diff --git a/reg-tests/quic/ocsp_auto_update.vtc b/reg-tests/quic/ocsp_auto_update.vtc new file mode 100644 index 000000000..d1e719e75 --- /dev/null +++ b/reg-tests/quic/ocsp_auto_update.vtc @@ -0,0 +1,36 @@ +#REGTEST_TYPE=slow +# reg-test is around ~2.5s + +# broken with BoringSSL. + +# With QUIC listeners. +# This reg-test focuses on the OCSP response auto-update functionality. It does +# not test the full scope of the feature because most of it is based on +# expiration times and long delays between updates of valid OCSP responses. +# Automatic update of valid OCSP responses loaded during init will not be +# tested because by design, such a response would no be automatically updated +# until init+1H. +# +# This test will then focus on certificates that have a specified OCSP URI but +# no known OCSP response. For those certificates, OCSP requests are sent as +# soon as possible by the update task. +# +# The ocsp responder used in all the tests will be an openssl using the +# certificate database in ocsp_update/index.txt. It will listen on port 12345 +# which was specified explicitly in the certificates used in the tests. +# The synchronization will be based on the logs emitted by the OCSP update task +# directly. When this log is created, we will know that the update was +# effective and the updated OCSP response is loaded in the tree. So any +# following call to "show ssl ocsp-response" will display the latest response +# information. +# +# If this test does not work anymore: +# - Check that you have openssl and socat + +varnishtest "Test the OCSP auto update feature" +feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'" +feature cmd "command -v openssl && command -v socat" +feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL)'" + +setenv VTC_SOCK_TYPE quic +include ${testdir}/../ssl/ocsp_auto_update.vtci diff --git a/reg-tests/ssl/ocsp_auto_update.vtc b/reg-tests/ssl/ocsp_auto_update.vtc index 4d1f45fb0..0fe69c9e3 100644 --- a/reg-tests/ssl/ocsp_auto_update.vtc +++ b/reg-tests/ssl/ocsp_auto_update.vtc @@ -30,772 +30,6 @@ varnishtest "Test the OCSP auto update feature" feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'" feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && !ssllib_name_startswith(LibreSSL) && openssl_version_atleast(1.1.1)'" feature cmd "command -v openssl && command -v socat" -feature ignore_unknown_macro - -################### -# # -# FIRST TEST CASE # -# # -################### - -# No automatic update should occur in this test case since we load two already -# valid OCSP responses during init which have a "Next Update" date really far -# in the future. So they should only be updated after one hour. -# This test will only be the most basic one where we check that ocsp response -# loading still works as expected. - -haproxy h1 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h1/stats" level admin - crt-base ${testdir}/certs/ocsp_update - - defaults - mode http - option httplog - log stderr local0 debug err - option logasap - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - - frontend ssl-fe - bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 -} -start - - -# We should have two distinct ocsp responses known that were loaded at build time -haproxy h1 -cli { - send "show ssl ocsp-response" - expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" - send "show ssl ocsp-response" - expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" - - send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" - expect ~ "Cert Status: revoked" - - send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" - expect ~ "Cert Status: good" -} - -haproxy h1 -wait - - - -#################### -# # -# SECOND TEST CASE # -# # -#################### - -# This test will focus on two separate certificates that have the same OCSP uri -# (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time. -# The update mode is set to 'on' in the two crt-lists used. The two ocsp -# responses should then be fetched automatically after init. -# We rely on the OCSP logs to ensure that the two updates are over before -# calling "show ssl ocsp-response". This is done through the Syslog_ocsp -# listener and a dedicated barrier. - -process p2 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start - -barrier b2 cond 2 -cyclic - -syslog Syslog_ocsp -level notice { - recv - expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" - - recv - expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" - - barrier b2 sync -} -start - -haproxy h2 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h2/stats" level admin - crt-base ${testdir}/certs/ocsp_update - log ${Syslog_ocsp_addr}:${Syslog_ocsp_port} local0 notice notice - - defaults - mode http - option httplog - log stderr local0 debug err - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - - frontend ssl-rsa-fe - bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 - - frontend ssl-ecdsa-fe - bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 -} -start - -barrier b2 sync - -# We should have two distinct ocsp IDs known that were loaded at build time and -# the responses' contents