#REGTEST_TYPE=slow # broken with BoringSSL. # This reg-test focuses on the OCSP response auto-update functionality. It does # not test the full scope of the feature because most of it is based on # expiration times and long delays between updates of valid OCSP responses. # Automatic update of valid OCSP responses loaded during init will not be # tested because by design, such a response would no be automatically updated # until init+1H. # # This test will then focus on certificates that have a specified OCSP URI but # no known OCSP response. For those certificates, OCSP requests are sent as # soon as possible by the update task. # # The ocsp responder used in all the tests will be an openssl using the # certificate database in ocsp_update/index.txt. It will listen on port 12346 # which is not the same as the one specified in the certificates' OCSP URI # which point to port 12345. The link from port 12345 to port 12346 will be # ensured through HAProxy instances that will enable logs, later used as a # synchronization mean. # # Unfortunately some arbitrary "sleep" calls are still needed to leave some # time for the ocsp update task to actually process the ocsp responses and # reinsert them into the tree. This explains why the test's mode is set to # "slow". # # The fourth test case focuses on the "update ssl ocsp-response" CLI command # and tests two certificates that have a known OCSP response loaded during init # but no OCSP auto update. The only difference between the two certificates is # that one has a separate .issuer file while the other one has the issuer # certificate directly in the main .pem file. # # If this test does not work anymore: # - Check that you have openssl and socat varnishtest "Test the OCSP auto update feature" feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.7-dev0)'" feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'" feature cmd "command -v openssl && command -v socat" feature ignore_unknown_macro ################### # # # FIRST TEST CASE # # # ################### # No automatic update should occur in this test case since we load two already # valid OCSP responses during init which have a "Next Update" date really far # in the future. So they should only be updated after one hour. # This test will only be the most basic one where we check that ocsp response # loading still works as expected. haproxy h1 -conf { global tune.ssl.default-dh-param 2048 tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin crt-base ${testdir}/ocsp_update defaults mode http option httplog log stderr local0 debug err option logasap timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" timeout client "${HAPROXY_TEST_TIMEOUT-5s}" timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 } -start # We should have two distinct ocsp responses known that were loaded at build time haproxy h1 -cli { send "show ssl ocsp-response" expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" send "show ssl ocsp-response" expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" expect ~ "Cert Status: revoked" send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" expect ~ "Cert Status: good" } haproxy h1 -wait #################### # # # SECOND TEST CASE # # # #################### # This test will focus on two separate certificates that have the same OCSP uri # (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time. # The update mode is set to 'on' in the two crt-lists used. The two ocsp # responses should then be fetched automatically after init. We use an http # listener as a rebound on which http log is enabled towards Syslog_http. This # ensures that two requests are sent by the ocsp auto update task and it # enables to use a barrier to synchronize the ocsp task and the subsequent cli # calls. Thanks to the barrier we know that when calling "show ssl # ocsp-response" on the cli, the two answers should already have been received # and processed. process p1 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start barrier b1 cond 2 -cyclic syslog Syslog_http -level info { recv expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1" recv expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1" barrier b1 sync } -start haproxy h2 -conf { global tune.ssl.default-dh-param 2048 tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h2/stats" level admin crt-base ${testdir}/ocsp_update defaults mode http option httplog log stderr local0 debug err timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" timeout client "${HAPROXY_TEST_TIMEOUT-5s}" timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-fe bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 frontend ssl-ecdsa-fe bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 listen http_rebound_lst mode http option httplog log ${Syslog_http_addr}:${Syslog_http_port} local0 bind "127.0.0.1:12345" server s1 "127.0.0.1:12346" } -start barrier b1 sync shell "sleep 1" # We should have two distinct ocsp IDs known that were loaded at build time and # the responses' contents should have been filled automatically by the ocsp # update task after init haproxy h2 -cli { send "show ssl ocsp-response" expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" send "show ssl ocsp-response" expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" expect ~ "Cert Status: revoked" send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" expect ~ "Cert Status: revoked" } haproxy h2 -wait process p1 -wait -expect-exit 0 ################### # # # THIRD TEST CASE # # # ################### # This test will be roughly the same as the second one but one of the crt-lists # will not enable ocsp-update on its certificate. Only one request should then # be sent. process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start barrier b2 cond 2 -cyclic syslog Syslog_http2 -level info { recv expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1" barrier b2 sync } -start haproxy h3 -conf { global tune.ssl.default-dh-param 2048 tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h3/stats" level admin crt-base ${testdir}/ocsp_update defaults mode http option httplog log stderr local0 debug err timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" timeout client "${HAPROXY_TEST_TIMEOUT-5s}" timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-fe bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 frontend ssl-ecdsa-fe bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 listen http_rebound_lst mode http option httplog log ${Syslog_http2_addr}:${Syslog_http2_port} local0 bind "127.0.0.1:12345" server s1 "127.0.0.1:12346" } -start barrier b2 sync shell "sleep 1" # We should have a single ocsp ID known that was loaded at build time and the # response should be filled haproxy h3 -cli { send "show ssl ocsp-response" expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" send "show ssl ocsp-response" expect !