William Lallemand | 4f59c67 | 2021-07-29 16:00:24 +0200 | [diff] [blame] | 1 | #REGTEST_TYPE=broken |
Remi Tricot-Le Breton | 54f6383 | 2021-07-29 09:45:54 +0200 | [diff] [blame] | 2 | |
| 3 | # This reg-test checks that the connection and SSL sample fetches related to |
| 4 | # errors are functioning properly. It also tests the proper behaviour of the |
William Lallemand | 56f1f75 | 2021-08-02 10:25:30 +0200 | [diff] [blame] | 5 | # default HTTPS log format and of the log-error-via-logformat option which enables |
Remi Tricot-Le Breton | 54f6383 | 2021-07-29 09:45:54 +0200 | [diff] [blame] | 6 | # or disables the output of a special error message in case of connection |
| 7 | # failure (otherwise a line following the configured log-format is output). |
| 8 | # |
# It works by sending requests through three different paths: one using a custom
# log-format line that contains the connection error and SSL handshake error
# sample fetches, one using the default HTTPS log-format and one using the
# legacy error log format.
| 13 | # |
| 14 | # The output log lines are caught by syslog blocks (one for each path) and |
| 15 | # compared to an expected format. |
# Since syslog is, by design, not synchronized with the Varnish clients and
# servers, synchronization is achieved through barriers, which ensure that
# syslog messages arrive in the right order.
| 19 | # |
# In order to ensure that the log line raised in case of connection error, when
# the log-error-via-logformat option is disabled, still follows the
# log-separate-errors option, the log lines raised by the https_fmt_lst listener
# will be sent to two separate syslog servers.
| 24 | # |
| 25 | |
# Prerequisites: an HAProxy of at least 2.5-dev2 built with OpenSSL, and socat,
# which the shell blocks below use to talk to the stats socket.
varnishtest "Test the connection and SSL error fetches."
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev2)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature cmd "command -v socat"
feature ignore_unknown_macro
| 31 | |
# Backend reached only by the three requests whose TLS handshake succeeds
# (c1..c3); the failed handshakes never get this far, hence -repeat 3.
server s1 -repeat 3 {
    rxreq
    txresp
} -start
| 36 | |
| 37 | barrier b1 cond 4 -cyclic |
| 38 | |
| 39 | |
# Path 1: custom log-format. Every line carries the connection error code and
# string, the SSL handshake error code and string, and the client certificate's
# DN, serial and SHA1 fingerprint (see cust_logfmt_ssl_lst below).
# NOTE(review): the numeric handshake error codes and the error strings are the
# ones rendered by the OpenSSL build this test was written against; other
# versions may render them differently, which is presumably why the file is
# tagged REGTEST_TYPE=broken.
syslog Slg_cust_fmt -level info {
    # Round 1: successful handshake, the client certificate is fully verified.
    recv
    expect ~ ".*conn_status:\"0:Success\" hsk_err:\"0:-\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"

    barrier b1 sync

    # Round 2: the root CA file was replaced by the intermediate CA (first
    # shell block below), so the client CA chain cannot be verified. The
    # certificate itself is still parsed, hence the DN/serial/hash fields.
    recv
    expect ~ ".*conn_status:\"30:SSL client CA chain cannot be verified\" hsk_err:\"337100934:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"

    barrier b1 sync

    # Round 3: the intermediate CA file was replaced, so the client
    # certificate's issuer is no longer trusted.
    recv
    expect ~ ".*conn_status:\"31:SSL client certificate not trusted\" hsk_err:\"337100934:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed\" CN=\"/C=FR/O=HAProxy Technologies/CN=Client\",serial=1007,hash=063DCC2E6A9159E66994B325D6D2EF3D17A75B6F"

    barrier b1 sync

    # Last round (requests c10..c12 through clear_wrong_ciphers_lst): the
    # handshake aborts at ClientHello time with "no shared cipher".
    # In case of an error occurring before the certificate verification process,
    # the client certificate chain is never parsed and verified so we can't
    # have information about the client's certificate.
    recv
    expect ~ ".*conn_status:\"34:SSL handshake failure\" hsk_err:\"337678529:error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher\" CN=\"\",serial=-,hash=-"
} -start
| 62 | |
# Path 2, info side of the default HTTPS log format. Only the successful
# session lands here: with log-separate-errors the failed sessions are logged
# at err level and go to Slg_https_fmt_err instead. The trailing fields read as
# all-zero error codes followed by the negotiated TLS version and cipher.
syslog Slg_https_fmt -level info {
    recv
    expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/s1.*0/0000000000000000/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384"

