mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-12-02 16:21:27 +01:00
0839fb46db
Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-test/ssl/certs and adapt all the VTC files which use them.
This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables, depending on the location the VTC file
is runi from, because VTC does not resolve the environment variables. Only macros
as ${testdir} can be resolved.
For instance this command run from a VTC file from reg-tests/ssl directory cannot
be reused from another directory, except if we add a symbolic link for each certs,
key etc.
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
}
This is not what we want. We add a symbolic link to reg-test/ssl/certs to the
directory and modify the command above as follows:
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
}
136 lines
4.4 KiB
Plaintext
136 lines
4.4 KiB
Plaintext
#REGTEST_TYPE=devel
|
|
|
|
# This reg-test uses the "set ssl cert" command to update a backend certificate over the CLI.
|
|
# It requires socat to upload the certificate
|
|
|
|
varnishtest "Test the 'set ssl cert' feature of the CLI"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.4)'"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(wolfSSL)'"
|
|
feature cmd "command -v socat"
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 -repeat 4 {
|
|
rxreq
|
|
txresp
|
|
} -start
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
.if feature(THREAD)
|
|
thread-groups 1
|
|
.endif
|
|
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
nbthread 1
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst}"
|
|
retries 0 # 2nd SSL connection must fail so skip the retry
|
|
server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem
|
|
|
|
listen ssl-lst
|
|
# crt: certificate of the server
|
|
# ca-file: CA used for client authentication request
|
|
# crl-file: revocation list for client auth: the client1 certificate is revoked
|
|
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/certs/crl-auth.pem
|
|
|
|
acl cert_expired ssl_c_verify 10
|
|
acl cert_revoked ssl_c_verify 23
|
|
acl cert_ok ssl_c_verify 0
|
|
|
|
http-response add-header X-SSL Ok if cert_ok
|
|
http-response add-header X-SSL Expired if cert_expired
|
|
http-response add-header X-SSL Revoked if cert_revoked
|
|
http-response add-header x-ssl-sha1 %[ssl_c_sha1,hex]
|
|
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sha1 == "D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
|
|
expect resp.http.x-ssl == "Ok"
|
|
} -run
|
|
|
|
haproxy h1 -cli {
|
|
send "show ssl cert ${testdir}/certs/client1.pem"
|
|
expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
|
|
}
|
|
|
|
# Replace certificate with an expired one
|
|
shell {
|
|
printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
haproxy h1 -cli {
|
|
send "show ssl cert ${testdir}/certs/client1.pem"
|
|
expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
|
|
}
|
|
|
|
|
|
# The updated client certificate is an expired one so this request should fail
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sha1 == "C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
|
|
expect resp.http.x-ssl == "Expired"
|
|
} -run
|
|
|
|
# Replace certificate with a revoked one
|
|
shell {
|
|
printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
haproxy h1 -cli {
|
|
send "show ssl cert ${testdir}/certs/client1.pem"
|
|
expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151"
|
|
}
|
|
|
|
# The updated client certificate is a revoked one so this request should fail
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sha1 == "992386628A40C9D49C89BAC0058B5D45D8575151"
|
|
expect resp.http.x-ssl == "Revoked"
|
|
} -run
|
|
|
|
# Abort a transaction
|
|
shell {
|
|
printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "abort ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
haproxy h1 -cli {
|
|
send "show ssl cert ${testdir}/certs/client1.pem"
|
|
expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151"
|
|
}
|
|
|
|
# The certificate was not updated so it should still be revoked
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl == "Revoked"
|
|
} -run
|
|
|
|
|