:%{+Q}[bc_err_str]\ ssl_bc_err:%[ssl_bc_err,and(proc.ssl_error_mask)]:%[ssl_bc_err_str]" balance roundrobin - server no_err "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required sni str(Server) - server srv_cert_rejected "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required sni str(foo.com) - server mismatch_frontend "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required sni str(foo.com) verifyhost str(toto) # We force TLSv1.2 for this specific case because server-side + server no_err "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required sni str(Server) + server srv_cert_rejected "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required sni str(foo.com) + server mismatch_frontend "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required sni str(foo.com) verifyhost str(toto) # We force TLSv1.2 for this specific case because server-side # verification errors cannot be caught by the backend fetches when # using TLSv1.3 - server clt_cert_rejected "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none force-tlsv12 sni str(foo.com) - server wrong_ciphers "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com) + server clt_cert_rejected "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file 
${testdir}/certs/set_cafile_interCA2.crt verify none force-tlsv12 sni str(foo.com) + server wrong_ciphers "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem ca-file ${testdir}/certs/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com) # No TLSv1.3 support with OpenSSL 1.0.2 so we duplicate the previous # wrong cipher test in this case so that the error log remains the same .if openssl_version_before(1.1.1) - server wrong_ciphers2 "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com) + server wrong_ciphers2 "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem ca-file ${testdir}/certs/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com) .else - server wrong_ciphers_tls13 "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" force-tlsv13 sni str(foo.com) + server wrong_ciphers_tls13 "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem ca-file ${testdir}/certs/ca-auth.crt ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" force-tlsv13 sni str(foo.com) .endif 
@@ -241,7 +241,7 @@ haproxy h1 -conf {
 mode http
 log-format "conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:\"%[ssl_fc_err]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
 error-log-format "ERROR conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:\"%[ssl_fc_err,and(proc.ssl_error_mask)]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
- bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA"
+ bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required ciphers "kRSA"
 server s1 ${s1_addr}:${s1_port}
 listen https_logfmt_ssl_lst
@@ -251,14 +251,14 @@ haproxy h1 -conf {
 mode http
 option httpslog
 error-log-format "ERROR %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[fc_err]/%[ssl_fc_err,and(proc.ssl_error_mask),hex]/%[ssl_c_err]/%[ssl_c_ca_err]/%[ssl_fc_is_resumed] %[ssl_fc_sni]/%sslv/%sslc"
- bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA"
+ bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required ciphers "kRSA"
 server s1 ${s1_addr}:${s1_port}
 listen logconnerror_ssl_lst
 log ${Slg_logconnerror_addr}:${Slg_logconnerror_port} local0 info
 mode http
 option httplog
- bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA"
+ bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required ciphers "kRSA"
 server s1 ${s1_addr}:${s1_port}
@@ -274,28 +274,28 @@ haproxy h1 -conf {
 # The following listeners allow to test backend error fetches
 listen no_backend_err_ssl_lst from bknd_err_dflt
- bind "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
+ bind "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none
 server s1 ${s1_addr}:${s1_port}
 listen srv_rejected_ssl_lst from bknd_err_dflt
- bind "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
+ bind "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none
 server s1 ${s1_addr}:${s1_port}
 listen mismatch_fe_ssl_lst from bknd_err_dflt
- bind "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
+ bind "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none
 server s1 ${s1_addr}:${s1_port}
 listen rejected_clt_ssl_lst from bknd_err_dflt
- bind "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required
+ bind "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required
 server s1 ${s1_addr}:${s1_port}
 listen wrong_ciphers_ssl_lst from bknd_err_dflt
- bind "${tmpdir}/wrong_ciphers_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv12 ciphers "kRSA"
+ bind "${tmpdir}/wrong_ciphers_ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify none force-tlsv12 ciphers "kRSA"
 server s1 ${s1_addr}:${s1_port}
 .if openssl_version_atleast(1.1.1)
 listen wrong_ciphers_tls13_ssl_lst 
from bknd_err_dflt
- bind "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv13 ciphersuites "TLS_AES_128_GCM_SHA256"
+ bind "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify none force-tlsv13 ciphersuites "TLS_AES_128_GCM_SHA256"
 server s1 ${s1_addr}:${s1_port}
 .endif
@@ -327,8 +327,8 @@ barrier b1 sync
 # Change the root CA in the frontends
 shell {
- printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
 }
 client c4 -connect ${h1_clearlst_sock} {
@@ -352,14 +352,14 @@ barrier b1 sync
 # Restore the root CA
 shell {
- printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt <<\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
 }
 # Change the intermediate CA in the frontends
 shell {
- printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
 }
 client c7 -connect ${h1_clearlst_sock} {
@@ -382,8 +382,8 @@ barrier b1 sync
 # Restore the intermediate CA in the frontends
 shell {
- printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
 }
 # "No shared cipher" errors
@@ -402,8 +402,8 @@ client c12 -connect ${h1_wrongcipherslst_sock} {
 shell {
- printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
 }
 client c13 -connect ${h1_backenderrorslst_sock} {
diff --git a/reg-tests/ssl/ssl_frontend_samples.vtc b/reg-tests/ssl/ssl_frontend_samples.vtc
index 118795b15..de0714501 100644
--- a/reg-tests/ssl/ssl_frontend_samples.vtc
+++ b/reg-tests/ssl/ssl_frontend_samples.vtc
@@ -19,7 +19,6 @@ haproxy h1 -conf {
 tune.ssl.default-dh-param 2048
 .endif
 tune.ssl.capture-buffer-size 1
- crt-base ${testdir}
 defaults
 mode http
@@ -50,7 +49,7 @@ haproxy h1 -conf {
 http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
 http-response add-header x-ssl-version %[ssl_f_version]
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem
 server s1 ${s1_addr}:${s1_port}
 } -start
diff --git a/reg-tests/ssl/ssl_generate_certificate.vtc b/reg-tests/ssl/ssl_generate_certificate.vtc
index 0bd6fbc44..03fba5458 100644
--- a/reg-tests/ssl/ssl_generate_certificate.vtc
+++ b/reg-tests/ssl/ssl_generate_certificate.vtc
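Review bot: In the `@@ -19,7 +19,6 @@` hunk of reg-tests/ssl/ssl_frontend_samples.vtc the `crt-base ${testdir}` line is removed outright, whereas ssl_server_samples.vtc and ssl_simple_crt-list.vtc repoint it to `crt-base ${testdir}/certs`; removal is only correct if every certificate argument in this file is an absolute path. The single reference visible here, the bind in the `@@ -50,7 +49,7 @@` hunk, now reads `${testdir}/certs/common.pem`, so these two hunks are consistent with each other, but any relative `crt`/`ca-file` name elsewhere in the file (outside the shown hunks) would stop resolving and the test would fail at haproxy startup. If the intent is that this file no longer needs a base directory, a comment at the removal site such as `# no crt-base: every crt path below is absolute` would keep a later edit from reintroducing a relative name by accident.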
@@ -59,7 +59,7 @@ haproxy h1 -conf {
 server s1 "${tmpdir}/ssl_P-384.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)
 listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional
+ bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/certs/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional
 http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
 http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
 http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
@@ -69,7 +69,7 @@ haproxy h1 -conf {
 server s1 ${s1_addr}:${s1_port}
 listen ssl-lst-P-384
- bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1
+ bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/certs/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1
 http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
 http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
 http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
diff --git a/reg-tests/ssl/ssl_reuse.vtci b/reg-tests/ssl/ssl_reuse.vtci
index f7218588f..8da16ba2d 100644
--- a/reg-tests/ssl/ssl_reuse.vtci
+++ b/reg-tests/ssl/ssl_reuse.vtci
@@ -42,8 +42,8 @@ haproxy h1 -conf {
 http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
 listen ssl
- bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}"
- bind "${VTC_SOCK_TYPE}+fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets
+ bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}"
+ bind "${VTC_SOCK_TYPE}+fd@${fe4}" ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets
 http-response add-header x-ssl-resumed %[ssl_fc_is_resumed]
 server s1 ${s1_addr}:${s1_port}
diff --git a/reg-tests/ssl/ssl_server_samples.vtc b/reg-tests/ssl/ssl_server_samples.vtc
index c8c52081b..9e1fe9268 100644
--- a/reg-tests/ssl/ssl_server_samples.vtc
+++ b/reg-tests/ssl/ssl_server_samples.vtc
@@ -19,7 +19,7 @@ haproxy h1 -conf {
 tune.ssl.default-dh-param 2048
 .endif
 tune.ssl.capture-buffer-size 1
- crt-base ${testdir}
+ crt-base ${testdir}/certs
 stats socket "${tmpdir}/h1/stats" level admin
 defaults
@@ -52,7 +52,7 @@ haproxy h1 -conf {
 listen ssl-lst
 mode http
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list
 server s1 ${s1_addr}:${s1_port}
 } -start
diff --git a/reg-tests/ssl/ssl_simple_crt-list.vtc b/reg-tests/ssl/ssl_simple_crt-list.vtc
index fa6c767b1..356e4f491 100644
--- a/reg-tests/ssl/ssl_simple_crt-list.vtc
+++ b/reg-tests/ssl/ssl_simple_crt-list.vtc
@@ -19,7 +19,7 @@ haproxy h1 -conf {
 .if !ssllib_name_startswith(AWS-LC)
 tune.ssl.default-dh-param 2048
 .endif
- crt-base ${testdir}
+ crt-base ${testdir}/certs
 stats socket "${tmpdir}/h1/stats" level admin
 defaults
@@ -42,7 +42,7 @@ haproxy h1 -conf {
 listen ssl-lst
 mode http
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/simple.crt-list
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/simple.crt-list
 server s1 ${s1_addr}:${s1_port}
 } -start
diff --git a/reg-tests/ssl/ssl_sni_auto.vtc b/reg-tests/ssl/ssl_sni_auto.vtc
index 709b9599e..4c6c48fc5 100644
--- a/reg-tests/ssl/ssl_sni_auto.vtc
+++ b/reg-tests/ssl/ssl_sni_auto.vtc
@@ -71,7 +71,7 @@ haproxy h1 -conf {
 default-server inter 100ms
 frontend fe_ssl
- bind "fd@${fe_ssl}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe_ssl}" ssl crt ${testdir}/certs/common.pem
 http-request return status 200 if { path /test1 } { ssl_fc_sni www.test1.org }
 http-request return status 500 if { path /test2 } { ssl_fc_sni -m found }
@@ -79,7 +79,7 @@ haproxy h1 -conf {
 http-request deny
 listen li_check_ssl
- bind "fd@${li_check_ssl}" ssl crt ${testdir}/common.pem
+ bind "fd@${li_check_ssl}" ssl crt ${testdir}/certs/common.pem
 http-request set-header x-sni %[ssl_fc_sni] if { ssl_fc_sni -m found }
 use-server s1 if { path /test1 }
diff --git a/reg-tests/ssl/wrong_ctx_storage.vtc b/reg-tests/ssl/wrong_ctx_storage.vtc
index 1522e0211..156eb03e1 100644
--- a/reg-tests/ssl/wrong_ctx_storage.vtc
+++ b/reg-tests/ssl/wrong_ctx_storage.vtc
@@ -40,7 +40,7 @@ haproxy h1 -conf {
 listen frt
 mode http
- bind "fd@${frt}" ssl crt ${testdir}/common.pem
+ bind "fd@${frt}" ssl crt ${testdir}/certs/common.pem
 http-request redirect location /
 } -start