~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" expect ~ "Cert Status: revoked" } haproxy h3 -wait process p2 -wait #################### # # # FOURTH TEST CASE # # (CLI COMMAND) # # # #################### process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start haproxy h4 -conf { global tune.ssl.default-dh-param 2048 tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h4/stats" level admin crt-base ${testdir}/ocsp_update defaults mode http option httplog log stderr local0 debug err timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" timeout client "${HAPROXY_TEST_TIMEOUT-5s}" timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-ocsp bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 frontend ssl-ecdsa-ocsp bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 listen http_rebound_lst mode http option httplog bind "127.0.0.1:12345" server s1 "127.0.0.1:12346" } -start # We need to "enable" the cli with a first cli call before using it only through socats haproxy h4 -cli { send "show ssl ocsp-response" expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" } # We should have two OCSP responses loaded during init shell { responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -) [ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \ echo "$responses" | grep "Serial Number: 1016" && \ echo "$responses" | grep "Serial Number: 1015" } shell { echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: revoked" } shell { echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: good" } # Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer) shell { # Store the current "Produced At" in order to ensure that after the update # the OCSP response actually changed produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At") # We should receive the OCSP response's details on the standard output when calling # 'update ssl ocsp-response' ocsp_response=$(echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -) new_produced_at=$(echo "$ocsp_response" | grep "Produced At") echo "$ocsp_response" | grep -q "Serial Number: 1015" && \ echo "$ocsp_response" | grep -q "Cert Status: revoked" && \ [ "$new_produced_at" != "$produced_at" ] } # Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer) shell { # Store the current "Produced At" in order to ensure that after the update # the OCSP response actually changed produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At") # We should receive the OCSP response's details on the standard output when calling # 'update ssl ocsp-response' ocsp_response=$(echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -) new_produced_at=$(echo "$ocsp_response" | grep "Produced At") echo "$ocsp_response" | grep -q "Serial Number: 1016" && \ echo "$ocsp_response" | grep -q "Cert Status: revoked" && \ [ "$new_produced_at" != "$produced_at" ] } haproxy h4 -wait process p3 -wait #################### # # # FIFTH TEST CASE # # (CLI COMMAND) # # # #################### # Test the "show ssl ocsp-updates" command as well as the new 'base64' parameter # to the "show ssl ocsp-response" command. process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start barrier b5 cond 2 -cyclic syslog Syslog_http5 -level info { recv expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1" recv expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1" barrier b5 sync } -start haproxy h5 -conf { global tune.ssl.default-dh-param 2048 tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h5/stats" level admin crt-base ${testdir}/ocsp_update defaults mode http option httplog log stderr local0 debug err timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" timeout client "${HAPROXY_TEST_TIMEOUT-5s}" timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-rsa-fe bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 frontend ssl-ecdsa-fe bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 listen http_rebound_lst mode http option httplog log ${Syslog_http5_addr}:${Syslog_http5_port} local0 bind "127.0.0.1:12345" server s1 "127.0.0.1:12346" } -start barrier b5 sync shell "sleep 1" # Use "show ssl ocsp-updates" CLI command # We should have one line per OCSP response and each one of them should have been successfully updated once # The command's output follows this format: # OCSP Certid | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str) haproxy h5 -cli { send "show ssl ocsp-updates" expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*| 1 | 0 | 1 | Update successful" send "show ssl ocsp-updates" expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful" } # Use "show ssl ocsp-response" command to dump an OCSP response in base64 shell { ocsp_resp_file="${tmpdir}.ocsp_resp.der" echo "show ssl ocsp-response base64 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h5/stats" - | base64 -d > $ocsp_resp_file if [ $? -eq 0 ] then ocsp_resp_txt="$(openssl ocsp -respin $ocsp_resp_file -noverify -text)" echo "$ocsp_resp_txt" | grep "Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A" && \ echo "$ocsp_resp_txt" | grep "Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A" && \ echo "$ocsp_resp_txt" | grep "Serial Number: 1015" && \ echo "$ocsp_resp_txt" | grep "Cert Status: revoked" else return 1 fi } haproxy h5 -wait process p5 -wait #################### # # # SIXTH TEST CASE # # # #################### # Check that a new certificate added via the CLI to a crt-list with # the 'ocsp-update on' option will be taken into account by the OCSP # auto update task # process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start barrier b6 cond 2 -cyclic syslog Syslog_http6 -level info { recv expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1" barrier b6 sync } -start haproxy h6 -conf { global tune.ssl.default-dh-param 2048 tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h6/stats" level admin crt-base ${testdir} defaults mode http option httplog log stderr local0 debug err option logasap timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" timeout client "${HAPROXY_TEST_TIMEOUT-5s}" timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe bind "${tmpdir}/ssl.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 listen http_rebound_lst mode http option httplog log ${Syslog_http6_addr}:${Syslog_http6_port} local0 bind "127.0.0.1:12345" server s1 "127.0.0.1:12346" } -start # We need to "enable" the cli with a first cli call before using it only through socats haproxy h6 -cli { send "show ssl cert" expect ~ "" } # Create a new certificate that has an OCSP uri and add it to the # existing CLI with the 'ocsp-update on' command. shell { echo "new ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" - printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" - echo "commit ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" - } barrier b6 sync shell "sleep 1" haproxy h6 -cli { send "show ssl ocsp-updates" expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful" }