mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-24 13:42:16 +00:00
a6c0a59e9a
Instead of having a dedicated httpclient instance and its own code decorrelated from the actual auto update one, the "update ssl ocsp-response" will now use the update task in order to perform updates. Since the cli command allows to update responses that were never included in the auto update tree, a new flag was added to the certificate_ocsp structure so that the said entry can be inserted into the tree "by hand" and it won't be reinserted back into the tree after the update process is performed. The 'update_once' flag "stole" a bit from the 'fail_count' counter since it is the one less likely to reach UINT_MAX among the ocsp counters of the certificate_ocsp structure. This new logic required that every certificate_ocsp entry contained all the ocsp-related information at all time since entries that are not supposed to be configured automatically can still be updated through the cli. The logic of the ssl_sock_load_ocsp was changed accordingly.
536 lines
22 KiB
Plaintext
536 lines
22 KiB
Plaintext
#REGTEST_TYPE=slow
|
|
|
|
# broken with BoringSSL.
|
|
|
|
# This reg-test focuses on the OCSP response auto-update functionality. It does
|
|
# not test the full scope of the feature because most of it is based on
|
|
# expiration times and long delays between updates of valid OCSP responses.
|
|
# Automatic update of valid OCSP responses loaded during init will not be
|
|
# tested because by design, such a response would no be automatically updated
|
|
# until init+1H.
|
|
#
|
|
# This test will then focus on certificates that have a specified OCSP URI but
|
|
# no known OCSP response. For those certificates, OCSP requests are sent as
|
|
# soon as possible by the update task.
|
|
#
|
|
# The ocsp responder used in all the tests will be an openssl using the
|
|
# certificate database in ocsp_update/index.txt. It will listen on port 12346
|
|
# which is not the same as the one specified in the certificates' OCSP URI
|
|
# which point to port 12345. The link from port 12345 to port 12346 will be
|
|
# ensured through HAProxy instances that will enable logs, later used as a
|
|
# synchronization mean.
|
|
#
|
|
# Unfortunately some arbitrary "sleep" calls are still needed to leave some
|
|
# time for the ocsp update task to actually process the ocsp responses and
|
|
# reinsert them into the tree. This explains why the test's mode is set to
|
|
# "slow".
|
|
#
|
|
# The fourth test case focuses on the "update ssl ocsp-response" CLI command
|
|
# and tests two certificates that have a known OCSP response loaded during init
|
|
# but no OCSP auto update. The only difference between the two certificates is
|
|
# that one has a separate .issuer file while the other one has the issuer
|
|
# certificate directly in the main .pem file.
|
|
#
|
|
# If this test does not work anymore:
|
|
# - Check that you have openssl and socat
|
|
|
|
varnishtest "Test the OCSP auto update feature"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.7-dev0)'"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
|
|
feature cmd "command -v openssl && command -v socat"
|
|
feature ignore_unknown_macro
|
|
|
|
|
|
###################
|
|
# #
|
|
# FIRST TEST CASE #
|
|
# #
|
|
###################
|
|
|
|
# No automatic update should occur in this test case since we load two already
|
|
# valid OCSP responses during init which have a "Next Update" date really far
|
|
# in the future. So they should only be updated after one hour.
|
|
# This test will only be the most basic one where we check that ocsp response
|
|
# loading still works as expected.
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-fe
|
|
bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
} -start
|
|
|
|
|
|
# We should have two distinct ocsp responses known that were loaded at build time
|
|
haproxy h1 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
expect ~ "Cert Status: revoked"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
expect ~ "Cert Status: good"
