diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:18:05 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:18:05 +0000 |
commit | b46aad6df449445a9fc4aa7b32bd40005438e3f7 (patch) | |
tree | 751aa858ca01f35de800164516b298887382919d /reg-tests/ssl/dynamic_server_ssl.vtc | |
parent | Initial commit. (diff) | |
download | haproxy-b46aad6df449445a9fc4aa7b32bd40005438e3f7.tar.xz haproxy-b46aad6df449445a9fc4aa7b32bd40005438e3f7.zip |
Adding upstream version 2.9.5.upstream/2.9.5
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'reg-tests/ssl/dynamic_server_ssl.vtc')
-rw-r--r-- | reg-tests/ssl/dynamic_server_ssl.vtc | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/reg-tests/ssl/dynamic_server_ssl.vtc b/reg-tests/ssl/dynamic_server_ssl.vtc new file mode 100644 index 0000000..b7730f5 --- /dev/null +++ b/reg-tests/ssl/dynamic_server_ssl.vtc @@ -0,0 +1,113 @@ +#REGTEST_TYPE=bug +# Test if a certificate can be dynamically updated once a server which used it +# was removed. +# +varnishtest "Delete server via cli and update certificates" + +feature ignore_unknown_macro + +#REQUIRE_VERSION=2.4 +#REQUIRE_OPTIONS=OPENSSL +feature cmd "command -v socat" + +# static server +server s1 -repeat 3 { + rxreq + txresp \ + -body "resp from s1" +} -start + +haproxy h1 -conf { + global + stats socket "${tmpdir}/h1/stats" level admin + + defaults + mode http + option httpclose + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend fe + bind "fd@${feS}" + default_backend test + + backend test + server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem" + server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem" + server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem" + + + listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem" + server s1 ${s1_addr}:${s1_port} + +} -start + + +haproxy h1 -cli { + send "show ssl cert ${testdir}/client1.pem" + expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" +} +client c1 -connect ${h1_feS_sock} { + txreq + rxresp + expect resp.body == "resp from s1" +} -run + +haproxy h1 -cli { + send "show ssl cert ${testdir}/client1.pem" + expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" +} + +## delete the servers +haproxy h1 -cli { + send "disable server test/s1" + expect ~ ".*" + send "disable server test/s2" + expect ~ ".*" + send "disable server test/s3" + expect ~ ".*" + + # valid command + send "del server test/s1" + expect ~ "Server deleted." + send "del server test/s2" + expect ~ "Server deleted." + send "del server test/s3" + expect ~ "Server deleted." +} + +# Replace certificate with an expired one +shell { + printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" - +} + +haproxy h1 -cli { + send "show ssl cert ${testdir}/client1.pem" + expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4" +} + +haproxy h1 -cli { + send "show ssl cert ${testdir}/client1.pem" + expect ~ ".*Status: Unused" +} + +haproxy h1 -cli { + send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem" + expect ~ "New server registered." + send "enable server test/s1" + expect ~ ".*" + send "show ssl cert ${testdir}/client1.pem" + expect ~ ".*Status: Used" +} + + +# check that servers are active +client c1 -connect ${h1_feS_sock} { + txreq + rxresp + expect resp.body == "resp from s1" +} -run + |