diff --git a/reg-tests/quic/ssl_ciphersuites.vtc b/reg-tests/quic/ssl_ciphersuites.vtc new file mode 100644 index 000000000..474cf49e4 --- /dev/null +++ b/reg-tests/quic/ssl_ciphersuites.vtc @@ -0,0 +1,7 @@ +#REGTEST_TYPE=devel +varnishtest "Tests for ssl-default-ciphersuites global option" + +feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL)'" + +setenv VTC_SOCK_TYPE quic +include ${testdir}/../ssl/ssl_ciphersuites.vtci diff --git a/reg-tests/ssl/ssl_ciphersuites.vtc b/reg-tests/ssl/ssl_ciphersuites.vtc new file mode 100644 index 000000000..cd9fbd8a8 --- /dev/null +++ b/reg-tests/ssl/ssl_ciphersuites.vtc @@ -0,0 +1,7 @@ +#REGTEST_TYPE=devel +varnishtest "Tests for ssl-default-ciphersuites global option" + +feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'" + +setenv VTC_SOCK_TYPE stream +include ${testdir}/ssl_ciphersuites.vtci diff --git a/reg-tests/ssl/ssl_ciphersuites.vtci b/reg-tests/ssl/ssl_ciphersuites.vtci new file mode 100644 index 000000000..44b45636d --- /dev/null +++ b/reg-tests/ssl/ssl_ciphersuites.vtci @@ -0,0 +1,146 @@ +#REGTEST_TYPE=devel +varnishtest "Tests for ssl-default-ciphersuites global option" + +feature ignore_unknown_macro + +barrier b1 cond 2 -cyclic + +server s1 -repeat 10 { + rxreq + txresp +} -start + +haproxy h1 -conf { + global + .if streq("$VTC_SOCK_TYPE",quic) + # required for backend connections + expose-experimental-directives + .endif + .if feature(THREAD) + thread-groups 1 + .endif + + defaults + mode http + option httpslog + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + retries 0 + + listen clearlst + bind fd@${clearlst} + use_backend aes_128_gcm_sha256-be if { path /aes_128_gcm_sha256 } + use_backend aes_256_gcm_sha384-be if { path /aes_256_gcm_sha384 } + use_backend aes_chacha20_poly1305_sha256-be if { path /aes_chacha20_poly1305_sha256 } + use_backend aes_128_ccm_sha256-be if { path /aes_128_ccm_sha256 } + use_backend wrong-be1 if { path /wrong-be1 } + + # Backend and listener for TLS_AES_128_GCM_SHA256 + global + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256 + ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256 + + backend aes_128_gcm_sha256-be + server s1 ${VTC_SOCK_TYPE}+${h1_aes_128_gcm_sha256_lst_sock} ssl verify none + listen aes_128_gcm_sha256_lst + http-response add-header x-cipher %[ssl_fc_cipher] + bind ${VTC_SOCK_TYPE}+fd@${aes_128_gcm_sha256_lst} ssl crt ${testdir}/certs/common.pem + server s1 ${s1_sock} + + # Backend and listener for TLS_AES_256_GCM_SHA384 + global + ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384 + ssl-default-server-ciphersuites TLS_AES_256_GCM_SHA384 + + backend aes_256_gcm_sha384-be + server s1 ${VTC_SOCK_TYPE}+${h1_aes_256_gcm_sha384_lst_sock} ssl verify none + listen aes_256_gcm_sha384_lst + http-response add-header x-cipher %[ssl_fc_cipher] + bind ${VTC_SOCK_TYPE}+fd@${aes_256_gcm_sha384_lst} ssl crt ${testdir}/certs/common.pem + server s1 ${s1_sock} + + # Backend and listener for