REGTEST: ssl: Add test for 'update ssl ocsp-response' CLI command
This patch adds tests for the newly added 'update ssl ocsp-response' CLI command.
parent
10f113ec55
commit
522841c47b
|
@ -25,13 +25,19 @@
|
|||
# reinsert them into the tree. This explains why the test's mode is set to
|
||||
# "slow".
|
||||
#
|
||||
# The fourth test case focuses on the "update ssl ocsp-response" CLI command
|
||||
# and tests two certificates that have a known OCSP response loaded during init
|
||||
# but no OCSP auto update. The only difference between the two certificates is
|
||||
# that one has a separate .issuer file while the other one has the issuer
|
||||
# certificate directly in the main .pem file.
|
||||
#
|
||||
# If this test does not work anymore:
|
||||
# - Check that you have openssl
|
||||
# - Check that you have openssl and socat
|
||||
|
||||
varnishtest "Test the OCSP auto update feature"
|
||||
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.7-dev0)'"
|
||||
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
|
||||
feature cmd "command -v openssl"
|
||||
feature cmd "command -v openssl && command -v socat"
|
||||
feature ignore_unknown_macro
|
||||
|
||||
|
||||
|
@ -231,7 +237,7 @@ shell "sleep 1"
|
|||
|
||||
# We should have a single ocsp ID known that was loaded at build time and the
|
||||
# response should be filled
|
||||
haproxy h3 -cli {
|
||||
haproxy h3 -cli {
|
||||
send "show ssl ocsp-response"
|
||||
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
||||
send "show ssl ocsp-response"
|
||||
|
@ -243,3 +249,102 @@ shell "sleep 1"
|
|||
|
||||
haproxy h3 -wait
|
||||
process p2 -wait
|
||||
|
||||
|
||||
|
||||
####################
|
||||
# #
|
||||
# FOURTH TEST CASE #
|
||||
# (CLI COMMAND) #
|
||||
# #
|
||||
####################
|
||||
|
||||
process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
|
||||
|
||||
haproxy h4 -conf {
|
||||
global
|
||||
tune.ssl.default-dh-param 2048
|
||||
tune.ssl.capture-buffer-size 1
|
||||
stats socket "${tmpdir}/h4/stats" level admin
|
||||
crt-base ${testdir}/ocsp_update
|
||||
|
||||
defaults
|
||||
mode http
|
||||
option httplog
|
||||
log stderr local0 debug err
|
||||
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
||||
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
||||
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
||||
|
||||
frontend ssl-rsa-ocsp
|
||||
bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
||||
http-request return status 200
|
||||
|
||||
frontend ssl-ecdsa-ocsp
|
||||
bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
||||
http-request return status 200
|
||||
|
||||
listen http_rebound_lst
|
||||
mode http
|
||||
option httplog
|
||||
bind "127.0.0.1:12345"
|
||||
server s1 "127.0.0.1:12346"
|
||||
} -start
|
||||
|
||||
# We need to "enable" the cli with a first cli call before using it only through socats
|
||||
haproxy h4 -cli {
|
||||
send "show ssl ocsp-response"
|
||||
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
||||
}
|
||||
|
||||
# We should have two OCSP responses loaded during init
|
||||
shell {
|
||||
responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -)
|
||||
|
||||
[ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \
|
||||
echo "$responses" | grep "Serial Number: 1016" && \
|
||||
echo "$responses" | grep "Serial Number: 1015"
|
||||
}
|
||||
|
||||
shell {
|
||||
echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: revoked"
|
||||
}
|
||||
|
||||
shell {
|
||||
echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: good"
|
||||
}
|
||||
|
||||
# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer)
|
||||
shell {
|
||||
# Store the current "Produced At" in order to ensure that after the update
|
||||
# the OCSP response actually changed
|
||||
produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At")
|
||||
# We should receive the OCSP response's details on the standard output when calling
|
||||
# 'update ssl ocsp-response'
|
||||
ocsp_response=$(echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -)
|
||||
|
||||
new_produced_at=$(echo "$ocsp_response" | grep "Produced At")
|
||||
|
||||
echo "$ocsp_response" | grep -q "Serial Number: 1015" && \
|
||||
echo "$ocsp_response" | grep -q "Cert Status: revoked" && \
|
||||
[ "$new_produced_at" != "$produced_at" ]
|
||||
}
|
||||
|
||||
# Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer)
|
||||
shell {
|
||||
# Store the current "Produced At" in order to ensure that after the update
|
||||
# the OCSP response actually changed
|
||||
produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At")
|
||||
# We should receive the OCSP response's details on the standard output when calling
|
||||
# 'update ssl ocsp-response'
|
||||
ocsp_response=$(echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -)
|
||||
|
||||
new_produced_at=$(echo "$ocsp_response" | grep "Produced At")
|
||||
|
||||
echo "$ocsp_response" | grep -q "Serial Number: 1016" && \
|
||||
echo "$ocsp_response" | grep -q "Cert Status: revoked" && \
|
||||
[ "$new_produced_at" != "$produced_at" ]
|
||||
}
|
||||
|
||||
haproxy h4 -wait
|
||||
process p3 -wait
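Review bot: In both `shell` blocks of the fourth test case, the "Produced At" comparison can pass without proving anything. `produced_at` comes from a `show ... | socat ... | grep` pipeline that leaves it empty on failure, and `[ "$new_produced_at" != "$produced_at" ]` is then true as soon as the update output contains a "Produced At" line. Guarding it, e.g. `[ -n "$produced_at" ] && [ -n "$new_produced_at" ] && [ "$new_produced_at" != "$produced_at" ]`, would make the check match its comment. The assertions also read only the output of `update ssl ocsp-response`; a follow-up `show ssl ocsp-response <id> | grep "Cert Status: revoked"` for the 1016 entry, which was "good" after init, would confirm the stored response was really replaced. Separately, the fixed ports 12345/12346 can collide with other local listeners; 12345 appears to be pinned by the OCSP URI embedded in the certificate, so a comment saying so may be the practical fix.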
|
||||
|
|
|
@ -0,0 +1,63 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEODCCAiCgAwIBAgICEBYwDQYJKoZIhvcNAQELBQAwPjELMAkGA1UEBhMCRlIx
|
||||
HTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVzMRAwDgYDVQQDDAdSb290IENB
|
||||
MCAXDTIyMTEyMzEwMzk1NloYDzIwNTAwNDEwMTAzOTU2WjBIMQswCQYDVQQGEwJG
|
||||
UjEdMBsGA1UECgwUSEFQcm94eSBUZWNobm9sb2dpZXMxGjAYBgNVBAMMEWVjZHNh
|
||||
LmhhcHJveHkuY29tMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQB5Id0dJy6Vubt
|
||||
/ICfwLOOwgvyeOHOvC/yrqU/NCBNDVZLcOXbncm8Lxzl9Rn2t0VV9pla82/Qlexu
|
||||
2jhx8LD3du8AmEn/4tkJMz85Jv4TN/eY7Tsfbqy2NtX17eBWkDA/S1v+9uw9m7UJ
|
||||
mzwHIkQHi4S+flXt2ZtQKwgmYcuFYsP6jSGjgbswgbgwMgYIKwYBBQUHAQEEJjAk
|
||||
MCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjEyMzQ1MB0GA1UdDgQWBBTS
|
||||
Tdzvp9SeMDDfWVNdLPzVCaE/oDBjBgNVHSMEXDBaoUKkQDA+MQswCQYDVQQGEwJG
|
||||
UjEdMBsGA1UECgwUSEFQcm94eSBUZWNobm9sb2dpZXMxEDAOBgNVBAMMB1Jvb3Qg
|
||||
Q0GCFB4L4lCTIAmZTjzoVXNPaWeDYX8XMA0GCSqGSIb3DQEBCwUAA4ICAQBsoRvT
|
||||
LPipFUSvGWWFphrqhri40e6GEKio2RNrHSwq6PBPd+FAjIan1yoZX3C/I/octhoq
|
||||
/jHAlCB5GQzU3R3M/gaCyDk4x3wbR52zSNzgyh464B7HwlNyC9jCeh3yB8ylUZCu
|
||||
Lc8NRTYavceUoDq2ebO8wpWX0LBd0oh7hMcQzWQrmU1B0NYVsTn65Ogcfokz2r0M
|
||||
A3YjwT8vH9i9QFx1Fxy4OYJJQmskKrwAQ+MEtyBJvck2nthZA7KNX+OxuJjOh+lW
|
||||
+WpTudaoMUd188zHFFjeM4C40uPsePlf1gpdjuTdir1sIH8GNa9XP1wEtvD6mNFU
|
||||
6KCFSuZSkBqo2iD6yYzsd1H2DSMVQL67ATP8zSMjEccDYwkO72BR3InxWDFnFEQN
|
||||
wosdBFKqqKNKkkdSW1QUsVd90Bi5pHFW0l4FaDk2SJRfzwa1Dc+LfQv9Wf+LcENW
|
||||
6HOjqcRdU1PU1evVmq5xoHRDovQGNCStfwX3eW+jnHFYqovg51g5pEPEsmQccJXj
|
||||
DMCGoQjM+4i+R0GhyJZ/Kr2Lnj5RyT6RVK8hNCx5NjJBK5z/pJK9pbPGoS9fkK8N
|
||||
iQvPgw2+Y3rcVKHUw2epz/2mEzDb4rRiSIOIeuHB4PBL41jUNPwSxkjtjkPwVMuU
|
||||
TlD6A5wDj3Sq0B4MoxWgIOyWENABvGl+VBtDNQ==
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBkWJB8IW867HHc2iB
|
||||
7J714zyea0hVD1Z/MEuEyKRZ7aekbjEQKmUfc5MLlQS0nedCqmiLuXObG/PyxxWs
|
||||
mWTeH5qhgYkDgYYABAHkh3R0nLpW5u38gJ/As47CC/J44c68L/KupT80IE0NVktw
|
||||
5dudybwvHOX1Gfa3RVX2mVrzb9CV7G7aOHHwsPd27wCYSf/i2QkzPzkm/hM395jt
|
||||
Ox9urLY21fXt4FaQMD9LW/727D2btQmbPAciRAeLhL5+Ve3Zm1ArCCZhy4Viw/qN
|
||||
IQ==
|
||||
-----END PRIVATE KEY-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIFGjCCAwKgAwIBAgIUHgviUJMgCZlOPOhVc09pZ4NhfxcwDQYJKoZIhvcNAQEL
|
||||
BQAwPjELMAkGA1UEBhMCRlIxHTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVz
|
||||
MRAwDgYDVQQDDAdSb290IENBMB4XDTIxMDQyMjE0MDEyMFoXDTQ4MDkwNzE0MDEy
|
||||
MFowPjELMAkGA1UEBhMCRlIxHTAbBgNVBAoMFEhBUHJveHkgVGVjaG5vbG9naWVz
|
||||
MRAwDgYDVQQDDAdSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
|
||||
AgEAti+5onUeFJNyF5s6xlnBxDnFhw7Q5VbBestHeQttjBWN31zq5yaf/+CYXdu+
|
||||
lY6gNZj6JBiFJ5P7VXX3DqUIJBX6byXWfIUWM+auBAMKlTz0+hWrF/UxI/3uG67N
|
||||
+Z6NVffEPYbA4Emqozr0DIicWorRyHnrhEQQP87xBCUboUr3QEkNngfiJ0fPm3fj
|
||||
7HfQemGL2OnTA8qdy0q1l4aUhVr9bgedP2Klvs0XhbszCGLI0Gq5lyNadlH1MEiw
|
||||
SXa9rklE6NCNcyamO7Wt8LVrg6pxopa7oGnkLbnjzSuE+xsN0isOLaHH5LfYg6gT
|
||||
aAHpnBHiWuDZQIyzKc+Z37gNksd46/y9B+oBZoCTcYMOsn7PK+gPzTbu3ic4L9hO
|
||||
WCsTV0tn+qUGj6/J98gRgvuvZGA7NPDKNZU5p34oyApBPBUOgpn6pCuT5NlkPYAe
|
||||
Rp/ypiy5NCHp0JW3JWkJ4+wEasZM34TZUYrOsicA0GV4ZVkoQ3WYyAjmLvRXmo/w
|
||||
Z3sSlmHvCg9MrQ9pk24+OtvCbii0bb/Zmlx0Y4lU5TogcuJffJDVbj7oxTc2gRmI
|
||||
SIZsnYLv2qVoeBoMY5otj+ef0Y8v98mKCbiWe2MzBkC2h5wmwyWedez8RysTaFHS
|
||||
Z4yOYoCsEAtCxnib9d5fXf0+6aOuFtKMknkuWbYj6En647ECAwEAAaMQMA4wDAYD
|
||||
VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAjVzxHzq/87uj24It5hYj4mq4
|
||||
ero0zix4fA4tJNuTpZ/5r7GUYaf/uT4xfDilBX2fGMsxVTxJC25KzhdFeTzg1Tde
|
||||
/N0LAeLWHfe6jR/P5XDATD0ZA73DQALOxRM5uRMeWJDVaUeco/aXsdQaCz2STDI3
|
||||
h7VVFoaOlmxQW3BBEvg2VUp9DS2UjqqdwsUDtzwKfrmj/FqyBvGrvNeIMv28HCu7
|
||||
r1WE1Z0UEJhpc1BPbu7F/vl60gRF3bQjh2tL8pWThxTJe6Qy+pLoSShyi85AM9XK
|
||||
scCmUtQWjy7KQDL8XVFvuCWvMzknZQjJcncbKddPaaSIDkKUpz9FDv+wSJj/LKf7
|
||||
bGSFPM6sblioLbLNJByRYI8G7VHvKDbUnYHbHp75NTGA2eDeNqx5bC2G/EJUTwLM
|
||||
bfcZr9hv+z1QpvSLEpar30kJjc1QMQcf60ToGYIC93rsVAKou2GPGry4h/nzwro0
|
||||
jjFWNgORTXllfcQDbDNOPkV1kFFibPbAU4faZMgC+xwIwDBsndvcvXjLaRUa4fmw
|
||||
1xNkOO5Lj9AuvTXdCc9yUXRzmPZhU6Q4YB2daWvs3vbMTtvkAXGyQL4b2HD+NYZs
|
||||
cMUtbteGgQzwM1gpMBn4GX53vhlCXq28r3cH1/1tLDweglSrxyvZbB7pZU7BAmLk
|
||||
TEj2fXcvdcX+TtYhC10=
|
||||
-----END CERTIFICATE-----
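Review bot: This new fixture carries an unencrypted EC private key next to its certificate and the root CA, and nothing on the page marks it as test-only. The leaf certificate appears to be issued for ecdsa.haproxy.com with a validity running to 2050, so secret scanners will flag it and a copy found outside the test tree could be mistaken for real key material. A line in the test's header comment, e.g. `# Keys under ocsp_update/ are throwaway test fixtures and must never be deployed`, plus a scanner allowlist entry for the path, would document the intent. The file name is not visible here; it is presumably the `server_ocsp_ecdsa.pem` referenced by the new test case.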
|
Binary file not shown.