summaryrefslogtreecommitdiffstats
path: root/reg-tests/ssl/set_ssl_crlfile.vtc
blob: c9ac904617a8903b897edb3247cf0223d4ccbad3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
#REGTEST_TYPE=devel

# This reg-test uses the "set ssl crl-file" command to update a CRL file over the CLI.
# It also tests the "abort ssl crl-file" and "show ssl crl-file" commands.
#
# The frontend's certificate is signed by set_cafile_interCA1.crt and is revoked in interCA1_crl.pem
# but not in interCA1_crl_empty.pem.
# The backend's certificate is signed by set_cafile_interCA2.crt and is revoked in interCA2_crl.pem
# but not in interCA2_crl_empty.pem.
#
# The test consists in replacing the two empty CRLs by their not empty equivalent thanks to CLI
# calls and to check that the certificates (frontend and backend) are indeed revoked after the
# update.
#
# It requires socat to upload the certificate
#
# If this test does not work anymore:
# - Check that you have socat

varnishtest "Test the 'set ssl crl-file' feature of the CLI"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature cmd "command -v socat"
feature ignore_unknown_macro

server s1 -repeat 4 {
  rxreq
  txresp
} -start

haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-buffer-size 1
        stats socket "${tmpdir}/h1/stats" level admin

    defaults
        mode http
        option httplog
	retries 0
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    listen clear-lst
        bind "fd@${clearlst}"
        server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt crl-file ${testdir}/interCA2_crl_empty.pem verify required

    listen ssl-lst
        # crt: certificate of the server
        # ca-file: CA used for client authentication request
        # crl-file: revocation list for client auth
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA1.crt ca-verify-file ${testdir}/set_cafile_rootCA.crt crl-file ${testdir}/interCA1_crl_empty.pem verify required crt-ignore-err all
        http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
        server s1 ${s1_addr}:${s1_port}
} -start

# Test the "show ssl ca-file" command
haproxy h1 -cli {
    send "show ssl ca-file"
    expect ~ ".*${testdir}/set_cafile_interCA1.crt - 1 certificate.*"
    send "show ssl ca-file"
    expect ~ ".*${testdir}/set_cafile_interCA2.crt - 1 certificate.*"
}

# Add the rootCA certificate to set_cafile_interCA2.crt in order for the frontend to
# be able to validate the server's certificate
shell {
    printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl ca-file"
    expect ~ ".*${testdir}/set_cafile_interCA2.crt - 2 certificate.*"

    send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt"
    expect ~ ".*Subject.*/CN=Root CA"
}

# This first connection should succeed
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.X-SSL-Client-Verify == 0
} -run

# Change the frontend's crl-file to one in which the server certificate is revoked
shell {
    printf "set ssl crl-file ${testdir}/interCA2_crl_empty.pem <<\n$(cat ${testdir}/interCA2_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" -
}

# Check that the transaction is displayed in the output of "show ssl crl-list"
haproxy h1 -cli {
    send "show ssl crl-file"
    expect ~ "\\*${testdir}/interCA2_crl_empty.pem"

    send "show ssl crl-file \\*${testdir}/interCA2_crl_empty.pem"
    expect ~ "Revoked Certificates:"
    send "show ssl crl-file \\*${testdir}/interCA2_crl_empty.pem:1"
    expect ~ "Serial Number: 1008"
}

# This connection should still succeed since the transaction was not committed
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.X-SSL-Client-Verify == 0
} -run

haproxy h1 -cli {
    send "commit ssl crl-file ${testdir}/interCA2_crl_empty.pem"
    expect ~ "Committing ${testdir}/interCA2_crl_empty.pem"
}

# This connection should fail, the server's certificate is revoked in the newly updated CRL file
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 503
} -run

# Restore the frontend's CRL
shell {
    printf "set ssl crl-file ${testdir}/interCA2_crl_empty.pem <<\n$(cat ${testdir}/interCA2_crl_empty.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl crl-file ${testdir}/interCA2_crl_empty.pem" | socat "${tmpdir}/h1/stats" -
}

# Change the backend's CRL file to one in which the frontend's certificate is revoked
shell {
    printf "set ssl crl-file ${testdir}/interCA1_crl_empty.pem <<\n$(cat ${testdir}/interCA1_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl crl-file ${testdir}/interCA1_crl_empty.pem" | socat "${tmpdir}/h1/stats" -
}

# This connection should fail, the client's certificate is revoked in the newly updated CRL file
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
    # Revoked certificate
    expect resp.http.X-SSL-Client-Verify == 23
} -run