TLS_CHACHA20_POLY1305_SHA256 + global + ssl-default-bind-ciphersuites TLS_CHACHA20_POLY1305_SHA256 + ssl-default-server-ciphersuites TLS_CHACHA20_POLY1305_SHA256 + + backend aes_chacha20_poly1305_sha256-be + server s1 ${VTC_SOCK_TYPE}+${h1_aes_chacha20_poly1305_sha256_lst_sock} ssl verify none + listen aes_chacha20_poly1305_sha256_lst + http-response add-header x-cipher %[ssl_fc_cipher] + bind ${VTC_SOCK_TYPE}+fd@${aes_chacha20_poly1305_sha256_lst} ssl crt ${testdir}/certs/common.pem + server s1 ${s1_sock} + + # Backend and listener for TLS_AES_128_CCM_SHA256 + global + ssl-default-bind-ciphersuites TLS_AES_128_CCM_SHA256 + ssl-default-server-ciphersuites TLS_AES_128_CCM_SHA256 + + backend aes_128_ccm_sha256-be + server s1 ${VTC_SOCK_TYPE}+${h1_aes_128_ccm_sha256_lst_sock} ssl verify none + listen aes_128_ccm_sha256_lst + http-response add-header x-cipher %[ssl_fc_cipher] + bind ${VTC_SOCK_TYPE}+fd@${aes_128_ccm_sha256_lst} ssl crt ${testdir}/certs/common.pem + server s1 ${s1_sock} + + listen own_cipher_suites_lst + http-response add-header x-cipher %[ssl_fc_cipher] + bind ${VTC_SOCK_TYPE}+fd@${own_cipher_suites_lst} ssl crt ${testdir}/certs/common.pem ciphersuites TLS_CHACHA20_POLY1305_SHA256 + server s1 ${s1_sock} + + + backend wrong-be1 + balance roundrobin + server s1 ${VTC_SOCK_TYPE}+${h1_aes_128_ccm_sha256_lst_sock} ssl verify none ciphersuites TLS_AES_128_GCM_SHA256 + server s2 ${VTC_SOCK_TYPE}+${h1_aes_128_ccm_sha256_lst_sock} ssl verify none ciphersuites TLS_AES_256_GCM_SHA384 + server s3 ${VTC_SOCK_TYPE}+${h1_aes_128_ccm_sha256_lst_sock} ssl verify none ciphersuites TLS_CHACHA20_POLY1305_SHA256 + + server s4 ${VTC_SOCK_TYPE}+${h1_own_cipher_suites_lst_sock} ssl verify none ciphersuites TLS_AES_128_GCM_SHA256 + server s5 ${VTC_SOCK_TYPE}+${h1_own_cipher_suites_lst_sock} ssl verify none ciphersuites TLS_AES_256_GCM_SHA384 + server s6 ${VTC_SOCK_TYPE}+${h1_own_cipher_suites_lst_sock} ssl verify none ciphersuites TLS_CHACHA20_POLY1305_SHA256 +} -start + + +client c1 -connect ${h1_clearlst_sock} { + txreq -url "/aes_128_gcm_sha256" + rxresp + expect resp.http.x-cipher == TLS_AES_128_GCM_SHA256 + expect resp.status == 200 +} -run + +client c1 -connect ${h1_clearlst_sock} { + txreq -url "/aes_256_gcm_sha384" + rxresp + expect resp.http.x-cipher == TLS_AES_256_GCM_SHA384 + expect resp.status == 200 +} -run + +client c1 -connect ${h1_clearlst_sock} { + txreq -url "/aes_chacha20_poly1305_sha256" + rxresp + expect resp.http.x-cipher == TLS_CHACHA20_POLY1305_SHA256 + expect resp.status == 200 +} -run + +client c1 -connect ${h1_clearlst_sock} { + txreq -url "/aes_128_ccm_sha256" + rxresp + expect resp.http.x-cipher == TLS_AES_128_CCM_SHA256 + expect resp.status == 200 +} -run + +client c2 -connect ${h1_clearlst_sock} -repeat 5 { + txreq -url "/wrong-be1" + rxresp + expect resp.status == 503 +} -run + +client c3 -connect ${h1_clearlst_sock} { + txreq -url "/wrong-be1" + rxresp + expect resp.status == 200 +} -run +