mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-02-01 11:01:46 +00:00
a89a2d8902
Regtest ocsp_auto_update.vtc used to fail here on FreeBSD because the base64 utility was not installed by default. Once installed it would still fail because the utility doesn't support -w to wrap lines. Since the regtest already relies on openssl base64 for a few commands, let's just rely on it for the other ones. The only limitation is that openssl freezes on lines longer than 1024 bytes, and doesn't seem to process more than 255 chars at once, which might be the reason for using base64 -w 1000 in the first place (the script was probably tested like this). Instead sed is efficient at wrapping long lines and does the job pretty well. The output was fixed at 72 chars so that the output is also readable on a terminal for debugging.
766 lines
31 KiB
Plaintext
766 lines
31 KiB
Plaintext
#REGTEST_TYPE=slow
|
|
# reg-test is around ~2.5s
|
|
|
|
# broken with BoringSSL.
|
|
|
|
# This reg-test focuses on the OCSP response auto-update functionality. It does
|
|
# not test the full scope of the feature because most of it is based on
|
|
# expiration times and long delays between updates of valid OCSP responses.
|
|
# Automatic update of valid OCSP responses loaded during init will not be
|
|
# tested because by design, such a response would no be automatically updated
|
|
# until init+1H.
|
|
#
|
|
# This test will then focus on certificates that have a specified OCSP URI but
|
|
# no known OCSP response. For those certificates, OCSP requests are sent as
|
|
# soon as possible by the update task.
|
|
#
|
|
# The ocsp responder used in all the tests will be an openssl using the
|
|
# certificate database in ocsp_update/index.txt. It will listen on port 12345
|
|
# which was specified explicitly in the certificates used in the tests.
|
|
# The synchronization will be based on the logs emitted by the OCSP update task
|
|
# directly. When this log is created, we will know that the update was
|
|
# effective and the updated OCSP response is loaded in the tree. So any
|
|
# following call to "show ssl ocsp-response" will display the latest response
|
|
# information.
|
|
#
|
|
# If this test does not work anymore:
|
|
# - Check that you have openssl and socat
|
|
|
|
varnishtest "Test the OCSP auto update feature"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && !ssllib_name_startswith(LibreSSL) && openssl_version_atleast(1.1.1)'"
|
|
feature cmd "command -v openssl && command -v socat"
|
|
feature ignore_unknown_macro
|
|
|
|
|
|
###################
|
|
# #
|
|
# FIRST TEST CASE #
|
|
# #
|
|
###################
|
|
|
|
# No automatic update should occur in this test case since we load two already
|
|
# valid OCSP responses during init which have a "Next Update" date really far
|
|
# in the future. So they should only be updated after one hour.
|
|
# This test will only be the most basic one where we check that ocsp response
|
|
# loading still works as expected.
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-fe
|
|
bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
} -start
|
|
|
|
|
|
# We should have two distinct ocsp responses known that were loaded at build time
|
|
haproxy h1 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
expect ~ "Cert Status: revoked"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
expect ~ "Cert Status: good"
|
|
}
|
|
|
|
haproxy h1 -wait
|
|
|
|
|
|
|
|
####################
|
|
# #
|
|
# SECOND TEST CASE #
|
|
# #
|
|
####################
|
|
|
|
# This test will focus on two separate certificates that have the same OCSP uri
|
|
# (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time.
|
|
# The update mode is set to 'on' in the two crt-lists used. The two ocsp
|
|
# responses should then be fetched automatically after init.
|
|
# We rely on the OCSP logs to ensure that the two updates are over before
|
|
# calling "show ssl ocsp-response". This is done through the Syslog_ocsp
|
|
# listener and a dedicated barrier.
|
|
|
|
process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
|
|
|
|
barrier b2 cond 2 -cyclic
|
|
|
|
syslog Syslog_ocsp -level notice {
|
|
recv
|
|
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
|
|
|
|
recv
|
|
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
|
|
|
|
barrier b2 sync
|
|
} -start
|
|
|
|
haproxy h2 -conf {
|
|
global
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h2/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
log ${Syslog_ocsp_addr}:${Syslog_ocsp_port} local0 notice notice
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-fe
|
|
bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-fe
|
|
bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
} -start
|
|
|
|
barrier b2 sync
|
|
|
|
# We should have two distinct ocsp IDs known that were loaded at build time and
|
|
# the responses' contents should have been filled automatically by the ocsp
|
|
# update task after init
|
|
haproxy h2 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
expect ~ "Cert Status: revoked"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
expect ~ "Cert Status: revoked"
