#REGTEST_TYPE=devel # This reg-test checks that the 'generate-certificates' SSL option works # properly. This option allows to generate server-side certificates on the fly # for clients that use an SNI for which no certificate was specified in the # configuration file. # This test also aims at checking that the 'generate-certificates' and the # 'ecdhe' bind options work correctly together. # Any bind line having a 'generate-certificates' needs to have a ca-sign-file # option as well that specifies the path to a CA pem file (containing a # certificate as well as its private key). For this reason, a new # ssl_gen_ca.pem CA certificate was created, along with the ssl_gen_server.pem # server certificate signed by the CA. This server certificate will be used as # a default certificate and will serve as a base for any newly created # certificate. varnishtest "Test the 'generate-certificates' SSL option" feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'" feature cmd "command -v openssl && command -v grep" feature ignore_unknown_macro server s1 -repeat 6 { rxreq txresp } -start haproxy h1 -conf { global tune.ssl.default-dh-param 2048 tune.ssl.capture-buffer-size 2048 defaults mode http option httpslog log stderr local0 debug err option logasap timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" timeout client "${HAPROXY_TEST_TIMEOUT-5s}" timeout server "${HAPROXY_TEST_TIMEOUT-5s}" option httpslog listen clear-lst bind "fd@${clearlst}" http-request set-var(sess.sni) hdr(x-sni) use_backend P-384_backend if { path /P-384 } default_backend default_backend backend default_backend server s1 "${tmpdir}/ssl.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni) backend P-384_backend server s1 "${tmpdir}/ssl_P-384.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni) listen ssl-lst bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)] http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)] http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg] http-response add-header x-ssl-key_alg %[ssl_f_key_alg] http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex] server s1 ${s1_addr}:${s1_port} listen ssl-lst-P-384 bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1 http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)] http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)] http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg] http-response add-header x-ssl-key_alg %[ssl_f_key_alg] http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex] server s1 ${s1_addr}:${s1_port} } -start # Use default certificate client c1 -connect ${h1_clearlst_sock} { txreq rxresp expect resp.status == 200 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" expect resp.http.x-ssl-i_dn == "ECDSA CA" expect resp.http.x-ssl-s_dn == "server.ecdsa.com" expect resp.http.x-ssl-key_alg == "id-ecPublicKey" expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" } -run # Use default certificate's sni client c2 -connect ${h1_clearlst_sock} { txreq -hdr "x-sni: server.ecdsa.com" rxresp expect resp.status == 200 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" expect resp.http.x-ssl-i_dn == "ECDSA CA" expect resp.http.x-ssl-s_dn == "server.ecdsa.com" expect resp.http.x-ssl-key_alg == "id-ecPublicKey" expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" } -run # Use another SNI - the server certificate should be generated and different # than the default one client c3 -connect ${h1_clearlst_sock} { txreq -hdr "x-sni: unknown-sni.com" rxresp expect resp.status == 200 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" expect resp.http.x-ssl-i_dn == "ECDSA CA" expect resp.http.x-ssl-s_dn == "ECDSA CA" expect resp.http.x-ssl-key_alg == "id-ecPublicKey" expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" } -run # Use default certificate client c4 -connect ${h1_clearlst_sock} { txreq -url "/P-384" rxresp expect resp.status == 200 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" expect resp.http.x-ssl-i_dn == "ECDSA CA" expect resp.http.x-ssl-s_dn == "server.ecdsa.com" expect resp.http.x-ssl-key_alg == "id-ecPublicKey" expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" } -run # Use default certificate's sni client c5 -connect ${h1_clearlst_sock} { txreq -url "/P-384" -hdr "x-sni: server.ecdsa.com" rxresp expect resp.status == 200 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" expect resp.http.x-ssl-i_dn == "ECDSA CA" expect resp.http.x-ssl-s_dn == "server.ecdsa.com" expect resp.http.x-ssl-key_alg == "id-ecPublicKey" expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" } -run # Use another SNI - the server certificate should be generated and different # than the default one client c6 -connect ${h1_clearlst_sock} { txreq -url "/P-384" -hdr "x-sni: unknown-sni.com" rxresp expect resp.status == 200 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" expect resp.http.x-ssl-i_dn == "ECDSA CA" expect resp.http.x-ssl-s_dn == "ECDSA CA" expect resp.http.x-ssl-key_alg == "id-ecPublicKey" expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" } -run # Check that the curves that the server accepts to use correspond to what we # expect it to be (according to ecdhe option). # The curve with the highest priority is X25519 for OpenSSL 1.1.1 and later, # and P-256 for OpenSSL 1.0.2. shell { echo "Q" | openssl s_client -unix "${tmpdir}/ssl.sock" -servername server.ecdsa.com -tls1_2 2>/dev/null | grep -E "Server Temp Key: (ECDH, P-256, 256 bits|X25519, 253 bits)" } shell { echo "Q" | openssl s_client -unix "${tmpdir}/ssl_P-384.sock" -servername server.ecdsa.com 2>/dev/null| grep "Server Temp Key: ECDH, P-384, 384 bits" }