blob: eb625639bf50a96693254adc047bd414b16ba750 [file] [log] [blame]
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +01001#REGTEST_TYPE=devel
2
3# This reg-test uses the "set ssl ca-file" command to update a CA file over the CLI.
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +01004# It also tests the "abort ssl ca-file" and "show ssl ca-file" commands.
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +01005#
6# It is based on two CA certificates, set_cafile_interCA1.crt and set_cafile_interCA2.crt,
7# and a client certificate that was signed with set_cafile_interCA1.crt (set_cafile_client.pem)
8# and a server certificate that was signed with set_cafile_interCA2.crt (set_cafile_server.pem).
9# The CA files used by the client and the server will be updated through the CLI until a
10# proper connection can be established between them.
11#
12# It requires socat to upload the certificate
13#
14# If this test does not work anymore:
15# - Check that you have socat
16
17varnishtest "Test the 'set ssl ca-file' feature of the CLI"
18#REQUIRE_VERSION=2.5
19#REQUIRE_OPTIONS=OPENSSL
20#REQUIRE_BINARIES=socat
21feature ignore_unknown_macro
22
Remi Tricot-Le Bretond5fd09d2021-03-11 10:22:52 +010023server s1 -repeat 4 {
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +010024 rxreq
25 txresp
26} -start
27
28haproxy h1 -conf {
29 global
30 tune.ssl.default-dh-param 2048
31 tune.ssl.capture-cipherlist-size 1
32 stats socket "${tmpdir}/h1/stats" level admin
33
34 defaults
35 mode http
36 option httplog
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +010037 log stderr local0 debug err
38 option logasap
39 timeout connect 100ms
40 timeout client 1s
41 timeout server 1s
42
43 listen clear-lst
44 bind "fd@${clearlst}"
45 server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify none
46
47 listen clear-verified-lst
48 bind "fd@${clearverifiedlst}"
49 server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required
50
51 listen ssl-lst
52 # crt: certificate of the server
53 # ca-file: CA used for client authentication request
54 bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all
55 http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
56 server s1 ${s1_addr}:${s1_port}
57} -start
58
59
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +010060# Test the "show ssl ca-file" command
61haproxy h1 -cli {
62 send "show ssl ca-file"
63 expect ~ ".*${testdir}/set_cafile_interCA1.crt - 1 certificate.*"
64 send "show ssl ca-file"
65 expect ~ ".*${testdir}/set_cafile_interCA2.crt - 1 certificate.*"
66
67 send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt"
68 expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
69}
70
71
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +010072# This first connection should fail because the client's certificate was signed with the
73# set_cafile_interCA1.crt certificate which is not known by the backend.
74client c1 -connect ${h1_clearlst_sock} {
75 txreq
76 rxresp
77 expect resp.status == 200
78 # unable to verify the client certificate
79 expect resp.http.X-SSL-Client-Verify == 21
80} -run
81
Remi Tricot-Le Bretond5fd09d2021-03-11 10:22:52 +010082# Set a new ca-file without committing it and check that the new ca-file is not taken into account
83shell {
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +010084 printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
85}
86
87# Test the "show ssl ca-file" command
88# The transaction should be mentioned in the list
89haproxy h1 -cli {
90 send "show ssl ca-file"
91 expect ~ "\\*${testdir}/set_cafile_interCA2.crt - 1 certificate.*"
92
93# The original CA file did not change
94 send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt"
95 expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
96
97# Only the current transaction displays a new certificate
98 send "show ssl ca-file *${testdir}/set_cafile_interCA2.crt"
99 expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
Remi Tricot-Le Bretond5fd09d2021-03-11 10:22:52 +0100100}
101
102# This connection should still fail for the same reasons as previously
103client c1 -connect ${h1_clearlst_sock} {
104 txreq
105 rxresp
106 expect resp.status == 200
107 # unable to verify the client certificate
108 expect resp.http.X-SSL-Client-Verify == 21
109} -run
110
111haproxy h1 -cli {
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +0100112 send "abort ssl ca-file ${testdir}/set_cafile_interCA2.crt"
113 expect ~ "Transaction aborted for certificate '${testdir}/set_cafile_interCA2.crt'!"
114 send "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt"
Remi Tricot-Le Bretond5fd09d2021-03-11 10:22:52 +0100115 expect ~ "No ongoing transaction!"
116}
117
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +0100118
119# Update the bind line's ca-file in order to accept the client certificate
120shell {
121 printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
122 echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
123}
124
125
126# The backend's certificate can't be verified by the frontend because it was signed with
127# the set_cafile_interCA2.crt certificate.
128client c1 -connect ${h1_clearverifiedlst_sock} {
129 txreq
130 rxresp
131 expect resp.status == 503
132} -run
133
134
135# Update the server line's ca-file. The server certificate should now be accepted by
136# the frontend. We replace the single CA by a list of CAs that includes the correct one.
137shell {
138 printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
139 echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
140}
141
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +0100142# Test the "show ssl ca-file" with a certificate index
143haproxy h1 -cli {
144 send "show ssl ca-file"
145 expect ~ ".*${testdir}/set_cafile_interCA1.crt - 3 certificate.*"
146
147 send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:1"
148 expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
149
150 send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:2"
151 expect !~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
152 send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:2"
153 expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
154}
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +0100155
156client c1 -connect ${h1_clearverifiedlst_sock} {
157 txreq
158 rxresp
159 expect resp.status == 200
160 # there should be no error on the backend side but one on the frontend side
161 expect resp.http.X-SSL-Client-Verify == 0
162} -run