235 lines
7.9 KiB
Plaintext
235 lines
7.9 KiB
Plaintext
#REGTEST_TYPE=devel
|
|
|
|
# This reg-tests checks that the DH-related mechanisms works properly.
|
|
# When no DH is specified, either directly in the server's PEM or through a
|
|
# ssl-dh-param-file global option, and no tune.ssl.default-dh-param is defined,
|
|
# DHE ciphers are disabled.
|
|
# If a default-dh-param is defined, we will use DH parameters of the same size
|
|
# as the server's RSA or DSA key, or default-dh-param if it is smaller.
|
|
# This test has three distinct HAProxy instances, one with no DH-related option
|
|
# used, one with the tune.ssl.default-dh-param global parameter set, and one
|
|
# with an ssl-dh-param-file global option.
|
|
# We use "openssl s_client" calls in order to check the size of the "Server
|
|
# Temp Key" (which will be the same as the DH parameters in case a DHE cipher
|
|
# is used).
|
|
#
|
|
# The main goal of this test was to check that the newly added OpenSSLv3
|
|
# specific DH code worked as before, since it needed to be created in order to
|
|
# stop using deprecated APIs.
|
|
|
|
varnishtest "Test the DH related SSL options"
|
|
# AWS-LC does not support any FFDH ciphersuites
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(AWS-LC)'"
|
|
feature cmd "command -v openssl && command -v grep && command -v socat"
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 -repeat 8 {
|
|
rxreq
|
|
txresp
|
|
} -start
|
|
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
|
|
defaults
|
|
mode http
|
|
option httpslog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
retries 0
|
|
|
|
frontend clear-fe
|
|
bind "fd@${clearlst}"
|
|
use_backend gen_cert_be if { path /gencert }
|
|
default_backend dflt_be
|
|
|
|
backend dflt_be
|
|
server s1 "${tmpdir}/ssl_dflt.sock" ssl verify none ssl-max-ver TLSv1.2
|
|
|
|
backend gen_cert_be
|
|
server s1 "${tmpdir}/ssl_dflt_gencert.sock" ssl verify none ssl-max-ver TLSv1.2
|
|
|
|
listen ssl-dflt-lst
|
|
bind "${tmpdir}/ssl_dflt.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
|
|
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen ssl-dflt-gencert-lst
|
|
bind "${tmpdir}/ssl_dflt_gencert.sock" ssl generate-certificates crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
|
|
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
haproxy h2 -conf {
|
|
global
|
|
stats socket "${tmpdir}/h2/stats" level admin
|
|
|
|
global
|
|
tune.ssl.default-dh-param 4096
|
|
|
|
defaults
|
|
mode http
|
|
option httpslog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
retries 0
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst_dfltdh}"
|
|
server s1 "${tmpdir}/ssl_dfltdh.sock" ssl verify none ssl-max-ver TLSv1.2
|
|
|
|
listen ssl-4096dh-dflt-lst
|
|
bind "${tmpdir}/ssl_dfltdh.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
|
|
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
haproxy h3 -conf {
|
|
global
|
|
stats socket "${tmpdir}/h3/stats" level admin
|
|
|
|
global
|
|
ssl-dh-param-file ${testdir}/common.4096.dh
|
|
|
|
defaults
|
|
mode http
|
|
option httpslog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
retries 0
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst_dhfile}"
|
|
server s1 "${tmpdir}/ssl_dhfile.sock" ssl verify none ssl-max-ver TLSv1.2
|
|
|
|
listen ssl-dhfile-lst
|
|
bind "${tmpdir}/ssl_dhfile.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
|
|
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
#
|
|
# Check that all the SSL backend <-> SSL frontend connections work
|
|
#
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
# No DH parameters are defined, DHE ciphers are unavailable
|
|
expect resp.status == 503
|
|
} -run
|
|
|
|
client c2 -connect ${h2_clearlst_dfltdh_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
client c3 -connect ${h3_clearlst_dhfile_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
client c4 -connect ${h1_clearlst_sock} {
|
|
txreq -url "/gencert"
|
|
rxresp
|
|
# No DH parameters are defined, DHE ciphers are unavailable
|
|
expect resp.status == 503
|
|
} -run
|
|
|
|
|
|
# On the second HAProxy instance, even if default-dh-param is set to 4096, this
|
|
# value is only considered as a maximum DH key length and we will always try to
|
|
# match the server's certificate key length in our DHE key exchange (2048 bits
|
|
# in the case of common.pem).
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dfltdh.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 2048 bits"
|
|
}
|
|
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dhfile.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
|
|
}
|
|
|
|
|
|
#
|
|
# Add a custom DH to the server's PEM certificate
|
|
#
|
|
shell {
|
|
printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
|
|
|
|
printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h2/stats" -
|
|
echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h2/stats" -
|
|
|
|
printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h3/stats" -
|
|
echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h3/stats" -
|
|
}
|
|
|
|
|
|
#
|
|
# Check that all the SSL backend <-> SSL frontend connections still work
|
|
# Common.pem now contains DH parameters so the first instance's frontends
|
|
# can now use DHE ciphers.
|
|
#
|
|
client c5 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
client c6 -connect ${h2_clearlst_dfltdh_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
client c7 -connect ${h3_clearlst_dhfile_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
client c8 -connect ${h1_clearlst_sock} {
|
|
txreq -url "/gencert"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.http.x-ssl-cipher == "DHE-RSA-AES256-GCM-SHA384"
|
|
} -run
|
|
|
|
|
|
|
|
#
|
|
# Check the new size of the DH key
|
|
#
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dflt.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
|
|
}
|
|
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dfltdh.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
|
|
}
|
|
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dhfile.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
|
|
}
|
|
|
|
shell {
|
|
echo "Q" | openssl s_client -unix "${tmpdir}/ssl_dflt_gencert.sock" -tls1_2 2>/dev/null | grep -E "Server Temp Key: DH, 4096 bits"
|
|
}
|