mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-08-07 07:37:02 +02:00
e1b61090a0
In order for the test to run with OpenSSL 1.0.2 the test will now mostly use TLSv1.2 and use TLS 1.3 only on some specific tests (covered by preconditions).
385 lines
14 KiB
Plaintext
385 lines
14 KiB
Plaintext
#REGTEST_TYPE=devel
|
|
|
|
# This reg-test checks that the connection and SSL sample fetches related to
|
|
# errors are functioning properly. It also tests the proper behaviour of the
|
|
# default HTTPS log format and of the error-log-format option which allows to
|
|
# define a specific log format used only in case of connection error (otherwise
|
|
# a line following the configured log-format is output).
|
|
#
|
|
# It works by sending request through three different paths, one using a custom
|
|
# log-format line that contains the connection error and SSL handshake error
|
|
# sample fetches, one using the default HTTPS log-format and one using the
|
|
# legacy error log format.
|
|
#
|
|
# The output log lines are caught by syslog blocks (one for each path) and
|
|
# compared to an expected format.
|
|
# Since the syslog is not by design synchronized with the Varnish clients and
|
|
# servers, synchronization is achieved through barriers, which ensure that
|
|
# syslog messages arrive in the right order.
|
|
#
|
|
# In order to ensure that the log line raised in case of connection error if an
|
|
# error-log-format is defined still follows the log-separate-error option, the
|
|
# log lines raised by the https_fmt_lst listener will be sent to two separate
|
|
# syslog servers.
|
|
#
|
|
|
|
varnishtest "Test the connection and SSL error fetches."
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev2)'"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(OpenSSL)'"
|
|
feature cmd "command -v socat"
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 -repeat 4 {
|
|
rxreq
|
|
txresp
|
|
} -start
|
|
|
|
barrier b1 cond 4 -cyclic
|
|
barrier b2 cond 2 -cyclic
|
|
|
|
|
|
syslog Slg_cust_fmt -level info {
|
|
recv
|
|
expect ~ ".*conn_status:\"0:Success\" hsk_err:\"0:-\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ "ERROR.*conn_status:\"30:SSL client CA chain cannot be verified\" hsk_err:\"134:.*:certificate verify failed\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ "ERROR.*conn_status:\"31:SSL client certificate not trusted\" hsk_err:\"134:.*:certificate verify failed\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
|
|
|
|
barrier b1 sync
|
|
|
|
# In case of an error occuring before the certificate verification process,
|
|
# the client certificate chain is never parsed and verified so we can't
|
|
# have information about the client's certificate.
|
|
recv
|
|
expect ~ "ERROR.*conn_status:\"34:SSL handshake failure\" hsk_err:\"193:.*:no shared cipher\" CN=\"\",serial=-,hash=-"
|
|
} -start
|
|
|
|
syslog Slg_https_fmt -level info {
|
|
recv
|
|
expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/s1.*0/0000000000000000/0/0 TLSv1.2/AES256-GCM-SHA384"
|
|
|
|
barrier b1 sync
|
|
} -start
|
|
|
|
syslog Slg_https_fmt_err -level info {
|
|
recv
|
|
expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*30/0000000000000086/0/2 TLSv1.2/\\(NONE\\)"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*31/0000000000000086/20/0 TLSv1.2/\\(NONE\\)"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*34/00000000000000C1/0/0 TLSv1.2/\\(NONE\\)"
|
|
} -start
|
|
|
|
syslog Slg_logconnerror -level info {
|
|
recv
|
|
expect ~ ".*logconnerror_ssl_lst~ logconnerror_ssl_lst/s1"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ ".*logconnerror_ssl_lst/1: SSL client CA chain cannot be verified"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ ".*logconnerror_ssl_lst/1: SSL client certificate not trusted"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ ".*logconnerror_ssl_lst/1: SSL handshake failure"
