Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-tests/ssl/certs and adapt all the VTC files which use them.
This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables, depending on the location the VTC file
is run from, because VTC does not resolve environment variables. Only macros
as ${testdir} can be resolved.
For instance this command run from a VTC file from reg-tests/ssl directory cannot
be reused from another directory, unless we add a symbolic link for each cert,
key etc.
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
}
This is not what we want. Instead, we add a single symbolic link named "certs" to
reg-tests/ssl/certs in the directory and modify the command above as follows:
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
}
#REGTEST_TYPE=devel

# broken with BoringSSL (and also skipped with wolfSSL, see the feature gate below).

# This reg-test uses the "show ssl ocsp-response" command to display the details
# of the OCSP responses used by HAProxy.
# It also uses the new special cases of the "show ssl cert" command, where an OCSP
# extension is provided to the certificate name (with or without preceding * for an
# ongoing transaction).
#
# It uses the show_ocsp_server.pem server certificate, signed off by set_cafile_rootCA.crt,
# which has two OCSP responses, show_ocsp_server.pem.ocsp which is loaded by default and in
# which it is valid, and show_ocsp_server.pem.ocsp.revoked in which it is revoked.
# The OCSP response is updated through the two means available in the CLI, the
# "set ssl ocsp-response" command and the update through a "set ssl cert foo.ocsp".
#
# It requires socat to upload the new OCSP responses over the stats socket, and
# openssl to base64-encode them (the DER responses are sent base64-encoded to the CLI).
#
# Both responses are static fixtures: the "This Update" timestamps asserted below
# are used to tell which of the two responses is currently in use.
#
# If this test does not work anymore:
# - Check that you have socat and openssl (both are required by the
#   "feature cmd" line below)

varnishtest "Test the 'show ssl ocsp-response' and 'show ssl cert foo.pem.ocsp' features of the CLI"
# The CLI features under test are gated to 2.5-dev0 and later.
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && !ssllib_name_startswith(wolfSSL)'"
feature cmd "command -v socat && command -v openssl"
# The config below references the s1_addr/s1_port macros without defining a
# server s1 in this file; this keeps vtest from failing on them.
feature ignore_unknown_macro
haproxy h1 -conf {
    global
    .if feature(THREAD)
        thread-groups 1
    .endif

    # Not applied on AWS-LC (see the ssllib_name_startswith() condition).
    .if !ssllib_name_startswith(AWS-LC)
        tune.ssl.default-dh-param 2048
    .endif
        tune.ssl.capture-buffer-size 1
        # Admin level is required for the "set ssl ..." and "commit ssl cert"
        # commands issued below. The socket is driven both through
        # "haproxy h1 -cli" and through socat from the "shell" blocks.
        stats socket "${tmpdir}/h1/stats" level admin

    defaults
        mode http
        option httplog
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server "${HAPROXY_TEST_TIMEOUT-5s}"

    listen clear-lst
        bind "fd@${clearlst}"
        # TEST ONLY: "verify none" disables checking of the server certificate
        # on this backend connection, so the ca-file is not used to verify
        # anything here. This test starts no HTTP client; only the CLI is
        # exercised. Do not copy this into a production configuration.
        server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none

    listen ssl-lst
        # crt: certificate of the server (the .ocsp, .ocsp.revoked and .issuer
        #      fixtures next to it are what this test manipulates)
        # ca-file: CA used for client authentication request
        # TEST ONLY: "verify none" disables client certificate verification
        # altogether, which presumably leaves the ca-file and
        # "crt-ignore-err all" (ignore every leaf verification error) without
        # effect here. Neither relaxation belongs in a production configuration.
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/show_ocsp_server.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
        # Not asserted by this test (no HTTP traffic is generated).
        http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
        # No "server s1" is defined in this file; the unresolved macros are
        # tolerated thanks to "feature ignore_unknown_macro".
        server s1 ${s1_addr}:${s1_port}
} -start
# Test the "show ssl ocsp-response" command
haproxy h1 -cli {
    # Without argument the command lists every loaded response, keyed by the
    # hex-encoded DER OCSP CertID of the certificate it covers.
    send "show ssl ocsp-response"
    expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"

    # With a key argument the response is dumped in detail. The command is
    # re-sent before every "expect" (one CLI exchange per assertion).
    # NOTE: "expect ~" is a regex match; the unescaped dots in the responder
    # CN act as wildcards, which is acceptable against a fixed fixture.
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    # Default fixture (show_ocsp_server.pem.ocsp): the certificate is valid.
    expect ~ "Cert Status: good"
}
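# Test the "show ssl ocsp-response" command with a certificate path as parameter
shell {
    # Same query as above, but the response is looked up by certificate path
    # rather than by CertID. The CLI is driven through socat so that the full
    # answer can be captured and inspected with grep; the shell block fails
    # (non-zero status) if either line is missing.
    ocsp_response=$(printf '%s\n' "show ssl ocsp-response ${testdir}/certs/show_ocsp_server.pem" | socat "${tmpdir}/h1/stats" -)

    # -F: match the expected lines literally (the "." in the responder CN must
    # not act as a regex wildcard); "--" guards against a pattern that starts
    # with "-". printf is used instead of echo so the captured text is never
    # interpreted as echo options or escapes.
    printf '%s\n' "$ocsp_response" | grep -F -- "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com" &&
    printf '%s\n' "$ocsp_response" | grep -F -- "Cert Status: good"
}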
# Test the "show ssl cert foo.pem.ocsp" command
haproxy h1 -cli {
    # The server certificate must be among the loaded ones.
    send "show ssl cert"
    expect ~ ".*show_ocsp_server.pem"

    # Details of the certificate itself. The trailing "02 02 10 0f" of the
    # OCSP response key is the DER INTEGER encoding of the serial 0x100F.
    send "show ssl cert ${testdir}/certs/show_ocsp_server.pem"
    expect ~ "Serial: 100F"
    send "show ssl cert ${testdir}/certs/show_ocsp_server.pem"
    expect ~ "OCSP Response Key: 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"

    # ".ocsp" suffix: dump the OCSP response attached to the certificate
    # instead of the certificate itself. Same content as the
    # "show ssl ocsp-response <key>" output checked above.
    send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp"
    expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
    send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp"
    expect ~ "Cert Status: good"
}
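# Change the server certificate's OCSP response through "set ssl ocsp-response"
shell {
    # Upload the "revoked" fixture, base64-encoded, as the payload of a
    # multi-line CLI command ("<<" followed by the payload and terminated by an
    # empty line). The payload is passed as a "%s" argument rather than spliced
    # into the printf format string, so that a "%" or "\" in the data can never
    # be interpreted as a conversion or escape sequence.
    printf 'set ssl ocsp-response <<\n%s\n\n' \
        "$(openssl base64 < "${testdir}/certs/show_ocsp_server.pem.ocsp.revoked")" \
        | socat "${tmpdir}/h1/stats" -
    # NOTE(review): the exit status of this pipeline is socat's and only
    # reflects the socket exchange; a CLI-level rejection of the payload is
    # only detected by the "show ssl ocsp-response" checks that follow.
}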
# Check that the change was taken into account
haproxy h1 -cli {
    # The key is unchanged: the new response covers the same certificate.
    send "show ssl ocsp-response"
    expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"

    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    # The ".ocsp.revoked" fixture is now the live response.
    expect ~ "Cert Status: revoked"

    # The same live response is visible through the certificate's ".ocsp" view.
    send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp"
    expect ~ "Cert Status: revoked"
}
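# Change the server certificate's OCSP response through a transaction
shell {
    # Open an update transaction on the certificate by re-uploading its three
    # parts: the PEM itself, the ".issuer" file and the original ("good") OCSP
    # response. Nothing is applied until the "commit ssl cert" below.
    #
    # The command name and the payload go through "%s" instead of being spliced
    # into the printf format string, so that a "%" or "\" in the test directory
    # path or in the files can never be interpreted as a conversion or escape
    # sequence. Blank lines are stripped from the PEM inputs because an empty
    # line terminates a "<<" CLI payload; the OCSP response is DER and is sent
    # base64-encoded.
    printf 'set ssl cert %s <<\n%s\n\n' "${testdir}/certs/show_ocsp_server.pem" \
        "$(sed '/^$/d' "${testdir}/certs/show_ocsp_server.pem")" \
        | socat "${tmpdir}/h1/stats" -
    printf 'set ssl cert %s <<\n%s\n\n' "${testdir}/certs/show_ocsp_server.pem.issuer" \
        "$(sed '/^$/d' "${testdir}/certs/show_ocsp_server.pem.issuer")" \
        | socat "${tmpdir}/h1/stats" -
    printf 'set ssl cert %s <<\n%s\n\n' "${testdir}/certs/show_ocsp_server.pem.ocsp" \
        "$(openssl base64 < "${testdir}/certs/show_ocsp_server.pem.ocsp")" \
        | socat "${tmpdir}/h1/stats" -
    # NOTE(review): as above, socat's exit status does not reflect CLI-level
    # errors; the transaction state is verified by the next "-cli" block.
}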
# Check that the actual tree entry was not changed and that the uncommitted
# transaction's OCSP response is the new one
haproxy h1 -cli {
    # Live entry: still the "revoked" response installed with
    # "set ssl ocsp-response" ("This Update" 08:57:45 identifies that fixture).
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "Cert Status: revoked"
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "This Update: Jun 10 08:57:45 2021 GMT"

    # Leading "*": address the pending transaction rather than the committed
    # entry. It holds the "good" response uploaded in the shell block above
    # ("This Update" 08:55:04 identifies that fixture).
    send "show ssl cert *${testdir}/certs/show_ocsp_server.pem.ocsp"
    expect ~ "Cert Status: good"
    send "show ssl cert *${testdir}/certs/show_ocsp_server.pem.ocsp"
    expect ~ "This Update: Jun 10 08:55:04 2021 GMT"
}
# Commit the transaction and check that it was taken into account
haproxy h1 -cli {
    send "commit ssl cert ${testdir}/certs/show_ocsp_server.pem"
    expect ~ "Success!"

    # After the commit, the live response is the "good" one carried by the
    # transaction (08:55:04), replacing the "revoked" one (08:57:45).
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "Cert Status: good"
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "This Update: Jun 10 08:55:04 2021 GMT"
}