File: set_ssl_server_cert.vtc

package info (click to toggle)
haproxy 3.2.11-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 23,928 kB
  • sloc: ansic: 268,119; sh: 3,466; xml: 1,756; python: 1,345; makefile: 1,155; perl: 168; cpp: 21
file content (131 lines) | stat: -rw-r--r-- 4,307 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
 
#REGTEST_TYPE=devel

# This reg-test uses the "set ssl cert" command to update a backend certificate over the CLI.
# It requires socat to upload the certificate

varnishtest "Test the 'set ssl cert' feature of the CLI"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.4)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(wolfSSL)'"
feature cmd "command -v socat"
feature ignore_unknown_macro

server s1 -repeat 4 {
  rxreq
  txresp
} -start

haproxy h1 -conf {
    global
    .if !ssllib_name_startswith(AWS-LC)
        tune.ssl.default-dh-param 2048
    .endif
        tune.ssl.capture-buffer-size 1
        stats socket "${tmpdir}/h1/stats" level admin
        nbthread 1

    defaults
        mode http
        option httplog
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    listen clear-lst
        bind "fd@${clearlst}"
        retries 0 # 2nd SSL connection must fail so skip the retry
        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem

    listen ssl-lst
        # crt: certificate of the server
        # ca-file: CA used for client authentication request
        # crl-file: revocation list for client auth: the client1 certificate is revoked
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem

        acl cert_expired ssl_c_verify 10
        acl cert_revoked ssl_c_verify 23
        acl cert_ok ssl_c_verify 0

        http-response add-header X-SSL Ok if cert_ok
        http-response add-header X-SSL Expired if cert_expired
        http-response add-header X-SSL Revoked if cert_revoked
        http-response add-header x-ssl-sha1 %[ssl_c_sha1,hex]

        server s1 ${s1_addr}:${s1_port}
} -start

client c1 -connect ${h1_clearlst_sock} {
  txreq
  rxresp
  expect resp.status == 200
  expect resp.http.x-ssl-sha1 == "D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
  expect resp.http.x-ssl == "Ok"
} -run

haproxy h1 -cli {
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
}

# Replace certificate with an expired one
shell {
    printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
}


# The updated client certificate is an expired one so this request should fail
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-sha1 == "C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
    expect resp.http.x-ssl == "Expired"
} -run

# Replace certificate with a revoked one
shell {
    printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151"
}

# The updated client certificate is a revoked one so this request should fail
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-sha1 == "992386628A40C9D49C89BAC0058B5D45D8575151"
    expect resp.http.x-ssl == "Revoked"
} -run

# Abort a transaction
shell {
    printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "abort ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/client1.pem"
    expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151"
}

# The certificate was not updated so it should still be revoked
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl == "Revoked"
} -run