WIP: REGTESTS: add ssl_ciphersuites.vtc (TCP & QUIC)

2025-12-08 03:01:14 +01:00 · 2025-12-04 21:05:23 +01:00 · 2025-12-04 21:05:23 +01:00 · 193a75cf04
commit 193a75cf04
parent ca65abcc0e
3 changed files with 160 additions and 0 deletions
--- a/reg-tests/quic/ssl_ciphersuites.vtc
+++ b/reg-tests/quic/ssl_ciphersuites.vtc
@ -0,0 +1,7 @@
+#REGTEST_TYPE=devel
+varnishtest "Tests for ssl-default-ciphersuites global option"
+
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL)'"
+
+setenv VTC_SOCK_TYPE quic
+include ${testdir}/../ssl/ssl_ciphersuites.vtci
--- a/reg-tests/ssl/ssl_ciphersuites.vtc
+++ b/reg-tests/ssl/ssl_ciphersuites.vtc
@ -0,0 +1,7 @@
+#REGTEST_TYPE=devel
+varnishtest "Tests for ssl-default-ciphersuites global option"
+
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE stream
+include ${testdir}/ssl_ciphersuites.vtci
--- a/reg-tests/ssl/ssl_ciphersuites.vtci
+++ b/reg-tests/ssl/ssl_ciphersuites.vtci
@ -0,0 +1,146 @@
+#REGTEST_TYPE=devel
+varnishtest "Tests for ssl-default-ciphersuites global option"
+
+feature ignore_unknown_macro
+
+barrier b1 cond 2 -cyclic
+
+server s1 -repeat 10 {
+    rxreq
+    txresp
+} -start
+
+haproxy h1 -conf {
+    global
+    .if streq("$VTC_SOCK_TYPE",quic)
+        # required for backend connections
+        expose-experimental-directives
+    .endif
+    .if feature(THREAD)
+        thread-groups 1
+    .endif
+
+    defaults
+        mode http
+        option httpslog
+        log stderr local0 debug err
+        option logasap
+        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"
+        retries 0
+
+    listen clearlst
+        bind fd@${clearlst}
+        use_backend aes_128_gcm_sha256-be if { path /aes_128_gcm_sha256 }
+        use_backend aes_256_gcm_sha384-be if { path /aes_256_gcm_sha384 }
+        use_backend aes_chacha20_poly1305_sha256-be if { path /aes_chacha20_poly1305_sha256 }
+        use_backend aes_128_ccm_sha256-be if { path /aes_128_ccm_sha256 }
+        use_backend wrong-be1 if { path /wrong-be1 }
+
+	# Backend and listener for TLS_AES_128_GCM_SHA256
+    global
+        ssl-default-bind-ciphersuites   TLS_AES_128_GCM_SHA256
+        ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256
+
+    backend aes_128_gcm_sha256-be
+        server s1 ${VTC_SOCK_TYPE}+${h1_aes_128_gcm_sha256_lst_sock} ssl verify none
+    listen aes_128_gcm_sha256_lst
+        http-response add-header x-cipher %[ssl_fc_cipher]
+        bind ${VTC_SOCK_TYPE}+fd@${aes_128_gcm_sha256_lst} ssl crt ${testdir}/certs/common.pem
+        server s1 ${s1_sock}
+
+	# Backend and listener for TLS_AES_256_GCM_SHA384
+    global
+        ssl-default-bind-ciphersuites   TLS_AES_256_GCM_SHA384
+        ssl-default-server-ciphersuites TLS_AES_256_GCM_SHA384
+
+    backend aes_256_gcm_sha384-be
+        server s1 ${VTC_SOCK_TYPE}+${h1_aes_256_gcm_sha384_lst_sock} ssl verify none
+    listen aes_256_gcm_sha384_lst
+        http-response add-header x-cipher %[ssl_fc_cipher]
+        bind ${VTC_SOCK_TYPE}+fd@${aes_256_gcm_sha384_lst} ssl crt ${testdir}/certs/common.pem
+        server s1 ${s1_sock}
+
