blob: c9dbf7490e10ba7e6481ea5a91aee72371cf1e41 [file] [log] [blame]
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +01001#REGTEST_TYPE=devel
2
3# This reg-test uses the "set ssl ca-file" command to update a CA file over the CLI.
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +01004# It also tests the "abort ssl ca-file" and "show ssl ca-file" commands.
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +01005#
6# It is based on two CA certificates, set_cafile_interCA1.crt and set_cafile_interCA2.crt,
7# and a client certificate that was signed with set_cafile_interCA1.crt (set_cafile_client.pem)
8# and a server certificate that was signed with set_cafile_interCA2.crt (set_cafile_server.pem).
9# The CA files used by the client and the server will be updated through the CLI until a
10# proper connection can be established between them.
11#
12# It requires socat to upload the certificate
13#
14# If this test does not work anymore:
15# - Check that you have socat
16
17varnishtest "Test the 'set ssl ca-file' feature of the CLI"
Tim Duesterhus5efc48d2021-06-11 19:56:15 +020018feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
Tim Duesterhusc9570482021-06-11 19:56:16 +020019feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
Tim Duesterhus4ee192f2021-06-11 19:56:17 +020020feature cmd "command -v socat"
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +010021feature ignore_unknown_macro
22
Remi Tricot-Le Bretond5fd09d2021-03-11 10:22:52 +010023server s1 -repeat 4 {
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +010024 rxreq
25 txresp
26} -start
27
28haproxy h1 -conf {
29 global
30 tune.ssl.default-dh-param 2048
Marcin Deranek310a2602021-07-13 19:04:24 +020031 tune.ssl.capture-buffer-size 1
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +010032 stats socket "${tmpdir}/h1/stats" level admin
33
34 defaults
35 mode http
36 option httplog
Willy Tarreauf6739232021-11-18 17:46:22 +010037 retries 0
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +010038 log stderr local0 debug err
39 option logasap
Willy Tarreauf6739232021-11-18 17:46:22 +010040 timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
41 timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
42 timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +010043
44 listen clear-lst
45 bind "fd@${clearlst}"
46 server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify none
47
48 listen clear-verified-lst
49 bind "fd@${clearverifiedlst}"
50 server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required
51
52 listen ssl-lst
53 # crt: certificate of the server
54 # ca-file: CA used for client authentication request
55 bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all
56 http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
57 server s1 ${s1_addr}:${s1_port}
58} -start
59
60
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +010061# Test the "show ssl ca-file" command
62haproxy h1 -cli {
63 send "show ssl ca-file"
64 expect ~ ".*${testdir}/set_cafile_interCA1.crt - 1 certificate.*"
65 send "show ssl ca-file"
66 expect ~ ".*${testdir}/set_cafile_interCA2.crt - 1 certificate.*"
67
68 send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt"
69 expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
70}
71
72
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +010073# This first connection should fail because the client's certificate was signed with the
74# set_cafile_interCA1.crt certificate which is not known by the backend.
75client c1 -connect ${h1_clearlst_sock} {
76 txreq
77 rxresp
78 expect resp.status == 200
79 # unable to verify the client certificate
Ilya Shipitsinfc112662021-12-04 14:32:23 +050080 expect resp.http.X-SSL-Client-Verify ~ "20|21"
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +010081} -run
82
Remi Tricot-Le Bretond5fd09d2021-03-11 10:22:52 +010083# Set a new ca-file without committing it and check that the new ca-file is not taken into account
84shell {
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +010085 printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
86}
87
88# Test the "show ssl ca-file" command
89# The transaction should be mentioned in the list
90haproxy h1 -cli {
91 send "show ssl ca-file"
92 expect ~ "\\*${testdir}/set_cafile_interCA2.crt - 1 certificate.*"
93
94# The original CA file did not change
95 send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt"
96 expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
97
98# Only the current transaction displays a new certificate
99 send "show ssl ca-file *${testdir}/set_cafile_interCA2.crt"
100 expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
Remi Tricot-Le Bretond5fd09d2021-03-11 10:22:52 +0100101}
102
103# This connection should still fail for the same reasons as previously
104client c1 -connect ${h1_clearlst_sock} {
105 txreq
106 rxresp
107 expect resp.status == 200
108 # unable to verify the client certificate
Ilya Shipitsinfc112662021-12-04 14:32:23 +0500109 expect resp.http.X-SSL-Client-Verify ~ "20|21"
Remi Tricot-Le Bretond5fd09d2021-03-11 10:22:52 +0100110} -run
111
112haproxy h1 -cli {
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +0100113 send "abort ssl ca-file ${testdir}/set_cafile_interCA2.crt"
114 expect ~ "Transaction aborted for certificate '${testdir}/set_cafile_interCA2.crt'!"
115 send "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt"
Remi Tricot-Le Bretond5fd09d2021-03-11 10:22:52 +0100116 expect ~ "No ongoing transaction!"
117}
118
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +0100119
120# Update the bind line's ca-file in order to accept the client certificate
121shell {
122 printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
123 echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
124}
125
126
127# The backend's certificate can't be verified by the frontend because it was signed with
128# the set_cafile_interCA2.crt certificate.
129client c1 -connect ${h1_clearverifiedlst_sock} {
130 txreq
131 rxresp
132 expect resp.status == 503
133} -run
134
135
136# Update the server line's ca-file. The server certificate should now be accepted by
137# the frontend. We replace the single CA by a list of CAs that includes the correct one.
138shell {
139 printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
140 echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
141}
142
Remi Tricot-Le Breton2a22e162021-03-16 11:19:33 +0100143# Test the "show ssl ca-file" with a certificate index
144haproxy h1 -cli {
145 send "show ssl ca-file"
146 expect ~ ".*${testdir}/set_cafile_interCA1.crt - 3 certificate.*"
147
148 send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:1"
149 expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
150
151 send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:2"
152 expect !~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
153 send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:2"
154 expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
155}
Remi Tricot-Le Breton2db61012021-03-05 14:42:40 +0100156
157client c1 -connect ${h1_clearverifiedlst_sock} {
158 txreq
159 rxresp
160 expect resp.status == 200
161 # there should be no error on the backend side but one on the frontend side
162 expect resp.http.X-SSL-Client-Verify == 0
163} -run