diff options
Diffstat (limited to 'reg-tests/ssl/ocsp_auto_update.vtc')
-rw-r--r-- | reg-tests/ssl/ocsp_auto_update.vtc | 718 |
1 files changed, 718 insertions, 0 deletions
diff --git a/reg-tests/ssl/ocsp_auto_update.vtc b/reg-tests/ssl/ocsp_auto_update.vtc new file mode 100644 index 0000000..2ab4a4a --- /dev/null +++ b/reg-tests/ssl/ocsp_auto_update.vtc @@ -0,0 +1,718 @@ +#REGTEST_TYPE=slow + +# broken with BoringSSL. + +# This reg-test focuses on the OCSP response auto-update functionality. It does +# not test the full scope of the feature because most of it is based on +# expiration times and long delays between updates of valid OCSP responses. +# Automatic update of valid OCSP responses loaded during init will not be +# tested because by design, such a response would no be automatically updated +# until init+1H. +# +# This test will then focus on certificates that have a specified OCSP URI but +# no known OCSP response. For those certificates, OCSP requests are sent as +# soon as possible by the update task. +# +# The ocsp responder used in all the tests will be an openssl using the +# certificate database in ocsp_update/index.txt. It will listen on port 12346 +# which is not the same as the one specified in the certificates' OCSP URI +# which point to port 12345. The link from port 12345 to port 12346 will be +# ensured through HAProxy instances that will enable logs, later used as a +# synchronization mean. +# +# Unfortunately some arbitrary "sleep" calls are still needed to leave some +# time for the ocsp update task to actually process the ocsp responses and +# reinsert them into the tree. This explains why the test's mode is set to +# "slow". +# +# The fourth test case focuses on the "update ssl ocsp-response" CLI command +# and tests two certificates that have a known OCSP response loaded during init +# but no OCSP auto update. The only difference between the two certificates is +# that one has a separate .issuer file while the other one has the issuer +# certificate directly in the main .pem file. +# +# If this test does not work anymore: +# - Check that you have openssl and socat + +varnishtest "Test the OCSP auto update feature" +feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.7-dev0)'" +feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'" +feature cmd "command -v openssl && command -v socat" +feature ignore_unknown_macro + + +################### +# # +# FIRST TEST CASE # +# # +################### + +# No automatic update should occur in this test case since we load two already +# valid OCSP responses during init which have a "Next Update" date really far +# in the future. So they should only be updated after one hour. +# This test will only be the most basic one where we check that ocsp response +# loading still works as expected. + +haproxy h1 -conf { + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h1/stats" level admin + crt-base ${testdir}/ocsp_update + + defaults + mode http + option httplog + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-fe + bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 +} -start + + +# We should have two distinct ocsp responses known that were loaded at build time +haproxy h1 -cli { + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + expect ~ "Cert Status: revoked" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + expect ~ "Cert Status: good" +} + +haproxy h1 -wait + + + +#################### +# # +# SECOND TEST CASE # +# # +#################### + +# This test will focus on two separate certificates that have the same OCSP uri +# (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time. +# The update mode is set to 'on' in the two crt-lists used. The two ocsp +# responses should then be fetched automatically after init. We use an http +# listener as a rebound on which http log is enabled towards Syslog_http. This +# ensures that two requests are sent by the ocsp auto update task and it +# enables to use a barrier to synchronize the ocsp task and the subsequent cli +# calls. Thanks to the barrier we know that when calling "show ssl +# ocsp-response" on the cli, the two answers should already have been received +# and processed. + +process p1 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start + +barrier b1 cond 2 -cyclic + +syslog Syslog_http -level info { + recv + expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1" + + recv + expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1" + + barrier b1 sync +} -start + +haproxy h2 -conf { + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h2/stats" level admin + crt-base ${testdir}/ocsp_update + + defaults + mode http + option httplog + log stderr local0 debug err + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-rsa-fe + bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + frontend ssl-ecdsa-fe + bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + listen http_rebound_lst + mode http + option httplog + log ${Syslog_http_addr}:${Syslog_http_port} local0 + bind "127.0.0.1:12345" + server s1 "127.0.0.1:12346" +} -start + +barrier b1 sync + +shell "sleep 1" + +# We should have two distinct ocsp IDs known that were loaded at build time and +# the responses' contents should have been filled automatically by the ocsp +# update task after init +haproxy h2 -cli { + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + expect ~ "Cert Status: revoked" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + expect ~ "Cert Status: revoked" +} + +haproxy h2 -wait +process p1 -wait -expect-exit 0 + + +################### +# # +# THIRD TEST CASE # +# # +################### + +# This test will be roughly the same as the second one but one of the crt-lists +# will not enable ocsp-update on its certificate. Only one request should then +# be sent. + +process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start + +barrier b2 cond 2 -cyclic + +syslog Syslog_http2 -level info { + recv + expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1" + + barrier b2 sync +} -start + +haproxy h3 -conf { + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h3/stats" level admin + crt-base ${testdir}/ocsp_update + + defaults + mode http + option httplog + log stderr local0 debug err + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-rsa-fe + bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + frontend ssl-ecdsa-fe + bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + listen http_rebound_lst + mode http + option httplog + log ${Syslog_http2_addr}:${Syslog_http2_port} local0 + bind "127.0.0.1:12345" + server s1 "127.0.0.1:12346" +} -start + +barrier b2 sync + +shell "sleep 1" + +# We should have a single ocsp ID known that was loaded at build time and the +# response should be filled +haproxy h3 -cli { + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + send "show ssl ocsp-response" + expect !