|
|
} -start
|
|
|
|
syslog Slg_bcknd -level info {
|
|
recv
|
|
expect ~ ".*bc_conn_err:0:\"Success\" ssl_bc_err:0:"
|
|
|
|
barrier b2 sync
|
|
|
|
recv
|
|
expect ~ ".*bc_conn_err:34:\"SSL handshake failure\" ssl_bc_err:134:.*:certificate verify failed"
|
|
|
|
barrier b2 sync
|
|
|
|
recv
|
|
expect ~ ".*bc_conn_err:32:\"Server presented an SSL certificate different from the configured one\" ssl_bc_err:134:.*:certificate verify failed"
|
|
|
|
barrier b2 sync
|
|
|
|
# Verify errors on the server side cannot be caught when using TLSv1.3 but it works for TLSv1.2
|
|
recv
|
|
expect ~ ".*bc_conn_err:34:\"SSL handshake failure\" ssl_bc_err:1048:.*:tlsv1 alert unknown ca"
|
|
|
|
barrier b2 sync
|
|
|
|
recv
|
|
expect ~ ".*bc_conn_err:34:\"SSL handshake failure\" ssl_bc_err:1040:.*:sslv3 alert handshake failure"
|
|
|
|
barrier b2 sync
|
|
|
|
recv
|
|
expect ~ ".*bc_conn_err:34:\"SSL handshake failure\" ssl_bc_err:1040:.*:sslv3 alert handshake failure"
|
|
} -start
|
|
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
.if openssl_version_atleast(3.0.0)
|
|
set-var proc.ssl_error_mask str(7FFFFF),hex2i
|
|
.else
|
|
set-var proc.ssl_error_mask str(FFF),hex2i
|
|
.endif
|
|
|
|
defaults
|
|
timeout connect 100ms
|
|
timeout client 1s
|
|
timeout server 1s
|
|
retries 0
|
|
|
|
listen clear_lst
|
|
bind "fd@${clearlst}"
|
|
default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12
|
|
|
|
balance roundrobin
|
|
server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
|
|
server https_fmt "${tmpdir}/https_logfmt_ssl.sock"
|
|
server logconnerror "${tmpdir}/logconnerror_ssl.sock"
|
|
|
|
|
|
listen clear_wrong_ciphers_lst
|
|
bind "fd@${wrongcipherslst}"
|
|
default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 ciphers "aECDSA"
|
|
|
|
balance roundrobin
|
|
server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
|
|
server https_fmt "${tmpdir}/https_logfmt_ssl.sock"
|
|
server logconnerror "${tmpdir}/logconnerror_ssl.sock"
|
|
|
|
|
|
# This listener will be used to test backend fetches (bc_conn_err and ssl_bc_err)
|
|
listen clear_backend_errors_lst
|
|
bind "fd@${backenderrorslst}"
|
|
log ${Slg_bcknd_addr}:${Slg_bcknd_port} local0
|
|
log-format "bc_conn_err:%[bc_conn_err]:%{+Q}[bc_conn_err_str]\ ssl_bc_err:%[ssl_bc_err,and(proc.ssl_error_mask)]:%{+Q}[ssl_bc_err_str]"
|
|
error-log-format "ERROR bc_conn_err:%[bc_conn_err]:%{+Q}[bc_conn_err_str]\ ssl_bc_err:%[ssl_bc_err,and(proc.ssl_error_mask)]:%[ssl_bc_err_str]"
|
|
|
|
balance roundrobin
|
|
server no_err "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required
|
|
server srv_cert_rejected "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required
|
|
server mismatch_frontend "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required verifyhost str(toto)
|
|
# We force TLSv1.2 for this specific case because server-side
|
|
# verification errors cannot be caught by the backend fetches when
|
|
# using TLSv1.3
|
|
server clt_cert_rejected "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none force-tlsv12
|
|
server wrong_ciphers "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA"
|
|
|
|
# No TLSv1.3 support with OpenSSL 1.0.2 so we duplicate the previous
|
|
# wrong cipher test in this case so that the error log remains the same
|
|
.if openssl_version_before(1.1.1)
|
|
server wrong_ciphers2 "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA"
|
|
.else
|
|
server wrong_ciphers_tls13 "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" force-tlsv13
|
|
.endif
|
|
|
|
|
|
|
|
|
|
listen cust_logfmt_ssl_lst
|
|
log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0
|
|
mode http
|
|
log-format "conn_status:\"%[fc_conn_err]:%[fc_conn_err_str]\" hsk_err:\"%[ssl_fc_err]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
|
|
error-log-format "ERROR conn_status:\"%[fc_conn_err]:%[fc_conn_err_str]\" hsk_err:\"%[ssl_fc_err,and(proc.ssl_error_mask)]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
