REGTESTS: ssl: Move all the SSL certificates, keys, crt-lists inside "certs" directory

Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-test/ssl/certs and adapt all the VTC files which use them.

This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables, depending on the location the VTC file
is runi from, because VTC does not resolve the environment variables. Only macros
as ${testdir} can be resolved.

For instance this command run from a VTC file from reg-tests/ssl directory cannot
be reused from another directory, except if we add a symbolic link for each certs,
key etc.

 haproxy h1 -cli {
   send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
 }

This is not what we want. We add a symbolic link to reg-test/ssl/certs to the
directory and modify the command above as follows:

 haproxy h1 -cli {
   send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
 }

.github/h2spec.config

@@ -19,7 +19,7 @@ defaults
 
 frontend h2
     mode http
-    bind 127.0.0.1:8443 ssl crt reg-tests/ssl/common.pem alpn h2,http/1.1
+    bind 127.0.0.1:8443 ssl crt reg-tests/ssl/certs/common.pem alpn h2,http/1.1
     default_backend h2b
 
 backend h2b

reg-tests/checks/certs

@@ -0,0 +1 @@
+../ssl/certs/

reg-tests/checks/common.pem

@@ -1 +0,0 @@
-../ssl/common.pem

reg-tests/checks/ssl-hello-check.vtc

@@ -39,7 +39,7 @@ haproxy htst -conf {
         timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
 
     frontend fe1
-        bind "fd@${fe1}" ssl crt ${testdir}/common.pem
+        bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
 
     frontend fe2
         bind "fd@${fe2}"

reg-tests/checks/tcp-check-client-hello.vtc

@@ -45,10 +45,10 @@ haproxy htst -conf {
        server fe1 ${htst_fe1_addr}:${htst_fe1_port}
 
     frontend fe1
-        bind "fd@${fe1}" ssl crt ${testdir}/common.pem curves P-256:P-384
+        bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem curves P-256:P-384
 
     frontend fe3
-        bind "fd@${fe3}" ssl crt ${testdir}/common.pem
+        bind "fd@${fe3}" ssl crt ${testdir}/certs/common.pem
 } -start
 
 haproxy h1 -conf {

reg-tests/checks/tcp-check-ssl.vtc

@@ -62,7 +62,7 @@ haproxy htst -conf {
 	server fe1 ${htst_fe1_addr}:${htst_fe1_port}
 
     frontend fe1
-        bind "fd@${fe1}" ssl crt ${testdir}/common.pem
+        bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
 
 } -start
 

reg-tests/checks/tls_health_checks.vtc

@@ -60,15 +60,15 @@ haproxy h1 -conf {
     frontend fe1
         option httplog
         log ${S1_addr}:${S1_port} len 2048 local0 debug err
-        bind "fd@${fe1}" ssl crt ${testdir}/common.pem
+        bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
         use_backend be1
 
     frontend fe2
-        bind "fd@${fe2}" ssl crt ${testdir}/common.pem
+        bind "fd@${fe2}" ssl crt ${testdir}/certs/common.pem
         use_backend be2
 
     frontend fe3
-        bind "fd@${fe3}" ssl crt ${testdir}/common.pem
+        bind "fd@${fe3}" ssl crt ${testdir}/certs/common.pem
         use_backend be3
 } -start
 
@@ -108,19 +108,19 @@ haproxy h2 -conf {
         option httpchk OPTIONS * HTTP/1.1
         http-check send hdr Host www
         log ${S2_addr}:${S2_port} daemon
-        server srv1 ${h1_fe1_addr}:${h1_fe1_port} ssl crt ${testdir}/common.pem verify none check
+        server srv1 ${h1_fe1_addr}:${h1_fe1_port} ssl crt ${testdir}/certs/common.pem verify none check
 
     backend be4
         option log-health-checks
         log ${S4_addr}:${S4_port} daemon
-        server srv2 ${h1_fe2_addr}:${h1_fe2_port} ssl crt ${testdir}/common.pem verify none check-ssl check
+        server srv2 ${h1_fe2_addr}:${h1_fe2_port} ssl crt ${testdir}/certs/common.pem verify none check-ssl check
 
