Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / f509065191a01dc1b5950e204944a4de7137217c / . / reg-tests / ssl / set_ssl_server_cert.vtc
blob: ccf78873b3f7bcf48e3ccafe6d6334beeb39d2f9 [file] [log] [blame]
William Lallemanda870a9c2021-02-01 14:37:36 +0100[diff] [blame]1#REGTEST_TYPE=devel
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100[diff] [blame]2
3# This reg-test uses the "set ssl cert" command to update a backend certificate over the CLI.
4# It requires socat to upload the certificate
5
6varnishtest "Test the 'set ssl cert' feature of the CLI"
7#REQUIRE_VERSION=2.4
8#REQUIRE_OPTIONS=OPENSSL
9#REQUIRE_BINARIES=socat
10feature ignore_unknown_macro
11
12server s1 -repeat 4 {
13 rxreq
14 txresp
15} -start
16
17haproxy h1 -conf {
18 global
19 tune.ssl.default-dh-param 2048
20 tune.ssl.capture-cipherlist-size 1
21 stats socket "${tmpdir}/h1/stats" level admin
William Lallemanda870a9c2021-02-01 14:37:36 +0100[diff] [blame]22 nbthread 1
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100[diff] [blame]23
24 defaults
25 mode http
26 option httplog
27 ${no-htx} option http-use-htx
28 log stderr local0 debug err
29 option logasap
30 timeout connect 100ms
31 timeout client 1s
32 timeout server 1s
33
34 listen clear-lst
35 bind "fd@${clearlst}"
36 retries 0 # 2nd SSL connection must fail so skip the retry
William Lallemande0de0a62021-02-03 18:51:01 +0100[diff] [blame]37 server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100[diff] [blame]38
39 listen ssl-lst
40 # crt: certificate of the server
41 # ca-file: CA used for client authentication request
42 # crl-file: revocation list for client auth: the client1 certificate is revoked
William Lallemandff97eda2021-02-01 14:57:31 +0100[diff] [blame]43 bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100[diff] [blame]44
45 acl cert_expired ssl_c_verify 10
46 acl cert_revoked ssl_c_verify 23
47 acl cert_ok ssl_c_verify 0
48
49 http-response add-header X-SSL Ok if cert_ok
50 http-response add-header X-SSL Expired if cert_expired
51 http-response add-header X-SSL Revoked if cert_revoked
William Lallemand7b794242021-01-28 16:00:22 +0100[diff] [blame]52 http-response add-header x-ssl-sha1 %[ssl_c_sha1,hex]
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100[diff] [blame]53
54 server s1 ${s1_addr}:${s1_port}
55} -start
56
57client c1 -connect ${h1_clearlst_sock} {
58 txreq
59 rxresp
60 expect resp.status == 200
William Lallemand7b794242021-01-28 16:00:22 +0100[diff] [blame]61 expect resp.http.x-ssl-sha1 == "D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100[diff] [blame]62 expect resp.http.x-ssl == "Ok"
63} -run
64
William Lallemand7e696372021-01-28 14:59:19 +0100[diff] [blame]65haproxy h1 -cli {
66 send "show ssl cert ${testdir}/client1.pem"
67 expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
68}
69
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100[diff] [blame]70# Replace certificate with an expired one
71shell {
72 printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
73 echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
74}
75
William Lallemand7e696372021-01-28 14:59:19 +0100[diff] [blame]76haproxy h1 -cli {
77 send "show ssl cert ${testdir}/client1.pem"
78 expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
79}
80
81
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100[diff] [blame]82# The updated client certificate is an expired one so this request should fail
83client c1 -connect ${h1_clearlst_sock} {
84 txreq
85 rxresp
86 expect resp.status == 200
William Lallemand7b794242021-01-28 16:00:22 +0100[diff] [blame]87 expect resp.http.x-ssl-sha1 == "C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100[diff] [blame]88 expect resp.http.x-ssl == "Expired"
89} -run
90
91# Replace certificate with a revoked one
92shell {
93 printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
94 echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
95}
96
William Lallemand7e696372021-01-28 14:59:19 +0100[diff] [blame]97haproxy h1 -cli {
98 send "show ssl cert ${testdir}/client1.pem"
99 expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151"
100}
101
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100[diff] [blame]102# The updated client certificate is a revoked one so this request should fail
103client c1 -connect ${h1_clearlst_sock} {
104 txreq
105 rxresp
106 expect resp.status == 200
William Lallemand7b794242021-01-28 16:00:22 +0100[diff] [blame]107 expect resp.http.x-ssl-sha1 == "992386628A40C9D49C89BAC0058B5D45D8575151"
Remi Tricot-Le Bretonf3eedfe2021-01-25 17:19:44 +0100[diff] [blame]108 expect resp.http.x-ssl == "Revoked"
109} -run
110
William Lallemand8695ce02021-02-01 15:31:00 +0100[diff] [blame]111# Abort a transaction
112shell {
113 printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
114 echo "abort ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
115}
116
117haproxy h1 -cli {
118 send "show ssl cert ${testdir}/client1.pem"
119 expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151"
120}
121
122# The certificate was not updated so it should still be revoked
123client c1 -connect ${h1_clearlst_sock} {
124 txreq
125 rxresp
126 expect resp.status == 200
127 expect resp.http.x-ssl == "Revoked"
128} -run
129
130