Blame - reg-tests/ssl/new_del_ssl_cafile.vtc - haproxy

blob: 166ba2c19c3eb2a0d581011585d61ccb687dc328 [file] [log] [blame]

Remi Tricot-Le Breton	efcc5b2	2021-03-29 11:55:40 +0200	[diff] [blame]	1	#REGTEST_TYPE=devel
				2
				3	# This test uses the "new ssl ca-file" and "del ssl ca-file" commands to create
				4	# a new CA file or delete an unused CA file.
				5	#
				6	# It requires socat to upload the CA file.
				7	#
				8	# If this test does not work anymore:
				9	# - Check that you have socat
				10
				11	varnishtest "Test the 'new ssl ca-file' and 'del ssl ca-file' commands of the CLI"
Tim Duesterhus	5efc48d	2021-06-11 19:56:15 +0200	[diff] [blame]	12	feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
Tim Duesterhus	c957048	2021-06-11 19:56:16 +0200	[diff] [blame]	13	feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
Tim Duesterhus	4ee192f	2021-06-11 19:56:17 +0200	[diff] [blame]	14	feature cmd "command -v socat"
Remi Tricot-Le Breton	efcc5b2	2021-03-29 11:55:40 +0200	[diff] [blame]	15	feature ignore_unknown_macro
				16
				17	server s1 -repeat 2 {
				18	rxreq
				19	txresp
				20	} -start
				21
				22	haproxy h1 -conf {
				23	global
				24	tune.ssl.default-dh-param 2048
Marcin Deranek	310a260	2021-07-13 19:04:24 +0200	[diff] [blame]	25	tune.ssl.capture-buffer-size 1
Remi Tricot-Le Breton	efcc5b2	2021-03-29 11:55:40 +0200	[diff] [blame]	26	stats socket "${tmpdir}/h1/stats" level admin
				27	crt-base ${testdir}
				28
				29	defaults
				30	mode http
				31	option httplog
Willy Tarreau	f673923	2021-11-18 17:46:22 +0100	[diff] [blame^]	32	retries 0
Remi Tricot-Le Breton	efcc5b2	2021-03-29 11:55:40 +0200	[diff] [blame]	33	log stderr local0 debug err
				34	option logasap
Willy Tarreau	f673923	2021-11-18 17:46:22 +0100	[diff] [blame^]	35	timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
				36	timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
				37	timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
Remi Tricot-Le Breton	efcc5b2	2021-03-29 11:55:40 +0200	[diff] [blame]	38
				39	listen clear-lst
				40	bind "fd@${clearlst}"
				41	balance roundrobin
				42	use_backend with_ca_be if { path /with-ca }
				43	default_backend default_be
				44
				45	backend default_be
				46	server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(www.test1.com)
				47
				48	backend with_ca_be
				49	server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(with-ca.com)
				50
				51	listen ssl-lst
				52	bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all
				53	http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
				54	server s1 ${s1_addr}:${s1_port}
				55	} -start
				56
				57	# Request using the default backend and the www.test1.com sni
				58	client c1 -connect ${h1_clearlst_sock} {
				59	txreq
				60	rxresp
				61	expect resp.status == 200
				62	# The CA file known by the frontend does not allow to verify the client's certificate
				63	expect resp.http.X-SSL-Client-Verify == 21
				64	} -run
				65
				66	# This connection should fail because the with-ca.com sni is not mentioned in the crt-list yet.
				67	client c1 -connect ${h1_clearlst_sock} {
				68	txreq -url "/with-ca"
				69	rxresp
				70	expect resp.status == 503
				71	} -run
				72
				73	# Create a new unlinked CA file
				74	haproxy h1 -cli {
				75	send "new ssl ca-file new_cafile.crt"
				76	expect ~ "New CA file created 'new_cafile.crt'!"
				77	}
				78
				79	shell {
				80	printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" \| socat "${tmpdir}/h1/stats" -
				81	echo "commit ssl ca-file new_cafile.crt" \| socat "${tmpdir}/h1/stats" -
				82	}
				83
				84	haproxy h1 -cli {
				85	send "show ssl ca-file"
				86	expect ~ ".new_cafile.crt - 1 certificate."
				87
				88	send "show ssl ca-file new_cafile.crt"
				89	expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
				90	}
				91
				92	# The new CA file is still not linked anywhere so the request should fail.
				93	client c1 -connect ${h1_clearlst_sock} {
				94	txreq -url "/with-ca"
				95	rxresp
				96	expect resp.status == 503
				97	} -run
				98
				99	# Add a new certificate that will use the new CA file
				100	shell {
				101	echo "new ssl cert ${testdir}/set_cafile_server.pem" \| socat "${tmpdir}/h1/stats" -
				102	printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" \| socat "${tmpdir}/h1/stats" -
				103	echo "commit ssl cert ${testdir}/set_cafile_server.pem" \| socat "${tmpdir}/h1/stats" -
				104	}
				105
				106	# Create a new crt-list line that will use the new CA file
				107	shell {
				108	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" \| socat "${tmpdir}/h1/stats" -
				109	}
				110
				111	client c1 -connect ${h1_clearlst_sock} {
				112	txreq -url "/with-ca"
				113	rxresp
				114	expect resp.status == 200
				115	# Thanks to the newly added CA file, the client's certificate can be verified
				116	expect resp.http.X-SSL-Client-Verify == 0
				117	} -run
				118
				119	# Delete the newly added crt-list line and CA file
				120	haproxy h1 -cli {
				121	send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
				122	expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"
				123
				124	send "del ssl ca-file new_cafile.crt"
				125	expect ~ "CA file 'new_cafile.crt' deleted!"
				126
				127	send "show ssl ca-file"
				128	expect !~ "new_cafile.crt"
				129	}
				130
				131	# The connection should now fail since the crt-list line was deleted
				132	client c1 -connect ${h1_clearlst_sock} {
				133	txreq -url "/with-ca"
				134	rxresp
				135	expect resp.status == 503
				136	} -run
				137