summaryrefslogtreecommitdiffstats
path: root/reg-tests/ssl/dynamic_server_ssl.vtc
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:18:05 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:18:05 +0000
commitb46aad6df449445a9fc4aa7b32bd40005438e3f7 (patch)
tree751aa858ca01f35de800164516b298887382919d /reg-tests/ssl/dynamic_server_ssl.vtc
parentInitial commit. (diff)
downloadhaproxy-b46aad6df449445a9fc4aa7b32bd40005438e3f7.tar.xz
haproxy-b46aad6df449445a9fc4aa7b32bd40005438e3f7.zip
Adding upstream version 2.9.5.upstream/2.9.5
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'reg-tests/ssl/dynamic_server_ssl.vtc')
-rw-r--r--reg-tests/ssl/dynamic_server_ssl.vtc113
1 files changed, 113 insertions, 0 deletions
diff --git a/reg-tests/ssl/dynamic_server_ssl.vtc b/reg-tests/ssl/dynamic_server_ssl.vtc
new file mode 100644
index 0000000..b7730f5
--- /dev/null
+++ b/reg-tests/ssl/dynamic_server_ssl.vtc
@@ -0,0 +1,113 @@
+#REGTEST_TYPE=bug
+# Test if a certificate can be dynamically updated once a server which used it
+# was removed.
+#
+varnishtest "Delete server via cli and update certificates"
+
+feature ignore_unknown_macro
+
+#REQUIRE_VERSION=2.4
+#REQUIRE_OPTIONS=OPENSSL
+feature cmd "command -v socat"
+
+# static server
+server s1 -repeat 3 {
+ rxreq
+ txresp \
+ -body "resp from s1"
+} -start
+
+haproxy h1 -conf {
+ global
+ stats socket "${tmpdir}/h1/stats" level admin
+
+ defaults
+ mode http
+ option httpclose
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend fe
+ bind "fd@${feS}"
+ default_backend test
+
+ backend test
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
+ server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
+ server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
+
+
+ listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem"
+ server s1 ${s1_addr}:${s1_port}
+
+} -start
+
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/client1.pem"
+ expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
+}
+client c1 -connect ${h1_feS_sock} {
+ txreq
+ rxresp
+ expect resp.body == "resp from s1"
+} -run
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/client1.pem"
+ expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
+}
+
+## delete the servers
+haproxy h1 -cli {
+ send "disable server test/s1"
+ expect ~ ".*"
+ send "disable server test/s2"
+ expect ~ ".*"
+ send "disable server test/s3"
+ expect ~ ".*"
+
+ # valid command
+ send "del server test/s1"
+ expect ~ "Server deleted."
+ send "del server test/s2"
+ expect ~ "Server deleted."
+ send "del server test/s3"
+ expect ~ "Server deleted."
+}
+
+# Replace certificate with an expired one
+shell {
+ printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
+}
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/client1.pem"
+ expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
+}
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/client1.pem"
+ expect ~ ".*Status: Unused"
+}
+
+haproxy h1 -cli {
+ send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem"
+ expect ~ "New server registered."
+ send "enable server test/s1"
+ expect ~ ".*"
+ send "show ssl cert ${testdir}/client1.pem"
+ expect ~ ".*Status: Used"
+}
+
+
+# check that servers are active
+client c1 -connect ${h1_feS_sock} {
+ txreq
+ rxresp
+ expect resp.body == "resp from s1"
+} -run
+