a870a9cfdb
In a previous commit this test was disabled because I thought the feature was broken, but in fact it is the test which is broken. Indeed the connection between the server and the client was not renegotiated and was using the SSL cache or a ticket. To work correctly these 2 features must be disabled or a new connection must be established after the ticket timeout, which is too long for a regtest. Also a "nbthread 1" was added as it was easier to reproduce the problem with it.
#REGTEST_TYPE=devel

# This reg-test uses the "set ssl cert" command to update a backend certificate over the CLI.
# The certificate being replaced is the client certificate that the clear-lst
# backend presents to ssl-lst. Each replacement is checked twice: through
# "show ssl cert" on the CLI, and through the verification result that ssl-lst
# exposes in response headers to the test client.

# It requires socat to upload the certificate

varnishtest "Test the 'set ssl cert' feature of the CLI"
#REQUIRE_VERSION=2.4
#REQUIRE_OPTIONS=OPENSSL
#REQUIRE_BINARIES=socat
feature ignore_unknown_macro
# Origin server behind ssl-lst: answers one request per connection, for up to
# four connections in sequence (three client runs appear in this test).
server s1 -repeat 4 {
    rxreq
    txresp
} -start
haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-cipherlist-size 1
        stats socket "${tmpdir}/h1/stats" level admin
        # single thread: the commit message notes the stale-session problem
        # was easier to reproduce this way
        nbthread 1
        # no SSL session cache: every connection to ssl-lst must perform a full
        # handshake and therefore presents the client certificate currently
        # loaded, instead of resuming a session established with the old one
        tune.ssl.cachesize 0

    defaults
        mode http
        option httplog
        ${no-htx} option http-use-htx
        log stderr local0 debug err
        option logasap
        timeout connect 100ms
        timeout client 1s
        timeout server 1s

    # Plain-text entry point used by the test clients. It connects to ssl-lst
    # over the unix socket and presents client1.pem as its client certificate;
    # this is the certificate that "set ssl cert" replaces later in the test.
    listen clear-lst
        bind "fd@${clearlst}"
        # NOTE(review): with "crt-ignore-err all" on ssl-lst the handshakes in
        # this test are accepted; confirm the comment below is still current.
        retries 0 # 2nd SSL connection must fail so skip the retry
        # verify none: the server certificate is not authenticated here, the
        # test is about the verification of the client certificate by ssl-lst
        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem

    listen ssl-lst
        # crt: certificate of the server
        # ca-file: CA used for client authentication request
        # crl-file: revocation list for client auth; the certificate loaded from
        #           client3_revoked.pem later in the test is expected to be in it
        # crt-ignore-err all: the handshake completes even when client
        #           verification fails, so the outcome is observed through the
        #           ssl_c_verify ACLs below rather than as a failed connection
        # no-tls-tickets: together with "tune.ssl.cachesize 0", prevents session
        #           resumption so each request reflects the certificate loaded
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem no-tls-tickets

        # ssl_c_verify is the X509 verification result of the client
        # certificate (0: verified, 10: certificate has expired, 23: revoked)
        acl cert_expired ssl_c_verify 10
        acl cert_revoked ssl_c_verify 23
        acl cert_ok ssl_c_verify 0

        # expose the verification result and the fingerprint of the client
        # certificate actually presented, so the test client can check both
        http-response add-header X-SSL Ok if cert_ok
        http-response add-header X-SSL Expired if cert_expired
        http-response add-header X-SSL Revoked if cert_revoked
        http-response add-header x-ssl-sha1 %[ssl_c_sha1,hex]

        server s1 ${s1_addr}:${s1_port}
} -start
# First request with the original client certificate (client1.pem): ssl-lst
# must verify it successfully. x-ssl-sha1 carries the SHA1 fingerprint of the
# certificate presented, so it also proves which certificate was used.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-sha1 == "D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
    expect resp.http.x-ssl == "Ok"
} -run
# The CLI must report, for the certificate currently loaded under this path,
# the same fingerprint the client just presented.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
}
# Replace certificate with an expired one
# Two-step CLI transaction: "set ssl cert <path> <<" uploads the new PEM as a
# payload terminated by an empty line, then "commit ssl cert" makes it live.
# The PEM content is spliced into printf's format string, which is fine for
# PEM data as it contains no '%'.
shell {
    printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
}
# After the commit the CLI must report the fingerprint of client2_expired.pem
# for the same path.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
}
# The updated client certificate is an expired one. Because ssl-lst uses
# "crt-ignore-err all" the handshake is still accepted, so the request itself
# succeeds (200) and the failed verification is reported as X-SSL: Expired
# (ssl_c_verify 10) rather than as a failed request. The fingerprint proves
# the new certificate was the one presented on this fresh connection.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-sha1 == "C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
    expect resp.http.x-ssl == "Expired"
} -run
# Replace certificate with a revoked one
# Same set/commit transaction as above, this time with client3_revoked.pem.
shell {
    printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
}
# After the commit the CLI must report the fingerprint of client3_revoked.pem
# for the same path.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151"
}
# The updated client certificate is a revoked one (listed in crl-auth.pem).
# As with the expired case, "crt-ignore-err all" lets the handshake complete,
# so the request succeeds (200) and the verification failure is reported as
# X-SSL: Revoked (ssl_c_verify 23); the fingerprint confirms the revoked
# certificate is the one that was presented.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-sha1 == "992386628A40C9D49C89BAC0058B5D45D8575151"
    expect resp.http.x-ssl == "Revoked"
} -run