haproxy/reg-tests/ssl/ocsp_compat_check.vtc
William Lallemand d33a5f8e14 REGTESTS: ocsp-update: change the reg-test to support the new crt-store mode
Update the ocsp-update tests for the recent changes:

- Incompatibilities check string changed to match the crt-store one
- The "good configurations" are not good anymore because the
  ckch_conf_cmp() does not compare anymore with a global value.
2024-05-17 17:35:51 +02:00

402 lines
11 KiB
Plaintext

#REGTEST_TYPE=devel
# broken with BoringSSL.
#
# This reg-test tries loading multiple configurations that make use of the
# 'ocsp-update' crt-list option and the global 'ocsp-update.mode'
# option. It ensures that an error message is raised when the user provides an
# incoherent configuration. Any configuration in which a given certificate has
# the ocsp auto update mode set to 'on' as well as 'off' simultaneously should
# raise an ALERT type message and not start.
# The first batch of configurations should all raise errors and the second
# batch should all load properly. We do not focus on the actual auto update in
# this reg-test though so no actual proxy instance will be launched.
varnishtest "Test the OCSP auto update feature"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
feature ignore_unknown_macro
#############################
# #
# WRONG CONFIGURATIONS #
# #
#############################
# test1
# global_option OFF
# bind line DFLT (OFF) (first)
# crt-list ON (second)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode on
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 1"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}
# test2
# global_option ON
# bind line DFLT/ON (first)
# crt-list OFF (second)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 2"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}
# test3
# global_option OFF
# bind line DFLT/OFF(first)
# crt-list ON (second)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 3"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}
# test4
# global_option OFF
# bind line DFLT OFF (second)
# crt-list ON (first)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 4"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}
# test5
# global_option ON
# bind line DFLT (second)
# crt-list OFF (first)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 5"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}
# test6
# global_option OFF
# bind line DFLT (second)
# crt-list ON (first)
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 6"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}
# test7
# global_option DFLT
# bind line -
# crt-list ON
# crt-list DFLT
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
server_ocsp_ecdsa.pem bar.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 7"
echo "$haproxy_output"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}
# test8
# global_option DFLT
# bind line -
# crt-list DFLT
# crt-list ON
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem bar.com
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 8"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}
# test9
# global_option ON
# bind line -
# crt-list OFF
# crt-list DFLT
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
server_ocsp_ecdsa.pem bar.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 9"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}
# test10
# global_option ON
# bind line -
# crt-list DFLT
# crt-list OFF
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem bar.com
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 10"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}
# test11
# global_option OFF
# bind line -
# crt-list ON
# crt-list DFLT
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
server_ocsp_ecdsa.pem bar.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 11"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}
# test12
# global_option OFF
# bind line -
# crt-list DFLT
# crt-list ON
shell {
cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem bar.com
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
haproxy_ret=$?
echo "==== test 12"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}