mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-12 06:24:56 +00:00
1fe0fad88b
The ssl_bc_hsk_err sample fetch will need to raise more errors than only handshake related ones hence its renaming to a more generic ssl_bc_err. This patch is required because some handshake failures that should have been caught by this fetch (verify error on the server side for instance) were missed. This is caused by a change in TLS1.3 in which the 'Finished' state on the client is reached before its certificate is sent (and verified) on the server side (see the "Protocol Overview" part of RFC 8446). This means that the SSL_do_handshake call is finished long before the server can verify and potentially reject the client certificate. The ssl_bc_hsk_err will then need to be expanded to catch other types of errors. This change is also applied to the frontend fetches (ssl_fc_hsk_err becomes ssl_fc_err) and to their string counterparts.
368 lines
14 KiB
Plaintext
368 lines
14 KiB
Plaintext
#REGTEST_TYPE=broken
|
|
|
|
# This reg-test checks that the connection and SSL sample fetches related to
|
|
# errors are functioning properly. It also tests the proper behaviour of the
|
|
# default HTTPS log format and of the log-error-via-logformat option which enables
|
|
# or disables the output of a special error message in case of connection
|
|
# failure (otherwise a line following the configured log-format is output).
|
|
#
|
|
# It works by sending request through three different paths, one using a custom
|
|
# log-format line that contains the connection error and SSL handshake error
|
|
# sample fetches, one using the default HTTPS log-format and one using the
|
|
# legacy error log format.
|
|
#
|
|
# The output log lines are caught by syslog blocks (one for each path) and
|
|
# compared to an expected format.
|
|
# Since the syslog is not by design synchronized with the Varnish clients and
|
|
# servers, synchronization is achieved through barriers, which ensure that
|
|
# syslog messages arrive in the right order.
|
|
#
|
|
# In order to ensure that the log line raised in case of connection error if
|
|
# the log-error-via-logformat option is disabled still follows the
|
|
# log-separate-error option, the log lines raised by the https_fmt_lst listener
|
|
# will be sent to two separate syslog servers.
|
|
#
|
|
|
|
varnishtest "Test the connection and SSL error fetches."
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev2)'"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
|
|
feature cmd "command -v socat"
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 -repeat 4 {
|
|
rxreq
|
|
txresp
|
|
} -start
|
|
|
|
barrier b1 cond 4 -cyclic
|
|
barrier b2 cond 2 -cyclic
|
|
|
|
|
|
syslog Slg_cust_fmt -level info {
|
|
recv
|
|
expect ~ ".*conn_status:\"0:Success\" hsk_err:\"0:-\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ "ERROR.*conn_status:\"30:SSL client CA chain cannot be verified\" hsk_err:\"337100934:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ "ERROR.*conn_status:\"31:SSL client certificate not trusted\" hsk_err:\"337100934:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
|
|
|
|
barrier b1 sync
|
|
|
|
# In case of an error occuring before the certificate verification process,
|
|
# the client certificate chain is never parsed and verified so we can't
|
|
# have information about the client's certificate.
|
|
recv
|
|
expect ~ "ERROR.*conn_status:\"34:SSL handshake failure\" hsk_err:\"337678529:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher\" CN=\"\",serial=-,hash=-"
|
|
} -start
|
|
|
|
syslog Slg_https_fmt -level info {
|
|
recv
|
|
expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/s1.*0/0000000000000000/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384"
|
|
|
|
barrier b1 sync
|
|
} -start
|
|
|
|
syslog Slg_https_fmt_err -level info {
|
|
recv
|
|
expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*30/000000001417C086/0/2 TLSv1.3/TLS_AES_256_GCM_SHA384"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*31/000000001417C086/20/0 TLSv1.3/TLS_AES_256_GCM_SHA384"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*34/00000000142090C1/0/0 TLSv1.3/\\(NONE\\)"
|
|
} -start
|
|
|
|
syslog Slg_logconnerror -level info {
|
|
recv
|
|
expect ~ ".*logconnerror_ssl_lst~ logconnerror_ssl_lst/s1"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ ".*logconnerror_ssl_lst/1: SSL client CA chain cannot be verified"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ ".*logconnerror_ssl_lst/1: SSL client certificate not trusted"
|
|
|
|
barrier b1 sync
|
|
|
|
recv
|
|
expect ~ ".*logconnerror_ssl_lst/1: SSL handshake failure"
|
|
} -start
|
|
|
|
syslog Slg_bcknd -level info {
|
|
recv
|
|
expect ~ ".*bc_conn_err:0:\"Success\" ssl_bc_err:0:\"\""
|
|
|
|
barrier b2 sync
|
|
|
|
recv
|
|
expect ~ ".*bc_conn_err:34:\"SSL handshake failure\" ssl_bc_err:337047686:\"error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed\""
|
|
|
|
barrier b2 sync
|
|
|
|
recv
|
|
expect ~ ".*bc_conn_err:32:\"Server presented an SSL certificate different from the configured one\" ssl_bc_err:337047686:\"error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed\""
|
|
|
|
barrier b2 sync
|
|
|
|
# Verify errors on the server side cannot be caught through those backend fetches yet
|
|
recv
|
|
expect ~ ".*bc_conn_err:0:\"Success\" ssl_bc_err:0:\"\""
|
|
|
|
barrier b2 sync
|
|
|
|
recv
|
|
expect ~ ".*bc_conn_err:34:\"SSL handshake failure\" ssl_bc_err:336151568:\"error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure\""
|
|
|
|
barrier b2 sync
|
|
|
|
recv
|
|
expect ~ ".*bc_conn_err:34:\"SSL handshake failure\" ssl_bc_err:336151568:\"error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure\""
|
|
} -start
|
|
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
|
|
defaults
|
|
