blob: 04451c4422a0e71784c04f8cd6114af078235a55 [file] [log] [blame]
William Lallemand4781fad2020-03-31 14:48:34 +02001#REGTEST_TYPE=devel
William Lallemand2be4a2e2020-03-31 12:13:34 +02002
3# This reg-test uses the "add ssl crt-list" command to add a certificate over the CLI.
4# It requires socat and curl to upload and validate that the certificate was well updated
5
6# If this test does not work anymore:
7# - Check that you have socat and curl
8# - Check if haproxy and curl use the same ciphers
9
10varnishtest "Test the 'add ssl crt-list' feature of the CLI"
11#REQUIRE_VERSION=2.2
12#REQUIRE_OPTIONS=OPENSSL
13#REQUIRE_BINARIES=socat,curl
14feature ignore_unknown_macro
15
16
17haproxy h1 -conf {
18 global
19 tune.ssl.default-dh-param 2048
20 tune.ssl.capture-cipherlist-size 1
21 crt-base ${testdir}
22 stats socket "${tmpdir}/h1/stats" level admin
23
24 listen frt
25 mode http
26 ${no-htx} option http-use-htx
27 bind "fd@${frt}" ssl strict-sni crt-list ${testdir}/localhost.crt-list
28 http-request redirect location /
29} -start
30
31
32haproxy h1 -cli {
33 send "show ssl cert ${testdir}/common.pem"
34 expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
35}
36
37shell {
38 HOST=${h1_frt_addr}
39 if [ "${h1_frt_addr}" = "::1" ] ; then
40 HOST="\[::1\]"
41 fi
42 curl -v -i -k --resolve www.test1.com:${h1_frt_port}:${h1_frt_addr} https://www.test1.com:${h1_frt_port}
43}
44
45shell {
46 echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
47 printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
48 echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
William Lallemandfdb6db42020-04-01 17:13:22 +020049 printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
William Lallemand4fd94332020-04-02 12:13:27 +020050 printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
51 printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
52 printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
53 printf "add ssl crt-list ${testdir}/localhost.crt-list ${testdir}/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" -
William Lallemand2be4a2e2020-03-31 12:13:34 +020054}
55
56haproxy h1 -cli {
57 send "show ssl cert ${testdir}/ecdsa.pem"
58 expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
59}
60
61haproxy h1 -cli {
62 send "show ssl crt-list ${testdir}/localhost.crt-list"
William Lallemandfdb6db42020-04-01 17:13:22 +020063 # check the options and the filters in any order
64 expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt).*\\](?=.*!www.test1.com)(?=.*localhost).*"
William Lallemand2be4a2e2020-03-31 12:13:34 +020065}
66
67shell {
68 HOST=${h1_frt_addr}
69 if [ "${h1_frt_addr}" = "::1" ] ; then
70 HOST="\[::1\]"
71 fi
72 curl -v -i -k --resolve localhost:${h1_frt_port}:${h1_frt_addr} https://localhost:${h1_frt_port}
73}