reg-tests/ssl/set_ssl_cert_bundle.vtc - haproxy - Gitiles

 #REGTEST_TYPE=broken

 # This reg-test uses the "set ssl cert" command to update a multi-certificate
 # bundle over the CLI.
 # It requires socat to upload the certificate
 #
 # This regtests loads a multi-certificates bundle "cert1-example.com.pem"
 # composed of a .rsa and a .ecdsa
 #
 # After verifying that the RSA and ECDSA algorithms were avalailble with the
 # right certificate, the test changes the certificates and try new requests.
 #
 # If this test does not work anymore:
 # - Check that you have socat
 # - Check that you have at least OpenSSL 1.1.0

 varnishtest "Test the 'set ssl cert' feature of the CLI with bundles"
 #REQUIRE_VERSION=2.3
 #REQUIRE_OPTIONS=OPENSSL
 #REQUIRE_BINARIES=socat
 feature ignore_unknown_macro

 server s1 -repeat 9 {
   rxreq
   txresp
 } -start

 haproxy h1 -conf {
     global
         tune.ssl.default-dh-param 2048
         tune.ssl.capture-cipherlist-size 1
         stats socket "${tmpdir}/h1/stats" level admin
         crt-base ${testdir}

     defaults
         mode http
         option httplog
         ${no-htx} option http-use-htx
         log stderr local0 debug err
         option logasap
         timeout connect 100ms
         timeout client  1s
         timeout server  1s

     listen clear-lst
         bind "fd@${clearlst}"
         balance roundrobin

         http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]

         retries 0 # 2nd SSL connection must fail so skip the retry
         server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-RSA-AES128-GCM-SHA256
         server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384

         server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-RSA-AES128-GCM-SHA256
         server s4 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384

     listen ssl-lst
         bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/cert1-example.com.pem
         server s1 ${s1_addr}:${s1_port}

 } -start


 haproxy h1 -cli {
     send "show ssl cert ${testdir}/cert1-example.com.pem.rsa"
     expect ~ ".*SHA1 FingerPrint: 94F720DACA71B8B1A0AC9BD48C65BA688FF047DE"
     send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa"
     expect ~ ".*SHA1 FingerPrint: C1BA055D452F92EB02D449F0498C289F50698300"
 }

 client c1 -connect ${h1_clearlst_sock} {
 # RSA
     txreq
     rxresp
     expect resp.http.X-SSL-Server-SHA1 == "94F720DACA71B8B1A0AC9BD48C65BA688FF047DE"
     expect resp.status == 200
 # ECDSA
     txreq
     rxresp
     expect resp.http.X-SSL-Server-SHA1 == "C1BA055D452F92EB02D449F0498C289F50698300"
     expect resp.status == 200
 } -run

 shell {
     printf "set ssl cert ${testdir}/cert1-example.com.pem.rsa <<\n$(cat ${testdir}/cert2-example.com.pem.rsa)\n\n" | socat "${tmpdir}/h1/stats" -
     echo "commit ssl cert ${testdir}/cert1-example.com.pem.rsa" | socat "${tmpdir}/h1/stats" -
     printf "set ssl cert ${testdir}/cert1-example.com.pem.ecdsa <<\n$(cat ${testdir}/cert2-example.com.pem.ecdsa)\n\n" | socat "${tmpdir}/h1/stats" -
     echo "commit ssl cert ${testdir}/cert1-example.com.pem.ecdsa" | socat "${tmpdir}/h1/stats" -
 }

 haproxy h1 -cli {
     send "show ssl cert ${testdir}/cert1-example.com.pem.rsa"
     expect ~ ".*SHA1 FingerPrint: ADC863817FC40C2A9CA913CE45C9A92232558F90"
     send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa"
     expect ~ ".*SHA1 FingerPrint: F49FFA446D072262445C197B85D2F400B3F58808"
 }

 client c1 -connect ${h1_clearlst_sock} {
 # RSA
     txreq
     rxresp
     expect resp.http.X-SSL-Server-SHA1 == "ADC863817FC40C2A9CA913CE45C9A92232558F90"
     expect resp.status == 200
 # ECDSA
     txreq
     rxresp
     expect resp.http.X-SSL-Server-SHA1 == "F49FFA446D072262445C197B85D2F400B3F58808"
     expect resp.status == 200
 } -run
	#REGTEST_TYPE=broken