timeout connect 100ms
|
|
timeout client 1s
|
|
timeout server 1s
|
|
retries 0
|
|
|
|
listen clear_lst
|
|
bind "fd@${clearlst}"
|
|
default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse
|
|
|
|
balance roundrobin
|
|
server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
|
|
server https_fmt "${tmpdir}/https_logfmt_ssl.sock"
|
|
server logconnerror "${tmpdir}/logconnerror_ssl.sock"
|
|
|
|
|
|
listen clear_wrong_ciphers_lst
|
|
bind "fd@${wrongcipherslst}"
|
|
default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse ciphersuites "TLS_AES_128_GCM_SHA256"
|
|
|
|
balance roundrobin
|
|
server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
|
|
server https_fmt "${tmpdir}/https_logfmt_ssl.sock"
|
|
server logconnerror "${tmpdir}/logconnerror_ssl.sock"
|
|
|
|
|
|
# This listener will be used to test backend fetches (bc_conn_err and ssl_bc_err)
|
|
listen clear_backend_errors_lst
|
|
bind "fd@${backenderrorslst}"
|
|
log ${Slg_bcknd_addr}:${Slg_bcknd_port} local0
|
|
log-format "bc_conn_err:%[bc_conn_err]:%{+Q}[bc_conn_err_str]\ ssl_bc_err:%[ssl_bc_err]:%{+Q}[ssl_bc_err_str]"
|
|
error-log-format "ERROR bc_conn_err:%[bc_conn_err]:%{+Q}[bc_conn_err_str]\ ssl_bc_err:%[ssl_bc_err]:%{+Q}[ssl_bc_err_str]"
|
|
|
|
balance roundrobin
|
|
server no_err "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required
|
|
server srv_cert_rejected "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required
|
|
server mismatch_frontend "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required verifyhost str(toto)
|
|
server clt_cert_rejected "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
|
|
server wrong_ciphers "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA"
|
|
server wrong_ciphers_tls13 "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" force-tlsv13
|
|
|
|
|
|
|
|
|
|
listen cust_logfmt_ssl_lst
|
|
log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0
|
|
mode http
|
|
log-format "conn_status:\"%[fc_conn_err]:%[fc_conn_err_str]\" hsk_err:\"%[ssl_fc_err]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
|
|
error-log-format "ERROR conn_status:\"%[fc_conn_err]:%[fc_conn_err_str]\" hsk_err:\"%[ssl_fc_err]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
|
|
bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen https_logfmt_ssl_lst
|
|
log ${Slg_https_fmt_addr}:${Slg_https_fmt_port} local0 info
|
|
log ${Slg_https_fmt_err_addr}:${Slg_https_fmt_err_port} local0 err info
|
|
option log-separate-errors
|
|
mode http
|
|
option httpslog
|
|
error-log-format "ERROR %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[fc_conn_err]/%[ssl_fc_err,hex]/%[ssl_c_err]/%[ssl_c_ca_err] %sslv/%sslc"
|
|
bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen logconnerror_ssl_lst
|
|
log ${Slg_logconnerror_addr}:${Slg_logconnerror_port} local0 info
|
|
mode http
|
|
option httplog
|
|
bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
|
|
# The following listeners allow to test backend error fetches
|
|
listen no_backend_err_ssl_lst
|
|
bind "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen srv_rejected_ssl_lst
|
|
bind "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen mismatch_fe_ssl_lst
|
|
bind "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen rejected_clt_ssl_lst
|
|
bind "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen wrong_ciphers_ssl_lst
|
|
bind "${tmpdir}/wrong_ciphers_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv12 ciphers "kRSA"
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
listen wrong_ciphers_tls13_ssl_lst
|
|
bind "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv13 ciphersuites "TLS_AES_128_GCM_SHA256"
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
} -start
|
|
|
|
|
|
# The three following requests should all succeed
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|
|
|
|
client c2 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|
|
|
|
client c3 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|
|
|
|
|
|
barrier b1 sync
|
|
|
|
|
|
# Change the root CA in the frontends
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
client c4 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
client c5 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
client c6 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
barrier b1 sync
|
|
|
|
|
|
|
|
# Restore the root CA
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
# Change the intermediate CA in the frontends
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
client c7 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
client c8 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
client c9 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
barrier b1 sync
|
|
|
|
|
|
# Restore the intermediate CA in the frontends
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
# "No shared cipher" errors
|
|
client c10 -connect ${h1_wrongcipherslst_sock} {
|
|
txreq
|
|
} -run
|
|
client c11 -connect ${h1_wrongcipherslst_sock} {
|
|
txreq
|
|
} -run
|
|
client c12 -connect ${h1_wrongcipherslst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
client c13 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|
|
barrier b2 sync
|
|
client c14 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
} -run
|
|
barrier b2 sync
|
|
client c15 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
} -run
|
|
barrier b2 sync
|
|
client c16 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
} -run
|
|
barrier b2 sync
|
|
client c17 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
} -run
|
|
barrier b2 sync
|
|
client c18 -connect ${h1_backenderrorslst_sock} {
|
|
txreq
|
|
} -run
|
|
|
|
syslog Slg_cust_fmt -wait
|
|
syslog Slg_https_fmt -wait
|
|
syslog Slg_https_fmt_err -wait
|
|
syslog Slg_logconnerror -wait
|
|
syslog Slg_bcknd -wait
|