REGTESTS: ssl: Add OCSP update compatibility tests

Add tests that focus on the incompatibility checks on ocsp-update mode. This test will only call "haproxy -c" on multiple configurations that combine the crt-list 'ocsp-update' option and the global 'tune.ssl.ocsp-update.mode'.
2025-03-04 02:19:09 +00:00 · 2024-03-25 16:50:26 +01:00 · 2024-03-25 16:50:26 +01:00 · c42132b3d5
commit c42132b3d5
parent 7359c0c7f4
1 changed files with 737 additions and 0 deletions
--- a/reg-tests/ssl/ocsp_compat_check.vtc
+++ b/reg-tests/ssl/ocsp_compat_check.vtc
@ -0,0 +1,737 @@
+#REGTEST_TYPE=devel
+
+# broken with BoringSSL.
+#
+# This reg-test tries loading multiple configurations that make use of the
+# 'ocsp-update' crt-list option and the global 'tune.ssl.ocsp-update.mode'
+# option. It ensures that an error message is raised when the user provides an
+# incoherent configuration. Any configuration in which a given certificate has
+# the ocsp auto update mode set to 'on' as well as 'off' simultaneously should
+# raise an ALERT type message and not start.
+# The first batch of configurations should all raise errors and the second
+# batch should all load properly. We do not focus on the actual auto update in
+# this reg-test though so no actual proxy instance will be launched.
+
+varnishtest "Test the OCSP auto update feature"
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
+feature ignore_unknown_macro
+
+
+#############################
+#                           #
+#   WRONG CONFIGURATIONS    #
+#                           #
+#############################
+
+
+# test1
+#    global_option   DFLT
+#    bind line       DFLT    (first)
+#    crt-list        ON      (second)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+#    tune.ssl.ocsp-update.mode on
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test2
+#    global_option   ON
+#    bind line       DFLT/ON (first)
+#    crt-list        OFF     (second)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode on
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test3
+#    global_option   OFF
+#    bind line       DFLT/OFF(first)
+#    crt-list        ON      (second)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test4
+#    global_option   DFLT
+#    bind line       DFLT    (second)
+#    crt-list        ON      (first)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+#    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test5
+#    global_option   ON
+#    bind line       DFLT    (second)
+#    crt-list        OFF     (first)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode on
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test6
+#    global_option   OFF
+#    bind line       DFLT    (second)
+#    crt-list        ON      (first)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test7
+#    global_option   DFLT
+#    bind line       -
+#    crt-list        ON
+#    crt-list        DFLT
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+server_ocsp_ecdsa.pem bar.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+#    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test8
+#    global_option   DFLT
+#    bind line       -
+#    crt-list        DFLT
+#    crt-list        ON
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem bar.com
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+#    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test9
+#    global_option   ON
+#    bind line       -
+#    crt-list        OFF
+#    crt-list        DFLT
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+server_ocsp_ecdsa.pem bar.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode on
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test10
+#    global_option   ON
+#    bind line       -
+#    crt-list        DFLT
+#    crt-list        OFF
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem bar.com
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode on
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test11
+#    global_option   OFF
+#    bind line       -
+#    crt-list        ON
+#    crt-list        DFLT
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+server_ocsp_ecdsa.pem bar.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+# test12
+#    global_option   OFF
+#    bind line       -
+#    crt-list        DFLT
+#    crt-list        ON
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem bar.com
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+    haproxy_ret=$?
+
+    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+}
+
+
+
+
+###########################
+#                         #
+#   GOOD CONFIGURATIONS   #
+#                         #
+###########################
+
+# test1
+#    global_option   DFLT
+#    bind line       DFLT    (first)
+#    crt-list        OFF     (second)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+#    tune.ssl.ocsp-update.mode on
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test2
+#    global_option   ON
+#    bind line       DFLT/ON (first)
+#    crt-list        ON      (second)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode on
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test3
+#    global_option   OFF
+#    bind line       DFLT/OFF(first)
+#    crt-list        OFF     (second)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test4
+#    global_option   DFLT
+#    bind line       DFLT    (second)
+#    crt-list        OFF     (first)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+#    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test5
+#    global_option   ON
+#    bind line       DFLT    (second)
+#    crt-list        ON      (first)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode on
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test6
+#    global_option   OFF
+#    bind line       DFLT    (second)
+#    crt-list        OFF     (first)
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test7
+#    global_option   DFLT
+#    bind line       -
+#    crt-list        OFF
+#    crt-list        DFLT
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+server_ocsp_ecdsa.pem foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+#    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test8
+#    global_option   DFLT
+#    bind line       -
+#    crt-list        DFLT
+#    crt-list        OFF
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem foo.com
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+#    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test9
+#    global_option   ON
+#    bind line       -
+#    crt-list        ON
+#    crt-list        DFLT
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+server_ocsp_ecdsa.pem foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode on
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test10
+#    global_option   ON
+#    bind line       -
+#    crt-list        DFLT
+#    crt-list        ON
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem foo.com
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode on
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test11
+#    global_option   OFF
+#    bind line       -
+#    crt-list        OFF
+#    crt-list        DFLT
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+server_ocsp_ecdsa.pem foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}
+
+# test12
+#    global_option   OFF
+#    bind line       -
+#    crt-list        DFLT
+#    crt-list        OFF
+shell {
+    cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem foo.com
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+    crt-base ${testdir}/ocsp_update/multicert
+    tune.ssl.ocsp-update.mode off
+
+defaults
+    log stderr local0 debug err
+    timeout connect 1s
+    timeout client  1s
+    timeout server  1s
+
+listen ssl-lst
+    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+    server s1 127.0.0.1:80
+EOF
+
+    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+}