     backend be6
         option log-health-checks
         option httpchk OPTIONS * HTTP/1.1
         http-check send hdr Host www
         log ${S6_addr}:${S6_port} daemon
-        server srv3 127.0.0.1:80 crt ${testdir}/common.pem verify none check check-ssl port ${h1_fe3_port} addr ${h1_fe3_addr}:80
+        server srv3 127.0.0.1:80 crt ${testdir}/certs/common.pem verify none check check-ssl port ${h1_fe3_port} addr ${h1_fe3_addr}:80
 } -start
 
 syslog S1 -wait

reg-tests/compression/certs

@@ -0,0 +1 @@
+../ssl/certs/

reg-tests/compression/common.pem

@@ -1 +0,0 @@
-../ssl/common.pem

reg-tests/compression/lua_validation.vtc

@@ -22,7 +22,7 @@ defaults
 	mode			http
 
 frontend main-https
-	bind			"fd@${fe1}" ssl crt ${testdir}/common.pem
+	bind			"fd@${fe1}" ssl crt ${testdir}/certs/common.pem
 	compression algo gzip
 	compression type text/html text/plain application/json application/javascript
 	compression offload

reg-tests/connection/ca-auth.crt

@@ -1 +0,0 @@
-../ssl/ca-auth.crt

reg-tests/connection/certs

@@ -0,0 +1 @@
+../ssl/certs/

reg-tests/connection/client1.pem

@@ -1 +0,0 @@
-../ssl/client1.pem

reg-tests/connection/common.pem

@@ -1 +0,0 @@
-../ssl/common.pem

reg-tests/connection/http_reuse_conn_hash.vtc

@@ -47,7 +47,7 @@ haproxy h1 -conf {
 
 	listen receiver
 		bind "fd@${feR}"
-		bind "fd@${feR_ssl}" ssl crt ${testdir}/common.pem
+		bind "fd@${feR_ssl}" ssl crt ${testdir}/certs/common.pem
 		bind "fd@${feR_proxy}" accept-proxy
 		http-request return status 200
 		http-after-response set-header http_first_request %[http_first_req]

reg-tests/connection/proxy_protocol_send_unique_id_alpn.vtc

@@ -24,7 +24,7 @@ haproxy h1 -conf {
         server example ${h1_feR_addr}:${h1_feR_port} send-proxy-v2 proxy-v2-options unique-id ssl alpn XXX verify none
 
     listen receiver
-        bind "fd@${feR}" ssl crt ${testdir}/common.pem accept-proxy
+        bind "fd@${feR}" ssl crt ${testdir}/certs/common.pem accept-proxy
 
         http-request set-var(txn.proxy_unique_id) fc_pp_unique_id
         http-after-response set-header proxy_unique_id %[var(txn.proxy_unique_id)]

reg-tests/connection/reverse_server_name.vtc

@@ -29,7 +29,7 @@ backend be-reverse
 	server dev rhttp@ ssl sni hdr(x-name) verify none
 
 frontend priv
-	bind "fd@${priv}" ssl crt ${testdir}/common.pem verify required ca-verify-file ${testdir}/ca-auth.crt alpn h2
+	bind "fd@${priv}" ssl crt ${testdir}/certs/common.pem verify required ca-verify-file ${testdir}/certs/ca-auth.crt alpn h2
 	tcp-request session attach-srv be-reverse/dev name ssl_c_s_dn(CN)
 } -start
 
@@ -45,7 +45,7 @@ defaults
 
 listen li
 	bind "fd@${li}"
-	server h_edge "${h_edge_priv_addr}:${h_edge_priv_port}" ssl crt ${testdir}/client1.pem verify none alpn h2
+	server h_edge "${h_edge_priv_addr}:${h_edge_priv_port}" ssl crt ${testdir}/certs/client1.pem verify none alpn h2
 } -start
 
 # Run a client through private endpoint

reg-tests/http-messaging/certs

@@ -0,0 +1 @@
+../ssl/certs/

reg-tests/http-messaging/common.pem

@@ -1 +0,0 @@
-../ssl/common.pem

reg-tests/http-messaging/srv_ws.vtc

@@ -22,7 +22,7 @@ haproxy hapsrv -conf {
 
 	frontend fe
 		bind "fd@${fe}"
-		bind "fd@${fessl}" ssl crt ${testdir}/common.pem alpn h2,http/1.1
+		bind "fd@${fessl}" ssl crt ${testdir}/certs/common.pem alpn h2,http/1.1
 		capture request header sec-websocket-key len 128
 		http-request set-var(txn.ver) req.ver
 		use_backend be

