Blame - reg-tests/ssl/ssl_generate_certificate.vtc - haproxy

blob: 665175567ba901b65b3ed1b378d27a343832279d [file] [log] [blame]

Remi Tricot-Le Breton	3f269bb	2022-02-08 17:45:57 +0100	[diff] [blame]	1	#REGTEST_TYPE=devel
				2
				3	# This reg-test checks that the 'generate-certificates' SSL option works
				4	# properly. This option allows to generate server-side certificates on the fly
				5	# for clients that use an SNI for which no certificate was specified in the
				6	# configuration file.
				7	# This test also aims at checking that the 'generate-certificates' and the
				8	# 'ecdhe' bind options work correctly together.
				9	# Any bind line having a 'generate-certificates' needs to have a ca-sign-file
				10	# option as well that specifies the path to a CA pem file (containing a
				11	# certificate as well as its private key). For this reason, a new
				12	# ssl_gen_ca.pem CA certificate was created, along with the ssl_gen_server.pem
				13	# server certificate signed by the CA. This server certificate will be used as
				14	# a default certificate and will serve as a base for any newly created
				15	# certificate.
				16
				17	varnishtest "Test the 'generate-certificates' SSL option"
				18	feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
				19	feature cmd "command -v openssl && command -v grep"
				20	feature ignore_unknown_macro
				21
				22	server s1 -repeat 6 {
				23	rxreq
				24	txresp
				25	} -start
				26
				27
				28	haproxy h1 -conf {
				29	global
				30	tune.ssl.default-dh-param 2048
				31	tune.ssl.capture-buffer-size 2048
				32
				33	defaults
				34	mode http
				35	option httpslog
				36	log stderr local0 debug err
				37	option logasap
				38	timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
				39	timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
				40	timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
				41	option httpslog
				42
				43	listen clear-lst
				44	bind "fd@${clearlst}"
				45	http-request set-var(sess.sni) hdr(x-sni)
				46
				47	use_backend P-384_backend if { path /P-384 }
				48	default_backend default_backend
				49
				50	backend default_backend
				51	server s1 "${tmpdir}/ssl.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)
				52
				53	backend P-384_backend
				54	server s1 "${tmpdir}/ssl_P-384.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)
				55
				56	listen ssl-lst
				57	bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional
				58	http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
				59	http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
				60	http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
				61	http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
				62	http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex]
				63
				64	server s1 ${s1_addr}:${s1_port}
				65
				66	listen ssl-lst-P-384
				67	bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1
				68	http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
				69	http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
				70	http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
				71	http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
				72	http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex]
				73
				74	server s1 ${s1_addr}:${s1_port}
				75
				76	} -start
				77
				78	# Use default certificate
				79	client c1 -connect ${h1_clearlst_sock} {
				80	txreq
				81	rxresp
				82	expect resp.status == 200
				83	expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
				84	expect resp.http.x-ssl-i_dn == "ECDSA CA"
				85	expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
				86	expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
				87	expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
				88	} -run
				89
				90
				91	# Use default certificate's sni
				92	client c2 -connect ${h1_clearlst_sock} {
				93	txreq -hdr "x-sni: server.ecdsa.com"
				94	rxresp
				95	expect resp.status == 200
				96	expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
				97	expect resp.http.x-ssl-i_dn == "ECDSA CA"
				98	expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
				99	expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
				100	expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
				101	} -run
				102
				103
				104
				105	# Use another SNI - the server certificate should be generated and different
				106	# than the default one
				107	client c3 -connect ${h1_clearlst_sock} {
				108	txreq -hdr "x-sni: unknown-sni.com"
				109	rxresp
				110	expect resp.status == 200
				111	expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
				112	expect resp.http.x-ssl-i_dn == "ECDSA CA"
				113	expect resp.http.x-ssl-s_dn == "ECDSA CA"
				114	expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
				115	expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
				116	} -run
				117
				118
				119	# Use default certificate
				120	client c4 -connect ${h1_clearlst_sock} {
				121	txreq -url "/P-384"
				122	rxresp
				123	expect resp.status == 200
				124	expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
				125	expect resp.http.x-ssl-i_dn == "ECDSA CA"
				126	expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
				127	expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
				128	expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
				129	} -run
				130
				131
				132	# Use default certificate's sni
				133	client c5 -connect ${h1_clearlst_sock} {
				134	txreq -url "/P-384" -hdr "x-sni: server.ecdsa.com"
				135	rxresp
				136	expect resp.status == 200
				137	expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
				138	expect resp.http.x-ssl-i_dn == "ECDSA CA"
				139	expect resp.http.x-ssl-s_dn == "server.ecdsa.com"
				140	expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
				141	expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
				142	} -run
				143
				144
				145	# Use another SNI - the server certificate should be generated and different
				146	# than the default one
				147	client c6 -connect ${h1_clearlst_sock} {
				148	txreq -url "/P-384" -hdr "x-sni: unknown-sni.com"
				149	rxresp
				150	expect resp.status == 200
				151	expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
				152	expect resp.http.x-ssl-i_dn == "ECDSA CA"
				153	expect resp.http.x-ssl-s_dn == "ECDSA CA"
				154	expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
				155	expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
				156	} -run
				157
				158	# Check that the curves that the server accepts to use correspond to what we
				159	# expect it to be (according to ecdhe option).
				160	# The curve with the highest priority is X25519 for OpenSSL 1.1.1 and later,
				161	# and P-256 for OpenSSL 1.0.2.
				162	shell {
				163	echo "Q" \| openssl s_client -unix "${tmpdir}/ssl.sock" -servername server.ecdsa.com -tls1_2 2>/dev/null \| grep -E "Server Temp Key: (ECDH, P-256, 256 bits\|X25519, 253 bits)"
				164	}
				165
				166	shell {
				167	echo "Q" \| openssl s_client -unix "${tmpdir}/ssl_P-384.sock" -servername server.ecdsa.com 2>/dev/null\| grep "Server Temp Key: ECDH, P-384, 384 bits"
				168	}