blob: 32179b1f690c769265dbc4b2d696bbb9c411573f [file] [log] [blame]
#REGTEST_TYPE=devel
# This reg-test ensures that SSL related configuration specified in a
# default-server option are properly taken into account by the servers
# (frontend). It mainly focuses on the client certificate used by the frontend,
# that can either be defined in the server line itself, in the default-server
# line or in both.
#
# It was created following a bug raised in redmine (issue #3906) in which a
# server used an "empty" SSL context instead of the proper one.
#
varnishtest "Test the 'set ssl cert' feature of the CLI"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature ignore_unknown_macro
server s1 -repeat 7 {
rxreq
txresp
} -start
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
ca-base ${testdir}
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect 100ms
timeout client 1s
timeout server 1s
listen clear-lst
bind "fd@${clearlst}"
use_backend first_be if { path /first }
use_backend second_be if { path /second }
use_backend third_be if { path /third }
use_backend fourth_be if { path /fourth }
use_backend fifth_be if { path /fifth }
backend first_be
default-server ssl crt client1.pem ca-file ca-auth.crt verify none
server s1 "${tmpdir}/ssl.sock"
backend second_be
default-server ssl ca-file ca-auth.crt verify none
server s1 "${tmpdir}/ssl.sock" crt client1.pem
backend third_be
default-server ssl crt client1.pem ca-file ca-auth.crt verify none
server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem
backend fourth_be
default-server ssl crt client1.pem verify none
server s1 "${tmpdir}/ssl.sock" ca-file ca-auth.crt
backend fifth_be
balance roundrobin
default-server ssl crt client1.pem verify none
server s1 "${tmpdir}/ssl.sock"
server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem
server s3 "${tmpdir}/ssl.sock"
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ca-auth.crt verify required crt-ignore-err all
acl cert_expired ssl_c_verify 10
acl cert_revoked ssl_c_verify 23
acl cert_ok ssl_c_verify 0
http-response add-header X-SSL Ok if cert_ok
http-response add-header X-SSL Expired if cert_expired
http-response add-header X-SSL Revoked if cert_revoked
server s1 ${s1_addr}:${s1_port}
} -start
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/first"
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/second"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/third"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Expired"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fourth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fifth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fifth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Expired"
} -run
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fifth"
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl == "Ok"
} -run