blob: 96549df54df146e7125b81fcce4e4dd301d93d9c [file] [log] [blame]
Remi Tricot-Le Breton3f269bb2022-02-08 17:45:57 +01001#REGTEST_TYPE=devel
2
3# This reg-test checks that the 'generate-certificates' SSL option works
4# properly. This option allows to generate server-side certificates on the fly
5# for clients that use an SNI for which no certificate was specified in the
6# configuration file.
7# This test also aims at checking that the 'generate-certificates' and the
8# 'ecdhe' bind options work correctly together.
9# Any bind line having a 'generate-certificates' needs to have a ca-sign-file
10# option as well that specifies the path to a CA pem file (containing a
11# certificate as well as its private key). For this reason, a new
12# ssl_gen_ca.pem CA certificate was created, along with the ssl_gen_server.pem
13# server certificate signed by the CA. This server certificate will be used as
14# a default certificate and will serve as a base for any newly created
15# certificate.
16
17varnishtest "Test the 'generate-certificates' SSL option"
18feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
19feature cmd "command -v openssl && command -v grep"
20feature ignore_unknown_macro
21
22server s1 -repeat 6 {
23 rxreq
24 txresp
25} -start
26
27
28haproxy h1 -conf {
29 global
30 tune.ssl.default-dh-param 2048
31 tune.ssl.capture-buffer-size 2048
32
33 defaults
34 mode http
35 option httpslog
36 log stderr local0 debug err
37 option logasap
38 timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
39 timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
40 timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
41 option httpslog
42
43 listen clear-lst
44 bind "fd@${clearlst}"
45 http-request set-var(sess.sni) hdr(x-sni)
46
47 use_backend P-384_backend if { path /P-384 }
48 default_backend default_backend
49
50 backend default_backend
51 server s1 "${tmpdir}/ssl.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)
52
53 backend P-384_backend
54 server s1 "${tmpdir}/ssl_P-384.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)
55
56 listen ssl-lst
57 bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional
58 http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
59 http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
60 http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
61 http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
62 http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex]
63
64 server s1 ${s1_addr}:${s1_port}
65
66 listen ssl-lst-P-384
67 bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1
68 http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
69 http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
70 http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
71 http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
72 http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex]
73
74 server s1 ${s1_addr}:${s1_port}
75
76} -start
77
78# Use default certificate
79client c1 -connect ${h1_clearlst_sock} {
80 txreq
81 rxresp
82 expect resp.status == 200
83 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
84 expect resp.http.x-ssl-i_dn == "ECDSA CA"
85 expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
86 expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
87 expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
88} -run
89
90
91# Use default certificate's sni
92client c2 -connect ${h1_clearlst_sock} {
93 txreq -hdr "x-sni: server.ecdsa.com"
94 rxresp
95 expect resp.status == 200
96 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
97 expect resp.http.x-ssl-i_dn == "ECDSA CA"
98 expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
99 expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
100 expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
101} -run
102
103
104
105# Use another SNI - the server certificate should be generated and different
106# than the default one
107client c3 -connect ${h1_clearlst_sock} {
108 txreq -hdr "x-sni: unknown-sni.com"
109 rxresp
110 expect resp.status == 200
111 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
112 expect resp.http.x-ssl-i_dn == "ECDSA CA"
113 expect resp.http.x-ssl-s_dn == "ECDSA CA"
114 expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
115 expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
116} -run
117
118
119# Use default certificate
120client c4 -connect ${h1_clearlst_sock} {
121 txreq -url "/P-384"
122 rxresp
123 expect resp.status == 200
124 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
125 expect resp.http.x-ssl-i_dn == "ECDSA CA"
126 expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
127 expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
128 expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
129} -run
130
131
132# Use default certificate's sni
133client c5 -connect ${h1_clearlst_sock} {
134 txreq -url "/P-384" -hdr "x-sni: server.ecdsa.com"
135 rxresp
136 expect resp.status == 200
137 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
138 expect resp.http.x-ssl-i_dn == "ECDSA CA"
139 expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
140 expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
141 expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
142} -run
143
144
145# Use another SNI - the server certificate should be generated and different
146# than the default one
147client c6 -connect ${h1_clearlst_sock} {
148 txreq -url "/P-384" -hdr "x-sni: unknown-sni.com"
149 rxresp
150 expect resp.status == 200
151 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
152 expect resp.http.x-ssl-i_dn == "ECDSA CA"
153 expect resp.http.x-ssl-s_dn == "ECDSA CA"
154 expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
155 expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
156} -run
157
158# Check that the curves that the server accepts to use correspond to what we
159# expect it to be (according to ecdhe option).
160# The curve with the highest priority is X25519 for OpenSSL 1.1.1 and later,
161# and P-256 for OpenSSL 1.0.2.
162shell {
Ilya Shipitsin08651602022-07-24 00:01:32 +0500163 echo "Q" | openssl s_client -unix "${tmpdir}/ssl.sock" -servername server.ecdsa.com -tls1_2 2>/dev/null | grep -E "Server Temp Key: (ECDH, P-256, 256 bits|ECDH, prime256v1, 256 bits|X25519, 253 bits)"
Remi Tricot-Le Breton3f269bb2022-02-08 17:45:57 +0100164}
165
166shell {
Ilya Shipitsinb6189bc2022-08-06 22:40:41 +0500167 echo "Q" | openssl s_client -unix "${tmpdir}/ssl_P-384.sock" -servername server.ecdsa.com 2>/dev/null| grep -E "Temp Key: ECDH,.+, 384 bits"
Remi Tricot-Le Breton3f269bb2022-02-08 17:45:57 +0100168}