haproxy/reg-tests/ssl/ocsp_auto_update.vtc

748 lines
30 KiB
Plaintext
Raw Permalink Normal View History

#REGTEST_TYPE=slow
# reg-test is around ~2.5s
# broken with BoringSSL.
# This reg-test focuses on the OCSP response auto-update functionality. It does
# not test the full scope of the feature because most of it is based on
# expiration times and long delays between updates of valid OCSP responses.
# Automatic update of valid OCSP responses loaded during init will not be
# tested because by design, such a response would no be automatically updated
# until init+1H.
#
# This test will then focus on certificates that have a specified OCSP URI but
# no known OCSP response. For those certificates, OCSP requests are sent as
# soon as possible by the update task.
#
# The ocsp responder used in all the tests will be an openssl using the
# certificate database in ocsp_update/index.txt. It will listen on port 12345
# which was specified explicitly in the certificates used in the tests.
# The synchronization will be based on the logs emitted by the OCSP update task
# directly. When this log is created, we will know that the update was
# effective and the updated OCSP response is loaded in the tree. So any
# following call to "show ssl ocsp-response" will display the latest response
# information.
#
# If this test does not work anymore:
# - Check that you have openssl and socat
varnishtest "Test the OCSP auto update feature"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && !ssllib_name_startswith(LibreSSL) && openssl_version_atleast(1.1.1)'"
feature cmd "command -v openssl && command -v socat"
feature ignore_unknown_macro
###################
# #
# FIRST TEST CASE #
# #
###################
# No automatic update should occur in this test case since we load two already
# valid OCSP responses during init which have a "Next Update" date really far
# in the future. So they should only be updated after one hour.
# This test will only be the most basic one where we check that ocsp response
# loading still works as expected.
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}/ocsp_update
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# We should have two distinct ocsp responses known that were loaded at build time
haproxy h1 -cli {
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
expect ~ "Cert Status: revoked"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
expect ~ "Cert Status: good"
}
haproxy h1 -wait
####################
# #
# SECOND TEST CASE #
# #
####################
# This test will focus on two separate certificates that have the same OCSP uri
# (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time.
# The update mode is set to 'on' in the two crt-lists used. The two ocsp
# responses should then be fetched automatically after init.
# We rely on the OCSP logs to ensure that the two updates are over before
# calling "show ssl ocsp-response". This is done through the Syslog_ocsp
# listener and a dedicated barrier.
process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
barrier b2 cond 2 -cyclic
syslog Syslog_ocsp -level notice {
recv
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
recv
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
barrier b2 sync
} -start
haproxy h2 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h2/stats" level admin
crt-base ${testdir}/ocsp_update
log ${Syslog_ocsp_addr}:${Syslog_ocsp_port} local0 notice notice
defaults
mode http
option httplog
log stderr local0 debug err
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-fe
bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-fe
bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
barrier b2 sync
# We should have two distinct ocsp IDs known that were loaded at build time and
# the responses' contents should have been filled automatically by the ocsp
# update task after init
haproxy h2 -cli {
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
expect ~ "Cert Status: revoked"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
expect ~ "Cert Status: revoked"
}
haproxy h2 -wait
process p2 -wait -expect-exit 0
###################
# #
# THIRD TEST CASE #
# #
###################
# This test will be roughly the same as the second one but one of the crt-lists
# will not enable ocsp-update on its certificate. Only one request should then
# be sent.
process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
barrier b3 cond 2 -cyclic
syslog Syslog_ocsp3 -level notice {
recv
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
barrier b3 sync
} -start
haproxy h3 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h3/stats" level admin
crt-base ${testdir}/ocsp_update
log ${Syslog_ocsp3_addr}:${Syslog_ocsp3_port} local0 notice notice
defaults
mode http
option httplog
log stderr local0 debug err
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-fe
bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-fe
bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
barrier b3 sync
# We should have a single ocsp ID known that was loaded at build time and the
# response should be filled
haproxy h3 -cli {
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
send "show ssl ocsp-response"
expect !~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
expect ~ "Cert Status: revoked"
