blob: d6d45261f9d1bf113ee9b532e5b586e1b0bb9c17 [file] [log] [blame]
William Lallemand4781fad2020-03-31 14:48:34 +02001#REGTEST_TYPE=devel
William Lallemand9c1aa0a2019-12-19 11:25:19 +01002
3# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
William Lallemanda9115482020-04-30 10:19:40 +02004# It requires socat to upload the certificate
5#
6# this check does 3 requests, the first one will use "www.test1.com" as SNI,
7# the second one with the same but that must fail and the third one will use
8# "localhost". Since vtest can't do SSL, we use haproxy as an SSL client with 2
9# chained listen section.
10#
William Lallemand9c1aa0a2019-12-19 11:25:19 +010011# If this test does not work anymore:
William Lallemanda9115482020-04-30 10:19:40 +020012# - Check that you have socat
William Lallemand9c1aa0a2019-12-19 11:25:19 +010013
14varnishtest "Test the 'set ssl cert' feature of the CLI"
Willy Tarreaufa10ffd2020-01-24 13:49:42 +010015#REQUIRE_VERSION=2.2
William Lallemand9c1aa0a2019-12-19 11:25:19 +010016#REQUIRE_OPTIONS=OPENSSL
William Lallemanda9115482020-04-30 10:19:40 +020017#REQUIRE_BINARIES=socat
William Lallemand9c1aa0a2019-12-19 11:25:19 +010018feature ignore_unknown_macro
19
William Lallemanda9115482020-04-30 10:19:40 +020020server s1 -repeat 3 {
21 rxreq
22 txresp
23} -start
William Lallemand9c1aa0a2019-12-19 11:25:19 +010024
25haproxy h1 -conf {
William Lallemanda9115482020-04-30 10:19:40 +020026 global
27 tune.ssl.default-dh-param 2048
28 tune.ssl.capture-cipherlist-size 1
29 stats socket "${tmpdir}/h1/stats" level admin
30
31 defaults
32 mode http
33 option httplog
34 ${no-htx} option http-use-htx
35 log stderr local0 debug err
36 option logasap
37 timeout connect 100ms
38 timeout client 1s
39 timeout server 1s
40
41 listen clear-lst
42 bind "fd@${clearlst}"
43 balance roundrobin
44 retries 0 # 2nd SSL connection must fail so skip the retry
45 server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
46 server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
47 server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)
48
49 listen ssl-lst
50 bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
William Lallemand9c1aa0a2019-12-19 11:25:19 +010051
William Lallemanda9115482020-04-30 10:19:40 +020052 server s1 ${s1_addr}:${s1_port}
William Lallemand9c1aa0a2019-12-19 11:25:19 +010053} -start
54
55
56haproxy h1 -cli {
57 send "show ssl cert ${testdir}/common.pem"
58 expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
59}
60
William Lallemanda9115482020-04-30 10:19:40 +020061client c1 -connect ${h1_clearlst_sock} {
62 txreq
63 rxresp
64 expect resp.status == 200
65} -run
William Lallemand9c1aa0a2019-12-19 11:25:19 +010066
67shell {
William Lallemanda9115482020-04-30 10:19:40 +020068 printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
69 echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
William Lallemand9c1aa0a2019-12-19 11:25:19 +010070}
71
72haproxy h1 -cli {
73 send "show ssl cert ${testdir}/common.pem"
74 expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
75}
76
William Lallemanda9115482020-04-30 10:19:40 +020077# check that the "www.test1.com" SNI was removed
78client c1 -connect ${h1_clearlst_sock} {
79 txreq
80 rxresp
81 expect resp.status == 503
82} -run
83
84client c1 -connect ${h1_clearlst_sock} {
85 txreq
86 rxresp
87 expect resp.status == 200
88} -run
William Lallemand3d6ebec2021-02-01 15:31:00 +010089
90shell {
91 printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
92 echo "abort ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
93}
94
95haproxy h1 -cli {
96 send "show ssl cert ${testdir}/common.pem"
97 expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
98}
99