mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-23 13:17:16 +00:00
REGTEST: ssl: improve the "set ssl cert" test
Improve the test by removing the curl command and using the same proxy
chaining technique as in commit 3ed722f
("REGTEST: ssl: remove curl from
the "add ssl crt-list" test").
A 3rd request was added which must fail, to ensure that the SNI was
effectively removed from HAProxy.
This patch also adds timeouts in the default section, logs on stderr and
fix some indentation issues.
This commit is contained in:
parent
3ed722f03c
commit
a911548715
@ -1,18 +1,26 @@
|
|||||||
#REGTEST_TYPE=devel
|
#REGTEST_TYPE=devel
|
||||||
|
|
||||||
# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
|
# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
|
||||||
# It requires socat and curl to upload and validate that the certificate was well updated
|
# It requires socat to upload the certificate
|
||||||
|
#
|
||||||
|
# this check does 3 requests, the first one will use "www.test1.com" as SNI,
|
||||||
|
# the second one with the same but that must fail and the third one will use
|
||||||
|
# "localhost". Since vtest can't do SSL, we use haproxy as an SSL client with 2
|
||||||
|
# chained listen section.
|
||||||
|
#
|
||||||
# If this test does not work anymore:
|
# If this test does not work anymore:
|
||||||
# - Check that you have socat and curl
|
# - Check that you have socat
|
||||||
# - Check that the curl -v option still return the SSL CN
|
|
||||||
|
|
||||||
varnishtest "Test the 'set ssl cert' feature of the CLI"
|
varnishtest "Test the 'set ssl cert' feature of the CLI"
|
||||||
#REQUIRE_VERSION=2.2
|
#REQUIRE_VERSION=2.2
|
||||||
#REQUIRE_OPTIONS=OPENSSL
|
#REQUIRE_OPTIONS=OPENSSL
|
||||||
#REQUIRE_BINARIES=socat,curl
|
#REQUIRE_BINARIES=socat
|
||||||
feature ignore_unknown_macro
|
feature ignore_unknown_macro
|
||||||
|
|
||||||
|
server s1 -repeat 3 {
|
||||||
|
rxreq
|
||||||
|
txresp
|
||||||
|
} -start
|
||||||
|
|
||||||
haproxy h1 -conf {
|
haproxy h1 -conf {
|
||||||
global
|
global
|
||||||
@ -20,11 +28,28 @@ haproxy h1 -conf {
|
|||||||
tune.ssl.capture-cipherlist-size 1
|
tune.ssl.capture-cipherlist-size 1
|
||||||
stats socket "${tmpdir}/h1/stats" level admin
|
stats socket "${tmpdir}/h1/stats" level admin
|
||||||
|
|
||||||
listen frt
|
defaults
|
||||||
mode http
|
mode http
|
||||||
|
option httplog
|
||||||
${no-htx} option http-use-htx
|
${no-htx} option http-use-htx
|
||||||
bind "fd@${frt}" ssl crt ${testdir}/common.pem
|
log stderr local0 debug err
|
||||||
http-request redirect location /
|
option logasap
|
||||||
|
timeout connect 100ms
|
||||||
|
timeout client 1s
|
||||||
|
timeout server 1s
|
||||||
|
|
||||||
|
listen clear-lst
|
||||||
|
bind "fd@${clearlst}"
|
||||||
|
balance roundrobin
|
||||||
|
retries 0 # 2nd SSL connection must fail so skip the retry
|
||||||
|
server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
|
||||||
|
server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
|
||||||
|
server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)
|
||||||
|
|
||||||
|
listen ssl-lst
|
||||||
|
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
|
||||||
|
|
||||||
|
server s1 ${s1_addr}:${s1_port}
|
||||||
} -start
|
} -start
|
||||||
|
|
||||||
|
|
||||||
@ -33,13 +58,11 @@ haproxy h1 -cli {
|
|||||||
expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
|
expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
|
||||||
}
|
}
|
||||||
|
|
||||||
shell {
|
client c1 -connect ${h1_clearlst_sock} {
|
||||||
HOST=${h1_frt_addr}
|
txreq
|
||||||
if [ "${h1_frt_addr}" = "::1" ] ; then
|
rxresp
|
||||||
HOST="\[::1\]"
|
expect resp.status == 200
|
||||||
fi
|
} -run
|
||||||
curl -v -i -k https://$HOST:${h1_frt_port} 2>&1 | grep CN=www.test1.com
|
|
||||||
}
|
|
||||||
|
|
||||||
shell {
|
shell {
|
||||||
printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
||||||
@ -51,10 +74,15 @@ haproxy h1 -cli {
|
|||||||
expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
|
expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
|
||||||
}
|
}
|
||||||
|
|
||||||
shell {
|
# check that the "www.test1.com" SNI was removed
|
||||||
HOST=${h1_frt_addr}
|
client c1 -connect ${h1_clearlst_sock} {
|
||||||
if [ "${h1_frt_addr}" = "::1" ] ; then
|
txreq
|
||||||
HOST="\[::1\]"
|
rxresp
|
||||||
fi
|
expect resp.status == 503
|
||||||
curl -v -i -k https://$HOST:${h1_frt_port} 2>&1 | grep CN=localhost
|
} -run
|
||||||
}
|
|
||||||
|
client c1 -connect ${h1_clearlst_sock} {
|
||||||
|
txreq
|
||||||
|
rxresp
|
||||||
|
expect resp.status == 200
|
||||||
|
} -run
|
||||||
|
Loading…
Reference in New Issue
Block a user