~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + + send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" + expect ~ "Cert Status: revoked" +} + +haproxy h3 -wait +process p2 -wait + + + +#################### +# # +# FOURTH TEST CASE # +# (CLI COMMAND) # +# # +#################### + +process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start + +haproxy h4 -conf { + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h4/stats" level admin + crt-base ${testdir}/ocsp_update + + defaults + mode http + option httplog + log stderr local0 debug err + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-rsa-ocsp + bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + frontend ssl-ecdsa-ocsp + bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + listen http_rebound_lst + mode http + option httplog + bind "127.0.0.1:12345" + http-response set-var(proc.processed) int(1) + server s1 "127.0.0.1:12346" +} -start + +# We need to "enable" the cli with a first cli call before using it only through socats +haproxy h4 -cli { + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" +} + +# We should have two OCSP responses loaded during init +shell { + responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -) + + [ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \ + echo "$responses" | grep "Serial Number: 1016" && \ + echo "$responses" | grep "Serial Number: 1015" +} + +shell { + echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: revoked" +} + +shell { + echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: good" +} + +# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer) +shell { + # Store the current "Produced At" in order to ensure that after the update + # the OCSP response actually changed + produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At") + + echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" - + while ! echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - | grep 'proc.processed: type=sint value=<1>' + do + echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - >> /tmp/toto + sleep 0.5 + done + + echo "experimental-mode on;set var proc.processed int(0)" | socat "${tmpdir}/h4/stats" - + + ocsp_response=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -) + new_produced_at=$(echo "$ocsp_response" | grep "Produced At") + + echo "$ocsp_response" | grep -q "Serial Number: 1015" && \ + echo "$ocsp_response" | grep -q "Cert Status: revoked" && \ + [ "$new_produced_at" != "$produced_at" ] +} + +# Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer) +shell { + # Store the current "Produced At" in order to ensure that after the update + # the OCSP response actually changed + produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At") + + echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" - + while ! echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - | grep 'proc.processed: type=sint value=<1>' + do + echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - >> /tmp/toto + sleep 0.5 + done + + echo "experimental-mode on;set var proc.processed int(0)" | socat "${tmpdir}/h4/stats" - + + ocsp_response=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -) + new_produced_at=$(echo "$ocsp_response" | grep "Produced At") + + echo "$ocsp_response" | grep -q "Serial Number: 1016" && \ + echo "$ocsp_response" | grep -q "Cert Status: revoked" && \ + [ "$new_produced_at" != "$produced_at" ] +} + +haproxy h4 -wait +process p3 -wait + + +#################### +# # +# FIFTH TEST CASE # +# (CLI COMMAND) # +# # +#################### + +# Test the "show ssl ocsp-updates" command as well as the new 'base64' parameter +# to the "show ssl ocsp-response" command. + + +process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start + +barrier b5 cond 2 -cyclic + +syslog Syslog_http5 -level info { + recv + expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1" + + recv + expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1" + + barrier b5 sync +} -start + +haproxy h5 -conf { + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h5/stats" level admin + crt-base ${testdir}/ocsp_update + + defaults + mode http + option httplog + log stderr local0 debug err + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-rsa-fe + bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + frontend ssl-ecdsa-fe + bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + listen http_rebound_lst + mode http + option httplog + log ${Syslog_http5_addr}:${Syslog_http5_port} local0 + bind "127.0.0.1:12345" + server s1 "127.0.0.1:12346" +} -start + +barrier b5 sync + +shell "sleep 1" + +# Use "show ssl ocsp-updates" CLI command +# We should have one line per OCSP response and each one of them should have been successfully updated once +# The command's output follows this format: +# OCSP Certid | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str) +haproxy h5 -cli { + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*| 1 | 0 | 1 | Update successful" + + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful" +} + +# Use "show ssl ocsp-response" command to dump an OCSP response in base64 +shell { + ocsp_resp_file="${tmpdir}.ocsp_resp.der" + + echo "show ssl ocsp-response base64 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h5/stats" - | base64 -d > $ocsp_resp_file + + if [ $? -eq 0 ] + then + ocsp_resp_txt="$(openssl ocsp -respin $ocsp_resp_file -noverify -text)" + echo "$ocsp_resp_txt" | grep "Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A" && \ + echo "$ocsp_resp_txt" | grep "Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A" && \ + echo "$ocsp_resp_txt" | grep "Serial Number: 1015" && \ + echo "$ocsp_resp_txt" | grep "Cert Status: revoked" + else + return 1 + fi +} + +haproxy h5 -wait +process p5 -wait + + +#################### +# # +# SIXTH TEST CASE # +# # +#################### + +# Check that a new certificate added via the CLI to a crt-list with +# the 'ocsp-update on' option will be taken into account by the OCSP +# auto update task +# +process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start + +barrier b6 cond 2 -cyclic + +syslog Syslog_http6 -level info { + recv + expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1" + + barrier b6 sync +} -start + +haproxy h6 -conf { + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h6/stats" level admin + crt-base ${testdir} + + defaults + mode http + option httplog + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-fe + bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + listen http_rebound_lst + mode http + option httplog + log ${Syslog_http6_addr}:${Syslog_http6_port} local0 + bind "127.0.0.1:12345" + server s1 "127.0.0.1:12346" +} -start + +# We need to "enable" the cli with a first cli call before using it only through socats +haproxy h6 -cli { + send "show ssl cert" + expect ~ "" +} + +# Create a new certificate that has an OCSP uri and add it to the +# existing CLI with the 'ocsp-update on' command. +shell { + echo "new ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - + printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" - + printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" - + echo "commit ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" - + + printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" - +} + +barrier b6 sync + +shell "sleep 1" + +haproxy h6 -cli { + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful" +} + +haproxy h6 -wait +process p6 -wait + + +###################### +# # +# SEVENTH TEST CASE # +# # +###################### + +# +# Check that removing crt-list instances does not remove the OCSP responses +# from the tree but that they will not be auto updated anymore if the last +# instance is removed (via del ssl crt-list). +# + +haproxy h7 -conf { + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h7/stats" level admin + crt-base ${testdir}/ocsp_update + + defaults + mode http + option httplog + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-fe + bind "${tmpdir}/ssl-h7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + listen http_rebound_lst + mode http + bind "127.0.0.1:12345" + server s1 "127.0.0.1:12346" +} -start + +# Check that the two certificates are taken into account in the auto update process +haproxy h7 -cli { + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*" + + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*" +} + +# Remove the second line from the crt-list and check that the corresponding +# ocsp response was removed from the auto update list but is still present in the +# system +haproxy h7 -cli { + send "del ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa" + expect ~ "Entry.*deleted in crtlist" + + send "show ssl ocsp-updates" + expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*" + + send "show ssl ocsp-response" + expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" + + send "show ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa" + expect ~ ".* Cert Status: good.*" +} + +# Add the previously removed crt-list line with auto-update enabled and check that +# the ocsp response appears in the auto update list +shell { + printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h7/stats" - | grep "Inserting certificate.*in crt-list" +} + +haproxy h7 -cli { + send "show ssl ocsp-updates" + expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*" +} + +# Check that the auto update option consistency check work even when crt-list +# lines are added through the cli +shell { + printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h7/stats" - | grep "Incompatibilities found in OCSP update mode for certificate" +} + +haproxy h7 -wait + +#################### +# # +# EIGTH TEST CASE # +# # +#################### + +# +# Check that a certificate created through the CLI and which does not have ocsp +# update enabled can be updated via "update ssl ocsp-response" command. +# + +process p8 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start + +barrier b8 cond 2 -cyclic + +syslog Syslog_h8 -level info { + recv + expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1" + + barrier b8 sync +} -start + + +haproxy h8 -conf { + global + tune.ssl.default-dh-param 2048 + tune.ssl.capture-buffer-size 1 + stats socket "${tmpdir}/h8/stats" level admin + crt-base ${testdir}/ocsp_update + + defaults + mode http + option httplog + log stderr local0 debug err + option logasap + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend ssl-fe + bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + http-request return status 200 + + listen http_rebound_lst + mode http + option httplog + log ${Syslog_h8_addr}:${Syslog_h8_port} local0 + bind "127.0.0.1:12345" + server s1 "127.0.0.1:12346" +} -start + +# We need to "enable" the cli with a first cli call before using it only through socats +haproxy h8 -cli { + send "show ssl cert" + expect ~ "" +} + +# Create a new certificate and add it in the crt-list with ocsp auto-update enabled +shell { + echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" - + printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h8/stats" - + printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h8/stats" - + printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(base64 -w 1000 ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h8/stats" - + echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" - + + printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - +} + +# Check that the line is in the crt-list +haproxy h8 -cli { + send "show ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list" + expect ~ "${testdir}/ocsp_update/rsa.pem .* foo.bar" +} + +# Check that the new certificate is NOT in the auto update list +haproxy h8 -cli { + send "show ssl ocsp-updates" + expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015.*" +} + +shell { + echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" - +} + +shell "sleep 1" + +barrier b8 sync + +haproxy h8 -cli { + send "show ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" + expect ~ ".* Cert Status: revoked.*" +} + +haproxy h8 -wait +process p8 -wait |