RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-11 22:15:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
4ab27a2403
haproxy/reg-tests/ssl/ocsp_auto_update.vtc
Remi Tricot-Le Breton a6c0a59e9a MINOR: ssl: Use ocsp update task for "update ssl ocsp-response" command 
Instead of having a dedicated httpclient instance and its own code
decorrelated from the actual auto update one, the "update ssl
ocsp-response" will now use the update task in order to perform updates.

Since the cli command allows to update responses that were never
included in the auto update tree, a new flag was added to the
certificate_ocsp structure so that the said entry can be inserted into
the tree "by hand" and it won't be reinserted back into the tree after
the update process is performed. The 'update_once' flag "stole" a bit
from the 'fail_count' counter since it is the one less likely to reach
UINT_MAX among the ocsp counters of the certificate_ocsp structure.

This new logic required that every certificate_ocsp entry contained all
the ocsp-related information at all time since entries that are not
supposed to be configured automatically can still be updated through the
cli. The logic of the ssl_sock_load_ocsp was changed accordingly.
2023-03-14 11:07:32 +01:00

536 lines
22 KiB
Plaintext
Raw Blame History

#REGTEST_TYPE=slow
# broken with BoringSSL.
# This reg-test focuses on the OCSP response auto-update functionality. It does
# not test the full scope of the feature because most of it is based on
# expiration times and long delays between updates of valid OCSP responses.
# Automatic update of valid OCSP responses loaded during init will not be
# tested because by design, such a response would no be automatically updated
# until init+1H.
#
# This test will then focus on certificates that have a specified OCSP URI but
# no known OCSP response. For those certificates, OCSP requests are sent as
# soon as possible by the update task.
#
# The ocsp responder used in all the tests will be an openssl using the
# certificate database in ocsp_update/index.txt. It will listen on port 12346
# which is not the same as the one specified in the certificates' OCSP URI
# which point to port 12345. The link from port 12345 to port 12346 will be
# ensured through HAProxy instances that will enable logs, later used as a
# synchronization mean.
#
# Unfortunately some arbitrary "sleep" calls are still needed to leave some
# time for the ocsp update task to actually process the ocsp responses and
# reinsert them into the tree. This explains why the test's mode is set to
# "slow".
#
# The fourth test case focuses on the "update ssl ocsp-response" CLI command
# and tests two certificates that have a known OCSP response loaded during init
# but no OCSP auto update. The only difference between the two certificates is
# that one has a separate .issuer file while the other one has the issuer
# certificate directly in the main .pem file.
#
# If this test does not work anymore:
# - Check that you have openssl and socat
varnishtest "Test the OCSP auto update feature"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.7-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
feature cmd "command -v openssl && command -v socat"
feature ignore_unknown_macro
###################
# #
# FIRST TEST CASE #
# #
###################
# No automatic update should occur in this test case since we load two already
# valid OCSP responses during init which have a "Next Update" date really far
# in the future. So they should only be updated after one hour.
# This test will only be the most basic one where we check that ocsp response
# loading still works as expected.
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}/ocsp_update
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# We should have two distinct ocsp responses known that were loaded at build time
haproxy h1 -cli {
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
expect ~ "Cert Status: revoked"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
expect ~ "Cert Status: good"
}
haproxy h1 -wait
####################
# #
# SECOND TEST CASE #
# #
####################
# This test will focus on two separate certificates that have the same OCSP uri
# (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time.
# The update mode is set to 'on' in the two crt-lists used. The two ocsp
# responses should then be fetched automatically after init. We use an http
# listener as a rebound on which http log is enabled towards Syslog_http. This
# ensures that two requests are sent by the ocsp auto update task and it
# enables to use a barrier to synchronize the ocsp task and the subsequent cli
# calls. Thanks to the barrier we know that when calling "show ssl
# ocsp-response" on the cli, the two answers should already have been received
# and processed.
process p1 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
barrier b1 cond 2 -cyclic
syslog Syslog_http -level info {
recv
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
recv
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1"
barrier b1 sync
} -start
haproxy h2 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h2/stats" level admin
crt-base ${testdir}/ocsp_update
defaults
mode http
option httplog
log stderr local0 debug err
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-fe
bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-fe
bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
listen http_rebound_lst
mode http
option httplog
log ${Syslog_http_addr}:${Syslog_http_port} local0
bind "127.0.0.1:12345"
server s1 "127.0.0.1:12346"
} -start
barrier b1 sync
shell "sleep 1"
# We should have two distinct ocsp IDs known that were loaded at build time and
# the responses' contents should have been filled automatically by the ocsp
# update task after init
haproxy h2 -cli {
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
expect ~ "Cert Status: revoked"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
expect ~ "Cert Status: revoked"
}
haproxy h2 -wait
process p1 -wait -expect-exit 0
###################
# #
# THIRD TEST CASE #
# #
###################
# This test will be roughly the same as the second one but one of the crt-lists
# will not enable ocsp-update on its certificate. Only one request should then
# be sent.
process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start
barrier b2 cond 2 -cyclic
syslog Syslog_http2 -level info {
recv
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
barrier b2 sync
} -start
haproxy h3 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h3/stats" level admin
crt-base ${testdir}/ocsp_update
defaults
mode http
option httplog
log stderr local0 debug err
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-fe
bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-fe
bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
listen http_rebound_lst
mode http
option httplog
log ${Syslog_http2_addr}:${Syslog_http2_port} local0
