| #REGTEST_TYPE=broken |
| varnishtest "Test for the bug #810 and #818" |
| # This test checks if the multiple certificate types works correctly with the |
| # SNI, and that the negative filters are correctly excluded |
| |
| |
| #REQUIRE_VERSION=2.2 |
| #REQUIRE_OPTIONS=OPENSSL |
| feature ignore_unknown_macro |
| |
| server s1 -repeat 3 { |
| rxreq |
| txresp |
| } -start |
| |
| haproxy h1 -conf { |
| global |
| tune.ssl.default-dh-param 2048 |
| crt-base ${testdir} |
| stats socket "${tmpdir}/h1/stats" level admin |
| |
| defaults |
| mode http |
| option httplog |
| log stderr local0 debug err |
| option logasap |
| timeout connect 1s |
| timeout client 1s |
| timeout server 1s |
| |
| |
| listen clear-lst |
| bind "fd@${clearlst}" |
| balance roundrobin |
| server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug810.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA" |
| server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug810.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "aECDSA" |
| server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug818.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA" |
| |
| listen ssl-lst |
| mode http |
| ${no-htx} option http-use-htx |
| bind "${tmpdir}/ssl.sock" ssl strict-sni ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA:aECDSA" crt-list ${testdir}/filters.crt-list |
| |
| server s1 ${s1_addr}:${s1_port} |
| } -start |
| |
| |
| client c1 -connect ${h1_clearlst_sock} { |
| txreq |
| rxresp |
| expect resp.status == 200 |
| } -run |
| |
| client c1 -connect ${h1_clearlst_sock} { |
| txreq |
| rxresp |
| expect resp.status == 200 |
| } -run |
| |
| client c1 -connect ${h1_clearlst_sock} { |
| txreq |
| rxresp |
| expect resp.status == 503 |
| } -run |