|
|
bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA"
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen https_logfmt_ssl_lst
|
|
log ${Slg_https_fmt_addr}:${Slg_https_fmt_port} local0 info
|
|
log ${Slg_https_fmt_err_addr}:${Slg_https_fmt_err_port} local0 err info
|
|
option log-separate-errors
|
|
mode http
|
|
option httpslog
|
|
error-log-format "ERROR %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[fc_conn_err]/%[ssl_fc_err,and(proc.ssl_error_mask),hex]/%[ssl_c_err]/%[ssl_c_ca_err] %sslv/%sslc"
|
|
bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA"
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen logconnerror_ssl_lst
|
|
log ${Slg_logconnerror_addr}:${Slg_logconnerror_port} local0 info
|
|
mode http
|
|
option httplog
|
|
bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA"
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
|
|
# The following listeners allow to test backend error fetches
|
|
listen no_backend_err_ssl_lst
|
|
bind "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen srv_rejected_ssl_lst
|
|
bind "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen mismatch_fe_ssl_lst
|
|
bind "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen rejected_clt_ssl_lst
|
|
bind "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen wrong_ciphers_ssl_lst
|
|
bind "${tmpdir}/wrong_ciphers_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv12 ciphers "kRSA"
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
.if openssl_version_atleast(1.1.1)
|
|
listen wrong_ciphers_tls13_ssl_lst
|
|
bind "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv13 ciphersuites "TLS_AES_128_GCM_SHA256"
|
|
server s1 ${s1_addr}:${s1_port}
|
|
.endif
|
|
|
|
} -start
|
|
|
|
|
|
# The three following requests should all succeed
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|
|
|
|
client c2 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|
|
|
|
client c3 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|
|
|
|
|
|
barrier b1 sync
|
|
|
|
|
|
# Change the root CA in the frontends
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
client c4 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
client c5 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
client c6 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
barrier b1 sync
|
|
|
|
|
|
|
|
# Restore the root CA
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
# Change the intermediate CA in the frontends
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
client c7 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
client c8 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
client c9 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
barrier b1 sync
|
|
|
|
|
|
# Restore the intermediate CA in the frontends
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
# "No shared cipher" errors
|
|
client c10 -connect ${h1_wrongcipherslst_sock} {
|
|
txreq
|
|
} -run
|
|
client c11 -connect ${h1_wrongcipherslst_sock} {
|
|
txreq
|
|
} -run
|
|
client c12 -connect ${h1_wrongcipherslst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
client c13 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|
|
barrier b2 sync
|
|
client c14 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
} -run
|
|
barrier b2 sync
|
|
client c15 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
} -run
|
|
barrier b2 sync
|
|
client c16 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
} -run
|
|
barrier b2 sync
|
|
client c17 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
} -run
|
|
barrier b2 sync
|
|
client c18 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
syslog Slg_cust_fmt -wait
|
|
syslog Slg_https_fmt -wait
|
|
syslog Slg_https_fmt_err -wait
|
|
syslog Slg_logconnerror -wait
|
|
syslog Slg_bcknd -wait
|