mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-23 13:17:16 +00:00
REGTEST: ssl/cli: test the 'add ssl crt-list' command
Test the 'add ssl crt-list' feature by inserting the ecdsa.pem certificate and verifying with curl and strict-sni that it works.
This commit is contained in:
parent
e67c80be7f
commit
2be4a2e02d
68
reg-tests/ssl/add_ssl_crt-list.vtc
Normal file
68
reg-tests/ssl/add_ssl_crt-list.vtc
Normal file
@ -0,0 +1,68 @@
|
||||
#REGTEST_TYPE=slow
|
||||
|
||||
# This reg-test uses the "add ssl crt-list" command to add a certificate over the CLI.
|
||||
# It requires socat and curl to upload and validate that the certificate was well updated
|
||||
|
||||
# If this test does not work anymore:
|
||||
# - Check that you have socat and curl
|
||||
# - Check if haproxy and curl use the same ciphers
|
||||
|
||||
varnishtest "Test the 'add ssl crt-list' feature of the CLI"
|
||||
#REQUIRE_VERSION=2.2
|
||||
#REQUIRE_OPTIONS=OPENSSL
|
||||
#REQUIRE_BINARIES=socat,curl
|
||||
feature ignore_unknown_macro
|
||||
|
||||
|
||||
haproxy h1 -conf {
|
||||
global
|
||||
tune.ssl.default-dh-param 2048
|
||||
tune.ssl.capture-cipherlist-size 1
|
||||
crt-base ${testdir}
|
||||
stats socket "${tmpdir}/h1/stats" level admin
|
||||
|
||||
listen frt
|
||||
mode http
|
||||
${no-htx} option http-use-htx
|
||||
bind "fd@${frt}" ssl strict-sni crt-list ${testdir}/localhost.crt-list
|
||||
http-request redirect location /
|
||||
} -start
|
||||
|
||||
|
||||
haproxy h1 -cli {
|
||||
send "show ssl cert ${testdir}/common.pem"
|
||||
expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
|
||||
}
|
||||
|
||||
shell {
|
||||
HOST=${h1_frt_addr}
|
||||
if [ "${h1_frt_addr}" = "::1" ] ; then
|
||||
HOST="\[::1\]"
|
||||
fi
|
||||
curl -v -i -k --resolve www.test1.com:${h1_frt_port}:${h1_frt_addr} https://www.test1.com:${h1_frt_port}
|
||||
}
|
||||
|
||||
shell {
|
||||
echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
|
||||
printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
||||
echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
|
||||
echo "add ssl crt-list ${testdir}/localhost.crt-list ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
|
||||
}
|
||||
|
||||
haproxy h1 -cli {
|
||||
send "show ssl cert ${testdir}/ecdsa.pem"
|
||||
expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
|
||||
}
|
||||
|
||||
haproxy h1 -cli {
|
||||
send "show ssl crt-list ${testdir}/localhost.crt-list"
|
||||
expect ~ ".*${testdir}/ecdsa.pem"
|
||||
}
|
||||
|
||||
shell {
|
||||
HOST=${h1_frt_addr}
|
||||
if [ "${h1_frt_addr}" = "::1" ] ; then
|
||||
HOST="\[::1\]"
|
||||
fi
|
||||
curl -v -i -k --resolve localhost:${h1_frt_port}:${h1_frt_addr} https://localhost:${h1_frt_port}
|
||||
}
|
1
reg-tests/ssl/localhost.crt-list
Normal file
1
reg-tests/ssl/localhost.crt-list
Normal file
@ -0,0 +1 @@
|
||||
common.pem !not.test1.com *.test1.com !localhost
|
Loading…
Reference in New Issue
Block a user