mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-12 14:35:14 +00:00
6da0879083
Since patch fde517b ("REGTESTS: wolfssl: temporarly disable some failing
reg-tests") some 'feature cmd' lines have an extra quotation mark, so
they were disable in every cases.
Must be backported to 2.9.
168 lines
6.7 KiB
Plaintext
168 lines
6.7 KiB
Plaintext
#REGTEST_TYPE=devel
|
|
|
|
# This reg-test uses the "set ssl ca-file" command to update a CA file over the CLI.
|
|
# It also tests the "abort ssl ca-file" and "show ssl ca-file" commands.
|
|
#
|
|
# It is based on two CA certificates, set_cafile_interCA1.crt and set_cafile_interCA2.crt,
|
|
# and a client certificate that was signed with set_cafile_interCA1.crt (set_cafile_client.pem)
|
|
# and a server certificate that was signed with set_cafile_interCA2.crt (set_cafile_server.pem).
|
|
# The CA files used by the client and the server will be updated through the CLI until a
|
|
# proper connection can be established between them.
|
|
#
|
|
# It requires socat to upload the certificate
|
|
#
|
|
# If this test does not work anymore:
|
|
# - Check that you have socat
|
|
|
|
varnishtest "Test the 'set ssl ca-file' feature of the CLI"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(wolfSSL)'"
|
|
feature cmd "command -v socat"
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 -repeat 4 {
|
|
rxreq
|
|
txresp
|
|
} -start
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
retries 0
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst}"
|
|
# dummy bind used to test a change when the same crt is used as server and bind
|
|
bind "fd@${foobarlst}" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify none
|
|
server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify none
|
|
|
|
listen clear-verified-lst
|
|
bind "fd@${clearverifiedlst}"
|
|
server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required
|
|
|
|
listen ssl-lst
|
|
# crt: certificate of the server
|
|
# ca-file: CA used for client authentication request
|
|
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all
|
|
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
|
|
# Test the "show ssl ca-file" command
|
|
haproxy h1 -cli {
|
|
send "show ssl ca-file"
|
|
expect ~ ".*${testdir}/set_cafile_interCA1.crt - 1 certificate.*"
|
|
send "show ssl ca-file"
|
|
expect ~ ".*${testdir}/set_cafile_interCA2.crt - 1 certificate.*"
|
|
|
|
send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt"
|
|
expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
|
|
}
|
|
|
|
|
|
# This first connection should fail because the client's certificate was signed with the
|
|
# set_cafile_interCA1.crt certificate which is not known by the backend.
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
# unable to verify the client certificate
|
|
expect resp.http.X-SSL-Client-Verify ~ "20|21"
|
|
} -run
|
|
|
|
# Set a new ca-file without committing it and check that the new ca-file is not taken into account
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
# Test the "show ssl ca-file" command
|
|
# The transaction should be mentioned in the list
|
|
haproxy h1 -cli {
|
|
send "show ssl ca-file"
|
|
expect ~ "\\*${testdir}/set_cafile_interCA2.crt - 1 certificate.*"
|
|
|
|
# The original CA file did not change
|
|
send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt"
|
|
expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
|
|
|
|
# Only the current transaction displays a new certificate
|
|
send "show ssl ca-file *${testdir}/set_cafile_interCA2.crt"
|
|
expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
|
|
}
|
|
|
|
# This connection should still fail for the same reasons as previously
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
# unable to verify the client certificate
|
|
expect resp.http.X-SSL-Client-Verify ~ "20|21"
|
|
} -run
|
|
|
|
haproxy h1 -cli {
|
|
send "abort ssl ca-file ${testdir}/set_cafile_interCA2.crt"
|
|
expect ~ "Transaction aborted for certificate '${testdir}/set_cafile_interCA2.crt'!"
|
|
send "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt"
|
|
expect ~ "No ongoing transaction!"
|
|
}
|
|
|
|
|
|
# Update the bind line's ca-file in order to accept the client certificate
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
|
|
# The backend's certificate can't be verified by the frontend because it was signed with
|
|
# the set_cafile_interCA2.crt certificate.
|
|
client c1 -connect ${h1_clearverifiedlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 503
|
|
} -run
|
|
|
|
|
|
# Update the server line's ca-file. The server certificate should now be accepted by
|
|
# the frontend. We replace the single CA by a list of CAs that includes the correct one.
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
printf "add ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
printf "add ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
# Test the "show ssl ca-file" with a certificate index
|
|
haproxy h1 -cli {
|
|
send "show ssl ca-file"
|
|
expect ~ ".*${testdir}/set_cafile_interCA1.crt - 3 certificate.*"
|
|
|
|
send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:1"
|
|
expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
|
|
|
|
send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:2"
|
|
expect !~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
|
|
send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:2"
|
|
expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
|
|
}
|
|
|
|
client c1 -connect ${h1_clearverifiedlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
# there should be no error on the backend side but one on the frontend side
|
|
expect resp.http.X-SSL-Client-Verify == 0
|
|
} -run
|