|
|
}
|
|
|
|
haproxy h2 -wait
|
|
process p2 -wait -expect-exit 0
|
|
|
|
|
|
###################
|
|
# #
|
|
# THIRD TEST CASE #
|
|
# #
|
|
###################
|
|
|
|
# This test will be roughly the same as the second one but one of the crt-lists
|
|
# will not enable ocsp-update on its certificate. Only one request should then
|
|
# be sent.
|
|
|
|
process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
|
|
|
|
barrier b3 cond 2 -cyclic
|
|
|
|
syslog Syslog_ocsp3 -level notice {
|
|
recv
|
|
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
|
|
barrier b3 sync
|
|
} -start
|
|
|
|
haproxy h3 -conf {
|
|
global
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h3/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
log ${Syslog_ocsp3_addr}:${Syslog_ocsp3_port} local0 notice notice
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-fe
|
|
bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-fe
|
|
bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
} -start
|
|
|
|
barrier b3 sync
|
|
|
|
# We should have a single ocsp ID known that was loaded at build time and the
|
|
# response should be filled
|
|
haproxy h3 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
send "show ssl ocsp-response"
|
|
expect !~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
expect ~ "Cert Status: revoked"
|
|
}
|
|
|
|
haproxy h3 -wait
|
|
process p3 -wait
|
|
|
|
|
|
|
|
####################
|
|
# #
|
|
# FOURTH TEST CASE #
|
|
# (CLI COMMAND) #
|
|
# #
|
|
####################
|
|
# This test focuses on the "update ssl ocsp-response" CLI command and tests two
|
|
# certificates that have a known OCSP response loaded during init but no OCSP
|
|
# auto update. The only difference between the two certificates is that one has
|
|
# a separate .issuer file while the other one has the issuer certificate
|
|
# directly in the main .pem file.
|
|
# We store the original "Produced At" date of the responses loaded during init
|
|
# in haproxy proc variables in order to compare them to their new value after
|
|
# the update is performed.
|
|
|
|
process p4 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
|
|
|
|
barrier b4 cond 2 -cyclic
|
|
|
|
syslog Syslog_ocsp4 -level notice {
|
|
recv
|
|
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
|
|
|
|
recv
|
|
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
|
|
barrier b4 sync
|
|
} -start
|
|
|
|
haproxy h4 -conf {
|
|
global
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h4/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
log ${Syslog_ocsp4_addr}:${Syslog_ocsp4_port} local0 notice notice
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-ocsp
|
|
bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-ocsp
|
|
bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
} -start
|
|
|
|
# We need to "enable" the cli with a first cli call before using it only through socats
|
|
haproxy h4 -cli {
|
|
send "show ssl cert"
|
|
expect ~ ""
|
|
}
|
|
|
|
# We should have two OCSP responses loaded during init
|
|
shell {
|
|
responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -)
|
|
|
|
[ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \
|
|
echo "$responses" | grep "Serial Number: 1016" && \
|
|
echo "$responses" | grep "Serial Number: 1015"
|
|
}
|
|
|
|
haproxy h4 -cli {
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
expect ~ "Cert Status: revoked"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
expect ~ "Cert Status: good"
|
|
}
|
|
|
|
# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer)
|
|
shell {
|
|
# Store the current "Produced At" in order to ensure that after the update
|
|
# the OCSP response actually changed
|
|
produced_at1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
|
|
|
|
echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
|
|
|
|
# Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer)
|
|
# Store the current "Produced At" in order to ensure that after the update
|
|
# the OCSP response actually changed
|
|
produced_at2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
|
|
|
|
echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
|
|
|
|
echo "experimental-mode on;set var proc.produced_at1 str($produced_at1)" | socat "${tmpdir}/h4/stats" -
|
|
echo "experimental-mode on;set var proc.produced_at2 str($produced_at2)" | socat "${tmpdir}/h4/stats" -
|
|
}
|
|
|
|
barrier b4 sync
|
|
|
|
shell {
|
|
produced_at1_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
|
|
produced_at2_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
|
|
|
|
ocsp_response1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -)
|
|
ocsp_response2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -)
|
|
|
|
echo "$ocsp_response1" | grep -q "Serial Number: 1015" && \
|
|
echo "$ocsp_response1" | grep -q "Cert Status: revoked" && \
|
|
echo "$ocsp_response2" | grep -q "Serial Number: 1016" && \
|
|
echo "$ocsp_response2" | grep -q "Cert Status: revoked" && \
|
|
[ "$produced_at1_after" != "$(echo \"experimental-mode on; get var proc.produced_at1\" | socat \"${tmpdir}/h4/stats\")" ] && \
|
|
[ "$produced_at2_after" != "$(echo \"experimental-mode on; get var proc.produced_at2\" | socat \"${tmpdir}/h4/stats\")" ]
