summaryrefslogtreecommitdiffstats
path: root/reg-tests/ssl/new_del_ssl_cafile.vtc
blob: 4b045715d2e2a60408c7eae8e10630897bbf4460 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
#REGTEST_TYPE=devel

# This test uses the "new ssl ca-file" and "del ssl ca-file" commands to create
# a new CA file or delete an unused CA file.
#
# It requires socat to upload the CA file.
#
# If this test does not work anymore:
# - Check that you have socat

varnishtest "Test the 'new ssl ca-file' and 'del ssl ca-file' commands of the CLI"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature cmd "command -v socat"
feature ignore_unknown_macro

server s1 -repeat 2 {
  rxreq
  txresp
} -start

haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-buffer-size 1
        stats socket "${tmpdir}/h1/stats" level admin
        crt-base ${testdir}

    defaults
        mode http
        option httplog
	retries 0
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    listen clear-lst
        bind "fd@${clearlst}"
        balance roundrobin
        use_backend with_ca_be if { path /with-ca }
        default_backend default_be

    backend default_be
        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(www.test1.com)

    backend with_ca_be
        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(with-ca.com)

    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all
        http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
        server s1 ${s1_addr}:${s1_port}
} -start

# Request using the default backend and the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
    # The CA file known by the frontend does not allow to verify the client's certificate
    expect resp.http.X-SSL-Client-Verify ~ "20|21"
} -run

# This connection should fail because the with-ca.com sni is not mentioned in the crt-list yet.
client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/with-ca"
    rxresp
    expect resp.status == 503
} -run

# Create a new unlinked CA file
haproxy h1 -cli {
    send "new ssl ca-file new_cafile.crt"
    expect ~ "New CA file created 'new_cafile.crt'!"
}

shell {
    printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl ca-file"
    expect ~ ".*new_cafile.crt - 1 certificate.*"

    send "show ssl ca-file new_cafile.crt"
    expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
}

# The new CA file is still not linked anywhere so the request should fail.
client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/with-ca"
    rxresp
    expect resp.status == 503
} -run

# Add a new certificate that will use the new CA file
shell {
    echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
    printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
}

# Create a new crt-list line that will use the new CA file
shell {
    printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" | socat "${tmpdir}/h1/stats" -
}

client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/with-ca"
    rxresp
    expect resp.status == 200
    # Thanks to the newly added CA file, the client's certificate can be verified
    expect resp.http.X-SSL-Client-Verify == 0
} -run

# Delete the newly added crt-list line and CA file
haproxy h1 -cli {
    send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
    expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"

    send "del ssl ca-file new_cafile.crt"
    expect ~ "CA file 'new_cafile.crt' deleted!"

    send "show ssl ca-file"
    expect !~ "new_cafile.crt"
}

# The connection should now fail since the crt-list line was deleted
client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/with-ca"
    rxresp
    expect resp.status == 503
} -run