Commit Graph

28 Commits

Author SHA1 Message Date
William Dauchy
a598b500b4 MINOR: ssl: add ssl_{c,s}_chain_der fetch methods
Following work from Arjen and Mathilde, it adds ssl_{c,s}_chain_der
methods; it returns DER encoded certs from SSL_get_peer_cert_chain

Also update existing vtc tests to add random intermediate certificates

When getting the result through this header:
  http-response add-header x-ssl-chain-der %[ssl_c_chain_der,hex]
One can parse it with any lib accepting ASN.1 DER data, such as in go:
  bin, err := encoding/hex.DecodeString(cert)
  certs_parsed, err := x509.ParseCertificates(bin)

Cc: Arjen Nienhuis <arjen@zorgdoc.nl>
Signed-off-by: Mathilde Gilles <m.gilles@criteo.com>
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
2020-08-07 15:38:40 +02:00
William Lallemand
86bc9539f2 REGTEST: ssl: add some ssl_c_* sample fetches test
Test the following ssl sample fetches:

ssl_c_der, ssl_c_sha1,hex, ssl_c_notafter, ssl_c_notbefore,
ssl_c_sig_alg, ssl_c_i_dn, ssl_c_s_dn, ssl_c_serial,hex, ssl_c_key_alg,
ssl_c_version

This reg-test could be used as far as haproxy 1.6.
2020-06-26 12:11:39 +02:00
William Lallemand
6e56b2cd8a REGTEST: ssl: tests the ssl_f_* sample fetches
Test the following ssl sample fetches:

ssl_f_der, ssl_f_sha1,hex, ssl_f_notafter, ssl_f_notbefore,
ssl_f_sig_alg, ssl_f_i_dn, ssl_f_s_dn, ssl_f_serial,hex, ssl_f_key_alg,
ssl_f_version

This reg-test could be used as far as haproxy 1.5.
2020-06-26 11:33:59 +02:00
William Lallemand
bfa3e81a7b MINOR: ssl: add the ssl_s_* sample fetches for server side certificate
This commit adds some sample fetches that were lacking on the server
side:

ssl_s_key_alg, ssl_s_notafter, ssl_s_notbefore, ssl_s_sig_alg,
ssl_s_i_dn, ssl_s_s_dn, ssl_s_serial, ssl_s_sha1, ssl_s_der,
ssl_s_version
2020-06-25 21:22:24 +02:00
William Lallemand
99cc21851f MINOR: cli/ssl: handle trailing slashes in crt-list commands
Trailing slashes were not handled in crt-list commands on CLI which can
be useful when you use the commands with a directory.

Strip the slashes before looking for the crtlist in the tree.
2020-06-25 15:40:10 +02:00
William Lallemand
8177ad9895 MINOR: ssl: split config and runtime variable for ssl-{min,max}-ver
In the CLI command 'show ssl crt-list', the ssl-min-ver and the
ssl-min-max arguments were always displayed because the dumped versions
were the actual version computed and used by haproxy, instead of the
version found in the configuration.

To fix the problem, this patch separates the variables to have one with
the configured version, and one with the actual version used. The dump
only shows the configured version.
2020-05-20 16:49:02 +02:00
William Lallemand
a911548715 REGTEST: ssl: improve the "set ssl cert" test
Improve the test by removing the curl command and using the same proxy
chaining technique as in commit 3ed722f ("REGTEST: ssl: remove curl from
the "add ssl crt-list" test").

A 3rd request was added which must fail, to ensure that the SNI was
effectively removed from HAProxy.

This patch also adds timeouts in the default section, logs on stderr and
fix some indentation issues.
2020-04-30 10:28:34 +02:00
William Lallemand
3ed722f03c REGTEST: ssl: remove curl from the "add ssl crt-list" test
Using curl for SSL tests can be a problem if it wasn't compiled with the
right SSL library and if it didn't share any cipher with HAProxy. To
have more robust tests we now use HAProxy as an SSL client, so we are
sure that the client and the server share the same SSL requirements.

This patch also adds timeouts in the default section, logs on stderr and
fix some indentation issues.
2020-04-30 09:53:48 +02:00
William Lallemand
2e0dbb7412 REGTEST: ssl: test the client certificate authentication
This reg-test tests the client auth feature of HAProxy for both the
backend and frontend section with a CRL list.

This reg-test uses 2 chained listeners because vtest does not handle the
SSL. Test the frontend client auth and the backend side at the same
time.

It sends 3 requests: one with a correct certificate, one with an expired
one and one which was revoked. The client then checks if we received the
right one with the right error.

Certificates, CA and CRL are expiring in 2050 so it should be fine for
the CI.