	# This reg-test uses the "set ssl cert" command to update a multi-certificate
	# bundle over the CLI.
	# It requires socat to upload the certificate
	#
	# This regtests loads a multi-certificates bundle "cert1-example.com.pem"
	# composed of a .rsa and a .ecdsa
	#
	# After verifying that the RSA and ECDSA algorithms were avalailble with the
	# right certificate, the test changes the certificates and try new requests.
	#
	# If this test does not work anymore:
	# - Check that you have socat
	# - Check that you have at least OpenSSL 1.1.0

	varnishtest "Test the 'set ssl cert' feature of the CLI with bundles"
	#REQUIRE_VERSION=2.3
	#REQUIRE_OPTIONS=OPENSSL
	#REQUIRE_BINARIES=socat
	feature ignore_unknown_macro

	server s1 -repeat 9 {
	rxreq
	txresp
	} -start

	haproxy h1 -conf {
	global
	tune.ssl.default-dh-param 2048
	tune.ssl.capture-cipherlist-size 1
	stats socket "${tmpdir}/h1/stats" level admin
	crt-base ${testdir}

	defaults
	mode http
	option httplog
	${no-htx} option http-use-htx
	log stderr local0 debug err
	option logasap
	timeout connect 100ms
	timeout client 1s
	timeout server 1s

	listen clear-lst
	bind "fd@${clearlst}"
	balance roundrobin

	http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]

	retries 0 # 2nd SSL connection must fail so skip the retry
	server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-RSA-AES128-GCM-SHA256
	server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384

	server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-RSA-AES128-GCM-SHA256
	server s4 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384

	listen ssl-lst
	bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/cert1-example.com.pem
	server s1 ${s1_addr}:${s1_port}

	} -start


	haproxy h1 -cli {
	send "show ssl cert ${testdir}/cert1-example.com.pem.rsa"
	expect ~ ".*SHA1 FingerPrint: 94F720DACA71B8B1A0AC9BD48C65BA688FF047DE"
	send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa"
	expect ~ ".*SHA1 FingerPrint: C1BA055D452F92EB02D449F0498C289F50698300"
	}

	client c1 -connect ${h1_clearlst_sock} {
	# RSA
	txreq
	rxresp
	expect resp.http.X-SSL-Server-SHA1 == "94F720DACA71B8B1A0AC9BD48C65BA688FF047DE"
	expect resp.status == 200
	# ECDSA
	txreq
	rxresp
	expect resp.http.X-SSL-Server-SHA1 == "C1BA055D452F92EB02D449F0498C289F50698300"
	expect resp.status == 200
	} -run

	shell {
	printf "set ssl cert ${testdir}/cert1-example.com.pem.rsa <<\n$(cat ${testdir}/cert2-example.com.pem.rsa)\n\n" \| socat "${tmpdir}/h1/stats" -
	echo "commit ssl cert ${testdir}/cert1-example.com.pem.rsa" \| socat "${tmpdir}/h1/stats" -
	printf "set ssl cert ${testdir}/cert1-example.com.pem.ecdsa <<\n$(cat ${testdir}/cert2-example.com.pem.ecdsa)\n\n" \| socat "${tmpdir}/h1/stats" -
	echo "commit ssl cert ${testdir}/cert1-example.com.pem.ecdsa" \| socat "${tmpdir}/h1/stats" -
	}

	haproxy h1 -cli {
	send "show ssl cert ${testdir}/cert1-example.com.pem.rsa"
	expect ~ ".*SHA1 FingerPrint: ADC863817FC40C2A9CA913CE45C9A92232558F90"
	send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa"
	expect ~ ".*SHA1 FingerPrint: F49FFA446D072262445C197B85D2F400B3F58808"
	}

	client c1 -connect ${h1_clearlst_sock} {
	# RSA
	txreq
	rxresp
	expect resp.http.X-SSL-Server-SHA1 == "ADC863817FC40C2A9CA913CE45C9A92232558F90"
	expect resp.status == 200
	# ECDSA
	txreq
	rxresp
	expect resp.http.X-SSL-Server-SHA1 == "F49FFA446D072262445C197B85D2F400B3F58808"
	expect resp.status == 200
	} -run