blob: c1f96f1ebc90bc6a627242a1602ff1c68c40bde6 [file] [log] [blame]
William Lallemand4f59c672021-07-29 16:00:24 +02001#REGTEST_TYPE=broken
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +02002
3# This reg-test checks that the connection and SSL sample fetches related to
4# errors are functioning properly. It also tests the proper behaviour of the
William Lallemand56f1f752021-08-02 10:25:30 +02005# default HTTPS log format and of the log-error-via-logformat option which enables
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +02006# or disables the output of a special error message in case of connection
7# failure (otherwise a line following the configured log-format is output).
8#
9# It works by sending request through three different paths, one using a custom
10# log-format line that contains the connection error and SSL handshake error
11# sample fetches, one using the default HTTPS log-format and one using the
12# legacy error log format.
13#
14# The output log lines are caught by syslog blocks (one for each path) and
15# compared to an expected format.
16# Since the syslog is not by design synchronized with the Varnish clients and
17# servers, synchronization is achieved through barriers, which ensure that
18# syslog messages arrive in the right order.
19#
20# In order to ensure that the log line raised in case of connection error if
William Lallemand56f1f752021-08-02 10:25:30 +020021# the log-error-via-logformat option is disabled still follows the
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +020022# log-separate-error option, the log lines raised by the https_fmt_lst listener
23# will be sent to two separate syslog servers.
24#
25
26varnishtest "Test the connection and SSL error fetches."
27feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev2)'"
28feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
29feature cmd "command -v socat"
30feature ignore_unknown_macro
31
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +020032server s1 -repeat 4 {
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +020033 rxreq
34 txresp
35} -start
36
37barrier b1 cond 4 -cyclic
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +020038barrier b2 cond 2 -cyclic
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +020039
40
41syslog Slg_cust_fmt -level info {
42 recv
Remi Tricot-Le Breton74f6ab62021-08-19 18:06:30 +020043 expect ~ ".*conn_status:\"0:Success\" hsk_err:\"0:-\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +020044
45 barrier b1 sync
46
47 recv
Remi Tricot-Le Bretonfe21fe72021-08-31 12:08:52 +020048 expect ~ "ERROR.*conn_status:\"30:SSL client CA chain cannot be verified\" hsk_err:\"337100934:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +020049
50 barrier b1 sync
51
52 recv
Remi Tricot-Le Bretonfe21fe72021-08-31 12:08:52 +020053 expect ~ "ERROR.*conn_status:\"31:SSL client certificate not trusted\" hsk_err:\"337100934:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +020054
55 barrier b1 sync
56
Remi Tricot-Le Breton74f6ab62021-08-19 18:06:30 +020057 # In case of an error occuring before the certificate verification process,
58 # the client certificate chain is never parsed and verified so we can't
59 # have information about the client's certificate.
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +020060 recv
Remi Tricot-Le Bretonfe21fe72021-08-31 12:08:52 +020061 expect ~ "ERROR.*conn_status:\"34:SSL handshake failure\" hsk_err:\"337678529:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher\" CN=\"\",serial=-,hash=-"
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +020062} -start
63
64syslog Slg_https_fmt -level info {
65 recv
66 expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/s1.*0/0000000000000000/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384"
67
68 barrier b1 sync
69} -start
70
71syslog Slg_https_fmt_err -level info {
72 recv
Remi Tricot-Le Bretonfe21fe72021-08-31 12:08:52 +020073 expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*30/000000001417C086/0/2 TLSv1.3/TLS_AES_256_GCM_SHA384"
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +020074
75 barrier b1 sync
76
77 recv
Remi Tricot-Le Bretonfe21fe72021-08-31 12:08:52 +020078 expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*31/000000001417C086/20/0 TLSv1.3/TLS_AES_256_GCM_SHA384"
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +020079
80 barrier b1 sync
81
82 recv
Remi Tricot-Le Bretonfe21fe72021-08-31 12:08:52 +020083 expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*34/00000000142090C1/0/0 TLSv1.3/\\(NONE\\)"
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +020084} -start
85
86syslog Slg_logconnerror -level info {
87 recv
88 expect ~ ".*logconnerror_ssl_lst~ logconnerror_ssl_lst/s1"
89
90 barrier b1 sync
91
92 recv
93 expect ~ ".*logconnerror_ssl_lst/1: SSL client CA chain cannot be verified"
94
95 barrier b1 sync
96
97 recv
98 expect ~ ".*logconnerror_ssl_lst/1: SSL client certificate not trusted"
