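#REGTEST_TYPE=devel

# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
# It requires socat to upload the certificate
#
# This check has two separate parts.
# In the first part, there are 3 requests, the first one will use "www.test1.com" as SNI,
# the second one with the same but that must fail and the third one will use
# "localhost". Since vtest can't do SSL, we use haproxy as an SSL client with 2
# chained listen section.
#
# In the second part, we check the update of a default certificate in a crt-list.
# This corresponds to a bug raised in https://github.com/haproxy/haproxy/issues/1143.
# A certificate is used as default certificate as well as regular one, and during the update
# the default certificate would not be properly updated if the default instance did not have
# any SNI. The test consists in checking that the used certificate is the right one after
# updating it via a "set ssl cert" call.
#
# Which certificate is actually in use is observed in two ways: through the SHA1
# fingerprint printed by "show ssl cert" on the CLI, and through the
# X-SSL-Server-SHA1 response header that clear-lst derives from ssl_s_sha1.
# Every "expect ~" below is an unanchored regex, so the full 40-digit
# fingerprint must be written out for the check to identify exactly one
# certificate.
#
# If this test does not work anymore:
# - Check that you have socat

varnishtest "Test the 'set ssl cert' feature of the CLI"
#REQUIRE_VERSION=2.2
#REQUIRE_OPTIONS=OPENSSL
#REQUIRE_BINARIES=socat
feature ignore_unknown_macro

# Backend behind both SSL listeners; -repeat matches the number of server
# entries in clear-lst.
server s1 -repeat 9 {
    rxreq
    txresp
} -start

haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-cipherlist-size 1
        # admin level is required for the set/commit/abort ssl cert commands
        # issued from the shell blocks below
        stats socket "${tmpdir}/h1/stats" level admin
        crt-base ${testdir}

    defaults
        mode http
        option httplog
        log stderr local0 debug err
        option logasap
        timeout connect 100ms
        timeout client 1s
        timeout server 1s

    # Plain-text front used as the SSL client: each request is round-robined
    # to the next server entry, which opens a TLS connection to one of the SSL
    # listeners with a fixed SNI. "verify none" only disables chain validation
    # on this test hop; the served certificate is identified by its fingerprint
    # instead.
    listen clear-lst
        bind "fd@${clearlst}"
        balance roundrobin

        # fingerprint of the certificate presented by the SSL listener
        http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]

        retries 0 # 2nd SSL connection must fail so skip the retry
        # part 1: ssl-lst is strict-sni, an SNI without a matching cert is refused
        server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
        server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
        server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)

        # part 2: other-ssl-lst serves from a crt-list with a default entry
        server s4 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s5 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate
        server s6 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s7 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate

        server s8 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s9 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate

    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
        server s1 ${s1_addr}:${s1_port}

    listen other-ssl-lst
        bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/set_default_cert.crt-list
        server s1 ${s1_addr}:${s1_port}

} -start


# Initial state: common.pem is loaded as found on disk
haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
}

# s1: SNI www.test1.com is served by common.pem
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run

# Replace common.pem by ecdsa.pem. The PEM payload follows "<<" on the CLI and
# is terminated by an empty line; the new certificate is only used once
# committed.
shell {
    printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}

# check that the "www.test1.com" SNI was removed
# s2: same SNI, but strict-sni no longer has a certificate for it, so the
# connection must fail
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 503
} -run

# s3: SNI localhost is served by the new certificate
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run

# A transaction that is started and then aborted must leave the committed
# certificate untouched.
shell {
    printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "abort ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}



# The following requests are aimed at a backend that uses the set_default_cert.crt-list file

# Uses the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run

# Uses the other.test1.com sni and the default line of the crt-list
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run

# Stage common.pem under the set_default_cert.pem name, without committing
shell {
    printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
}

# Certificate should not have changed yet
haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3"
}

shell {
    echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
}

# Both the named entry and the default entry of the crt-list must now present
# the new certificate (regression check for issue #1143).

# Uses the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
    expect resp.status == 200
} -run

# Uses the other.test1.com sni and the default line of the crt-list
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
    expect resp.status == 200
} -run

# Restore original certificate
shell {
    printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/set_default_cert.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}

# The fingerprint is given in full here: the regex has no end anchor, so a
# truncated value would also accept any other fingerprint sharing that prefix.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3"
}

# Uses the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run

# Uses the other.test1.com sni and the default line of the crt-list
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run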