Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / bd703e56501945dd8d51686906a08c5f0885f784 / . / reg-tests / ssl / set_ssl_cert.vtc
blob: 0e84058baa71e8b0be57bfbb58132adcfc9cbaa4 [file] [log] [blame]
William Lallemand4781fad2020-03-31 14:48:34 +0200[diff] [blame]1#REGTEST_TYPE=devel
William Lallemand9c1aa0a2019-12-19 11:25:19 +0100[diff] [blame]2
3# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
William Lallemanda9115482020-04-30 10:19:40 +0200[diff] [blame]4# It requires socat to upload the certificate
5#
6# this check does 3 requests, the first one will use "www.test1.com" as SNI,
7# the second one with the same but that must fail and the third one will use
8# "localhost". Since vtest can't do SSL, we use haproxy as an SSL client with 2
9# chained listen section.
10#
William Lallemand9c1aa0a2019-12-19 11:25:19 +0100[diff] [blame]11# If this test does not work anymore:
William Lallemanda9115482020-04-30 10:19:40 +0200[diff] [blame]12# - Check that you have socat
William Lallemand9c1aa0a2019-12-19 11:25:19 +0100[diff] [blame]13
14varnishtest "Test the 'set ssl cert' feature of the CLI"
Willy Tarreaufa10ffd2020-01-24 13:49:42 +0100[diff] [blame]15#REQUIRE_VERSION=2.2
William Lallemand9c1aa0a2019-12-19 11:25:19 +0100[diff] [blame]16#REQUIRE_OPTIONS=OPENSSL
William Lallemanda9115482020-04-30 10:19:40 +0200[diff] [blame]17#REQUIRE_BINARIES=socat
William Lallemand9c1aa0a2019-12-19 11:25:19 +0100[diff] [blame]18feature ignore_unknown_macro
19
William Lallemanda9115482020-04-30 10:19:40 +0200[diff] [blame]20server s1 -repeat 3 {
21 rxreq
22 txresp
23} -start
William Lallemand9c1aa0a2019-12-19 11:25:19 +0100[diff] [blame]24
25haproxy h1 -conf {
William Lallemanda9115482020-04-30 10:19:40 +0200[diff] [blame]26 global
27 tune.ssl.default-dh-param 2048
28 tune.ssl.capture-cipherlist-size 1
29 stats socket "${tmpdir}/h1/stats" level admin
30
31 defaults
32 mode http
33 option httplog
34 ${no-htx} option http-use-htx
35 log stderr local0 debug err
36 option logasap
37 timeout connect 100ms
38 timeout client 1s
39 timeout server 1s
40
41 listen clear-lst
42 bind "fd@${clearlst}"
43 balance roundrobin
44 retries 0 # 2nd SSL connection must fail so skip the retry
45 server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
46 server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
47 server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)
48
49 listen ssl-lst
50 bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
William Lallemand9c1aa0a2019-12-19 11:25:19 +0100[diff] [blame]51
William Lallemanda9115482020-04-30 10:19:40 +0200[diff] [blame]52 server s1 ${s1_addr}:${s1_port}
William Lallemand9c1aa0a2019-12-19 11:25:19 +0100[diff] [blame]53} -start
54
55
56haproxy h1 -cli {
57 send "show ssl cert ${testdir}/common.pem"
58 expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
59}
60
William Lallemanda9115482020-04-30 10:19:40 +0200[diff] [blame]61client c1 -connect ${h1_clearlst_sock} {
62 txreq
63 rxresp
64 expect resp.status == 200
65} -run
William Lallemand9c1aa0a2019-12-19 11:25:19 +0100[diff] [blame]66
67shell {
William Lallemanda9115482020-04-30 10:19:40 +0200[diff] [blame]68 printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
69 echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
William Lallemand9c1aa0a2019-12-19 11:25:19 +0100[diff] [blame]70}
71
72haproxy h1 -cli {
73 send "show ssl cert ${testdir}/common.pem"
74 expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
75}
76
William Lallemanda9115482020-04-30 10:19:40 +0200[diff] [blame]77# check that the "www.test1.com" SNI was removed
78client c1 -connect ${h1_clearlst_sock} {
79 txreq
80 rxresp
81 expect resp.status == 503
82} -run
83
84client c1 -connect ${h1_clearlst_sock} {
85 txreq
86 rxresp
87 expect resp.status == 200
88} -run