99
100 barrier b1 sync
101
102 recv
103 expect ~ ".*logconnerror_ssl_lst/1: SSL handshake failure"
104} -start
105
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200106syslog Slg_bcknd -level info {
107 recv
Remi Tricot-Le Breton1fe0fad2021-09-29 18:56:52 +0200108 expect ~ ".*bc_conn_err:0:\"Success\" ssl_bc_err:0:\"\""
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200109
110 barrier b2 sync
111
112 recv
Remi Tricot-Le Breton1fe0fad2021-09-29 18:56:52 +0200113 expect ~ ".*bc_conn_err:34:\"SSL handshake failure\" ssl_bc_err:337047686:\"error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed\""
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200114
115 barrier b2 sync
116
117 recv
Remi Tricot-Le Breton1fe0fad2021-09-29 18:56:52 +0200118 expect ~ ".*bc_conn_err:32:\"Server presented an SSL certificate different from the configured one\" ssl_bc_err:337047686:\"error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed\""
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200119
120 barrier b2 sync
121
122 # Verify errors on the server side cannot be caught through those backend fetches yet
123 recv
Remi Tricot-Le Breton1fe0fad2021-09-29 18:56:52 +0200124 expect ~ ".*bc_conn_err:0:\"Success\" ssl_bc_err:0:\"\""
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200125
126 barrier b2 sync
127
128 recv
Remi Tricot-Le Breton1fe0fad2021-09-29 18:56:52 +0200129 expect ~ ".*bc_conn_err:34:\"SSL handshake failure\" ssl_bc_err:336151568:\"error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure\""
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200130
131 barrier b2 sync
132
133 recv
Remi Tricot-Le Breton1fe0fad2021-09-29 18:56:52 +0200134 expect ~ ".*bc_conn_err:34:\"SSL handshake failure\" ssl_bc_err:336151568:\"error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure\""
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200135} -start
136
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +0200137
138haproxy h1 -conf {
139 global
140 tune.ssl.default-dh-param 2048
Marcin Deranek310a2602021-07-13 19:04:24 +0200141 tune.ssl.capture-buffer-size 1
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +0200142 stats socket "${tmpdir}/h1/stats" level admin
143
144 defaults
145 timeout connect 100ms
146 timeout client 1s
147 timeout server 1s
148 retries 0
149
150 listen clear_lst
151 bind "fd@${clearlst}"
152 default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse
153
154 balance roundrobin
155 server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
156 server https_fmt "${tmpdir}/https_logfmt_ssl.sock"
157 server logconnerror "${tmpdir}/logconnerror_ssl.sock"
158
159
160 listen clear_wrong_ciphers_lst
161 bind "fd@${wrongcipherslst}"
162 default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse ciphersuites "TLS_AES_128_GCM_SHA256"
163
164 balance roundrobin
165 server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
166 server https_fmt "${tmpdir}/https_logfmt_ssl.sock"
167 server logconnerror "${tmpdir}/logconnerror_ssl.sock"
168
169
Remi Tricot-Le Breton1fe0fad2021-09-29 18:56:52 +0200170 # This listener will be used to test backend fetches (bc_conn_err and ssl_bc_err)
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200171 listen clear_backend_errors_lst
172 bind "fd@${backenderrorslst}"
173 log ${Slg_bcknd_addr}:${Slg_bcknd_port} local0
Remi Tricot-Le Breton1fe0fad2021-09-29 18:56:52 +0200174 log-format "bc_conn_err:%[bc_conn_err]:%{+Q}[bc_conn_err_str]\ ssl_bc_err:%[ssl_bc_err]:%{+Q}[ssl_bc_err_str]"
175 error-log-format "ERROR bc_conn_err:%[bc_conn_err]:%{+Q}[bc_conn_err_str]\ ssl_bc_err:%[ssl_bc_err]:%{+Q}[ssl_bc_err_str]"
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200176
177 balance roundrobin
178 server no_err "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required
179 server srv_cert_rejected "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required
180 server mismatch_frontend "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required verifyhost str(toto)
181 server clt_cert_rejected "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
182 server wrong_ciphers "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA"
183 server wrong_ciphers_tls13 "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" force-tlsv13
184
185
186
187
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +0200188 listen cust_logfmt_ssl_lst
189 log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +0200190 mode http
Remi Tricot-Le Breton1fe0fad2021-09-29 18:56:52 +0200191 log-format "conn_status:\"%[fc_conn_err]:%[fc_conn_err_str]\" hsk_err:\"%[ssl_fc_err]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
192 error-log-format "ERROR conn_status:\"%[fc_conn_err]:%[fc_conn_err_str]\" hsk_err:\"%[ssl_fc_err]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +0200193 bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
194 server s1 ${s1_addr}:${s1_port}
