mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 15:47:01 +02:00
Code Issues Projects Releases Wiki Activity

REGTEST: ssl: remove curl from the "add ssl crt-list" test

Browse Source 
Using curl for SSL tests can be a problem if it wasn't compiled with the
right SSL library and if it didn't share any cipher with HAProxy. To
have more robust tests we now use HAProxy as an SSL client, so we are
sure that the client and the server share the same SSL requirements.

This patch also adds timeouts in the default section, logs on stderr and
fix some indentation issues.
This commit is contained in:
William Lallemand 2020-04-30 09:47:08 +02:00
parent 8aa825a356
commit 3ed722f03c
1 changed files with 58 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
reg-tests/ssl/add_ssl_crt-list.vtc
View File

@ -1,31 +1,57 @@
#REGTEST_TYPE=devel #REGTEST_TYPE=devel
# This reg-test uses the "add ssl crt-list" command to add a certificate over the CLI. # This reg-test uses the "add ssl crt-list" command to add a certificate over the CLI.
# It requires socat and curl to upload and validate that the certificate was well updated # It requires socat to upload the certificate
# this check does 2 requests, the first one will use "www.test1.com" as SNI, and
# the second one will use "localhost". Since vtest can't do SSL, we use haproxy
# as an SSL client with 2 chained listen section.
# If this test does not work anymore: # If this test does not work anymore:
# - Check that you have socat and curl # - Check that you have socat
# - Check if haproxy and curl use the same ciphers
varnishtest "Test the 'add ssl crt-list' feature of the CLI" varnishtest "Test the 'add ssl crt-list' feature of the CLI"
#REQUIRE_VERSION=2.2 #REQUIRE_VERSION=2.2
#REQUIRE_OPTIONS=OPENSSL #REQUIRE_OPTIONS=OPENSSL
#REQUIRE_BINARIES=socat,curl #REQUIRE_BINARIES=socat
feature ignore_unknown_macro feature ignore_unknown_macro
server s1 -repeat 2 {
rxreq
txresp
} -start
haproxy h1 -conf { haproxy h1 -conf {
global global
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1 tune.ssl.capture-cipherlist-size 1
crt-base ${testdir} crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin stats socket "${tmpdir}/h1/stats" level admin
listen frt defaults
mode http mode http
${no-htx} option http-use-htx option httplog
bind "fd@${frt}" ssl strict-sni crt-list ${testdir}/localhost.crt-list ${no-htx} option http-use-htx
http-request redirect location / log stderr local0 debug err
option logasap
timeout connect 1s
timeout client 1s
timeout server 1s
listen clear-lst
bind "fd@${clearlst}"
balance roundrobin
server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)
listen ssl-lst
mode http
${no-htx} option http-use-htx
bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list
server s1 ${s1_addr}:${s1_port}
} -start } -start
@ -34,23 +60,21 @@ haproxy h1 -cli {
expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6" expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
} }
shell { client c1 -connect ${h1_clearlst_sock} {
HOST=${h1_frt_addr} txreq
if [ "${h1_frt_addr}" = "::1" ] ; then rxresp
HOST="\[::1\]" expect resp.status == 200
fi } -run
curl -v -i -k --resolve www.test1.com:${h1_frt_port}:${h1_frt_addr} https://www.test1.com:${h1_frt_port}
}
shell { shell {
echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" - echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" - echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" - printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" - printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" - printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" - printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
printf "add ssl crt-list ${testdir}/localhost.crt-list ${testdir}/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" - printf "add ssl crt-list ${testdir}/localhost.crt-list ${testdir}/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" -
} }
haproxy h1 -cli { haproxy h1 -cli {
@ -64,10 +88,8 @@ haproxy h1 -cli {
expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt).*\\](?=.*!www.test1.com)(?=.*localhost).*" expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt).*\\](?=.*!www.test1.com)(?=.*localhost).*"
} }
shell { client c1 -connect ${h1_clearlst_sock} {
HOST=${h1_frt_addr} txreq
if [ "${h1_frt_addr}" = "::1" ] ; then rxresp
HOST="\[::1\]" expect resp.status == 200
fi } -run
curl -v -i -k --resolve localhost:${h1_frt_port}:${h1_frt_addr} https://localhost:${h1_frt_port}
}