mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-12-03 00:31:00 +01:00
Code Issues Projects Releases Wiki Activity

REGTESTS: quic: ssl_default_server.vtc supported by QUIC

Browse Source 
ssl/ssl_default_server.vtc was renamed to ssl/ssl_default_server.vtci
to produce a common part runnable both for QUIC and TCP listeners.
Then ssl_default_server.vtc files were created both under ssl and quic directories
to call this .vtci file with correct VTC_SOCK_TYPE environment values
("quic" for QUIC listeners and "stream" for TCP listeners);
This commit is contained in:
Frederic Lecaille 2025-12-01 19:12:03 +01:00
parent 0b0e01f153
commit d8f2328cd4
3 changed files with 157 additions and 132 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
reg-tests/quic/ssl_default_server.vtc Normal file
View File

@ -0,0 +1,18 @@
#REGTEST_TYPE=devel
# This reg-test ensures that SSL related configuration specified in a
# default-server option are properly taken into account by the servers
# (frontend). It mainly focuses on the client certificate used by the frontend,
# that can either be defined in the server line itself, in the default-server
# line or in both.
#
# It was created following a bug raised in redmine (issue #3906) in which a
# server used an "empty" SSL context instead of the proper one.
#
varnishtest "Test the 'set ssl cert' feature of the CLI"
# QUIC backend are not supported with USE_QUIC_OPENSSL_COMPAT
feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL)'"
setenv VTC_SOCK_TYPE quic
include ${testdir}/../ssl/ssl_default_server.vtci

134
reg-tests/ssl/ssl_default_server.vtc
View File

@ -13,136 +13,6 @@
varnishtest "Test the 'set ssl cert' feature of the CLI" varnishtest "Test the 'set ssl cert' feature of the CLI"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'" feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'" feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature ignore_unknown_macro
server s1 -repeat 7 { setenv VTC_SOCK_TYPE stream
rxreq include ${testdir}/ssl_default_server.vtci
txresp
} -start
haproxy h1 -conf {
global
.if feature(THREAD)
thread-groups 1
.endif
.if !ssllib_name_startswith(AWS-LC)
tune.ssl.default-dh-param 2048
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}/certs
ca-base ${testdir}/certs
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
listen clear-lst
bind "fd@${clearlst}"
use_backend first_be if { path /first }
use_backend second_be if { path /second }
use_backend third_be if { path /third }
use_backend fourth_be if { path /fourth }
use_backend fifth_be if { path /fifth }
backend first_be
default-server ssl crt client1.pem ca-file ca-auth.crt verify none
server s1 "${tmpdir}/ssl.sock"
backend second_be
default-server ssl ca-file ca-auth.crt verify none
server s1 "${tmpdir}/ssl.sock" crt client1.pem
backend third_be
default-server ssl crt client1.pem ca-file ca-auth.crt verify none
server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem
backend fourth_be
default-server ssl crt client1.pem verify none
server s1 "${tmpdir}/ssl.sock" ca-file ca-auth.crt
backend fifth_be
balance roundrobin
default-server ssl crt client1.pem verify none
server s1 "${tmpdir}/ssl.sock"
server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem
server s3 "${tmpdir}/ssl.sock"
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ca-auth.crt verify required crt-ignore-err all
acl cert_expired ssl_c_verify 10
acl cert_revoked ssl_c_verify 23
acl cert_ok ssl_c_verify 0
http-response add-header X-SSL Ok if cert_ok
http-response add-header X-SSL Expired if cert_expired
http-response add-header X-SSL Revoked if cert_revoked
server s1 ${s1_addr}:${s1_port}
} -start
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/first"
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/second"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/third"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Expired"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fourth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fifth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fifth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Expired"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fifth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run

137
reg-tests/ssl/ssl_default_server.vtci Normal file
View File

@ -0,0 +1,137 @@
feature ignore_unknown_macro
server s1 -repeat 7 {
rxreq
txresp
} -start
haproxy h1 -conf {
global
.if streq("$VTC_SOCK_TYPE",quic)
# required for backend connections
expose-experimental-directives
.endif
.if feature(THREAD)
thread-groups 1
.endif
.if !ssllib_name_startswith(AWS-LC)
tune.ssl.default-dh-param 2048
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}/certs
ca-base ${testdir}/certs
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
listen clear-lst
bind "fd@${clearlst}"
use_backend first_be if { path /first }
use_backend second_be if { path /second }
use_backend third_be if { path /third }
use_backend fourth_be if { path /fourth }
use_backend fifth_be if { path /fifth }
backend first_be
default-server ssl crt client1.pem ca-file ca-auth.crt verify none
server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}"
backend second_be
default-server ssl ca-file ca-auth.crt verify none
server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" crt client1.pem
backend third_be
default-server ssl crt client1.pem ca-file ca-auth.crt verify none
server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" crt client2_expired.pem
backend fourth_be
default-server ssl crt client1.pem verify none
server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" ca-file ca-auth.crt
backend fifth_be
balance roundrobin
default-server ssl crt client1.pem verify none
server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}"
server s2 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" crt client2_expired.pem
server s3 "${VTC_SOCK_TYPE}+${h1_ssl_sock}"
listen ssl-lst
bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt ${testdir}/certs/common.pem ca-file ca-auth.crt verify required crt-ignore-err all
acl cert_expired ssl_c_verify 10
acl cert_revoked ssl_c_verify 23
acl cert_ok ssl_c_verify 0
http-response add-header X-SSL Ok if cert_ok
http-response add-header X-SSL Expired if cert_expired
http-response add-header X-SSL Revoked if cert_revoked
server s1 ${s1_addr}:${s1_port}
} -start
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/first"
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/second"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/third"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Expired"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fourth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fifth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fifth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Expired"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fifth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run