mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-29 08:02:08 +00:00
4895fdac5a
This patch reverts 2 fixes that were made in an attempt to fix the
ocsp-update feature used with the 'commit ssl cert' command.
The patches crash the worker when doing a soft-stop when the 'set ssl
ocsp-response' command was used, or during runtime if the ocsp-update
was used.
This was reported in issue #2462 and #2442.
The last patch reverted is the associated reg-test.
Revert "BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing"
This reverts commit 5e66bf26ec
.
Revert "BUG/MEDIUM: ocsp: Separate refcount per instance and per store"
This reverts commit 04b77f84d1b52185fc64735d7d81137479d68b00.
Revert "REGTESTS: ssl: Add OCSP related tests"
This reverts commit acd1b85d3442fc58164bd0fb96e72f3d4b501d15.
536 lines
22 KiB
Plaintext
536 lines
22 KiB
Plaintext
#REGTEST_TYPE=slow
|
|
|
|
# broken with BoringSSL.
|
|
|
|
# This reg-test focuses on the OCSP response auto-update functionality. It does
|
|
# not test the full scope of the feature because most of it is based on
|
|
# expiration times and long delays between updates of valid OCSP responses.
|
|
# Automatic update of valid OCSP responses loaded during init will not be
|
|
# tested because by design, such a response would no be automatically updated
|
|
# until init+1H.
|
|
#
|
|
# This test will then focus on certificates that have a specified OCSP URI but
|
|
# no known OCSP response. For those certificates, OCSP requests are sent as
|
|
# soon as possible by the update task.
|
|
#
|
|
# The ocsp responder used in all the tests will be an openssl using the
|
|
# certificate database in ocsp_update/index.txt. It will listen on port 12346
|
|
# which is not the same as the one specified in the certificates' OCSP URI
|
|
# which point to port 12345. The link from port 12345 to port 12346 will be
|
|
# ensured through HAProxy instances that will enable logs, later used as a
|
|
# synchronization mean.
|
|
#
|
|
# Unfortunately some arbitrary "sleep" calls are still needed to leave some
|
|
# time for the ocsp update task to actually process the ocsp responses and
|
|
# reinsert them into the tree. This explains why the test's mode is set to
|
|
# "slow".
|
|
#
|
|
# The fourth test case focuses on the "update ssl ocsp-response" CLI command
|
|
# and tests two certificates that have a known OCSP response loaded during init
|
|
# but no OCSP auto update. The only difference between the two certificates is
|
|
# that one has a separate .issuer file while the other one has the issuer
|
|
# certificate directly in the main .pem file.
|
|
#
|
|
# If this test does not work anymore:
|
|
# - Check that you have openssl and socat
|
|
|
|
varnishtest "Test the OCSP auto update feature"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.7-dev0)'"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
|
|
feature cmd "command -v openssl && command -v socat"
|
|
feature ignore_unknown_macro
|
|
|
|
|
|
###################
|
|
# #
|
|
# FIRST TEST CASE #
|
|
# #
|
|
###################
|
|
|
|
# No automatic update should occur in this test case since we load two already
|
|
# valid OCSP responses during init which have a "Next Update" date really far
|
|
# in the future. So they should only be updated after one hour.
|
|
# This test will only be the most basic one where we check that ocsp response
|
|
# loading still works as expected.
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-fe
|
|
bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
} -start
|
|
|
|
|
|
# We should have two distinct ocsp responses known that were loaded at build time
|
|
haproxy h1 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
expect ~ "Cert Status: revoked"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
expect ~ "Cert Status: good"
