mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-11-03 01:51:00 +01:00
61b6a4da6c
WolfSSL does not seem to work correctly with the generate-certificates
features. This patch disables it temporarly.
ssl-max-ver TLSv1.2 seems to be a problem in the reg-test and
wolfSSL but without it it's not able to generate correctly the cert:
*** h1 debug|00000004:clear-lst.accept(0007)=0028 from [127.0.0.1:35956] ALPN=<none>
*** h1 debug|00000004:clear-lst.clireq[0028:ffffffff]: GET / HTTP/1.1
*** h1 debug|00000004:clear-lst.clihdr[0028:ffffffff]: x-sni: unknown-sni.com
*** h1 debug|00000004:clear-lst.clihdr[0028:ffffffff]: host: 127.0.0.1
*** h1 debug|fd[0x29] OpenSSL error[0x13d] : need the private key
*** h1 debug|<134>Sep 20 15:42:58 haproxy[165743]: unix:1 [20/Sep/2023:15:42:58.042] ssl-lst/1: SSL handshake failure (need the private key)
**** dT 1.072
*** h1 debug|fd[0x2a] OpenSSL error[0x13d] : need the private key
*** h1 debug|<134>Sep 20 15:42:59 haproxy[165743]: unix:1 [20/Sep/2023:15:42:59.044] ssl-lst/1: SSL handshake failure (need the private key)
**** dT 2.075
*** h1 debug|fd[0x29] OpenSSL error[0x13d] : need the private key
*** h1 debug|<134>Sep 20 15:43:00 haproxy[165743]: unix:1 [20/Sep/2023:15:43:00.046] ssl-lst/1: SSL handshake failure (need the private key)
**** dT 3.079
*** h1 debug|fd[0x29] OpenSSL error[0x13d] : need the private key
*** h1 debug|<134>Sep 20 15:43:01 haproxy[165743]: unix:1 [20/Sep/2023:15:43:01.050] ssl-lst/1: SSL handshake failure (need the private key)
**** dT 3.080
*** h1 debug|00000004:default_backend.clicls[0028:0023]
*** h1 debug|00000004:default_backend.closed[0028:0023]
*** h1 debug|<134>Sep 20 15:43:01 haproxy[165743]: 127.0.0.1:35956 [20/Sep/2023:15:42:58.042] clear-lst default_backend/s1 0/0/-1/-1/+3009 503 +217 - - SC-- 3/1/0/0/3 0/0 "GET / HTTP/1.1" 0/-/-/-/0 -/-/-
**** c3 rxhdr|HTTP/1.1 503 Service Unavailable\r
**** c3 rxhdr|content-length: 107\r
**** c3 rxhdr|cache-control: no-cache\r
**** c3 rxhdr|content-type: text/html\r
**** c3 rxhdr|\r
169 lines
6.5 KiB
Plaintext
169 lines
6.5 KiB
Plaintext
#REGTEST_TYPE=devel
|
|
|
|
# This reg-test checks that the 'generate-certificates' SSL option works
|
|
# properly. This option allows to generate server-side certificates on the fly
|
|
# for clients that use an SNI for which no certificate was specified in the
|
|
# configuration file.
|
|
# This test also aims at checking that the 'generate-certificates' and the
|
|
# 'ecdhe' bind options work correctly together.
|
|
# Any bind line having a 'generate-certificates' needs to have a ca-sign-file
|
|
# option as well that specifies the path to a CA pem file (containing a
|
|
# certificate as well as its private key). For this reason, a new
|
|
# ssl_gen_ca.pem CA certificate was created, along with the ssl_gen_server.pem
|
|
# server certificate signed by the CA. This server certificate will be used as
|
|
# a default certificate and will serve as a base for any newly created
|
|
# certificate.
|
|
|
|
varnishtest "Test the 'generate-certificates' SSL option"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(wolfSSL)'"
|
|
feature cmd "command -v openssl && command -v grep"
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 -repeat 6 {
|
|
rxreq
|
|
txresp
|
|
} -start
|
|
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 2048
|
|
|
|
defaults
|
|
mode http
|
|
option httpslog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
option httpslog
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst}"
|
|
http-request set-var(sess.sni) hdr(x-sni)
|
|
|
|
use_backend P-384_backend if { path /P-384 }
|
|
default_backend default_backend
|
|
|
|
backend default_backend
|
|
server s1 "${tmpdir}/ssl.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)
|
|
|
|
backend P-384_backend
|
|
server s1 "${tmpdir}/ssl_P-384.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional
|
|
http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
|
|
http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
|
|
http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
|
|
http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
|
|
http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex]
|
|
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen ssl-lst-P-384
|
|
bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1
|
|
http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
|
|
http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
|
|
http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
|
|
http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
|
|
http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex]
|
|
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
} -start
|
|
|
|
# Use default certificate
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
|
|
# Use default certificate's sni
|
|
client c2 -connect ${h1_clearlst_sock} {
|
|
txreq -hdr "x-sni: server.ecdsa.com"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
|
|
|
|
# Use another SNI - the server certificate should be generated and different
|
|
# than the default one
|
|
client c3 -connect ${h1_clearlst_sock} {
|
|
txreq -hdr "x-sni: unknown-sni.com"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
|
|
# Use default certificate
|
|
client c4 -connect ${h1_clearlst_sock} {
|
|
txreq -url "/P-384"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
|
|
# Use default certificate's sni
|
|
client c5 -connect ${h1_clearlst_sock} {
|
|
txreq -url "/P-384" -hdr "x-sni: server.ecdsa.com"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
|
|
# Use another SNI - the server certificate should be generated and different
|
|
# than the default one
|
|
client c6 -connect ${h1_clearlst_sock} {
|
|
txreq -url "/P-384" -hdr "x-sni: unknown-sni.com"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
|
|
expect resp.http.x-ssl-i_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-s_dn == "ECDSA CA"
|
|
expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
|
|
expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
|
|
} -run
|
|
|
|
# Check that the curves that the server accepts to use correspond to what we
|
|
# expect it to be (according to ecdhe option).
|
|
# The curve with the highest priority is X25519 for OpenSSL 1.1.1 and later,
|
|
# and P-256 for OpenSSL 1.0.2.
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl.sock" -servername server.ecdsa.com -tls1_2 2>/dev/null | grep -E "Server Temp Key: (ECDH, P-256, 256 bits|ECDH, prime256v1, 256 bits|X25519, 253 bits)"
|
|
}
|
|
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_P-384.sock" -servername server.ecdsa.com 2>/dev/null| grep -E "Temp Key: ECDH,.+, 384 bits"
|
|
}
|