reg-tests/lua/certs

@@ -0,0 +1 @@
+../ssl/certs/

reg-tests/lua/common.pem

@@ -1 +0,0 @@
-../ssl/common.pem

reg-tests/lua/txn_get_priv-thread.vtc

@@ -32,7 +32,7 @@ haproxy h1 -conf {
 
     frontend fe2
         mode http
-        bind ":8443" ssl crt ${testdir}/common.pem
+        bind ":8443" ssl crt ${testdir}/certs/common.pem
         stats enable
         stats uri /
 

reg-tests/lua/txn_get_priv.vtc

@@ -26,7 +26,7 @@ haproxy h1 -conf {
 
     frontend fe2
         mode http
-        bind ":8443" ssl crt ${testdir}/common.pem
+        bind ":8443" ssl crt ${testdir}/certs/common.pem
         stats enable
         stats uri /
 

reg-tests/peers/certs

@@ -0,0 +1 @@
+../ssl/certs

reg-tests/peers/common.pem

@@ -1 +0,0 @@
-../ssl/common.pem

reg-tests/peers/tls_basic_sync.vtc

@@ -19,8 +19,8 @@ haproxy h1 -arg "-L A" -conf {
         stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers
 
     peers peers
-        default-server ssl crt ${testdir}/common.pem verify none
-        bind "fd@${A}" ssl crt ${testdir}/common.pem
+        default-server ssl crt ${testdir}/certs/common.pem verify none
+        bind "fd@${A}" ssl crt ${testdir}/certs/common.pem
         server A
         server B ${h2_B_addr}:${h2_B_port}
         server C ${h3_C_addr}:${h3_C_port}
@@ -49,8 +49,8 @@ haproxy h2 -arg "-L B" -conf {
         stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers
 
     peers peers
-        default-server ssl crt ${testdir}/common.pem verify none
-        bind "fd@${B}" ssl crt ${testdir}/common.pem
+        default-server ssl crt ${testdir}/certs/common.pem verify none
+        bind "fd@${B}" ssl crt ${testdir}/certs/common.pem
         server A ${h1_A_addr}:${h1_A_port}
         server B
         server C ${h3_C_addr}:${h3_C_port}
@@ -78,8 +78,8 @@ haproxy h3 -arg "-L C" -conf {
         stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers
 
     peers peers
-        default-server ssl crt ${testdir}/common.pem verify none
-        bind "fd@${C}" ssl crt ${testdir}/common.pem
+        default-server ssl crt ${testdir}/certs/common.pem verify none
+        bind "fd@${C}" ssl crt ${testdir}/certs/common.pem
         server A ${h1_A_addr}:${h1_A_port}
         server B ${h2_B_addr}:${h2_B_port}
         server C

reg-tests/peers/tls_basic_sync_wo_stkt_backend.vtc

@@ -17,8 +17,8 @@ haproxy h1 -arg "-L A" -conf {
 
     peers peers
         table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000)
-        default-server ssl crt ${testdir}/common.pem verify none
-        bind "fd@${A}" ssl crt ${testdir}/common.pem
+        default-server ssl crt ${testdir}/certs/common.pem verify none
+        bind "fd@${A}" ssl crt ${testdir}/certs/common.pem
         server A
         server B ${h2_B_addr}:${h2_B_port}
         server C ${h3_C_addr}:${h3_C_port}
@@ -45,8 +45,8 @@ haproxy h2 -arg "-L B" -conf {
 
     peers peers
         table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000)
-        default-server ssl crt ${testdir}/common.pem verify none
-        bind "fd@${B}" ssl crt ${testdir}/common.pem
+        default-server ssl crt ${testdir}/certs/common.pem verify none
+        bind "fd@${B}" ssl crt ${testdir}/certs/common.pem
         server A ${h1_A_addr}:${h1_A_port}
         server B
         server C ${h3_C_addr}:${h3_C_port}
@@ -72,8 +72,8 @@ haproxy h3 -arg "-L C" -conf {
 
     peers peers
         table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000)
-        default-server ssl crt ${testdir}/common.pem verify none
-        bind "fd@${C}" ssl crt ${testdir}/common.pem
+        default-server ssl crt ${testdir}/certs/common.pem verify none
+        bind "fd@${C}" ssl crt ${testdir}/certs/common.pem
         server A ${h1_A_addr}:${h1_A_port}
         server B ${h2_B_addr}:${h2_B_port}
         server C

