1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
#REGTEST_TYPE=devel
# broken with BoringSSL.
# This reg-test uses the "show ssl ocsp-response" command to display the details
# of the OCSP responses used by HAProxy.
# It also uses the new special cases of the "show ssl cert" command, where an OCSP
# extension is provided to the certificate name (with or without preceding * for an
# ongoing transaction).
#
# It uses the show_ocsp_server.pem server certificate, signed off by set_cafile_rootCA.crt,
# which has two OCSP responses, show_ocsp_server.pem.ocsp which is loaded by default and in
# which it is valid, and show_ocsp_server.pem.ocsp.revoked in which it is revoked.
# The OSCP response is updated through the two means available in the CLI, the
# "set ssl ocsp-response" command and the update through a "set ssl cert foo.ocsp".
#
# It requires socat to upload the new OCSP responses.
#
# If this test does not work anymore:
# - Check that you have socat
varnishtest "Test the 'show ssl ocsp-response' and 'show ssl cert foo.pem.ocsp' features of the CLI"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL)'"
feature cmd "command -v socat && command -v openssl"
feature ignore_unknown_macro
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
listen clear-lst
bind "fd@${clearlst}"
server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/set_cafile_rootCA.crt verify none
listen ssl-lst
# crt: certificate of the server
# ca-file: CA used for client authentication request
bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/show_ocsp_server.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
server s1 ${s1_addr}:${s1_port}
} -start
# Test the "show ssl ocsp-response" command
haproxy h1 -cli {
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
expect ~ "Cert Status: good"
}
# Test the "show ssl cert foo.pem.ocsp" command
haproxy h1 -cli {
send "show ssl cert"
expect ~ ".*show_ocsp_server.pem"
send "show ssl cert ${testdir}/show_ocsp_server.pem"
expect ~ "Serial: 100F"
send "show ssl cert ${testdir}/show_ocsp_server.pem"
expect ~ "OCSP Response Key: 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
expect ~ "Cert Status: good"
}
# Change the server certificate's OCSP response through "set ssl ocsp-response"
shell {
printf "set ssl ocsp-response <<\n$(cat ${testdir}/show_ocsp_server.pem.ocsp.revoked|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" -
}
# Check that the change was taken into account
haproxy h1 -cli {
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
expect ~ "Cert Status: revoked"
send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
expect ~ "Cert Status: revoked"
}
# Change the server certificate's OCSP response through a transaction
shell {
printf "set ssl cert ${testdir}/show_ocsp_server.pem <<\n$(cat ${testdir}/show_ocsp_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
printf "set ssl cert ${testdir}/show_ocsp_server.pem.ocsp <<\n$(cat ${testdir}/show_ocsp_server.pem.ocsp|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" -
}
# Check that the actual tree entry was not changed and that the uncommitted
# transaction's OCSP response is the new one
haproxy h1 -cli {
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
expect ~ "Cert Status: revoked"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
expect ~ "This Update: Jun 10 08:57:45 2021 GMT"
send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp"
expect ~ "Cert Status: good"
send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp"
expect ~ "This Update: Jun 10 08:55:04 2021 GMT"
}
# Commit the transaction and check that it was taken into account
haproxy h1 -cli {
send "commit ssl cert ${testdir}/show_ocsp_server.pem"
expect ~ "Success!"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
expect ~ "Cert Status: good"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
expect ~ "This Update: Jun 10 08:55:04 2021 GMT"
}
|