    # Only round 1 produces a line here; later rounds are synchronized by
    # Slg_https_fmt_err.
    barrier b1 sync
} -start
| 69 | |
# Path 2, error side of the default HTTPS log format: receives only the
# err-level lines raised by log-separate-errors. No server was reached, hence
# "<NOSRV>". The trailing fields appear to be the connection error, the
# handshake error in hex, the client certificate verification errors, then the
# TLS version and cipher — confirm against the httpslog definition.
syslog Slg_https_fmt_err -level info {
    # Round 2: CA chain cannot be verified (conn error 30, handshake error
    # 1417C086).
    recv
    expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*30/000000001417C086/0/2 TLSv1.3/TLS_AES_256_GCM_SHA384"

    barrier b1 sync

    # Round 3: client certificate not trusted (conn error 31).
    recv
    expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*31/000000001417C086/20/0 TLSv1.3/TLS_AES_256_GCM_SHA384"

    barrier b1 sync

    # Last round: no shared cipher (conn error 34, handshake error 142090C1);
    # nothing was negotiated, hence "(NONE)" as the cipher. No barrier after
    # this one: the final "syslog -wait" collects it.
    recv
    expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*34/00000000142090C1/0/0 TLSv1.3/\\(NONE\\)"
} -start
| 84 | |
# Path 3: legacy behaviour (no log-error-via-logformat on the listener). The
# successful session is a regular httplog line naming the server; each failed
# handshake produces the dedicated "<listener>/<bind id>: <message>" error line
# instead of a log-format line.
syslog Slg_logconnerror -level info {
    # Round 1: success.
    recv
    expect ~ ".*logconnerror_ssl_lst~ logconnerror_ssl_lst/s1"

    barrier b1 sync

    # Round 2: root CA replaced.
    recv
    expect ~ ".*logconnerror_ssl_lst/1: SSL client CA chain cannot be verified"

    barrier b1 sync

    # Round 3: intermediate CA replaced.
    recv
    expect ~ ".*logconnerror_ssl_lst/1: SSL client certificate not trusted"

    barrier b1 sync

    # Last round: no shared cipher.
    recv
    expect ~ ".*logconnerror_ssl_lst/1: SSL handshake failure"
} -start
| 104 | |
| 105 | |
haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        # Minimal ClientHello capture buffer; nothing in this test asserts on
        # the captured data — presumably kept only to exercise that code path
        # alongside the error fetches.
        tune.ssl.capture-buffer-size 1
        # The shell blocks below drive "set ssl ca-file" / "commit ssl ca-file"
        # through this socket, hence the admin level.
        stats socket "${tmpdir}/h1/stats" level admin

    defaults
        # Short timeouts and no retries keep the failing handshakes fast.
        timeout connect 100ms
        timeout client 1s
        timeout server 1s
        retries 0

    # Plain-text entry point. Each request is forwarded over TLS, presenting
    # set_cafile_client.pem as client certificate, to one of the three SSL
    # listeners in turn, so each round sends one request per listener.
    # "verify none": this hop does not check the listener's server
    # certificate; the verification under test is the client-certificate
    # check done by the listeners themselves (verify required).
    listen clear_lst
        bind "fd@${clearlst}"
        default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse

        balance roundrobin
        server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
        server https_fmt "${tmpdir}/https_logfmt_ssl.sock"
        server logconnerror "${tmpdir}/logconnerror_ssl.sock"


    # Same as clear_lst but offering only TLS_AES_128_GCM_SHA256, which none of
    # the SSL listeners accept: every handshake fails with "no shared cipher".
    listen clear_wrong_ciphers_lst
        bind "fd@${wrongcipherslst}"
        default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse ciphersuites "TLS_AES_128_GCM_SHA256"

        balance roundrobin
        server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
        server https_fmt "${tmpdir}/https_logfmt_ssl.sock"
        server logconnerror "${tmpdir}/logconnerror_ssl.sock"


    # Path 1: custom log-format carrying the connection and handshake error
    # code/string plus the client cert DN (quoted with %{+Q}), serial and SHA1
    # fingerprint. log-error-via-logformat makes failed handshakes use this
    # format too instead of the legacy error message.
    listen cust_logfmt_ssl_lst
        log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0
        option log-error-via-logformat
        mode http
        log-format "conn_status:\"%[fc_conn_err]:%[fc_conn_err_str]\" hsk_err:\"%[ssl_fc_hsk_err]:%[ssl_fc_hsk_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
        # Client certificates are verified against ca-file (intermediate CA)
        # and ca-verify-file (root CA); the shell blocks swap the content of
        # these files at run time to provoke the verification errors. Only
        # TLS_AES_256_GCM_SHA384 is offered, which clear_lst can use and
        # clear_wrong_ciphers_lst cannot.
        bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
        server s1 ${s1_addr}:${s1_port}

