blob: f6d97ce6be710743d59e0c8f84c280b5b530c754 [file] [log] [blame]
Remi Tricot-Le Bretona3b2e092021-04-23 18:35:25 +02001#REGTEST_TYPE=devel
2
3# This reg-test uses the "set ssl crl-file" command to update a CRL file over the CLI.
4# It also tests the "abort ssl crl-file" and "show ssl crl-file" commands.
5#
6# The frontend's certificate is signed by set_cafile_interCA1.crt and is revoked in interCA1_crl.pem
7# but not in interCA1_crl_empty.pem.
8# The backend's certificate is signed by set_cafile_interCA2.crt and is revoked in interCA2_crl.pem
9# but not in interCA2_crl_empty.pem.
10#
11# The test consists in replacing the two empty CRLs by their not empty equivalent thanks to CLI
12# calls and to check that the certificates (frontend and backend) are indeed revoked after the
13# update.
14#
15# It requires socat to upload the certificate
16#
17# If this test does not work anymore:
18# - Check that you have socat
19
20varnishtest "Test the 'set ssl crl-file' feature of the CLI"
Tim Duesterhus5efc48d2021-06-11 19:56:15 +020021feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
Tim Duesterhusc9570482021-06-11 19:56:16 +020022feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
Tim Duesterhus4ee192f2021-06-11 19:56:17 +020023feature cmd "command -v socat"
Remi Tricot-Le Bretona3b2e092021-04-23 18:35:25 +020024feature ignore_unknown_macro
25
26server s1 -repeat 4 {
27 rxreq
28 txresp
29} -start
30
31haproxy h1 -conf {
32 global
33 tune.ssl.default-dh-param 2048
34 tune.ssl.capture-cipherlist-size 1
35 stats socket "${tmpdir}/h1/stats" level admin
36
37 defaults
38 mode http
39 option httplog
Remi Tricot-Le Bretona3b2e092021-04-23 18:35:25 +020040 log stderr local0 debug err
41 option logasap
42 timeout connect 100ms
43 timeout client 1s
44 timeout server 1s
45
46 listen clear-lst
47 bind "fd@${clearlst}"
48 server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt crl-file ${testdir}/interCA2_crl_empty.pem verify required
49
50 listen ssl-lst
51 # crt: certificate of the server
52 # ca-file: CA used for client authentication request
53 # crl-file: revocation list for client auth
54 bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA1.crt ca-verify-file ${testdir}/set_cafile_rootCA.crt crl-file ${testdir}/interCA1_crl_empty.pem verify required crt-ignore-err all
55 http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
56 server s1 ${s1_addr}:${s1_port}
57} -start
58
59# Test the "show ssl ca-file" command
60haproxy h1 -cli {
61 send "show ssl ca-file"
62 expect ~ ".*${testdir}/set_cafile_interCA1.crt - 1 certificate.*"
63 send "show ssl ca-file"
64 expect ~ ".*${testdir}/set_cafile_interCA2.crt - 1 certificate.*"
65}
66
67# Add the rootCA certificate to set_cafile_interCA2.crt in order for the frontend to
68# be able to validate the server's certificate
69shell {
70 printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
71 echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
72}
73
74haproxy h1 -cli {
75 send "show ssl ca-file"
76 expect ~ ".*${testdir}/set_cafile_interCA2.crt - 2 certificate.*"
77
78 send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt"
79 expect ~ ".*Subject.*/CN=Root CA"
80}
81
82# This first connection should succeed
83client c1 -connect ${h1_clearlst_sock} {
84 txreq
85 rxresp
86 expect resp.status == 200
87 expect resp.http.X-SSL-Client-Verify == 0
88} -run
89
90# Change the frontend's crl-file to one in which the server certificate is revoked
91shell {
92 printf "set ssl crl-file ${testdir}/interCA2_crl_empty.pem <<\n$(cat ${testdir}/interCA2_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" -
93}
94
95# Check that the transaction is displayed in the output of "show ssl crl-list"
96haproxy h1 -cli {
97 send "show ssl crl-file"
98 expect ~ "\\*${testdir}/interCA2_crl_empty.pem"
99
100 send "show ssl crl-file \\*${testdir}/interCA2_crl_empty.pem"
101 expect ~ "Revoked Certificates:"
102 send "show ssl crl-file \\*${testdir}/interCA2_crl_empty.pem:1"
103 expect ~ "Serial Number: 1008"
104}
105
106# This connection should still succeed since the transaction was not committed
107client c1 -connect ${h1_clearlst_sock} {
108 txreq
109 rxresp
110 expect resp.status == 200
111 expect resp.http.X-SSL-Client-Verify == 0
112} -run
113
114haproxy h1 -cli {
115 send "commit ssl crl-file ${testdir}/interCA2_crl_empty.pem"
116 expect ~ "Committing ${testdir}/interCA2_crl_empty.pem"
117}
118
119# This connection should fail, the server's certificate is revoked in the newly updated CRL file
120client c1 -connect ${h1_clearlst_sock} {
121 txreq
122 rxresp
123 expect resp.status == 503
124} -run
125
126# Restore the frontend's CRL
127shell {
128 printf "set ssl crl-file ${testdir}/interCA2_crl_empty.pem <<\n$(cat ${testdir}/interCA2_crl_empty.pem)\n\n" | socat "${tmpdir}/h1/stats" -
129 echo "commit ssl crl-file ${testdir}/interCA2_crl_empty.pem" | socat "${tmpdir}/h1/stats" -
130}
131
132# Change the backend's CRL file to one in which the frontend's certificate is revoked
133shell {
134 printf "set ssl crl-file ${testdir}/interCA1_crl_empty.pem <<\n$(cat ${testdir}/interCA1_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" -
135 echo "commit ssl crl-file ${testdir}/interCA1_crl_empty.pem" | socat "${tmpdir}/h1/stats" -
136}
137
138# This connection should fail, the client's certificate is revoked in the newly updated CRL file
139client c1 -connect ${h1_clearlst_sock} {
140 txreq
141 rxresp
142 expect resp.status == 200
143 # Revoked certificate
144 expect resp.http.X-SSL-Client-Verify == 23
145} -run