mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-12-02 08:11:29 +01:00
0839fb46db
Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-test/ssl/certs and adapt all the VTC files which use them.
This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables, depending on the location the VTC file
is runi from, because VTC does not resolve the environment variables. Only macros
as ${testdir} can be resolved.
For instance this command run from a VTC file from reg-tests/ssl directory cannot
be reused from another directory, except if we add a symbolic link for each certs,
key etc.
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
}
This is not what we want. We add a symbolic link to reg-test/ssl/certs to the
directory and modify the command above as follows:
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
}
174 lines
6.6 KiB
Plaintext
174 lines
6.6 KiB
Plaintext
#REGTEST_TYPE=devel
|
|
|
|
# This reg-test checks that the 'generate-certificates' SSL option works
|
|
# properly. This option allows to generate server-side certificates on the fly
|
|
# for clients that use an SNI for which no certificate was specified in the
|
|
# configuration file.
|
|
# This test also aims at checking that the 'generate-certificates' and the
|
|
# 'ecdhe' bind options work correctly together.
|
|
# Any bind line having a 'generate-certificates' needs to have a ca-sign-file
|
|
# option as well that specifies the path to a CA pem file (containing a
|
|
# certificate as well as its private key). For this reason, a new
|
|
# ssl_gen_ca.pem CA certificate was created, along with the ssl_gen_server.pem
|
|
# server certificate signed by the CA. This server certificate will be used as
|
|
# a default certificate and will serve as a base for any newly created
|
|
# certificate.
|
|
|
|
varnishtest "Test the 'generate-certificates' SSL option"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(wolfSSL)'"
|
|
feature cmd "command -v openssl && command -v grep"
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 -repeat 6 {
|
|
rxreq
|
|
txresp
|
|
} -start
|
|
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
.if feature(THREAD)
|
|
thread-groups 1
|
|
.endif
|
|
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 2048
|
|
|
|
defaults
|
|
mode http
|
|
option httpslog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst}"
|
|
http-request set-var(sess.sni) hdr(x-sni)
|
|
|
|
use_backend P-384_backend if { path /P-384 }
|
|
default_backend default_backend
|
|
|
|
backend default_backend
|
|
server s1 "${tmpdir}/ssl.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)
|
|
|
|
backend P-384_backend
|
|
server s1 "${tmpdir}/ssl_P-384.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/certs/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional
|
|
http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
|
|
http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
|
|
http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
|
|
http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
|
|
http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex]
|
|
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen ssl-lst-P-384
|
|
bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/certs/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1
|
|
http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
|
|
http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
|
|
http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
|
|
http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
|
|
http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex]
|
|
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
} -start
|
|
|
|
# Use default certificate
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
|
|
# Use default certificate's sni
|
|
client c2 -connect ${h1_clearlst_sock} {
|
|
txreq -hdr "x-sni: server.ecdsa.com"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
|
|
|
|
# Use another SNI - the server certificate should be generated and different
|
|
# than the default one
|
|
client c3 -connect ${h1_clearlst_sock} {
|
|
txreq -hdr "x-sni: unknown-sni.com"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
|
|
# Use default certificate
|
|
client c4 -connect ${h1_clearlst_sock} {
|
|
txreq -url "/P-384"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
|
|
# Use default certificate's sni
|
|
client c5 -connect ${h1_clearlst_sock} {
|
|
txreq -url "/P-384" -hdr "x-sni: server.ecdsa.com"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
|
|
# Use another SNI - the server certificate should be generated and different
|
|
# than the default one
|
|
client c6 -connect ${h1_clearlst_sock} {
|
|
txreq -url "/P-384" -hdr "x-sni: unknown-sni.com"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
# Check that the curves that the server accepts to use correspond to what we
|
|
# expect it to be (according to ecdhe option).
|
|
# The curve with the highest priority is X25519 for OpenSSL 1.1.1 and later,
|
|
# and P-256 for OpenSSL 1.0.2.
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl.sock" -servername server.ecdsa.com -tls1_2 2>/dev/null | grep -E "Server Temp Key: (ECDH, P-256, 256 bits|ECDH, prime256v1, 256 bits|X25519, 253 bits)"
|
|
}
|
|
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_P-384.sock" -servername server.ecdsa.com 2>/dev/null| grep -E "Temp Key: ECDH,.+, 384 bits"
|
|
}
|