haproxy/reg-tests/ssl
Remi Tricot-Le Breton 74f6ab6e87 MEDIUM: ssl: Keep a reference to the client's certificate for use in logs
Most of the SSL sample fetches related to the client certificate were
based on the SSL_get_peer_certificate function which returns NULL when
the verification process failed. This made it impossible to use those
fetches in a log format since they would always be empty.

The patch adds a reference to the X509 object representing the client
certificate in the SSL structure and makes use of this reference in the
fetches.

The reference can only be obtained in ssl_sock_bind_verifycbk which
means that in case of an SSL error occurring before the verification
process ("no shared cipher" for instance, which happens while processing
the Client Hello), we won't ever start the verification process and it
will be impossible to get information about the client certificate.

This patch also allows most of the ssl_c_XXX fetches to return a usable
value in case of connection failure (because of a verification error for
instance) by making the "conn->flags & CO_FL_WAIT_XPRT" test (which
requires a connection to be established) less strict.

Thanks to this patch, a log-format such as the following should return
usable information in case of an error occurring during the verification
process:
    log-format "DN=%{+Q}[ssl_c_s_dn] serial=%[ssl_c_serial,hex] \
                hash=%[ssl_c_sha1,hex]"

It should answer GitHub issue #693.
2021-08-19 23:26:05 +02:00
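The commit message shows the log-format fragment but not the listener it hangs off. The configuration below is an added example (not part of the commit or of the reg-tests in this directory) of how a practitioner would put these fetches to work: the bind line keeps "verify required" but tells OpenSSL to finish the handshake even when the client certificate fails verification (crt-ignore-err/ca-ignore-err), so that the request reaches the HTTP layer, is denied there, and is logged together with the certificate's DN, serial, SHA-1 fingerprint and the OpenSSL verify result. The certificate paths, port, frontend/backend names and the log destination are assumptions for illustration.

```haproxy
global
    # Send the access log to stdout so the fields below are easy to inspect.
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend mtls_in
    # Assumed paths: server.pem = server cert + key, ca-auth.crt = CA that signs client certs.
    # crt-ignore-err/ca-ignore-err let the TLS handshake complete despite a failed
    # verification, so ssl_c_* fetches and ssl_c_verify can be logged below.
    bind :8443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca-auth.crt verify required crt-ignore-err all ca-ignore-err all

    # ssl_c_used    -> 1 if the client presented a certificate at all
    # ssl_c_verify  -> OpenSSL verify result, 0 on success
    # ssl_c_err / ssl_c_ca_err -> first error at depth 0 / at CA depth
    log-format "%ci:%cp [%tr] %ft used=%[ssl_c_used] verify=%[ssl_c_verify] err=%[ssl_c_err] ca_err=%[ssl_c_ca_err] DN=%{+Q}[ssl_c_s_dn] serial=%[ssl_c_serial,hex] hash=%[ssl_c_sha1,hex] \"%r\" %ST"

    # Enforce the mTLS decision at the HTTP layer so the rejected request still
    # produces a full log line with the certificate details above.
    http-request deny status 403 unless { ssl_c_verify 0 }

    default_backend app

backend app
    server app1 127.0.0.1:8080
```

The caveat from the commit message still applies: the certificate reference is only taken in the verify callback, so a handshake that dies before verification (no shared cipher, or a client that presents no certificate at all under "verify required") produces none of the ssl_c_* values, and "used=0" or an empty field is the expected output in that case, not a misconfiguration. Deciding at the HTTP layer rather than aborting the handshake is what makes the DN/serial/fingerprint of an expired or revoked client certificate appear in the log.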
README
add_ssl_crt-list.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
ca-auth.crt
cert1-example.com.pem.ecdsa
cert1-example.com.pem.rsa
cert2-example.com.pem.ecdsa
cert2-example.com.pem.rsa
client1.pem
client2_expired.pem
client3_revoked.pem
common.crt
common.key
common.pem
crl-auth.pem
del_ssl_crt-list.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
ecdsa.crt
ecdsa.key
ecdsa.pem
filters.crt-list
interCA1_crl.pem REGTESTS: ssl: Add "set/commit ssl crl-file" test 2021-05-17 10:50:24 +02:00
interCA1_crl_empty.pem REGTESTS: ssl: Add "set/commit ssl crl-file" test 2021-05-17 10:50:24 +02:00
interCA2_crl.pem REGTESTS: ssl: Add "set/commit ssl crl-file" test 2021-05-17 10:50:24 +02:00
interCA2_crl_empty.pem REGTESTS: ssl: Add "set/commit ssl crl-file" test 2021-05-17 10:50:24 +02:00
localhost.crt-list
new_del_ssl_cafile.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
new_del_ssl_crlfile.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
rootCA_crl.pem REGTESTS: ssl: Add "set/commit ssl crl-file" test 2021-05-17 10:50:24 +02:00
set_cafile_client.pem REGTESTS: ssl: Add new ca-file update tests 2021-05-17 10:50:24 +02:00
set_cafile_interCA1.crt REGTESTS: ssl: Add new ca-file update tests 2021-05-17 10:50:24 +02:00
set_cafile_interCA2.crt REGTESTS: ssl: Add new ca-file update tests 2021-05-17 10:50:24 +02:00
set_cafile_rootCA.crt REGTESTS: ssl: Add new ca-file update tests 2021-05-17 10:50:24 +02:00
set_cafile_server.pem REGTESTS: ssl: Add new ca-file update tests 2021-05-17 10:50:24 +02:00
set_default_cert.crt-list
set_default_cert.pem
set_ssl_cafile.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
set_ssl_cert.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
set_ssl_cert_bundle.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
set_ssl_cert_noext.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
set_ssl_crlfile.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
set_ssl_server_cert.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
show_ocsp_server.pem REGTESTS: ssl: Add "show ssl ocsp-response" test 2021-06-10 16:44:11 +02:00
show_ocsp_server.pem.issuer REGTESTS: ssl: Add "show ssl ocsp-response" test 2021-06-10 16:44:11 +02:00
show_ocsp_server.pem.ocsp REGTESTS: ssl: Add "show ssl ocsp-response" test 2021-06-10 16:44:11 +02:00
show_ocsp_server.pem.ocsp.revoked REGTESTS: ssl: Add "show ssl ocsp-response" test 2021-06-10 16:44:11 +02:00
show_ssl_ocspresponse.vtc REGTESTS: Replace REQUIRE_BINARIES with 'command -v' 2021-06-17 14:59:55 +02:00
simple.crt-list
ssl_client_auth.vtc REGTESTS: Remove REQUIRE_VERSION=1.6 from all tests 2021-06-11 19:21:28 +02:00
ssl_client_samples.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
ssl_crt-list_filters.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
ssl_default_server.vtc BUG/MINOR: ssl: Default-server configuration ignored by server 2021-07-13 18:35:38 +02:00
ssl_errors.vtc MEDIUM: ssl: Keep a reference to the client's certificate for use in logs 2021-08-19 23:26:05 +02:00
ssl_frontend_samples.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
ssl_server_samples.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
ssl_simple_crt-list.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00
wrong_ctx_storage.vtc CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests 2021-06-04 15:41:21 +02:00

README

File list:
 - common.pem: PEM file which may be used by most of the VTC files.