diff --git a/reg-tests/ssl/set_ssl_cert.vtc b/reg-tests/ssl/set_ssl_cert.vtc index dc981a507..0e84058ba 100644 --- a/reg-tests/ssl/set_ssl_cert.vtc +++ b/reg-tests/ssl/set_ssl_cert.vtc @@ -1,30 +1,55 @@ #REGTEST_TYPE=devel # This reg-test uses the "set ssl cert" command to update a certificate over the CLI. -# It requires socat and curl to upload and validate that the certificate was well updated - +# It requires socat to upload the certificate +# +# this check does 3 requests, the first one will use "www.test1.com" as SNI, +# the second one with the same but that must fail and the third one will use +# "localhost". Since vtest can't do SSL, we use haproxy as an SSL client with 2 +# chained listen section. +# # If this test does not work anymore: -# - Check that you have socat and curl -# - Check that the curl -v option still return the SSL CN +# - Check that you have socat varnishtest "Test the 'set ssl cert' feature of the CLI" #REQUIRE_VERSION=2.2 #REQUIRE_OPTIONS=OPENSSL -#REQUIRE_BINARIES=socat,curl +#REQUIRE_BINARIES=socat feature ignore_unknown_macro +server s1 -repeat 3 { + rxreq + txresp +} -start haproxy h1 -conf { - global - tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 - stats socket "${tmpdir}/h1/stats" level admin + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-cipherlist-size 1 + stats socket "${tmpdir}/h1/stats" level admin - listen frt - mode http - ${no-htx} option http-use-htx - bind "fd@${frt}" ssl crt ${testdir}/common.pem - http-request redirect location / + defaults + mode http + option httplog + ${no-htx} option http-use-htx + log stderr local0 debug err + option logasap + timeout connect 100ms + timeout client 1s + timeout server 1s + + listen clear-lst + bind "fd@${clearlst}" + balance roundrobin + retries 0 # 2nd SSL connection must fail so skip the retry + server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com) + server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com) + server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost) + + listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni + + server s1 ${s1_addr}:${s1_port} } -start @@ -33,17 +58,15 @@ haproxy h1 -cli { expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6" } -shell { - HOST=${h1_frt_addr} - if [ "${h1_frt_addr}" = "::1" ] ; then - HOST="\[::1\]" - fi - curl -v -i -k https://$HOST:${h1_frt_port} 2>&1 | grep CN=www.test1.com -} +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.status == 200 +} -run shell { - printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { @@ -51,10 +74,15 @@ haproxy h1 -cli { expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" } -shell { - HOST=${h1_frt_addr} - if [ "${h1_frt_addr}" = "::1" ] ; then - HOST="\[::1\]" - fi - curl -v -i -k https://$HOST:${h1_frt_port} 2>&1 | grep CN=localhost -} +# check that the "www.test1.com" SNI was removed +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.status == 503 +} -run + +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.status == 200 +} -run