This test could be backported as far as HAProxy 1.6
2020-04-28 22:04:13 +02:00
William Lallemand
4fd9433fb0 REGTEST: ssl/cli: add other cases of 'add ssl crt-list'
Add some certificates in the crt-list with no filters and/or no options
so we can test more cases.
2020-04-02 15:40:19 +02:00
William Lallemand
785325141d REGTEST: ssl: pollute the crt-list file
Pollute localhost.crt-list with extra spaces, empty lines and comments
so the parser of the crt-list could be tested in a better way.
2020-04-01 20:10:53 +02:00
William Lallemand
fdb6db4850 REGTEST: ssl/cli: tests options and filters w/ add ssl crt-list
Now that the 'add ssl crt-list' command supports filters and options,
add some in the vtc file to test them.
2020-04-01 20:10:53 +02:00
William Lallemand
4781fad407 REGTEST: ssl/cli: change test type to devel
Change the type of test from slow to devel for add_ssl-crt-list.vtc and
set_ssl_cert.vtc.
2020-03-31 14:52:22 +02:00
William Lallemand
2be4a2e02d REGTEST: ssl/cli: test the 'add ssl crt-list' command
Test the 'add ssl crt-list' feature by inserting the ecdsa.pem
certificate and verifying with curl and strict-sni that it works.
2020-03-31 12:32:18 +02:00
Willy Tarreau
fa10ffdd12 REGTESTS: make the set_ssl_cert test require version 2.2
It doesn't only use "set ssl cert" but also relies on "show ssl cert"
which is only available in 2.2.
2020-01-24 14:29:08 +01:00
Ilya Shipitsin
3e34ac7d09 REGTEST: set_ssl_cert.vtc: replace "echo" with "printf"
"echo -e" for some reason does not work on travis-ci, so let us switch
to "printf"

Fixes: #423
2020-01-09 05:56:04 +01:00
Willy Tarreau
8c4c1d4299 REGTEST: make the "set ssl cert" require version 2.1
This test fails on 2.0 and earlier since the feature was introduced in 2.1,
let's add the REQUIRE_VERSION tag.
2019-12-20 14:35:18 +01:00
William Lallemand
d5b464bfee REGTEST: run-regtests: implement #REQUIRE_BINARIES
Implement #REQUIRE_BINARIES for vtc files.

The run-regtests.sh script will check if the binary is available in the
environment, if not, it wil disable the vtc.
2019-12-19 14:36:46 +01:00
William Lallemand
9c1aa0a2a1 REGTEST: ssl: test the "set ssl cert" CLI command
Add a reg-test which test the update of a certificate over the CLI. This
test requires socat and curl.

This commit also adds an ECDSA certificate in the ssl directory.
2019-12-19 13:51:38 +01:00
Frédéric Lécaille
d7a8f14145 REGTEST: rename the reg test files.
We rename all the VTC files to avoid name collisions when importing/backporting.
2019-04-23 15:37:03 +02:00
Frédéric Lécaille
dc1a3bd999 REGTEST: replace LEVEL option by a more human readable one.
This patch replaces LEVEL variable by REGTESTS_TYPES variable which is more
mnemonic and human readable. It is uses as a filter to run the reg tests scripts
where a commented #REGTEST_TYPE may be defined to designate their types.
Running the following command:

    $ REGTESTS_TYPES=slow,default

will start all the reg tests where REGTEST_TYPE is defines as 'slow' or 'default'.
Note that 'default' is also the default value of REGTEST_TYPE when not specified
dedicated to run all the current h*.vtc files. When REGTESTS_TYPES is not specified
there is no filter at all. All the tests are run.

This patches also defines REGTEST_TYPE with 'slow' value for all the s*.vtc files,
'bug' value for al the b*.vtc files, 'broken' value for all the k*.vtc files.
2019-04-23 15:14:52 +02:00
Ilya Shipitsin
9ab3138d71 REGTESTS: exclude tests that require ssl, pcre if no such feature is enabled
Signed-off-by: Ilya Shipitsin <chipitsine@gmail.com>
2019-04-17 11:01:58 +02:00
Christopher Faulet
8f16148df7 REGTEST: Add option to use HTX prefixed by the macro 'no-htx'
So some tests have been removed.
2018-12-20 10:37:32 +01:00
Frédéric Lécaille
9931634e71 REGTEST/MINOR: Add a new class of regression testing files.
Add LEVEL #4 regression testing files which is dedicated to
VTC files in relation with bugs they help to reproduce.
At the date of this commit, all VTC files are LEVEL 4 VTC files.
2018-08-23 15:47:10 +02:00
Frédéric Lécaille
faf4aac742 REGTEST/MINOR: Unexpected curl URL globling.
With certain curl versions URLs which contain brackets may be interpreted
by the "URL globbing parser". This patch ensures that such brackets
are escaped.

Thank you to Ilya Shipitsin for having reported this issue.
2018-07-13 11:00:32 +02:00
Frédéric Lécaille
49076c3b71 REGTEST/MINOR: Wrong URI syntax.
Ilya Shipitsin reported that with some curl versions this reg test
may fail due to a wrong URI syntax with ::1 ipv6 local address in
this varnishtest script. This patch fixes this syntax issue and
replaces the iteration of "procees" commands by a "shell" command
to start curl processes (must be faster).

Thanks to Ilya Shipitsin for having reported this VTC file bug.
2018-07-12 17:52:27 +02:00
Frédéric Lécaille
6983be32f7 REGTEST/MINOR: Wrong URI in a reg test for SSL/TLS.
Fix typos where http:// URIs were used in place of https://.
2018-06-25 22:04:27 +02:00
Frédéric Lécaille
9b53b4cd1f MINOR: reg-tests: Add a few regression testing files. 2018-06-20 10:03:24 +02:00