|
|
}
|
|
|
|
haproxy h1 -wait
|
|
|
|
|
|
|
|
####################
|
|
# #
|
|
# SECOND TEST CASE #
|
|
# #
|
|
####################
|
|
|
|
# This test will focus on two separate certificates that have the same OCSP uri
|
|
# (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time.
|
|
# The update mode is set to 'on' in the two crt-lists used. The two ocsp
|
|
# responses should then be fetched automatically after init. We use an http
|
|
# listener as a rebound on which http log is enabled towards Syslog_http. This
|
|
# ensures that two requests are sent by the ocsp auto update task and it
|
|
# enables to use a barrier to synchronize the ocsp task and the subsequent cli
|
|
# calls. Thanks to the barrier we know that when calling "show ssl
|
|
# ocsp-response" on the cli, the two answers should already have been received
|
|
# and processed.
|
|
|
|
process p1 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
|
|
|
|
barrier b1 cond 2 -cyclic
|
|
|
|
syslog Syslog_http -level info {
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
|
|
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1"
|
|
|
|
barrier b1 sync
|
|
} -start
|
|
|
|
haproxy h2 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h2/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-fe
|
|
bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-fe
|
|
bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
listen http_rebound_lst
|
|
mode http
|
|
option httplog
|
|
log ${Syslog_http_addr}:${Syslog_http_port} local0
|
|
bind "127.0.0.1:12345"
|
|
server s1 "127.0.0.1:12346"
|
|
} -start
|
|
|
|
barrier b1 sync
|
|
|
|
shell "sleep 1"
|
|
|
|
# We should have two distinct ocsp IDs known that were loaded at build time and
|
|
# the responses' contents should have been filled automatically by the ocsp
|
|
# update task after init
|
|
haproxy h2 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
expect ~ "Cert Status: revoked"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
expect ~ "Cert Status: revoked"
|
|
}
|
|
|
|
haproxy h2 -wait
|
|
process p1 -wait -expect-exit 0
|
|
|
|
|
|
###################
|
|
# #
|
|
# THIRD TEST CASE #
|
|
# #
|
|
###################
|
|
|
|
# This test will be roughly the same as the second one but one of the crt-lists
|
|
# will not enable ocsp-update on its certificate. Only one request should then
|
|
# be sent.
|
|
|
|
process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start
|
|
|
|
barrier b2 cond 2 -cyclic
|
|
|
|
syslog Syslog_http2 -level info {
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
|
|
|
|
barrier b2 sync
|
|
} -start
|
|
|
|
haproxy h3 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h3/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-fe
|
|
bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-fe
|
|
bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
listen http_rebound_lst
|
|
mode http
|
|
option httplog
|
|
log ${Syslog_http2_addr}:${Syslog_http2_port} local0
|
|
bind "127.0.0.1:12345"
|
|
server s1 "127.0.0.1:12346"
|
|
} -start
|
|
|
|
barrier b2 sync
|
|
|
|
shell "sleep 1"
|
|
|
|
# We should have a single ocsp ID known that was loaded at build time and the
|
|
# response should be filled
|
|
haproxy h3 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
send "show ssl ocsp-response"
|
|
expect !~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
|
|
expect ~ "Cert Status: revoked"
|
|
}
|
|
|
|
haproxy h3 -wait
|
|
process p2 -wait
|
|
|
|
|
|
|
|
####################
|
|
# #
|
|
# FOURTH TEST CASE #
|
|
# (CLI COMMAND) #
|
|
# #
|
|
####################
|
|
|
|
process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
|
|
|
|
haproxy h4 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h4/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-ocsp
|
|
bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-ocsp
|
|
bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
listen http_rebound_lst
|
|
mode http
|
|
option httplog
|
|
bind "127.0.0.1:12345"
|
|
http-response set-var(proc.processed) int(1)
|
|
server s1 "127.0.0.1:12346"
|
|
} -start
|
|
|
|
# We need to "enable" the cli with a first cli call before using it only through socats
|
|
haproxy h4 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
|
}
|
|
|
|
# We should have two OCSP responses loaded during init
|
|
shell {
|
|
responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -)
|
|
|
|
[ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \
|
|
echo "$responses" | grep "Serial Number: 1016" && \
|
|
echo "$responses" | grep "Serial Number: 1015"
|
|
}
|
|
|
|
shell {
|
|
echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: revoked"
|
|
}
|
|
|
|
shell {
|
|
echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: good"
|
|
}
|
|
|
|
# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer)
|
|
shell {
|
|
# Store the current "Produced At" in order to ensure that after the update
|
|
# the OCSP response actually changed
|
|
produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At")
|
|
|
|
echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
|
|
while ! echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - | grep 'proc.processed: type=sint value=<1>'
|
|
do
|
|
echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - >> /tmp/toto
|
|
sleep 0.5
|
|
done
|
|
|
|
echo "experimental-mode on;set var proc.processed int(0)" | socat "${tmpdir}/h4/stats" -
|
|
|
|
ocsp_response=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -)
|
|
new_produced_at=$(echo "$ocsp_response" | grep "Produced At")
|
|
|
|
echo "$ocsp_response" | grep -q "Serial Number: 1015" && \
|
|
echo "$ocsp_response" | grep -q "Cert Status: revoked" && \
|
|
[ "$new_produced_at" != "$produced_at" ]
|
|
}
|
|
|
|
# Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer)
|
|
shell {
|
|
# Store the current "Produced At" in order to ensure that after the update
|
|
# the OCSP response actually changed
|
|
produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At")
|
|
|
|
echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
|
|
while ! echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - | grep 'proc.processed: type=sint value=<1>'
|
|
do
|
|
echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - >> /tmp/toto
|
|
sleep 0.5
|
|
done
|
|
|
|
echo "experimental-mode on;set var proc.processed int(0)" | socat "${tmpdir}/h4/stats" -
|
|
|
|
ocsp_response=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -)
|
|
new_produced_at=$(echo "$ocsp_response" | grep "Produced At")
|
|
|
|
echo "$ocsp_response" | grep -q "Serial Number: 1016" && \
|
|
echo "$ocsp_response" | grep -q "Cert Status: revoked" && \
|
|
[ "$new_produced_at" != "$produced_at" ]
