#REGTEST_TYPE=devel

# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
# It requires socat to upload the certificate.
#
# This check does 3 requests: the first one uses "www.test1.com" as SNI, the
# second one uses the same SNI but must fail (the certificate has been
# replaced in between), and the third one uses "localhost". Since vtest can't
# do SSL, we use haproxy as an SSL client with 2 chained listen sections.
#
# If this test does not work anymore:
# - Check that you have socat
# - Check that the pinned SHA1 fingerprints still match the fixture certificates

varnishtest "Test the 'set ssl cert' feature of the CLI with separate key and crt"
#REQUIRE_VERSION=2.2
#REQUIRE_OPTIONS=OPENSSL
# Skip the test (rather than fail it) when socat is not installed.
feature cmd "command -v socat"
# Leave ${...} sequences that vtest does not know untouched, e.g. the
# ${HAPROXY_TEST_TIMEOUT-5s} shell-style default used in the haproxy config.
feature ignore_unknown_macro
19
# Backend that answers each request reaching it with a plain 200; it accepts
# up to 3 connections, one per client run below.
server s1 -repeat 3 {
    rxreq
    txresp
} -start
24
haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-buffer-size 1
        # Derive the key file name from the crt path by swapping the extension
        # (common.crt -> common.key): this is what lets the CLI address the key
        # separately as "${testdir}/common.key" in the shell block below.
        ssl-load-extra-del-ext
        # Admin-level CLI socket: the channel used below to push and commit the
        # new certificate ("set ssl cert" / "commit ssl cert").
        stats socket "${tmpdir}/h1/stats" level admin

    defaults
        mode http
        option httplog
        retries 0
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server "${HAPROXY_TEST_TIMEOUT-5s}"

    # Plain-text entry point used by the vtest clients. It acts as the SSL
    # client of this test: each incoming connection is dispatched, round-robin,
    # to one of three "servers" that are all the ssl-lst listener below and
    # differ only in the SNI they present.
    listen clear-lst
        bind "fd@${clearlst}"
        balance roundrobin
        retries 0 # 2nd SSL connection must fail so skip the retry (also set in defaults)
        # "verify none" skips validation of the peer certificate; acceptable
        # here only because the peer is this same haproxy instance (ssl.sock)
        # and the loaded certificate is checked by fingerprint over the CLI.
        server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
        server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
        server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)

    # SSL side whose certificate is replaced at runtime. With strict-sni, a
    # handshake whose SNI matches no loaded certificate is refused instead of
    # falling back to a default certificate; that refusal is what turns the
    # second request into a 503 once "www.test1.com" is no longer served.
    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.crt strict-sni

        server s1 ${s1_addr}:${s1_port}
} -start
55
56
haproxy h1 -cli {
    # Baseline: fingerprint of the certificate initially loaded from
    # common.crt. The value is pinned, so regenerating the fixture files
    # requires updating it here and in the post-commit check further down.
    send "show ssl cert ${testdir}/common.crt"
    expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
}
61
# 1st request: expected to reach server s1 (SNI www.test1.com) while
# common.crt is still loaded, so the SSL handshake succeeds.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run
67
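# Upload the new certificate and key over the admin CLI socket, then commit
# the transaction. "set ssl cert <path> <<" starts a multi-line payload that is
# terminated by an empty line, hence the two trailing newlines.
# The file contents are passed to printf as %s arguments rather than embedded
# in the format string, so a '%' or backslash sequence in a fixture file can
# no longer be interpreted as a printf directive; the bytes sent are identical
# for regular PEM files.
shell {
    printf '%s\n%s\n\n' "set ssl cert ${testdir}/common.crt <<" "$(cat ${testdir}/ecdsa.crt)" | socat "${tmpdir}/h1/stats" -
    printf '%s\n%s\n\n' "set ssl cert ${testdir}/common.key <<" "$(cat ${testdir}/ecdsa.key)" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/common.crt" | socat "${tmpdir}/h1/stats" -
}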
73
haproxy h1 -cli {
    # After the commit, the running certificate must be the one from the
    # ecdsa.crt fixture; pinned fingerprint, see the note in the first CLI
    # check above.
    send "show ssl cert ${testdir}/common.crt"
    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}
78
# check that the "www.test1.com" SNI was removed
# 2nd request: server s2 presents the same SNI, which no loaded certificate
# matches any more; under strict-sni the handshake is refused and, with
# retries 0, haproxy answers 503 instead of retrying.
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 503
} -run
85
# 3rd request: server s3 presents "localhost", which the newly committed
# certificate must serve (presumably the ecdsa.crt fixture covers that name
# — verify against the fixture if this check starts failing).
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run