REGTEST: ssl: improve the "set ssl cert" test

Improve the test by removing the curl command and using the same proxy
chaining technique as in commit 3ed722f ("REGTEST: ssl: remove curl from
the "add ssl crt-list" test").

A 3rd request was added which must fail, to ensure that the SNI was
effectively removed from HAProxy.

This patch also adds timeouts in the default section, logs on stderr and
fix some indentation issues.
This commit is contained in:
William Lallemand 2020-04-30 10:19:40 +02:00
parent 3ed722f03c
commit a911548715

View File

@ -1,30 +1,55 @@
#REGTEST_TYPE=devel
# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
# It requires socat and curl to upload and validate that the certificate was well updated
# It requires socat to upload the certificate
#
# this check does 3 requests, the first one will use "www.test1.com" as SNI,
# the second one with the same but that must fail and the third one will use
# "localhost". Since vtest can't do SSL, we use haproxy as an SSL client with 2
# chained listen section.
#
# If this test does not work anymore:
# - Check that you have socat and curl
# - Check that the curl -v option still return the SSL CN
# - Check that you have socat
varnishtest "Test the 'set ssl cert' feature of the CLI"
#REQUIRE_VERSION=2.2
#REQUIRE_OPTIONS=OPENSSL
#REQUIRE_BINARIES=socat,curl
#REQUIRE_BINARIES=socat
feature ignore_unknown_macro
server s1 -repeat 3 {
rxreq
txresp
} -start
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
stats socket "${tmpdir}/h1/stats" level admin
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
stats socket "${tmpdir}/h1/stats" level admin
listen frt
mode http
${no-htx} option http-use-htx
bind "fd@${frt}" ssl crt ${testdir}/common.pem
http-request redirect location /
defaults
mode http
option httplog
${no-htx} option http-use-htx
log stderr local0 debug err
option logasap
timeout connect 100ms
timeout client 1s
timeout server 1s
listen clear-lst
bind "fd@${clearlst}"
balance roundrobin
retries 0 # 2nd SSL connection must fail so skip the retry
server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
server s1 ${s1_addr}:${s1_port}
} -start
@ -33,17 +58,15 @@ haproxy h1 -cli {
expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
}
shell {
HOST=${h1_frt_addr}
if [ "${h1_frt_addr}" = "::1" ] ; then
HOST="\[::1\]"
fi
curl -v -i -k https://$HOST:${h1_frt_port} 2>&1 | grep CN=www.test1.com
}
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
} -run
shell {
printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
@ -51,10 +74,15 @@ haproxy h1 -cli {
expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}
shell {
HOST=${h1_frt_addr}
if [ "${h1_frt_addr}" = "::1" ] ; then
HOST="\[::1\]"
fi
curl -v -i -k https://$HOST:${h1_frt_port} 2>&1 | grep CN=localhost
}
# check that the "www.test1.com" SNI was removed
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 503
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
} -run