RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
haproxy/reg-tests
History
Remi Tricot-Le Breton 74f6ab6e87 MEDIUM: ssl: Keep a reference to the client's certificate for use in logs 
Most of the SSL sample fetches related to the client certificate were
based on the SSL_get_peer_certificate function which returns NULL when
the verification process failed. This made it impossible to use those
fetches in a log format since they would always be empty.

The patch adds a reference to the X509 object representing the client
certificate in the SSL structure and makes use of this reference in the
fetches.

The reference can only be obtained in ssl_sock_bind_verifycbk which
means that in case of an SSL error occurring before the verification
process ("no shared cipher" for instance, which happens while processing
the Client Hello), we won't ever start the verification process and it
will be impossible to get information about the client certificate.

This patch also allows most of the ssl_c_XXX fetches to return a usable
value in case of connection failure (because of a verification error for
instance) by making the "conn->flags & CO_FL_WAIT_XPRT" test (which
requires a connection to be established) less strict.

Thanks to this patch, a log-format such as the following should return
usable information in case of an error occurring during the verification
process :
    log-format "DN=%{+Q}[ssl_c_s_dn] serial=%[ssl_c_serial,hex] \
                hash=%[ssl_c_sha1,hex]"

It should answer to GitHub issue #693.
 		2021-08-19 23:26:05 +02:00
..
balance REGTEST: fix host part in balance-uri-path-only.vtc 2020-09-29 10:52:27 +02:00
cache BUG/MINOR: cache: Correctly handle existing-but-empty 'accept-encoding' header 2021-06-18 15:48:20 +02:00
checks REGTESTS: fix maxconn update with agent-check 2021-06-22 16:34:23 +02:00
compression REGTESTS: Remove REQUIRE_VERSION=1.6 from all tests 2021-06-11 19:21:28 +02:00
connection MAJOR: config: remove parsing of the global "nbproc" directive 2021-06-11 17:02:13 +02:00
contrib REGTESTS: contrib/prometheus-exporter: test well known labels 2021-02-19 18:03:59 +01:00
converter BUG/MINOR: mqtt: Support empty client ID in CONNECT message 2021-06-28 16:29:44 +02:00
filters CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
http-capture CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
http-cookies CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
http-errorfiles BUG/MINOR: http-rules: Fix ACLs parsing for http deny rules 2020-06-30 09:32:03 +02:00
http-messaging REGTESTS: add a test to prevent h2 desync attacks 2021-08-17 10:22:20 +02:00
http-rules REGTESTS: Remove REQUIRE_VERSION=1.7 from all tests 2021-06-11 19:21:28 +02:00
http-set-timeout REGTESTS: Fix required versions for several scripts 2021-01-28 16:37:14 +01:00
log REGTESTS: Fix required versions for several scripts 2021-01-28 16:37:14 +01:00
lua CLEANUP: assorted typo fixes in the code and comments 2021-08-16 12:37:59 +02:00
mailers REGTESTS: Remove REQUIRE_VERSION=1.6 from all tests 2021-06-11 19:21:28 +02:00
mcli REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
peers
sample_fetches REGTESTS: disable inter-thread idle connection sharing on sensitive tests 2021-05-09 14:41:41 +02:00
seamless-reload CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
server REGTESTS: server: fix dynamic server with checks test 2021-08-06 15:34:04 +02:00
spoe
ssl MEDIUM: ssl: Keep a reference to the client's certificate for use in logs 2021-08-19 23:26:05 +02:00
startup REGTESTS: add more complex check conditions to check_conditions.vtc 2021-07-17 11:01:47 +02:00
stick-table CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
stickiness CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
stream
webstats REGTESTS: Remove REQUIRE_VERSION=1.6 from all tests 2021-06-11 19:21:28 +02:00
README CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00

README 

                 * Regression testing for HAProxy with VTest *


This little README file is about how to compile and run vtest test case files (VTC files)
to test HAProxy for any regression.

To do so, you will have to compile vtest program sources which depends on
Varnish cache application sources. vtest, formerly varnishtest, is a very useful
program which has been developed to test Varnish cache application. vtest has been
modified in collaboration with Varnish cache conceptor Poul-Henning Kamp to support
HAProxy in addition to Varnish cache.

See also: doc/regression-testing.txt

* vtest compilation *

    $ git clone https://github.com/vtest/VTest

    $ cd VTest

    $ make vtest

  Then vtest program may be found at the root directory of vtest sources directory.
  The Varnish cache manuals are located in 'man' directory of Varnish cache sources
  directory. You will have to have a look at varnishtest(7) and vtc(7) manuals to
  use vtest.

  Some information may also be found in doc/regression-testing.txt in HAProxy
  sources.

  Note that VTC files for Varnish cache may be found in bin/varnishtest/tests directory
  of Varnish cache sources directory which may be found here:
  https://github.com/varnishcache/varnish-cache


* vtest execution *

  You must set HAPROXY_PROGRAM environment variable to give the location
  of the HAProxy program to test to vtest:

    $ HAPROXY_PROGRAM=<my haproxy program> vtest ...

  The HAProxy VTC files found in HAProxy sources may be run with the reg-tests
  Makefile target. You must set the VTEST_PROGRAM environment variable to
  give the location of the vtest program which has been previously compiled.

    $ VTEST_PROGRAM=<my vtest program> make reg-tests

  "reg-tests" Makefile target run scripts/run-regtest.sh script.
  To get more information about this script run it with --help option.

  Note that vtest is run with -t10 and -l option. -l option is to keep
  keep vtest temporary directory in case of failed test cases. core files
  may be found in this directory (if enabled by ulimit).


* vtest patches for HAProxy VTC files *

  When producing a patch to add a VTC regression testing file to reg-tests directory,
  please follow these simple rules:

    - If your VTC file needs others files, if possible, use the same basename as that
      of the VTC file,
    - Put these files in a directory with the same name as the code area concerned
      by the bug ('peers', 'lua', 'acl' etc).