REGTEST: ssl/cli: test the 'add ssl crt-list' command

Test the 'add ssl crt-list' feature by inserting the ecdsa.pem certificate and verifying with curl and strict-sni that it works.
2020-03-31 12:13:34 +02:00 · 2020-03-31 12:13:34 +02:00 · 2be4a2e02d
parent e67c80be7f
commit 2be4a2e02d
2 changed files with 69 additions and 0 deletions
--- a/reg-tests/ssl/add_ssl_crt-list.vtc
+++ b/reg-tests/ssl/add_ssl_crt-list.vtc
@ -0,0 +1,68 @@
+#REGTEST_TYPE=slow
+
+# This reg-test uses the "add ssl crt-list" command to add a certificate over the CLI.
+# It requires socat and curl to upload and validate that the certificate was well updated
+
+# If this test does not work anymore:
+# - Check that you have socat and curl
+# - Check if haproxy and curl use the same ciphers
+
+varnishtest "Test the 'add ssl crt-list' feature of the CLI"
+#REQUIRE_VERSION=2.2
+#REQUIRE_OPTIONS=OPENSSL
+#REQUIRE_BINARIES=socat,curl
+feature ignore_unknown_macro
+
+
+haproxy h1 -conf {
+  global
+    tune.ssl.default-dh-param 2048
+    tune.ssl.capture-cipherlist-size 1
+    crt-base ${testdir}
+    stats socket "${tmpdir}/h1/stats" level admin
+
+  listen frt
+    mode http
+    ${no-htx} option http-use-htx
+    bind "fd@${frt}" ssl strict-sni crt-list ${testdir}/localhost.crt-list
+    http-request redirect location /
+} -start
+
+
+haproxy h1 -cli {
+    send "show ssl cert ${testdir}/common.pem"
+    expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
+}
+
+shell {
+    HOST=${h1_frt_addr}
+    if [ "${h1_frt_addr}" = "::1" ] ; then
+        HOST="\[::1\]"
+    fi
+    curl -v -i -k --resolve www.test1.com:${h1_frt_port}:${h1_frt_addr} https://www.test1.com:${h1_frt_port}
+}
+
+shell {
+   echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+   printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+   echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+   echo "add ssl crt-list ${testdir}/localhost.crt-list ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+}
+
+haproxy h1 -cli {
+    send "show ssl cert ${testdir}/ecdsa.pem"
+    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
+}
+
+haproxy h1 -cli {
+    send "show ssl crt-list ${testdir}/localhost.crt-list"
+    expect ~ ".*${testdir}/ecdsa.pem"
+}
+
+shell {
+    HOST=${h1_frt_addr}
+    if [ "${h1_frt_addr}" = "::1" ] ; then
+        HOST="\[::1\]"
+    fi
+    curl -v -i -k --resolve localhost:${h1_frt_port}:${h1_frt_addr} https://localhost:${h1_frt_port}
+}
--- a/reg-tests/ssl/localhost.crt-list
+++ b/reg-tests/ssl/localhost.crt-list
@ -0,0 +1 @@
+common.pem !not.test1.com *.test1.com !localhost
				`@ -0,0 +1 @@`
				`common.pem !not.test1.com *.test1.com !localhost`