| #REGTEST_TYPE=devel |
| |
| # This reg-test ensures that SSL related configuration specified in a |
| # default-server option are properly taken into account by the servers |
| # (frontend). It mainly focuses on the client certificate used by the frontend, |
| # that can either be defined in the server line itself, in the default-server |
| # line or in both. |
| # |
| # It was created following a bug raised in redmine (issue #3906) in which a |
| # server used an "empty" SSL context instead of the proper one. |
| # |
| |
| varnishtest "Test the 'set ssl cert' feature of the CLI" |
| feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'" |
| feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'" |
| feature ignore_unknown_macro |
| |
| server s1 -repeat 7 { |
| rxreq |
| txresp |
| } -start |
| |
| haproxy h1 -conf { |
| global |
| tune.ssl.default-dh-param 2048 |
| tune.ssl.capture-buffer-size 1 |
| stats socket "${tmpdir}/h1/stats" level admin |
| crt-base ${testdir} |
| ca-base ${testdir} |
| |
| defaults |
| mode http |
| option httplog |
| log stderr local0 debug err |
| option logasap |
| timeout connect 100ms |
| timeout client 1s |
| timeout server 1s |
| |
| listen clear-lst |
| bind "fd@${clearlst}" |
| use_backend first_be if { path /first } |
| use_backend second_be if { path /second } |
| use_backend third_be if { path /third } |
| use_backend fourth_be if { path /fourth } |
| use_backend fifth_be if { path /fifth } |
| |
| |
| backend first_be |
| default-server ssl crt client1.pem ca-file ca-auth.crt verify none |
| server s1 "${tmpdir}/ssl.sock" |
| |
| backend second_be |
| default-server ssl ca-file ca-auth.crt verify none |
| server s1 "${tmpdir}/ssl.sock" crt client1.pem |
| |
| backend third_be |
| default-server ssl crt client1.pem ca-file ca-auth.crt verify none |
| server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem |
| |
| backend fourth_be |
| default-server ssl crt client1.pem verify none |
| server s1 "${tmpdir}/ssl.sock" ca-file ca-auth.crt |
| |
| backend fifth_be |
| balance roundrobin |
| default-server ssl crt client1.pem verify none |
| server s1 "${tmpdir}/ssl.sock" |
| server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem |
| server s3 "${tmpdir}/ssl.sock" |
| |
| |
| listen ssl-lst |
| bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ca-auth.crt verify required crt-ignore-err all |
| |
| acl cert_expired ssl_c_verify 10 |
| acl cert_revoked ssl_c_verify 23 |
| acl cert_ok ssl_c_verify 0 |
| |
| http-response add-header X-SSL Ok if cert_ok |
| http-response add-header X-SSL Expired if cert_expired |
| http-response add-header X-SSL Revoked if cert_revoked |
| |
| server s1 ${s1_addr}:${s1_port} |
| } -start |
| |
| |
| |
| client c1 -connect ${h1_clearlst_sock} { |
| txreq -url "/first" |
| rxresp |
| expect resp.status == 200 |
| expect resp.http.x-ssl == "Ok" |
| } -run |
| |
| client c1 -connect ${h1_clearlst_sock} { |
| txreq -url "/second" |
| txreq |
| rxresp |
| expect resp.status == 200 |
| expect resp.http.x-ssl == "Ok" |
| } -run |
| |
| client c1 -connect ${h1_clearlst_sock} { |
| txreq -url "/third" |
| txreq |
| rxresp |
| expect resp.status == 200 |
| expect resp.http.x-ssl == "Expired" |
| } -run |
| |
| client c1 -connect ${h1_clearlst_sock} { |
| txreq -url "/fourth" |
| txreq |
| rxresp |
| expect resp.status == 200 |
| expect resp.http.x-ssl == "Ok" |
| } -run |
| |
| client c1 -connect ${h1_clearlst_sock} { |
| txreq -url "/fifth" |
| txreq |
| rxresp |
| expect resp.status == 200 |
| expect resp.http.x-ssl == "Ok" |
| } -run |
| |
| client c1 -connect ${h1_clearlst_sock} { |
| txreq -url "/fifth" |
| txreq |
| rxresp |
| expect resp.status == 200 |
| expect resp.http.x-ssl == "Expired" |
| } -run |
| |
| client c1 -connect ${h1_clearlst_sock} { |
| txreq -url "/fifth" |
| txreq |
| rxresp |
| expect resp.status == 200 |
| expect resp.http.x-ssl == "Ok" |
| } -run |