reg-tests/ssl/ssl_crt-list_filters.vtc

#REGTEST_TYPE=broken
varnishtest "Test for the bug #810 and #818"
# This test checks if the multiple certificate types works correctly with the
# SNI, and that the negative filters are correctly excluded


#REQUIRE_VERSION=2.2
#REQUIRE_OPTIONS=OPENSSL
feature ignore_unknown_macro

server s1 -repeat 3 {
    rxreq
    txresp
} -start

haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        crt-base ${testdir}
        stats socket "${tmpdir}/h1/stats" level admin

    defaults
        mode http
        option httplog
        log stderr local0 debug err
        option logasap
        timeout connect 1s
        timeout client  1s
        timeout server  1s


    listen clear-lst
        bind "fd@${clearlst}"
        balance roundrobin
        server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug810.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA"
        server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug810.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "aECDSA"
        server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(another-record.bug818.domain.tld) ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA"

    listen ssl-lst
        mode http
        ${no-htx} option http-use-htx
        bind "${tmpdir}/ssl.sock" ssl strict-sni ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 ciphers "kRSA:aECDSA" crt-list ${testdir}/filters.crt-list

        server s1 ${s1_addr}:${s1_port}
} -start


client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run

client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run

client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 503
} -run