|
|
|
|
}
|
|
|
|
haproxy h4 -wait
|
|
process p4 -wait
|
|
|
|
|
|
####################
|
|
# #
|
|
# FIFTH TEST CASE #
|
|
# (CLI COMMAND) #
|
|
# #
|
|
####################
|
|
|
|
# Test the "show ssl ocsp-updates" command as well as the new 'base64' parameter
|
|
# to the "show ssl ocsp-response" command.
|
|
|
|
|
|
process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
|
|
|
|
barrier b5 cond 2 -cyclic
|
|
|
|
syslog Syslog_ocsp5 -level notice {
|
|
recv
|
|
expect ~ "<OCSP-UPDATE> .*/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
|
|
|
|
recv
|
|
expect ~ "<OCSP-UPDATE> .*/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
|
|
|
|
barrier b5 sync
|
|
} -start
|
|
|
|
haproxy h5 -conf {
|
|
global
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h5/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
log ${Syslog_ocsp5_addr}:${Syslog_ocsp5_port} local0 notice notice
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-fe
|
|
bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-fe
|
|
bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
} -start
|
|
|
|
barrier b5 sync
|
|
|
|
# Use "show ssl ocsp-updates" CLI command
|
|
# We should have one line per OCSP response and each one of them should have been successfully updated once
|
|
# The command's output follows this format:
|
|
# OCSP Certid | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
|
|
haproxy h5 -cli {
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*| 1 | 0 | 1 | Update successful"
|
|
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
|
|
}
|
|
|
|
# Use "show ssl ocsp-response" command to dump an OCSP response in base64
|
|
shell {
|
|
ocsp_resp_file="${tmpdir}.ocsp_resp.der"
|
|
|
|
echo "show ssl ocsp-response base64 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h5/stats" - | sed -e 's/.\{72\}/&\n/g' | openssl base64 -d | tee /tmp/with-o64 > $ocsp_resp_file
|
|
|
|
if [ $? -eq 0 ]
|
|
then
|
|
ocsp_resp_txt="$(openssl ocsp -respin $ocsp_resp_file -noverify -text)"
|
|
echo "$ocsp_resp_txt" | grep "Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A" && \
|
|
echo "$ocsp_resp_txt" | grep "Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A" && \
|
|
echo "$ocsp_resp_txt" | grep "Serial Number: 1015" && \
|
|
echo "$ocsp_resp_txt" | grep "Cert Status: revoked"
|
|
else
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
haproxy h5 -wait
|
|
process p5 -wait
|
|
|
|
|
|
####################
|
|
# #
|
|
# SIXTH TEST CASE #
|
|
# #
|
|
####################
|
|
|
|
# Check that a new certificate added via the CLI to a crt-list with
|
|
# the 'ocsp-update on' option will be taken into account by the OCSP
|
|
# auto update task
|
|
#
|
|
process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
|
|
|
|
barrier b6 cond 2 -cyclic
|
|
|
|
syslog Syslog_ocsp6 -level notice {
|
|
recv
|
|
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
|
|
|
|
barrier b6 sync
|
|
} -start
|
|
|
|
haproxy h6 -conf {
|
|
global
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h6/stats" level admin
|
|
crt-base ${testdir}
|
|
log ${Syslog_ocsp6_addr}:${Syslog_ocsp6_port} local0 notice notice
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-fe
|
|
bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
} -start
|
|
|
|
# We need to "enable" the cli with a first cli call before using it only through socats
|
|
haproxy h6 -cli {
|
|
send "show ssl cert"
|
|
expect ~ ""
|
|
}
|
|
|
|
# Create a new certificate that has an OCSP uri and add it to the
|
|
# existing CLI with the 'ocsp-update on' command.
|
|
shell {
|
|
echo "new ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
|
|
printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" -
|
|
printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" -
|
|
echo "commit ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
|
|
|
|
printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" -
|
|
}
|
|
|
|
barrier b6 sync
|
|
|
|
haproxy h6 -cli {
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
|
|
}
|
|
|
|
haproxy h6 -wait
|
|
process p6 -wait
|
|
|
|
|
|
######################
|
|
# #
|
|
# SEVENTH TEST CASE #
|
|
# #
|
|
######################
|
|
|
|
# Check that the global "tune.ocsp-update.mode" option works and that it
|
|
# applies to certificates added via the CLI as well.
|
|
#
|
|
process p7 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
|
|
|
|
barrier b7 cond 2 -cyclic
|
|
|
|
syslog Syslog_ocsp7 -level notice {
|
|
recv
|
|
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
|
|
|
|
barrier b7 sync
|
|
|
|
recv
|
|
expect ~ "<OCSP-UPDATE> ${testdir}/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
|
|
|
|
barrier b7 sync
|
|
} -start
|
|
|
|
haproxy h7 -conf {
|
|
global
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h7/stats" level admin
|
|
crt-base ${testdir}
|
|
ocsp-update.mode on
|
|
log ${Syslog_ocsp7_addr}:${Syslog_ocsp7_port} local0 notice notice
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-fe
|
|
bind "${tmpdir}/ssl_h7.sock" ssl crt ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