should have been filled automatically by the ocsp -# update task after init -haproxy h2 -cli { - send "show ssl ocsp-response" - expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" - send "show ssl ocsp-response" - expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" - - send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" - expect ~ "Cert Status: revoked" - - send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" - expect ~ "Cert Status: revoked" -} - -haproxy h2 -wait -process p2 -wait -expect-exit 0 - - -################### -# # -# THIRD TEST CASE # -# # -################### - -# This test will be roughly the same as the second one but one of the crt-lists -# will not enable ocsp-update on its certificate. Only one request should then -# be sent. - -process p3 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start - -barrier b3 cond 2 -cyclic - -syslog Syslog_ocsp3 -level notice { - recv - expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" - barrier b3 sync -} -start - -haproxy h3 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h3/stats" level admin - crt-base ${testdir}/certs/ocsp_update - log ${Syslog_ocsp3_addr}:${Syslog_ocsp3_port} local0 notice notice - - defaults - mode http - option httplog - log stderr local0 debug err - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - - frontend ssl-rsa-fe - bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 - - frontend ssl-ecdsa-fe - bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 -} -start - -barrier b3 sync - -# We should have a single ocsp ID known that was loaded at build time and the -# response should be filled -haproxy h3 -cli { - send "show ssl ocsp-response" - expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" - send "show ssl ocsp-response" - expect !~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" - - send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" - expect ~ "Cert Status: revoked" -} - -haproxy h3 -wait -process p3 -wait - - - -#################### -# # -# FOURTH TEST CASE # -# (CLI COMMAND) # -# # -#################### -# This test focuses on the "update ssl ocsp-response" CLI command and tests two -# certificates that have a known OCSP response loaded during init but no OCSP -# auto update. The only difference between the two certificates is that one has -# a separate .issuer file while the other one has the issuer certificate -# directly in the main .pem file. -# We store the original "Produced At" date of the responses loaded during init -# in haproxy proc variables in order to compare them to their new value after -# the update is performed. - -process p4 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start - -barrier b4 cond 2 -cyclic - -syslog Syslog_ocsp4 -level notice { - recv - expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1" - - recv - expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" - barrier b4 sync -} -start - -haproxy h4 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h4/stats" level admin - crt-base ${testdir}/certs/ocsp_update - log ${Syslog_ocsp4_addr}:${Syslog_ocsp4_port} local0 notice notice - - defaults - mode http - option httplog - log stderr local0 debug err - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - - frontend ssl-rsa-ocsp - bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 - - frontend ssl-ecdsa-ocsp - bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 -} -start - -# We need to "enable" the cli with a first cli call before using it only through socats -haproxy h4 -cli { - send "show ssl cert" - expect ~ "" -} - -# We should have two OCSP responses loaded during init -shell { - responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -) - - [ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \ - echo "$responses" | grep "Serial Number: 1016" && \ - echo "$responses" | grep "Serial Number: 1015" -} - -haproxy h4 -cli { - send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" - expect ~ "Cert Status: revoked" - - send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" - expect ~ "Cert Status: good" -} - -# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer) -shell { - # Store the current "Produced At" in order to ensure that after the update - # the OCSP response actually changed - produced_at1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ') - - echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" - - - # Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer) - # Store the current "Produced At" in order to ensure that after the update - # the OCSP response actually changed - produced_at2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ') - - echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" - - - echo "experimental-mode on;set var proc.produced_at1 str($produced_at1)" | socat "${tmpdir}/h4/stats" - - echo "experimental-mode on;set var proc.produced_at2 str($produced_at2)" | socat "${tmpdir}/h4/stats" - -} - -barrier b4 sync - -shell { - produced_at1_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ') - produced_at2_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ') - - ocsp_response1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -) - ocsp_response2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -) - - echo "$ocsp_response1" | grep -q "Serial Number: 1015" && \ - echo "$ocsp_response1" | grep -q "Cert Status: revoked" && \ - echo "$ocsp_response2" | grep -q "Serial Number: 1016" && \ - echo "$ocsp_response2" | grep -q "Cert Status: revoked" && \ - [ "$produced_at1_after" != "$(echo \"experimental-mode on; get var proc.produced_at1\" | socat \"${tmpdir}/h4/stats\")" ] && \ - [ "$produced_at2_after" != "$(echo \"experimental-mode on; get var proc.produced_at2\" | socat \"${tmpdir}/h4/stats\")" ] - -} - -haproxy h4 -wait -process p4 -wait - - -#################### -# # -# FIFTH TEST CASE # -# (CLI COMMAND) # -# # -#################### - -# Test the "show ssl ocsp-updates" command as well as the new 'base64' parameter -# to the "show ssl ocsp-response" command. - - -process p5 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start - -barrier b5 cond 2 -cyclic - -syslog Syslog_ocsp5 -level notice { - recv - expect ~ " .*/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" - - recv - expect ~ " .*/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" - - barrier b5 sync -} -start - -haproxy h5 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h5/stats" level admin - crt-base ${testdir}/certs/ocsp_update - log ${Syslog_ocsp5_addr}:${Syslog_ocsp5_port} local0 notice notice - - defaults - mode http - option httplog - log stderr local0 debug err - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - - frontend ssl-rsa-fe - bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 - - frontend ssl-ecdsa-fe - bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 -} -start - -barrier b5 sync - -# Use "show ssl ocsp-updates" CLI command -# We should have one line per OCSP response and each one of them should have been successfully updated once -# The command's output follows this format: -# OCSP Certid | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str) -haproxy h5 -cli { - send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*| 1 | 0 | 1 | Update successful" - - send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful" -} - -# Use "show ssl ocsp-response" command to dump an OCSP response in base64 -shell { - ocsp_resp_file="${tmpdir}.ocsp_resp.der" - - echo "show ssl ocsp-response base64 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h5/stats" - | sed -e 's/.\{72\}/&\n/g' | openssl base64 -d | tee /tmp/with-o64 > $ocsp_resp_file - - if [ $? -eq 0 ] - then - ocsp_resp_txt="$(openssl ocsp -respin $ocsp_resp_file -noverify -text)" - echo "$ocsp_resp_txt" | grep "Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A" && \ - echo "$ocsp_resp_txt" | grep "Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A" && \ - echo "$ocsp_resp_txt" | grep "Serial Number: 1015" && \ - echo "$ocsp_resp_txt" | grep "Cert Status: revoked" - else - return 1 - fi -} - -haproxy h5 -wait -process p5 -wait - - -#################### -# # -# SIXTH TEST CASE # -# # -#################### - -# Check that a new certificate added via the CLI to a crt-list with -# the 'ocsp-update on' option will be taken into account by the OCSP -# auto update task -# -process p6 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start - -barrier b6 cond 2 -cyclic - -syslog Syslog_ocsp6 -level notice { - recv - expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1" - - barrier b6 sync -} -start - -haproxy h6 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h6/stats" level admin - crt-base ${testdir}/certs - log ${Syslog_ocsp6_addr}:${Syslog_ocsp6_port} local0 notice notice - - defaults - mode http - option httplog - log stderr local0 debug err - option logasap - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - - frontend ssl-fe - bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 - -} -start - -# We need to "enable" the cli with a first cli call before using it only through socats -haproxy h6 -cli { - send "show ssl cert" - expect ~ "" -} - -# Create a new certificate that has an OCSP uri and add it to the -# existing CLI with the 'ocsp-update on' command. -shell { - echo "new ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - - printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" - - printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" - - echo "commit ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - - - printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" - -} - -barrier b6 sync - -haproxy h6 -cli { - send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful" -} - -haproxy h6 -wait -process p6 -wait - - -###################### -# # -# SEVENTH TEST CASE # -# # -###################### - -# Check that the global "tune.ocsp-update.mode" option works and that it -# applies to certificates added via the CLI as well. -# -process p7 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start - -barrier b7 cond 2 -cyclic - -syslog Syslog_ocsp7 -level notice { - recv - expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" - - barrier b7 sync - - recv - expect ~ " ${testdir}/certs/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" - - barrier b7 sync -} -start - -haproxy h7 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h7/stats" level admin - crt-base ${testdir}/certs - ocsp-update.mode on - log ${Syslog_ocsp7_addr}:${Syslog_ocsp7_port} local0 notice notice - - defaults - mode http - option httplog - log stderr local0 debug err - option logasap - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - - frontend ssl-fe - bind "${tmpdir}/ssl_h7.sock" ssl crt ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - bind "${tmpdir}/ssl_h7_2.sock" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 -} -start - -barrier b7 sync - -# Create a new certificate that has an OCSP uri and add it to the -# existing CLI with the 'ocsp-update on' command. -shell { - echo "new ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - - printf "set ssl cert ${testdir}/certs/server_ocsp_rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" - - echo "commit ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - - - # We should have ocsp-update enabled via the global option - printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" - -} - -barrier b7 sync - -haproxy h7 -cli { - send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful" - - send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/certs/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful" -} - -haproxy h7 -wait -process p7 -wait - - -###################### -# # -# EIGHTH TEST CASE # -# # -###################### - -# -# Check that removing crt-list instances does not remove the OCSP responses -# from the tree but that they will not be auto updated anymore if the last -# instance is removed (via del ssl crt-list). -# - -haproxy h8 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h8/stats" level admin - crt-base ${testdir}/certs/ocsp_update - - defaults - mode http - option httplog - log stderr local0 debug err - option logasap - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - - frontend ssl-fe - bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 - - listen http_rebound_lst - mode http - bind "127.0.0.1:12345" - server s1 "127.0.0.1:12346" -} -start - -# Check that the two certificates are taken into account in the auto update process -haproxy h8 -cli { - send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*" - - send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*" -} - -# Remove the second line from the crt-list and check that the corresponding -# ocsp response was removed from the auto update list but is still present in the -# system -haproxy h8 -cli { - send "del ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa" - expect ~ "Entry.*deleted in crtlist" - - send "show ssl ocsp-updates" - expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*" - - send "show ssl ocsp-response" - expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" - - send "show ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa" - expect ~ ".* Cert Status: good.*" -} - -# Add the previously removed crt-list line with auto-update enabled and check that -# the ocsp response appears in the auto update list -shell { - printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list" -} - -haproxy h8 -cli { - send "show ssl ocsp-updates" - expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*" -} - -# Check that the auto update option consistency check work even when crt-list -# lines are added through the cli -shell { - printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'" -} - -haproxy h8 -wait - -#################### -# # -# NINTH TEST CASE # -# # -#################### - -# -# Check that a certificate created through the CLI and which does not have ocsp -# update enabled can be updated via "update ssl ocsp-response" command. -# - -process p9 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start - -barrier b9 cond 2 -cyclic - -syslog Syslog_ocsp9 -level notice { - recv - expect ~ " ${testdir}/certs/ocsp_update/rsa.pem 1 \"Update successful\" 0 1" - - barrier b9 sync -} -start - - -haproxy h9 -conf { - global - .if feature(THREAD) - thread-groups 1 - .endif - - .if !ssllib_name_startswith(AWS-LC) - tune.ssl.default-dh-param 2048 - .endif - tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h9/stats" level admin - crt-base ${testdir}/certs/ocsp_update - log ${Syslog_ocsp9_addr}:${Syslog_ocsp9_port} local0 notice notice - - defaults - mode http - option httplog - log stderr local0 debug err - option logasap - timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" - timeout client "${HAPROXY_TEST_TIMEOUT-5s}" - timeout server "${HAPROXY_TEST_TIMEOUT-5s}" - - frontend ssl-fe - bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all - http-request return status 200 -} -start - -# We need to "enable" the cli with a first cli call before using it only through socats -haproxy h9 -cli { - send "show ssl cert" - expect ~ "" -} - -# Create a new certificate and add it in the crt-list with ocsp auto-update enabled -shell { - echo "new ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - - printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" - - printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" - - printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.ocsp <<\n$(openssl base64 < ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" - - echo "commit ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - - - printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" - -} - -# Check that the line is in the crt-list -haproxy h9 -cli { - send "show ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list" - expect ~ "${testdir}/certs/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar" -} - -# Check that the new certificate is NOT in the auto update list -haproxy h9 -cli { - send "show ssl ocsp-updates" - expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015.