From c42132b3d5806f44159650bf9eadc56c4d88023f Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Mon, 25 Mar 2024 16:50:26 +0100
Subject: [PATCH] REGTESTS: ssl: Add OCSP update compatibility tests
Add tests that focus on the incompatibility checks on ocsp-update mode. This test will only call "haproxy -c" on multiple configurations that combine the crt-list 'ocsp-update' option and the global 'tune.ssl.ocsp-update.mode'.
---
reg-tests/ssl/ocsp_compat_check.vtc | 737 ++++++++++++++++++++++++++++
1 file changed, 737 insertions(+)
create mode 100644 reg-tests/ssl/ocsp_compat_check.vtc
diff --git a/reg-tests/ssl/ocsp_compat_check.vtc b/reg-tests/ssl/ocsp_compat_check.vtc
new file mode 100644
index 000000000..f54c3ada4
--- /dev/null
+++ b/reg-tests/ssl/ocsp_compat_check.vtc
@@ -0,0 +1,737 @@
+#REGTEST_TYPE=devel
+
+# broken with BoringSSL.
+#
+# This reg-test tries loading multiple configurations that make use of the
+# 'ocsp-update' crt-list option and the global 'tune.ssl.ocsp-update.mode'
+# option. It ensures that an error message is raised when the user provides an
+# incoherent configuration. Any configuration in which a given certificate has
+# the ocsp auto update mode set to 'on' as well as 'off' simultaneously should
+# raise an ALERT type message and not start.
+# The first batch of configurations should all raise errors and the second
+# batch should all load properly. We do not focus on the actual auto update in
+# this reg-test though so no actual proxy instance will be launched.
+
+varnishtest "Test the OCSP auto update feature"
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
+feature ignore_unknown_macro
+
+
+#############################
+# #
+# WRONG CONFIGURATIONS #
+# #
+#############################
+
+
+# test1
+# global_option DFLT
+# bind line DFLT (first)
+# crt-list ON (second)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# tune.ssl.ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test2
+# global_option ON
+# bind line DFLT/ON (first)
+# crt-list OFF (second)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test3
+# global_option OFF
+# bind line DFLT/OFF(first)
+# crt-list ON (second)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test4
+# global_option DFLT
+# bind line DFLT (second)
+# crt-list ON (first)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test5
+# global_option ON
+# bind line DFLT (second)
+# crt-list OFF (first)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test6
+# global_option OFF
+# bind line DFLT (second)
+# crt-list ON (first)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test7
+# global_option DFLT
+# bind line -
+# crt-list ON
+# crt-list DFLT
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+server_ocsp_ecdsa.pem bar.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test8
+# global_option DFLT
+# bind line -
+# crt-list DFLT
+# crt-list ON
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem bar.com
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test9
+# global_option ON
+# bind line -
+# crt-list OFF
+# crt-list DFLT
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+server_ocsp_ecdsa.pem bar.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test10
+# global_option ON
+# bind line -
+# crt-list DFLT
+# crt-list OFF
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem bar.com
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test11
+# global_option OFF
+# bind line -
+# crt-list ON
+# crt-list DFLT
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+server_ocsp_ecdsa.pem bar.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test12
+# global_option OFF
+# bind line -
+# crt-list DFLT
+# crt-list ON
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem bar.com
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+
+ ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+
+
+
+###########################
+# #
+# GOOD CONFIGURATIONS #
+# #
+###########################
+
+# test1
+# global_option DFLT
+# bind line DFLT (first)
+# crt-list OFF (second)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# tune.ssl.ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test2
+# global_option ON
+# bind line DFLT/ON (first)
+# crt-list ON (second)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test3
+# global_option OFF
+# bind line DFLT/OFF(first)
+# crt-list OFF (second)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test4
+# global_option DFLT
+# bind line DFLT (second)
+# crt-list OFF (first)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test5
+# global_option ON
+# bind line DFLT (second)
+# crt-list ON (first)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test6
+# global_option OFF
+# bind line DFLT (second)
+# crt-list OFF (first)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test7
+# global_option DFLT
+# bind line -
+# crt-list OFF
+# crt-list DFLT
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+server_ocsp_ecdsa.pem foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test8
+# global_option DFLT
+# bind line -
+# crt-list DFLT
+# crt-list OFF
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem foo.com
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test9
+# global_option ON
+# bind line -
+# crt-list ON
+# crt-list DFLT
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+server_ocsp_ecdsa.pem foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test10
+# global_option ON
+# bind line -
+# crt-list DFLT
+# crt-list ON
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem foo.com
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test11
+# global_option OFF
+# bind line -
+# crt-list OFF
+# crt-list DFLT
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+server_ocsp_ecdsa.pem foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test12
+# global_option OFF
+# bind line -
+# crt-list DFLT
+# crt-list OFF
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem foo.com
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ tune.ssl.ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
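Review bot: None of the twelve wrong-configuration cases pairs an explicit `[ocsp-update on]` with an explicit `[ocsp-update off]` for the same certificate; in every conflict tested, one side is left at its default (a bind-line `crt` or a crt-list line without the option) and only becomes 'on' or 'off' through `tune.ssl.ocsp-update.mode`. The header comment defines the failure as a certificate set to 'on' as well as 'off', so a thirteenth case would pin the most direct form of that conflict, which presumably should fail with the same message. It could reuse the wrong-batch test7 configuration with the crt-list `server_ocsp_ecdsa.pem [ocsp-update on] foo.com` / `server_ocsp_ecdsa.pem [ocsp-update off] bar.com`. Both batches also number their cases test1 to test12, and the title `varnishtest "Test the OCSP auto update feature"` describes the auto-update test rather than this compatibility check. A distinct title and batch-prefixed labels in the comments would make a failing case easier to identify.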