}
haproxy h3 -wait
process p3 -wait
####################
# #
# FOURTH TEST CASE #
# (CLI COMMAND) #
# #
####################
# This test focuses on the "update ssl ocsp-response" CLI command and tests two
# certificates that have a known OCSP response loaded during init but no OCSP
# auto update. The only difference between the two certificates is that one has
# a separate .issuer file while the other one has the issuer certificate
# directly in the main .pem file.
# We store the original "Produced At" date of the responses loaded during init
# in haproxy proc variables in order to compare them to their new value after
# the update is performed.
process p4 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
barrier b4 cond 2 -cyclic
syslog Syslog_ocsp4 -level notice {
recv
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
recv
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
barrier b4 sync
} -start
haproxy h4 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h4/stats" level admin
crt-base ${testdir}/ocsp_update
log ${Syslog_ocsp4_addr}:${Syslog_ocsp4_port} local0 notice notice
defaults
mode http
option httplog
log stderr local0 debug err
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-ocsp
bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-ocsp
bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# We need to "enable" the cli with a first cli call before using it only through socats
haproxy h4 -cli {
send "show ssl cert"
expect ~ ""
}
# We should have two OCSP responses loaded during init
shell {
responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -)
[ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \
echo "$responses" | grep "Serial Number: 1016" && \
echo "$responses" | grep "Serial Number: 1015"
}
haproxy h4 -cli {
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
expect ~ "Cert Status: revoked"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
expect ~ "Cert Status: good"
}
# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer)
shell {
# Store the current "Produced At" in order to ensure that after the update
# the OCSP response actually changed
produced_at1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
# Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer)
# Store the current "Produced At" in order to ensure that after the update
# the OCSP response actually changed
produced_at2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
echo "experimental-mode on;set var proc.produced_at1 str($produced_at1)" | socat "${tmpdir}/h4/stats" -
echo "experimental-mode on;set var proc.produced_at2 str($produced_at2)" | socat "${tmpdir}/h4/stats" -
}
barrier b4 sync
shell {
produced_at1_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
produced_at2_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
ocsp_response1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -)
ocsp_response2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -)
echo "$ocsp_response1" | grep -q "Serial Number: 1015" && \
echo "$ocsp_response1" | grep -q "Cert Status: revoked" && \
echo "$ocsp_response2" | grep -q "Serial Number: 1016" && \
echo "$ocsp_response2" | grep -q "Cert Status: revoked" && \
[ "$produced_at1_after" != "$(echo \"experimental-mode on; get var proc.produced_at1\" | socat \"${tmpdir}/h4/stats\")" ] && \
[ "$produced_at2_after" != "$(echo \"experimental-mode on; get var proc.produced_at2\" | socat \"${tmpdir}/h4/stats\")" ]
}
haproxy h4 -wait
process p4 -wait
####################
# #
# FIFTH TEST CASE #
# (CLI COMMAND) #
# #
####################
# Test the "show ssl ocsp-updates" command as well as the new 'base64' parameter
# to the "show ssl ocsp-response" command.
process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
barrier b5 cond 2 -cyclic
syslog Syslog_ocsp5 -level notice {
recv
expect ~ "<OCSP-UPDATE> .*/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
recv
expect ~ "<OCSP-UPDATE> .*/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
barrier b5 sync
} -start
haproxy h5 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h5/stats" level admin
crt-base ${testdir}/ocsp_update
log ${Syslog_ocsp5_addr}:${Syslog_ocsp5_port} local0 notice notice
defaults
mode http
option httplog
log stderr local0 debug err
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-fe
bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-fe
bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
barrier b5 sync
# Use "show ssl ocsp-updates" CLI command
# We should have one line per OCSP response and each one of them should have been successfully updated once
# The command's output follows this format:
# OCSP Certid | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
haproxy h5 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*| 1 | 0 | 1 | Update successful"
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
}
# Use "show ssl ocsp-response" command to dump an OCSP response in base64
shell {
ocsp_resp_file="${tmpdir}.ocsp_resp.der"
echo "show ssl ocsp-response base64 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h5/stats" - | base64 -d > $ocsp_resp_file
if [ $? -eq 0 ]
then
ocsp_resp_txt="$(openssl ocsp -respin $ocsp_resp_file -noverify -text)"
echo "$ocsp_resp_txt" | grep "Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A" && \
echo "$ocsp_resp_txt" | grep "Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A" && \
echo "$ocsp_resp_txt" | grep "Serial Number: 1015" && \
echo "$ocsp_resp_txt" | grep "Cert Status: revoked"
else
return 1
fi
}
haproxy h5 -wait
process p5 -wait
####################
# #
# SIXTH TEST CASE #
# #
####################
# Check that a new certificate added via the CLI to a crt-list with
# the 'ocsp-update on' option will be taken into account by the OCSP
# auto update task
#
process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
barrier b6 cond 2 -cyclic
syslog Syslog_ocsp6 -level notice {
recv
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
barrier b6 sync
} -start
haproxy h6 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h6/stats" level admin
crt-base ${testdir}
log ${Syslog_ocsp6_addr}:${Syslog_ocsp6_port} local0 notice notice
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# We need to "enable" the cli with a first cli call before using it only through socats
haproxy h6 -cli {
send "show ssl cert"
expect ~ ""
