feature ignore_unknown_macro server s1 -repeat 3 { rxreq txresp } -start haproxy h1 -conf { global .if streq("$VTC_SOCK_TYPE",quic) # required for backend connections expose-experimental-directives .endif .if feature(THREAD) thread-groups 1 .endif .if !ssllib_name_startswith(AWS-LC) tune.ssl.default-dh-param 2048 .endif defaults mode http option httplog log stderr local0 debug err option logasap timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" timeout client "${HAPROXY_TEST_TIMEOUT-5s}" timeout server "${HAPROXY_TEST_TIMEOUT-5s}" listen clear-lst bind "fd@${clearlst}" balance roundrobin # crt: certificate sent for a client certificate request server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" ssl verify none crt ${testdir}/certs/client1.pem server s2 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" ssl verify none crt ${testdir}/certs/client2_expired.pem # expired server s3 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" ssl verify none crt ${testdir}/certs/client3_revoked.pem # revoked listen ssl-lst # crt: certificate of the server # ca-file: CA used for client authentication request # crl-file: revocation list for client auth: the client1 certificate is revoked bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err X509_V_ERR_CERT_REVOKED,X509_V_ERR_CERT_HAS_EXPIRED crl-file ${testdir}/certs/crl-auth.pem http-response add-header X-SSL %[ssl_c_verify,x509_v_err_str] server s1 ${s1_addr}:${s1_port} } -start client c1 -connect ${h1_clearlst_sock} { txreq rxresp expect resp.status == 200 expect resp.http.x-ssl == "X509_V_OK" } -run client c1 -connect ${h1_clearlst_sock} { txreq rxresp expect resp.status == 200 expect resp.http.x-ssl == "X509_V_ERR_CERT_HAS_EXPIRED" } -run client c1 -connect ${h1_clearlst_sock} { txreq rxresp expect resp.status == 200 expect resp.http.x-ssl == "X509_V_ERR_CERT_REVOKED" } -run