From 8d40494b33a3c993007295f4eb6135f34bf60290 Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Tue, 2 Dec 2025 17:36:33 +0100
Subject: [PATCH] REGTESTS: quic: ssl_sni_auto.vtc code provision for QUIC
ssl/ssl_sni_auto.vtc was renamed to ssl/ssl_sni_auto.vtci to produce a common part runnable both for QUIC and TCP listeners. Then ssl_sni_auto.vtc files were created both under ssl and quic directories to call this .vtci file with correct VTC_SOCK_TYPE environment values ("quic" for QUIC listeners and "stream" for TCP listeners); Mark the test as broken for QUIC
---
reg-tests/quic/ssl_sni_auto.vtc | 11 +++
reg-tests/ssl/ssl_sni_auto.vtc | 155 +-------------------------------
reg-tests/ssl/ssl_sni_auto.vtci | 155 ++++++++++++++++++++++++++++++++
3 files changed, 170 insertions(+), 151 deletions(-)
create mode 100644 reg-tests/quic/ssl_sni_auto.vtc
create mode 100644 reg-tests/ssl/ssl_sni_auto.vtci
diff --git a/reg-tests/quic/ssl_sni_auto.vtc b/reg-tests/quic/ssl_sni_auto.vtc
new file mode 100644
index 000000000..1096dec37
--- /dev/null
+++ b/reg-tests/quic/ssl_sni_auto.vtc
@@ -0,0 +1,11 @@
+# This teg-test verifies that automatic SNI selection for server connections and
+# health checks.
+#REGTEST_TYPE=broken
+
+varnishtest "Test the bind 'alpn' setting"
+# QUIC backend are not supported with USE_QUIC_OPENSSL_COMPAT
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL)'"
+
+setenv VTC_SOCK_TYPE quic
+setenv SSL_OPT ssl
+include ${testdir}/../ssl/ssl_sni_auto.vtci
diff --git a/reg-tests/ssl/ssl_sni_auto.vtc b/reg-tests/ssl/ssl_sni_auto.vtc
index 4c6c48fc5..978d7a122 100644
--- a/reg-tests/ssl/ssl_sni_auto.vtc
+++ b/reg-tests/ssl/ssl_sni_auto.vtc
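Review bot: The quic wrapper has no `version_atleast(3.3-dev8)` guard, while the ssl wrapper keeps `feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.3-dev8)'"`; on an older QUIC-capable build the included .vtci would presumably fail on `no-sni-auto`/`no-check-sni-auto` at config parse time instead of being skipped, so the same guard belongs next to the QUIC feature check. The `varnishtest "Test the bind 'alpn' setting"` title does not describe an SNI-auto test. The header comment `# This teg-test verifies that automatic SNI selection for server connections and` / `# health checks.` misspells reg-test and has no verb — `# This reg-test verifies automatic SNI selection for server connections and health checks.` reads cleanly; the same comment is repeated in the reg-tests/ssl/ssl_sni_auto.vtc hunk. `#REGTEST_TYPE=broken` gives no reason, and a one-line comment stating why the QUIC run is currently broken would save the next reader a bisect.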
@@ -1,157 +1,10 @@ -# This teg-test verifies that automatic SNI selection for server conncetions and +# This teg-test verifies that automatic SNI selection for server connections and # health checks. varnishtest "Test the bind 'alpn' setting" feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.3-dev8)'" feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'" -feature ignore_unknown_macro -barrier b1 cond 7 -cyclic - -server s1 { - rxreq - expect req.http.x-sni == - txresp -status 200 - barrier b1 sync -} -start - -server s2 { - rxreq - expect req.http.x-sni == "www.check2.org" - txresp -status 200 - barrier b1 sync -} -start - -server s3 { - rxreq - expect req.http.x-sni == "www.check3.org" - txresp -status 200 - barrier b1 sync -} -start - -server s4 { - rxreq - expect req.http.x-sni == "www.other.org" - txresp -status 200 - barrier b1 sync -} -start - -server s5 { - rxreq - expect req.http.x-sni == - txresp -status 200 - barrier b1 sync -} -start - -server s6 { - rxreq - expect req.http.x-sni == - txresp -status 200 - barrier b1 sync -} -start - - -haproxy h1 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - - defaults - mode http - option httplog - log stderr local0 debug err - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - default-server inter 100ms - - frontend fe_ssl - bind "fd@${fe_ssl}" ssl crt ${testdir}/certs/common.pem - - http-request return status 200 if { path /test1 } { ssl_fc_sni www.test1.org } - http-request return status 500 if { path /test2 } { ssl_fc_sni -m found } - http-request return status 200 if { path /test3 } { ssl_fc_sni www.other.org } - http-request deny - - listen li_check_ssl - bind "fd@${li_check_ssl}" ssl crt ${testdir}/certs/common.pem - http-request set-header x-sni %[ssl_fc_sni] if { ssl_fc_sni -m found } - - use-server s1 if { path /test1 
} - use-server s2 if { path /test2 } - use-server s3 if { path /test3 } - use-server s4 if { path /test4 } - use-server s5 if { path /test5 } - use-server s6 if { path /test6 } - - server s1 ${s1_addr}:${s1_port} - server s2 ${s1_addr}:${s2_port} - server s3 ${s3_addr}:${s3_port} - server s4 ${s4_addr}:${s4_port} - server s5 ${s5_addr}:${s5_port} - server s6 ${s6_addr}:${s6_port} - - listen li - bind "fd@${li}" - use-server s1 if { path /test1 } - use-server s2 if { path /test2 } - use-server s3 if { path /test3 } - - server s1 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none - server s2 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none no-sni-auto - server s3 ${h1_fe_ssl_addr}:${h1_fe_ssl_port} ssl verify none sni str("www.other.org") - - backend be1 - option httpchk GET /test1 HTTP/1.1 - server chk1 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none - - backend be2 - option httpchk GET /test2 HTTP/1.1 www.check2.org:443 - server chk2 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none - - backend be3 - option httpchk - http-check send meth GET uri /test3 hdr host "www.check3.org:443" - server chk3 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none - - backend be4 - option httpchk - http-check send meth GET uri /test4 hdr host "www.check4.org:443" - server chk4 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none check-sni "www.other.org" - - backend be5 - option httpchk - http-check send meth GET uri /test5 hdr host "www.check5.org:443" - server chk5 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none no-check-sni-auto - - backend be6 - option httpchk GET /test6 HTTP/1.1 www.check6.org:443 - http-check connect default - server chk2 ${h1_li_check_ssl_addr}:${h1_li_check_ssl_port} check check-ssl verify none - -} -start - -barrier b1 sync - -client c1 -connect ${h1_li_sock} { - txreq -url "/test1" -hdr "host: www.test1.org:443" - rxresp - 
expect resp.status == 200 - - txreq -url "/test1" - rxresp - expect resp.status == 403 - - txreq -url "/test2" -hdr "host: www.test1.org" - rxresp - expect resp.status == 403 - - txreq -url "/test3" -hdr "host: www.test1.org" - rxresp - expect resp.status == 200 -} -run +setenv VTC_SOCK_TYPE stream +setenv SSL_OPT check-ssl +include ${testdir}/ssl_sni_auto.vtci diff --git a/reg-tests/ssl/ssl_sni_auto.vtci b/reg-tests/ssl/ssl_sni_auto.vtci new file mode 100644 index 000000000..d6a5d0ee0 --- /dev/null +++ b/reg-tests/ssl/ssl_sni_auto.vtci 
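Review bot: `setenv SSL_OPT check-ssl` is the only semantic difference from the quic wrapper's `setenv SSL_OPT ssl`, and neither file says why the two differ; since the .vtci passes it as `check "${SSL_OPT}"` on the health-checked servers, the TCP variant keeps regular traffic clear-text and puts only the checks on TLS, whereas the QUIC variant turns TLS on for the whole server line. A comment such as `# TCP: only the health checks use TLS (check-ssl); the quic wrapper needs ssl on the server line` above the setenv would record that; the QUIC half is inferred from the sibling file, please confirm.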
@@ -0,0 +1,155 @@
+feature ignore_unknown_macro
+
+barrier b1 cond 7 -cyclic
+
+server s1 {
+ rxreq
+ expect req.http.x-sni ==
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+server s2 {
+ rxreq
+ expect req.http.x-sni == "www.check2.org"
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+server s3 {
+ rxreq
+ expect req.http.x-sni == "www.check3.org"
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+server s4 {
+ rxreq
+ expect req.http.x-sni == "www.other.org"
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+server s5 {
+ rxreq
+ expect req.http.x-sni ==
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+server s6 {
+ rxreq
+ expect req.http.x-sni ==
+ txresp -status 200
+ barrier b1 sync
+} -start
+
+
+haproxy h1 -conf {
+ global
+ .if streq("$VTC_SOCK_TYPE",quic)
+ # required for backend connections
+ expose-experimental-directives
+ .endif
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+ default-server inter 100ms
+
+ frontend fe_ssl
+ bind "${VTC_SOCK_TYPE}+fd@${fe_ssl}" ssl crt ${testdir}/certs/common.pem
+
+ http-request return status 200 if { path /test1 } { ssl_fc_sni www.test1.org }
+ http-request return status 500 if { path /test2 } { ssl_fc_sni -m found }
+ http-request return status 200 if { path /test3 } { ssl_fc_sni www.other.org }
+ http-request deny
+
+ listen li_check_ssl
+ bind "${VTC_SOCK_TYPE}+fd@${li_check_ssl}" ssl crt ${testdir}/certs/common.pem
+ http-request set-header x-sni %[ssl_fc_sni] if { ssl_fc_sni -m found }
+
+ use-server s1 if { path /test1 }
+ use-server s2 if { path /test2 }
+ use-server s3 if { path /test3 }
+ use-server s4 if { path /test4 }
+ use-server s5 if { path /test5 }
+ use-server s6 if { path /test6 }
+
+ server s1 ${s1_sock}
+ server s2 ${s2_sock}
+ server s3 ${s3_sock}
+ server s4 ${s4_sock}
+ server s5 ${s5_sock}
+ server s6 ${s6_sock}
+
+ listen li
+ bind "fd@${li}"
+ use-server s1 if { path /test1 }
+ use-server s2 if { path /test2 }
+ use-server s3 if { path /test3 }
+
+ server s1 "${VTC_SOCK_TYPE}+${h1_fe_ssl_sock}" ssl verify none
+ server s2 "${VTC_SOCK_TYPE}+${h1_fe_ssl_sock}" ssl verify none no-sni-auto
+ server s3 "${VTC_SOCK_TYPE}+${h1_fe_ssl_sock}" ssl verify none sni str("www.other.org")
+
+ backend be1
+ option httpchk GET /test1 HTTP/1.1
+ server chk1 "${VTC_SOCK_TYPE}+${h1_li_check_ssl_sock}" check "${SSL_OPT}" verify none
+
+ backend be2
+ option httpchk GET /test2 HTTP/1.1 www.check2.org:443
+ server chk2 "${VTC_SOCK_TYPE}+${h1_li_check_ssl_sock}" check "${SSL_OPT}" verify none
+
+ backend be3
+ option httpchk
+ http-check send meth GET uri /test3 hdr host "www.check3.org:443"
+ server chk3 "${VTC_SOCK_TYPE}+${h1_li_check_ssl_sock}" check "${SSL_OPT}" verify none
+
+ backend be4
+ option httpchk
+ http-check send meth GET uri /test4 hdr host "www.check4.org:443"
+ server chk4 "${VTC_SOCK_TYPE}+${h1_li_check_ssl_sock}" check "${SSL_OPT}" verify none check-sni "www.other.org"
+
+ backend be5
+ option httpchk
+ http-check send meth GET uri /test5 hdr host "www.check5.org:443"
+ server chk5 "${VTC_SOCK_TYPE}+${h1_li_check_ssl_sock}" check "${SSL_OPT}" verify none no-check-sni-auto
+
+ backend be6
+ option httpchk GET /test6 HTTP/1.1 www.check6.org:443
+ http-check connect default
+ server chk2 "${VTC_SOCK_TYPE}+${h1_li_check_ssl_sock}" check "${SSL_OPT}" verify none
+
+} -start
+
+barrier b1 sync
+
+client c1 -connect ${h1_li_sock} {
+ txreq -url "/test1" -hdr "host: www.test1.org:443"
+ rxresp
+ expect resp.status == 200
+
+ txreq -url "/test1"
+ rxresp
+ expect resp.status == 403
+
+ txreq -url "/test2" -hdr "host: www.test1.org"
+ rxresp
+ expect resp.status == 403
+
+ txreq -url "/test3" -hdr "host: www.test1.org"
+ rxresp
+ expect resp.status == 200
+} -run
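Review bot: The .vtci only works when VTC_SOCK_TYPE and SSL_OPT have been exported by the including file, but nothing in it says so: with either unset, haproxy's own environment expansion would presumably turn `bind "${VTC_SOCK_TYPE}+fd@${fe_ssl}"` into a bind on `+fd@...` and `check "${SSL_OPT}"` into an empty quoted token, and the config-parse error would point nowhere near the real cause. A three-line header comment before `feature ignore_unknown_macro` naming the two variables, their accepted values (`quic`/`stream`, `ssl`/`check-ssl`) and that the file is meant to be `include`d rather than run on its own would close that gap; `feature ignore_unknown_macro` itself deserves a why-comment, since it is what stops vtest from rejecting those `${...}` references before haproxy sees them. Separately, backend be6 names its server `chk2`, a copy of be2's; `chk6` would match the other backends.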