#REGTEST_TYPE=devel

# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
# It requires socat to upload the certificate.
#
# This check has two separate parts.
# In the first part, there are 3 requests: the first one uses "www.test1.com" as SNI,
# the second one uses the same SNI but must fail, and the third one uses
# "localhost". Since vtest can't do SSL, we use haproxy as an SSL client with 2
# chained listen sections.
#
# In the second part, we check the update of a default certificate in a crt-list.
# This corresponds to a bug raised in https://github.com/haproxy/haproxy/issues/1143.
# A certificate is used as the default certificate as well as a regular one, and during the update
# the default certificate would not be properly updated if the default instance did not have
# any SNI. The test consists in checking that the certificate in use is the right one after
# updating it via a "set ssl cert" call.
#
# If this test does not work anymore:
# - Check that you have socat

varnishtest "Test the 'set ssl cert' feature of the CLI"
# Runner directives: this test needs haproxy 2.2 or later built with OpenSSL, and
# the shell blocks below drive the stats socket with socat.
#REQUIRE_VERSION=2.2
#REQUIRE_OPTIONS=OPENSSL
#REQUIRE_BINARIES=socat
feature ignore_unknown_macro

# Plain HTTP backend behind both SSL listeners; it accepts up to 9 requests and
# answers each with a bare txresp (a 200 by vtest default). The interesting
# assertions are made on the client side, not here.
server s1 -repeat 9 {
    rxreq
    txresp
} -start

haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-cipherlist-size 1
        # "level admin" is what allows the shell blocks below to issue "set ssl cert",
        # "commit ssl cert" and "abort ssl cert": whoever can reach this socket can swap
        # the certificates haproxy serves, so it lives under ${tmpdir} for the test only.
        stats socket "${tmpdir}/h1/stats" level admin
        crt-base ${testdir}

    defaults
        mode http
        option httplog
        ${no-htx} option http-use-htx
        log stderr local0 debug err
        option logasap
        timeout connect 100ms
        timeout client 1s
        timeout server 1s

    # Clear-text entry point acting as the TLS client. vtest cannot speak TLS, so every
    # "client c1" run below is relayed to one of the SSL listeners through one of s1..s9;
    # the test relies on roundrobin handing the Nth client run of this file to server sN
    # (which is why the second run, s2, is the one expected to fail).
    listen clear-lst
        bind "fd@${clearlst}"
        balance roundrobin

        # Fingerprint of the certificate the SSL listener actually presented, so the
        # client blocks can assert which certificate was served instead of only trusting
        # the "show ssl cert" output.
        http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]

        retries 0 # 2nd SSL connection must fail so skip the retry
        # "verify none": the fixtures are test certificates, so no chain validation is done
        # here; correctness is checked through X-SSL-Server-SHA1 instead.
        server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
        server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
        server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)

        # Second part: s4..s9 target the crt-list listener, alternating between an SNI
        # the list matches and one that falls back to the crt-list default line.
        server s4 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s5 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate
        server s6 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s7 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate

        server s8 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s9 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate

    # Single-certificate SSL listener used by the first part. "strict-sni" refuses a
    # ClientHello whose SNI matches no loaded certificate instead of falling back to the
    # default one; that is what turns the removed "www.test1.com" name into the 503 below.
    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
        server s1 ${s1_addr}:${s1_port}

    # crt-list SSL listener used by the second part; the list presumably declares
    # set_default_cert.pem both as its default entry and under an SNI filter (the
    # crt-list file itself is not visible here).
    listen other-ssl-lst
        bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/set_default_cert.crt-list
        server s1 ${s1_addr}:${s1_port}

} -start


# Baseline: the common.pem slot reports the fingerprint of the file loaded from disk.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
}

# First run -> s1, SNI "www.test1.com" against the still-original common.pem: must succeed.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run

shell {
    # Push ecdsa.pem into the common.pem slot with the CLI "<<" payload form (the payload
    # ends at the first empty line, hence the trailing "\n\n"). The upload only creates a
    # pending transaction, so "commit ssl cert" is needed for it to go live.
    printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
}

# After the commit, the common.pem slot must report the fingerprint of the uploaded ecdsa.pem.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}

# check that the "www.test1.com" SNI was removed
# Second run -> s2, which still sends SNI "www.test1.com". The uploaded certificate
# presumably does not carry that name, and with strict-sni the handshake is refused;
# "retries 0" lets that failure surface as a 503 instead of being retried.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 503
} -run

# Third run -> s3, SNI "localhost": must still be served by the updated certificate.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run

shell {
    # Open a second transaction on the same slot (uploading the original common.pem
    # back) and abort it: the pending content must be discarded, not applied.
    printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "abort ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
}

# The aborted transaction must leave the committed ecdsa.pem content in place.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}



# The following requests are aimed at a backend that uses the set_default_cert.crt-list file

# Uses the www.test1.com sni
# -> s4. 9DC1...4CB3 is the fingerprint "show ssl cert" reports for set_default_cert.pem
# below, i.e. the crt-list entry is still serving the certificate loaded from disk.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run

# Uses the other.test1.com sni and the default line of the crt-list
# -> s5. Same certificate is expected through the default line as through the SNI match.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run

shell {
    # Upload only, no commit: the transaction stays pending and "show ssl cert" below
    # must still report the on-disk fingerprint.
    printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
}

# Certificate should not have changed yet
# (an uncommitted "set ssl cert" must not be visible, neither here nor to clients)
haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3"
}

shell {
    # Commit the pending transaction: set_default_cert.pem now carries common.pem's content.
    echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}

# After the commit the slot reports common.pem's fingerprint (the same value as the
# very first "show ssl cert" of this file).
haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
}

# Uses the www.test1.com sni
# -> s6. The SNI-matched instance must now present the updated certificate.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
    expect resp.status == 200
} -run

# Uses the other.test1.com sni and the default line of the crt-list
# -> s7. This is the regression from issue 1143: the default instance, which has no
# SNI of its own, must have been updated along with the SNI-matched one.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
    expect resp.status == 200
} -run

# Restore original certificate
# (upload the on-disk set_default_cert.pem back into its own slot and commit)
shell {
    printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/set_default_cert.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}

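# After the restore the slot reports the on-disk fingerprint again. The expected value
# is the full 40-hex-digit fingerprint asserted by the surrounding client blocks: the
# "~" match is a regex, so a truncated value would only prefix-match and weaken the check.
haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3"
}
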
# Uses the www.test1.com sni
# -> s8. The SNI-matched instance serves the restored certificate again.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run

# Uses the other.test1.com sni and the default line of the crt-list
# -> s9. The default instance must follow the restore as well.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run