Blame - reg-tests/ssl/new_del_ssl_crlfile.vtc - haproxy

blob: 8658a1a7a5638a56ab906eadba01991827971271 [file] [log] [blame]

Remi Tricot-Le Breton	f615070	2021-04-22 11:02:16 +0200	[diff] [blame]	1	#REGTEST_TYPE=devel
				2
				3	# This test uses the "new ssl crl-file" and "del ssl crl-file" commands to create
				4	# a new CRL file or delete an unused CRL file.
				5	#
				6	# It requires socat to upload the CRL file.
				7	#
				8	# If this test does not work anymore:
				9	# - Check that you have socat
				10
				11	varnishtest "Test the 'new ssl crl-file' and 'del ssl crl-file' commands of the CLI"
Tim Duesterhus	5efc48d	2021-06-11 19:56:15 +0200	[diff] [blame]	12	feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
Tim Duesterhus	c957048	2021-06-11 19:56:16 +0200	[diff] [blame]	13	feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
Tim Duesterhus	4ee192f	2021-06-11 19:56:17 +0200	[diff] [blame]	14	feature cmd "command -v socat"
Remi Tricot-Le Breton	f615070	2021-04-22 11:02:16 +0200	[diff] [blame]	15	feature ignore_unknown_macro
				16
				17	server s1 -repeat 3 {
				18	rxreq
				19	txresp
				20	} -start
				21
				22	haproxy h1 -conf {
				23	global
				24	tune.ssl.default-dh-param 2048
Marcin Deranek	310a260	2021-07-13 19:04:24 +0200	[diff] [blame]	25	tune.ssl.capture-buffer-size 1
Remi Tricot-Le Breton	f615070	2021-04-22 11:02:16 +0200	[diff] [blame]	26	stats socket "${tmpdir}/h1/stats" level admin
				27	crt-base ${testdir}
				28
				29	defaults
				30	mode http
				31	option httplog
Willy Tarreau	f673923	2021-11-18 17:46:22 +0100	[diff] [blame]	32	retries 0
Remi Tricot-Le Breton	f615070	2021-04-22 11:02:16 +0200	[diff] [blame]	33	log stderr local0 debug err
				34	option logasap
Willy Tarreau	f673923	2021-11-18 17:46:22 +0100	[diff] [blame]	35	timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
				36	timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
				37	timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
Remi Tricot-Le Breton	f615070	2021-04-22 11:02:16 +0200	[diff] [blame]	38
				39	listen clear-lst
				40	bind "fd@${clearlst}"
				41	balance roundrobin
				42	use_backend with_crl_be if { path /with-crl }
				43	default_backend default_be
				44
				45	backend default_be
				46	server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(www.test1.com)
				47
				48	backend with_crl_be
				49	server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(with-crl.com)
				50
				51	listen ssl-lst
				52	bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-file ${testdir}/ca-auth.crt verify required crt-ignore-err all
				53	http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
				54	server s1 ${s1_addr}:${s1_port}
				55	} -start
				56
				57	# Request using the default backend and the www.test1.com sni
				58	client c1 -connect ${h1_clearlst_sock} {
				59	txreq
				60	rxresp
				61	expect resp.status == 200
				62	# The backend has no CRL so the connection should succeed
				63	expect resp.http.X-SSL-Client-Verify == 0
				64	} -run
				65
				66	# This connection should fail because the with-crl.com sni is not mentioned in the crt-list yet.
				67	client c1 -connect ${h1_clearlst_sock} {
				68	txreq -url "/with-crl"
				69	rxresp
				70	expect resp.status == 503
				71	} -run
				72
				73	# Create a new unlinked CRL file
				74	haproxy h1 -cli {
				75	send "new ssl crl-file new_crlfile.crt"
				76	expect ~ "New CRL file created 'new_crlfile.crt'!"
				77	}
				78
				79	shell {
				80	printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/crl-auth.pem)\n\n" \| socat "${tmpdir}/h1/stats" -
				81	echo "commit ssl crl-file new_crlfile.crt" \| socat "${tmpdir}/h1/stats" -
				82	}
				83
				84	haproxy h1 -cli {
				85	send "show ssl crl-file"
				86	expect ~ ".*new_crlfile.crt"
				87
				88	send "show ssl crl-file new_crlfile.crt"
				89	expect ~ ".Issuer:./CN=HAProxy Technologies CA Test Client Auth"
				90	}
				91
				92	# Add a new certificate that will use the new CA file
				93	shell {
				94	echo "new ssl cert ${testdir}/set_cafile_server.pem" \| socat "${tmpdir}/h1/stats" -
				95	printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" \| socat "${tmpdir}/h1/stats" -
				96	echo "commit ssl cert ${testdir}/set_cafile_server.pem" \| socat "${tmpdir}/h1/stats" -
				97	}
				98
				99	# Create a new crt-list line that will use the new CA file
				100	shell {
				101	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" \| socat "${tmpdir}/h1/stats" -
				102	}
				103
				104	client c1 -connect ${h1_clearlst_sock} {
				105	txreq -url "/with-crl"
				106	rxresp
				107	expect resp.status == 200
				108	# The frontend's certificate is revoked in the newly added CRL, connection should fail
				109	expect resp.http.X-SSL-Client-Verify == 23
				110	} -run
				111
				112	# Request using the default backend and the www.test1.com sni
				113	client c1 -connect ${h1_clearlst_sock} {
				114	txreq
				115	rxresp
				116	expect resp.status == 200
				117	# The backend has no CRL for this SNI so the connection should still succeed
				118	expect resp.http.X-SSL-Client-Verify == 0
				119	} -run
				120
				121	# Delete the newly added crt-list line and CRL file
				122	haproxy h1 -cli {
				123	send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
				124	expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"
				125
				126	send "del ssl crl-file new_crlfile.crt"
				127	expect ~ "CRL file 'new_crlfile.crt' deleted!"
				128
				129	send "show ssl crl-file"
				130	expect !~ "new_crlfile.crt"
				131	}
				132
				133	# The connection should now fail since the crt-list line was deleted
				134	client c1 -connect ${h1_clearlst_sock} {
				135	txreq -url "/with-crl"
				136	rxresp
				137	expect resp.status == 503
				138	} -run
				139