mirror of
https://github.com/haproxy/haproxy.git
synced 2026-02-03 20:39:41 -05:00
da728aa0f6
OpenSSL 4.0 changed the way it stores objects in X509_STORE structures and are not allowing anymore to iterate on objects in insertion order. Meaning that the order of the object are not the same before and after OpenSSL 4.0, and the reg-tests need to handle both cases.
157 lines
6.3 KiB
Text
157 lines
6.3 KiB
Text
feature ignore_unknown_macro
|
|
|
|
server s1 -repeat 4 {
|
|
rxreq
|
|
txresp
|
|
} -start
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
.if streq("$VTC_SOCK_TYPE",quic)
|
|
# required for backend connections
|
|
expose-experimental-directives
|
|
.endif
|
|
.if feature(THREAD)
|
|
thread-groups 1
|
|
.endif
|
|
|
|
.if !ssllib_name_startswith(AWS-LC)
|
|
tune.ssl.default-dh-param 2048
|
|
.endif
|
|
tune.ssl.capture-buffer-size 1
|
|
stats socket "${tmpdir}/h1/stats" level admin
|
|
|
|
defaults
|
|
mode http
|
|
option httplog
|
|
retries 0
|
|
log stderr local0 debug err
|
|
option logasap
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
listen clear-lst
|
|
bind "fd@${clearlst}"
|
|
# dummy bind used to test a change when the same crt is used as server and bind
|
|
bind "fd@${foobarlst}" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify none
|
|
server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify none no-sni-auto
|
|
|
|
listen clear-verified-lst
|
|
bind "fd@${clearverifiedlst}"
|
|
server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required no-sni-auto
|
|
|
|
listen ssl-lst
|
|
# crt: certificate of the server
|
|
# ca-file: CA used for client authentication request
|
|
bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required crt-ignore-err all
|
|
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
|
|
# Test the "show ssl ca-file" command
|
|
haproxy h1 -cli {
|
|
send "show ssl ca-file"
|
|
expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 1 certificate.*"
|
|
send "show ssl ca-file"
|
|
expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*"
|
|
|
|
send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt"
|
|
expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
|
|
}
|
|
|
|
|
|
# This first connection should fail because the client's certificate was signed with the
|
|
# set_cafile_interCA1.crt certificate which is not known by the backend.
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
# unable to verify the client certificate
|
|
expect resp.http.X-SSL-Client-Verify ~ "20|21"
|
|
} -run
|
|
|
|
# Set a new ca-file without committing it and check that the new ca-file is not taken into account
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
# Test the "show ssl ca-file" command
|
|
# The transaction should be mentioned in the list
|
|
haproxy h1 -cli {
|
|
send "show ssl ca-file"
|
|
expect ~ "\\*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*"
|
|
|
|
# The original CA file did not change
|
|
send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt"
|
|
expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
|
|
|
|
# Only the current transaction displays a new certificate
|
|
send "show ssl ca-file *${testdir}/certs/set_cafile_interCA2.crt"
|
|
expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
|
|
}
|
|
|
|
# This connection should still fail for the same reasons as previously
|
|
client c1 -connect ${h1_clearlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
# unable to verify the client certificate
|
|
expect resp.http.X-SSL-Client-Verify ~ "20|21"
|
|
} -run
|
|
|
|
haproxy h1 -cli {
|
|
send "abort ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt"
|
|
expect ~ "Transaction aborted for certificate '${testdir}/certs/set_cafile_interCA2.crt'!"
|
|
send "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt"
|
|
expect ~ "No ongoing transaction!"
|
|
}
|
|
|
|
|
|
# Update the bind line's ca-file in order to accept the client certificate
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
|
|
# The backend's certificate can't be verified by the frontend because it was signed with
|
|
# the set_cafile_interCA2.crt certificate.
|
|
client c1 -connect ${h1_clearverifiedlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 503
|
|
} -run
|
|
|
|
|
|
# Update the server line's ca-file. The server certificate should now be accepted by
|
|
# the frontend. We replace the single CA by a list of CAs that includes the correct one.
|
|
shell {
|
|
printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
printf "add ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
printf "add ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
|
|
echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
|
|
}
|
|
|
|
# Test the "show ssl ca-file" with a certificate index
|
|
haproxy h1 -cli {
|
|
send "show ssl ca-file"
|
|
expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 3 certificate.*"
|
|
|
|
send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:1"
|
|
expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
|
|
|
|
send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:2"
|
|
expect !~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
|
|
send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:2"
|
|
expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D|5F8DAE4B2099A09F9BDDAFD7E9D900F0CE49977C"
|
|
}
|
|
|
|
client c1 -connect ${h1_clearverifiedlst_sock} {
|
|
txreq
|
|
rxresp
|
|
expect resp.status == 200
|
|
# there should be no error on the backend side but one on the frontend side
|
|
expect resp.http.X-SSL-Client-Verify == 0
|
|
} -run
|