|
|
}
|
|
|
|
haproxy h1 -wait
|
|
|
|
|
|
|
|
####################
|
|
# #
|
|
# SECOND TEST CASE #
|
|
# #
|
|
####################
|
|
|
|
# This test will focus on two separate certificates that have the same OCSP uri
|
|
# (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time.
|
|
# The update mode is set to 'on' in the two crt-lists used. The two ocsp
|
|
# responses should then be fetched automatically after init. We use an http
|
|
# listener as a rebound on which http log is enabled towards Syslog_http. This
|
|
# ensures that two requests are sent by the ocsp auto update task and it
|
|
# enables to use a barrier to synchronize the ocsp task and the subsequent cli
|
|
# calls. Thanks to the barrier we know that when calling "show ssl
|
|
# ocsp-response" on the cli, the two answers should already have been received
|
|
# and processed.
|
|
|
|
process p1 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
|
|
|
|
barrier b1 cond 2 -cyclic
|
|
|
|
syslog Syslog_http -level info {
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
|
|
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1"
|
|
|
|
barrier b1 sync
|
|
} -start
|
|
|
|
haproxy h2 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h2/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-fe
|
|
bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-fe
|
|
bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
listen http_rebound_lst
|
|
mode http
|
|
option httplog
|
|
log ${Syslog_http_addr}:${Syslog_http_port} local0
|
|
bind "127.0.0.1:12345"
|
|
server s1 "127.0.0.1:12346"
|
|
} -start
|
|
|
|
barrier b1 sync
|
|
|
|
shell "sleep 1"
|
|
|
|
# We should have two distinct ocsp IDs known that were loaded at build time and
|
|
# the responses' contents should have been filled automatically by the ocsp
|
|
# update task after init
|
|
haproxy h2 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
expect ~ "Cert Status: revoked"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
expect ~ "Cert Status: revoked"
|
|
}
|
|
|
|
haproxy h2 -wait
|
|
process p1 -wait -expect-exit 0
|
|
|
|
|
|
###################
|
|
# #
|
|
# THIRD TEST CASE #
|
|
# #
|
|
###################
|
|
|
|
# This test will be roughly the same as the second one but one of the crt-lists
|
|
# will not enable ocsp-update on its certificate. Only one request should then
|
|
# be sent.
|
|
|
|
process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start
|
|
|
|
barrier b2 cond 2 -cyclic
|
|
|
|
syslog Syslog_http2 -level info {
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
|
|
|
|
barrier b2 sync
|
|
} -start
|
|
|
|
haproxy h3 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h3/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-fe
|
|
bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-fe
|
|
bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
listen http_rebound_lst
|
|
mode http
|
|
option httplog
|
|
log ${Syslog_http2_addr}:${Syslog_http2_port} local0
|
|
bind "127.0.0.1:12345"
|
|
server s1 "127.0.0.1:12346"
|
|
} -start
|
|
|
|
barrier b2 sync
|
|
|
|
shell "sleep 1"
|
|
|
|
# We should have a single ocsp ID known that was loaded at build time and the
|
|
# response should be filled
|
|
haproxy h3 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
send "show ssl ocsp-response"
|
|
expect !~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
expect ~ "Cert Status: revoked"
|
|
}
|
|
|
|
haproxy h3 -wait
|
|
process p2 -wait
|
|
|
|
|
|
|
|
####################
|
|
# #
|
|
# FOURTH TEST CASE #
|
|
# (CLI COMMAND) #
|
|
# #
|
|
####################
|
|
|
|
process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
|
|
|
|
haproxy h4 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h4/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-ocsp
|
|
bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-ocsp
|
|
bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
listen http_rebound_lst
|
|
mode http
|
|
option httplog
|
|
bind "127.0.0.1:12345"
|
|
http-response set-var(proc.processed) int(1)
|
|
server s1 "127.0.0.1:12346"
|
|
} -start
|
|
|
|
# We need to "enable" the cli with a first cli call before using it only through socats
|
|
haproxy h4 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
}
|
|
|
|
# We should have two OCSP responses loaded during init
|
|
shell {
|
|
responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -)
|
|
|
|
[ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \
|
|
echo "$responses" | grep "Serial Number: 1016" && \
|
|
echo "$responses" | grep "Serial Number: 1015"
|
|
}
|
|
|
|
shell {
|
|
echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: revoked"
|
|
}
|
|
|
|
shell {
|
|
echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: good"
|
|
}
|
|
|
|
# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer)
|
|
shell {
|
|
# Store the current "Produced At" in order to ensure that after the update
|
|
# the OCSP response actually changed
|
|
produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At")
|
|
|
|
echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
|
|
while ! echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - | grep 'proc.processed: type=sint value=<1>'
|
|
do
|
|
echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - >> /tmp/toto
|
|
sleep 0.5
|
|
done
|
|
|
|
echo "experimental-mode on;set var proc.processed int(0)" | socat "${tmpdir}/h4/stats" -
|
|
|
|
ocsp_response=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -)
|
|
new_produced_at=$(echo "$ocsp_response" | grep "Produced At")
|
|
|
|
echo "$ocsp_response" | grep -q "Serial Number: 1015" && \
|
|
echo "$ocsp_response" | grep -q "Cert Status: revoked" && \
|
|
[ "$new_produced_at" != "$produced_at" ]
|
|
}
|
|
|
|
# Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer)
|
|
shell {
|
|
# Store the current "Produced At" in order to ensure that after the update
|
|
# the OCSP response actually changed
|
|
produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At")
|
|
|
|
echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
|
|
while ! echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - | grep 'proc.processed: type=sint value=<1>'
|
|
do
|
|
echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - >> /tmp/toto
|
|
sleep 0.5
|
|
done
|
|
|
|
echo "experimental-mode on;set var proc.processed int(0)" | socat "${tmpdir}/h4/stats" -
|
|
|
|
ocsp_response=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -)
|
|
new_produced_at=$(echo "$ocsp_response" | grep "Produced At")
|
|
|
|
echo "$ocsp_response" | grep -q "Serial Number: 1016" && \
|
|
echo "$ocsp_response" | grep -q "Cert Status: revoked" && \
|
|
[ "$new_produced_at" != "$produced_at" ]
