Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-test/ssl/certs and adapt all the VTC files which use them.
This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables depending on the location the VTC file
is run from, because VTC does not resolve environment variables. Only macros
such as ${testdir} can be resolved.
For instance, this command run from a VTC file in the reg-tests/ssl directory cannot
be reused from another directory, unless we add a symbolic link for each cert,
key, etc.
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
}
This is not what we want. We add a symbolic link to reg-test/ssl/certs to the
directory and modify the command above as follows:
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
}
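#REGTEST_TYPE=devel

# broken with BoringSSL.
#
# This reg-test tries loading multiple configurations that make use of the
# 'ocsp-update' crt-list option and the global 'ocsp-update.mode'
# option. It ensures that an error message is raised when the user provides an
# incoherent configuration. Any configuration in which a given certificate has
# the ocsp auto update mode set to 'on' as well as 'off' simultaneously should
# raise an ALERT type message and not start.
# The first batch of configurations should all raise errors and the second
# batch should all load properly. We do not focus on the actual auto update in
# this reg-test though so no actual proxy instance will be launched.
#
# How each case below works: the shell block writes a crt-list and a
# configuration into ${tmpdir}, then runs "haproxy -c" on it (configuration
# check only). The last command of the block is the assertion: it succeeds
# only when haproxy exited non-zero AND its output names the conflicting
# 'ocsp-update' parameter, so a configuration that is silently accepted makes
# the block, and thus the test, fail. 'set +e' keeps the expected non-zero
# exit of haproxy from aborting the block before that assertion is reached,
# in case the block runs with errexit.
# ${tmpdir} and ${testdir} are VTC macros substituted before the shell runs;
# $HAPROXY_PROGRAM is a plain environment variable read by the shell itself.
#
# Legend used in the per-test headers: ON / OFF are explicit 'ocsp-update'
# settings, DFLT means no explicit setting at that level, '-' means the
# element is absent. "(first)"/"(second)" is the order in which the 'crt' and
# 'crt-list' entries are seen on the bind line(s).

varnishtest "Test the OCSP auto update feature"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
feature ignore_unknown_macro


#############################
#                           #
#    WRONG CONFIGURATIONS   #
#                           #
#############################


# test1
#   global_option : OFF (ocsp-update.mode left unset)
#   bind line     : crt, DFLT (OFF) (first)
#   crt-list      : ON (second)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    # ocsp-update.mode on

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 1"
    echo "$haproxy_output"
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}

# test2
#   global_option : ON
#   bind line     : crt, DFLT (ON) (first)
#   crt-list      : OFF (second)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    ocsp-update.mode on

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 2"
    echo "$haproxy_output"
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}

# test3
#   global_option : OFF (explicit)
#   bind line     : crt, DFLT (OFF) (first)
#   crt-list      : ON (second)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    ocsp-update.mode off

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 3"
    echo "$haproxy_output"
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}

# test4
#   global_option : OFF (ocsp-update.mode left unset)
#   bind line     : crt, DFLT (OFF) (second, on its own bind line)
#   crt-list      : ON (first, on its own bind line)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    # ocsp-update.mode off

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 4"
    echo "$haproxy_output"
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}

# test5
#   global_option : ON
#   bind line     : crt, DFLT (ON) (second, on its own bind line)
#   crt-list      : OFF (first, on its own bind line)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    ocsp-update.mode on

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 5"
    echo "$haproxy_output"
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}

# test6
#   global_option : OFF (explicit)
#   bind line     : crt, DFLT (OFF) (second, on its own bind line)
#   crt-list      : ON (first, on its own bind line)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    ocsp-update.mode off

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 6"
    echo "$haproxy_output"
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}

# From here on the conflict is between two crt-list entries that reference the
# same certificate with different ocsp-update settings; there is no plain
# 'crt' on the bind line.

# test7
#   global_option : DFLT (ocsp-update.mode left unset)
#   bind line     : -
#   crt-list      : ON (first entry)
#   crt-list      : DFLT (second entry)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
server_ocsp_ecdsa.pem bar.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    # ocsp-update.mode off

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 7"
    echo "$haproxy_output"
    # Same diagnostic line as the other cases so a failure is easy to locate
    # in the log.
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}

# test8
#   global_option : DFLT (ocsp-update.mode left unset)
#   bind line     : -
#   crt-list      : DFLT (first entry)
#   crt-list      : ON (second entry)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem bar.com
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    # ocsp-update.mode off

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 8"
    echo "$haproxy_output"
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}

# test9
#   global_option : ON
#   bind line     : -
#   crt-list      : OFF (first entry)
#   crt-list      : DFLT (second entry)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
server_ocsp_ecdsa.pem bar.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    ocsp-update.mode on

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 9"
    echo "$haproxy_output"
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}

# test10
#   global_option : ON
#   bind line     : -
#   crt-list      : DFLT (first entry)
#   crt-list      : OFF (second entry)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem bar.com
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    ocsp-update.mode on

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 10"
    echo "$haproxy_output"
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}

# test11
#   global_option : OFF (explicit)
#   bind line     : -
#   crt-list      : ON (first entry)
#   crt-list      : DFLT (second entry)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
server_ocsp_ecdsa.pem bar.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    ocsp-update.mode off

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 11"
    echo "$haproxy_output"
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}

# test12
#   global_option : OFF (explicit)
#   bind line     : -
#   crt-list      : DFLT (first entry)
#   crt-list      : ON (second entry)
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem bar.com
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF

    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
global
    .if feature(THREAD)
        thread-groups 1
    .endif

    crt-base ${testdir}/certs/ocsp_update/multicert
    ocsp-update.mode off

defaults
    log stderr local0 debug err

listen ssl-lst
    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
    server s1 127.0.0.1:80
EOF

    set +e
    haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
    haproxy_ret=$?
    echo "==== test 12"
    echo "$haproxy_output"
    echo "HAProxy return code: $haproxy_ret"
    # The config must be rejected, and rejected for the ocsp-update conflict.
    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
}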