From 0839fb46db389c2fb2146e43fadc51492e0ecedb Mon Sep 17 00:00:00 2001 
From: Frederic Lecaille Date: Wed, 26 Nov 2025 15:21:51 +0100 Subject: [PATCH] REGTESTS: ssl: Move all the SSL certificates, keys, crt-lists inside "certs" directory Move all these files and others for OCSP tests found into reg-tests/ssl to reg-tests/ssl/certs and adapt all the VTC files which use them. This patch is needed by other tests which have to include the SSL tests. Indeed, some VTC commands contain paths to these files which cannot be customized with environment variables, depending on the location the VTC file is run from, because VTC does not resolve the environment variables. Only macros such as ${testdir} can be resolved. For instance this command run from a VTC file from reg-tests/ssl directory cannot be reused from another directory, except if we add a symbolic link for each cert, key, etc. haproxy h1 -cli { send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1" } This is not what we want. We add a symbolic link to reg-tests/ssl/certs in the directory and modify the command above as follows: haproxy h1 -cli { send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1" } --- .github/h2spec.config | 2 +- reg-tests/checks/certs | 1 + reg-tests/checks/common.pem | 1 - reg-tests/checks/ssl-hello-check.vtc | 2 +- reg-tests/checks/tcp-check-client-hello.vtc | 4 +- reg-tests/checks/tcp-check-ssl.vtc | 2 +- reg-tests/checks/tls_health_checks.vtc | 12 +- reg-tests/compression/certs | 1 + reg-tests/compression/common.pem | 1 - reg-tests/compression/lua_validation.vtc | 2 +- reg-tests/connection/ca-auth.crt | 1 - reg-tests/connection/certs | 1 + reg-tests/connection/client1.pem | 1 - reg-tests/connection/common.pem | 1 - reg-tests/connection/http_reuse_conn_hash.vtc | 2 +- .../proxy_protocol_send_unique_id_alpn.vtc | 2 +- reg-tests/connection/reverse_server_name.vtc | 4 +- reg-tests/http-messaging/certs | 1 + reg-tests/http-messaging/common.pem | 1 - reg-tests/http-messaging/srv_ws.vtc | 2 +- reg-tests/lua/certs | 
1 + reg-tests/lua/common.pem | 1 - reg-tests/lua/txn_get_priv-thread.vtc | 2 +- reg-tests/lua/txn_get_priv.vtc | 2 +- reg-tests/peers/certs | 1 + reg-tests/peers/common.pem | 1 - reg-tests/peers/tls_basic_sync.vtc | 12 +- .../peers/tls_basic_sync_wo_stkt_backend.vtc | 12 +- reg-tests/quic/certs | 1 + reg-tests/quic/common.pem | 1 - reg-tests/quic/retry.vtc | 4 +- reg-tests/server/certs | 1 + reg-tests/server/cli_add_ssl_server.vtc | 4 +- reg-tests/server/common.pem | 1 - reg-tests/ssl/add_ssl_crt-list.vtc | 42 +++--- reg-tests/ssl/{ => certs}/bug-2265.crt | 0 reg-tests/ssl/{ => certs}/ca-auth.crt | 0 .../{ => certs}/cert1-example.com.pem.ecdsa | 0 .../ssl/{ => certs}/cert1-example.com.pem.rsa | 0 .../{ => certs}/cert2-example.com.pem.ecdsa | 0 .../ssl/{ => certs}/cert2-example.com.pem.rsa | 0 reg-tests/ssl/{ => certs}/client.ecdsa.pem | 0 reg-tests/ssl/{ => certs}/client1.pem | 0 reg-tests/ssl/{ => certs}/client2_expired.pem | 0 reg-tests/ssl/{ => certs}/client3_revoked.pem | 0 reg-tests/ssl/{ => certs}/common.4096.dh | 0 reg-tests/ssl/{ => certs}/common.crt | 0 reg-tests/ssl/{ => certs}/common.key | 0 reg-tests/ssl/{ => certs}/common.pem | 0 reg-tests/ssl/{ => certs}/crl-auth.pem | 0 reg-tests/ssl/{ => certs}/ecdsa.crt | 0 reg-tests/ssl/{ => certs}/ecdsa.key | 0 reg-tests/ssl/{ => certs}/ecdsa.pem | 0 reg-tests/ssl/{ => certs}/filters.crt-list | 0 .../generate_certificates/gen_cert_ca.pem | 0 .../generate_certificates/gen_cert_server.pem | 0 reg-tests/ssl/{ => certs}/interCA1_crl.pem | 0 .../ssl/{ => certs}/interCA1_crl_empty.pem | 0 reg-tests/ssl/{ => certs}/interCA2_crl.pem | 0 .../ssl/{ => certs}/interCA2_crl_empty.pem | 0 .../{ => certs}/issuers-chain-path/ca/ca.crt | 0 .../{ => certs}/issuers-chain-path/server.pem | 0 reg-tests/ssl/{ => certs}/localhost.crt-list | 0 .../ssl/{ => certs}/ocsp_update/index.txt | 0 .../multicert/server_ocsp.pem.ecdsa | 0 .../multicert/server_ocsp.pem.ecdsa.issuer | 0 .../multicert/server_ocsp.pem.ecdsa.ocsp | Bin 
.../ocsp_update/multicert/server_ocsp.pem.rsa | 0 .../multicert/server_ocsp.pem.rsa.issuer | 0 .../multicert/server_ocsp.pem.rsa.ocsp | Bin .../multicert/server_ocsp_ecdsa.pem | 0 .../multicert/server_ocsp_ecdsa.pem.ocsp | Bin .../ocsp_update/multicert_both_certs.crt-list | 0 .../ocsp_update/multicert_ecdsa.crt-list | 0 .../multicert_ecdsa_no_update.crt-list | 0 .../multicert_no_ocsp/server_ocsp_ecdsa.pem | 0 .../multicert_no_ocsp/server_ocsp_rsa.pem | 0 .../ocsp_update/multicert_rsa.crt-list | 0 .../ocsp_update/ocsp.haproxy.com.pem | 0 .../ocsp_update/ocsp_update_rootca.crt | 0 reg-tests/ssl/{ => certs}/rootCA_crl.pem | 0 .../ssl/{ => certs}/set_cafile_client.pem | 0 .../ssl/{ => certs}/set_cafile_interCA1.crt | 0 .../ssl/{ => certs}/set_cafile_interCA2.crt | 0 .../ssl/{ => certs}/set_cafile_rootCA.crt | 0 .../ssl/{ => certs}/set_cafile_server.pem | 0 .../ssl/{ => certs}/set_default_cert.crt-list | 0 .../ssl/{ => certs}/set_default_cert.pem | 0 .../ssl/{ => certs}/show_ocsp_server.pem | 0 .../{ => certs}/show_ocsp_server.pem.issuer | 0 .../ssl/{ => certs}/show_ocsp_server.pem.ocsp | Bin .../show_ocsp_server.pem.ocsp.revoked | Bin reg-tests/ssl/{ => certs}/simple.crt-list | 0 reg-tests/ssl/crt_store.vtc | 8 +- reg-tests/ssl/del_ssl_crt-list.vtc | 20 +-- reg-tests/ssl/dynamic_server_ssl.vtc | 24 ++-- reg-tests/ssl/issuers_chain_path.vtc | 8 +- reg-tests/ssl/log_forward_ssl.vtc | 2 +- reg-tests/ssl/new_del_ssl_cafile.vtc | 26 ++-- reg-tests/ssl/new_del_ssl_crlfile.vtc | 22 +-- reg-tests/ssl/ocsp_auto_update.vtc | 132 +++++++++--------- reg-tests/ssl/ocsp_compat_check.vtc | 24 ++-- reg-tests/ssl/set_ssl_bug_2265.vtc | 10 +- reg-tests/ssl/set_ssl_cafile.vtc | 48 +++---- reg-tests/ssl/set_ssl_cert.vtc | 36 ++--- reg-tests/ssl/set_ssl_cert_bundle.vtc | 18 +-- reg-tests/ssl/set_ssl_cert_noext.vtc | 12 +- reg-tests/ssl/set_ssl_crlfile.vtc | 36 ++--- reg-tests/ssl/set_ssl_server_cert.vtc | 24 ++-- reg-tests/ssl/show_ssl_ocspresponse.vtc | 30 ++-- reg-tests/ssl/ssl-0rtt.vtci 
| 8 +- reg-tests/ssl/ssl_alpn.vtc | 10 +- reg-tests/ssl/ssl_client_auth.vtc | 8 +- reg-tests/ssl/ssl_client_samples.vtc | 4 +- reg-tests/ssl/ssl_crt-list_filters.vtc | 6 +- reg-tests/ssl/ssl_curve_name.vtc | 6 +- reg-tests/ssl/ssl_curves.vtc | 16 +-- reg-tests/ssl/ssl_default_server.vtc | 6 +- reg-tests/ssl/ssl_dh.vtc | 22 +-- reg-tests/ssl/ssl_errors.vtc | 56 ++++---- reg-tests/ssl/ssl_frontend_samples.vtc | 3 +- reg-tests/ssl/ssl_generate_certificate.vtc | 4 +- reg-tests/ssl/ssl_reuse.vtci | 4 +- reg-tests/ssl/ssl_server_samples.vtc | 4 +- reg-tests/ssl/ssl_simple_crt-list.vtc | 4 +- reg-tests/ssl/ssl_sni_auto.vtc | 4 +- reg-tests/ssl/wrong_ctx_storage.vtc | 2 +- 127 files changed, 387 insertions(+), 390 deletions(-) create mode 120000 reg-tests/checks/certs delete mode 120000 reg-tests/checks/common.pem create mode 120000 reg-tests/compression/certs delete mode 120000 reg-tests/compression/common.pem delete mode 120000 reg-tests/connection/ca-auth.crt create mode 120000 reg-tests/connection/certs delete mode 120000 reg-tests/connection/client1.pem delete mode 120000 reg-tests/connection/common.pem create mode 120000 reg-tests/http-messaging/certs delete mode 120000 reg-tests/http-messaging/common.pem create mode 120000 reg-tests/lua/certs delete mode 120000 reg-tests/lua/common.pem create mode 120000 reg-tests/peers/certs delete mode 120000 reg-tests/peers/common.pem create mode 120000 reg-tests/quic/certs delete mode 120000 reg-tests/quic/common.pem create mode 120000 reg-tests/server/certs delete mode 120000 reg-tests/server/common.pem rename reg-tests/ssl/{ => certs}/bug-2265.crt (100%) rename reg-tests/ssl/{ => certs}/ca-auth.crt (100%) rename reg-tests/ssl/{ => certs}/cert1-example.com.pem.ecdsa (100%) rename reg-tests/ssl/{ => certs}/cert1-example.com.pem.rsa (100%) rename reg-tests/ssl/{ => certs}/cert2-example.com.pem.ecdsa (100%) rename reg-tests/ssl/{ => certs}/cert2-example.com.pem.rsa (100%) rename reg-tests/ssl/{ => certs}/client.ecdsa.pem (100%) 
rename reg-tests/ssl/{ => certs}/client1.pem (100%) rename reg-tests/ssl/{ => certs}/client2_expired.pem (100%) rename reg-tests/ssl/{ => certs}/client3_revoked.pem (100%) rename reg-tests/ssl/{ => certs}/common.4096.dh (100%) rename reg-tests/ssl/{ => certs}/common.crt (100%) rename reg-tests/ssl/{ => certs}/common.key (100%) rename reg-tests/ssl/{ => certs}/common.pem (100%) rename reg-tests/ssl/{ => certs}/crl-auth.pem (100%) rename reg-tests/ssl/{ => certs}/ecdsa.crt (100%) rename reg-tests/ssl/{ => certs}/ecdsa.key (100%) rename reg-tests/ssl/{ => certs}/ecdsa.pem (100%) rename reg-tests/ssl/{ => certs}/filters.crt-list (100%) rename reg-tests/ssl/{ => certs}/generate_certificates/gen_cert_ca.pem (100%) rename reg-tests/ssl/{ => certs}/generate_certificates/gen_cert_server.pem (100%) rename reg-tests/ssl/{ => certs}/interCA1_crl.pem (100%) rename reg-tests/ssl/{ => certs}/interCA1_crl_empty.pem (100%) rename reg-tests/ssl/{ => certs}/interCA2_crl.pem (100%) rename reg-tests/ssl/{ => certs}/interCA2_crl_empty.pem (100%) rename reg-tests/ssl/{ => certs}/issuers-chain-path/ca/ca.crt (100%) rename reg-tests/ssl/{ => certs}/issuers-chain-path/server.pem (100%) rename reg-tests/ssl/{ => certs}/localhost.crt-list (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/index.txt (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert/server_ocsp.pem.ecdsa (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert/server_ocsp.pem.ecdsa.issuer (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert/server_ocsp.pem.ecdsa.ocsp (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert/server_ocsp.pem.rsa (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert/server_ocsp_ecdsa.pem (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert/server_ocsp_ecdsa.pem.ocsp (100%) 
rename reg-tests/ssl/{ => certs}/ocsp_update/multicert_both_certs.crt-list (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert_ecdsa.crt-list (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert_ecdsa_no_update.crt-list (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/multicert_rsa.crt-list (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/ocsp.haproxy.com.pem (100%) rename reg-tests/ssl/{ => certs}/ocsp_update/ocsp_update_rootca.crt (100%) rename reg-tests/ssl/{ => certs}/rootCA_crl.pem (100%) rename reg-tests/ssl/{ => certs}/set_cafile_client.pem (100%) rename reg-tests/ssl/{ => certs}/set_cafile_interCA1.crt (100%) rename reg-tests/ssl/{ => certs}/set_cafile_interCA2.crt (100%) rename reg-tests/ssl/{ => certs}/set_cafile_rootCA.crt (100%) rename reg-tests/ssl/{ => certs}/set_cafile_server.pem (100%) rename reg-tests/ssl/{ => certs}/set_default_cert.crt-list (100%) rename reg-tests/ssl/{ => certs}/set_default_cert.pem (100%) rename reg-tests/ssl/{ => certs}/show_ocsp_server.pem (100%) rename reg-tests/ssl/{ => certs}/show_ocsp_server.pem.issuer (100%) rename reg-tests/ssl/{ => certs}/show_ocsp_server.pem.ocsp (100%) rename reg-tests/ssl/{ => certs}/show_ocsp_server.pem.ocsp.revoked (100%) rename reg-tests/ssl/{ => certs}/simple.crt-list (100%) diff --git a/.github/h2spec.config b/.github/h2spec.config index 73a875197..4bd42eb6d 100644 --- a/.github/h2spec.config +++ b/.github/h2spec.config @@ -19,7 +19,7 @@ defaults frontend h2 mode http - bind 127.0.0.1:8443 ssl crt reg-tests/ssl/common.pem alpn h2,http/1.1 + bind 127.0.0.1:8443 ssl crt reg-tests/ssl/certs/common.pem alpn h2,http/1.1 default_backend h2b backend h2b diff --git a/reg-tests/checks/certs b/reg-tests/checks/certs new file mode 120000 index 000000000..836191727 --- /dev/null 
+++ b/reg-tests/checks/certs @@ -0,0 +1 @@ +../ssl/certs/ \ No newline at end of file diff --git a/reg-tests/checks/common.pem b/reg-tests/checks/common.pem deleted file mode 120000 index a4433d562..000000000 --- a/reg-tests/checks/common.pem +++ /dev/null @@ -1 +0,0 @@ -../ssl/common.pem \ No newline at end of file diff --git a/reg-tests/checks/ssl-hello-check.vtc b/reg-tests/checks/ssl-hello-check.vtc index 1bb16a2a8..b3d74e345 100644 --- a/reg-tests/checks/ssl-hello-check.vtc +++ b/reg-tests/checks/ssl-hello-check.vtc @@ -39,7 +39,7 @@ haproxy htst -conf { timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" frontend fe1 - bind "fd@${fe1}" ssl crt ${testdir}/common.pem + bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem frontend fe2 bind "fd@${fe2}" diff --git a/reg-tests/checks/tcp-check-client-hello.vtc b/reg-tests/checks/tcp-check-client-hello.vtc index 9ca9abd98..85dd38991 100644 --- a/reg-tests/checks/tcp-check-client-hello.vtc +++ b/reg-tests/checks/tcp-check-client-hello.vtc @@ -45,10 +45,10 @@ haproxy htst -conf { server fe1 ${htst_fe1_addr}:${htst_fe1_port} frontend fe1 - bind "fd@${fe1}" ssl crt ${testdir}/common.pem curves P-256:P-384 + bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem curves P-256:P-384 frontend fe3 - bind "fd@${fe3}" ssl crt ${testdir}/common.pem + bind "fd@${fe3}" ssl crt ${testdir}/certs/common.pem } -start haproxy h1 -conf { diff --git a/reg-tests/checks/tcp-check-ssl.vtc b/reg-tests/checks/tcp-check-ssl.vtc index 540637ed2..c0e33aaa5 100644 --- a/reg-tests/checks/tcp-check-ssl.vtc +++ b/reg-tests/checks/tcp-check-ssl.vtc @@ -62,7 +62,7 @@ haproxy htst -conf { server fe1 ${htst_fe1_addr}:${htst_fe1_port} frontend fe1 - bind "fd@${fe1}" ssl crt ${testdir}/common.pem + bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem } -start diff --git a/reg-tests/checks/tls_health_checks.vtc b/reg-tests/checks/tls_health_checks.vtc index 6155b04ec..324218e37 100644 --- a/reg-tests/checks/tls_health_checks.vtc 
+++ b/reg-tests/checks/tls_health_checks.vtc @@ -60,15 +60,15 @@ haproxy h1 -conf { frontend fe1 option httplog log ${S1_addr}:${S1_port} len 2048 local0 debug err - bind "fd@${fe1}" ssl crt ${testdir}/common.pem + bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem use_backend be1 frontend fe2 - bind "fd@${fe2}" ssl crt ${testdir}/common.pem + bind "fd@${fe2}" ssl crt ${testdir}/certs/common.pem use_backend be2 frontend fe3 - bind "fd@${fe3}" ssl crt ${testdir}/common.pem + bind "fd@${fe3}" ssl crt ${testdir}/certs/common.pem use_backend be3 } -start @@ -108,19 +108,19 @@ haproxy h2 -conf { option httpchk OPTIONS * HTTP/1.1 http-check send hdr Host www log ${S2_addr}:${S2_port} daemon - server srv1 ${h1_fe1_addr}:${h1_fe1_port} ssl crt ${testdir}/common.pem verify none check + server srv1 ${h1_fe1_addr}:${h1_fe1_port} ssl crt ${testdir}/certs/common.pem verify none check backend be4 option log-health-checks log ${S4_addr}:${S4_port} daemon - server srv2 ${h1_fe2_addr}:${h1_fe2_port} ssl crt ${testdir}/common.pem verify none check-ssl check + server srv2 ${h1_fe2_addr}:${h1_fe2_port} ssl crt ${testdir}/certs/common.pem verify none check-ssl check backend be6 option log-health-checks option httpchk OPTIONS * HTTP/1.1 http-check send hdr Host www log ${S6_addr}:${S6_port} daemon - server srv3 127.0.0.1:80 crt ${testdir}/common.pem verify none check check-ssl port ${h1_fe3_port} addr ${h1_fe3_addr}:80 + server srv3 127.0.0.1:80 crt ${testdir}/certs/common.pem verify none check check-ssl port ${h1_fe3_port} addr ${h1_fe3_addr}:80 } -start syslog S1 -wait diff --git a/reg-tests/compression/certs b/reg-tests/compression/certs new file mode 120000 index 000000000..836191727 --- /dev/null +++ b/reg-tests/compression/certs @@ -0,0 +1 @@ +../ssl/certs/ \ No newline at end of file diff --git a/reg-tests/compression/common.pem b/reg-tests/compression/common.pem deleted file mode 120000 index a4433d562..000000000 --- a/reg-tests/compression/common.pem +++ /dev/null 
@@ -1 +0,0 @@ -../ssl/common.pem \ No newline at end of file diff --git a/reg-tests/compression/lua_validation.vtc b/reg-tests/compression/lua_validation.vtc index 11bae8377..ff2840eeb 100644 --- a/reg-tests/compression/lua_validation.vtc +++ b/reg-tests/compression/lua_validation.vtc @@ -22,7 +22,7 @@ defaults mode http frontend main-https - bind "fd@${fe1}" ssl crt ${testdir}/common.pem + bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem compression algo gzip compression type text/html text/plain application/json application/javascript compression offload diff --git a/reg-tests/connection/ca-auth.crt b/reg-tests/connection/ca-auth.crt deleted file mode 120000 index 815a970f5..000000000 --- a/reg-tests/connection/ca-auth.crt +++ /dev/null @@ -1 +0,0 @@ -../ssl/ca-auth.crt \ No newline at end of file diff --git a/reg-tests/connection/certs b/reg-tests/connection/certs new file mode 120000 index 000000000..836191727 --- /dev/null +++ b/reg-tests/connection/certs @@ -0,0 +1 @@ +../ssl/certs/ \ No newline at end of file diff --git a/reg-tests/connection/client1.pem b/reg-tests/connection/client1.pem deleted file mode 120000 index c4d14f042..000000000 --- a/reg-tests/connection/client1.pem +++ /dev/null @@ -1 +0,0 @@ -../ssl/client1.pem \ No newline at end of file diff --git a/reg-tests/connection/common.pem b/reg-tests/connection/common.pem deleted file mode 120000 index a4433d562..000000000 --- a/reg-tests/connection/common.pem +++ /dev/null @@ -1 +0,0 @@ -../ssl/common.pem \ No newline at end of file diff --git a/reg-tests/connection/http_reuse_conn_hash.vtc b/reg-tests/connection/http_reuse_conn_hash.vtc index 37fc0513f..d67d3c568 100644 --- a/reg-tests/connection/http_reuse_conn_hash.vtc +++ b/reg-tests/connection/http_reuse_conn_hash.vtc 
@@ -47,7 +47,7 @@ haproxy h1 -conf { listen receiver bind "fd@${feR}" - bind "fd@${feR_ssl}" ssl crt ${testdir}/common.pem + bind "fd@${feR_ssl}" ssl crt ${testdir}/certs/common.pem bind "fd@${feR_proxy}" accept-proxy http-request return status 200 http-after-response set-header http_first_request %[http_first_req] diff --git a/reg-tests/connection/proxy_protocol_send_unique_id_alpn.vtc b/reg-tests/connection/proxy_protocol_send_unique_id_alpn.vtc index ab650948a..fa2f7d454 100644 --- a/reg-tests/connection/proxy_protocol_send_unique_id_alpn.vtc +++ b/reg-tests/connection/proxy_protocol_send_unique_id_alpn.vtc @@ -24,7 +24,7 @@ haproxy h1 -conf { server example ${h1_feR_addr}:${h1_feR_port} send-proxy-v2 proxy-v2-options unique-id ssl alpn XXX verify none listen receiver - bind "fd@${feR}" ssl crt ${testdir}/common.pem accept-proxy + bind "fd@${feR}" ssl crt ${testdir}/certs/common.pem accept-proxy http-request set-var(txn.proxy_unique_id) fc_pp_unique_id http-after-response set-header proxy_unique_id %[var(txn.proxy_unique_id)] diff --git a/reg-tests/connection/reverse_server_name.vtc b/reg-tests/connection/reverse_server_name.vtc index a37307a22..f13418438 100644 --- a/reg-tests/connection/reverse_server_name.vtc +++ b/reg-tests/connection/reverse_server_name.vtc @@ -29,7 +29,7 @@ backend be-reverse server dev rhttp@ ssl sni hdr(x-name) verify none frontend priv - bind "fd@${priv}" ssl crt ${testdir}/common.pem verify required ca-verify-file ${testdir}/ca-auth.crt alpn h2 + bind "fd@${priv}" ssl crt ${testdir}/certs/common.pem verify required ca-verify-file ${testdir}/certs/ca-auth.crt alpn h2 tcp-request session attach-srv be-reverse/dev name ssl_c_s_dn(CN) } -start 
@@ -45,7 +45,7 @@ defaults listen li bind "fd@${li}" - server h_edge "${h_edge_priv_addr}:${h_edge_priv_port}" ssl crt ${testdir}/client1.pem verify none alpn h2 + server h_edge "${h_edge_priv_addr}:${h_edge_priv_port}" ssl crt ${testdir}/certs/client1.pem verify none alpn h2 } -start # Run a client through private endpoint diff --git a/reg-tests/http-messaging/certs b/reg-tests/http-messaging/certs new file mode 120000 index 000000000..836191727 --- /dev/null +++ b/reg-tests/http-messaging/certs @@ -0,0 +1 @@ +../ssl/certs/ \ No newline at end of file diff --git a/reg-tests/http-messaging/common.pem b/reg-tests/http-messaging/common.pem deleted file mode 120000 index a4433d562..000000000 --- a/reg-tests/http-messaging/common.pem +++ /dev/null @@ -1 +0,0 @@ -../ssl/common.pem \ No newline at end of file diff --git a/reg-tests/http-messaging/srv_ws.vtc b/reg-tests/http-messaging/srv_ws.vtc index 5f1de0aea..40c4115fc 100644 --- a/reg-tests/http-messaging/srv_ws.vtc +++ b/reg-tests/http-messaging/srv_ws.vtc @@ -22,7 +22,7 @@ haproxy hapsrv -conf { frontend fe bind "fd@${fe}" - bind "fd@${fessl}" ssl crt ${testdir}/common.pem alpn h2,http/1.1 + bind "fd@${fessl}" ssl crt ${testdir}/certs/common.pem alpn h2,http/1.1 capture request header sec-websocket-key len 128 http-request set-var(txn.ver) req.ver use_backend be diff --git a/reg-tests/lua/certs b/reg-tests/lua/certs new file mode 120000 index 000000000..836191727 --- /dev/null +++ b/reg-tests/lua/certs @@ -0,0 +1 @@ +../ssl/certs/ \ No newline at end of file diff --git a/reg-tests/lua/common.pem b/reg-tests/lua/common.pem deleted file mode 120000 index a4433d562..000000000 --- a/reg-tests/lua/common.pem +++ /dev/null @@ -1 +0,0 @@ -../ssl/common.pem \ No newline at end of file diff --git a/reg-tests/lua/txn_get_priv-thread.vtc b/reg-tests/lua/txn_get_priv-thread.vtc index c58f93a55..6d7e67ba7 100644 --- a/reg-tests/lua/txn_get_priv-thread.vtc +++ b/reg-tests/lua/txn_get_priv-thread.vtc 
@@ -32,7 +32,7 @@ haproxy h1 -conf { frontend fe2 mode http - bind ":8443" ssl crt ${testdir}/common.pem + bind ":8443" ssl crt ${testdir}/certs/common.pem stats enable stats uri / diff --git a/reg-tests/lua/txn_get_priv.vtc b/reg-tests/lua/txn_get_priv.vtc index 24ac96252..076ecb4a6 100644 --- a/reg-tests/lua/txn_get_priv.vtc +++ b/reg-tests/lua/txn_get_priv.vtc @@ -26,7 +26,7 @@ haproxy h1 -conf { frontend fe2 mode http - bind ":8443" ssl crt ${testdir}/common.pem + bind ":8443" ssl crt ${testdir}/certs/common.pem stats enable stats uri / diff --git a/reg-tests/peers/certs b/reg-tests/peers/certs new file mode 120000 index 000000000..9b744ba4f --- /dev/null +++ b/reg-tests/peers/certs @@ -0,0 +1 @@ +../ssl/certs \ No newline at end of file diff --git a/reg-tests/peers/common.pem b/reg-tests/peers/common.pem deleted file mode 120000 index a4433d562..000000000 --- a/reg-tests/peers/common.pem +++ /dev/null @@ -1 +0,0 @@ -../ssl/common.pem \ No newline at end of file diff --git a/reg-tests/peers/tls_basic_sync.vtc b/reg-tests/peers/tls_basic_sync.vtc index 1618ef6db..4d81a73e4 100644 --- a/reg-tests/peers/tls_basic_sync.vtc +++ b/reg-tests/peers/tls_basic_sync.vtc @@ -19,8 +19,8 @@ haproxy h1 -arg "-L A" -conf { stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers peers peers - default-server ssl crt ${testdir}/common.pem verify none - bind "fd@${A}" ssl crt ${testdir}/common.pem + default-server ssl crt ${testdir}/certs/common.pem verify none + bind "fd@${A}" ssl crt ${testdir}/certs/common.pem server A server B ${h2_B_addr}:${h2_B_port} server C ${h3_C_addr}:${h3_C_port} 
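Review bot: The new `reg-tests/peers/certs` symlink targets `../ssl/certs` (blob 9b744ba4f) while `reg-tests/checks/certs`, `reg-tests/compression/certs`, `reg-tests/connection/certs`, `reg-tests/http-messaging/certs`, `reg-tests/lua/certs` and `reg-tests/server/certs` all target `../ssl/certs/` (blob 836191727); the `reg-tests/quic/certs` link in a later hunk has the same deviation. Both spellings resolve to the same directory, so nothing breaks, but a single form keeps the eight links identical objects and spares the next reader from wondering whether the trailing slash carries meaning. Suggest `+../ssl/certs/` for the peers and quic links.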
@@ -49,8 +49,8 @@ haproxy h2 -arg "-L B" -conf { stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers peers peers - default-server ssl crt ${testdir}/common.pem verify none - bind "fd@${B}" ssl crt ${testdir}/common.pem + default-server ssl crt ${testdir}/certs/common.pem verify none + bind "fd@${B}" ssl crt ${testdir}/certs/common.pem server A ${h1_A_addr}:${h1_A_port} server B server C ${h3_C_addr}:${h3_C_port} @@ -78,8 +78,8 @@ haproxy h3 -arg "-L C" -conf { stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers peers peers - default-server ssl crt ${testdir}/common.pem verify none - bind "fd@${C}" ssl crt ${testdir}/common.pem + default-server ssl crt ${testdir}/certs/common.pem verify none + bind "fd@${C}" ssl crt ${testdir}/certs/common.pem server A ${h1_A_addr}:${h1_A_port} server B ${h2_B_addr}:${h2_B_port} server C diff --git a/reg-tests/peers/tls_basic_sync_wo_stkt_backend.vtc b/reg-tests/peers/tls_basic_sync_wo_stkt_backend.vtc index 2b5bcacbe..4a6358e26 100644 --- a/reg-tests/peers/tls_basic_sync_wo_stkt_backend.vtc +++ b/reg-tests/peers/tls_basic_sync_wo_stkt_backend.vtc @@ -17,8 +17,8 @@ haproxy h1 -arg "-L A" -conf { peers peers table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) - default-server ssl crt ${testdir}/common.pem verify none - bind "fd@${A}" ssl crt ${testdir}/common.pem + default-server ssl crt ${testdir}/certs/common.pem verify none + bind "fd@${A}" ssl crt ${testdir}/certs/common.pem server A server B ${h2_B_addr}:${h2_B_port} server C ${h3_C_addr}:${h3_C_port} 
@@ -45,8 +45,8 @@ haproxy h2 -arg "-L B" -conf { peers peers table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) - default-server ssl crt ${testdir}/common.pem verify none - bind "fd@${B}" ssl crt ${testdir}/common.pem + default-server ssl crt ${testdir}/certs/common.pem verify none + bind "fd@${B}" ssl crt ${testdir}/certs/common.pem server A ${h1_A_addr}:${h1_A_port} server B server C ${h3_C_addr}:${h3_C_port} @@ -72,8 +72,8 @@ haproxy h3 -arg "-L C" -conf { peers peers table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) - default-server ssl crt ${testdir}/common.pem verify none - bind "fd@${C}" ssl crt ${testdir}/common.pem + default-server ssl crt ${testdir}/certs/common.pem verify none + bind "fd@${C}" ssl crt ${testdir}/certs/common.pem server A ${h1_A_addr}:${h1_A_port} server B ${h2_B_addr}:${h2_B_port} server C diff --git a/reg-tests/quic/certs b/reg-tests/quic/certs new file mode 120000 index 000000000..9b744ba4f --- /dev/null +++ b/reg-tests/quic/certs @@ -0,0 +1 @@ +../ssl/certs \ No newline at end of file diff --git a/reg-tests/quic/common.pem b/reg-tests/quic/common.pem deleted file mode 120000 index a4433d562..000000000 --- a/reg-tests/quic/common.pem +++ /dev/null @@ -1 +0,0 @@ -../ssl/common.pem \ No newline at end of file diff --git a/reg-tests/quic/retry.vtc b/reg-tests/quic/retry.vtc index 15d2d554f..89a3b08de 100644 --- a/reg-tests/quic/retry.vtc +++ b/reg-tests/quic/retry.vtc @@ -28,11 +28,11 @@ haproxy ha2 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" listen quic_lstnr - bind "quic+fd@${fe_quic}" ssl crt ${testdir}/common.pem + bind "quic+fd@${fe_quic}" ssl crt ${testdir}/certs/common.pem server srv ${s1_addr}:${s1_port} listen quic_lstnr_retry - bind "quic+fd@${fe_quic_retry}" ssl crt ${testdir}/common.pem quic-force-retry + bind "quic+fd@${fe_quic_retry}" ssl crt ${testdir}/certs/common.pem quic-force-retry server srv ${s1_addr}:${s1_port} } -start 
diff --git a/reg-tests/server/certs b/reg-tests/server/certs new file mode 120000 index 000000000..836191727 --- /dev/null +++ b/reg-tests/server/certs @@ -0,0 +1 @@ +../ssl/certs/ \ No newline at end of file diff --git a/reg-tests/server/cli_add_ssl_server.vtc b/reg-tests/server/cli_add_ssl_server.vtc index bfff7af7d..a8afd301e 100644 --- a/reg-tests/server/cli_add_ssl_server.vtc +++ b/reg-tests/server/cli_add_ssl_server.vtc @@ -47,7 +47,7 @@ haproxy h1 -conf { # frontend used to respond to ssl connection frontend fe-ssl-term - bind "fd@${feSslTerm}" ssl crt ${testdir}/common.pem + bind "fd@${feSslTerm}" ssl crt ${testdir}/certs/common.pem http-request return status 200 } -start @@ -63,7 +63,7 @@ client c1 -connect ${h1_feSsl_sock} { shell { echo "new ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" - - printf "set ssl ca-file common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file common.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - echo "commit ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" - } -run diff --git a/reg-tests/server/common.pem b/reg-tests/server/common.pem deleted file mode 120000 index a4433d562..000000000 --- a/reg-tests/server/common.pem +++ /dev/null @@ -1 +0,0 @@ -../ssl/common.pem \ No newline at end of file diff --git a/reg-tests/ssl/add_ssl_crt-list.vtc b/reg-tests/ssl/add_ssl_crt-list.vtc index 5dd2d9506..e5eaaaacc 100644 --- a/reg-tests/ssl/add_ssl_crt-list.vtc +++ b/reg-tests/ssl/add_ssl_crt-list.vtc @@ -30,7 +30,7 @@ haproxy h1 -conf { tune.ssl.default-dh-param 2048 .endif tune.ssl.capture-buffer-size 1 - crt-base ${testdir} + crt-base ${testdir}/certs stats socket "${tmpdir}/h1/stats" level admin defaults 
@@ -52,15 +52,15 @@ haproxy h1 -conf { listen ssl-lst mode http - bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list + bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list "${testdir}/certs/localhost.crt-list" server s1 ${s1_addr}:${s1_port} - server s2 ${s1_addr}:${s1_port} ssl crt "${testdir}/common.pem" weight 0 verify none + server s2 ${s1_addr}:${s1_port} ssl crt "${testdir}/certs/common.pem" weight 0 verify none } -start haproxy h1 -cli { - send "show ssl cert ${testdir}/common.pem" + send "show ssl cert ${testdir}/certs/common.pem" expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA" } 
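Review bot: The bind line's crt-list path gains double quotes, `crt-list "${testdir}/certs/localhost.crt-list"`, while every other path this commit touches, including `crt-base ${testdir}/certs` in the previous hunk and the `show ssl cert ${testdir}/certs/common.pem` CLI send below, stays unquoted. The quoting is harmless, but it is an unrelated edit inside a pure path-move commit and makes the hunk read as more than a rename. Either keep `crt-list ${testdir}/certs/localhost.crt-list` so the hunk stays a mechanical path rewrite, or say in the commit message why the quotes were added. The `haproxy h1 -conf` block this line belongs to starts outside the hunk.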
@@ -71,26 +71,26 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" - - printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/common.pem [ssl-min-ver SSLv3 verify none allow-0rtt] !*\n\n" | socat "${tmpdir}/h1/stats" - - printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" - - printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" - - printf "add ssl crt-list ${testdir}/localhost.crt-list/// <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" - - printf "add ssl crt-list ${testdir}/localhost.crt-list///// <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" - - printf "add ssl crt-list ${testdir}/localhost.crt-list// ${testdir}/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" - + echo "new ssl cert ${testdir}/certs/ecdsa.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/ecdsa.pem <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/ecdsa.pem" | socat "${tmpdir}/h1/stats" - + printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/common.pem [ssl-min-ver SSLv3 verify none allow-0rtt] !*\n\n" | socat "${tmpdir}/h1/stats" - + printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" - + printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/ecdsa.pem [verify none 
allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" - + printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/// <<\n${testdir}/certs/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" - + printf "add ssl crt-list ${testdir}/certs/localhost.crt-list///// <<\n${testdir}/certs/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" - + printf "add ssl crt-list ${testdir}/certs/localhost.crt-list// ${testdir}/certs/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/ecdsa.pem" + send "show ssl cert ${testdir}/certs/ecdsa.pem" expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" } haproxy h1 -cli { - send "show ssl crt-list ${testdir}/localhost.crt-list//" + send "show ssl crt-list ${testdir}/certs/localhost.crt-list//" # check the options and the filters in any order - expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*" + expect ~ ".*${testdir}/certs/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*" } client c1 -connect ${h1_clearlst_sock} { 
@@ -103,17 +103,17 @@ client c1 -connect ${h1_clearlst_sock} {
 # Try to add a new line that mentions an "unknown" CA file (not loaded yet).
 # It should fail since no disk access are allowed during runtime.
 shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ca-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ca-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
 }
 shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ca-verify-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ca-verify-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
 }
 shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [crl-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [crl-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
 }
 # Check that the new line was not added to the crt-list.
 haproxy h1 -cli {
- send "show ssl crt-list ${testdir}/localhost.crt-list//"
- expect !~ ".*ca-file ${testdir}/ca-auth.crt"
+ send "show ssl crt-list ${testdir}/certs/localhost.crt-list//"
+ expect !~ ".*ca-file ${testdir}/certs/ca-auth.crt"
 }
diff --git a/reg-tests/ssl/bug-2265.crt b/reg-tests/ssl/certs/bug-2265.crt
similarity index 100%
rename from reg-tests/ssl/bug-2265.crt
rename to reg-tests/ssl/certs/bug-2265.crt
diff --git a/reg-tests/ssl/ca-auth.crt b/reg-tests/ssl/certs/ca-auth.crt
similarity index 100%
rename from reg-tests/ssl/ca-auth.crt
rename to reg-tests/ssl/certs/ca-auth.crt
diff --git a/reg-tests/ssl/cert1-example.com.pem.ecdsa b/reg-tests/ssl/certs/cert1-example.com.pem.ecdsa
similarity index 100%
rename from reg-tests/ssl/cert1-example.com.pem.ecdsa
rename to reg-tests/ssl/certs/cert1-example.com.pem.ecdsa
diff --git a/reg-tests/ssl/cert1-example.com.pem.rsa b/reg-tests/ssl/certs/cert1-example.com.pem.rsa
similarity index 100%
rename from reg-tests/ssl/cert1-example.com.pem.rsa
rename to reg-tests/ssl/certs/cert1-example.com.pem.rsa
diff --git a/reg-tests/ssl/cert2-example.com.pem.ecdsa b/reg-tests/ssl/certs/cert2-example.com.pem.ecdsa
similarity index 100%
rename from reg-tests/ssl/cert2-example.com.pem.ecdsa
rename to reg-tests/ssl/certs/cert2-example.com.pem.ecdsa
diff --git a/reg-tests/ssl/cert2-example.com.pem.rsa b/reg-tests/ssl/certs/cert2-example.com.pem.rsa
similarity index 100%
rename from reg-tests/ssl/cert2-example.com.pem.rsa
rename to reg-tests/ssl/certs/cert2-example.com.pem.rsa
diff --git a/reg-tests/ssl/client.ecdsa.pem b/reg-tests/ssl/certs/client.ecdsa.pem
similarity index 100%
rename from reg-tests/ssl/client.ecdsa.pem
rename to reg-tests/ssl/certs/client.ecdsa.pem
diff --git a/reg-tests/ssl/client1.pem b/reg-tests/ssl/certs/client1.pem
similarity index 100%
rename from reg-tests/ssl/client1.pem
rename to reg-tests/ssl/certs/client1.pem
diff --git a/reg-tests/ssl/client2_expired.pem b/reg-tests/ssl/certs/client2_expired.pem
similarity index 100%
rename from reg-tests/ssl/client2_expired.pem
rename to reg-tests/ssl/certs/client2_expired.pem
diff --git a/reg-tests/ssl/client3_revoked.pem b/reg-tests/ssl/certs/client3_revoked.pem
similarity index 100%
rename from reg-tests/ssl/client3_revoked.pem
rename to reg-tests/ssl/certs/client3_revoked.pem
diff --git a/reg-tests/ssl/common.4096.dh b/reg-tests/ssl/certs/common.4096.dh
similarity index 100%
rename from reg-tests/ssl/common.4096.dh
rename to reg-tests/ssl/certs/common.4096.dh
diff --git a/reg-tests/ssl/common.crt b/reg-tests/ssl/certs/common.crt
similarity index 100%
rename from reg-tests/ssl/common.crt
rename to reg-tests/ssl/certs/common.crt
diff --git a/reg-tests/ssl/common.key b/reg-tests/ssl/certs/common.key
similarity index 100%
rename from reg-tests/ssl/common.key
rename to reg-tests/ssl/certs/common.key
diff --git a/reg-tests/ssl/common.pem b/reg-tests/ssl/certs/common.pem
similarity index 100%
rename from reg-tests/ssl/common.pem
rename to reg-tests/ssl/certs/common.pem
diff --git a/reg-tests/ssl/crl-auth.pem b/reg-tests/ssl/certs/crl-auth.pem
similarity index 100%
rename from reg-tests/ssl/crl-auth.pem
rename to reg-tests/ssl/certs/crl-auth.pem
diff --git a/reg-tests/ssl/ecdsa.crt b/reg-tests/ssl/certs/ecdsa.crt
similarity index 100%
rename from reg-tests/ssl/ecdsa.crt
rename to reg-tests/ssl/certs/ecdsa.crt
diff --git a/reg-tests/ssl/ecdsa.key b/reg-tests/ssl/certs/ecdsa.key
similarity index 100%
rename from reg-tests/ssl/ecdsa.key
rename to reg-tests/ssl/certs/ecdsa.key
diff --git a/reg-tests/ssl/ecdsa.pem b/reg-tests/ssl/certs/ecdsa.pem
similarity index 100%
rename from reg-tests/ssl/ecdsa.pem
rename to reg-tests/ssl/certs/ecdsa.pem
diff --git a/reg-tests/ssl/filters.crt-list b/reg-tests/ssl/certs/filters.crt-list
similarity index 100%
rename from reg-tests/ssl/filters.crt-list
rename to reg-tests/ssl/certs/filters.crt-list
diff --git a/reg-tests/ssl/generate_certificates/gen_cert_ca.pem b/reg-tests/ssl/certs/generate_certificates/gen_cert_ca.pem
similarity index 100%
rename from reg-tests/ssl/generate_certificates/gen_cert_ca.pem
rename to reg-tests/ssl/certs/generate_certificates/gen_cert_ca.pem
diff --git a/reg-tests/ssl/generate_certificates/gen_cert_server.pem b/reg-tests/ssl/certs/generate_certificates/gen_cert_server.pem
similarity index 100%
rename from reg-tests/ssl/generate_certificates/gen_cert_server.pem
rename to reg-tests/ssl/certs/generate_certificates/gen_cert_server.pem
diff --git a/reg-tests/ssl/interCA1_crl.pem b/reg-tests/ssl/certs/interCA1_crl.pem
similarity index 100%
rename from reg-tests/ssl/interCA1_crl.pem
rename to reg-tests/ssl/certs/interCA1_crl.pem
diff --git a/reg-tests/ssl/interCA1_crl_empty.pem b/reg-tests/ssl/certs/interCA1_crl_empty.pem
similarity index 100%
rename from reg-tests/ssl/interCA1_crl_empty.pem
rename to reg-tests/ssl/certs/interCA1_crl_empty.pem
diff --git a/reg-tests/ssl/interCA2_crl.pem b/reg-tests/ssl/certs/interCA2_crl.pem
similarity index 100%
rename from reg-tests/ssl/interCA2_crl.pem
rename to reg-tests/ssl/certs/interCA2_crl.pem
diff --git a/reg-tests/ssl/interCA2_crl_empty.pem b/reg-tests/ssl/certs/interCA2_crl_empty.pem
similarity index 100%
rename from reg-tests/ssl/interCA2_crl_empty.pem
rename to reg-tests/ssl/certs/interCA2_crl_empty.pem
diff --git a/reg-tests/ssl/issuers-chain-path/ca/ca.crt b/reg-tests/ssl/certs/issuers-chain-path/ca/ca.crt
similarity index 100%
rename from reg-tests/ssl/issuers-chain-path/ca/ca.crt
rename to reg-tests/ssl/certs/issuers-chain-path/ca/ca.crt
diff --git a/reg-tests/ssl/issuers-chain-path/server.pem b/reg-tests/ssl/certs/issuers-chain-path/server.pem
similarity index 100%
rename from reg-tests/ssl/issuers-chain-path/server.pem
rename to reg-tests/ssl/certs/issuers-chain-path/server.pem
diff --git a/reg-tests/ssl/localhost.crt-list b/reg-tests/ssl/certs/localhost.crt-list
similarity index 100%
rename from reg-tests/ssl/localhost.crt-list
rename to reg-tests/ssl/certs/localhost.crt-list
diff --git a/reg-tests/ssl/ocsp_update/index.txt b/reg-tests/ssl/certs/ocsp_update/index.txt
similarity index 100%
rename from reg-tests/ssl/ocsp_update/index.txt
rename to reg-tests/ssl/certs/ocsp_update/index.txt
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa.issuer b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa.issuer
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa.issuer
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa.issuer
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa.ocsp b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa.ocsp
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa.ocsp
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa.ocsp
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa.issuer b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa.issuer
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp_ecdsa.pem b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp_ecdsa.pem
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem
diff --git a/reg-tests/ssl/ocsp_update/multicert/server_ocsp_ecdsa.pem.ocsp b/reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem.ocsp
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert/server_ocsp_ecdsa.pem.ocsp
rename to reg-tests/ssl/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem.ocsp
diff --git a/reg-tests/ssl/ocsp_update/multicert_both_certs.crt-list b/reg-tests/ssl/certs/ocsp_update/multicert_both_certs.crt-list
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_both_certs.crt-list
rename to reg-tests/ssl/certs/ocsp_update/multicert_both_certs.crt-list
diff --git a/reg-tests/ssl/ocsp_update/multicert_ecdsa.crt-list b/reg-tests/ssl/certs/ocsp_update/multicert_ecdsa.crt-list
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_ecdsa.crt-list
rename to reg-tests/ssl/certs/ocsp_update/multicert_ecdsa.crt-list
diff --git a/reg-tests/ssl/ocsp_update/multicert_ecdsa_no_update.crt-list b/reg-tests/ssl/certs/ocsp_update/multicert_ecdsa_no_update.crt-list
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_ecdsa_no_update.crt-list
rename to reg-tests/ssl/certs/ocsp_update/multicert_ecdsa_no_update.crt-list
diff --git a/reg-tests/ssl/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem b/reg-tests/ssl/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem
rename to reg-tests/ssl/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem
diff --git a/reg-tests/ssl/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem b/reg-tests/ssl/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem
rename to reg-tests/ssl/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem
diff --git a/reg-tests/ssl/ocsp_update/multicert_rsa.crt-list b/reg-tests/ssl/certs/ocsp_update/multicert_rsa.crt-list
similarity index 100%
rename from reg-tests/ssl/ocsp_update/multicert_rsa.crt-list
rename to reg-tests/ssl/certs/ocsp_update/multicert_rsa.crt-list
diff --git a/reg-tests/ssl/ocsp_update/ocsp.haproxy.com.pem b/reg-tests/ssl/certs/ocsp_update/ocsp.haproxy.com.pem
similarity index 100%
rename from reg-tests/ssl/ocsp_update/ocsp.haproxy.com.pem
rename to reg-tests/ssl/certs/ocsp_update/ocsp.haproxy.com.pem
diff --git a/reg-tests/ssl/ocsp_update/ocsp_update_rootca.crt b/reg-tests/ssl/certs/ocsp_update/ocsp_update_rootca.crt
similarity index 100%
rename from reg-tests/ssl/ocsp_update/ocsp_update_rootca.crt
rename to reg-tests/ssl/certs/ocsp_update/ocsp_update_rootca.crt
diff --git a/reg-tests/ssl/rootCA_crl.pem b/reg-tests/ssl/certs/rootCA_crl.pem
similarity index 100%
rename from reg-tests/ssl/rootCA_crl.pem
rename to reg-tests/ssl/certs/rootCA_crl.pem
diff --git a/reg-tests/ssl/set_cafile_client.pem b/reg-tests/ssl/certs/set_cafile_client.pem
similarity index 100%
rename from reg-tests/ssl/set_cafile_client.pem
rename to reg-tests/ssl/certs/set_cafile_client.pem
diff --git a/reg-tests/ssl/set_cafile_interCA1.crt b/reg-tests/ssl/certs/set_cafile_interCA1.crt
similarity index 100%
rename from reg-tests/ssl/set_cafile_interCA1.crt
rename to reg-tests/ssl/certs/set_cafile_interCA1.crt
diff --git a/reg-tests/ssl/set_cafile_interCA2.crt b/reg-tests/ssl/certs/set_cafile_interCA2.crt
similarity index 100%
rename from reg-tests/ssl/set_cafile_interCA2.crt
rename to reg-tests/ssl/certs/set_cafile_interCA2.crt
diff --git a/reg-tests/ssl/set_cafile_rootCA.crt b/reg-tests/ssl/certs/set_cafile_rootCA.crt
similarity index 100%
rename from reg-tests/ssl/set_cafile_rootCA.crt
rename to reg-tests/ssl/certs/set_cafile_rootCA.crt
diff --git a/reg-tests/ssl/set_cafile_server.pem b/reg-tests/ssl/certs/set_cafile_server.pem
similarity index 100%
rename from reg-tests/ssl/set_cafile_server.pem
rename to reg-tests/ssl/certs/set_cafile_server.pem
diff --git a/reg-tests/ssl/set_default_cert.crt-list b/reg-tests/ssl/certs/set_default_cert.crt-list
similarity index 100%
rename from reg-tests/ssl/set_default_cert.crt-list
rename to reg-tests/ssl/certs/set_default_cert.crt-list
diff --git a/reg-tests/ssl/set_default_cert.pem b/reg-tests/ssl/certs/set_default_cert.pem
similarity index 100%
rename from reg-tests/ssl/set_default_cert.pem
rename to reg-tests/ssl/certs/set_default_cert.pem
diff --git a/reg-tests/ssl/show_ocsp_server.pem b/reg-tests/ssl/certs/show_ocsp_server.pem
similarity index 100%
rename from reg-tests/ssl/show_ocsp_server.pem
rename to reg-tests/ssl/certs/show_ocsp_server.pem
diff --git a/reg-tests/ssl/show_ocsp_server.pem.issuer b/reg-tests/ssl/certs/show_ocsp_server.pem.issuer
similarity index 100%
rename from reg-tests/ssl/show_ocsp_server.pem.issuer
rename to reg-tests/ssl/certs/show_ocsp_server.pem.issuer
diff --git a/reg-tests/ssl/show_ocsp_server.pem.ocsp b/reg-tests/ssl/certs/show_ocsp_server.pem.ocsp
similarity index 100%
rename from reg-tests/ssl/show_ocsp_server.pem.ocsp
rename to reg-tests/ssl/certs/show_ocsp_server.pem.ocsp
diff --git a/reg-tests/ssl/show_ocsp_server.pem.ocsp.revoked b/reg-tests/ssl/certs/show_ocsp_server.pem.ocsp.revoked
similarity index 100%
rename from reg-tests/ssl/show_ocsp_server.pem.ocsp.revoked
rename to reg-tests/ssl/certs/show_ocsp_server.pem.ocsp.revoked
diff --git a/reg-tests/ssl/simple.crt-list b/reg-tests/ssl/certs/simple.crt-list
similarity index 100%
rename from reg-tests/ssl/simple.crt-list
rename to reg-tests/ssl/certs/simple.crt-list
diff --git a/reg-tests/ssl/crt_store.vtc b/reg-tests/ssl/crt_store.vtc
index eecdcc45d..46208073a 100644
--- a/reg-tests/ssl/crt_store.vtc
+++ b/reg-tests/ssl/crt_store.vtc
@@ -17,7 +17,7 @@ haproxy h1 -arg -V -conf-OK {
 .endif
 crt-store
- load crt "${testdir}/common.crt" key "${testdir}/common.key"
+ load crt "${testdir}/certs/common.crt" key "${testdir}/certs/common.key"
 defaults
 timeout client 30s
@@ -25,17 +25,17 @@ haproxy h1 -arg -V -conf-OK {
 timeout connect 30s
 listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.crt strict-sni
+ bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.crt" strict-sni
 }
 haproxy h2 -arg -V -conf-BAD {} {
 listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
+ bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.pem" strict-sni
 crt-store
- load crt "${testdir}/common.pem" key "${testdir}/common.key"
+ load crt "${testdir}/certs/common.pem" key "${testdir}/certs/common.key"
 }
diff --git a/reg-tests/ssl/del_ssl_crt-list.vtc b/reg-tests/ssl/del_ssl_crt-list.vtc
index df0a51a21..ba9fbcbf4 100644
--- a/reg-tests/ssl/del_ssl_crt-list.vtc
+++ b/reg-tests/ssl/del_ssl_crt-list.vtc
@@ -28,7 +28,7 @@ haproxy h1 -conf {
 tune.ssl.default-dh-param 2048
 .endif
 tune.ssl.capture-buffer-size 1
- crt-base ${testdir}
+ crt-base ${testdir}/certs
 stats socket "${tmpdir}/h1/stats" level admin
 ssl-default-bind-options strict-sni
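Review bot: The two `bind` lines in the `@@ -25,17 +25,17 @@` hunk of crt_store.vtc gain double quotes around the certificate path (`crt "${testdir}/certs/common.crt"` and `crt "${testdir}/certs/common.pem"`) while the same construct elsewhere in this series stays unquoted, e.g. `bind 127.0.0.1:2514 ssl crt ${testdir}/certs/common.pem` in log_forward_ssl.vtc and the `crt-list ${testdir}/certs/...` bind lines in del_ssl_crt-list.vtc. The quoting is harmless, but it is an unrelated edit inside a mechanical path move and the commit description does not mention it; either drop it so every hunk is a pure rename, or apply it consistently across the moved tests and say so. The h2 instance runs under `-conf-BAD` and appears to rely on its `bind ... crt` and `crt-store load crt` naming the same `common.pem`, so it is worth confirming the quoted form still triggers the expected rejection rather than being parsed differently.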
@@ -54,12 +54,12 @@ haproxy h1 -conf {
 listen first-ssl-fe
 # note: strict-sni is enforced from ssl-default-bind-options above
 mode http
- bind "${tmpdir}/first-ssl.sock" ssl crt-list ${testdir}/simple.crt-list
+ bind "${tmpdir}/first-ssl.sock" ssl crt-list ${testdir}/certs/simple.crt-list
 server s1 ${s1_addr}:${s1_port}
 listen second-ssl-fe
 mode http
- bind "${tmpdir}/second-ssl.sock" ssl no-strict-sni crt-list ${testdir}/localhost.crt-list
+ bind "${tmpdir}/second-ssl.sock" ssl no-strict-sni crt-list ${testdir}/certs/localhost.crt-list
 server s1 ${s1_addr}:${s1_port}
 } -start
@@ -78,12 +78,12 @@ client c1 -connect ${h1_clearlst_sock} {
 } -run
 haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/simple.crt-list ${testdir}/common.pem:2"
- expect ~ "Entry '${testdir}/common.pem' deleted in crtlist '${testdir}/simple.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:2"
+ expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
 }
 haproxy h1 -cli {
- send "show ssl crt-list -n ${testdir}/simple.crt-list"
+ send "show ssl crt-list -n ${testdir}/certs/simple.crt-list"
 expect !~ "common.pem:2"
 }
@@ -98,12 +98,12 @@ client c1 -connect ${h1_clearlst_sock} {
 # We should not be able to delete the crt-list's first line since it is the
 # default certificate of this bind line and the strict-sni option is not enabled.
 haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
- expect ~ "Can't delete the entry: certificate '${testdir}/common.pem' cannot be deleted, it is used as default certificate by the following frontends:"
+ send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
+ expect ~ "Can't delete the entry: certificate '${testdir}/certs/common.pem' cannot be deleted, it is used as default certificate by the following frontends:"
 }
 # We should be able to delete any line of the crt-list since the strict-sni option is enabled.
 haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/simple.crt-list ${testdir}/common.pem:1"
- expect ~ "Entry '${testdir}/common.pem' deleted in crtlist '${testdir}/simple.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:1"
+ expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
 }
diff --git a/reg-tests/ssl/dynamic_server_ssl.vtc b/reg-tests/ssl/dynamic_server_ssl.vtc
index 2529e9450..23b5605b4 100644
--- a/reg-tests/ssl/dynamic_server_ssl.vtc
+++ b/reg-tests/ssl/dynamic_server_ssl.vtc
@@ -36,20 +36,20 @@ haproxy h1 -conf {
 default_backend test
 backend test
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
- server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
- server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
+ server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
+ server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
 listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem"
+ bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.pem"
 server s1 ${s1_addr}:${s1_port}
 } -start
 haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
 expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
 }
 client c1 -connect ${h1_feS_sock} {
@@ -59,7 +59,7 @@ client c1 -connect ${h1_feS_sock} {
 } -run
 haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
 expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
 }
@@ -83,26 +83,26 @@ haproxy h1 -cli {
 # Replace certificate with an expired one
 shell {
- printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
 }
 haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
 expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
 }
 haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
 expect ~ ".*Status: Unused"
 }
 haproxy h1 -cli {
- send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem"
+ send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/certs/client1.pem"
 expect ~ "New server registered."
 send "enable server test/s1"
 expect ~ ".*"
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
 expect ~ ".*Status: Used"
 }
diff --git a/reg-tests/ssl/issuers_chain_path.vtc b/reg-tests/ssl/issuers_chain_path.vtc
index ee63b9a1e..6c7de0a1c 100644
--- a/reg-tests/ssl/issuers_chain_path.vtc
+++ b/reg-tests/ssl/issuers_chain_path.vtc
@@ -14,8 +14,8 @@ haproxy h1 -conf {
 .endif
 stats socket "${tmpdir}/h1/stats" level admin
- issuers-chain-path "${testdir}/issuers-chain-path/ca/"
- crt-base "${testdir}/issuers-chain-path"
+ issuers-chain-path "${testdir}/certs/issuers-chain-path/ca/"
+ crt-base "${testdir}/certs/issuers-chain-path"
 defaults
 mode http
@@ -34,9 +34,9 @@ haproxy h1 -conf {
 # We should have two distinct ocsp responses known that were loaded at build time
 haproxy h1 -cli {
- send "show ssl cert ${testdir}/issuers-chain-path/server.pem"
+ send "show ssl cert ${testdir}/certs/issuers-chain-path/server.pem"
 expect ~ ".*Chain Filename.*"
- send "show ssl cert ${testdir}/issuers-chain-path/server.pem"
+ send "show ssl cert ${testdir}/certs/issuers-chain-path/server.pem"
 expect ~ ".*Chain Subject.*"
 }
diff --git a/reg-tests/ssl/log_forward_ssl.vtc b/reg-tests/ssl/log_forward_ssl.vtc
index 0d59780de..b8958ace0 100644
--- a/reg-tests/ssl/log_forward_ssl.vtc
+++ b/reg-tests/ssl/log_forward_ssl.vtc
@@ -51,7 +51,7 @@ haproxy h1 -conf {
 log ring@myring local0 # To TCP log
 log-forward syslog2local
- bind 127.0.0.1:2514 ssl crt ${testdir}/common.pem
+ bind 127.0.0.1:2514 ssl crt ${testdir}/certs/common.pem
 log ${Slg1_addr}:${Slg1_port} local0 # To VTest syslog
 } -start
diff --git a/reg-tests/ssl/new_del_ssl_cafile.vtc b/reg-tests/ssl/new_del_ssl_cafile.vtc
index f81bf7ee0..edab4744d 100644
--- a/reg-tests/ssl/new_del_ssl_cafile.vtc
+++ b/reg-tests/ssl/new_del_ssl_cafile.vtc
@@ -30,7 +30,7 @@ haproxy h1 -conf {
 .endif
 tune.ssl.capture-buffer-size 1
 stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}
+ crt-base ${testdir}/certs
 defaults
 mode http
@@ -49,13 +49,13 @@ haproxy h1 -conf {
 default_backend default_be
 backend default_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(www.test1.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(www.test1.com)
 backend with_ca_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(with-ca.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(with-ca.com)
 listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required crt-ignore-err all
 http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
 server s1 ${s1_addr}:${s1_port}
 } -start
@@ -83,7 +83,7 @@ haproxy h1 -cli {
 }
 shell {
- printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
 echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
 }
@@ -98,12 +98,12 @@ haproxy h1 -cli {
 }
 shell {
- printf "add ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
 echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
 }
 shell {
- printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
 echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
 }
@@ -124,14 +124,14 @@ client c1 -connect ${h1_clearlst_sock} {
 # Add a new certificate that will use the new CA file
 shell {
- echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ echo "new ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/set_cafile_server.pem <<\n$(cat ${testdir}/certs/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
 }
 # Create a new crt-list line that will use the new CA file
 shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" | socat "${tmpdir}/h1/stats" -
 }
 client c1 -connect ${h1_clearlst_sock} {
@@ -144,8 +144,8 @@ client c1 -connect ${h1_clearlst_sock} {
 # Delete the newly added crt-list line and CA file
 haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
- expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/set_cafile_server.pem"
+ expect ~ "Entry '${testdir}/certs/set_cafile_server.pem' deleted in crtlist '${testdir}/certs/localhost.crt-list'!"
 send "del ssl ca-file new_cafile.crt"
 expect ~ "CA file 'new_cafile.crt' deleted!"
diff --git a/reg-tests/ssl/new_del_ssl_crlfile.vtc b/reg-tests/ssl/new_del_ssl_crlfile.vtc
index 42bc08810..ce8187102 100644
--- a/reg-tests/ssl/new_del_ssl_crlfile.vtc
+++ b/reg-tests/ssl/new_del_ssl_crlfile.vtc
@@ -30,7 +30,7 @@ haproxy h1 -conf {
 .endif
 tune.ssl.capture-buffer-size 1
 stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}
+ crt-base ${testdir}/certs
 defaults
 mode http
@@ -49,13 +49,13 @@ haproxy h1 -conf {
 default_backend default_be
 backend default_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(www.test1.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem sni str(www.test1.com)
 backend with_crl_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(with-crl.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem sni str(with-crl.com)
 listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-file ${testdir}/ca-auth.crt verify required crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list ca-file ${testdir}/certs/ca-auth.crt verify required crt-ignore-err all
 http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
 server s1 ${s1_addr}:${s1_port}
 } -start
@@ -83,7 +83,7 @@ haproxy h1 -cli {
 }
 shell {
- printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/crl-auth.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/certs/crl-auth.pem)\n\n" | socat "${tmpdir}/h1/stats" -
 echo "commit ssl crl-file new_crlfile.crt" | socat "${tmpdir}/h1/stats" -
 }
@@ -97,14 +97,14 @@ haproxy h1 -cli {
 # Add a new certificate that will use the new CA file
 shell {
- echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ echo "new ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/set_cafile_server.pem <<\n$(cat ${testdir}/certs/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
 }
 # Create a new crt-list line that will use the new CA file
 shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" | socat "${tmpdir}/h1/stats" -
 }
 client c1 -connect ${h1_clearlst_sock} {
@@ -126,8 +126,8 @@ client c1 -connect ${h1_clearlst_sock} {
 # Delete the newly added crt-list line and CRL file
 haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
- expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/set_cafile_server.pem"
+ expect ~ "Entry '${testdir}/certs/set_cafile_server.pem' deleted in crtlist '${testdir}/certs/localhost.crt-list'!"
 send "del ssl crl-file new_crlfile.crt"
 expect ~ "CRL file 'new_crlfile.crt' deleted!"
diff --git a/reg-tests/ssl/ocsp_auto_update.vtc b/reg-tests/ssl/ocsp_auto_update.vtc
index 710149794..4d1f45fb0 100644
--- a/reg-tests/ssl/ocsp_auto_update.vtc
+++ b/reg-tests/ssl/ocsp_auto_update.vtc
@@ -56,7 +56,7 @@ haproxy h1 -conf {
 .endif
 tune.ssl.capture-buffer-size 1
 stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
 defaults
 mode http
@@ -68,7 +68,7 @@ haproxy h1 -conf {
 timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
 frontend ssl-fe
- bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
 http-request return status 200
 } -start
@@ -105,16 +105,16 @@ haproxy h1 -wait # calling "show ssl ocsp-response". This is done through the Syslog_ocsp # listener and a dedicated barrier. -process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start +process p2 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start barrier b2 cond 2 -cyclic syslog Syslog_ocsp -level notice { recv - expect ~ " ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" recv - expect ~ " ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" barrier b2 sync } -start @@ -130,7 +130,7 @@ haproxy h2 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h2/stats" level admin - crt-base ${testdir}/ocsp_update + crt-base ${testdir}/certs/ocsp_update log ${Syslog_ocsp_addr}:${Syslog_ocsp_port} local0 notice notice defaults 
@@ -142,11 +142,11 @@ haproxy h2 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-fe - bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 frontend ssl-ecdsa-fe - bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 } -start @@ -182,13 +182,13 @@ process p2 -wait -expect-exit 0 # will not enable ocsp-update on its certificate. Only one request should then # be sent. -process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start +process p3 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start barrier b3 cond 2 -cyclic syslog Syslog_ocsp3 -level notice { recv - expect ~ " ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" barrier b3 sync } -start 
@@ -203,7 +203,7 @@ haproxy h3 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h3/stats" level admin - crt-base ${testdir}/ocsp_update + crt-base ${testdir}/certs/ocsp_update log ${Syslog_ocsp3_addr}:${Syslog_ocsp3_port} local0 notice notice defaults @@ -215,11 +215,11 @@ haproxy h3 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-fe - bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 frontend ssl-ecdsa-fe - bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 } -start 
@@ -257,16 +257,16 @@ process p3 -wait # in haproxy proc variables in order to compare them to their new value after # the update is performed. -process p4 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start +process p4 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start barrier b4 cond 2 -cyclic syslog Syslog_ocsp4 -level notice { recv - expect ~ " ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1" recv - expect ~ " ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" barrier b4 sync } -start @@ -281,7 +281,7 @@ haproxy h4 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h4/stats" level admin - crt-base ${testdir}/ocsp_update + crt-base ${testdir}/certs/ocsp_update log ${Syslog_ocsp4_addr}:${Syslog_ocsp4_port} local0 notice notice defaults 
@@ -293,11 +293,11 @@ haproxy h4 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-ocsp - bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 frontend ssl-ecdsa-ocsp - bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 } -start 
@@ -330,14 +330,14 @@ shell { # the OCSP response actually changed produced_at1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ') - echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" - + echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" - # Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer) # Store the current "Produced At" in order to ensure that after the update # the OCSP response actually changed produced_at2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ') - echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" - + echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" - echo "experimental-mode on;set var proc.produced_at1 str($produced_at1)" | socat "${tmpdir}/h4/stats" - echo "experimental-mode on;set var proc.produced_at2 str($produced_at2)" | socat "${tmpdir}/h4/stats" - @@ -376,7 +376,7 @@ process p4 -wait # to the "show ssl ocsp-response" command. -process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start +process p5 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start barrier b5 cond 2 -cyclic 
@@ -401,7 +401,7 @@ haproxy h5 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h5/stats" level admin - crt-base ${testdir}/ocsp_update + crt-base ${testdir}/certs/ocsp_update log ${Syslog_ocsp5_addr}:${Syslog_ocsp5_port} local0 notice notice defaults @@ -413,11 +413,11 @@ haproxy h5 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-fe - bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 frontend ssl-ecdsa-fe - bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 } -start 
@@ -467,13 +467,13 @@ process p5 -wait # the 'ocsp-update on' option will be taken into account by the OCSP # auto update task # -process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start +process p6 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start barrier b6 cond 2 -cyclic syslog Syslog_ocsp6 -level notice { recv - expect ~ " ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1" barrier b6 sync } -start @@ -489,7 +489,7 @@ haproxy h6 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h6/stats" level admin - crt-base ${testdir} + crt-base ${testdir}/certs log ${Syslog_ocsp6_addr}:${Syslog_ocsp6_port} local0 notice notice defaults @@ -502,7 +502,7 @@ haproxy h6 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe - bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 } -start 
@@ -516,12 +516,12 @@ haproxy h6 -cli { # Create a new certificate that has an OCSP uri and add it to the # existing CLI with the 'ocsp-update on' command. shell { - echo "new ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - - printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" - - printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" - - echo "commit ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - + echo "new ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" - + echo "commit ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - - printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" - + printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" - } barrier b6 sync 
@@ -544,18 +544,18 @@ process p6 -wait # Check that the global "tune.ocsp-update.mode" option works and that it # applies to certificates added via the CLI as well. # -process p7 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start +process p7 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start barrier b7 cond 2 -cyclic syslog Syslog_ocsp7 -level notice { recv - expect ~ " ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" barrier b7 sync recv - expect ~ " ${testdir}/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" barrier b7 sync } -start @@ -571,7 +571,7 @@ haproxy h7 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h7/stats" level admin - crt-base ${testdir} + crt-base ${testdir}/certs ocsp-update.mode on log ${Syslog_ocsp7_addr}:${Syslog_ocsp7_port} local0 notice notice 
@@ -585,8 +585,8 @@ haproxy h7 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe - bind "${tmpdir}/ssl_h7.sock" ssl crt ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all - bind "${tmpdir}/ssl_h7_2.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl_h7.sock" ssl crt ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl_h7_2.sock" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 } -start 
@@ -595,22 +595,22 @@ barrier b7 sync # Create a new certificate that has an OCSP uri and add it to the # existing CLI with the 'ocsp-update on' command. shell { - echo "new ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - - printf "set ssl cert ${testdir}/server_ocsp_rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" - - echo "commit ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - + echo "new ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - + printf "set ssl cert ${testdir}/certs/server_ocsp_rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" - + echo "commit ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - # We should have ocsp-update enabled via the global option - printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" - + printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" - } barrier b7 sync haproxy h7 -cli { send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful" send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful" + expect ~ 
"303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/certs/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful" } haproxy h7 -wait @@ -640,7 +640,7 @@ haproxy h8 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h8/stats" level admin - crt-base ${testdir}/ocsp_update + crt-base ${testdir}/certs/ocsp_update defaults mode http @@ -652,7 +652,7 @@ haproxy h8 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe - bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 listen http_rebound_lst @@ -674,7 +674,7 @@ haproxy h8 -cli { # ocsp response was removed from the auto update list but is still present in the # system haproxy h8 -cli { - send "del ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa" + send "del ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa" expect ~ "Entry.*deleted in crtlist" send "show ssl ocsp-updates" 
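Review bot: In the h7 shell block of the `@@ -595` hunk, the certificate name handed to the CLI, `${testdir}/certs/server_ocsp_rsa.pem`, is not the file whose content is loaded; the `set ssl cert` heredoc reads `${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem`, and now that the label also lives under `certs/` a reader will presumably look for a `certs/server_ocsp_rsa.pem` that the tree may not contain. A one-line comment above the `echo "new ssl cert ..."` line would settle this: `# The CLI name below is only a label; the certificate content is read from ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem`. The same label is matched by the syslog expect in the `@@ -544` hunk and by the second `show ssl ocsp-updates` expect at the end of this hunk, so the comment covers those lines as well.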
@@ -683,14 +683,14 @@ haproxy h8 -cli { send "show ssl ocsp-response" expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" - send "show ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa" + send "show ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa" expect ~ ".* Cert Status: good.*" } # Add the previously removed crt-list line with auto-update enabled and check that # the ocsp response appears in the auto update list shell { - printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list" + printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list" } haproxy h8 -cli { @@ -701,7 +701,7 @@ haproxy h8 -cli { # Check that the auto update option consistency check work even when crt-list # lines are added through the cli shell { - printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'" + printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'" } haproxy h8 -wait 
@@ -717,13 +717,13 @@ haproxy h8 -wait # update enabled can be updated via "update ssl ocsp-response" command. # -process p9 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start +process p9 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start barrier b9 cond 2 -cyclic syslog Syslog_ocsp9 -level notice { recv - expect ~ " ${testdir}/ocsp_update/rsa.pem 1 \"Update successful\" 0 1" + expect ~ " ${testdir}/certs/ocsp_update/rsa.pem 1 \"Update successful\" 0 1" barrier b9 sync } -start @@ -740,7 +740,7 @@ haproxy h9 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h9/stats" level admin - crt-base ${testdir}/ocsp_update + crt-base ${testdir}/certs/ocsp_update log ${Syslog_ocsp9_addr}:${Syslog_ocsp9_port} local0 notice notice defaults @@ -753,7 +753,7 @@ haproxy h9 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe - bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 } -start 
@@ -765,19 +765,19 @@ haproxy h9 -cli { # Create a new certificate and add it in the crt-list with ocsp auto-update enabled shell { - echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - - printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" - - printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" - - printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(openssl base64 < ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" - - echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - + echo "new ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.ocsp <<\n$(openssl base64 < ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" - + echo "commit ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - - printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" - + printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" - } # Check that the line is in the crt-list haproxy h9 -cli { - send "show ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list" - expect ~ 
"${testdir}/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar" + send "show ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list" + expect ~ "${testdir}/certs/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar" } # Check that the new certificate is NOT in the auto update list @@ -787,13 +787,13 @@ haproxy h9 -cli { } shell { - echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - + echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - } barrier b9 sync haproxy h9 -cli { - send "show ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" + send "show ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem" expect ~ ".* Cert Status: revoked.*" } diff --git a/reg-tests/ssl/ocsp_compat_check.vtc b/reg-tests/ssl/ocsp_compat_check.vtc index 2768821aa..475d22e2f 100644 --- a/reg-tests/ssl/ocsp_compat_check.vtc +++ b/reg-tests/ssl/ocsp_compat_check.vtc @@ -40,7 +40,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert # ocsp-update.mode on defaults @@ -75,7 +75,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode on defaults @@ -110,7 +110,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode off defaults @@ -145,7 +145,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert # ocsp-update.mode off defaults @@ -181,7 +181,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode on defaults @@ -217,7 +217,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode off defaults 
@@ -255,7 +255,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert # ocsp-update.mode off defaults @@ -291,7 +291,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert # ocsp-update.mode off defaults @@ -328,7 +328,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode on defaults @@ -365,7 +365,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode on defaults @@ -402,7 +402,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode off defaults @@ -439,7 +439,7 @@ global thread-groups 1 .endif - crt-base ${testdir}/ocsp_update/multicert + crt-base ${testdir}/certs/ocsp_update/multicert ocsp-update.mode off defaults diff --git a/reg-tests/ssl/set_ssl_bug_2265.vtc b/reg-tests/ssl/set_ssl_bug_2265.vtc index 2bd8652b3..588bc29f6 100644 --- a/reg-tests/ssl/set_ssl_bug_2265.vtc +++ b/reg-tests/ssl/set_ssl_bug_2265.vtc @@ -54,14 +54,14 @@ haproxy h1 -conf { server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost) listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/bug-2265.crt strict-sni + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/bug-2265.crt strict-sni server s1 ${s1_addr}:${s1_port} } -start haproxy h1 -cli { - send "show ssl cert ${testdir}/bug-2265.crt" + send "show ssl cert ${testdir}/certs/bug-2265.crt" expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA" } 
@@ -72,12 +72,12 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/bug-2265.crt <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/bug-2265.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/bug-2265.crt <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/bug-2265.crt" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/bug-2265.crt" + send "show ssl cert ${testdir}/certs/bug-2265.crt" expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" } diff --git a/reg-tests/ssl/set_ssl_cafile.vtc b/reg-tests/ssl/set_ssl_cafile.vtc index 66511ded8..af16c353c 100644 --- a/reg-tests/ssl/set_ssl_cafile.vtc +++ b/reg-tests/ssl/set_ssl_cafile.vtc 
@@ -50,17 +50,17 @@ haproxy h1 -conf { listen clear-lst bind "fd@${clearlst}" # dummy bind used to test a change when the same crt is used as server and bind - bind "fd@${foobarlst}" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify none - server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify none no-sni-auto + bind "fd@${foobarlst}" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify none + server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify none no-sni-auto listen clear-verified-lst bind "fd@${clearverifiedlst}" - server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required no-sni-auto + server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required no-sni-auto listen ssl-lst # crt: certificate of the server # ca-file: CA used for client authentication request - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required crt-ignore-err all http-response add-header X-SSL-Client-Verify %[ssl_c_verify] server s1 ${s1_addr}:${s1_port} } -start 
@@ -69,11 +69,11 @@ haproxy h1 -conf { # Test the "show ssl ca-file" command haproxy h1 -cli { send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA1.crt - 1 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 1 certificate.*" send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA2.crt - 1 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*" - send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D" } @@ -90,21 +90,21 @@ client c1 -connect ${h1_clearlst_sock} { # Set a new ca-file without committing it and check that the new ca-file is not taken into account shell { - printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - } # Test the "show ssl ca-file" command # The transaction should be mentioned in the list haproxy h1 -cli { send "show ssl ca-file" - expect ~ "\\*${testdir}/set_cafile_interCA2.crt - 1 certificate.*" + expect ~ "\\*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*" # The original CA file did not change - send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D" # Only the current transaction displays a new certificate - send "show ssl ca-file *${testdir}/set_cafile_interCA2.crt" + send "show ssl ca-file *${testdir}/certs/set_cafile_interCA2.crt" expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098" } 
@@ -118,17 +118,17 @@ client c1 -connect ${h1_clearlst_sock} { } -run haproxy h1 -cli { - send "abort ssl ca-file ${testdir}/set_cafile_interCA2.crt" - expect ~ "Transaction aborted for certificate '${testdir}/set_cafile_interCA2.crt'!" - send "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" + send "abort ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" + expect ~ "Transaction aborted for certificate '${testdir}/certs/set_cafile_interCA2.crt'!" + send "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" expect ~ "No ongoing transaction!" } # Update the bind line's ca-file in order to accept the client certificate shell { - printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" - } 
@@ -144,23 +144,23 @@ client c1 -connect ${h1_clearverifiedlst_sock} { # Update the server line's ca-file. The server certificate should now be accepted by # the frontend. We replace the single CA by a list of CAs that includes the correct one. shell { - printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - - printf "add ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" - - printf "add ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - + printf "add ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" - + printf "add ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" - } # Test the "show ssl ca-file" with a certificate index haproxy h1 -cli { send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA1.crt - 3 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 3 certificate.*" - send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:1" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:1" expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098" - send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:2" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:2" expect !~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098" - send "show 
ssl ca-file ${testdir}/set_cafile_interCA1.crt:2" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:2" expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D" } diff --git a/reg-tests/ssl/set_ssl_cert.vtc b/reg-tests/ssl/set_ssl_cert.vtc index bdc5fba59..1dd58bac7 100644 --- a/reg-tests/ssl/set_ssl_cert.vtc +++ b/reg-tests/ssl/set_ssl_cert.vtc @@ -40,7 +40,7 @@ haproxy h1 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin - crt-base ${testdir} + crt-base ${testdir}/certs defaults mode http @@ -72,20 +72,20 @@ haproxy h1 -conf { server s9 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem strict-sni server s1 ${s1_addr}:${s1_port} # dummy server used to test a change when the same crt is used as server and bind - server s2 ${s1_addr}:${s1_port} ssl crt ${testdir}/common.pem verify none weight 0 + server s2 ${s1_addr}:${s1_port} ssl crt ${testdir}/certs/common.pem verify none weight 0 listen other-ssl-lst - bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/set_default_cert.crt-list + bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/certs/set_default_cert.crt-list server s1 ${s1_addr}:${s1_port} } -start haproxy h1 -cli { - send "show ssl cert ${testdir}/common.pem" + send "show ssl cert ${testdir}/certs/common.pem" expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA" } 
@@ -96,12 +96,12 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/common.pem" + send "show ssl cert ${testdir}/certs/common.pem" expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" } @@ -119,12 +119,12 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "abort ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "abort ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/common.pem" + send "show ssl cert ${testdir}/certs/common.pem" expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" } 
@@ -149,21 +149,21 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/set_default_cert.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" - } # Certificate should not have changed yet haproxy h1 -cli { - send "show ssl cert ${testdir}/set_default_cert.pem" + send "show ssl cert ${testdir}/certs/set_default_cert.pem" expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3" } shell { - echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/set_default_cert.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/set_default_cert.pem" + send "show ssl cert ${testdir}/certs/set_default_cert.pem" expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA" } @@ -185,12 +185,12 @@ client c1 -connect ${h1_clearlst_sock} { # Restore original certificate shell { - printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/set_default_cert.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/set_default_cert.pem <<\n$(cat ${testdir}/certs/set_default_cert.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/set_default_cert.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/set_default_cert.pem" + send "show ssl cert ${testdir}/certs/set_default_cert.pem" expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB" } diff --git a/reg-tests/ssl/set_ssl_cert_bundle.vtc b/reg-tests/ssl/set_ssl_cert_bundle.vtc index 8e145ef73..37fc41b04 100644 --- a/reg-tests/ssl/set_ssl_cert_bundle.vtc +++ b/reg-tests/ssl/set_ssl_cert_bundle.vtc 
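Review bot: The final "Restore original certificate" check in the `@@ -185` hunk matches against `9DC18799428875976DDE706E9956035EE88A4CB`, which is 39 hex digits, whereas the same certificate's fingerprint in the `@@ -149` hunk ("Certificate should not have changed yet") is the full 40-digit `9DC18799428875976DDE706E9956035EE88A4CB3`. Because `expect ~` is a regex substring match the truncated value still passes, but it is a weaker assertion and reads as a typo; the line should become `expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3"`. This is a context line the commit does not touch, so it is pre-existing, but the file is being edited anyway. The enclosing `haproxy h1 -cli` block is fully inside the hunk.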
@@ -62,16 +62,16 @@ haproxy h1 -conf { server s4 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384 listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/cert1-example.com.pem + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/cert1-example.com.pem server s1 ${s1_addr}:${s1_port} } -start haproxy h1 -cli { - send "show ssl cert ${testdir}/cert1-example.com.pem.rsa" + send "show ssl cert ${testdir}/certs/cert1-example.com.pem.rsa" expect ~ ".*SHA1 FingerPrint: 94F720DACA71B8B1A0AC9BD48C65BA688FF047DE" - send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa" + send "show ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa" expect ~ ".*SHA1 FingerPrint: C1BA055D452F92EB02D449F0498C289F50698300" } 
@@ -89,16 +89,16 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/cert1-example.com.pem.rsa <<\n$(cat ${testdir}/cert2-example.com.pem.rsa)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/cert1-example.com.pem.rsa" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/cert1-example.com.pem.ecdsa <<\n$(cat ${testdir}/cert2-example.com.pem.ecdsa)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/cert1-example.com.pem.ecdsa" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/cert1-example.com.pem.rsa <<\n$(cat ${testdir}/certs/cert2-example.com.pem.rsa)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/cert1-example.com.pem.rsa" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa <<\n$(cat ${testdir}/certs/cert2-example.com.pem.ecdsa)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/cert1-example.com.pem.rsa" + send "show ssl cert ${testdir}/certs/cert1-example.com.pem.rsa" expect ~ ".*SHA1 FingerPrint: ADC863817FC40C2A9CA913CE45C9A92232558F90" - send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa" + send "show ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa" expect ~ ".*SHA1 FingerPrint: F49FFA446D072262445C197B85D2F400B3F58808" } diff --git a/reg-tests/ssl/set_ssl_cert_noext.vtc b/reg-tests/ssl/set_ssl_cert_noext.vtc index 65773d89e..878813c09 100644 --- a/reg-tests/ssl/set_ssl_cert_noext.vtc +++ b/reg-tests/ssl/set_ssl_cert_noext.vtc 
@@ -53,14 +53,14 @@ haproxy h1 -conf { server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost) listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.crt strict-sni + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.crt strict-sni server s1 ${s1_addr}:${s1_port} } -start haproxy h1 -cli { - send "show ssl cert ${testdir}/common.crt" + send "show ssl cert ${testdir}/certs/common.crt" expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6" } @@ -71,13 +71,13 @@ client c1 -connect ${h1_clearlst_sock} { } -run shell { - printf "set ssl cert ${testdir}/common.crt <<\n$(cat ${testdir}/ecdsa.crt)\n\n" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/common.key <<\n$(cat ${testdir}/ecdsa.key)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/common.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/common.crt <<\n$(cat ${testdir}/certs/ecdsa.crt)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/common.key <<\n$(cat ${testdir}/certs/ecdsa.key)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/common.crt" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/common.crt" + send "show ssl cert ${testdir}/certs/common.crt" expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" } diff --git a/reg-tests/ssl/set_ssl_crlfile.vtc b/reg-tests/ssl/set_ssl_crlfile.vtc index 23537918c..b81fb1ef9 100644 --- a/reg-tests/ssl/set_ssl_crlfile.vtc +++ b/reg-tests/ssl/set_ssl_crlfile.vtc 
@@ -52,13 +52,13 @@ haproxy h1 -conf { listen clear-lst bind "fd@${clearlst}" - server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt crl-file ${testdir}/interCA2_crl_empty.pem verify required no-sni-auto + server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt crl-file ${testdir}/certs/interCA2_crl_empty.pem verify required no-sni-auto listen ssl-lst # crt: certificate of the server # ca-file: CA used for client authentication request # crl-file: revocation list for client auth - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA1.crt ca-verify-file ${testdir}/set_cafile_rootCA.crt crl-file ${testdir}/interCA1_crl_empty.pem verify required crt-ignore-err all + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt crl-file ${testdir}/certs/interCA1_crl_empty.pem verify required crt-ignore-err all http-response add-header X-SSL-Client-Verify %[ssl_c_verify] server s1 ${s1_addr}:${s1_port} } -start 
@@ -66,23 +66,23 @@ haproxy h1 -conf { # Test the "show ssl ca-file" command haproxy h1 -cli { send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA1.crt - 1 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 1 certificate.*" send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA2.crt - 1 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*" } # Add the rootCA certificate to set_cafile_interCA2.crt in order for the frontend to # be able to validate the server's certificate shell { - printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { send "show ssl ca-file" - expect ~ ".*${testdir}/set_cafile_interCA2.crt - 2 certificate.*" + expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 2 certificate.*" - send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt" + send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" expect ~ ".*Subject.*/CN=Root CA" } 
@@ -96,17 +96,17 @@ client c1 -connect ${h1_clearlst_sock} { # Change the frontend's crl-file to one in which the server certificate is revoked shell { - printf "set ssl crl-file ${testdir}/interCA2_crl_empty.pem <<\n$(cat ${testdir}/interCA2_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA2_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" - } # Check that the transaction is displayed in the output of "show ssl crl-list" haproxy h1 -cli { send "show ssl crl-file" - expect ~ "\\*${testdir}/interCA2_crl_empty.pem" + expect ~ "\\*${testdir}/certs/interCA2_crl_empty.pem" - send "show ssl crl-file \\*${testdir}/interCA2_crl_empty.pem" + send "show ssl crl-file \\*${testdir}/certs/interCA2_crl_empty.pem" expect ~ "Revoked Certificates:" - send "show ssl crl-file \\*${testdir}/interCA2_crl_empty.pem:1" + send "show ssl crl-file \\*${testdir}/certs/interCA2_crl_empty.pem:1" expect ~ "Serial Number: 1008" } @@ -119,8 +119,8 @@ client c1 -connect ${h1_clearlst_sock} { } -run haproxy h1 -cli { - send "commit ssl crl-file ${testdir}/interCA2_crl_empty.pem" - expect ~ "Committing ${testdir}/interCA2_crl_empty.pem" + send "commit ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem" + expect ~ "Committing ${testdir}/certs/interCA2_crl_empty.pem" } # This connection should fail, the server's certificate is revoked in the newly updated CRL file 
@@ -132,14 +132,14 @@ client c1 -connect ${h1_clearlst_sock} { # Restore the frontend's CRL shell { - printf "set ssl crl-file ${testdir}/interCA2_crl_empty.pem <<\n$(cat ${testdir}/interCA2_crl_empty.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl crl-file ${testdir}/interCA2_crl_empty.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA2_crl_empty.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem" | socat "${tmpdir}/h1/stats" - } # Change the backend's CRL file to one in which the frontend's certificate is revoked shell { - printf "set ssl crl-file ${testdir}/interCA1_crl_empty.pem <<\n$(cat ${testdir}/interCA1_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl crl-file ${testdir}/interCA1_crl_empty.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl crl-file ${testdir}/certs/interCA1_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA1_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl crl-file ${testdir}/certs/interCA1_crl_empty.pem" | socat "${tmpdir}/h1/stats" - } # This connection should fail, the client's certificate is revoked in the newly updated CRL file diff --git a/reg-tests/ssl/set_ssl_server_cert.vtc b/reg-tests/ssl/set_ssl_server_cert.vtc index db23e705b..65af8c6b8 100644 --- a/reg-tests/ssl/set_ssl_server_cert.vtc +++ b/reg-tests/ssl/set_ssl_server_cert.vtc 
@@ -39,13 +39,13 @@ haproxy h1 -conf { listen clear-lst bind "fd@${clearlst}" retries 0 # 2nd SSL connection must fail so skip the retry - server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem + server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem listen ssl-lst # crt: certificate of the server # ca-file: CA used for client authentication request # crl-file: revocation list for client auth: the client1 certificate is revoked - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/certs/crl-auth.pem acl cert_expired ssl_c_verify 10 acl cert_revoked ssl_c_verify 23 @@ -68,18 +68,18 @@ client c1 -connect ${h1_clearlst_sock} { } -run haproxy h1 -cli { - send "show ssl cert ${testdir}/client1.pem" + send "show ssl cert ${testdir}/certs/client1.pem" expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" } # Replace certificate with an expired one shell { - printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/client1.pem" + send "show ssl cert ${testdir}/certs/client1.pem" expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4" } 
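Review bot: The comment `# crl-file: revocation list for client auth: the client1 certificate is revoked` above the `ssl-lst` bind line appears to disagree with the rest of this test, which first displays `client1.pem` and only later swaps in `client3_revoked.pem` under "Replace certificate with a revoked one". If `client1.pem` is in fact not listed in `crl-auth.pem`, the comment should say which certificate is, e.g. `# crl-file: revocation list for client auth: client3_revoked.pem is revoked, client1.pem is not`. The same comment appears in the `ssl_client_auth.vtc` hunk (`@@ -46,15`), where the server using `client3_revoked.pem` is the one labelled `# revoked`. The commit only changes the path prefix on these lines, so this is a pre-existing wording issue; the enclosing `haproxy h1 -conf {` block starts outside the hunk.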
@@ -95,12 +95,12 @@ client c1 -connect ${h1_clearlst_sock} { # Replace certificate with a revoked one shell { - printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/client1.pem" + send "show ssl cert ${testdir}/certs/client1.pem" expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151" } @@ -115,12 +115,12 @@ client c1 -connect ${h1_clearlst_sock} { # Abort a transaction shell { - printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "abort ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "abort ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { - send "show ssl cert ${testdir}/client1.pem" + send "show ssl cert ${testdir}/certs/client1.pem" expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151" } diff --git a/reg-tests/ssl/show_ssl_ocspresponse.vtc b/reg-tests/ssl/show_ssl_ocspresponse.vtc index 47d2ec002..b9e4c05be 100644 --- a/reg-tests/ssl/show_ssl_ocspresponse.vtc +++ b/reg-tests/ssl/show_ssl_ocspresponse.vtc 
@@ -48,12 +48,12 @@ haproxy h1 -conf { listen clear-lst bind "fd@${clearlst}" - server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/set_cafile_rootCA.crt verify none + server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none listen ssl-lst # crt: certificate of the server # ca-file: CA used for client authentication request - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/show_ocsp_server.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/show_ocsp_server.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all http-response add-header X-SSL-Client-Verify %[ssl_c_verify] server s1 ${s1_addr}:${s1_port} } -start @@ -72,7 +72,7 @@ haproxy h1 -cli { # Test the "show ssl ocsp-response" command with a certificate path as parameter shell { - ocsp_response=$(echo "show ssl ocsp-response ${testdir}/show_ocsp_server.pem" | socat "${tmpdir}/h1/stats" -) + ocsp_response=$(echo "show ssl ocsp-response ${testdir}/certs/show_ocsp_server.pem" | socat "${tmpdir}/h1/stats" -) echo "$ocsp_response" | grep "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com" && echo "$ocsp_response" | grep "Cert Status: good" 
@@ -83,21 +83,21 @@ haproxy h1 -cli { send "show ssl cert" expect ~ ".*show_ocsp_server.pem" - send "show ssl cert ${testdir}/show_ocsp_server.pem" + send "show ssl cert ${testdir}/certs/show_ocsp_server.pem" expect ~ "Serial: 100F" - send "show ssl cert ${testdir}/show_ocsp_server.pem" + send "show ssl cert ${testdir}/certs/show_ocsp_server.pem" expect ~ "OCSP Response Key: 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" - send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp" + send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp" expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com" - send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp" + send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp" expect ~ "Cert Status: good" } # Change the server certificate's OCSP response through "set ssl ocsp-response" shell { - printf "set ssl ocsp-response <<\n$(cat ${testdir}/show_ocsp_server.pem.ocsp.revoked|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl ocsp-response <<\n$(cat ${testdir}/certs/show_ocsp_server.pem.ocsp.revoked|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" - } # Check that the change was taken into account 
@@ -110,16 +110,16 @@ haproxy h1 -cli { send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" expect ~ "Cert Status: revoked" - send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp" + send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp" expect ~ "Cert Status: revoked" } # Change the server certificate's OCSP response through a transaction shell { - printf "set ssl cert ${testdir}/show_ocsp_server.pem <<\n$(cat ${testdir}/show_ocsp_server.pem | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/show_ocsp_server.pem.issuer <<\n$(cat ${testdir}/show_ocsp_server.pem.issuer | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/show_ocsp_server.pem.ocsp <<\n$(cat ${testdir}/show_ocsp_server.pem.ocsp|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/show_ocsp_server.pem <<\n$(cat ${testdir}/certs/show_ocsp_server.pem | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/show_ocsp_server.pem.issuer <<\n$(cat ${testdir}/certs/show_ocsp_server.pem.issuer | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp <<\n$(cat ${testdir}/certs/show_ocsp_server.pem.ocsp|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" - } 
@@ -131,16 +131,16 @@ haproxy h1 -cli { send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" expect ~ "This Update: Jun 10 08:57:45 2021 GMT" - send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp" + send "show ssl cert *${testdir}/certs/show_ocsp_server.pem.ocsp" expect ~ "Cert Status: good" - send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp" + send "show ssl cert *${testdir}/certs/show_ocsp_server.pem.ocsp" expect ~ "This Update: Jun 10 08:55:04 2021 GMT" } # Commit the transaction and check that it was taken into account haproxy h1 -cli { - send "commit ssl cert ${testdir}/show_ocsp_server.pem" + send "commit ssl cert ${testdir}/certs/show_ocsp_server.pem" expect ~ "Success!" send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f" diff --git a/reg-tests/ssl/ssl-0rtt.vtci b/reg-tests/ssl/ssl-0rtt.vtci index 78ca036fc..ca04590a6 100644 --- a/reg-tests/ssl/ssl-0rtt.vtci +++ b/reg-tests/ssl/ssl-0rtt.vtci 
@@ -102,10 +102,10 @@ haproxy h1 -conf { listen ssl # socket names indicate their capabilities and are used below in regex # (0r means 0rtt OK, 1r means 0rtt not accepted) - bind "${VTC_SOCK_TYPE}+fd@${sv_sf_1r}" name sf_1r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" - bind "${VTC_SOCK_TYPE}+fd@${sv_sl_1r}" name sl_1r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets - bind "${VTC_SOCK_TYPE}+fd@${sv_sf_0r}" name sf_0r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt - bind "${VTC_SOCK_TYPE}+fd@${sv_sl_0r}" name sl_0r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt no-tls-tickets + bind "${VTC_SOCK_TYPE}+fd@${sv_sf_1r}" name sf_1r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" + bind "${VTC_SOCK_TYPE}+fd@${sv_sl_1r}" name sl_1r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets + bind "${VTC_SOCK_TYPE}+fd@${sv_sf_0r}" name sf_0r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt + bind "${VTC_SOCK_TYPE}+fd@${sv_sl_0r}" name sl_0r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt no-tls-tickets # expect early-data TLS version supports it and both the client and the listener support it http-request add-header x-expect-early 1 if { int("$ZRTT_SUPP") eq 1 } { ssl_fc_is_resumed } { req.hdr(x-from) -m reg '^cl_0r' } { so_name -m reg '0r$' } diff --git a/reg-tests/ssl/ssl_alpn.vtc b/reg-tests/ssl/ssl_alpn.vtc index 36cbc38e7..7ad3c33e0 100644 --- a/reg-tests/ssl/ssl_alpn.vtc +++ b/reg-tests/ssl/ssl_alpn.vtc 
@@ -77,11 +77,11 @@ haproxy h1 -conf {
 server s34 "${tmpdir}/ssl4.sock" alpn h2,http/1.1
 frontend fe-ssl
- bind "${tmpdir}/ssl0.sock" ssl crt ${testdir}/common.pem
- bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/common.pem alpn http/1.1
- bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/common.pem alpn h2
- bind "${tmpdir}/ssl3.sock" ssl crt ${testdir}/common.pem alpn h2,http/1.1
- bind "${tmpdir}/ssl4.sock" ssl crt ${testdir}/common.pem no-alpn
+ bind "${tmpdir}/ssl0.sock" ssl crt ${testdir}/certs/common.pem
+ bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/certs/common.pem alpn http/1.1
+ bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/certs/common.pem alpn h2
+ bind "${tmpdir}/ssl3.sock" ssl crt ${testdir}/certs/common.pem alpn h2,http/1.1
+ bind "${tmpdir}/ssl4.sock" ssl crt ${testdir}/certs/common.pem no-alpn
 http-request return status 200 hdr x-alpn _%[ssl_fc_alpn] hdr x-path %[path] hdr x-ver _%[req.ver]
 } -start
diff --git a/reg-tests/ssl/ssl_client_auth.vtc b/reg-tests/ssl/ssl_client_auth.vtc
index ec555651d..64d60380b 100644
--- a/reg-tests/ssl/ssl_client_auth.vtc
+++ b/reg-tests/ssl/ssl_client_auth.vtc
@@ -46,15 +46,15 @@ haproxy h1 -conf { bind "fd@${clearlst}" balance roundrobin # crt: certificate sent for a client certificate request - server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem - server s2 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client2_expired.pem # expired - server s3 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem # revoked + server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem + server s2 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client2_expired.pem # expired + server s3 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem # revoked listen ssl-lst # crt: certificate of the server # ca-file: CA used for client authentication request # crl-file: revocation list for client auth: the client1 certificate is revoked - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err X509_V_ERR_CERT_REVOKED,X509_V_ERR_CERT_HAS_EXPIRED crl-file ${testdir}/crl-auth.pem + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err X509_V_ERR_CERT_REVOKED,X509_V_ERR_CERT_HAS_EXPIRED crl-file ${testdir}/certs/crl-auth.pem http-response add-header X-SSL %[ssl_c_verify,x509_v_err_str] server s1 ${s1_addr}:${s1_port} diff --git a/reg-tests/ssl/ssl_client_samples.vtc b/reg-tests/ssl/ssl_client_samples.vtc index db3589f36..fc5e77a70 100644 --- a/reg-tests/ssl/ssl_client_samples.vtc +++ b/reg-tests/ssl/ssl_client_samples.vtc @@ -35,7 +35,7 @@ haproxy h1 -conf { listen clear-lst bind "fd@${clearlst}" balance roundrobin - server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem + server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem listen ssl-lst mode http 
@@ -53,7 +53,7 @@ haproxy h1 -conf { http-response add-header x-ssl-key_alg %[ssl_c_key_alg] http-response add-header x-ssl-version %[ssl_c_version] - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/certs/crl-auth.pem server s1 ${s1_addr}:${s1_port} } -start diff --git a/reg-tests/ssl/ssl_crt-list_filters.vtc b/reg-tests/ssl/ssl_crt-list_filters.vtc index a911f0395..19921f38f 100644 --- a/reg-tests/ssl/ssl_crt-list_filters.vtc +++ b/reg-tests/ssl/ssl_crt-list_filters.vtc @@ -23,7 +23,7 @@ haproxy h1 -conf { .if !ssllib_name_startswith(AWS-LC) tune.ssl.default-dh-param 2048 .endif - crt-base ${testdir} + crt-base ${testdir}/certs stats socket "${tmpdir}/h1/stats" level admin defaults @@ -62,8 +62,8 @@ haproxy h1 -conf { listen ssl-lst mode http - bind "${tmpdir}/ssl.sock" ssl strict-sni ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 crt-list ${testdir}/filters.crt-list - bind "${tmpdir}/ssl2.sock" ssl strict-sni ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 crt-list ${testdir}/filters.crt-list + bind "${tmpdir}/ssl.sock" ssl strict-sni ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 crt-list ${testdir}/certs/filters.crt-list + bind "${tmpdir}/ssl2.sock" ssl strict-sni ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 crt-list ${testdir}/certs/filters.crt-list server s1 ${s1_addr}:${s1_port} } -start diff --git a/reg-tests/ssl/ssl_curve_name.vtc b/reg-tests/ssl/ssl_curve_name.vtc index ee017b9db..7215c6412 100644 --- a/reg-tests/ssl/ssl_curve_name.vtc +++ b/reg-tests/ssl/ssl_curve_name.vtc @@ -19,7 +19,7 @@ haproxy h1 -conf { tune.ssl.default-dh-param 2048 .endif tune.ssl.capture-buffer-size 1 - crt-base ${testdir} + crt-base ${testdir}/certs defaults mode http 
@@ -35,12 +35,12 @@ haproxy h1 -conf {
 bind "fd@${clearlst}"
 balance roundrobin
 http-response add-header x-ssl-bc-curve-name %[ssl_bc_curve]
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client.ecdsa.pem
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem
 listen ssl-lst
 mode http
 http-response add-header x-ssl-fc-curve-name %[ssl_fc_curve]
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional curves X25519:P-256:P-384
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional curves X25519:P-256:P-384
 server s1 ${s1_addr}:${s1_port}
 } -start
diff --git a/reg-tests/ssl/ssl_curves.vtc b/reg-tests/ssl/ssl_curves.vtc
index da0054e7e..340ea2ddd 100644
--- a/reg-tests/ssl/ssl_curves.vtc
+++ b/reg-tests/ssl/ssl_curves.vtc
@@ -66,20 +66,20 @@ haproxy h1 -conf { default_backend ssl-be backend ssl-be - server s1 "${tmpdir}/ssl1.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12 curves P-256:P-384 + server s1 "${tmpdir}/ssl1.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 curves P-256:P-384 backend ssl-curves-be - server s1 "${tmpdir}/ssl2.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12 curves P-384 + server s1 "${tmpdir}/ssl2.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 curves P-384 backend ssl-ecdhe-256-be - server s1 "${tmpdir}/ssl-ecdhe-256.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12 + server s1 "${tmpdir}/ssl-ecdhe-256.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 backend ssl-ecdhe-521-be - server s1 "${tmpdir}/ssl-ecdhe-521.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12 + server s1 "${tmpdir}/ssl-ecdhe-521.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 listen ssl1-lst - bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional curves P-256:P-384 + bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional curves P-256:P-384 server s1 ${s1_addr}:${s1_port} # The prime256v1 curve, which is used by default by a backend when no 
@@ -88,21 +88,21 @@ haproxy h1 -conf { log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0 error-log-format "ERROR conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]" - bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional curves P-384 + bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional curves P-384 server s1 ${s1_addr}:${s1_port} listen ssl-ecdhe-521-lst log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0 error-log-format "ERROR ECDHE-521 conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]" - bind "${tmpdir}/ssl-ecdhe-521.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ecdhe secp521r1 + bind "${tmpdir}/ssl-ecdhe-521.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ecdhe secp521r1 server s1 ${s1_addr}:${s1_port} listen ssl-ecdhe-256-lst log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0 error-log-format "ERROR ECDHE-256 conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]" - bind "${tmpdir}/ssl-ecdhe-256.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ecdhe prime256v1 + bind "${tmpdir}/ssl-ecdhe-256.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ecdhe prime256v1 server s1 ${s1_addr}:${s1_port} } -start diff --git a/reg-tests/ssl/ssl_default_server.vtc b/reg-tests/ssl/ssl_default_server.vtc index 0f49b1b80..ed14dea1a 100644 --- a/reg-tests/ssl/ssl_default_server.vtc +++ b/reg-tests/ssl/ssl_default_server.vtc @@ -31,8 +31,8 @@ haproxy h1 -conf { .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin - crt-base ${testdir} - ca-base ${testdir} + crt-base ${testdir}/certs + ca-base ${testdir}/certs defaults mode http 
@@ -77,7 +77,7 @@ haproxy h1 -conf { listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ca-auth.crt verify required crt-ignore-err all + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ca-auth.crt verify required crt-ignore-err all acl cert_expired ssl_c_verify 10 acl cert_revoked ssl_c_verify 23 diff --git a/reg-tests/ssl/ssl_dh.vtc b/reg-tests/ssl/ssl_dh.vtc index b569f8a1d..29dbaf071 100644 --- a/reg-tests/ssl/ssl_dh.vtc +++ b/reg-tests/ssl/ssl_dh.vtc @@ -59,12 +59,12 @@ haproxy h1 -conf { server s1 "${tmpdir}/ssl_dflt_gencert.sock" ssl verify none ssl-max-ver TLSv1.2 listen ssl-dflt-lst - bind "${tmpdir}/ssl_dflt.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 + bind "${tmpdir}/ssl_dflt.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 http-response set-header x-ssl-cipher %[ssl_fc_cipher] server s1 ${s1_addr}:${s1_port} listen ssl-dflt-gencert-lst - bind "${tmpdir}/ssl_dflt_gencert.sock" ssl generate-certificates crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 + bind "${tmpdir}/ssl_dflt_gencert.sock" ssl generate-certificates crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 http-response set-header x-ssl-cipher %[ssl_fc_cipher] server s1 ${s1_addr}:${s1_port} } -start 
@@ -99,7 +99,7 @@ haproxy h2 -conf { server s1 "${tmpdir}/ssl_dfltdh.sock" ssl verify none ssl-max-ver TLSv1.2 listen ssl-4096dh-dflt-lst - bind "${tmpdir}/ssl_dfltdh.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 + bind "${tmpdir}/ssl_dfltdh.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 http-response set-header x-ssl-cipher %[ssl_fc_cipher] server s1 ${s1_addr}:${s1_port} } -start @@ -117,7 +117,7 @@ haproxy h3 -conf { thread-groups 1 .endif - ssl-dh-param-file ${testdir}/common.4096.dh + ssl-dh-param-file ${testdir}/certs/common.4096.dh defaults mode http @@ -134,7 +134,7 @@ haproxy h3 -conf { server s1 "${tmpdir}/ssl_dhfile.sock" ssl verify none ssl-max-ver TLSv1.2 listen ssl-dhfile-lst - bind "${tmpdir}/ssl_dhfile.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 + bind "${tmpdir}/ssl_dhfile.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2 http-response set-header x-ssl-cipher %[ssl_fc_cipher] server s1 ${s1_addr}:${s1_port} } -start 
@@ -188,14 +188,14 @@ shell { # Add a custom DH to the server's PEM certificate # shell { - printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h2/stats" - - echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h2/stats" - + printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h2/stats" - + echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h2/stats" - - printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h3/stats" - - echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h3/stats" - + printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h3/stats" - + echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h3/stats" - } diff --git a/reg-tests/ssl/ssl_errors.vtc b/reg-tests/ssl/ssl_errors.vtc index 8025dbd96..55ef811ff 100644 --- a/reg-tests/ssl/ssl_errors.vtc +++ b/reg-tests/ssl/ssl_errors.vtc 
@@ -191,7 +191,7 @@ haproxy h1 -conf { listen clear_lst bind "fd@${clearlst}" - default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 sni str(foo.com) + default-server ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 sni str(foo.com) balance roundrobin server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock" @@ -201,7 +201,7 @@ haproxy h1 -conf { listen clear_wrong_ciphers_lst bind "fd@${wrongcipherslst}" - default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 ciphers "aECDSA" sni str(foo.com) + default-server ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 ciphers "aECDSA" sni str(foo.com) balance roundrobin server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock" 
@@ -217,20 +217,20 @@ haproxy h1 -conf { error-log-format "ERROR bc_err:%[bc_err]:%{+Q}[bc_err_str]\ ssl_bc_err:%[ssl_bc_err,and(proc.ssl_error_mask)]:%[ssl_bc_err_str]" balance roundrobin - server no_err "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required sni str(Server) - server srv_cert_rejected "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required sni str(foo.com) - server mismatch_frontend "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required sni str(foo.com) verifyhost str(toto) # We force TLSv1.2 for this specific case because server-side + server no_err "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required sni str(Server) + server srv_cert_rejected "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required sni str(foo.com) + server mismatch_frontend "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required sni str(foo.com) verifyhost str(toto) # We force TLSv1.2 for this specific case because server-side # verification errors cannot be caught by the backend fetches when # using TLSv1.3 - server clt_cert_rejected "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none force-tlsv12 sni str(foo.com) - server wrong_ciphers "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com) + server clt_cert_rejected "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file 
${testdir}/certs/set_cafile_interCA2.crt verify none force-tlsv12 sni str(foo.com) + server wrong_ciphers "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem ca-file ${testdir}/certs/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com) # No TLSv1.3 support with OpenSSL 1.0.2 so we duplicate the previous # wrong cipher test in this case so that the error log remains the same .if openssl_version_before(1.1.1) - server wrong_ciphers2 "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com) + server wrong_ciphers2 "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem ca-file ${testdir}/certs/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com) .else - server wrong_ciphers_tls13 "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" force-tlsv13 sni str(foo.com) + server wrong_ciphers_tls13 "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem ca-file ${testdir}/certs/ca-auth.crt ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" force-tlsv13 sni str(foo.com) .endif 
@@ -241,7 +241,7 @@ haproxy h1 -conf { mode http log-format "conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:\"%[ssl_fc_err]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]" error-log-format "ERROR conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:\"%[ssl_fc_err,and(proc.ssl_error_mask)]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]" - bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA" + bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required ciphers "kRSA" server s1 ${s1_addr}:${s1_port} listen https_logfmt_ssl_lst 
@@ -251,14 +251,14 @@ haproxy h1 -conf { mode http option httpslog error-log-format "ERROR %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[fc_err]/%[ssl_fc_err,and(proc.ssl_error_mask),hex]/%[ssl_c_err]/%[ssl_c_ca_err]/%[ssl_fc_is_resumed] %[ssl_fc_sni]/%sslv/%sslc" - bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA" + bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required ciphers "kRSA" server s1 ${s1_addr}:${s1_port} listen logconnerror_ssl_lst log ${Slg_logconnerror_addr}:${Slg_logconnerror_port} local0 info mode http option httplog - bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA" + bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required ciphers "kRSA" server s1 ${s1_addr}:${s1_port} 
@@ -274,28 +274,28 @@ haproxy h1 -conf { # The following listeners allow to test backend error fetches listen no_backend_err_ssl_lst from bknd_err_dflt - bind "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none + bind "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none server s1 ${s1_addr}:${s1_port} listen srv_rejected_ssl_lst from bknd_err_dflt - bind "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none + bind "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none server s1 ${s1_addr}:${s1_port} listen mismatch_fe_ssl_lst from bknd_err_dflt - bind "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none + bind "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none server s1 ${s1_addr}:${s1_port} listen rejected_clt_ssl_lst from bknd_err_dflt - bind "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required + bind "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required server s1 ${s1_addr}:${s1_port} listen wrong_ciphers_ssl_lst from bknd_err_dflt - bind "${tmpdir}/wrong_ciphers_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv12 ciphers "kRSA" + bind "${tmpdir}/wrong_ciphers_ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify none force-tlsv12 ciphers "kRSA" server s1 ${s1_addr}:${s1_port} .if openssl_version_atleast(1.1.1) listen wrong_ciphers_tls13_ssl_lst 
from bknd_err_dflt - bind "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv13 ciphersuites "TLS_AES_128_GCM_SHA256" + bind "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify none force-tlsv13 ciphersuites "TLS_AES_128_GCM_SHA256" server s1 ${s1_addr}:${s1_port} .endif @@ -327,8 +327,8 @@ barrier b1 sync # Change the root CA in the frontends shell { - printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" - } client c4 -connect ${h1_clearlst_sock} { 
@@ -352,14 +352,14 @@ barrier b1 sync # Restore the root CA shell { - printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt <<\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" - } # Change the intermediate CA in the frontends shell { - printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" - } client c7 -connect ${h1_clearlst_sock} { @@ -382,8 +382,8 @@ barrier b1 sync # Restore the intermediate CA in the frontends shell { - printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" - } # "No shared cipher" errors 
@@ -402,8 +402,8 @@ client c12 -connect ${h1_wrongcipherslst_sock} { shell { - printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" - + printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" - } client c13 -connect ${h1_backenderrorslst_sock} { diff --git a/reg-tests/ssl/ssl_frontend_samples.vtc b/reg-tests/ssl/ssl_frontend_samples.vtc index 118795b15..de0714501 100644 --- a/reg-tests/ssl/ssl_frontend_samples.vtc +++ b/reg-tests/ssl/ssl_frontend_samples.vtc @@ -19,7 +19,6 @@ haproxy h1 -conf { tune.ssl.default-dh-param 2048 .endif tune.ssl.capture-buffer-size 1 - crt-base ${testdir} defaults mode http @@ -50,7 +49,7 @@ haproxy h1 -conf { http-response add-header x-ssl-key_alg %[ssl_f_key_alg] http-response add-header x-ssl-version %[ssl_f_version] - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem server s1 ${s1_addr}:${s1_port} } -start diff --git a/reg-tests/ssl/ssl_generate_certificate.vtc b/reg-tests/ssl/ssl_generate_certificate.vtc index 0bd6fbc44..03fba5458 100644 --- a/reg-tests/ssl/ssl_generate_certificate.vtc +++ b/reg-tests/ssl/ssl_generate_certificate.vtc 
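Review bot: In the `@@ -19,7 +19,6` hunk of ssl_frontend_samples.vtc the `crt-base ${testdir}` line is deleted outright instead of being rewritten to `crt-base ${testdir}/certs`, which is what every other file in this patch does (ssl_crt-list_filters.vtc, ssl_curve_name.vtc, ssl_server_samples.vtc, ssl_simple_crt-list.vtc). The only certificate reference visible for this file is the absolute `crt ${testdir}/certs/common.pem` in the `@@ -50,7 +49,7` hunk, so the deletion is presumably harmless, but any other directive in the file outside these hunks that still uses a relative certificate path would now resolve against the process working directory rather than the certs directory. Either keep `crt-base ${testdir}/certs` for consistency with the rest of the series, or state in the commit message that the directive was unused and is intentionally dropped. The enclosing `haproxy h1 -conf {` block starts and ends outside the hunk.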
@@ -59,7 +59,7 @@ haproxy h1 -conf { server s1 "${tmpdir}/ssl_P-384.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni) listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional + bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/certs/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)] http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)] http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg] @@ -69,7 +69,7 @@ haproxy h1 -conf { server s1 ${s1_addr}:${s1_port} listen ssl-lst-P-384 - bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1 + bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/certs/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1 http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)] http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)] http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg] diff --git a/reg-tests/ssl/ssl_reuse.vtci b/reg-tests/ssl/ssl_reuse.vtci index f7218588f..8da16ba2d 100644 --- a/reg-tests/ssl/ssl_reuse.vtci +++ b/reg-tests/ssl/ssl_reuse.vtci 
@@ -42,8 +42,8 @@ haproxy h1 -conf { http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed] listen ssl - bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" - bind "${VTC_SOCK_TYPE}+fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets + bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" + bind "${VTC_SOCK_TYPE}+fd@${fe4}" ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets http-response add-header x-ssl-resumed %[ssl_fc_is_resumed] server s1 ${s1_addr}:${s1_port} diff --git a/reg-tests/ssl/ssl_server_samples.vtc b/reg-tests/ssl/ssl_server_samples.vtc index c8c52081b..9e1fe9268 100644 --- a/reg-tests/ssl/ssl_server_samples.vtc +++ b/reg-tests/ssl/ssl_server_samples.vtc @@ -19,7 +19,7 @@ haproxy h1 -conf { tune.ssl.default-dh-param 2048 .endif tune.ssl.capture-buffer-size 1 - crt-base ${testdir} + crt-base ${testdir}/certs stats socket "${tmpdir}/h1/stats" level admin defaults @@ -52,7 +52,7 @@ haproxy h1 -conf { listen ssl-lst mode http - bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list + bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list server s1 ${s1_addr}:${s1_port} } -start diff --git a/reg-tests/ssl/ssl_simple_crt-list.vtc b/reg-tests/ssl/ssl_simple_crt-list.vtc index fa6c767b1..356e4f491 100644 --- a/reg-tests/ssl/ssl_simple_crt-list.vtc +++ b/reg-tests/ssl/ssl_simple_crt-list.vtc @@ -19,7 +19,7 @@ haproxy h1 -conf { .if !ssllib_name_startswith(AWS-LC) tune.ssl.default-dh-param 2048 .endif - crt-base ${testdir} + crt-base ${testdir}/certs stats socket "${tmpdir}/h1/stats" level admin defaults 
@@ -42,7 +42,7 @@ haproxy h1 -conf { listen ssl-lst mode http - bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/simple.crt-list + bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/simple.crt-list server s1 ${s1_addr}:${s1_port} } -start diff --git a/reg-tests/ssl/ssl_sni_auto.vtc b/reg-tests/ssl/ssl_sni_auto.vtc index 709b9599e..4c6c48fc5 100644 --- a/reg-tests/ssl/ssl_sni_auto.vtc +++ b/reg-tests/ssl/ssl_sni_auto.vtc @@ -71,7 +71,7 @@ haproxy h1 -conf { default-server inter 100ms frontend fe_ssl - bind "fd@${fe_ssl}" ssl crt ${testdir}/common.pem + bind "fd@${fe_ssl}" ssl crt ${testdir}/certs/common.pem http-request return status 200 if { path /test1 } { ssl_fc_sni www.test1.org } http-request return status 500 if { path /test2 } { ssl_fc_sni -m found } @@ -79,7 +79,7 @@ haproxy h1 -conf { http-request deny listen li_check_ssl - bind "fd@${li_check_ssl}" ssl crt ${testdir}/common.pem + bind "fd@${li_check_ssl}" ssl crt ${testdir}/certs/common.pem http-request set-header x-sni %[ssl_fc_sni] if { ssl_fc_sni -m found } use-server s1 if { path /test1 } diff --git a/reg-tests/ssl/wrong_ctx_storage.vtc b/reg-tests/ssl/wrong_ctx_storage.vtc index 1522e0211..156eb03e1 100644 --- a/reg-tests/ssl/wrong_ctx_storage.vtc +++ b/reg-tests/ssl/wrong_ctx_storage.vtc @@ -40,7 +40,7 @@ haproxy h1 -conf { listen frt mode http - bind "fd@${frt}" ssl crt ${testdir}/common.pem + bind "fd@${frt}" ssl crt ${testdir}/certs/common.pem http-request redirect location / } -start