reg-tests/quic/certs

@@ -0,0 +1 @@
+../ssl/certs

reg-tests/quic/common.pem

@@ -1 +0,0 @@
-../ssl/common.pem

reg-tests/quic/retry.vtc

@@ -28,11 +28,11 @@ haproxy ha2 -conf {
         timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"
 
     listen quic_lstnr
-        bind "quic+fd@${fe_quic}" ssl crt ${testdir}/common.pem
+        bind "quic+fd@${fe_quic}" ssl crt ${testdir}/certs/common.pem
         server srv ${s1_addr}:${s1_port}
 
     listen quic_lstnr_retry
-        bind "quic+fd@${fe_quic_retry}" ssl crt ${testdir}/common.pem quic-force-retry
+        bind "quic+fd@${fe_quic_retry}" ssl crt ${testdir}/certs/common.pem quic-force-retry
         server srv ${s1_addr}:${s1_port}
 } -start
 

reg-tests/server/certs

@@ -0,0 +1 @@
+../ssl/certs/

reg-tests/server/cli_add_ssl_server.vtc

@@ -47,7 +47,7 @@ haproxy h1 -conf {
 
 	# frontend used to respond to ssl connection
 	frontend fe-ssl-term
-		bind "fd@${feSslTerm}" ssl crt ${testdir}/common.pem
+		bind "fd@${feSslTerm}" ssl crt ${testdir}/certs/common.pem
 		http-request return status 200
 } -start
 
@@ -63,7 +63,7 @@ client c1 -connect ${h1_feSsl_sock} {
 
 shell {
 	echo "new ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" -
-	printf "set ssl ca-file common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+	printf "set ssl ca-file common.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
 	echo "commit ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" -
 } -run
 

reg-tests/server/common.pem

@@ -1 +0,0 @@
-../ssl/common.pem

reg-tests/ssl/add_ssl_crt-list.vtc

@@ -30,7 +30,7 @@ haproxy h1 -conf {
         tune.ssl.default-dh-param 2048
     .endif
         tune.ssl.capture-buffer-size 1
-        crt-base ${testdir}
+        crt-base ${testdir}/certs
         stats socket "${tmpdir}/h1/stats" level admin
 
     defaults
@@ -52,15 +52,15 @@ haproxy h1 -conf {
 
     listen ssl-lst
         mode http
-        bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list
+        bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list "${testdir}/certs/localhost.crt-list"
 
         server s1 ${s1_addr}:${s1_port}
-        server s2 ${s1_addr}:${s1_port} ssl crt "${testdir}/common.pem" weight 0 verify none
+        server s2 ${s1_addr}:${s1_port} ssl crt "${testdir}/certs/common.pem" weight 0 verify none
 } -start
 
 
 haproxy h1 -cli {
-    send "show ssl cert ${testdir}/common.pem"
+    send "show ssl cert ${testdir}/certs/common.pem"
     expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
 }
 
@@ -71,26 +71,26 @@ client c1 -connect ${h1_clearlst_sock} {
 } -run
 
 shell {
-    echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
-    printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
-    echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
-    printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/common.pem [ssl-min-ver SSLv3 verify none allow-0rtt] !*\n\n" | socat "${tmpdir}/h1/stats" -
-    printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
-    printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
-    printf "add ssl crt-list ${testdir}/localhost.crt-list/// <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
-    printf "add ssl crt-list ${testdir}/localhost.crt-list///// <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
-    printf "add ssl crt-list ${testdir}/localhost.crt-list// ${testdir}/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" -
+    echo "new ssl cert ${testdir}/certs/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+    printf "set ssl cert ${testdir}/certs/ecdsa.pem <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+    echo "commit ssl cert ${testdir}/certs/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/common.pem [ssl-min-ver SSLv3 verify none allow-0rtt] !*\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/// <<\n${testdir}/certs/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list///// <<\n${testdir}/certs/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list// ${testdir}/certs/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" -
 }
 
 haproxy h1 -cli {
-    send "show ssl cert ${testdir}/ecdsa.pem"
+    send "show ssl cert ${testdir}/certs/ecdsa.pem"
     expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
 }
 
