mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-20 10:40:13 +00:00
66b20aada4
The 'set ssl cert' command was failing because of empty lines in the contents of the PEM file used to perform the update. We were also missing the issuer in the newly created ckch_store, which then raised an error when committing the transaction.
145 lines
6.8 KiB
Plaintext
145 lines
6.8 KiB
Plaintext
#REGTEST_TYPE=devel
|
|
|
|
# broken with BoringSSL.
|
|
|
|
# This reg-test uses the "show ssl ocsp-response" command to display the details
|
|
# of the OCSP responses used by HAProxy.
|
|
# It also uses the new special cases of the "show ssl cert" command, where an OCSP
|
|
# extension is provided to the certificate name (with or without preceding * for an
|
|
# ongoing transaction).
|
|
#
|
|
# It uses the show_ocsp_server.pem server certificate, signed off by set_cafile_rootCA.crt,
|
|
# which has two OCSP responses, show_ocsp_server.pem.ocsp which is loaded by default and in
|
|
# which it is valid, and show_ocsp_server.pem.ocsp.revoked in which it is revoked.
|
|
# The OSCP response is updated through the two means available in the CLI, the
|
|
# "set ssl ocsp-response" command and the update through a "set ssl cert foo.ocsp".
|
|
#
|
|
# It requires socat to upload the new OCSP responses.
|
|
#
|
|
# If this test does not work anymore:
|
|
# - Check that you have socat
|
|
|
|
varnishtest "Test the 'show ssl ocsp-response' and 'show ssl cert foo.pem.ocsp' features of the CLI"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && !ssllib_name_startswith(wolfSSL)'"
|
|
feature cmd "command -v socat && command -v openssl"
|
|
feature ignore_unknown_macro
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
tune.ssl.default-dh-param 2048
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst}"
|
|
server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/set_cafile_rootCA.crt verify none
|
|
|
|
listen ssl-lst
|
|
# crt: certificate of the server
|
|
# ca-file: CA used for client authentication request
|
|
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/show_ocsp_server.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
|
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
|
|
# Test the "show ssl ocsp-response" command
|
|
haproxy h1 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
|
expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
|
expect ~ "Cert Status: good"
|
|
}
|
|
|
|
# Test the "show ssl ocsp-response" command with a certificate path as parameter
|
|
shell {
|
|
ocsp_response=$(echo "show ssl ocsp-response ${testdir}/show_ocsp_server.pem" | socat "${tmpdir}/h1/stats" -)
|
|
|
|
echo "$ocsp_response" | grep "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com" &&
|
|
echo "$ocsp_response" | grep "Cert Status: good"
|
|
}
|
|
|
|
# Test the "show ssl cert foo.pem.ocsp" command
|
|
haproxy h1 -cli {
|
|
send "show ssl cert"
|
|
expect ~ ".*show_ocsp_server.pem"
|
|
|
|
send "show ssl cert ${testdir}/show_ocsp_server.pem"
|
|
expect ~ "Serial: 100F"
|
|
send "show ssl cert ${testdir}/show_ocsp_server.pem"
|
|
expect ~ "OCSP Response Key: 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
|
|
|
send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
|
|
expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
|
|
send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
|
|
expect ~ "Cert Status: good"
|
|
}
|
|
|
|
|
|
# Change the server certificate's OCSP response through "set ssl ocsp-response"
|
|
shell {
|
|
printf "set ssl ocsp-response <<\n$(cat ${testdir}/show_ocsp_server.pem.ocsp.revoked|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
# Check that the change was taken into account
|
|
haproxy h1 -cli {
|
|
send "show ssl ocsp-response"
|
|
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
|
expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
|
expect ~ "Cert Status: revoked"
|
|
|
|
send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
|
|
expect ~ "Cert Status: revoked"
|
|
}
|
|
|
|
|
|
# Change the server certificate's OCSP response through a transaction
|
|
shell {
|
|
printf "set ssl cert ${testdir}/show_ocsp_server.pem <<\n$(cat ${testdir}/show_ocsp_server.pem | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" -
|
|
printf "set ssl cert ${testdir}/show_ocsp_server.pem.issuer <<\n$(cat ${testdir}/show_ocsp_server.pem.issuer | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" -
|
|
printf "set ssl cert ${testdir}/show_ocsp_server.pem.ocsp <<\n$(cat ${testdir}/show_ocsp_server.pem.ocsp|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
|
|
# Check that the actual tree entry was not changed and that the uncommitted
|
|
# transaction's OCSP response is the new one
|
|
haproxy h1 -cli {
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
|
expect ~ "Cert Status: revoked"
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
|
expect ~ "This Update: Jun 10 08:57:45 2021 GMT"
|
|
|
|
send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp"
|
|
expect ~ "Cert Status: good"
|
|
send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp"
|
|
expect ~ "This Update: Jun 10 08:55:04 2021 GMT"
|
|
}
|
|
|
|
|
|
# Commit the transaction and check that it was taken into account
|
|
haproxy h1 -cli {
|
|
send "commit ssl cert ${testdir}/show_ocsp_server.pem"
|
|
expect ~ "Success!"
|
|
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
|
expect ~ "Cert Status: good"
|
|
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
|
|
expect ~ "This Update: Jun 10 08:55:04 2021 GMT"
|
|
}
|