bind "127.0.0.1:12345"
server s1 "127.0.0.1:12346"
} -start
barrier b2 sync
shell "sleep 1"
# We should have a single ocsp ID known that was loaded at build time and the
# response should be filled
haproxy h3 -cli {
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
send "show ssl ocsp-response"
expect !~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
expect ~ "Cert Status: revoked"
}
haproxy h3 -wait
process p2 -wait
####################
# #
# FOURTH TEST CASE #
# (CLI COMMAND) #
# #
####################
process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
haproxy h4 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h4/stats" level admin
crt-base ${testdir}/ocsp_update
defaults
mode http
option httplog
log stderr local0 debug err
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-ocsp
bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-ocsp
bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
listen http_rebound_lst
mode http
option httplog
bind "127.0.0.1:12345"
http-response set-var(proc.processed) int(1)
server s1 "127.0.0.1:12346"
} -start
# We need to "enable" the cli with a first cli call before using it only through socats
haproxy h4 -cli {
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
}
# We should have two OCSP responses loaded during init
shell {
responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -)
[ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \
echo "$responses" | grep "Serial Number: 1016" && \
echo "$responses" | grep "Serial Number: 1015"
}
shell {
echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: revoked"
}
shell {
echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: good"
}
# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer)
shell {
# Store the current "Produced At" in order to ensure that after the update
# the OCSP response actually changed
produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At")
echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
while ! echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - | grep 'proc.processed: type=sint value=<1>'
do
echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - >> /tmp/toto
sleep 0.5
done
echo "experimental-mode on;set var proc.processed int(0)" | socat "${tmpdir}/h4/stats" -
ocsp_response=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -)
new_produced_at=$(echo "$ocsp_response" | grep "Produced At")
echo "$ocsp_response" | grep -q "Serial Number: 1015" && \
echo "$ocsp_response" | grep -q "Cert Status: revoked" && \
[ "$new_produced_at" != "$produced_at" ]
}
# Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer)
shell {
# Store the current "Produced At" in order to ensure that after the update
# the OCSP response actually changed
produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At")
echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
while ! echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - | grep 'proc.processed: type=sint value=<1>'
do
echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - >> /tmp/toto
sleep 0.5
done
echo "experimental-mode on;set var proc.processed int(0)" | socat "${tmpdir}/h4/stats" -
ocsp_response=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -)
new_produced_at=$(echo "$ocsp_response" | grep "Produced At")
echo "$ocsp_response" | grep -q "Serial Number: 1016" && \
echo "$ocsp_response" | grep -q "Cert Status: revoked" && \
[ "$new_produced_at" != "$produced_at" ]
}
haproxy h4 -wait
process p3 -wait
####################
# #
# FIFTH TEST CASE #
# (CLI COMMAND) #
# #
####################
# Test the "show ssl ocsp-updates" command as well as the new 'base64' parameter
# to the "show ssl ocsp-response" command.
process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
barrier b5 cond 2 -cyclic
syslog Syslog_http5 -level info {
recv
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
recv
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1"
barrier b5 sync
} -start
haproxy h5 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h5/stats" level admin
crt-base ${testdir}/ocsp_update
defaults
mode http
option httplog
log stderr local0 debug err
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-fe
bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-fe
bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
listen http_rebound_lst
mode http
option httplog
log ${Syslog_http5_addr}:${Syslog_http5_port} local0
bind "127.0.0.1:12345"
server s1 "127.0.0.1:12346"
} -start
barrier b5 sync
shell "sleep 1"
# Use "show ssl ocsp-updates" CLI command
# We should have one line per OCSP response and each one of them should have been successfully updated once
# The command's output follows this format:
# OCSP Certid | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
haproxy h5 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*| 1 | 0 | 1 | Update successful"
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
}
# Use "show ssl ocsp-response" command to dump an OCSP response in base64
shell {
ocsp_resp_file="${tmpdir}.ocsp_resp.der"
echo "show ssl ocsp-response base64 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h5/stats" - | base64 -d > $ocsp_resp_file
if [ $? -eq 0 ]
then
ocsp_resp_txt="$(openssl ocsp -respin $ocsp_resp_file -noverify -text)"
echo "$ocsp_resp_txt" | grep "Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A" && \
echo "$ocsp_resp_txt" | grep "Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A" && \
echo "$ocsp_resp_txt" | grep "Serial Number: 1015" && \
echo "$ocsp_resp_txt" | grep "Cert Status: revoked"
else
return 1
fi
}
haproxy h5 -wait
process p5 -wait
####################
# #
# SIXTH TEST CASE #
# #
####################
# Check that a new certificate added via the CLI to a crt-list with
# the 'ocsp-update on' option will be taken into account by the OCSP
# auto update task
#
process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start
barrier b6 cond 2 -cyclic
syslog Syslog_http6 -level info {
recv
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
barrier b6 sync
} -start
haproxy h6 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h6/stats" level admin
crt-base ${testdir}
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
listen http_rebound_lst
mode http
option httplog
log ${Syslog_http6_addr}:${Syslog_http6_port} local0
bind "127.0.0.1:12345"
server s1 "127.0.0.1:12346"
} -start
# We need to "enable" the cli with a first cli call before using it only through socats
haproxy h6 -cli {
send "show ssl cert"
expect ~ ""
}
# Create a new certificate that has an OCSP uri and add it to the
# existing CLI with the 'ocsp-update on' command.
shell {
echo "new ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" -
printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" -
echo "commit ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" -
}
barrier b6 sync
shell "sleep 1"
haproxy h6 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
}
Reference in New Issue View Git Blame Copy Permalink