| #REGTEST_TYPE=devel |
| |
| varnishtest "Test the ssl_c_* sample fetches" |
| #REQUIRE_VERSION=2.2 |
| #REQUIRE_OPTIONS=OPENSSL |
| feature ignore_unknown_macro |
| |
| server s1 -repeat 3 { |
| rxreq |
| txresp |
| } -start |
| |
| haproxy h1 -conf { |
| global |
| tune.ssl.default-dh-param 2048 |
| tune.ssl.capture-buffer-size 1 |
| crt-base ${testdir} |
| |
| defaults |
| mode http |
| option httplog |
| log stderr local0 debug err |
| option logasap |
| timeout connect 1s |
| timeout client 1s |
| timeout server 1s |
| |
| |
| listen clear-lst |
| bind "fd@${clearlst}" |
| balance roundrobin |
| server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem |
| |
| listen ssl-lst |
| mode http |
| |
| http-response add-header x-ssl-der %[ssl_c_der,hex] |
| http-response add-header x-ssl-chain-der %[ssl_c_chain_der,hex] |
| http-response add-header x-ssl-sha1 %[ssl_c_sha1,hex] |
| http-response add-header x-ssl-notafter %[ssl_c_notafter] |
| http-response add-header x-ssl-notbefore %[ssl_c_notbefore] |
| http-response add-header x-ssl-sig_alg %[ssl_c_sig_alg] |
| http-response add-header x-ssl-i_dn %[ssl_c_i_dn] |
| http-response add-header x-ssl-s_dn %[ssl_c_s_dn] |
| http-response add-header x-ssl-s_serial %[ssl_c_serial,hex] |
| http-response add-header x-ssl-key_alg %[ssl_c_key_alg] |
| http-response add-header x-ssl-version %[ssl_c_version] |
| |
| bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem |
| |
| server s1 ${s1_addr}:${s1_port} |
| } -start |
| |
| |
| client c1 -connect ${h1_clearlst_sock} { |
| txreq |
| rxresp |
| expect resp.status == 200 |
| expect resp.http.x-ssl-der ~ 3082052D30820315020102300D0.*995ED3BE2BFB923A3EB71FA07002E |
| expect resp.http.x-ssl-chain-der ~ 3082096B30820553A0030201020.*0237D08F425C8414A23D436415502 |
| expect resp.http.x-ssl-sha1 == "D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" |
| expect resp.http.x-ssl-notafter == "500421185942Z" |
| expect resp.http.x-ssl-notbefore == "200428185942Z" |
| expect resp.http.x-ssl-sig_alg == "RSA-SHA256" |
| expect resp.http.x-ssl-i_dn == "/C=FR/ST=Some-State/O=HAProxy Technologies/CN=HAProxy Technologies CA Test Client Auth" |
| expect resp.http.x-ssl-s_dn == "/C=FR/O=HAProxy Technologies Test/CN=client1" |
| expect resp.http.x-ssl-s_serial == "02" |
| expect resp.http.x-ssl-key_alg == "rsaEncryption" |
| expect resp.http.x-ssl-version == "1" |
| } -run |
| |
| |