upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-02-03 20:39:41 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
haproxy/reg-tests/ssl/set_ssl_crlfile.vtci
William Lallemand da728aa0f6 REGTESTS: ssl: make reg-tests compatible with OpenSSL 4.0 
OpenSSL 4.0 changed the way it stores objects in X509_STORE structures
and are not allowing anymore to iterate on objects in insertion order.

Meaning that the order of the object are not the same before and after
OpenSSL 4.0, and the reg-tests need to handle both cases.
2026-01-29 17:08:45 +01:00

131 lines
4.7 KiB
Text
Raw Permalink Blame History

feature ignore_unknown_macro
server s1 -repeat 4 {
rxreq
txresp
} -start
haproxy h1 -conf {
global
.if streq("$VTC_SOCK_TYPE",quic)
# required for backend connections
expose-experimental-directives
.endif
.if feature(THREAD)
thread-groups 1
.endif
.if !ssllib_name_startswith(AWS-LC)
tune.ssl.default-dh-param 2048
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults
mode http
option httplog
retries 0
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
listen clear-lst
bind "fd@${clearlst}"
server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt crl-file ${testdir}/certs/interCA2_crl_empty.pem verify required no-sni-auto
listen ssl-lst
# crt: certificate of the server
# ca-file: CA used for client authentication request
# crl-file: revocation list for client auth
bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt crl-file ${testdir}/certs/interCA1_crl_empty.pem verify required crt-ignore-err all
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
server s1 ${s1_addr}:${s1_port}
} -start
# Test the "show ssl ca-file" command
haproxy h1 -cli {
send "show ssl ca-file"
expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 1 certificate.*"
send "show ssl ca-file"
expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*"
}
# Add the rootCA certificate to set_cafile_interCA2.crt in order for the frontend to
# be able to validate the server's certificate
shell {
printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
send "show ssl ca-file"
expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 2 certificate.*"
send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt"
expect ~ ".*Subject.*/CN=Root CA"
}
# This first connection should succeed
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
expect resp.http.X-SSL-Client-Verify == 0
} -run
# Change the frontend's crl-file to one in which the server certificate is revoked
shell {
printf "set ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA2_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" -
}
# Check that the transaction is displayed in the output of "show ssl crl-list"
haproxy h1 -cli {
send "show ssl crl-file"
expect ~ "\\*${testdir}/certs/interCA2_crl_empty.pem"
send "show ssl crl-file \\*${testdir}/certs/interCA2_crl_empty.pem"
expect ~ "Revoked Certificates:\n.*Serial Number: 1008"
}
# This connection should still succeed since the transaction was not committed
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
expect resp.http.X-SSL-Client-Verify == 0
} -run
haproxy h1 -cli {
send "commit ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem"
expect ~ "Committing ${testdir}/certs/interCA2_crl_empty.pem"
}
# This connection should fail, the server's certificate is revoked in the newly updated CRL file
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 503
} -run
# Restore the frontend's CRL
shell {
printf "set ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA2_crl_empty.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem" | socat "${tmpdir}/h1/stats" -
}
# Change the backend's CRL file to one in which the frontend's certificate is revoked
shell {
printf "set ssl crl-file ${testdir}/certs/interCA1_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA1_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl crl-file ${testdir}/certs/interCA1_crl_empty.pem" | socat "${tmpdir}/h1/stats" -
}
# This connection should fail, the client's certificate is revoked in the newly updated CRL file
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
# Revoked certificate
expect resp.http.X-SSL-Client-Verify == 23
} -run
Reference in a new issue View git blame Copy permalink