}
# Create a new certificate that has an OCSP uri and add it to the
# existing CLI with the 'ocsp-update on' command.
shell {
echo "new ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" -
printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" -
echo "commit ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" -
}
barrier b6 sync
haproxy h6 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
}
haproxy h6 -wait
process p6 -wait
######################
# #
# SEVENTH TEST CASE #
# #
######################
# Check that the global "tune.ocsp-update.mode" option works and that it
# applies to certificates added via the CLI as well.
#
process p7 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
barrier b7 cond 2 -cyclic
syslog Syslog_ocsp7 -level notice {
recv
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
barrier b7 sync
recv
expect ~ "<OCSP-UPDATE> ${testdir}/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
barrier b7 sync
} -start
haproxy h7 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h7/stats" level admin
crt-base ${testdir}
ocsp-update.mode on
log ${Syslog_ocsp7_addr}:${Syslog_ocsp7_port} local0 notice notice
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
bind "${tmpdir}/ssl_h7.sock" ssl crt ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
bind "${tmpdir}/ssl_h7_2.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
barrier b7 sync
# Create a new certificate that has an OCSP uri and add it to the
# existing CLI with the 'ocsp-update on' command.
shell {
echo "new ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
printf "set ssl cert ${testdir}/server_ocsp_rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" -
echo "commit ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
# We should have ocsp-update enabled via the global option
printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" -
}
barrier b7 sync
haproxy h7 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful"
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful"
}
haproxy h7 -wait
process p7 -wait
######################
# #
# EIGHTH TEST CASE #
# #
######################
#
# Check that removing crt-list instances does not remove the OCSP responses
# from the tree but that they will not be auto updated anymore if the last
# instance is removed (via del ssl crt-list).
#
haproxy h8 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h8/stats" level admin
crt-base ${testdir}/ocsp_update
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
listen http_rebound_lst
mode http
bind "127.0.0.1:12345"
server s1 "127.0.0.1:12346"
} -start
# Check that the two certificates are taken into account in the auto update process
haproxy h8 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*"
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
}
# Remove the second line from the crt-list and check that the corresponding
# ocsp response was removed from the auto update list but is still present in the
# system
haproxy h8 -cli {
send "del ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
expect ~ "Entry.*deleted in crtlist"
send "show ssl ocsp-updates"
expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
send "show ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
expect ~ ".* Cert Status: good.*"
}
# Add the previously removed crt-list line with auto-update enabled and check that
# the ocsp response appears in the auto update list
shell {
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list"
}
haproxy h8 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
}
# Check that the auto update option consistency check work even when crt-list
# lines are added through the cli
shell {
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'"
}
haproxy h8 -wait
####################
# #
# NINTH TEST CASE #
# #
####################
#
# Check that a certificate created through the CLI and which does not have ocsp
# update enabled can be updated via "update ssl ocsp-response" command.
#
process p9 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
barrier b9 cond 2 -cyclic
syslog Syslog_ocsp9 -level notice {
recv
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/rsa.pem 1 \"Update successful\" 0 1"
barrier b9 sync
} -start
haproxy h9 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h9/stats" level admin
crt-base ${testdir}/ocsp_update
log ${Syslog_ocsp9_addr}:${Syslog_ocsp9_port} local0 notice notice
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# We need to "enable" the cli with a first cli call before using it only through socats
haproxy h9 -cli {
send "show ssl cert"
expect ~ ""
}
# Create a new certificate and add it in the crt-list with ocsp auto-update enabled
shell {
echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" -
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" -
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(base64 -w 1000 ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" -
echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" -
}
# Check that the line is in the crt-list
haproxy h9 -cli {
send "show ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list"
expect ~ "${testdir}/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar"
}
# Check that the new certificate is NOT in the auto update list
haproxy h9 -cli {
send "show ssl ocsp-updates"
expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015.*"
}
shell {
echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
}
barrier b9 sync
haproxy h9 -cli {
send "show ssl ocsp-response ${testdir}/ocsp_update/rsa.pem"
expect ~ ".* Cert Status: revoked.*"
}
haproxy h9 -wait
process p9 -wait