reg-tests/ssl/add_ssl_crt-list.vtc - haproxy - Gitiles

 #REGTEST_TYPE=devel

 # This reg-test uses the "add ssl crt-list" command to add a certificate over the CLI.
 # It requires socat and curl to upload and validate that the certificate was well updated

 # If this test does not work anymore:
 # - Check that you have socat and curl
 # - Check if haproxy and curl use the same ciphers

 varnishtest "Test the 'add ssl crt-list' feature of the CLI"
 #REQUIRE_VERSION=2.2
 #REQUIRE_OPTIONS=OPENSSL
 #REQUIRE_BINARIES=socat,curl
 feature ignore_unknown_macro


 haproxy h1 -conf {
   global
     tune.ssl.default-dh-param 2048
     tune.ssl.capture-cipherlist-size 1
     crt-base ${testdir}
     stats socket "${tmpdir}/h1/stats" level admin

   listen frt
     mode http
     ${no-htx} option http-use-htx
     bind "fd@${frt}" ssl strict-sni crt-list ${testdir}/localhost.crt-list
     http-request redirect location /
 } -start


 haproxy h1 -cli {
     send "show ssl cert ${testdir}/common.pem"
     expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
 }

 shell {
     HOST=${h1_frt_addr}
     if [ "${h1_frt_addr}" = "::1" ] ; then
         HOST="\[::1\]"
     fi
     curl -v -i -k --resolve www.test1.com:${h1_frt_port}:${h1_frt_addr} https://www.test1.com:${h1_frt_port}
 }

 shell {
    echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
    printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
    printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
    printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
    printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
    printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
    printf "add ssl crt-list ${testdir}/localhost.crt-list ${testdir}/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" -
 }

 haproxy h1 -cli {
     send "show ssl cert ${testdir}/ecdsa.pem"
     expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
 }

 haproxy h1 -cli {
     send "show ssl crt-list ${testdir}/localhost.crt-list"
     # check the options and the filters in any order
     expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt).*\\](?=.*!www.test1.com)(?=.*localhost).*"
 }

 shell {
     HOST=${h1_frt_addr}
     if [ "${h1_frt_addr}" = "::1" ] ; then
         HOST="\[::1\]"
     fi
     curl -v -i -k --resolve localhost:${h1_frt_port}:${h1_frt_addr} https://localhost:${h1_frt_port}
 }
	#REGTEST_TYPE=devel

	# This reg-test uses the "add ssl crt-list" command to add a certificate over the CLI.
	# It requires socat and curl to upload and validate that the certificate was well updated

	# If this test does not work anymore:
	# - Check that you have socat and curl
	# - Check if haproxy and curl use the same ciphers

	varnishtest "Test the 'add ssl crt-list' feature of the CLI"
	#REQUIRE_VERSION=2.2
	#REQUIRE_OPTIONS=OPENSSL
	#REQUIRE_BINARIES=socat,curl
	feature ignore_unknown_macro


	haproxy h1 -conf {
	global
	tune.ssl.default-dh-param 2048
	tune.ssl.capture-cipherlist-size 1
	crt-base ${testdir}
	stats socket "${tmpdir}/h1/stats" level admin

	listen frt
	mode http
	${no-htx} option http-use-htx
	bind "fd@${frt}" ssl strict-sni crt-list ${testdir}/localhost.crt-list
	http-request redirect location /
	} -start


	haproxy h1 -cli {
	send "show ssl cert ${testdir}/common.pem"
	expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
	}

	shell {
	HOST=${h1_frt_addr}
	if [ "${h1_frt_addr}" = "::1" ] ; then
	HOST="\[::1\]"
	fi
	curl -v -i -k --resolve www.test1.com:${h1_frt_port}:${h1_frt_addr} https://www.test1.com:${h1_frt_port}
	}

	shell {
	echo "new ssl cert ${testdir}/ecdsa.pem" \| socat "${tmpdir}/h1/stats" -
	printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" \| socat "${tmpdir}/h1/stats" -
	echo "commit ssl cert ${testdir}/ecdsa.pem" \| socat "${tmpdir}/h1/stats" -
	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt] localhost !www.test1.com\n\n" \| socat "${tmpdir}/h1/stats" -
	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" \| socat "${tmpdir}/h1/stats" -
	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" \| socat "${tmpdir}/h1/stats" -
	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem\n\n" \| socat "${tmpdir}/h1/stats" -
	printf "add ssl crt-list ${testdir}/localhost.crt-list ${testdir}/ecdsa.pem\n" \| socat "${tmpdir}/h1/stats" -
	}

	haproxy h1 -cli {
	send "show ssl cert ${testdir}/ecdsa.pem"
	expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
	}

	haproxy h1 -cli {
	send "show ssl crt-list ${testdir}/localhost.crt-list"
	# check the options and the filters in any order
	expect ~ ".${testdir}/ecdsa.pem \\[(?=.verify none)(?=.allow-0rtt).\\](?=.!www.test1.com)(?=.localhost).*"
	}

	shell {
	HOST=${h1_frt_addr}
	if [ "${h1_frt_addr}" = "::1" ] ; then
	HOST="\[::1\]"
	fi
	curl -v -i -k --resolve localhost:${h1_frt_port}:${h1_frt_addr} https://localhost:${h1_frt_port}
	}