 haproxy h1 -cli {
-    send "show ssl crt-list ${testdir}/localhost.crt-list//"
+    send "show ssl crt-list ${testdir}/certs/localhost.crt-list//"
     # check the options and the filters in any order
-    expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*"
+    expect ~ ".*${testdir}/certs/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*"
 }
 
 client c1 -connect ${h1_clearlst_sock} {
@@ -103,17 +103,17 @@ client c1 -connect ${h1_clearlst_sock} {
 # Try to add a new line that mentions an "unknown" CA file (not loaded yet).
 # It should fail since no disk access are allowed during runtime.
 shell {
-    printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ca-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ca-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
 }
 shell {
-    printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ca-verify-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ca-verify-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
 }
 shell {
-    printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [crl-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [crl-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
 }
 
 # Check that the new line was not added to the crt-list.
 haproxy h1 -cli {
-    send "show ssl crt-list ${testdir}/localhost.crt-list//"
-    expect !~ ".*ca-file ${testdir}/ca-auth.crt"
+    send "show ssl crt-list ${testdir}/certs/localhost.crt-list//"
+    expect !~ ".*ca-file ${testdir}/certs/ca-auth.crt"
 }

reg-tests/ssl/crt_store.vtc

@@ -17,7 +17,7 @@ haproxy h1 -arg -V -conf-OK {
     .endif
 
     crt-store
-       load crt "${testdir}/common.crt" key "${testdir}/common.key"
+       load crt "${testdir}/certs/common.crt" key "${testdir}/certs/common.key"
 
     defaults
         timeout client 30s
@@ -25,17 +25,17 @@ haproxy h1 -arg -V -conf-OK {
         timeout connect 30s
 
     listen ssl-lst
-        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.crt strict-sni
+        bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.crt" strict-sni
 
 }
 
 haproxy h2 -arg -V -conf-BAD {} {
 
     listen ssl-lst
-        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
+        bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.pem" strict-sni
 
     crt-store
-       load crt "${testdir}/common.pem" key "${testdir}/common.key"
+       load crt "${testdir}/certs/common.pem" key "${testdir}/certs/common.key"
 
 }
 

reg-tests/ssl/del_ssl_crt-list.vtc

@@ -28,7 +28,7 @@ haproxy h1 -conf {
         tune.ssl.default-dh-param 2048
     .endif
         tune.ssl.capture-buffer-size 1
-        crt-base ${testdir}
+        crt-base ${testdir}/certs
         stats socket "${tmpdir}/h1/stats" level admin
         ssl-default-bind-options strict-sni
 
@@ -54,12 +54,12 @@ haproxy h1 -conf {
     listen first-ssl-fe
         # note: strict-sni is enforced from ssl-default-bind-options above
         mode http
-        bind "${tmpdir}/first-ssl.sock" ssl crt-list ${testdir}/simple.crt-list
+        bind "${tmpdir}/first-ssl.sock" ssl crt-list ${testdir}/certs/simple.crt-list
         server s1 ${s1_addr}:${s1_port}
 
     listen second-ssl-fe
         mode http
-        bind "${tmpdir}/second-ssl.sock" ssl no-strict-sni crt-list ${testdir}/localhost.crt-list
+        bind "${tmpdir}/second-ssl.sock" ssl no-strict-sni crt-list ${testdir}/certs/localhost.crt-list
         server s1 ${s1_addr}:${s1_port}
 } -start
 
@@ -78,12 +78,12 @@ client c1 -connect ${h1_clearlst_sock} {
 } -run
 
 haproxy h1 -cli {
-    send "del ssl crt-list ${testdir}/simple.crt-list ${testdir}/common.pem:2"
-    expect ~ "Entry '${testdir}/common.pem' deleted in crtlist '${testdir}/simple.crt-list'!"
+    send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:2"
+    expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
 }
 
 haproxy h1 -cli {
-    send "show ssl crt-list -n ${testdir}/simple.crt-list"
+    send "show ssl crt-list -n ${testdir}/certs/simple.crt-list"
     expect !~ "common.pem:2"
 }
 
@@ -98,12 +98,12 @@ client c1 -connect ${h1_clearlst_sock} {
 # We should not be able to delete the crt-list's first line since it is the
 # default certificate of this bind line and the strict-sni option is not enabled.
 haproxy h1 -cli {
-    send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
-    expect ~ "Can't delete the entry: certificate '${testdir}/common.pem' cannot be deleted, it is used as default certificate by the following frontends:"
+    send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
+    expect ~ "Can't delete the entry: certificate '${testdir}/certs/common.pem' cannot be deleted, it is used as default certificate by the following frontends:"
 }
 
