REGTESTS: ssl: Add "show ssl ocsp-response" test
This file adds tests for the new "show ssl ocsp-response" command and the new "show ssl cert foo.pem.ocsp" and "show ssl cert *foo.pem.ocsp" special cases. They are all used to display information about an OCSP response, committed or not.
parent
6056e61ae2
commit
2a77c62c18
|
@ -0,0 +1,119 @@
|
|||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 4111 (0x100f)
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: C=FR, O=HAProxy Technologies, CN=Root CA
|
||||
Validity
|
||||
Not Before: Jun 10 08:54:19 2021 GMT
|
||||
Not After : Oct 26 08:54:19 2048 GMT
|
||||
Subject: C=FR, O=HAProxy Technologies, CN=Server Certificate
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public-Key: (2048 bit)
|
||||
Modulus:
|
||||
00:e9:88:7e:5e:ec:81:d0:f7:2b:9b:c9:5d:81:ea:
|
||||
9c:ff:61:2f:4b:a2:ad:08:4d:44:7c:65:fa:ab:3a:
|
||||
f2:be:63:ac:34:5c:c4:05:35:be:d4:79:af:a5:fc:
|
||||
9e:92:10:75:b1:4d:70:d6:82:a3:7e:7e:b0:e6:2c:
|
||||
ba:ec:1b:e9:7f:55:f3:98:6e:d5:b2:00:37:05:76:
|
||||
df:28:be:3e:89:52:ec:47:58:45:7a:dd:7d:89:ae:
|
||||
7f:43:d6:a5:ce:f6:8d:8d:32:fe:33:dc:16:15:01:
|
||||
82:23:d1:77:12:75:a2:e2:2a:08:eb:cd:32:1e:5b:
|
||||
54:12:68:83:21:3a:6e:07:f5:99:f4:e7:79:eb:f7:
|
||||
d0:d9:71:f2:1d:79:08:a2:63:df:ab:59:f3:ac:33:
|
||||
18:d6:0a:9c:48:0b:9a:b0:ae:79:7b:8e:5a:1d:d2:
|
||||
fc:5c:6c:a5:d5:61:88:e8:50:c2:0f:f2:5b:0d:0c:
|
||||
82:18:c8:a1:98:19:8a:fc:28:c6:27:e7:94:de:3d:
|
||||
13:44:16:12:9e:e1:a8:b0:17:a1:4d:14:84:3e:44:
|
||||
bc:76:5d:cd:4e:67:9c:e6:69:0b:5a:fe:cf:08:bb:
|
||||
6d:0b:be:d6:8e:5d:c6:fc:53:e2:ab:34:28:2f:ef:
|
||||
03:5a:c4:ad:b7:e8:4e:1c:89:67:78:f5:a4:41:fd:
|
||||
80:f3
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
Authority Information Access:
|
||||
OCSP - URI:http://ocsp.haproxy.com
|
||||
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
14:c3:1a:2c:37:d4:91:74:10:be:eb:f3:1e:f3:da:cf:ed:0d:
|
||||
b1:37:8e:e8:0c:44:cb:28:ce:4b:5c:ed:02:35:13:55:e1:34:
|
||||
93:aa:7d:91:fa:4c:a7:31:09:6a:23:b7:0a:d3:37:70:dd:48:
|
||||
9c:b6:af:31:d7:28:c1:cf:7d:44:f0:d5:ac:58:56:74:40:48:
|
||||
a6:21:85:ea:bf:38:52:fc:8e:16:7c:4d:79:d3:b4:18:11:90:
|
||||
95:a7:f4:b6:5f:91:dc:3e:bd:e7:58:96:ff:c2:d2:59:20:ed:
|
||||
4e:de:e5:92:c9:a6:5a:37:a1:fd:00:cb:13:51:ef:ce:98:c8:
|
||||
01:b5:a1:9a:74:63:a0:da:dc:39:1e:08:8b:60:04:7f:96:c8:
|
||||
02:cd:cc:dc:04:a4:4c:84:8f:a1:30:49:99:e1:6c:0c:39:65:
|
||||
2c:03:f8:60:46:cb:28:42:6a:c4:b0:bb:7f:be:67:de:1e:55:
|
||||
10:2a:55:1f:58:d4:fc:b0:74:9e:11:95:0b:c0:cc:f6:fc:6d:
|
||||
ce:25:17:48:dc:30:5e:b3:29:44:10:11:2d:47:2d:06:81:21:
|
||||
51:55:4a:4d:72:79:49:ad:29:77:64:92:e7:4e:c9:4f:4c:25:
|
||||
4d:24:3c:49:07:af:53:74:b5:14:05:e2:f2:fc:ba:d7:a0:db:
|
||||
e4:e4:38:74:fe:f0:34:98:78:f4:2c:68:2d:a6:1e:2d:16:d6:
|
||||
2b:1d:95:3c:ac:9d:16:6a:7e:d4:cd:0c:94:2b:f4:94:1c:ef:
|
||||
3b:23:13:78:14:ea:ea:2f:08:f4:ed:21:3d:50:77:4b:50:fe:
|
||||
db:47:19:d1:36:92:7d:7e:e3:18:40:1d:65:0e:fe:95:4f:54:
|
||||
60:15:16:57:72:06:93:03:ee:8c:89:4e:7b:0b:13:a5:ef:52:
|
||||
c9:53:8d:77:b4:7f:11:f8:03:f1:ce:a0:f8:33:06:89:44:7b:
|
||||
f7:14:4a:51:ba:0e:35:88:ea:69:44:bd:3f:76:78:23:86:79:
|
||||
13:00:40:1a:d0:69:42:41:72:e6:81:a7:b2:11:25:37:73:15:
|
||||
89:a7:36:5d:75:3c:e9:1b:dc:ea:8c:98:6e:24:f9:98:e1:62:
|
||||
d6:12:34:a4:c1:bc:08:fd:4d:86:8e:43:a9:9a:36:26:ba:f5:
|
||||
ab:13:9c:08:09:8d:bf:13:84:a0:5f:52:78:fc:1d:11:0c:d6:
|
||||
e1:a3:0c:ce:4d:21:79:90:2a:bb:04:03:d9:76:71:81:36:2a:
|
||||
1c:56:79:e7:32:03:d8:41:cc:73:e5:6e:45:4e:2d:c9:b0:cc:
|
||||
70:6b:47:93:6b:00:d0:6d:94:5f:db:e1:d5:dd:73:11:9f:b7:
|
||||
c1:75:50:43:17:b5:e6:51
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEOjCCAiKgAwIBAgICEA8wDQYJKoZIhvcNAQELBQAwPjELMAkGA1UEBhMCRlIx
|
||||
HTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVzMRAwDgYDVQQDDAdSb290IENB
|
||||
MB4XDTIxMDYxMDA4NTQxOVoXDTQ4MTAyNjA4NTQxOVowSTELMAkGA1UEBhMCRlIx
|
||||
HTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVzMRswGQYDVQQDDBJTZXJ2ZXIg
|
||||
Q2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpiH5e
|
||||
7IHQ9yubyV2B6pz/YS9Loq0ITUR8ZfqrOvK+Y6w0XMQFNb7Uea+l/J6SEHWxTXDW
|
||||
gqN+frDmLLrsG+l/VfOYbtWyADcFdt8ovj6JUuxHWEV63X2Jrn9D1qXO9o2NMv4z
|
||||
3BYVAYIj0XcSdaLiKgjrzTIeW1QSaIMhOm4H9Zn053nr99DZcfIdeQiiY9+rWfOs
|
||||
MxjWCpxIC5qwrnl7jlod0vxcbKXVYYjoUMIP8lsNDIIYyKGYGYr8KMYn55TePRNE
|
||||
FhKe4aiwF6FNFIQ+RLx2Xc1OZ5zmaQta/s8Iu20LvtaOXcb8U+KrNCgv7wNaxK23
|
||||
6E4ciWd49aRB/YDzAgMBAAGjNzA1MDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcw
|
||||
AYYXaHR0cDovL29jc3AuaGFwcm94eS5jb20wDQYJKoZIhvcNAQELBQADggIBABTD
|
||||
Giw31JF0EL7r8x7z2s/tDbE3jugMRMsozktc7QI1E1XhNJOqfZH6TKcxCWojtwrT
|
||||
N3DdSJy2rzHXKMHPfUTw1axYVnRASKYhheq/OFL8jhZ8TXnTtBgRkJWn9LZfkdw+
|
||||
vedYlv/C0lkg7U7e5ZLJplo3of0AyxNR786YyAG1oZp0Y6Da3DkeCItgBH+WyALN
|
||||
zNwEpEyEj6EwSZnhbAw5ZSwD+GBGyyhCasSwu3++Z94eVRAqVR9Y1PywdJ4RlQvA
|
||||
zPb8bc4lF0jcMF6zKUQQES1HLQaBIVFVSk1yeUmtKXdkkudOyU9MJU0kPEkHr1N0
|
||||
tRQF4vL8uteg2+TkOHT+8DSYePQsaC2mHi0W1isdlTysnRZqftTNDJQr9JQc7zsj
|
||||
E3gU6uovCPTtIT1Qd0tQ/ttHGdE2kn1+4xhAHWUO/pVPVGAVFldyBpMD7oyJTnsL
|
||||
E6XvUslTjXe0fxH4A/HOoPgzBolEe/cUSlG6DjWI6mlEvT92eCOGeRMAQBrQaUJB
|
||||
cuaBp7IRJTdzFYmnNl11POkb3OqMmG4k+ZjhYtYSNKTBvAj9TYaOQ6maNia69asT
|
||||
nAgJjb8ThKBfUnj8HREM1uGjDM5NIXmQKrsEA9l2cYE2KhxWeecyA9hBzHPlbkVO
|
||||
LcmwzHBrR5NrANBtlF/b4dXdcxGft8F1UEMXteZR
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpQIBAAKCAQEA6Yh+XuyB0Pcrm8ldgeqc/2EvS6KtCE1EfGX6qzryvmOsNFzE
|
||||
BTW+1HmvpfyekhB1sU1w1oKjfn6w5iy67Bvpf1XzmG7VsgA3BXbfKL4+iVLsR1hF
|
||||
et19ia5/Q9alzvaNjTL+M9wWFQGCI9F3EnWi4ioI680yHltUEmiDITpuB/WZ9Od5
|
||||
6/fQ2XHyHXkIomPfq1nzrDMY1gqcSAuasK55e45aHdL8XGyl1WGI6FDCD/JbDQyC
|
||||
GMihmBmK/CjGJ+eU3j0TRBYSnuGosBehTRSEPkS8dl3NTmec5mkLWv7PCLttC77W
|
||||
jl3G/FPiqzQoL+8DWsStt+hOHIlnePWkQf2A8wIDAQABAoIBAQDktypU2zrUpo6O
|
||||
F6u9xkIWl17Tq7HddJdDYjkbJDODJWkNK2FLXPTVcYwGe5/tm7M4f4iofe+Tvo6Q
|
||||
D3TOMxP/AvX872fY2f8JGf+7Dn9+zLjdsuTxTSVbB4xaq0lepffCNxPhRIZX8k87
|
||||
tzTv3kg1SkfMcP3J31Y6ZSMwEuKaZR9bkIT2MlLw89Qrg/o1Z1Yuu4CoJhgJ9x4Q
|
||||
smJmu6uu152i0tqQDK76nHfTgK6GTyHQpP/njXZ3gD/4vTOKsZPoXEtM9gq1Ihqm
|
||||
c7Pcy71q9nOBWfG3KUVhIlOahyVPewAFG7vNsPWVE0mN3FhCIEUPPLNnvAydSPaV
|
||||
vbwohs4BAoGBAPqXF6cTKWIfHTn4TrcOcKslKEzVSgJabZeYw1kTRsSLCsvV3ojx
|
||||
txW4A8FM+EVwX+K6FmpAxN9aKERVv1Ez3xvjmZf6czgREd8F2X2j6SwkcSwVZaxz
|
||||
FCl81jz6r/9CGP6Wbq0uVKGhEdNYddhc3RvR8oWwnMEgwIkOvfnpCevzAoGBAO6T
|
||||
IljTIzsZmLLFdhvS49C4bQ71vQbEnybqHENZcPdjrgbwRDLjQ4ZEGLm/O1zmKVZh
|
||||
C5rRqd/fWVtzMPmZJr0aNeVN3dYob/1SS6ixu/D55jRII6RtkTrm8bmOlUXIx3BB
|
||||
sgDOhG61U4LJ8n4Utcgv4go1feRNQkIo5qXkLFcBAoGALB0HE+liopxZl8fni4Am
|
||||
Q2qiIox1n95tZn+E/BxRm+3iM6ntp+vtUAx51MCJAChdKNubcI8AWVVUu1rg+BmK
|
||||
kC1L754uRFN08u7jr6N4O8YaiikmIeqMRRVt3YRAEU6AeejfiOscCOwC6FKtRC5s
|
||||
2iXmbLR/k9wBKN+IgAMPNRMCgYEA44MIxDBFbrzQM9u+8HXCr27RAe0y4Fttcszb
|
||||
Oxb2ddVnRlKmlujHoikaczh8wfD0Bt3xFSlQmKAENQO69qwolzmBoDULkolpkuiC
|
||||
IlOsaPfHoqAQ7WNXlhZa+puQmsYH+3OK7t4CyRi+lQFE8RuK52dSZm3wqmFLCJC8
|
||||
tALOjgECgYEAjREmEh/o/moOfIp8x18GYkYkJCv3+/UwMD8kJUu3KtXhER6Kgi2t
|
||||
GgqGV7nHm+sZjck+tcWdT7s+SJWQ2t8QkOf9xavy6mhG6ptJT7xoXSCxAUzNjLQZ
|
||||
WpoLVecRfaiAwj9DbbVWhjy8RDkyAHcHveVSIH40I7K0oTbNPqyJk6U=
|
||||
-----END RSA PRIVATE KEY-----
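Review bot: The RSA private key committed in this fixture carries no marker saying it is a throwaway test key, and the certificate it belongs to (serial 0x100f, CN=Server Certificate) stays valid until 2048. The file already holds free text ahead of the PEM armor, so a first line such as `# Test-only key pair for the OCSP reg-tests; never deploy or trust it outside the test suite` should be skipped by the loader in the same way, which is worth confirming with a test run. Secret scanners will flag this file, and an allow-list entry scoped to this one fixture is preferable to a broad exclusion of the test directory.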
|
|
@ -0,0 +1,30 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFGjCCAwKgAwIBAgIUHgviUJMgCZlOPOhVc09pZ4NhfxcwDQYJKoZIhvcNAQEL
|
||||
BQAwPjELMAkGA1UEBhMCRlIxHTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVz
|
||||
MRAwDgYDVQQDDAdSb290IENBMB4XDTIxMDQyMjE0MDEyMFoXDTQ4MDkwNzE0MDEy
|
||||
MFowPjELMAkGA1UEBhMCRlIxHTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVz
|
||||
MRAwDgYDVQQDDAdSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
|
||||
AgEAti+5onUeFJNyF5s6xlnBxDnFhw7Q5VbBestHeQttjBWN31zq5yaf/+CYXdu+
|
||||
lY6gNZj6JBiFJ5P7VXX3DqUIJBX6byXWfIUWM+auBAMKlTz0+hWrF/UxI/3uG67N
|
||||
+Z6NVffEPYbA4Emqozr0DIicWorRyHnrhEQQP87xBCUboUr3QEkNngfiJ0fPm3fj
|
||||
7HfQemGL2OnTA8qdy0q1l4aUhVr9bgedP2Klvs0XhbszCGLI0Gq5lyNadlH1MEiw
|
||||
SXa9rklE6NCNcyamO7Wt8LVrg6pxopa7oGnkLbnjzSuE+xsN0isOLaHH5LfYg6gT
|
||||
aAHpnBHiWuDZQIyzKc+Z37gNksd46/y9B+oBZoCTcYMOsn7PK+gPzTbu3ic4L9hO
|
||||
WCsTV0tn+qUGj6/J98gRgvuvZGA7NPDKNZU5p34oyApBPBUOgpn6pCuT5NlkPYAe
|
||||
Rp/ypiy5NCHp0JW3JWkJ4+wEasZM34TZUYrOsicA0GV4ZVkoQ3WYyAjmLvRXmo/w
|
||||
Z3sSlmHvCg9MrQ9pk24+OtvCbii0bb/Zmlx0Y4lU5TogcuJffJDVbj7oxTc2gRmI
|
||||
SIZsnYLv2qVoeBoMY5otj+ef0Y8v98mKCbiWe2MzBkC2h5wmwyWedez8RysTaFHS
|
||||
Z4yOYoCsEAtCxnib9d5fXf0+6aOuFtKMknkuWbYj6En647ECAwEAAaMQMA4wDAYD
|
||||
VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAjVzxHzq/87uj24It5hYj4mq4
|
||||
ero0zix4fA4tJNuTpZ/5r7GUYaf/uT4xfDilBX2fGMsxVTxJC25KzhdFeTzg1Tde
|
||||
/N0LAeLWHfe6jR/P5XDATD0ZA73DQALOxRM5uRMeWJDVaUeco/aXsdQaCz2STDI3
|
||||
h7VVFoaOlmxQW3BBEvg2VUp9DS2UjqqdwsUDtzwKfrmj/FqyBvGrvNeIMv28HCu7
|
||||
r1WE1Z0UEJhpc1BPbu7F/vl60gRF3bQjh2tL8pWThxTJe6Qy+pLoSShyi85AM9XK
|
||||
scCmUtQWjy7KQDL8XVFvuCWvMzknZQjJcncbKddPaaSIDkKUpz9FDv+wSJj/LKf7
|
||||
bGSFPM6sblioLbLNJByRYI8G7VHvKDbUnYHbHp75NTGA2eDeNqx5bC2G/EJUTwLM
|
||||
bfcZr9hv+z1QpvSLEpar30kJjc1QMQcf60ToGYIC93rsVAKou2GPGry4h/nzwro0
|
||||
jjFWNgORTXllfcQDbDNOPkV1kFFibPbAU4faZMgC+xwIwDBsndvcvXjLaRUa4fmw
|
||||
1xNkOO5Lj9AuvTXdCc9yUXRzmPZhU6Q4YB2daWvs3vbMTtvkAXGyQL4b2HD+NYZs
|
||||
cMUtbteGgQzwM1gpMBn4GX53vhlCXq28r3cH1/1tLDweglSrxyvZbB7pZU7BAmLk
|
||||
TEj2fXcvdcX+TtYhC10=
|
||||
-----END CERTIFICATE-----
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,133 @@
|
|||
#REGTEST_TYPE=devel
|
||||
|
||||
# This reg-test uses the "show ssl ocsp-response" command to display the details
|
||||
# of the OCSP responses used by HAProxy.
|
||||
# It also uses the new special cases of the "show ssl cert" command, where an OCSP
|
||||
# extension is provided to the certificate name (with or without preceding * for an
|
||||
# ongoing transaction).
|
||||
#
|
||||
# It uses the show_ocsp_server.pem server certificate, signed off by set_cafile_rootCA.crt,
|
||||
# which has two OCSP responses, show_ocsp_server.pem.ocsp which is loaded by default and in
|
||||
# which it is valid, and show_ocsp_server.pem.ocsp.revoked in which it is revoked.
|
||||
# The OSCP response is updated through the two means available in the CLI, the
|
||||
# "set ssl ocsp-response" command and the update through a "set ssl cert foo.ocsp".
|
||||
#
|
||||
# It requires socat to upload the new OCSP responses.
|
||||
#
|
||||
# If this test does not work anymore:
|
||||
# - Check that you have socat
|
||||
|
||||
varnishtest "Test the 'show ssl ocsp-response' and 'show ssl cert foo.pem.ocsp' features of the CLI"
|
||||
#REQUIRE_VERSION=2.5
|
||||
#REQUIRE_OPTIONS=OPENSSL
|
||||
#REQUIRE_BINARIES=socat
|
||||
feature ignore_unknown_macro
|
||||
|
||||
haproxy h1 -conf {
|
||||
global
|
||||
tune.ssl.default-dh-param 2048
|
||||
tune.ssl.capture-cipherlist-size 1
|
||||
stats socket "${tmpdir}/h1/stats" level admin
|
||||
|
||||
defaults
|
||||
mode http
|
||||
option httplog
|
||||
log stderr local0 debug err
|
||||
option logasap
|
||||
timeout connect 100ms
|
||||
timeout client 1s
|
||||
timeout server 1s
|
||||
|
||||
listen clear-lst
|
||||
bind "fd@${clearlst}"
|
||||
server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/set_cafile_rootCA.crt verify none
|
||||
|
||||
listen ssl-lst
|
||||
# crt: certificate of the server
|
||||
# ca-file: CA used for client authentication request
|
||||
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/show_ocsp_server.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
||||
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
|
||||
server s1 ${s1_addr}:${s1_port}
|
||||
} -start
|
||||
|
||||
|
||||
# Test the "show ssl ocsp-response" command
|
||||
haproxy h1 -cli {
|
||||
send "show ssl ocsp-response"
|
||||
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
||||
|
||||
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
||||
expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
|
||||
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
||||
expect ~ "Cert Status: good"
|
||||
}
|
||||
|
||||
# Test the "show ssl cert foo.pem.ocsp" command
|
||||
haproxy h1 -cli {
|
||||
send "show ssl cert"
|
||||
expect ~ ".*show_ocsp_server.pem"
|
||||
|
||||
send "show ssl cert ${testdir}/show_ocsp_server.pem"
|
||||
expect ~ "Serial: 100F"
|
||||
send "show ssl cert ${testdir}/show_ocsp_server.pem"
|
||||
expect ~ "OCSP Response Key: 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
||||
|
||||
send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
|
||||
expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
|
||||
send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
|
||||
expect ~ "Cert Status: good"
|
||||
}
|
||||
|
||||
|
||||
# Change the server certificate's OCSP response through "set ssl ocsp-response"
|
||||
shell {
|
||||
printf "set ssl ocsp-response <<\n$(base64 ${testdir}/show_ocsp_server.pem.ocsp.revoked)\n\n" | socat "${tmpdir}/h1/stats" -
|
||||
}
|
||||
|
||||
# Check that the change was taken into account
|
||||
haproxy h1 -cli {
|
||||
send "show ssl ocsp-response"
|
||||
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
||||
|
||||
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
||||
expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
|
||||
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
||||
expect ~ "Cert Status: revoked"
|
||||
|
||||
send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
|
||||
expect ~ "Cert Status: revoked"
|
||||
}
|
||||
|
||||
|
||||
# Change the server certificate's OCSP response through a transaction
|
||||
shell {
|
||||
printf "set ssl cert ${testdir}/show_ocsp_server.pem <<\n$(cat ${testdir}/show_ocsp_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
||||
printf "set ssl cert ${testdir}/show_ocsp_server.pem.ocsp <<\n$(base64 ${testdir}/show_ocsp_server.pem.ocsp)\n\n" | socat "${tmpdir}/h1/stats" -
|
||||
}
|
||||
|
||||
|
||||
# Check that the actual tree entry was not changed and that the uncommitted
|
||||
# transaction's OCSP response is the new one
|
||||
haproxy h1 -cli {
|
||||
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
||||
expect ~ "Cert Status: revoked"
|
||||
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
||||
expect ~ "This Update: Jun 10 08:57:45 2021 GMT"
|
||||
|
||||
send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp"
|
||||
expect ~ "Cert Status: good"
|
||||
send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp"
|
||||
expect ~ "This Update: Jun 10 08:55:04 2021 GMT"
|
||||
}
|
||||
|
||||
|
||||
# Commit the transaction and check that it was taken into account
|
||||
haproxy h1 -cli {
|
||||
send "commit ssl cert ${testdir}/show_ocsp_server.pem"
|
||||
expect ~ "Success!"
|
||||
|
||||
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
||||
expect ~ "Cert Status: good"
|
||||
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
||||
expect ~ "This Update: Jun 10 08:55:04 2021 GMT"
|
||||
}
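Review bot: Every `send`/`expect` pair in this test exercises a success path. Nothing checks how `show ssl ocsp-response` reacts to a certificate ID that is unknown, not hexadecimal, or of the wrong length, even though that argument comes straight from the CLI. A case such as `send "show ssl ocsp-response <unknown-or-malformed-id>"` followed by an `expect` on the error text the CLI actually returns would pin that behaviour, and the same applies to `show ssl cert` on a `.ocsp` name that has no response loaded. Separately, the header comment spells OCSP as "OSCP" once, and its troubleshooting list names only socat. The two `.ocsp` fixtures are binary and not viewable here, so a comment line saying how they were generated and whether they carry an expiry would help whoever has to regenerate them.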
|