+	# Backend and listener for TLS_CHACHA20_POLY1305_SHA256
+    global
+        ssl-default-bind-ciphersuites   TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-server-ciphersuites TLS_CHACHA20_POLY1305_SHA256
+
+    backend aes_chacha20_poly1305_sha256-be
+        server s1 ${VTC_SOCK_TYPE}+${h1_aes_chacha20_poly1305_sha256_lst_sock} ssl verify none
+    listen aes_chacha20_poly1305_sha256_lst
+        http-response add-header x-cipher %[ssl_fc_cipher]
+        bind ${VTC_SOCK_TYPE}+fd@${aes_chacha20_poly1305_sha256_lst} ssl crt ${testdir}/certs/common.pem
+        server s1 ${s1_sock}
+
+	# Backend and listener for TLS_AES_128_CCM_SHA256
+    global
+        ssl-default-bind-ciphersuites   TLS_AES_128_CCM_SHA256
+        ssl-default-server-ciphersuites TLS_AES_128_CCM_SHA256
+
+    backend aes_128_ccm_sha256-be
+        server s1 ${VTC_SOCK_TYPE}+${h1_aes_128_ccm_sha256_lst_sock} ssl verify none
+    listen aes_128_ccm_sha256_lst
+        http-response add-header x-cipher %[ssl_fc_cipher]
+        bind ${VTC_SOCK_TYPE}+fd@${aes_128_ccm_sha256_lst} ssl crt ${testdir}/certs/common.pem
+        server s1 ${s1_sock}
+
+    listen own_cipher_suites_lst
+        http-response add-header x-cipher %[ssl_fc_cipher]
+        bind ${VTC_SOCK_TYPE}+fd@${own_cipher_suites_lst} ssl crt ${testdir}/certs/common.pem ciphersuites TLS_CHACHA20_POLY1305_SHA256
+        server s1 ${s1_sock}
+
+
+	backend wrong-be1
+		balance roundrobin
+		server s1 ${VTC_SOCK_TYPE}+${h1_aes_128_ccm_sha256_lst_sock} ssl verify none ciphersuites TLS_AES_128_GCM_SHA256
+		server s2 ${VTC_SOCK_TYPE}+${h1_aes_128_ccm_sha256_lst_sock} ssl verify none ciphersuites TLS_AES_256_GCM_SHA384
+		server s3 ${VTC_SOCK_TYPE}+${h1_aes_128_ccm_sha256_lst_sock} ssl verify none ciphersuites TLS_CHACHA20_POLY1305_SHA256
+
+		server s4 ${VTC_SOCK_TYPE}+${h1_own_cipher_suites_lst_sock} ssl verify none ciphersuites TLS_AES_128_GCM_SHA256
+		server s5 ${VTC_SOCK_TYPE}+${h1_own_cipher_suites_lst_sock} ssl verify none ciphersuites TLS_AES_256_GCM_SHA384
+		server s6 ${VTC_SOCK_TYPE}+${h1_own_cipher_suites_lst_sock} ssl verify none ciphersuites TLS_CHACHA20_POLY1305_SHA256
+} -start
+
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/aes_128_gcm_sha256"
+    rxresp
+    expect resp.http.x-cipher == TLS_AES_128_GCM_SHA256
+    expect resp.status == 200
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/aes_256_gcm_sha384"
+    rxresp
+    expect resp.http.x-cipher == TLS_AES_256_GCM_SHA384
+    expect resp.status == 200
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/aes_chacha20_poly1305_sha256"
+    rxresp
+    expect resp.http.x-cipher == TLS_CHACHA20_POLY1305_SHA256
+    expect resp.status == 200
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/aes_128_ccm_sha256"
+    rxresp
+    expect resp.http.x-cipher == TLS_AES_128_CCM_SHA256
+    expect resp.status == 200
+} -run
+
+client c2 -connect ${h1_clearlst_sock} -repeat 5 {
+    txreq -url "/wrong-be1"
+    rxresp
+    expect resp.status == 503
+} -run
+
+client c3 -connect ${h1_clearlst_sock} {
+    txreq -url "/wrong-be1"
+    rxresp
+    expect resp.status == 200
+} -run
+