commit 2be4a2e02d01067dfdd9fc806d268d3db1831d1d
author William Lallemand <wlallemand@haproxy.com> Tue Mar 31 12:13:34 2020 +0200
committer William Lallemand <wlallemand@haproxy.org> Tue Mar 31 12:32:18 2020 +0200
tree 159464ab02b022b14d363aeeb023ec28553122b0
parent e67c80be7f19c2d4417843064d2ca6f502da0c87

REGTEST: ssl/cli: test the 'add ssl crt-list' command

Test the 'add ssl crt-list' feature by inserting the ecdsa.pem
certificate and verifying with curl and strict-sni that it works.

reg-tests/ssl/add_ssl_crt-list.vtc

diff --git a/reg-tests/ssl/add_ssl_crt-list.vtc b/reg-tests/ssl/add_ssl_crt-list.vtc
new file mode 100644
index 0000000..c698963
--- /dev/null
+++ b/reg-tests/ssl/add_ssl_crt-list.vtc
@@ -0,0 +1,68 @@
+#REGTEST_TYPE=slow
+
+# This reg-test uses the "add ssl crt-list" command to add a certificate over the CLI.
+# It requires socat and curl to upload and validate that the certificate was well updated
+
+# If this test does not work anymore:
+# - Check that you have socat and curl
+# - Check if haproxy and curl use the same ciphers
+
+varnishtest "Test the 'add ssl crt-list' feature of the CLI"
+#REQUIRE_VERSION=2.2
+#REQUIRE_OPTIONS=OPENSSL
+#REQUIRE_BINARIES=socat,curl
+feature ignore_unknown_macro
+
+
+haproxy h1 -conf {
+  global
+    tune.ssl.default-dh-param 2048
+    tune.ssl.capture-cipherlist-size 1
+    crt-base ${testdir}
+    stats socket "${tmpdir}/h1/stats" level admin
+
+  listen frt
+    mode http
+    ${no-htx} option http-use-htx
+    bind "fd@${frt}" ssl strict-sni crt-list ${testdir}/localhost.crt-list
+    http-request redirect location /
+} -start
+
+
+haproxy h1 -cli {
+    send "show ssl cert ${testdir}/common.pem"
+    expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
+}
+
+shell {
+    HOST=${h1_frt_addr}
+    if [ "${h1_frt_addr}" = "::1" ] ; then
+        HOST="\[::1\]"
+    fi
+    curl -v -i -k --resolve www.test1.com:${h1_frt_port}:${h1_frt_addr} https://www.test1.com:${h1_frt_port}
+}
+
+shell {
+   echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+   printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+   echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+   echo "add ssl crt-list ${testdir}/localhost.crt-list ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+}
+
+haproxy h1 -cli {
+    send "show ssl cert ${testdir}/ecdsa.pem"
+    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
+}
+
+haproxy h1 -cli {
+    send "show ssl crt-list ${testdir}/localhost.crt-list"
+    expect ~ ".*${testdir}/ecdsa.pem"
+}
+
+shell {
+    HOST=${h1_frt_addr}
+    if [ "${h1_frt_addr}" = "::1" ] ; then
+        HOST="\[::1\]"
+    fi
+    curl -v -i -k --resolve localhost:${h1_frt_port}:${h1_frt_addr} https://localhost:${h1_frt_port}
+}