feature ignore_unknown_macro

server s1 -repeat 2 {
    rxreq
    txresp
} -start

haproxy h1 -conf {
    global
    .if streq("$VTC_SOCK_TYPE",quic)
        # required for backend connections
        expose-experimental-directives
    .endif
    .if feature(THREAD)
        thread-groups 1
    .endif

    .if !ssllib_name_startswith(AWS-LC)
        tune.ssl.default-dh-param 2048
    .endif
        tune.ssl.capture-buffer-size 1
        crt-base ${testdir}/certs
        stats socket "${tmpdir}/h1/stats" level admin

    defaults
        mode http
        option httplog
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"


    listen clear-lst
        bind "fd@${clearlst}"
        balance roundrobin
        server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" ssl verify none sni str(www.test1.com)
        server s2 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" ssl verify none sni str(localhost)


    listen ssl-lst
        mode http
        bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl strict-sni crt-list "${testdir}/certs/localhost.crt-list"

        server s1 ${s1_addr}:${s1_port}
        server s2 ${s1_addr}:${s1_port} ssl crt "${testdir}/certs/common.pem" weight 0 verify none
} -start


haproxy h1 -cli {
    send "show ssl cert ${testdir}/certs/common.pem"
    expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
}

client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run

shell {
    echo "new ssl cert ${testdir}/certs/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
    printf "set ssl cert ${testdir}/certs/ecdsa.pem <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/certs/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/common.pem [ssl-min-ver SSLv3 verify none allow-0rtt] !*\n\n" | socat "${tmpdir}/h1/stats" -
    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/// <<\n${testdir}/certs/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list///// <<\n${testdir}/certs/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list// ${testdir}/certs/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/certs/ecdsa.pem"
    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}

haproxy h1 -cli {
    send "show ssl crt-list ${testdir}/certs/localhost.crt-list//"
    # check the options and the filters in any order
    expect ~ ".*${testdir}/certs/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*"
}

client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run


# Try to add a new line that mentions an "unknown" CA file (not loaded yet).
# It should fail since no disk access are allowed during runtime.
shell {
    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ca-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
}
shell {
    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ca-verify-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
}
shell {
    printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [crl-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
}

# Check that the new line was not added to the crt-list.
haproxy h1 -cli {
    send "show ssl crt-list ${testdir}/certs/localhost.crt-list//"
    expect !~ ".*ca-file ${testdir}/certs/ca-auth.crt"
}