From d8325002d4dfeedd98f8f4e6066f08eb5f6a7ac8 Mon Sep 17 00:00:00 2001 From: Frederic Lecaille Date: Fri, 28 Nov 2025 17:37:43 +0100 Subject: [PATCH] REGTESTS: quic: new_del_ssl_cafile.vtc supported by QUIC ssl/new_del_ssl_cafile.vtc was rename to ssl/new_del_ssl_cafile.vtci to produce a common part runnable both for QUIC and TCP connections. Then new_del_ssl_cafile.vtc files were created both under ssl and quic directories to call this .vtci file with correct VTC_SOCK_TYPE environment values ("quic" for QUIC connection and "stream" for TCP connections); --- reg-tests/quic/new_del_ssl_cafile.vtc | 16 +++ reg-tests/ssl/new_del_ssl_cafile.vtc | 150 +------------------------ reg-tests/ssl/new_del_ssl_cafile.vtci | 156 ++++++++++++++++++++++++++ 3 files changed, 174 insertions(+), 148 deletions(-) create mode 100644 reg-tests/quic/new_del_ssl_cafile.vtc create mode 100644 reg-tests/ssl/new_del_ssl_cafile.vtci diff --git a/reg-tests/quic/new_del_ssl_cafile.vtc b/reg-tests/quic/new_del_ssl_cafile.vtc new file mode 100644 index 000000000..a9ec37eff --- /dev/null +++ b/reg-tests/quic/new_del_ssl_cafile.vtc @@ -0,0 +1,16 @@ +#REGTEST_TYPE=devel + +# This test uses the "new ssl ca-file" and "del ssl ca-file" commands to create +# a new CA file or delete an unused CA file. +# +# It requires socat to upload the CA file. +# +# If this test does not work anymore: +# - Check that you have socat + +varnishtest "Test the 'new ssl ca-file' and 'del ssl ca-file' commands of the CLI" +feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL)'" +feature cmd "command -v socat" + +setenv VTC_SOCK_TYPE quic +include ${testdir}/../ssl/new_del_ssl_cafile.vtci diff --git a/reg-tests/ssl/new_del_ssl_cafile.vtc b/reg-tests/ssl/new_del_ssl_cafile.vtc index edab4744d..08f6d6da2 100644 --- a/reg-tests/ssl/new_del_ssl_cafile.vtc +++ b/reg-tests/ssl/new_del_ssl_cafile.vtc @@ -12,152 +12,6 @@ varnishtest "Test the 'new ssl ca-file' and 'del ssl ca-file' commands of the CL feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'" feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'" feature cmd "command -v socat" -feature ignore_unknown_macro - -server s1 -repeat 2 { - rxreq - txresp -} -start - -haproxy h1 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h1/stats" level admin - crt-base ${testdir}/certs - - defaults - mode http - option httplog - retries 0 - log stderr local0 debug err - option logasap - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - - listen clear-lst - bind "fd@${clearlst}" - balance roundrobin - use_backend with_ca_be if { path /with-ca } - default_backend default_be - - backend default_be - server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(www.test1.com) - - backend with_ca_be - server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(with-ca.com) - - listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required crt-ignore-err all - http-response add-header X-SSL-Client-Verify %[ssl_c_verify] - server s1 ${s1_addr}:${s1_port} -} -start - -# Request using the default backend and the www.test1.com sni -client c1 -connect ${h1_clearlst_sock} { - txreq - rxresp - expect resp.status == 200 - # The CA file known by the frontend does not allow to verify the client's certificate - expect resp.http.X-SSL-Client-Verify ~ "20|21" -} -run - -# This connection should fail because the with-ca.com sni is not mentioned in the crt-list yet. -client c1 -connect ${h1_clearlst_sock} { - txreq -url "/with-ca" - rxresp - expect resp.status == 503 -} -run - -# Create a new unlinked CA file -haproxy h1 -cli { - send "new ssl ca-file new_cafile.crt" - expect ~ "New CA file created 'new_cafile.crt'!" -} - -shell { - printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" - -} - -# Remove the unliked CA file and create a new one with the "add ssl ca-file method" - -haproxy h1 -cli { - send "del ssl ca-file new_cafile.crt" - expect ~ "CA file 'new_cafile.crt' deleted!" - - send "new ssl ca-file new_cafile.crt" - expect ~ "New CA file created 'new_cafile.crt'!" -} - -shell { - printf "add ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" - -} - -shell { - printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" - -} - -haproxy h1 -cli { - send "show ssl ca-file" - expect ~ ".*new_cafile.crt - 1 certificate.*" - - send "show ssl ca-file new_cafile.crt" - expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098" -} - -# The new CA file is still not linked anywhere so the request should fail. -client c1 -connect ${h1_clearlst_sock} { - txreq -url "/with-ca" - rxresp - expect resp.status == 503 -} -run - -# Add a new certificate that will use the new CA file -shell { - echo "new ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" - - printf "set ssl cert ${testdir}/certs/set_cafile_server.pem <<\n$(cat ${testdir}/certs/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" - -} - -# Create a new crt-list line that will use the new CA file -shell { - printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" | socat "${tmpdir}/h1/stats" - -} - -client c1 -connect ${h1_clearlst_sock} { - txreq -url "/with-ca" - rxresp - expect resp.status == 200 - # Thanks to the newly added CA file, the client's certificate can be verified - expect resp.http.X-SSL-Client-Verify == 0 -} -run - -# Delete the newly added crt-list line and CA file -haproxy h1 -cli { - send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/set_cafile_server.pem" - expect ~ "Entry '${testdir}/certs/set_cafile_server.pem' deleted in crtlist '${testdir}/certs/localhost.crt-list'!" - - send "del ssl ca-file new_cafile.crt" - expect ~ "CA file 'new_cafile.crt' deleted!" - - send "show ssl ca-file" - expect !