William Lallemand | 4781fad | 2020-03-31 14:48:34 +0200 | [diff] [blame] | 1 | #REGTEST_TYPE=devel |
William Lallemand | 2be4a2e | 2020-03-31 12:13:34 +0200 | [diff] [blame] | 2 | |
| 3 | # This reg-test uses the "add ssl crt-list" command to add a certificate over the CLI. |
William Lallemand | 3ed722f | 2020-04-30 09:47:08 +0200 | [diff] [blame] | 4 | # It requires socat to upload the certificate |
| 5 | |
| 6 | # this check does 2 requests, the first one will use "www.test1.com" as SNI, and |
| 7 | # the second one will use "localhost". Since vtest can't do SSL, we use haproxy |
| 8 | # as an SSL client with 2 chained listen section. |
William Lallemand | 2be4a2e | 2020-03-31 12:13:34 +0200 | [diff] [blame] | 9 | |
| 10 | # If this test does not work anymore: |
William Lallemand | 3ed722f | 2020-04-30 09:47:08 +0200 | [diff] [blame] | 11 | # - Check that you have socat |
William Lallemand | 2be4a2e | 2020-03-31 12:13:34 +0200 | [diff] [blame] | 12 | |
| 13 | varnishtest "Test the 'add ssl crt-list' feature of the CLI" |
| 14 | #REQUIRE_VERSION=2.2 |
| 15 | #REQUIRE_OPTIONS=OPENSSL |
William Lallemand | 3ed722f | 2020-04-30 09:47:08 +0200 | [diff] [blame] | 16 | #REQUIRE_BINARIES=socat |
William Lallemand | 2be4a2e | 2020-03-31 12:13:34 +0200 | [diff] [blame] | 17 | feature ignore_unknown_macro |
| 18 | |
William Lallemand | 3ed722f | 2020-04-30 09:47:08 +0200 | [diff] [blame] | 19 | server s1 -repeat 2 { |
| 20 | rxreq |
| 21 | txresp |
| 22 | } -start |
William Lallemand | 2be4a2e | 2020-03-31 12:13:34 +0200 | [diff] [blame] | 23 | |
| 24 | haproxy h1 -conf { |
William Lallemand | 3ed722f | 2020-04-30 09:47:08 +0200 | [diff] [blame] | 25 | global |
| 26 | tune.ssl.default-dh-param 2048 |
| 27 | tune.ssl.capture-cipherlist-size 1 |
| 28 | crt-base ${testdir} |
| 29 | stats socket "${tmpdir}/h1/stats" level admin |
| 30 | |
| 31 | defaults |
| 32 | mode http |
| 33 | option httplog |
| 34 | ${no-htx} option http-use-htx |
| 35 | log stderr local0 debug err |
| 36 | option logasap |
| 37 | timeout connect 1s |
| 38 | timeout client 1s |
| 39 | timeout server 1s |
William Lallemand | 2be4a2e | 2020-03-31 12:13:34 +0200 | [diff] [blame] | 40 | |
William Lallemand | 3ed722f | 2020-04-30 09:47:08 +0200 | [diff] [blame] | 41 | |
| 42 | listen clear-lst |
| 43 | bind "fd@${clearlst}" |
| 44 | balance roundrobin |
| 45 | server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com) |
| 46 | server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost) |
| 47 | |
| 48 | |
| 49 | listen ssl-lst |
| 50 | mode http |
| 51 | ${no-htx} option http-use-htx |
| 52 | bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list |
| 53 | |
| 54 | server s1 ${s1_addr}:${s1_port} |
William Lallemand | 2be4a2e | 2020-03-31 12:13:34 +0200 | [diff] [blame] | 55 | } -start |
| 56 | |
| 57 | |
| 58 | haproxy h1 -cli { |
| 59 | send "show ssl cert ${testdir}/common.pem" |
| 60 | expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6" |
| 61 | } |
| 62 | |
William Lallemand | 3ed722f | 2020-04-30 09:47:08 +0200 | [diff] [blame] | 63 | client c1 -connect ${h1_clearlst_sock} { |
| 64 | txreq |
| 65 | rxresp |
| 66 | expect resp.status == 200 |
| 67 | } -run |
William Lallemand | 2be4a2e | 2020-03-31 12:13:34 +0200 | [diff] [blame] | 68 | |
| 69 | shell { |
William Lallemand | 3ed722f | 2020-04-30 09:47:08 +0200 | [diff] [blame] | 70 | echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" - |
| 71 | printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" - |
| 72 | echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" - |
William Lallemand | 99cc218 | 2020-06-25 15:19:51 +0200 | [diff] [blame] | 73 | printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" - |
William Lallemand | 3ed722f | 2020-04-30 09:47:08 +0200 | [diff] [blame] | 74 | printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" - |
William Lallemand | 99cc218 | 2020-06-25 15:19:51 +0200 | [diff] [blame] | 75 | printf "add ssl crt-list ${testdir}/localhost.crt-list/// <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" - |
| 76 | printf "add ssl crt-list ${testdir}/localhost.crt-list///// <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" - |
| 77 | printf "add ssl crt-list ${testdir}/localhost.crt-list// ${testdir}/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" - |
William Lallemand | 2be4a2e | 2020-03-31 12:13:34 +0200 | [diff] [blame] | 78 | } |
| 79 | |
| 80 | haproxy h1 -cli { |
| 81 | send "show ssl cert ${testdir}/ecdsa.pem" |
| 82 | expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1" |
| 83 | } |
| 84 | |
| 85 | haproxy h1 -cli { |
William Lallemand | 99cc218 | 2020-06-25 15:19:51 +0200 | [diff] [blame] | 86 | send "show ssl crt-list ${testdir}/localhost.crt-list//" |
William Lallemand | fdb6db4 | 2020-04-01 17:13:22 +0200 | [diff] [blame] | 87 | # check the options and the filters in any order |
William Lallemand | 8177ad9 | 2020-05-20 16:49:02 +0200 | [diff] [blame] | 88 | expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*" |
William Lallemand | 2be4a2e | 2020-03-31 12:13:34 +0200 | [diff] [blame] | 89 | } |
| 90 | |
William Lallemand | 3ed722f | 2020-04-30 09:47:08 +0200 | [diff] [blame] | 91 | client c1 -connect ${h1_clearlst_sock} { |
| 92 | txreq |
| 93 | rxresp |
| 94 | expect resp.status == 200 |
| 95 | } -run |
Remi Tricot-Le Breton | bcec63e | 2021-03-23 16:41:53 +0100 | [diff] [blame] | 96 | |
| 97 | |
| 98 | # Try to add a new line that mentions an "unknown" CA file (not loaded yet). |
| 99 | # It should fail since no disk access are allowed during runtime. |
| 100 | shell { |
| 101 | printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ca-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt" |
| 102 | } |
| 103 | shell { |
| 104 | printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ca-verify-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt" |
| 105 | } |
| 106 | shell { |
| 107 | printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [crl-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt" |
| 108 | } |
| 109 | |
| 110 | # Check that the new line was not added to the crt-list. |
| 111 | haproxy h1 -cli { |
| 112 | send "show ssl crt-list ${testdir}/localhost.crt-list//" |
| 113 | expect !~ ".*ca-file ${testdir}/ca-auth.crt" |
| 114 | } |