|
|
}
|
|
|
|
haproxy h4 -wait
|
|
process p3 -wait
|
|
|
|
|
|
####################
|
|
# #
|
|
# FIFTH TEST CASE #
|
|
# (CLI COMMAND) #
|
|
# #
|
|
####################
|
|
|
|
# Test the "show ssl ocsp-updates" command as well as the new 'base64' parameter
|
|
# to the "show ssl ocsp-response" command.
|
|
|
|
|
|
process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
|
|
|
|
barrier b5 cond 2 -cyclic
|
|
|
|
syslog Syslog_http5 -level info {
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
|
|
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1"
|
|
|
|
barrier b5 sync
|
|
} -start
|
|
|
|
haproxy h5 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h5/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-fe
|
|
bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-fe
|
|
bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
listen http_rebound_lst
|
|
mode http
|
|
option httplog
|
|
log ${Syslog_http5_addr}:${Syslog_http5_port} local0
|
|
bind "127.0.0.1:12345"
|
|
server s1 "127.0.0.1:12346"
|
|
} -start
|
|
|
|
barrier b5 sync
|
|
|
|
shell "sleep 1"
|
|
|
|
# Use "show ssl ocsp-updates" CLI command
|
|
# We should have one line per OCSP response and each one of them should have been successfully updated once
|
|
# The command's output follows this format:
|
|
# OCSP Certid | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
|
|
haproxy h5 -cli {
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*| 1 | 0 | 1 | Update successful"
|
|
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
|
|
}
|
|
|
|
# Use "show ssl ocsp-response" command to dump an OCSP response in base64
|
|
shell {
|
|
ocsp_resp_file="${tmpdir}.ocsp_resp.der"
|
|
|
|
echo "show ssl ocsp-response base64 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h5/stats" - | base64 -d > $ocsp_resp_file
|
|
|
|
if [ $? -eq 0 ]
|
|
then
|
|
ocsp_resp_txt="$(openssl ocsp -respin $ocsp_resp_file -noverify -text)"
|
|
echo "$ocsp_resp_txt" | grep "Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A" && \
|
|
echo "$ocsp_resp_txt" | grep "Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A" && \
|
|
echo "$ocsp_resp_txt" | grep "Serial Number: 1015" && \
|
|
echo "$ocsp_resp_txt" | grep "Cert Status: revoked"
|
|
else
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
haproxy h5 -wait
|
|
process p5 -wait
|
|
|
|
|
|
####################
|
|
# #
|
|
# SIXTH TEST CASE #
|
|
# #
|
|
####################
|
|
|
|
# Check that a new certificate added via the CLI to a crt-list with
|
|
# the 'ocsp-update on' option will be taken into account by the OCSP
|
|
# auto update task
|
|
#
|
|
process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start
|
|
|
|
barrier b6 cond 2 -cyclic
|
|
|
|
syslog Syslog_http6 -level info {
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
|
|
|
|
barrier b6 sync
|
|
} -start
|
|
|
|
haproxy h6 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h6/stats" level admin
|
|
crt-base ${testdir}
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-fe
|
|
bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
listen http_rebound_lst
|
|
mode http
|
|
option httplog
|
|
log ${Syslog_http6_addr}:${Syslog_http6_port} local0
|
|
bind "127.0.0.1:12345"
|
|
server s1 "127.0.0.1:12346"
|
|
} -start
|
|
|
|
# We need to "enable" the cli with a first cli call before using it only through socats
|
|
haproxy h6 -cli {
|
|
send "show ssl cert"
|
|
expect ~ ""
|
|
}
|
|
|
|
# Create a new certificate that has an OCSP uri and add it to the
|
|
# existing CLI with the 'ocsp-update on' command.
|
|
shell {
|
|
echo "new ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
|
|
printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" -
|
|
printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" -
|
|
echo "commit ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
|
|
|
|
printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" -
|
|
}
|
|
|
|
barrier b6 sync
|
|
|
|
shell "sleep 1"
|
|
|
|
haproxy h6 -cli {
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
|
|
}
|