mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-12-02 16:21:27 +01:00
Code Issues Projects Releases Wiki Activity
haproxy/reg-tests/ssl/ssl_curves.vtc
Frederic Lecaille 0839fb46db REGTESTS: ssl: Move all the SSL certificates, keys, crt-lists inside "certs" directory 
Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-test/ssl/certs and adapt all the VTC files which use them.

This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables, depending on the location the VTC file
is runi from, because VTC does not resolve the environment variables. Only macros
as ${testdir} can be resolved.

For instance this command run from a VTC file from reg-tests/ssl directory cannot
be reused from another directory, except if we add a symbolic link for each certs,
key etc.

 haproxy h1 -cli {
   send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
 }

This is not what we want. We add a symbolic link to reg-test/ssl/certs to the
directory and modify the command above as follows:

 haproxy h1 -cli {
   send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
 }
2025-11-28 12:24:25 +01:00

141 lines
5.0 KiB
Plaintext
Raw Blame History

#REGTEST_TYPE=devel
# This reg-test checks the behaviour of the 'curves' and 'ecdhe' options on a
# bind line. Its main point is to ensure that the default curve used in
# HAProxy is indeed prime256v1 (or P-256 depending on the curve's
# representation). In order to check this, is uses two ssl frontends that have
# different lists of accepted curves, one of them accepting this default curve
# while the other one does not. A backend tries to connect to those two
# frontends by using the default curve, and it should succeed in one case and
# fail in the other.
# For some strange reason, OpenSSL 1.0.2 does not behave the same way as later
# versions when it comes to ECDH and curves related matters. Instead of trying
# to make it work the same way as the other (more used) versions, we will
# ignore it and disable this test on OpenSSL 1.0.2.
# For the same reason, this test is disabled for other SSL libraries as well.
#
varnishtest "Test the 'curves' and 'ecdhe' options and default curve value"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
feature ignore_unknown_macro
server s1 -repeat 2 {
rxreq
txresp
} -start
barrier b1 cond 2 -cyclic
syslog Slg_cust_fmt -level info {
recv
expect ~ "ERROR.*conn_status:\"34:SSL handshake failure\" hsk_err:\".*wrong curve\".*"
barrier b1 sync
recv
expect ~ "ERROR ECDHE.*conn_status:\"34:SSL handshake failure\" hsk_err:\".*wrong curve\".*"
} -start
haproxy h1 -conf {
global
.if feature(THREAD)
thread-groups 1
.endif
.if !ssllib_name_startswith(AWS-LC)
tune.ssl.default-dh-param 2048
.endif
defaults
mode http
option httpslog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
retries 0
listen clear-lst
bind "fd@${clearlst}"
use_backend ssl-curves-be if { path /curves }
use_backend ssl-ecdhe-521-be if { path /ecdhe-521 }
use_backend ssl-ecdhe-256-be if { path /ecdhe-256 }
default_backend ssl-be
backend ssl-be
server s1 "${tmpdir}/ssl1.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 curves P-256:P-384
backend ssl-curves-be
server s1 "${tmpdir}/ssl2.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 curves P-384
backend ssl-ecdhe-256-be
server s1 "${tmpdir}/ssl-ecdhe-256.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12
backend ssl-ecdhe-521-be
server s1 "${tmpdir}/ssl-ecdhe-521.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12
listen ssl1-lst
bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional curves P-256:P-384
server s1 ${s1_addr}:${s1_port}
# The prime256v1 curve, which is used by default by a backend when no
# 'curves' or 'ecdhe' option is specified, is not allowed on this listener
listen ssl2-lst
log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0
error-log-format "ERROR conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]"
bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional curves P-384
server s1 ${s1_addr}:${s1_port}
listen ssl-ecdhe-521-lst
log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0
error-log-format "ERROR ECDHE-521 conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]"
bind "${tmpdir}/ssl-ecdhe-521.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ecdhe secp521r1
server s1 ${s1_addr}:${s1_port}
listen ssl-ecdhe-256-lst
log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0
error-log-format "ERROR ECDHE-256 conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]"
bind "${tmpdir}/ssl-ecdhe-256.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ecdhe prime256v1
server s1 ${s1_addr}:${s1_port}
} -start
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
} -run
# The backend tries to use the prime256v1 curve that is not accepted by the
# frontend so the handshake should fail.
client c2 -connect ${h1_clearlst_sock} {
txreq -url "/curves"
rxresp
expect resp.status == 503
} -run
barrier b1 sync
# The backend tries to use the prime256v1 curve that is not accepted by the
# frontend so the handshake should fail.
client c3 -connect ${h1_clearlst_sock} {
txreq -url "/ecdhe-521"
rxresp
expect resp.status == 503
} -run
client c4 -connect ${h1_clearlst_sock} {
txreq -url "/ecdhe-256"
rxresp
expect resp.status == 200
} -run
syslog Slg_cust_fmt -wait
Reference in New Issue View Git Blame Copy Permalink