Remi Tricot-Le Breton | 3f269bb | 2022-02-08 17:45:57 +0100 | [diff] [blame] | 1 | #REGTEST_TYPE=devel |
| 2 | |
| 3 | # This reg-test checks that the 'generate-certificates' SSL option works |
| 4 | # properly. This option allows to generate server-side certificates on the fly |
| 5 | # for clients that use an SNI for which no certificate was specified in the |
| 6 | # configuration file. |
| 7 | # This test also aims at checking that the 'generate-certificates' and the |
| 8 | # 'ecdhe' bind options work correctly together. |
| 9 | # Any bind line having a 'generate-certificates' needs to have a ca-sign-file |
| 10 | # option as well that specifies the path to a CA pem file (containing a |
| 11 | # certificate as well as its private key). For this reason, a new |
| 12 | # ssl_gen_ca.pem CA certificate was created, along with the ssl_gen_server.pem |
| 13 | # server certificate signed by the CA. This server certificate will be used as |
| 14 | # a default certificate and will serve as a base for any newly created |
| 15 | # certificate. |
| 16 | |
| 17 | varnishtest "Test the 'generate-certificates' SSL option" |
| 18 | feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'" |
| 19 | feature cmd "command -v openssl && command -v grep" |
| 20 | feature ignore_unknown_macro |
| 21 | |
| 22 | server s1 -repeat 6 { |
| 23 | rxreq |
| 24 | txresp |
| 25 | } -start |
| 26 | |
| 27 | |
| 28 | haproxy h1 -conf { |
| 29 | global |
| 30 | tune.ssl.default-dh-param 2048 |
| 31 | tune.ssl.capture-buffer-size 2048 |
| 32 | |
| 33 | defaults |
| 34 | mode http |
| 35 | option httpslog |
| 36 | log stderr local0 debug err |
| 37 | option logasap |
| 38 | timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| 39 | timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| 40 | timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
| 41 | option httpslog |
| 42 | |
| 43 | listen clear-lst |
| 44 | bind "fd@${clearlst}" |
| 45 | http-request set-var(sess.sni) hdr(x-sni) |
| 46 | |
| 47 | use_backend P-384_backend if { path /P-384 } |
| 48 | default_backend default_backend |
| 49 | |
| 50 | backend default_backend |
| 51 | server s1 "${tmpdir}/ssl.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni) |
| 52 | |
| 53 | backend P-384_backend |
| 54 | server s1 "${tmpdir}/ssl_P-384.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni) |
| 55 | |
| 56 | listen ssl-lst |
| 57 | bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional |
| 58 | http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)] |
| 59 | http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)] |
| 60 | http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg] |
| 61 | http-response add-header x-ssl-key_alg %[ssl_f_key_alg] |
| 62 | http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex] |
| 63 | |
| 64 | server s1 ${s1_addr}:${s1_port} |
| 65 | |
| 66 | listen ssl-lst-P-384 |
| 67 | bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1 |
| 68 | http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)] |
| 69 | http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)] |
| 70 | http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg] |
| 71 | http-response add-header x-ssl-key_alg %[ssl_f_key_alg] |
| 72 | http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex] |
| 73 | |
| 74 | server s1 ${s1_addr}:${s1_port} |
| 75 | |
| 76 | } -start |
| 77 | |
| 78 | # Use default certificate |
| 79 | client c1 -connect ${h1_clearlst_sock} { |
| 80 | txreq |
| 81 | rxresp |
| 82 | expect resp.status == 200 |
| 83 | expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" |
| 84 | expect resp.http.x-ssl-i_dn == "ECDSA CA" |
| 85 | expect resp.http.x-ssl-s_dn == "server.ecdsa.com" |
| 86 | expect resp.http.x-ssl-key_alg == "id-ecPublicKey" |
| 87 | expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" |