 # We should be able to delete any line of the crt-list since the strict-sni option is enabled.
 haproxy h1 -cli {
-    send "del ssl crt-list ${testdir}/simple.crt-list ${testdir}/common.pem:1"
-    expect ~ "Entry '${testdir}/common.pem' deleted in crtlist '${testdir}/simple.crt-list'!"
+    send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:1"
+    expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
 }

reg-tests/ssl/dynamic_server_ssl.vtc

@@ -36,20 +36,20 @@ haproxy h1 -conf {
 		default_backend test
 
 	backend test
-		server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
-		server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
-		server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
+		server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
+		server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
+		server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
 
 
 	listen ssl-lst
-		bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem"
+		bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.pem"
 		server s1 ${s1_addr}:${s1_port}
 
 } -start
 
 
 haproxy h1 -cli {
-    send "show ssl cert ${testdir}/client1.pem"
+    send "show ssl cert ${testdir}/certs/client1.pem"
     expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
 }
 client c1 -connect ${h1_feS_sock} {
@@ -59,7 +59,7 @@ client c1 -connect ${h1_feS_sock} {
 } -run
 
 haproxy h1 -cli {
-    send "show ssl cert ${testdir}/client1.pem"
+    send "show ssl cert ${testdir}/certs/client1.pem"
     expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
 }
 
@@ -83,26 +83,26 @@ haproxy h1 -cli {
 
 # Replace certificate with an expired one
 shell {
-    printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
-    echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
+    printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+    echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
 }
 
 haproxy h1 -cli {
-    send "show ssl cert ${testdir}/client1.pem"
+    send "show ssl cert ${testdir}/certs/client1.pem"
     expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
 }
 
 haproxy h1 -cli {
-	send "show ssl cert ${testdir}/client1.pem"
+	send "show ssl cert ${testdir}/certs/client1.pem"
 	expect ~ ".*Status: Unused"
 }
 
 haproxy h1 -cli {
-	send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem"
+	send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/certs/client1.pem"
 	expect ~ "New server registered."
 	send "enable server test/s1"
 	expect ~ ".*"
-	send "show ssl cert ${testdir}/client1.pem"
+	send "show ssl cert ${testdir}/certs/client1.pem"
 	expect ~ ".*Status: Used"
 }
 

reg-tests/ssl/issuers_chain_path.vtc

@@ -14,8 +14,8 @@ haproxy h1 -conf {
     .endif
 
         stats socket "${tmpdir}/h1/stats" level admin
-        issuers-chain-path "${testdir}/issuers-chain-path/ca/"
-        crt-base "${testdir}/issuers-chain-path"
+        issuers-chain-path "${testdir}/certs/issuers-chain-path/ca/"
+        crt-base "${testdir}/certs/issuers-chain-path"
 
     defaults
         mode http
@@ -34,9 +34,9 @@ haproxy h1 -conf {
 
 # We should have two distinct ocsp responses known that were loaded at build time
 haproxy h1 -cli {
-	send "show ssl cert ${testdir}/issuers-chain-path/server.pem"
+	send "show ssl cert ${testdir}/certs/issuers-chain-path/server.pem"
 	expect ~ ".*Chain Filename.*"
-	send "show ssl cert ${testdir}/issuers-chain-path/server.pem"
+	send "show ssl cert ${testdir}/certs/issuers-chain-path/server.pem"
 	expect ~ ".*Chain Subject.*"
 }
 

reg-tests/ssl/log_forward_ssl.vtc

@@ -51,7 +51,7 @@ haproxy h1 -conf {
 		log ring@myring local0 # To TCP log
 
 	log-forward syslog2local
-		bind 127.0.0.1:2514 ssl crt ${testdir}/common.pem
+		bind 127.0.0.1:2514 ssl crt ${testdir}/certs/common.pem
 		log ${Slg1_addr}:${Slg1_port} local0 # To VTest syslog
 } -start
 

reg-tests/ssl/new_del_ssl_cafile.vtc

@@ -30,7 +30,7 @@ haproxy h1 -conf {
     .endif
         tune.ssl.capture-buffer-size 1
         stats socket "${tmpdir}/h1/stats" level admin
-        crt-base ${testdir}
+        crt-base ${testdir}/certs
 