    # Path 2: default HTTPS log format (option httpslog) with two log targets:
    # Slg_https_fmt receives info-level lines, Slg_https_fmt_err only lines of
    # level err. Since log-separate-errors logs failed sessions at err level,
    # the success line and the error lines end up on different syslog servers.
    listen https_logfmt_ssl_lst
        log ${Slg_https_fmt_addr}:${Slg_https_fmt_port} local0 info
        log ${Slg_https_fmt_err_addr}:${Slg_https_fmt_err_port} local0 err info
        option log-error-via-logformat
        option log-separate-errors
        mode http
        option httpslog
        bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
        server s1 ${s1_addr}:${s1_port}

    # Path 3: legacy behaviour — without log-error-via-logformat a failed
    # handshake is reported with the dedicated error message, not a log-format
    # line.
    listen logconnerror_ssl_lst
        log ${Slg_logconnerror_addr}:${Slg_logconnerror_port} local0 info
        mode http
        option httplog
        bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384"
        server s1 ${s1_addr}:${s1_port}

} -start
| 164 | |
| 165 | |
# The three following requests should all succeed
# Round 1: clear_lst balances them roundrobin over the three SSL listeners,
# so each syslog block receives exactly one success line.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run

client c2 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run

client c3 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run
| 184 | |
| 185 | |
| 186 | barrier b1 sync |
| 187 | |
| 188 | |
# Change the root CA in the frontends
# Through the admin stats socket, replace the content of the root CA file
# (the listeners' ca-verify-file) with the intermediate CA: the "<<" form
# sends the file as a multi-line payload ended by an empty line, and the
# change only takes effect once committed. The client chain can then no
# longer be verified up to a trusted root.
shell {
    printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
}
| 194 | |
# Round 2: same path as c1..c3, but the listeners can no longer verify the
# client CA chain. No response is read; the test only needs each failed
# handshake to be logged.
client c4 -connect ${h1_clearlst_sock} {
    txreq
} -run

client c5 -connect ${h1_clearlst_sock} {
    txreq
} -run

client c6 -connect ${h1_clearlst_sock} {
    txreq
} -run
| 206 | |
| 207 | barrier b1 sync |
| 208 | |
| 209 | |
| 210 | |
# Restore the root CA
# Put the real root CA back so that round 3 only exercises the intermediate
# CA error.
shell {
    printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
}
| 216 | |
# Change the intermediate CA in the frontends
# Replace the content of the listeners' ca-file (interCA1) with interCA2, so
# the client certificate's issuer is no longer trusted.
shell {
    printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
}
| 222 | |
# Round 3: the client certificate is now rejected as not trusted; again no
# response is read.
client c7 -connect ${h1_clearlst_sock} {
    txreq
} -run

client c8 -connect ${h1_clearlst_sock} {
    txreq
} -run

client c9 -connect ${h1_clearlst_sock} {
    txreq
} -run
| 234 | |
| 235 | barrier b1 sync |
| 236 | |
| 237 | |
# Restore the intermediate CA in the frontends
# Back to the original CA files; the last round fails for a different reason
# (cipher mismatch), not because of certificate verification.
shell {
    printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
}
| 243 | |
# "No shared cipher" errors
# These go through clear_wrong_ciphers_lst, which only offers
# TLS_AES_128_GCM_SHA256 while the SSL listeners only accept
# TLS_AES_256_GCM_SHA384, so the handshake aborts at the ClientHello stage.
# No barrier is needed afterwards: the "syslog -wait" lines below collect
# these last log lines.
client c10 -connect ${h1_wrongcipherslst_sock} {
    txreq
} -run
client c11 -connect ${h1_wrongcipherslst_sock} {
    txreq
} -run
client c12 -connect ${h1_wrongcipherslst_sock} {
    txreq
} -run
| 254 | |
# Block until every syslog block has received and matched all of its expected
# lines; this is what validates the last round, which has no barrier.
syslog Slg_cust_fmt -wait
syslog Slg_https_fmt -wait
syslog Slg_https_fmt_err -wait
syslog Slg_logconnerror -wait