195
196 listen https_logfmt_ssl_lst
197 log ${Slg_https_fmt_addr}:${Slg_https_fmt_port} local0 info
198 log ${Slg_https_fmt_err_addr}:${Slg_https_fmt_err_port} local0 err info
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +0200199 option log-separate-errors
200 mode http
201 option httpslog
Remi Tricot-Le Breton1fe0fad2021-09-29 18:56:52 +0200202 error-log-format "ERROR %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[fc_conn_err]/%[ssl_fc_err,hex]/%[ssl_c_err]/%[ssl_c_ca_err] %sslv/%sslc"
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +0200203 bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
204 server s1 ${s1_addr}:${s1_port}
205
206 listen logconnerror_ssl_lst
207 log ${Slg_logconnerror_addr}:${Slg_logconnerror_port} local0 info
208 mode http
209 option httplog
210 bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
211 server s1 ${s1_addr}:${s1_port}
212
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200213
214 # The following listeners allow to test backend error fetches
215 listen no_backend_err_ssl_lst
216 bind "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
217 server s1 ${s1_addr}:${s1_port}
218
219 listen srv_rejected_ssl_lst
220 bind "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
221 server s1 ${s1_addr}:${s1_port}
222
223 listen mismatch_fe_ssl_lst
224 bind "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
225 server s1 ${s1_addr}:${s1_port}
226
227 listen rejected_clt_ssl_lst
228 bind "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required
229 server s1 ${s1_addr}:${s1_port}
230
231 listen wrong_ciphers_ssl_lst
232 bind "${tmpdir}/wrong_ciphers_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv12 ciphers "kRSA"
233 server s1 ${s1_addr}:${s1_port}
234
235 listen wrong_ciphers_tls13_ssl_lst
236 bind "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv13 ciphersuites "TLS_AES_128_GCM_SHA256"
237 server s1 ${s1_addr}:${s1_port}
238
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +0200239} -start
240
241
242# The three following requests should all succeed
243client c1 -connect ${h1_clearlst_sock} {
244 txreq
245 rxresp
246 expect resp.status == 200
247} -run
248
249client c2 -connect ${h1_clearlst_sock} {
250 txreq
251 rxresp
252 expect resp.status == 200
253} -run
254
255client c3 -connect ${h1_clearlst_sock} {
256 txreq
257 rxresp
258 expect resp.status == 200
259} -run
260
261
262barrier b1 sync
263
264
265# Change the root CA in the frontends
266shell {
267 printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
268 echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
269}
270
271client c4 -connect ${h1_clearlst_sock} {
272 txreq
273} -run
274
275client c5 -connect ${h1_clearlst_sock} {
276 txreq
277} -run
278
279client c6 -connect ${h1_clearlst_sock} {
280 txreq
281} -run
282
283barrier b1 sync
284
285
286
287# Restore the root CA
288shell {
289 printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
290 echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
291}
292
293# Change the intermediate CA in the frontends
294shell {
295 printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
296 echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
297}
298
299client c7 -connect ${h1_clearlst_sock} {
300 txreq
301} -run
302
303client c8 -connect ${h1_clearlst_sock} {
304 txreq
305} -run
306
307client c9 -connect ${h1_clearlst_sock} {
308 txreq
309} -run
310
311barrier b1 sync
312
313
314# Restore the intermediate CA in the frontends
315shell {
316 printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
317 echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
318}
319
320# "No shared cipher" errors
321client c10 -connect ${h1_wrongcipherslst_sock} {
322 txreq
323} -run
324client c11 -connect ${h1_wrongcipherslst_sock} {
325 txreq
326} -run
327client c12 -connect ${h1_wrongcipherslst_sock} {
328 txreq
329} -run
330
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200331
332shell {
333 printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
334 echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
335}
336
337client c13 -connect ${h1_backenderrorslst_sock} {
338 txreq
339 rxresp
340 expect resp.status == 200
341} -run
342barrier b2 sync
343client c14 -connect ${h1_backenderrorslst_sock} {
344 txreq
345} -run
346barrier b2 sync
347client c15 -connect ${h1_backenderrorslst_sock} {
348 txreq
349} -run
350barrier b2 sync
351client c16 -connect ${h1_backenderrorslst_sock} {
352 txreq
353} -run
354barrier b2 sync
355client c17 -connect ${h1_backenderrorslst_sock} {
356 txreq
357} -run
358barrier b2 sync
359client c18 -connect ${h1_backenderrorslst_sock} {
360 txreq
361} -run
362
Remi Tricot-Le Breton54f63832021-07-29 09:45:54 +0200363syslog Slg_cust_fmt -wait
364syslog Slg_https_fmt -wait
365syslog Slg_https_fmt_err -wait
366syslog Slg_logconnerror -wait
Remi Tricot-Le Bretonb061fb32021-09-01 15:52:16 +0200367syslog Slg_bcknd -wait