*" -} - -shell { - echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - -} - -barrier b9 sync - -haproxy h9 -cli { - send "show ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem" - expect ~ ".* Cert Status: revoked.*" -} - -haproxy h9 -wait -process p9 -wait +setenv VTC_SOCK_TYPE stream +include ${testdir}/ocsp_auto_update.vtci diff --git a/reg-tests/ssl/ocsp_auto_update.vtci b/reg-tests/ssl/ocsp_auto_update.vtci new file mode 100644 index 000000000..b5bbba46e --- /dev/null +++ b/reg-tests/ssl/ocsp_auto_update.vtci @@ -0,0 +1,769 @@ +feature ignore_unknown_macro + + +################### +# # +# FIRST TEST CASE # +# # +################### + +# No automatic update should occur in this test case since we load two already +# valid OCSP responses during init which have a "Next Update" date really far +# in the future. So they should only be updated after one hour. +# This test will only be the most basic one where we check that ocsp response +# loading still works as expected. + +haproxy h1 -conf { + global + .if feature(THREAD) + thread-groups 1 + .endif + + .if !ssllib_name_startswith(AWS-LC) + tune.ssl.default-dh-param 2048 + .endif + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h1/stats" level admin + crt-base ${testdir}/certs/ocsp_update + + defaults + mode http + option httplog + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-fe + bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 +} -start + + +# We should have two distinct ocsp responses known that were loaded at build time +haproxy h1 -cli { + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + expect ~ "Cert Status: revoked" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + expect ~ "Cert Status: good" +} + +haproxy h1 -wait + + + +#################### +# # +# SECOND TEST CASE # +# # +#################### + +# This test will focus on two separate certificates that have the same OCSP uri +# (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time. +# The update mode is set to 'on' in the two crt-lists used. The two ocsp +# responses should then be fetched automatically after init. +# We rely on the OCSP logs to ensure that the two updates are over before +# calling "show ssl ocsp-response". This is done through the Syslog_ocsp +# listener and a dedicated barrier. + +process p2 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start + +barrier b2 cond 2 -cyclic + +syslog Syslog_ocsp -level notice { + recv + expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" + + recv + expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" + + barrier b2 sync +} -start + +haproxy h2 -conf { + global + .if feature(THREAD) + thread-groups 1 + .endif + + .if !ssllib_name_startswith(AWS-LC) + tune.ssl.default-dh-param 2048 + .endif + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h2/stats" level admin + crt-base ${testdir}/certs/ocsp_update + log ${Syslog_ocsp_addr}:${Syslog_ocsp_port} local0 notice notice + + defaults + mode http + option httplog + log stderr local0 debug err + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-rsa-fe + bind "${VTC_SOCK_TYPE}+fd@${ssl_rsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + frontend ssl-ecdsa-fe + bind "${VTC_SOCK_TYPE}+fd@${ssl_ecdsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 +} -start + +barrier b2 sync + +# We should have two distinct ocsp IDs known that were loaded at build time and +# the responses' contents should have been filled automatically by the ocsp +# update task after init +haproxy h2 -cli { + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + expect ~ "Cert Status: revoked" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + expect ~ "Cert Status: revoked" +} + +haproxy h2 -wait +process p2 -wait -expect-exit 0 + + +################### +# # +# THIRD TEST CASE # +# # +################### + +# This test will be roughly the same as the second one but one of the crt-lists +# will not enable ocsp-update on its certificate. Only one request should then +# be sent. + +process p3 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start + +barrier b3 cond 2 -cyclic + +syslog Syslog_ocsp3 -level notice { + recv + expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" + barrier b3 sync +} -start + +haproxy h3 -conf { + global + .if feature(THREAD) + thread-groups 1 + .endif + + .if !ssllib_name_startswith(AWS-LC) + tune.ssl.default-dh-param 2048 + .endif + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h3/stats" level admin + crt-base ${testdir}/certs/ocsp_update + log ${Syslog_ocsp3_addr}:${Syslog_ocsp3_port} local0 notice notice + + defaults + mode http + option httplog + log stderr local0 debug err + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-rsa-fe + bind "${VTC_SOCK_TYPE}+fd@${ssl_rsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + frontend ssl-ecdsa-fe + bind "${VTC_SOCK_TYPE}+fd@${ssl_ecdsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 +} -start + +barrier b3 sync + +# We should have a single ocsp ID known that was loaded at build time and the +# response should be filled +haproxy h3 -cli { + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + send "show ssl ocsp-response" + expect !~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + expect ~ "Cert Status: revoked" +} + +haproxy h3 -wait +process p3 -wait + + + +#################### +# # +# FOURTH TEST CASE # +# (CLI COMMAND) # +# # +#################### +# This test focuses on the "update ssl ocsp-response" CLI command and tests two +# certificates that have a known OCSP response loaded during init but no OCSP +# auto update. The only difference between the two certificates is that one has +# a separate .issuer file while the other one has the issuer certificate +# directly in the main .pem file. +# We store the original "Produced At" date of the responses loaded during init +# in haproxy proc variables in order to compare them to their new value after +# the update is performed. + +process p4 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start + +barrier b4 cond 2 -cyclic + +syslog Syslog_ocsp4 -level notice { + recv + expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1" + + recv + expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" + barrier b4 sync +} -start + +haproxy h4 -conf { + global + .if feature(THREAD) + thread-groups 1 + .endif + + .if !ssllib_name_startswith(AWS-LC) + tune.ssl.default-dh-param 2048 + .endif + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h4/stats" level admin + crt-base ${testdir}/certs/ocsp_update + log ${Syslog_ocsp4_addr}:${Syslog_ocsp4_port} local0 notice notice + + defaults + mode http + option httplog + log stderr local0 debug err + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-rsa-ocsp + bind "${VTC_SOCK_TYPE}+fd@${ssl_rsa_ocsp}" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + frontend ssl-ecdsa-ocsp + bind "${VTC_SOCK_TYPE}+fd@${ssl_ecdsa_ocsp}" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 +} -start + +# We need to "enable" the cli with a first cli call before using it only through socats +haproxy h4 -cli { + send "show ssl cert" + expect ~ "" +} + +# We should have two OCSP responses loaded during init +shell { + responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -) + + [ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \ + echo "$responses" | grep "Serial Number: 1016" && \ + echo "$responses" | grep "Serial Number: 1015" +} + +haproxy h4 -cli { + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + expect ~ "Cert Status: revoked" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + expect ~ "Cert Status: good" +} + +# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer) +shell { + # Store the current "Produced At" in order to ensure that after the update + # the OCSP response actually changed + produced_at1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ') + + echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" - + + # Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer) + # Store the current "Produced At" in order to ensure that after the update + # the OCSP response actually changed + produced_at2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ') + + echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" - + + echo "experimental-mode on;set var proc.produced_at1 str($produced_at1)" | socat "${tmpdir}/h4/stats" - + echo "experimental-mode on;set var proc.produced_at2 str($produced_at2)" | socat "${tmpdir}/h4/stats" - +} + +barrier b4 sync + +shell { + produced_at1_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ') + produced_at2_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ') + + ocsp_response1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -) + ocsp_response2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -) + + echo "$ocsp_response1" | grep -q "Serial Number: 1015" && \ + echo "$ocsp_response1" | grep -q "Cert Status: revoked" && \ + echo "$ocsp_response2" | grep -q "Serial Number: 1016" && \ + echo "$ocsp_response2" | grep -q "Cert Status: revoked" && \ + [ "$produced_at1_after" != "$(echo \"experimental-mode on; get var proc.produced_at1\" | socat \"${tmpdir}/h4/stats\")" ] && \ + [ "$produced_at2_after" != "$(echo \"experimental-mode on; get var proc.produced_at2\" | socat \"${tmpdir}/h4/stats\")" ] + +} + +haproxy h4 -wait +process p4 -wait + + +#################### +# # +# FIFTH TEST CASE # +# (CLI COMMAND) # +# # +#################### + +# Test the "show ssl ocsp-updates" command as well as the new 'base64' parameter +# to the "show ssl ocsp-response" command. + + +process p5 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start + +barrier b5 cond 2 -cyclic + +syslog Syslog_ocsp5 -level notice { + recv + expect ~ " .