bind "${tmpdir}/ssl_h7_2.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
} -start
|
|
|
|
barrier b7 sync
|
|
|
|
# Create a new certificate that has an OCSP uri and add it to the
|
|
# existing CLI with the 'ocsp-update on' command.
|
|
shell {
|
|
echo "new ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
|
|
printf "set ssl cert ${testdir}/server_ocsp_rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" -
|
|
echo "commit ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
|
|
|
|
# We should have ocsp-update enabled via the global option
|
|
printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" -
|
|
}
|
|
|
|
barrier b7 sync
|
|
|
|
haproxy h7 -cli {
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful"
|
|
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful"
|
|
}
|
|
|
|
haproxy h7 -wait
|
|
process p7 -wait
|
|
|
|
|
|
######################
|
|
# #
|
|
# EIGHTH TEST CASE #
|
|
# #
|
|
######################
|
|
|
|
#
|
|
# Check that removing crt-list instances does not remove the OCSP responses
|
|
# from the tree but that they will not be auto updated anymore if the last
|
|
# instance is removed (via del ssl crt-list).
|
|
#
|
|
|
|
haproxy h8 -conf {
|
|
global
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h8/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-fe
|
|
bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
listen http_rebound_lst
|
|
mode http
|
|
bind "127.0.0.1:12345"
|
|
server s1 "127.0.0.1:12346"
|
|
} -start
|
|
|
|
# Check that the two certificates are taken into account in the auto update process
|
|
haproxy h8 -cli {
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*"
|
|
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
|
|
}
|
|
|
|
# Remove the second line from the crt-list and check that the corresponding
|
|
# ocsp response was removed from the auto update list but is still present in the
|
|
# system
|
|
haproxy h8 -cli {
|
|
send "del ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
|
|
expect ~ "Entry.*deleted in crtlist"
|
|
|
|
send "show ssl ocsp-updates"
|
|
expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
|
|
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
|
|
send "show ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
|
|
expect ~ ".* Cert Status: good.*"
|
|
}
|
|
|
|
# Add the previously removed crt-list line with auto-update enabled and check that
|
|
# the ocsp response appears in the auto update list
|
|
shell {
|
|
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list"
|
|
}
|
|
|
|
haproxy h8 -cli {
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
|
|
}
|
|
|
|
# Check that the auto update option consistency check work even when crt-list
|
|
# lines are added through the cli
|
|
shell {
|
|
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
haproxy h8 -wait
|
|
|
|
####################
|
|
# #
|
|
# NINTH TEST CASE #
|
|
# #
|
|
####################
|
|
|
|
#
|
|
# Check that a certificate created through the CLI and which does not have ocsp
|
|
# update enabled can be updated via "update ssl ocsp-response" command.
|
|
#
|
|
|
|
process p9 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
|
|
|
|
barrier b9 cond 2 -cyclic
|
|
|
|
syslog Syslog_ocsp9 -level notice {
|
|
recv
|
|
expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/rsa.pem 1 \"Update successful\" 0 1"
|
|
|
|
barrier b9 sync
|
|
} -start
|
|
|
|
|
|
haproxy h9 -conf {
|
|
global
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h9/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
log ${Syslog_ocsp9_addr}:${Syslog_ocsp9_port} local0 notice notice
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-fe
|
|
bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
} -start
|
|
|
|
# We need to "enable" the cli with a first cli call before using it only through socats
|
|
haproxy h9 -cli {
|
|
send "show ssl cert"
|
|
expect ~ ""
|
|
}
|
|
|
|
# Create a new certificate and add it in the crt-list with ocsp auto-update enabled
|
|
shell {
|
|
echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
|
|
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" -
|
|
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" -
|
|
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(openssl base64 < ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" -
|
|
echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
|
|
|
|
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" -
|
|
}
|
|
|
|
# Check that the line is in the crt-list
|
|
haproxy h9 -cli {
|
|
send "show ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list"
|
|
expect ~ "${testdir}/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar"
|
|
}
|
|
|
|
# Check that the new certificate is NOT in the auto update list
|
|
haproxy h9 -cli {
|
|
send "show ssl ocsp-updates"
|
|
expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015.*"
|
|
}
|
|
|
|
shell {
|
|
echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
|
|
}
|
|
|
|
barrier b9 sync
|
|
|
|
haproxy h9 -cli {
|
|
send "show ssl ocsp-response ${testdir}/ocsp_update/rsa.pem"
|
|
expect ~ ".* Cert Status: revoked.*"
|
|
}
|
|
|
|
haproxy h9 -wait
|
|
process p9 -wait
|