#REGTEST_TYPE=devel # This test uses the "new ssl crl-file" and "del ssl crl-file" commands to create # a new CRL file or delete an unused CRL file. # # It requires socat to upload the CRL file. # # If this test does not work anymore: # - Check that you have socat varnishtest "Test the 'new ssl crl-file' and 'del ssl crl-file' commands of the CLI" feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'" feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'" feature cmd "command -v socat" feature ignore_unknown_macro server s1 -repeat 3 { rxreq txresp } -start haproxy h1 -conf { global .if !ssllib_name_startswith(AWS-LC) tune.ssl.default-dh-param 2048 .endif tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin crt-base ${testdir} defaults mode http option httplog retries 0 log stderr local0 debug err option logasap timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" timeout client "${HAPROXY_TEST_TIMEOUT-5s}" timeout server "${HAPROXY_TEST_TIMEOUT-5s}" listen clear-lst bind "fd@${clearlst}" balance roundrobin use_backend with_crl_be if { path /with-crl } default_backend default_be backend default_be server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(www.test1.com) backend with_crl_be server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(with-crl.com) listen ssl-lst bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-file ${testdir}/ca-auth.crt verify required crt-ignore-err all http-response add-header X-SSL-Client-Verify %[ssl_c_verify] server s1 ${s1_addr}:${s1_port} } -start # Request using the default backend and the www.test1.com sni client c1 -connect ${h1_clearlst_sock} { txreq rxresp expect resp.status == 200 # The backend has no CRL so the connection should succeed expect resp.http.X-SSL-Client-Verify == 0 } -run # This connection should fail because the with-crl.com sni is not mentioned in the crt-list yet. client c1 -connect ${h1_clearlst_sock} { txreq -url "/with-crl" rxresp expect resp.status == 503 } -run # Create a new unlinked CRL file haproxy h1 -cli { send "new ssl crl-file new_crlfile.crt" expect ~ "New CRL file created 'new_crlfile.crt'!" } shell { printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/crl-auth.pem)\n\n" | socat "${tmpdir}/h1/stats" - echo "commit ssl crl-file new_crlfile.crt" | socat "${tmpdir}/h1/stats" - } haproxy h1 -cli { send "show ssl crl-file" expect ~ ".*new_crlfile.crt" send "show ssl crl-file new_crlfile.crt" expect ~ ".*Issuer:.*/CN=HAProxy Technologies CA Test Client Auth" } # Add a new certificate that will use the new CA file shell { echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" - printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" - echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" - } # Create a new crt-list line that will use the new CA file shell { printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" | socat "${tmpdir}/h1/stats" - } client c1 -connect ${h1_clearlst_sock} { txreq -url "/with-crl" rxresp expect resp.status == 200 # The frontend's certificate is revoked in the newly added CRL, connection should fail expect resp.http.X-SSL-Client-Verify == 23 } -run # Request using the default backend and the www.test1.com sni client c1 -connect ${h1_clearlst_sock} { txreq rxresp expect resp.status == 200 # The backend has no CRL for this SNI so the connection should still succeed expect resp.http.X-SSL-Client-Verify == 0 } -run # Delete the newly added crt-list line and CRL file haproxy h1 -cli { send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem" expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!" send "del ssl crl-file new_crlfile.crt" expect ~ "CRL file 'new_crlfile.crt' deleted!" send "show ssl crl-file" expect !~ "new_crlfile.crt" } # The connection should now fail since the crt-list line was deleted client c1 -connect ${h1_clearlst_sock} { txreq -url "/with-crl" rxresp expect resp.status == 503 } -run