*/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" + + recv + expect ~ " .*/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" + + barrier b5 sync +} -start + +haproxy h5 -conf { + global + .if feature(THREAD) + thread-groups 1 + .endif + + .if !ssllib_name_startswith(AWS-LC) + tune.ssl.default-dh-param 2048 + .endif + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h5/stats" level admin + crt-base ${testdir}/certs/ocsp_update + log ${Syslog_ocsp5_addr}:${Syslog_ocsp5_port} local0 notice notice + + defaults + mode http + option httplog + log stderr local0 debug err + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-rsa-fe + bind "${VTC_SOCK_TYPE}+fd@${ssl_rsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + frontend ssl-ecdsa-fe + bind "${VTC_SOCK_TYPE}+fd@${ssl_ecdsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 +} -start + +barrier b5 sync + +# Use "show ssl ocsp-updates" CLI command +# We should have one line per OCSP response and each one of them should have been successfully updated once +# The command's output follows this format: +# OCSP Certid | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str) +haproxy h5 -cli { + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*| 1 | 0 | 1 | Update successful" + + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful" +} + +# Use "show ssl ocsp-response" command to dump an OCSP response in base64 +shell { + ocsp_resp_file="${tmpdir}.ocsp_resp.der" + + echo "show ssl ocsp-response base64 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h5/stats" - | sed -e 's/.\{72\}/&\n/g' | openssl base64 -d | tee /tmp/with-o64 > $ocsp_resp_file + + if [ $? -eq 0 ] + then + ocsp_resp_txt="$(openssl ocsp -respin $ocsp_resp_file -noverify -text)" + echo "$ocsp_resp_txt" | grep "Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A" && \ + echo "$ocsp_resp_txt" | grep "Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A" && \ + echo "$ocsp_resp_txt" | grep "Serial Number: 1015" && \ + echo "$ocsp_resp_txt" | grep "Cert Status: revoked" + else + return 1 + fi +} + +haproxy h5 -wait +process p5 -wait + + +#################### +# # +# SIXTH TEST CASE # +# # +#################### + +# Check that a new certificate added via the CLI to a crt-list with +# the 'ocsp-update on' option will be taken into account by the OCSP +# auto update task +# +process p6 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start + +barrier b6 cond 2 -cyclic + +syslog Syslog_ocsp6 -level notice { + recv + expect ~ " ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1" + + barrier b6 sync +} -start + +haproxy h6 -conf { + global + .if feature(THREAD) + thread-groups 1 + .endif + + .if !ssllib_name_startswith(AWS-LC) + tune.ssl.default-dh-param 2048 + .endif + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h6/stats" level admin + crt-base ${testdir}/certs + log ${Syslog_ocsp6_addr}:${Syslog_ocsp6_port} local0 notice notice + + defaults + mode http + option httplog + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-fe + bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + +} -start + +# We need to "enable" the cli with a first cli call before using it only through socats +haproxy h6 -cli { + send "show ssl cert" + expect ~ "" +} + +# Create a new certificate that has an OCSP uri and add it to the +# existing CLI with the 'ocsp-update on' command. +shell { + echo "new ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" - + echo "commit ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - + + printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" - +} + +barrier b6 sync + +haproxy h6 -cli { + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful" +} + +haproxy h6 -wait +process p6 -wait + + +###################### +# # +# SEVENTH TEST CASE # +# # +###################### + +# Check that the global "tune.ocsp-update.mode" option works and that it +# applies to certificates added via the CLI as well. +# +process p7 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start + +barrier b7 cond 2 -cyclic + +syslog Syslog_ocsp7 -level notice { + recv + expect ~ " ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1" + + barrier b7 sync + + recv + expect ~ " ${testdir}/certs/server_ocsp_rsa.pem 1 \"Update successful\" 0 1" + + barrier b7 sync +} -start + +haproxy h7 -conf { + global + .if feature(THREAD) + thread-groups 1 + .endif + + .if !ssllib_name_startswith(AWS-LC) + tune.ssl.default-dh-param 2048 + .endif + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h7/stats" level admin + crt-base ${testdir}/certs + ocsp-update.mode on + log ${Syslog_ocsp7_addr}:${Syslog_ocsp7_port} local0 notice notice + + defaults + mode http + option httplog + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-fe + bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${VTC_SOCK_TYPE}+fd@${ssl2}" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 +} -start + +barrier b7 sync + +# Create a new certificate that