haproxy/reg-tests/ssl/set_ssl_server_cert.vtc
William Lallemand a870a9cfdb REGTESTS: set_ssl_server_cert.vtc: remove SSL caching and set as working
In a previous commit this test was disabled because I though the
feature was broken, but in fact this is the test which is broken.

Indeed the connection between the server and the client was not
renegociated and was using the SSL cache or a ticket. To be work
correctly these 2 features must be disabled or a new connection must be
established after the ticket timeout, which is too long for a regtest.

Also a "nbthread 1" was added as it was easier to reproduce the problem
with it.
2021-02-01 14:50:17 +01:00

112 lines
3.5 KiB
Plaintext

#REGTEST_TYPE=devel
# This reg-test uses the "set ssl cert" command to update a backend certificate over the CLI.
# It requires socat to upload the certificate
varnishtest "Test the 'set ssl cert' feature of the CLI"
#REQUIRE_VERSION=2.4
#REQUIRE_OPTIONS=OPENSSL
#REQUIRE_BINARIES=socat
feature ignore_unknown_macro
server s1 -repeat 4 {
rxreq
txresp
} -start
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
stats socket "${tmpdir}/h1/stats" level admin
nbthread 1
tune.ssl.cachesize 0
defaults
mode http
option httplog
${no-htx} option http-use-htx
log stderr local0 debug err
option logasap
timeout connect 100ms
timeout client 1s
timeout server 1s
listen clear-lst
bind "fd@${clearlst}"
retries 0 # 2nd SSL connection must fail so skip the retry
server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem
listen ssl-lst
# crt: certificate of the server
# ca-file: CA used for client authentication request
# crl-file: revocation list for client auth: the client1 certificate is revoked
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem no-tls-tickets
acl cert_expired ssl_c_verify 10
acl cert_revoked ssl_c_verify 23
acl cert_ok ssl_c_verify 0
http-response add-header X-SSL Ok if cert_ok
http-response add-header X-SSL Expired if cert_expired
http-response add-header X-SSL Revoked if cert_revoked
http-response add-header x-ssl-sha1 %[ssl_c_sha1,hex]
server s1 ${s1_addr}:${s1_port}
} -start
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl-sha1 == "D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
expect resp.http.x-ssl == "Ok"
} -run
haproxy h1 -cli {
send "show ssl cert ${testdir}/client1.pem"
expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
}
# Replace certificate with an expired one
shell {
printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
send "show ssl cert ${testdir}/client1.pem"
expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
}
# The updated client certificate is an expired one so this request should fail
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl-sha1 == "C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
expect resp.http.x-ssl == "Expired"
} -run
# Replace certificate with a revoked one
shell {
printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
send "show ssl cert ${testdir}/client1.pem"
expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151"
}
# The updated client certificate is a revoked one so this request should fail
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl-sha1 == "992386628A40C9D49C89BAC0058B5D45D8575151"
expect resp.http.x-ssl == "Revoked"
} -run