|
|
}
|
|
|
|
haproxy h4 -wait
|
|
process p3 -wait
|
|
|
|
|
|
####################
|
|
# #
|
|
# FIFTH TEST CASE #
|
|
# (CLI COMMAND) #
|
|
# #
|
|
####################
|
|
|
|
# Test the "show ssl ocsp-updates" command as well as the new 'base64' parameter
|
|
# to the "show ssl ocsp-response" command.
|
|
|
|
|
|
process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
|
|
|
|
barrier b5 cond 2 -cyclic
|
|
|
|
syslog Syslog_http5 -level info {
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
|
|
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1"
|
|
|
|
barrier b5 sync
|
|
} -start
|
|
|
|
haproxy h5 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h5/stats" level admin
|
|
crt-base ${testdir}/ocsp_update
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-rsa-fe
|
|
bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
frontend ssl-ecdsa-fe
|
|
bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
listen http_rebound_lst
|
|
mode http
|
|
option httplog
|
|
log ${Syslog_http5_addr}:${Syslog_http5_port} local0
|
|
bind "127.0.0.1:12345"
|
|
server s1 "127.0.0.1:12346"
|
|
} -start
|
|
|
|
barrier b5 sync
|
|
|
|
shell "sleep 1"
|
|
|
|
# Use "show ssl ocsp-updates" CLI command
|
|
# We should have one line per OCSP response and each one of them should have been successfully updated once
|
|
# The command's output follows this format:
|
|
# OCSP Certid | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
|
|
haproxy h5 -cli {
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*| 1 | 0 | 1 | Update successful"
|
|
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
|
|
}
|
|
|
|
# Use "show ssl ocsp-response" command to dump an OCSP response in base64
|
|
shell {
|
|
ocsp_resp_file="${tmpdir}.ocsp_resp.der"
|
|
|
|
echo "show ssl ocsp-response base64 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h5/stats" - | base64 -d > $ocsp_resp_file
|
|
|
|
if [ $? -eq 0 ]
|
|
then
|
|
ocsp_resp_txt="$(openssl ocsp -respin $ocsp_resp_file -noverify -text)"
|
|
echo "$ocsp_resp_txt" | grep "Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A" && \
|
|
echo "$ocsp_resp_txt" | grep "Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A" && \
|
|
echo "$ocsp_resp_txt" | grep "Serial Number: 1015" && \
|
|
echo "$ocsp_resp_txt" | grep "Cert Status: revoked"
|
|
else
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
haproxy h5 -wait
|
|
process p5 -wait
|
|
|
|
|
|
####################
|
|
# #
|
|
# SIXTH TEST CASE #
|
|
# #
|
|
####################
|
|
|
|
# Check that a new certificate added via the CLI to a crt-list with
|
|
# the 'ocsp-update on' option will be taken into account by the OCSP
|
|
# auto update task
|
|
#
|
|
process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start
|
|
|
|
barrier b6 cond 2 -cyclic
|
|
|
|
syslog Syslog_http6 -level info {
|
|
recv
|
|
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
|
|
|
|
barrier b6 sync
|
|
} -start
|
|
|
|
haproxy h6 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h6/stats" level admin
|
|
crt-base ${testdir}
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend ssl-fe
|
|
bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-request return status 200
|
|
|
|
listen http_rebound_lst
|
|
mode http
|
|
option httplog
|
|
log ${Syslog_http6_addr}:${Syslog_http6_port} local0
|
|
bind "127.0.0.1:12345"
|
|
server s1 "127.0.0.1:12346"
|
|
} -start
|
|
|
|
# We need to "enable" the cli with a first cli call before using it only through socats
|
|
haproxy h6 -cli {
|
|
send "show ssl cert"
|
|
expect ~ ""
|
|
}
|
|
|
|
# Create a new certificate that has an OCSP uri and add it to the
|
|
# existing CLI with the 'ocsp-update on' command.
|
|
shell {
|
|
echo "new ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
|
|
printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" -
|
|
printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" -
|
|
echo "commit ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
|
|
|
|
printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" -
|
|
}
|
|
|
|
barrier b6 sync
|
|
|
|
shell "sleep 1"
|
|
|
|
haproxy h6 -cli {
|
|
send "show ssl ocsp-updates"
|
|
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
|
|
}
|