blob: e0ee4870eea349d99c3788319509af5d41617b12 [file] [log] [blame]
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +01001#REGTEST_TYPE=devel
2
3# This reg-test uses the "set ssl cert" command to update a backend certificate over the CLI.
4# It requires socat to upload the certificate
5
6varnishtest "Test the 'set ssl cert' feature of the CLI"
7#REQUIRE_VERSION=2.4
8#REQUIRE_OPTIONS=OPENSSL
9#REQUIRE_BINARIES=socat
10feature ignore_unknown_macro
11
12server s1 -repeat 4 {
13 rxreq
14 txresp
15} -start
16
17haproxy h1 -conf {
18 global
19 tune.ssl.default-dh-param 2048
20 tune.ssl.capture-cipherlist-size 1
21 stats socket "${tmpdir}/h1/stats" level admin
22
23 defaults
24 mode http
25 option httplog
26 ${no-htx} option http-use-htx
27 log stderr local0 debug err
28 option logasap
29 timeout connect 100ms
30 timeout client 1s
31 timeout server 1s
32
33 listen clear-lst
34 bind "fd@${clearlst}"
35 retries 0 # 2nd SSL connection must fail so skip the retry
36 server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem
37
38 listen ssl-lst
39 # crt: certificate of the server
40 # ca-file: CA used for client authentication request
41 # crl-file: revocation list for client auth: the client1 certificate is revoked
42 bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem
43
44 acl cert_expired ssl_c_verify 10
45 acl cert_revoked ssl_c_verify 23
46 acl cert_ok ssl_c_verify 0
47
48 http-response add-header X-SSL Ok if cert_ok
49 http-response add-header X-SSL Expired if cert_expired
50 http-response add-header X-SSL Revoked if cert_revoked
51
52 server s1 ${s1_addr}:${s1_port}
53} -start
54
55client c1 -connect ${h1_clearlst_sock} {
56 txreq
57 rxresp
58 expect resp.status == 200
59 expect resp.http.x-ssl == "Ok"
60} -run
61
62# Replace certificate with an expired one
63shell {
64 printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
65 echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
66}
67
68# The updated client certificate is an expired one so this request should fail
69client c1 -connect ${h1_clearlst_sock} {
70 txreq
71 rxresp
72 expect resp.status == 200
73 expect resp.http.x-ssl == "Expired"
74} -run
75
76# Replace certificate with a revoked one
77shell {
78 printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
79 echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
80}
81
82# The updated client certificate is a revoked one so this request should fail
83client c1 -connect ${h1_clearlst_sock} {
84 txreq
85 rxresp
86 expect resp.status == 200
87 expect resp.http.x-ssl == "Revoked"
88} -run
89
90# Abort a transaction
91shell {
92 printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
93 echo "abort ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
94}
95
96# The certificate was not updated so it should still be revoked
97client c1 -connect ${h1_clearlst_sock} {
98 txreq
99 rxresp
100 expect resp.status == 200
101 expect resp.http.x-ssl == "Revoked"
102} -run
103
104