#REGTEST_TYPE=devel

# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
# It requires socat to upload the certificate.
#
# This check has two separate parts.
# In the first part, there are 3 requests: the first one will use "www.test1.com" as SNI,
# the second one will use the same SNI but must fail, and the third one will use
# "localhost". Since vtest can't do SSL, we use haproxy as an SSL client with 2
# chained listen sections.
#
# In the second part, we check the update of a default certificate in a crt-list.
# This corresponds to a bug raised in https://github.com/haproxy/haproxy/issues/1143.
# A certificate is used as the default certificate as well as a regular one, and during the
# update the default certificate would not be properly updated if the default instance did
# not have any SNI. The test consists of checking that the certificate in use is the right
# one after updating it via a "set ssl cert" call.
#
# If this test does not work anymore:
# - Check that you have socat

varnishtest "Test the 'set ssl cert' feature of the CLI"
#REQUIRE_VERSION=2.2
#REQUIRE_OPTIONS=OPENSSL
feature cmd "command -v socat"
feature ignore_unknown_macro
27
# Backend that answers every request it receives with an empty 200. "-repeat 9"
# matches the number of servers declared in clear-lst (s1..s9), i.e. the maximum
# number of connections that can reach it over the whole test.
server s1 -repeat 9 {
    rxreq
    txresp
} -start
William Lallemand9c1aa0a2019-12-19 11:25:19 +010032
haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-buffer-size 1
        # admin level is required for the "set ssl cert" / "commit ssl cert"
        # commands sent through socat further down
        stats socket "${tmpdir}/h1/stats" level admin
        crt-base ${testdir}

    defaults
        mode http
        option httplog
        retries 0
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    # Plain-text entry point used by the vtest clients. It plays the TLS client:
    # each request is forwarded round-robin to the next server, and every server
    # targets one of the TLS listeners below with a fixed SNI, so the sequence of
    # client runs in this file maps one-to-one onto s1..s9.
    listen clear-lst
        bind "fd@${clearlst}"
        balance roundrobin

        # Expose the fingerprint of the certificate the TLS listener actually
        # presented so the clients can pin it. Since the servers use "verify none",
        # this header (not the TLS layer) is what checks which cert was served.
        http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]

        retries 0 # 2nd SSL connection must fail so skip the retry
        server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
        server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
        server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)

        server s4 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s5 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate
        server s6 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s7 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate

        server s8 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s9 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate

    # TLS listener for part 1, serving a single certificate file. With strict-sni,
    # a ClientHello whose SNI matches no loaded name is refused instead of being
    # served the default certificate; that is what makes the second request fail
    # once common.pem has been replaced by a certificate without that name.
    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
        server s1 ${s1_addr}:${s1_port}
        # dummy server used to test a change when the same crt is used as server and bind
        server s2 ${s1_addr}:${s1_port} ssl crt ${testdir}/common.pem verify none weight 0

    # TLS listener for part 2 (issue #1143): certificates come from a crt-list in
    # which, presumably, the same file is both a named entry and the default one
    # (both SNIs below are expected to yield the same fingerprint).
    listen other-ssl-lst
        bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/set_default_cert.crt-list
        server s1 ${s1_addr}:${s1_port}

} -start
80
81
# Baseline: the certificate loaded from common.pem is the expected one.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
}
86
# Request 1 -> s1 (ssl-lst, SNI www.test1.com): served by the original common.pem.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run
William Lallemand9c1aa0a2019-12-19 11:25:19 +010092
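shell {
    # Upload ecdsa.pem as the new content of common.pem using the CLI payload
    # syntax ("<<" on the command line, the payload, then an empty line), and
    # commit it. The PEM data is passed as a printf argument instead of being
    # spliced into the format string, so a '%' or backslash sequence in the file
    # can never be interpreted by printf.
    printf "set ssl cert %s <<\n%s\n\n" "${testdir}/common.pem" "$(cat "${testdir}/ecdsa.pem")" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
}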
97
# After the commit, the loaded certificate is the one from ecdsa.pem.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}
102
# check that the "www.test1.com" SNI was removed
# Request 2 -> s2 (ssl-lst, SNI www.test1.com again): with strict-sni the handshake
# is refused now that the name is no longer served (ecdsa.pem presumably does not
# carry it), and with "retries 0" haproxy answers 503 instead of trying s3.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 503
} -run
109
# Request 3 -> s3 (ssl-lst, SNI localhost): still served after the update.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run
William Lallemand8695ce02021-02-01 15:31:00 +0100115
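shell {
    # Upload the original common.pem again but abort the transaction: the
    # committed certificate (ecdsa.pem) must stay in place. The PEM data goes in
    # as a printf argument, never as part of the format string.
    printf "set ssl cert %s <<\n%s\n\n" "${testdir}/common.pem" "$(cat "${testdir}/common.pem")" | socat "${tmpdir}/h1/stats" -
    echo "abort ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
}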
120
# The aborted upload must not have changed the loaded certificate.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}
125
Remi Tricot-Le Breton8218aed2021-03-17 14:56:54 +0100126
127
# The following requests are aimed at a backend that uses the set_default_cert.crt-list file

# Uses the www.test1.com sni
# Request 4 -> s4 (other-ssl-lst): pins the fingerprint of set_default_cert.pem.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run
137
# Uses the other.test1.com sni and the default line of the crt-list
# Request 5 -> s5 (other-ssl-lst): the default entry serves the same certificate.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run
145
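shell {
    # Stage common.pem as the new content of set_default_cert.pem without
    # committing it yet; the next check verifies the running cert is unchanged.
    # The PEM data goes in as a printf argument, never as part of the format string.
    printf "set ssl cert %s <<\n%s\n\n" "${testdir}/set_default_cert.pem" "$(cat "${testdir}/common.pem")" | socat "${tmpdir}/h1/stats" -
}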
149
# Certificate should not have changed yet
# (the upload above was only staged, not committed)
haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3"
}
155
# Commit the staged certificate: from here on set_default_cert.pem carries the
# content of common.pem.
shell {
    echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}
159
# After the commit, set_default_cert.pem reports common.pem's fingerprint.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
}
164
# Uses the www.test1.com sni
# Request 6 -> s6: the named crt-list entry now serves the updated certificate.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
    expect resp.status == 200
} -run
172
# Uses the other.test1.com sni and the default line of the crt-list
# Request 7 -> s7: the default entry must serve the updated certificate too.
# This is the case that regressed in issue #1143.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
    expect resp.status == 200
} -run
180
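# Restore original certificate
shell {
    # Upload the on-disk set_default_cert.pem back over itself and commit it.
    # The PEM data goes in as a printf argument, never as part of the format string.
    printf "set ssl cert %s <<\n%s\n\n" "${testdir}/set_default_cert.pem" "$(cat "${testdir}/set_default_cert.pem")" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}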
186
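# After the restore, set_default_cert.pem reports its original fingerprint again.
# The fingerprint is stated in full: the previous expectation was missing its
# last hex digit, so the regex only prefix-matched and the check was weaker than
# every other occurrence of this value in the test.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3"
}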
191
# Uses the www.test1.com sni
# Request 8 -> s8: the named entry serves the restored certificate.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run
199
# Uses the other.test1.com sni and the default line of the crt-list
# Request 9 -> s9: the default entry serves the restored certificate as well.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run