From dab4f773df4e4df6d0f0f089f612bd0e553b4073 Mon Sep 17 00:00:00 2001 From: Frederic Lecaille Date: Mon, 1 Dec 2025 18:31:19 +0100 Subject: [PATCH] REGTESTS: quic: set_ssl_server_cert.vtc supported by QUIC ssl/set_ssl_server_cert.vtc was renamed to ssl/set_ssl_server_cert.vtci to produce a common part runnable both for QUIC and TCP listeners. Then set_ssl_server_cert.vtc files were created both under ssl and quic directories to call this .vtci file with correct VTC_SOCK_TYPE environment values ("quic" for QUIC listeners and "stream" for TCP listeners); --- reg-tests/quic/set_ssl_server_cert.vtc | 12 +++ reg-tests/ssl/set_ssl_server_cert.vtc | 127 +----------------------- reg-tests/ssl/set_ssl_server_cert.vtci | 130 +++++++++++++++++++++++++ 3 files changed, 144 insertions(+), 125 deletions(-) create mode 100644 reg-tests/quic/set_ssl_server_cert.vtc create mode 100644 reg-tests/ssl/set_ssl_server_cert.vtci diff --git a/reg-tests/quic/set_ssl_server_cert.vtc b/reg-tests/quic/set_ssl_server_cert.vtc new file mode 100644 index 000000000..e9210ac31 --- /dev/null +++ b/reg-tests/quic/set_ssl_server_cert.vtc @@ -0,0 +1,12 @@ +#REGTEST_TYPE=devel + +# This reg-test uses the "set ssl cert" command to update a backend certificate over the CLI. +# It requires socat to upload the certificate + +varnishtest "Test the 'set ssl cert' feature of the CLI" +# QUIC backend are not supported with USE_QUIC_OPENSSL_COMPAT +feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL)'" +feature cmd "command -v socat" + +setenv VTC_SOCK_TYPE quic +include ${testdir}/../ssl/set_ssl_server_cert.vtci diff --git a/reg-tests/ssl/set_ssl_server_cert.vtc b/reg-tests/ssl/set_ssl_server_cert.vtc index 65af8c6b8..11bc3db71 100644 --- a/reg-tests/ssl/set_ssl_server_cert.vtc +++ b/reg-tests/ssl/set_ssl_server_cert.vtc @@ -7,129 +7,6 @@ varnishtest "Test the 'set ssl cert' feature of the CLI" feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.4)'" feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(wolfSSL)'" feature cmd "command -v socat" -feature ignore_unknown_macro - -server s1 -repeat 4 { - rxreq - txresp -} -start - -haproxy h1 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h1/stats" level admin - nbthread 1 - - defaults - mode http - option httplog - log stderr local0 debug err - option logasap - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - - listen clear-lst - bind "fd@${clearlst}" - retries 0 # 2nd SSL connection must fail so skip the retry - server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem - - listen ssl-lst - # crt: certificate of the server - # ca-file: CA used for client authentication request - # crl-file: revocation list for client auth: the client1 certificate is revoked - bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/certs/crl-auth.pem - - acl cert_expired ssl_c_verify 10 - acl cert_revoked ssl_c_verify 23 - acl cert_ok ssl_c_verify 0 - - http-response add-header X-SSL Ok if cert_ok - http-response add-header X-SSL Expired if cert_expired - http-response add-header X-SSL Revoked if cert_revoked - http-response add-header x-ssl-sha1 %[ssl_c_sha1,hex] - - server s1 ${s1_addr}:${s1_port} -} -start - -client c1 -connect ${h1_clearlst_sock} { - txreq - rxresp - expect resp.status == 200 - expect resp.http.x-ssl-sha1 == "D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" - expect resp.http.x-ssl == "Ok" -} -run - -haproxy h1 -cli { - send "show ssl cert ${testdir}/certs/client1.pem" - expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" -} - -# Replace certificate with an expired one -shell { - printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - -} - -haproxy h1 -cli { - send "show ssl cert ${testdir}/certs/client1.pem" - expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4" -} - - -# The updated client certificate is an expired one so this request should fail -client c1 -connect ${h1_clearlst_sock} { - txreq - rxresp - expect resp.status == 200 - expect resp.http.x-ssl-sha1 == "C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4" - expect resp.http.x-ssl == "Expired" -} -run - -# Replace certificate with a revoked one -shell { - printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - -} - -haproxy h1 -cli { - send "show ssl cert ${testdir}/certs/client1.pem" - expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151" -} - -# The updated client