mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-12-05 09:41:00 +01:00
0839fb46db
Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-test/ssl/certs and adapt all the VTC files which use them.
This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables, depending on the location the VTC file
is runi from, because VTC does not resolve the environment variables. Only macros
as ${testdir} can be resolved.
For instance this command run from a VTC file from reg-tests/ssl directory cannot
be reused from another directory, except if we add a symbolic link for each certs,
key etc.
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
}
This is not what we want. We add a symbolic link to reg-test/ssl/certs to the
directory and modify the command above as follows:
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
}
118 lines
4.2 KiB
Plaintext
118 lines
4.2 KiB
Plaintext
#REGTEST_TYPE=devel
|
|
|
|
# This reg-test uses the "set ssl cert" command to update a multi-certificate
|
|
# bundle over the CLI.
|
|
# It requires socat to upload the certificate
|
|
#
|
|
# This regtests loads a multi-certificates bundle "cert1-example.com.pem"
|
|
# composed of a .rsa and a .ecdsa
|
|
#
|
|
# After verifying that the RSA and ECDSA algorithms were avalailble with the
|
|
# right certificate, the test changes the certificates and try new requests.
|
|
#
|
|
# If this test does not work anymore:
|
|
# - Check that you have socat
|
|
# - Check that you have at least OpenSSL 1.1.1
|
|
|
|
varnishtest "Test the 'set ssl cert' feature of the CLI with bundles"
|
|
# could work with haproxy 2.3 but the -cc is not available
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev9)'"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1) || feature(OPENSSL_AWSLC)'"
|
|
feature cmd "command -v socat"
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 -repeat 9 {
|
|
rxreq
|
|
txresp
|
|
} -start
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
.if feature(THREAD)
|
|
thread-groups 1
|
|
.endif
|
|
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
crt-base ${testdir}
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst}"
|
|
balance roundrobin
|
|
|
|
http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]
|
|
|
|
retries 0 # 2nd SSL connection must fail so skip the retry
|
|
server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-RSA-AES128-GCM-SHA256
|
|
server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384
|
|
|
|
server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-RSA-AES128-GCM-SHA256
|
|
server s4 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/cert1-example.com.pem
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
} -start
|
|
|
|
|
|
haproxy h1 -cli {
|
|
send "show ssl cert ${testdir}/certs/cert1-example.com.pem.rsa"
|
|
expect ~ ".*SHA1 FingerPrint: 94F720DACA71B8B1A0AC9BD48C65BA688FF047DE"
|
|
send "show ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa"
|
|
expect ~ ".*SHA1 FingerPrint: C1BA055D452F92EB02D449F0498C289F50698300"
|
|
}
|
|
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
# RSA
|
|
txreq
|
|
rxresp
|
|
expect resp.http.X-SSL-Server-SHA1 == "94F720DACA71B8B1A0AC9BD48C65BA688FF047DE"
|
|
expect resp.status == 200
|
|
# ECDSA
|
|
txreq
|
|
rxresp
|
|
expect resp.http.X-SSL-Server-SHA1 == "C1BA055D452F92EB02D449F0498C289F50698300"
|
|
expect resp.status == 200
|
|
} -run
|
|
|
|
shell {
|
|
printf "set ssl cert ${testdir}/certs/cert1-example.com.pem.rsa <<\n$(cat ${testdir}/certs/cert2-example.com.pem.rsa)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl cert ${testdir}/certs/cert1-example.com.pem.rsa" | socat "${tmpdir}/h1/stats" -
|
|
printf "set ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa <<\n$(cat ${testdir}/certs/cert2-example.com.pem.ecdsa)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
haproxy h1 -cli {
|
|
send "show ssl cert ${testdir}/certs/cert1-example.com.pem.rsa"
|
|
expect ~ ".*SHA1 FingerPrint: ADC863817FC40C2A9CA913CE45C9A92232558F90"
|
|
send "show ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa"
|
|
expect ~ ".*SHA1 FingerPrint: F49FFA446D072262445C197B85D2F400B3F58808"
|
|
}
|
|
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
# RSA
|
|
txreq
|
|
rxresp
|
|
expect resp.http.X-SSL-Server-SHA1 == "ADC863817FC40C2A9CA913CE45C9A92232558F90"
|
|
expect resp.status == 200
|
|
# ECDSA
|
|
txreq
|
|
rxresp
|
|
expect resp.http.X-SSL-Server-SHA1 == "F49FFA446D072262445C197B85D2F400B3F58808"
|
|
expect resp.status == 200
|
|
} -run
|
|
|