has an OCSP uri and add it to the +# existing CLI with the 'ocsp-update on' command. +shell { + echo "new ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - + printf "set ssl cert ${testdir}/certs/server_ocsp_rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" - + echo "commit ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" - + + # We should have ocsp-update enabled via the global option + printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" - +} + +barrier b7 sync + +haproxy h7 -cli { + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful" + + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/certs/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful" +} + +haproxy h7 -wait +process p7 -wait + + +###################### +# # +# EIGHTH TEST CASE # +# # +###################### + +# +# Check that removing crt-list instances does not remove the OCSP responses +# from the tree but that they will not be auto updated anymore if the last +# instance is removed (via del ssl crt-list). +# + +haproxy h8 -conf { + global + .if feature(THREAD) + thread-groups 1 + .endif + + .if !ssllib_name_startswith(AWS-LC) + tune.ssl.default-dh-param 2048 + .endif + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h8/stats" level admin + crt-base ${testdir}/certs/ocsp_update + + defaults + mode http + option httplog + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-fe + bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + listen http_rebound_lst + mode http + bind "127.0.0.1:12345" + server s1 "127.0.0.1:12346" +} -start + +# Check that the two certificates are taken into account in the auto update process +haproxy h8 -cli { + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*" + + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*" +} + +# Remove the second line from the crt-list and check that the corresponding +# ocsp response was removed from the auto update list but is still present in the +# system +haproxy h8 -cli { + send "del ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa" + expect ~ "Entry.*deleted in crtlist" + + send "show ssl ocsp-updates" + expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*" + + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + + send "show ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa" + expect ~ ".* Cert Status: good.*" +} + +# Add the previously removed crt-list line with auto-update enabled and check that +# the ocsp response appears in the auto update list +shell { + printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list" +} + +haproxy h8 -cli { + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*" +} + +# Check that the auto update option consistency check work even when crt-list +# lines are added through the cli +shell { + printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'" +} + +haproxy h8 -wait + +#################### +# # +# NINTH TEST CASE # +# # +#################### + +# +# Check that a certificate created through the CLI and which does not have ocsp +# update enabled can be updated via "update ssl ocsp-response" command. +# + +process p9 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start + +barrier b9 cond 2 -cyclic + +syslog Syslog_ocsp9 -level notice { + recv + expect ~ " ${testdir}/certs/ocsp_update/rsa.pem 1 \"Update successful\" 0 1" + + barrier b9 sync +} -start + + +haproxy h9 -conf { + global + .if feature(THREAD) + thread-groups 1 + .endif + + .if !ssllib_name_startswith(AWS-LC) + tune.ssl.default-dh-param 2048 + .endif + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h9/stats" level admin + crt-base ${testdir}/certs/ocsp_update + log ${Syslog_ocsp9_addr}:${Syslog_ocsp9_port} local0 notice notice + + defaults + mode http + option httplog + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-fe + bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 +} -start + +# We need to "enable" the cli with a first cli call before using it only through socats +haproxy h9 -cli { + send "show ssl cert" + expect ~ "" +} + +# Create a new certificate and add it in the crt-list with ocsp auto-update enabled +shell { + echo "new ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" - + printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.ocsp <<\n$(openssl base64 < ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" - + echo "commit ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - + + printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" - +} + +# Check that the line is in the crt-list +haproxy h9 -cli { + send "show ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list" + expect ~ "${testdir}/certs/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar" +} + +# Check that the new certificate is NOT in the auto update list +haproxy h9 -cli { + send "show ssl ocsp-updates" + expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015.*" +} + +shell { + echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - +} + +barrier b9 sync + +haproxy h9 -cli { + send "show ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem" + expect ~ ".* Cert Status: revoked.*" +} + +haproxy h9 -wait +process p9 -wait