~ "new_cafile.crt" -} - -# The connection should now fail since the crt-list line was deleted -client c1 -connect ${h1_clearlst_sock} { - txreq -url "/with-ca" - rxresp - expect resp.status == 503 -} -run +setenv VTC_SOCK_TYPE stream +include ${testdir}/new_del_ssl_cafile.vtci diff --git a/reg-tests/ssl/new_del_ssl_cafile.vtci b/reg-tests/ssl/new_del_ssl_cafile.vtci new file mode 100644 index 000000000..6e5ba71dc --- /dev/null +++ b/reg-tests/ssl/new_del_ssl_cafile.vtci @@ -0,0 +1,156 @@ +#REGTEST_TYPE=devel + +# This test uses the "new ssl ca-file" and "del ssl ca-file" commands to create +feature ignore_unknown_macro + +server s1 -repeat 2 { + rxreq + txresp +} -start + +haproxy h1 -conf { + global + .if streq("$VTC_SOCK_TYPE",quic) + # required for backend connections + expose-experimental-directives + .endif + .if feature(THREAD) + thread-groups 1 + .endif + + .if !ssllib_name_startswith(AWS-LC) + tune.ssl.default-dh-param 2048 + .endif + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h1/stats" level admin + crt-base ${testdir}/certs + + defaults + mode http + option httplog + retries 0 + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + listen clear-lst + bind "fd@${clearlst}" + balance roundrobin + use_backend with_ca_be if { path /with-ca } + default_backend default_be + + backend default_be + server s1 "${VTC_SOCK_TYPE}+${h1_ssl_lst_sock}" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(www.test1.com) + + backend with_ca_be + server s1 "${VTC_SOCK_TYPE}+${h1_ssl_lst_sock}" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(with-ca.com) + + listen ssl-lst + bind "${VTC_SOCK_TYPE}+fd@${ssl_lst}" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required crt-ignore-err all + http-response add-header X-SSL-Client-Verify %[ssl_c_verify] + server s1 ${s1_addr}:${s1_port} +} -start + +# Request using the default backend and the www.test1.com sni +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.status == 200 + # The CA file known by the frontend does not allow to verify the client's certificate + expect resp.http.X-SSL-Client-Verify ~ "20|21" +} -run + +# This connection should fail because the with-ca.com sni is not mentioned in the crt-list yet. +client c1 -connect ${h1_clearlst_sock} { + txreq -url "/with-ca" + rxresp + expect resp.status == 503 +} -run + +# Create a new unlinked CA file +haproxy h1 -cli { + send "new ssl ca-file new_cafile.crt" + expect ~ "New CA file created 'new_cafile.crt'!" +} + +shell { + printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" - +} + +# Remove the unliked CA file and create a new one with the "add ssl ca-file method" + +haproxy h1 -cli { + send "del ssl ca-file new_cafile.crt" + expect ~ "CA file 'new_cafile.crt' deleted!" + + send "new ssl ca-file new_cafile.crt" + expect ~ "New CA file created 'new_cafile.crt'!" +} + +shell { + printf "add ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" - +} + +shell { + printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" - +} + +haproxy h1 -cli { + send "show ssl ca-file" + expect ~ ".*new_cafile.crt - 1 certificate.*" + + send "show ssl ca-file new_cafile.crt" + expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098" +} + +# The new CA file is still not linked anywhere so the request should fail. +client c1 -connect ${h1_clearlst_sock} { + txreq -url "/with-ca" + rxresp + expect resp.status == 503 +} -run + +# Add a new certificate that will use the new CA file +shell { + echo "new ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" - + printf "set ssl cert ${testdir}/certs/set_cafile_server.pem <<\n$(cat ${testdir}/certs/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" - +} + +# Create a new crt-list line that will use the new CA file +shell { + printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" | socat "${tmpdir}/h1/stats" - +} + +client c1 -connect ${h1_clearlst_sock} { + txreq -url "/with-ca" + rxresp + expect resp.status == 200 + # Thanks to the newly added CA file, the client's certificate can be verified + expect resp.http.X-SSL-Client-Verify == 0 +} -run + +# Delete the newly added crt-list line and CA file +haproxy h1 -cli { + send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/set_cafile_server.pem" + expect ~ "Entry '${testdir}/certs/set_cafile_server.pem' deleted in crtlist '${testdir}/certs/localhost.crt-list'!" + + send "del ssl ca-file new_cafile.crt" + expect ~ "CA file 'new_cafile.crt' deleted!" + + send "show ssl ca-file" + expect !~ "new_cafile.crt" +} + +# The connection should now fail since the crt-list line was deleted +client c1 -connect ${h1_clearlst_sock} { + txreq -url "/with-ca" + rxresp + expect resp.status == 503 +} -run +