haproxy/reg-tests/ssl
Remi Tricot-Le Breton 74f6ab6e87 MEDIUM: ssl: Keep a reference to the client's certificate for use in logs
Most of the SSL sample fetches related to the client certificate were
based on the SSL_get_peer_certificate function which returns NULL when
the verification process failed. This made it impossible to use those
fetches in a log format since they would always be empty.

The patch adds a reference to the X509 object representing the client
certificate in the SSL structure and makes use of this reference in the
fetches.

The reference can only be obtained in ssl_sock_bind_verifycbk which
means that in case of an SSL error occurring before the verification
process ("no shared cipher" for instance, which happens while processing
the Client Hello), we won't ever start the verification process and it
will be impossible to get information about the client certificate.

This patch also allows most of the ssl_c_XXX fetches to return a usable
value in case of connection failure (because of a verification error for
instance) by making the "conn->flags & CO_FL_WAIT_XPRT" test (which
requires a connection to be established) less strict.

Thanks to this patch, a log-format such as the following should return
usable information in case of an error occurring during the verification
process :
    log-format "DN=%{+Q}[ssl_c_s_dn] serial=%[ssl_c_serial,hex] \
                hash=%[ssl_c_sha1,hex]"

It should answer to GitHub issue #693.
2021-08-19 23:26:05 +02:00
..
README
add_ssl_crt-list.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
ca-auth.crt REGTEST: ssl: test the client certificate authentication 2020-04-28 22:04:13 +02:00
cert1-example.com.pem.ecdsa REGTESTS: ssl: "set ssl cert" and multi-certificates bundle 2021-04-02 15:47:17 +02:00
cert1-example.com.pem.rsa REGTESTS: ssl: "set ssl cert" and multi-certificates bundle 2021-04-02 15:47:17 +02:00
cert2-example.com.pem.ecdsa REGTESTS: ssl: "set ssl cert" and multi-certificates bundle 2021-04-02 15:47:17 +02:00
cert2-example.com.pem.rsa REGTESTS: ssl: "set ssl cert" and multi-certificates bundle 2021-04-02 15:47:17 +02:00
client1.pem MINOR: ssl: add ssl_{c,s}_chain_der fetch methods 2020-08-07 15:38:40 +02:00
client2_expired.pem REGTEST: ssl: test the client certificate authentication 2020-04-28 22:04:13 +02:00
client3_revoked.pem REGTEST: ssl: test the client certificate authentication 2020-04-28 22:04:13 +02:00
common.crt REGTEST: ssl: test "set ssl cert" with separate key / crt 2020-10-23 18:41:08 +02:00
common.key REGTEST: ssl: test "set ssl cert" with separate key / crt 2020-10-23 18:41:08 +02:00
common.pem MINOR: ssl: add ssl_{c,s}_chain_der fetch methods 2020-08-07 15:38:40 +02:00
crl-auth.pem REGTEST: ssl: test the client certificate authentication 2020-04-28 22:04:13 +02:00
del_ssl_crt-list.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
ecdsa.crt REGTEST: ssl: test "set ssl cert" with separate key / crt 2020-10-23 18:41:08 +02:00
ecdsa.key REGTEST: ssl: test "set ssl cert" with separate key / crt 2020-10-23 18:41:08 +02:00
ecdsa.pem
filters.crt-list REGTEST: ssl: test wildcard and multi-type + exclusions 2020-11-06 14:59:36 +01:00
interCA1_crl.pem REGTESTS: ssl: Add "set/commit ssl crl-file" test 2021-05-17 10:50:24 +02:00
interCA1_crl_empty.pem REGTESTS: ssl: Add "set/commit ssl crl-file" test 2021-05-17 10:50:24 +02:00
interCA2_crl.pem REGTESTS: ssl: Add "set/commit ssl crl-file" test 2021-05-17 10:50:24 +02:00
interCA2_crl_empty.pem REGTESTS: ssl: Add "set/commit ssl crl-file" test 2021-05-17 10:50:24 +02:00
localhost.crt-list
new_del_ssl_cafile.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
new_del_ssl_crlfile.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
rootCA_crl.pem REGTESTS: ssl: Add "set/commit ssl crl-file" test 2021-05-17 10:50:24 +02:00
set_cafile_client.pem REGTESTS: ssl: Add new ca-file update tests 2021-05-17 10:50:24 +02:00
set_cafile_interCA1.crt REGTESTS: ssl: Add new ca-file update tests 2021-05-17 10:50:24 +02:00
set_cafile_interCA2.crt REGTESTS: ssl: Add new ca-file update tests 2021-05-17 10:50:24 +02:00
set_cafile_rootCA.crt REGTESTS: ssl: Add new ca-file update tests 2021-05-17 10:50:24 +02:00
set_cafile_server.pem REGTESTS: ssl: Add new ca-file update tests 2021-05-17 10:50:24 +02:00
set_default_cert.crt-list BUG/MINOR: ssl: Fix update of default certificate 2021-03-26 13:06:29 +01:00
set_default_cert.pem BUG/MINOR: ssl: Fix update of default certificate 2021-03-26 13:06:29 +01:00
set_ssl_cafile.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
set_ssl_cert.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
set_ssl_cert_bundle.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
set_ssl_cert_noext.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
set_ssl_crlfile.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
set_ssl_server_cert.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
show_ocsp_server.pem REGTESTS: ssl: Add "show ssl ocsp-response" test 2021-06-10 16:44:11 +02:00
show_ocsp_server.pem.issuer REGTESTS: ssl: Add "show ssl ocsp-response" test 2021-06-10 16:44:11 +02:00
show_ocsp_server.pem.ocsp REGTESTS: ssl: Add "show ssl ocsp-response" test 2021-06-10 16:44:11 +02:00
show_ocsp_server.pem.ocsp.revoked REGTESTS: ssl: Add "show ssl ocsp-response" test 2021-06-10 16:44:11 +02:00
show_ssl_ocspresponse.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
simple.crt-list BUG/MEDIUM: ssl/crt-list: correctly insert crt-list line if crt already loaded 2020-11-06 16:39:39 +01:00
ssl_client_auth.vtc REGTESTS: Remove REQUIRE_VERSION=1.6 from all tests 2021-06-11 19:21:28 +02:00
ssl_client_samples.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
ssl_crt-list_filters.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
ssl_default_server.vtc BUG/MINOR: ssl: Default-server configuration ignored by server 2021-07-13 18:35:38 +02:00
ssl_errors.vtc MEDIUM: ssl: Keep a reference to the client's certificate for use in logs 2021-08-19 23:26:05 +02:00
ssl_frontend_samples.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
ssl_server_samples.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
ssl_simple_crt-list.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
wrong_ctx_storage.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00

README

File list:
 - common.pem: PEM file which may be used by most of the VTC files.