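#REGTEST_TYPE=devel

# This reg-test ensures that SSL related configuration specified in a
# default-server option are properly taken into account by the servers of a
# backend (they act as TLS clients towards the "ssl-lst" frontend defined
# below). It mainly focuses on the client certificate used by the servers,
# that can either be defined in the server line itself, in the default-server
# line or in both (the server line winning when both define one).
#
# It was created following a bug raised in redmine (issue #3906) in which a
# server used an "empty" SSL context instead of the proper one.
#
# How the check works: every request received on "clear-lst" is routed by its
# path to one backend under test, whose server re-encrypts it towards
# "ssl-lst". That listener requires a client certificate but tolerates any
# verification failure (crt-ignore-err all), purely so that the handshake
# completes and the verification result can be observed: it reports it in the
# X-SSL response header ("Ok" when the valid client1.pem was presented,
# "Expired" when client2_expired.pem was). The clients below assert that header
# to learn which certificate each server actually used.
#

varnishtest "Test that SSL settings of a 'default-server' line are applied to the servers"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature ignore_unknown_macro

# Plain HTTP origin behind ssl-lst: exactly one request per client run below
# (7 runs), so any request that does not reach it would make the test hang.
server s1 -repeat 7 {
    rxreq
    txresp
} -start

haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-buffer-size 1
        stats socket "${tmpdir}/h1/stats" level admin
        # Relative "crt"/"ca-file" names below resolve against the test directory
        crt-base ${testdir}
        ca-base ${testdir}

    defaults
        mode http
        option httplog
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server "${HAPROXY_TEST_TIMEOUT-5s}"

    # Clear-text entry point: the request path selects the backend under test.
    # There is no default_backend, so any other path is answered by haproxy
    # itself and never reaches s1.
    listen clear-lst
        bind "fd@${clearlst}"
        use_backend first_be if { path /first }
        use_backend second_be if { path /second }
        use_backend third_be if { path /third }
        use_backend fourth_be if { path /fourth }
        use_backend fifth_be if { path /fifth }

    # In every backend "verify none" is deliberate: the peer certificate of
    # ssl-lst (common.pem) is not what is being tested here, only the client
    # certificate the server presents.

    # Client cert only on the default-server line -> expected "Ok"
    backend first_be
        default-server ssl crt client1.pem ca-file ca-auth.crt verify none
        server s1 "${tmpdir}/ssl.sock"

    # Client cert only on the server line -> expected "Ok"
    backend second_be
        default-server ssl ca-file ca-auth.crt verify none
        server s1 "${tmpdir}/ssl.sock" crt client1.pem

    # Client cert on both lines: the server line must take precedence over the
    # default-server one -> expected "Expired"
    backend third_be
        default-server ssl crt client1.pem ca-file ca-auth.crt verify none
        server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem

    # Cert inherited from default-server while the server line adds another SSL
    # option (ca-file): the inherited cert must survive -> expected "Ok"
    backend fourth_be
        default-server ssl crt client1.pem verify none
        server s1 "${tmpdir}/ssl.sock" ca-file ca-auth.crt

    # Servers with and without an explicit cert in the same backend. The three
    # "/fifth" clients below open fresh connections and rely on round-robin
    # dispatching them to s1, s2, s3 in that order -> "Ok", "Expired", "Ok"
    backend fifth_be
        balance roundrobin
        default-server ssl crt client1.pem verify none
        server s1 "${tmpdir}/ssl.sock"
        server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem
        server s3 "${tmpdir}/ssl.sock"


    # TLS-terminating side used as the remote peer of every backend server.
    # "verify required" forces the client to send a certificate and
    # "crt-ignore-err all" lets the handshake succeed even when that certificate
    # fails verification; the outcome is then exposed through ssl_c_verify
    # (OpenSSL X509_V_ERR codes: 0 ok, 10 expired, 23 revoked). No client below
    # exercises the revoked case; the ACL is only there for completeness.
    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ca-auth.crt verify required crt-ignore-err all

        acl cert_expired ssl_c_verify 10
        acl cert_revoked ssl_c_verify 23
        acl cert_ok ssl_c_verify 0

        http-response add-header X-SSL Ok if cert_ok
        http-response add-header X-SSL Expired if cert_expired
        http-response add-header X-SSL Revoked if cert_revoked

        server s1 ${s1_addr}:${s1_port}
} -start


# Each client sends a single request on a new connection and checks the X-SSL
# header that ssl-lst added according to the client certificate it received.

client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/first"
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl == "Ok"
} -run

client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/second"
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl == "Ok"
} -run

client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/third"
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl == "Expired"
} -run

client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/fourth"
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl == "Ok"
} -run

# fifth_be, first connection: round-robin picks s1 (inherited client1.pem)
client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/fifth"
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl == "Ok"
} -run

# fifth_be, second connection: s2 (explicit client2_expired.pem)
client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/fifth"
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl == "Expired"
} -run

# fifth_be, third connection: s3 (inherited client1.pem again)
client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/fifth"
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl == "Ok"
} -run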