     defaults
         mode http
@@ -49,13 +49,13 @@ haproxy h1 -conf {
         default_backend default_be
 
     backend default_be
-        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(www.test1.com)
+        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(www.test1.com)
 
     backend with_ca_be
-        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(with-ca.com)
+        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(with-ca.com)
 
     listen ssl-lst
-        bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all
+        bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required crt-ignore-err all
         http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
         server s1 ${s1_addr}:${s1_port}
 } -start
@@ -83,7 +83,7 @@ haproxy h1 -cli {
 }
 
 shell {
-    printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
     echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
 }
 
@@ -98,12 +98,12 @@ haproxy h1 -cli {
 }
 
 shell {
-    printf "add ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "add ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
     echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
 }
 
 shell {
-    printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
     echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
 }
 
@@ -124,14 +124,14 @@ client c1 -connect ${h1_clearlst_sock} {
 
 # Add a new certificate that will use the new CA file
 shell {
-    echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
-    printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
-    echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+    echo "new ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+    printf "set ssl cert ${testdir}/certs/set_cafile_server.pem <<\n$(cat ${testdir}/certs/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+    echo "commit ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
 }
 
 # Create a new crt-list line that will use the new CA file
 shell {
-    printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" | socat "${tmpdir}/h1/stats" -
 }
 
 client c1 -connect ${h1_clearlst_sock} {
@@ -144,8 +144,8 @@ client c1 -connect ${h1_clearlst_sock} {
 
 # Delete the newly added crt-list line and CA file
 haproxy h1 -cli {
-    send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
-    expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"
+    send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/set_cafile_server.pem"
+    expect ~ "Entry '${testdir}/certs/set_cafile_server.pem' deleted in crtlist '${testdir}/certs/localhost.crt-list'!"
 
     send "del ssl ca-file new_cafile.crt"
     expect ~ "CA file 'new_cafile.crt' deleted!"

reg-tests/ssl/new_del_ssl_crlfile.vtc

@@ -30,7 +30,7 @@ haproxy h1 -conf {
     .endif
         tune.ssl.capture-buffer-size 1
         stats socket "${tmpdir}/h1/stats" level admin
-        crt-base ${testdir}
+        crt-base ${testdir}/certs
 
     defaults
         mode http
@@ -49,13 +49,13 @@ haproxy h1 -conf {
         default_backend default_be
 
     backend default_be
-        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(www.test1.com)
+        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem sni str(www.test1.com)
 
     backend with_crl_be
-        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(with-crl.com)
+        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem sni str(with-crl.com)
 
     listen ssl-lst
-        bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-file ${testdir}/ca-auth.crt verify required crt-ignore-err all
+        bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list ca-file ${testdir}/certs/ca-auth.crt verify required crt-ignore-err all
         http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
         server s1 ${s1_addr}:${s1_port}
 } -start
@@ -83,7 +83,7 @@ haproxy h1 -cli {
 }
 
 shell {
-    printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/crl-auth.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/certs/crl-auth.pem)\n\n" | socat "${tmpdir}/h1/stats" -
     echo "commit ssl crl-file new_crlfile.crt" | socat "${tmpdir}/h1/stats" -
 }
 
@@ -97,14 +97,14 @@ haproxy h1 -cli {
 
 # Add a new certificate that will use the new CA file
 shell {
-    echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
-    printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
-    echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+    echo "new ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+    printf "set ssl cert ${testdir}/certs/set_cafile_server.pem <<\n$(cat ${testdir}/certs/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+    echo "commit ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
 }
 
 # Create a new crt-list line that will use the new CA file
 shell {
-    printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" | socat "${tmpdir}/h1/stats" -
 }
 
 client c1 -connect ${h1_clearlst_sock} {
@@ -126,8 +126,8 @@ client c1 -connect ${h1_clearlst_sock} {
 
 # Delete the newly added crt-list line and CRL file
 haproxy h1 -cli {
-    send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
-    expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"
+    send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/set_cafile_server.pem"
+    expect ~ "Entry '${testdir}/certs/set_cafile_server.pem' deleted in crtlist '${testdir}/certs/localhost.crt-list'!"
 
     send "del ssl crl-file new_crlfile.crt"
     expect ~ "CRL file 'new_crlfile.crt' deleted!"