mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-19 01:54:37 +00:00
acd546b07c
This test verifies that a certificate is in a "Unused" state once every server which uses it are dynamically removed.
113 lines
2.7 KiB
Plaintext
113 lines
2.7 KiB
Plaintext
#REGTEST_TYPE=bug
|
|
# Test if a certicate can be dynamically updated once a server which used it
|
|
# was removed.
|
|
#
|
|
varnishtest "Delete server via cli and update certificates"
|
|
|
|
feature ignore_unknown_macro
|
|
|
|
#REQUIRE_VERSION=2.4
|
|
#REQUIRE_OPTIONS=OPENSSL
|
|
feature cmd "command -v socat"
|
|
|
|
# static server
|
|
server s1 -repeat 3 {
|
|
rxreq
|
|
txresp \
|
|
-body "resp from s1"
|
|
} -start
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
|
|
defaults
|
|
mode http
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend fe
|
|
bind "fd@${feS}"
|
|
default_backend test
|
|
|
|
backend test
|
|
server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
|
|
server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
|
|
server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
|
|
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem"
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
} -start
|
|
|
|
|
|
haproxy h1 -cli {
|
|
send "show ssl cert ${testdir}/client1.pem"
|
|
expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
|
|
}
|
|
client c1 -connect ${h1_feS_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.body == "resp from s1"
|
|
} -run
|
|
|
|
haproxy h1 -cli {
|
|
send "show ssl cert ${testdir}/client1.pem"
|
|
expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
|
|
}
|
|
|
|
## delete the servers
|
|
haproxy h1 -cli {
|
|
send "disable server test/s1"
|
|
expect ~ ".*"
|
|
send "disable server test/s2"
|
|
expect ~ ".*"
|
|
send "disable server test/s3"
|
|
expect ~ ".*"
|
|
|
|
# valid command
|
|
send "experimental-mode on; del server test/s1"
|
|
expect ~ "Server deleted."
|
|
send "experimental-mode on; del server test/s2"
|
|
expect ~ "Server deleted."
|
|
send "experimental-mode on; del server test/s3"
|
|
expect ~ "Server deleted."
|
|
}
|
|
|
|
# Replace certificate with an expired one
|
|
shell {
|
|
printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
haproxy h1 -cli {
|
|
send "show ssl cert ${testdir}/client1.pem"
|
|
expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
|
|
}
|
|
|
|
haproxy h1 -cli {
|
|
send "show ssl cert ${testdir}/client1.pem"
|
|
expect ~ ".*Status: Unused"
|
|
}
|
|
|
|
haproxy h1 -cli {
|
|
send "experimental-mode on; add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem"
|
|
expect ~ "New server registered."
|
|
send "enable server test/s1"
|
|
expect ~ ".*"
|
|
send "show ssl cert ${testdir}/client1.pem"
|
|
expect ~ ".*Status: Used"
|
|
}
|
|
|
|
|
|
# check that servers are active
|
|
client c1 -connect ${h1_feS_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.body == "resp from s1"
|
|
} -run
|
|
|