mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-12-02 16:21:27 +01:00
0839fb46db
Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-test/ssl/certs and adapt all the VTC files which use them.
This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables, depending on the location the VTC file
is runi from, because VTC does not resolve the environment variables. Only macros
as ${testdir} can be resolved.
For instance this command run from a VTC file from reg-tests/ssl directory cannot
be reused from another directory, except if we add a symbolic link for each certs,
key etc.
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
}
This is not what we want. We add a symbolic link to reg-test/ssl/certs to the
directory and modify the command above as follows:
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
}
255 lines
8.3 KiB
Plaintext
255 lines
8.3 KiB
Plaintext
#REGTEST_TYPE=devel
|
|
|
|
# This reg-tests checks that the DH-related mechanisms works properly.
|
|
# When no DH is specified, either directly in the server's PEM or through a
|
|
# ssl-dh-param-file global option, and no tune.ssl.default-dh-param is defined,
|
|
# DHE ciphers are disabled.
|
|
# If a default-dh-param is defined, we will use DH parameters of the same size
|
|
# as the server's RSA or DSA key, or default-dh-param if it is smaller.
|
|
# This test has three distinct HAProxy instances, one with no DH-related option
|
|
# used, one with the tune.ssl.default-dh-param global parameter set, and one
|
|
# with an ssl-dh-param-file global option.
|
|
# We use "openssl s_client" calls in order to check the size of the "Server
|
|
# Temp Key" (which will be the same as the DH parameters in case a DHE cipher
|
|
# is used).
|
|
#
|
|
# The main goal of this test was to check that the newly added OpenSSLv3
|
|
# specific DH code worked as before, since it needed to be created in order to
|
|
# stop using deprecated APIs.
|
|
|
|
varnishtest "Test the DH related SSL options"
|
|
# AWS-LC does not support any FFDH ciphersuites
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(AWS-LC)' && !ssllib_name_startswith(wolfSSL)'"
|
|
feature cmd "command -v openssl && command -v grep && command -v socat"
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 -repeat 8 {
|
|
rxreq
|
|
txresp
|
|
} -start
|
|
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
.if feature(THREAD)
|
|
thread-groups 1
|
|
.endif
|
|
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
|
|
defaults
|
|
mode http
|
|
option httpslog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
retries 0
|
|
|
|
frontend clear-fe
|
|
bind "fd@${clearlst}"
|
|
use_backend gen_cert_be if { path /gencert }
|
|
default_backend dflt_be
|
|
|
|
backend dflt_be
|
|
server s1 "${tmpdir}/ssl_dflt.sock" ssl verify none ssl-max-ver TLSv1.2
|
|
|
|
backend gen_cert_be
|
|
server s1 "${tmpdir}/ssl_dflt_gencert.sock" ssl verify none ssl-max-ver TLSv1.2
|
|
|
|
listen ssl-dflt-lst
|
|
bind "${tmpdir}/ssl_dflt.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
|
|
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen ssl-dflt-gencert-lst
|
|
bind "${tmpdir}/ssl_dflt_gencert.sock" ssl generate-certificates crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
|
|
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
haproxy h2 -conf {
|
|
global
|
|
.if feature(THREAD)
|
|
thread-groups 1
|
|
.endif
|
|
|
|
stats socket "${tmpdir}/h2/stats" level admin
|
|
|
|
global
|
|
.if feature(THREAD)
|
|
thread-groups 1
|
|
.endif
|
|
|
|
tune.ssl.default-dh-param 4096
|
|
|
|
defaults
|
|
mode http
|
|
option httpslog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
retries 0
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst_dfltdh}"
|
|
server s1 "${tmpdir}/ssl_dfltdh.sock" ssl verify none ssl-max-ver TLSv1.2
|
|
|
|
listen ssl-4096dh-dflt-lst
|
|
bind "${tmpdir}/ssl_dfltdh.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
|
|
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
haproxy h3 -conf {
|
|
global
|
|
.if feature(THREAD)
|
|
thread-groups 1
|
|
.endif
|
|
|
|
stats socket "${tmpdir}/h3/stats" level admin
|
|
|
|
global
|
|
.if feature(THREAD)
|
|
thread-groups 1
|
|
.endif
|
|
|
|
ssl-dh-param-file ${testdir}/certs/common.4096.dh
|
|
|
|
defaults
|
|
mode http
|
|
option httpslog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
retries 0
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst_dhfile}"
|
|
server s1 "${tmpdir}/ssl_dhfile.sock" ssl verify none ssl-max-ver TLSv1.2
|
|
|
|
listen ssl-dhfile-lst
|
|
bind "${tmpdir}/ssl_dhfile.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
|
|
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
#
|
|
# Check that all the SSL backend <-> SSL frontend connections work
|
|
#
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
# No DH parameters are defined, DHE ciphers are unavailable
|
|
expect resp.status == 503
|
|
} -run
|
|
|
|
client c2 -connect ${h2_clearlst_dfltdh_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
client c3 -connect ${h3_clearlst_dhfile_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
client c4 -connect ${h1_clearlst_sock} {
|
|
txreq -url "/gencert"
|
|
rxresp
|
|
# No DH parameters are defined, DHE ciphers are unavailable
|
|
expect resp.status == 503
|
|
} -run
|
|
|
|
|
|
# On the second HAProxy instance, even if default-dh-param is set to 4096, this
|
|
# value is only considered as a maximum DH key length and we will always try to
|
|
# match the server's certificate key length in our DHE key exchange (2048 bits
|
|
# in the case of common.pem).
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dfltdh.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 2048 bits"
|
|
}
|
|
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dhfile.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
|
|
}
|
|
|
|
|
|
#
|
|
# Add a custom DH to the server's PEM certificate
|
|
#
|
|
shell {
|
|
printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" -
|
|
|
|
printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h2/stats" -
|
|
echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h2/stats" -
|
|
|
|
printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h3/stats" -
|
|
echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h3/stats" -
|
|
}
|
|
|
|
|
|
#
|
|
# Check that all the SSL backend <-> SSL frontend connections still work
|
|
# Common.pem now contains DH parameters so the first instance's frontends
|
|
# can now use DHE ciphers.
|
|
#
|
|
client c5 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
client c6 -connect ${h2_clearlst_dfltdh_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
client c7 -connect ${h3_clearlst_dhfile_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
client c8 -connect ${h1_clearlst_sock} {
|
|
txreq -url "/gencert"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
|
|
|
|
#
|
|
# Check the new size of the DH key
|
|
#
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dflt.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
|
|
}
|
|
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dfltdh.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
|
|
}
|
|
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dhfile.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
|
|
}
|
|
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dflt_gencert.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
|
|
}
|