reg-tests/ssl/ssl_crt-list_filters.vtc - haproxy - Gitiles

 #REGTEST_TYPE=broken
 varnishtest "Test for the bug #810 and #818"
 # This test checks if the multiple certificate types works correctly with the
 # SNI, and that the negative filters are correctly excluded


 #REQUIRE_VERSION=2.2
 #REQUIRE_OPTIONS=OPENSSL
 feature ignore_unknown_macro

 server s1 -repeat 3 {
     rxreq
     txresp
 } -start

 haproxy h1 -conf {
     global
         tune.ssl.default-dh-param 2048
         crt-base ${testdir}
         stats socket "${tmpdir}/h1/stats" level admin

     defaults
         mode http
         option httplog
         log stderr local0 debug err
         option logasap
         timeout connect 1s
         timeout client  1s
         timeout server  1s


     listen clear-lst
         bind "fd@${clearlst}"
         balance roundrobin
         server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug810.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA"
         server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug810.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "aECDSA"
         server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug818.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA"

     listen ssl-lst
         mode http
         ${no-htx} option http-use-htx
         bind "${tmpdir}/ssl.sock" ssl strict-sni ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA:aECDSA" crt-list ${testdir}/filters.crt-list

         server s1 ${s1_addr}:${s1_port}
 } -start


 client c1 -connect ${h1_clearlst_sock} {
     txreq
     rxresp
     expect resp.status == 200
 } -run

 client c1 -connect ${h1_clearlst_sock} {
     txreq
     rxresp
     expect resp.status == 200
 } -run

 client c1 -connect ${h1_clearlst_sock} {
     txreq
     rxresp
     expect resp.status == 503
 } -run
	#REGTEST_TYPE=broken
	varnishtest "Test for the bug #810 and #818"
	# This test checks if the multiple certificate types works correctly with the
	# SNI, and that the negative filters are correctly excluded


	#REQUIRE_VERSION=2.2
	#REQUIRE_OPTIONS=OPENSSL
	feature ignore_unknown_macro

	server s1 -repeat 3 {
	rxreq
	txresp
	} -start

	haproxy h1 -conf {
	global
	tune.ssl.default-dh-param 2048
	crt-base ${testdir}
	stats socket "${tmpdir}/h1/stats" level admin

	defaults
	mode http
	option httplog
	log stderr local0 debug err
	option logasap
	timeout connect 1s
	timeout client 1s
	timeout server 1s


	listen clear-lst
	bind "fd@${clearlst}"
	balance roundrobin
	server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug810.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA"
	server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug810.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "aECDSA"
	server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug818.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA"

	listen ssl-lst
	mode http
	${no-htx} option http-use-htx
	bind "${tmpdir}/ssl.sock" ssl strict-sni ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA:aECDSA" crt-list ${testdir}/filters.crt-list

	server s1 ${s1_addr}:${s1_port}
	} -start


	client c1 -connect ${h1_clearlst_sock} {
	txreq
	rxresp
	expect resp.status == 200
	} -run

	client c1 -connect ${h1_clearlst_sock} {
	txreq
	rxresp
	expect resp.status == 200
	} -run

	client c1 -connect ${h1_clearlst_sock} {
	txreq
	rxresp
	expect resp.status == 503
	} -run