| 88 | } -run |
| 89 | |
| 90 | |
| 91 | # Use default certificate's sni |
| 92 | client c2 -connect ${h1_clearlst_sock} { |
| 93 | txreq -hdr "x-sni: server.ecdsa.com" |
| 94 | rxresp |
| 95 | expect resp.status == 200 |
| 96 | expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" |
| 97 | expect resp.http.x-ssl-i_dn == "ECDSA CA" |
| 98 | expect resp.http.x-ssl-s_dn == "server.ecdsa.com" |
| 99 | expect resp.http.x-ssl-key_alg == "id-ecPublicKey" |
| 100 | expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" |
| 101 | } -run |
| 102 | |
| 103 | |
| 104 | |
| 105 | # Use another SNI - the server certificate should be generated and different |
| 106 | # than the default one |
| 107 | client c3 -connect ${h1_clearlst_sock} { |
| 108 | txreq -hdr "x-sni: unknown-sni.com" |
| 109 | rxresp |
| 110 | expect resp.status == 200 |
| 111 | expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" |
| 112 | expect resp.http.x-ssl-i_dn == "ECDSA CA" |
| 113 | expect resp.http.x-ssl-s_dn == "ECDSA CA" |
| 114 | expect resp.http.x-ssl-key_alg == "id-ecPublicKey" |
| 115 | expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" |
| 116 | } -run |
| 117 | |
| 118 | |
| 119 | # Use default certificate |
| 120 | client c4 -connect ${h1_clearlst_sock} { |
| 121 | txreq -url "/P-384" |
| 122 | rxresp |
| 123 | expect resp.status == 200 |
| 124 | expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" |
| 125 | expect resp.http.x-ssl-i_dn == "ECDSA CA" |
| 126 | expect resp.http.x-ssl-s_dn == "server.ecdsa.com" |
| 127 | expect resp.http.x-ssl-key_alg == "id-ecPublicKey" |
| 128 | expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" |
| 129 | } -run |
| 130 | |
| 131 | |
| 132 | # Use default certificate's sni |
| 133 | client c5 -connect ${h1_clearlst_sock} { |
| 134 | txreq -url "/P-384" -hdr "x-sni: server.ecdsa.com" |
| 135 | rxresp |
| 136 | expect resp.status == 200 |
| 137 | expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" |
| 138 | expect resp.http.x-ssl-i_dn == "ECDSA CA" |
| 139 | expect resp.http.x-ssl-s_dn == "server.ecdsa.com" |
| 140 | expect resp.http.x-ssl-key_alg == "id-ecPublicKey" |
| 141 | expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" |
| 142 | } -run |
| 143 | |
| 144 | |
| 145 | # Use another SNI - the server certificate should be generated and different |
| 146 | # than the default one |
| 147 | client c6 -connect ${h1_clearlst_sock} { |
| 148 | txreq -url "/P-384" -hdr "x-sni: unknown-sni.com" |
| 149 | rxresp |
| 150 | expect resp.status == 200 |
| 151 | expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256" |
| 152 | expect resp.http.x-ssl-i_dn == "ECDSA CA" |
| 153 | expect resp.http.x-ssl-s_dn == "ECDSA CA" |
| 154 | expect resp.http.x-ssl-key_alg == "id-ecPublicKey" |
| 155 | expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11" |
| 156 | } -run |
| 157 | |
| 158 | # Check that the curves that the server accepts to use correspond to what we |
| 159 | # expect it to be (according to ecdhe option). |
| 160 | # The curve with the highest priority is X25519 for OpenSSL 1.1.1 and later, |
| 161 | # and P-256 for OpenSSL 1.0.2. |
| 162 | shell { |
Ilya Shipitsin | 0865160 | 2022-07-24 00:01:32 +0500 | [diff] [blame] | 163 | echo "Q" | openssl s_client -unix "${tmpdir}/ssl.sock" -servername server.ecdsa.com -tls1_2 2>/dev/null | grep -E "Server Temp Key: (ECDH, P-256, 256 bits|ECDH, prime256v1, 256 bits|X25519, 253 bits)" |
Remi Tricot-Le Breton | 3f269bb | 2022-02-08 17:45:57 +0100 | [diff] [blame] | 164 | } |
| 165 | |
| 166 | shell { |
Ilya Shipitsin | b6189bc | 2022-08-06 22:40:41 +0500 | [diff] [blame] | 167 | echo "Q" | openssl s_client -unix "${tmpdir}/ssl_P-384.sock" -servername server.ecdsa.com 2>/dev/null| grep -E "Temp Key: ECDH,.+, 384 bits" |
Remi Tricot-Le Breton | 3f269bb | 2022-02-08 17:45:57 +0100 | [diff] [blame] | 168 | } |