mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-12-02 08:11:29 +01:00
0839fb46db
Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-test/ssl/certs and adapt all the VTC files which use them.
This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables, depending on the location the VTC file
is runi from, because VTC does not resolve the environment variables. Only macros
as ${testdir} can be resolved.
For instance this command run from a VTC file from reg-tests/ssl directory cannot
be reused from another directory, except if we add a symbolic link for each certs,
key etc.
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
}
This is not what we want. We add a symbolic link to reg-test/ssl/certs to the
directory and modify the command above as follows:
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
}
83 lines
2.7 KiB
Plaintext
83 lines
2.7 KiB
Plaintext
#REGTEST_TYPE=devel
|
|
|
|
# This reg-test tests the client auth feature of HAProxy for both the backend
|
|
# and frontend section with a CRL list
|
|
#
|
|
# This reg-test uses 2 chained listeners because vtest does not handle the SSL.
|
|
# Test the frontend client auth and the backend side at the same time.
|
|
#
|
|
# The sends 3 requests one with a correct certificate, one with an expired one and one which was revoked.
|
|
# The client then check if we received the right one with the right error.
|
|
#
|
|
# Certificates, CA and CRL are expiring in 2050 so it should be fine for the CI.
|
|
#
|
|
# Detail about configuration is explained there:
|
|
# https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/
|
|
|
|
varnishtest "Test the client auth"
|
|
#REQUIRE_OPTIONS=OPENSSL
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 -repeat 3 {
|
|
rxreq
|
|
txresp
|
|
} -start
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
.if feature(THREAD)
|
|
thread-groups 1
|
|
.endif
|
|
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst}"
|
|
balance roundrobin
|
|
# crt: certificate sent for a client certificate request
|
|
server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem
|
|
server s2 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client2_expired.pem # expired
|
|
server s3 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem # revoked
|
|
|
|
listen ssl-lst
|
|
# crt: certificate of the server
|
|
# ca-file: CA used for client authentication request
|
|
# crl-file: revocation list for client auth: the client1 certificate is revoked
|
|
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err X509_V_ERR_CERT_REVOKED,X509_V_ERR_CERT_HAS_EXPIRED crl-file ${testdir}/certs/crl-auth.pem
|
|
|
|
http-response add-header X-SSL %[ssl_c_verify,x509_v_err_str]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl == "X509_V_OK"
|
|
} -run
|
|
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl == "X509_V_ERR_CERT_HAS_EXPIRED"
|
|
} -run
|
|
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl == "X509_V_ERR_CERT_REVOKED"
|
|
} -run
|