mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-29 16:12:10 +00:00
d33a5f8e14
Update the ocsp-update tests for the recent changes: - Incompatibilities check string changed to match the crt-store one - The "good configurations" are not good anymore because the ckch_conf_cmp() does not compare anymore with a global value.
402 lines
11 KiB
Plaintext
402 lines
11 KiB
Plaintext
#REGTEST_TYPE=devel
|
|
|
|
# broken with BoringSSL.
|
|
#
|
|
# This reg-test tries loading multiple configurations that make use of the
|
|
# 'ocsp-update' crt-list option and the global 'ocsp-update.mode'
|
|
# option. It ensures that an error message is raised when the user provides an
|
|
# incoherent configuration. Any configuration in which a given certificate has
|
|
# the ocsp auto update mode set to 'on' as well as 'off' simultaneously should
|
|
# raise an ALERT type message and not start.
|
|
# The first batch of configurations should all raise errors and the second
|
|
# batch should all load properly. We do not focus on the actual auto update in
|
|
# this reg-test though so no actual proxy instance will be launched.
|
|
|
|
varnishtest "Test the OCSP auto update feature"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
|
|
feature ignore_unknown_macro
|
|
|
|
|
|
#############################
|
|
# #
|
|
# WRONG CONFIGURATIONS #
|
|
# #
|
|
#############################
|
|
|
|
|
|
# test1
|
|
# global_option OFF
|
|
# bind line DFLT (OFF) (first)
|
|
# crt-list ON (second)
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
# ocsp-update.mode on
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 1"
|
|
echo "$haproxy_output"
|
|
echo "HAProxy return code: $haproxy_ret"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
# test2
|
|
# global_option ON
|
|
# bind line DFLT/ON (first)
|
|
# crt-list OFF (second)
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
ocsp-update.mode on
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 2"
|
|
echo "$haproxy_output"
|
|
echo "HAProxy return code: $haproxy_ret"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
# test3
|
|
# global_option OFF
|
|
# bind line DFLT/OFF(first)
|
|
# crt-list ON (second)
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
ocsp-update.mode off
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 3"
|
|
echo "$haproxy_output"
|
|
echo "HAProxy return code: $haproxy_ret"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
# test4
|
|
# global_option OFF
|
|
# bind line DFLT OFF (second)
|
|
# crt-list ON (first)
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
# ocsp-update.mode off
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
|
|
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 4"
|
|
echo "$haproxy_output"
|
|
echo "HAProxy return code: $haproxy_ret"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
# test5
|
|
# global_option ON
|
|
# bind line DFLT (second)
|
|
# crt-list OFF (first)
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
ocsp-update.mode on
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
|
|
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 5"
|
|
echo "$haproxy_output"
|
|
echo "HAProxy return code: $haproxy_ret"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
# test6
|
|
# global_option OFF
|
|
# bind line DFLT (second)
|
|
# crt-list ON (first)
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
ocsp-update.mode off
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
|
|
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 6"
|
|
echo "$haproxy_output"
|
|
echo "HAProxy return code: $haproxy_ret"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
# test7
|
|
# global_option DFLT
|
|
# bind line -
|
|
# crt-list ON
|
|
# crt-list DFLT
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
|
|
server_ocsp_ecdsa.pem bar.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
# ocsp-update.mode off
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 7"
|
|
echo "$haproxy_output"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
# test8
|
|
# global_option DFLT
|
|
# bind line -
|
|
# crt-list DFLT
|
|
# crt-list ON
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem bar.com
|
|
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
# ocsp-update.mode off
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 8"
|
|
echo "$haproxy_output"
|
|
echo "HAProxy return code: $haproxy_ret"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
# test9
|
|
# global_option ON
|
|
# bind line -
|
|
# crt-list OFF
|
|
# crt-list DFLT
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
|
|
server_ocsp_ecdsa.pem bar.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
ocsp-update.mode on
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 9"
|
|
echo "$haproxy_output"
|
|
echo "HAProxy return code: $haproxy_ret"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
# test10
|
|
# global_option ON
|
|
# bind line -
|
|
# crt-list DFLT
|
|
# crt-list OFF
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem bar.com
|
|
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
ocsp-update.mode on
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 10"
|
|
echo "$haproxy_output"
|
|
echo "HAProxy return code: $haproxy_ret"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
# test11
|
|
# global_option OFF
|
|
# bind line -
|
|
# crt-list ON
|
|
# crt-list DFLT
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
|
|
server_ocsp_ecdsa.pem bar.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
ocsp-update.mode off
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 11"
|
|
echo "$haproxy_output"
|
|
echo "HAProxy return code: $haproxy_ret"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|
|
# test12
|
|
# global_option OFF
|
|
# bind line -
|
|
# crt-list DFLT
|
|
# crt-list ON
|
|
shell {
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.list
|
|
server_ocsp_ecdsa.pem bar.com
|
|
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
|
|
EOF
|
|
|
|
cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
|
|
global
|
|
crt-base ${testdir}/ocsp_update/multicert
|
|
ocsp-update.mode off
|
|
|
|
defaults
|
|
log stderr local0 debug err
|
|
|
|
listen ssl-lst
|
|
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
|
|
server s1 127.0.0.1:80
|
|
EOF
|
|
|
|
haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
|
|
haproxy_ret=$?
|
|
echo "==== test 12"
|
|
echo "$haproxy_output"
|
|
echo "HAProxy return code: $haproxy_ret"
|
|
[ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
|
|
}
|
|
|