Commit Graph

15 Commits

Author SHA1 Message Date
William Lallemand
ae6547f65f REGTESTS: ssl: add the same cert for client/server
Add the same certificate in server and bind line so we can try to catch
problems like in issue #1748 when updating over the CLI.
2022-06-20 18:06:43 +02:00
Willy Tarreau
f673923629 REGTESTS: extend the default I/O timeouts and make them overridable
With the CI occasionally slowing down, we're starting to see again some
spurious failures despite the long 1-second timeouts. This reports false
positives that are disturbing and doesn't provide as much value as this
could. However at this delay it already becomes a pain for developers
to wait for the tests to complete.

This commit adds support for the new environment variable
HAPROXY_TEST_TIMEOUT that will allow anyone to modify the connect,
client and server timeouts. It was set to 5 seconds by default, which
should be plenty for quite some time in the CI. All relevant values
that were 200ms or above were replaced by this one. A few larger
values were left as they are special. One test for the set-timeout
action that used to rely on a fixed 1-sec value was extended to a
fixed 5-sec, as the timeout is normally not reached, but it needs
to be known to compare the old and new values.
2021-11-18 17:57:11 +01:00
Willy Tarreau
419c11728d REGTEST: set retries count to zero for all tests that expect at 503
Some tests expect a 503, typically those that check that wrong CA/CRL
will not be accepted between a server and a frontend. But such tests
tend to last very long simply because of the 1-second turn-around on
connection retries that happens during the failure. Let's properly set
the retries count to zero for these ones. One test purposely wants to
exhaust the retries so the retries was set to 1 instead.
2021-11-18 17:54:49 +01:00
Marcin Deranek
310a260e4a MEDIUM: config: Deprecate tune.ssl.capture-cipherlist-size
Deprecate tune.ssl.capture-cipherlist-size in favor of
tune.ssl.capture-buffer-size which better describes the purpose of the
setting.
2021-08-26 19:52:04 +02:00
Tim Duesterhus
4ee192f072 REGTESTS: Replace REQUIRE_BINARIES with 'command -v'
This migrates the tests to the native `feature cmd` functionality of VTest.
2021-06-17 14:59:55 +02:00
Tim Duesterhus
a9334df5a9 CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests
The legacy HTTP subsystem has been removed. HTX is always enabled.
2021-06-04 15:41:21 +02:00
Remi Tricot-Le Breton
8218aed90e BUG/MINOR: ssl: Fix update of default certificate
The default SSL_CTX used by a specific frontend is the one of the first
ckch instance created for this frontend. If this instance has SNIs, then
the SSL context is linked to the instance through the list of SNIs
contained in it. If the instance does not have any SNIs though, then the
SSL_CTX is only referenced by the bind_conf structure and the instance
itself has no link to it.
When trying to update a certificate used by the default instance through
a cli command, a new version of the default instance was rebuilt but the
default SSL context referenced in the bind_conf structure would not be
changed, resulting in a buggy behavior in which depending on the SNI
used by the client, he could either use the new version of the updated
certificate or the original one.

This patch adds a reference to the default SSL context in the default
ckch instances so that it can be hot swapped during a certificate
update.

This should fix GitHub issue #1143.

It can be backported as far as 2.2.
2021-03-26 13:06:29 +01:00
William Lallemand
8695ce0bae BUG/MEDIUM: ssl/cli: abort ssl cert is freeing the old store
The "abort ssl cert" command is buggy and removes the current ckch store,
and instances, leading to SNI removal. It must only removes the new one.

This patch also adds a check in set_ssl_cert.vtc and
set_ssl_server_cert.vtc.

Must be backported as far as 2.2.
2021-02-01 17:58:21 +01:00
William Lallemand
a911548715 REGTEST: ssl: improve the "set ssl cert" test
Improve the test by removing the curl command and using the same proxy
chaining technique as in commit 3ed722f ("REGTEST: ssl: remove curl from
the "add ssl crt-list" test").

A 3rd request was added which must fail, to ensure that the SNI was
effectively removed from HAProxy.

This patch also adds timeouts in the default section, logs on stderr and
fix some indentation issues.
2020-04-30 10:28:34 +02:00
William Lallemand
4781fad407 REGTEST: ssl/cli: change test type to devel
Change the type of test from slow to devel for add_ssl-crt-list.vtc and
set_ssl_cert.vtc.
2020-03-31 14:52:22 +02:00
Willy Tarreau
fa10ffdd12 REGTESTS: make the set_ssl_cert test require version 2.2
It doesn't only use "set ssl cert" but also relies on "show ssl cert"
which is only available in 2.2.
2020-01-24 14:29:08 +01:00
Ilya Shipitsin
3e34ac7d09 REGTEST: set_ssl_cert.vtc: replace "echo" with "printf"
"echo -e" for some reason does not work on travis-ci, so let us switch
to "printf"

Fixes: #423
2020-01-09 05:56:04 +01:00
Willy Tarreau
8c4c1d4299 REGTEST: make the "set ssl cert" require version 2.1
This test fails on 2.0 and earlier since the feature was introduced in 2.1,
let's add the REQUIRE_VERSION tag.
2019-12-20 14:35:18 +01:00
William Lallemand
d5b464bfee REGTEST: run-regtests: implement #REQUIRE_BINARIES
Implement #REQUIRE_BINARIES for vtc files.

The run-regtests.sh script will check if the binary is available in the
environment, if not, it wil disable the vtc.
2019-12-19 14:36:46 +01:00
William Lallemand
9c1aa0a2a1 REGTEST: ssl: test the "set ssl cert" CLI command
Add a reg-test which test the update of a certificate over the CLI. This
test requires socat and curl.

This commit also adds an ECDSA certificate in the ssl directory.
2019-12-19 13:51:38 +01:00