certificate is a revoked one so this request should fail -client c1 -connect ${h1_clearlst_sock} { - txreq - rxresp - expect resp.status == 200 - expect resp.http.x-ssl-sha1 == "992386628A40C9D49C89BAC0058B5D45D8575151" - expect resp.http.x-ssl == "Revoked" -} -run - -# Abort a transaction -shell { - printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - - echo "abort ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - -} - -haproxy h1 -cli { - send "show ssl cert ${testdir}/certs/client1.pem" - expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151" -} - -# The certificate was not updated so it should still be revoked -client c1 -connect ${h1_clearlst_sock} { - txreq - rxresp - expect resp.status == 200 - expect resp.http.x-ssl == "Revoked" -} -run - +setenv VTC_SOCK_TYPE stream +include ${testdir}/set_ssl_server_cert.vtci diff --git a/reg-tests/ssl/set_ssl_server_cert.vtci b/reg-tests/ssl/set_ssl_server_cert.vtci new file mode 100644 index 000000000..5c458a26a --- /dev/null +++ b/reg-tests/ssl/set_ssl_server_cert.vtci @@ -0,0 +1,130 @@ +feature ignore_unknown_macro + +server s1 -repeat 4 { + rxreq + txresp +} -start + +haproxy h1 -conf { + global + .if streq("$VTC_SOCK_TYPE",quic) + # required for backend connections + expose-experimental-directives + .endif + .if feature(THREAD) + thread-groups 1 + .endif + + .if !ssllib_name_startswith(AWS-LC) + tune.ssl.default-dh-param 2048 + .endif + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h1/stats" level admin + nbthread 1 + + defaults + mode http + option httplog + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + listen clear-lst + bind "fd@${clearlst}" + retries 0 # 2nd SSL connection must fail so skip the retry + server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" ssl verify none crt ${testdir}/certs/client1.pem + + listen ssl-lst + # crt: certificate of the server + # ca-file: CA used for client authentication request + # crl-file: revocation list for client auth: the client1 certificate is revoked + bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/certs/crl-auth.pem + + acl cert_expired ssl_c_verify 10 + acl cert_revoked ssl_c_verify 23 + acl cert_ok ssl_c_verify 0 + + http-response add-header X-SSL Ok if cert_ok + http-response add-header X-SSL Expired if cert_expired + http-response add-header X-SSL Revoked if cert_revoked + http-response add-header x-ssl-sha1 %[ssl_c_sha1,hex] + + server s1 ${s1_addr}:${s1_port} +} -start + +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.status == 200 + expect resp.http.x-ssl-sha1 == "D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" + expect resp.http.x-ssl == "Ok" +} -run + +haproxy h1 -cli { + send "show ssl cert ${testdir}/certs/client1.pem" + expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" +} + +# Replace certificate with an expired one +shell { + printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - +} + +haproxy h1 -cli { + send "show ssl cert ${testdir}/certs/client1.pem" + expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4" +} + + +# The updated client certificate is an expired one so this request should fail +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.status == 200 + expect resp.http.x-ssl-sha1 == "C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4" + expect resp.http.x-ssl == "Expired" +} -run + +# Replace certificate with a revoked one +shell { + printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - +} + +haproxy h1 -cli { + send "show ssl cert ${testdir}/certs/client1.pem" + expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151" +} + +# The updated client certificate is a revoked one so this request should fail +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.status == 200 + expect resp.http.x-ssl-sha1 == "992386628A40C9D49C89BAC0058B5D45D8575151" + expect resp.http.x-ssl == "Revoked" +} -run + +# Abort a transaction +shell { + printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "abort ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" - +} + +haproxy h1 -cli { + send "show ssl cert ${testdir}/certs/client1.pem" + expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151" +} + +# The certificate was not updated so it should still be revoked +client c1 -connect ${h1_clearlst_sock} { + txreq + rxresp + expect resp.status == 200 + expect resp.http.x-ssl == "Revoked" +} -run + +