mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-06 15:17:01 +02:00
Code Issues Projects Releases Wiki Activity

REGTESTS: ocsp-update: change the reg-test to support the new crt-store mode

Browse Source 
Update the ocsp-update tests for the recent changes:

- Incompatibilities check string changed to match the crt-store one
- The "good configurations" are not good anymore because the
  ckch_conf_cmp() does not compare anymore with a global value.
This commit is contained in:
William Lallemand 2024-05-07 09:55:02 +02:00
parent 55e9e95914
commit d33a5f8e14
2 changed files with 20 additions and 380 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
reg-tests/ssl/ocsp_auto_update.vtc
View File

@ -1,4 +1,4 @@
#REGTEST_TYPE=broken #REGTEST_TYPE=slow
# reg-test is around ~2.5s # reg-test is around ~2.5s
# broken with BoringSSL. # broken with BoringSSL.
@ -653,7 +653,7 @@ haproxy h8 -cli {
# Check that the auto update option consistency check work even when crt-list # Check that the auto update option consistency check work even when crt-list
# lines are added through the cli # lines are added through the cli
shell { shell {
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "Incompatibilities found in OCSP update mode for certificate" printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'"
} }
haproxy h8 -wait haproxy h8 -wait

396
reg-tests/ssl/ocsp_compat_check.vtc
View File

@ -1,4 +1,4 @@
#REGTEST_TYPE=broken #REGTEST_TYPE=devel
# broken with BoringSSL. # broken with BoringSSL.
# #
@ -26,8 +26,8 @@ feature ignore_unknown_macro
# test1 # test1
# global_option DFLT # global_option OFF
# bind line DFLT (first) # bind line DFLT (OFF) (first)
# crt-list ON (second) # crt-list ON (second)
shell { shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list cat << EOF > ${tmpdir}/ocsp_compat_check.list
@ -52,7 +52,7 @@ EOF
echo "==== test 1" echo "==== test 1"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" echo "HAProxy return code: $haproxy_ret"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
} }
# test2 # test2
@ -82,7 +82,7 @@ EOF
echo "==== test 2" echo "==== test 2"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" echo "HAProxy return code: $haproxy_ret"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
} }
# test3 # test3
@ -112,13 +112,13 @@ EOF
echo "==== test 3" echo "==== test 3"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" echo "HAProxy return code: $haproxy_ret"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
} }
# test4 # test4
# global_option DFLT # global_option OFF
# bind line DFLT (second) # bind line DFLT OFF (second)
# crt-list ON (first) # crt-list ON (first)
shell { shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com server_ocsp_ecdsa.pem [ocsp-update on] foo.com
@ -143,7 +143,7 @@ EOF
echo "==== test 4" echo "==== test 4"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" echo "HAProxy return code: $haproxy_ret"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
} }
# test5 # test5
@ -174,7 +174,7 @@ EOF
echo "==== test 5" echo "==== test 5"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" echo "HAProxy return code: $haproxy_ret"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
} }
# test6 # test6
@ -205,7 +205,7 @@ EOF
echo "==== test 6" echo "==== test 6"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" echo "HAProxy return code: $haproxy_ret"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
} }
# test7 # test7
@ -236,8 +236,7 @@ EOF
haproxy_ret=$? haproxy_ret=$?
echo "==== test 7" echo "==== test 7"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
} }
# test8 # test8
@ -269,7 +268,7 @@ EOF
echo "==== test 8" echo "==== test 8"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" echo "HAProxy return code: $haproxy_ret"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
} }
# test9 # test9
@ -301,7 +300,7 @@ EOF
echo "==== test 9" echo "==== test 9"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" echo "HAProxy return code: $haproxy_ret"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
} }
# test10 # test10
@ -333,7 +332,7 @@ EOF
echo "==== test 10" echo "==== test 10"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" echo "HAProxy return code: $haproxy_ret"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
} }
# test11 # test11
@ -365,7 +364,7 @@ EOF
echo "==== test 11" echo "==== test 11"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" echo "HAProxy return code: $haproxy_ret"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
} }
# test12 # test12
@ -397,365 +396,6 @@ EOF
echo "==== test 12" echo "==== test 12"
echo "$haproxy_output" echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret" echo "HAProxy return code: $haproxy_ret"
! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
} }
###########################
# #
# GOOD CONFIGURATIONS #
# #
###########################
# test1
# global_option DFLT
# bind line DFLT (first)
# crt-list OFF (second)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode on
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
# test2
# global_option ON
# bind line DFLT/ON (first)
# crt-list ON (second)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
# test3
# global_option OFF
# bind line DFLT/OFF(first)
# crt-list OFF (second)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
# test4
# global_option DFLT
# bind line DFLT (second)
# crt-list OFF (first)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode off
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
# test5
# global_option ON
# bind line DFLT (second)
# crt-list ON (first)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
# test6
# global_option OFF
# bind line DFLT (second)
# crt-list OFF (first)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
# test7
# global_option DFLT
# bind line -
# crt-list OFF
# crt-list DFLT
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
server_ocsp_ecdsa.pem foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode off
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
# test8
# global_option DFLT
# bind line -
# crt-list DFLT
# crt-list OFF
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem foo.com
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode off
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
# test9
# global_option ON
# bind line -
# crt-list ON
# crt-list DFLT
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
server_ocsp_ecdsa.pem foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
# test10
# global_option ON
# bind line -
# crt-list DFLT
# crt-list ON
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem foo.com
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
# test11
# global_option OFF
# bind line -
# crt-list OFF
# crt-list DFLT
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
server_ocsp_ecdsa.pem foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
# test12
# global_option OFF
# bind line -
# crt-list DFLT
# crt-list OFF
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem foo.com
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
timeout connect 1s
timeout client 1s
timeout server 1s
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
$HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}