mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-12-04 09:11:02 +01:00
Code Issues Projects Releases Wiki Activity
haproxy/reg-tests/ssl/set_ssl_cert.vtc
Frederic Lecaille 0839fb46db REGTESTS: ssl: Move all the SSL certificates, keys, crt-lists inside "certs" directory 
Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-test/ssl/certs and adapt all the VTC files which use them.

This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables, depending on the location the VTC file
is runi from, because VTC does not resolve the environment variables. Only macros
as ${testdir} can be resolved.

For instance this command run from a VTC file from reg-tests/ssl directory cannot
be reused from another directory, except if we add a symbolic link for each certs,
key etc.

 haproxy h1 -cli {
   send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
 }

This is not what we want. We add a symbolic link to reg-test/ssl/certs to the
directory and modify the command above as follows:

 haproxy h1 -cli {
   send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
 }
2025-11-28 12:24:25 +01:00

212 lines
7.0 KiB
Plaintext
Raw Blame History

#REGTEST_TYPE=devel
# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
# It requires socat to upload the certificate
#
# This check has two separate parts.
# In the first part, there are 3 requests, the first one will use "www.test1.com" as SNI,
# the second one with the same but that must fail and the third one will use
# "localhost". Since vtest can't do SSL, we use haproxy as an SSL client with 2
# chained listen section.
#
# In the second part, we check the update of a default certificate in a crt-list.
# This corresponds to a bug raised in https://github.com/haproxy/haproxy/issues/1143.
# A certificate is used as default certificate as well as regular one, and during the update
# the default certificate would not be properly updated if the default instance did not have
# any SNI. The test consists in checking that the used certificate is the right one after
# updating it via a "set ssl cert" call.
#
# If this test does not work anymore:
# - Check that you have socat
varnishtest "Test the 'set ssl cert' feature of the CLI"
#REQUIRE_OPTIONS=OPENSSL
feature cmd "command -v socat"
feature ignore_unknown_macro
server s1 -repeat 9 {
rxreq
txresp
} -start
haproxy h1 -conf {
global
.if feature(THREAD)
thread-groups 1
.endif
.if !ssllib_name_startswith(AWS-LC)
tune.ssl.default-dh-param 2048
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}/certs
defaults
mode http
option httplog
retries 0
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
listen clear-lst
bind "fd@${clearlst}"
balance roundrobin
http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]
retries 0 # 2nd SSL connection must fail so skip the retry
server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)
server s4 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
server s5 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate
server s6 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
server s7 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate
server s8 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
server s9 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem strict-sni
server s1 ${s1_addr}:${s1_port}
# dummy server used to test a change when the same crt is used as server and bind
server s2 ${s1_addr}:${s1_port} ssl crt ${testdir}/certs/common.pem verify none weight 0
listen other-ssl-lst
bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/certs/set_default_cert.crt-list
server s1 ${s1_addr}:${s1_port}
} -start
haproxy h1 -cli {
send "show ssl cert ${testdir}/certs/common.pem"
expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
}
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
} -run
shell {
printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
send "show ssl cert ${testdir}/certs/common.pem"
expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}
# check that the "www.test1.com" SNI was removed
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 503
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
} -run
shell {
printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "abort ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
send "show ssl cert ${testdir}/certs/common.pem"
expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}
# The following requests are aimed at a backend that uses the set_default_cert.crt-list file
# Uses the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
expect resp.status == 200
} -run
# Uses the other.test1.com sni and the default line of the crt-list
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
expect resp.status == 200
} -run
shell {
printf "set ssl cert ${testdir}/certs/set_default_cert.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
}
# Certificate should not have changed yet
haproxy h1 -cli {
send "show ssl cert ${testdir}/certs/set_default_cert.pem"
expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3"
}
shell {
echo "commit ssl cert ${testdir}/certs/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
send "show ssl cert ${testdir}/certs/set_default_cert.pem"
expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
}
# Uses the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.http.X-SSL-Server-SHA1 == "DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
expect resp.status == 200
} -run
# Uses the other.test1.com sni and the default line of the crt-list
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.http.X-SSL-Server-SHA1 == "DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
expect resp.status == 200
} -run
# Restore original certificate
shell {
printf "set ssl cert ${testdir}/certs/set_default_cert.pem <<\n$(cat ${testdir}/certs/set_default_cert.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl cert ${testdir}/certs/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
send "show ssl cert ${testdir}/certs/set_default_cert.pem"
expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB"
}
# Uses the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
expect resp.status == 200
} -run
# Uses the other.test1.com sni and the default line of the crt-list
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
expect resp.status == 200
} -run
Reference in New Issue View Git Blame Copy Permalink