diff options
Diffstat (limited to '')
-rw-r--r-- | reg-tests/ssl/ocsp_compat_check.vtc | 401 |
1 files changed, 401 insertions, 0 deletions
diff --git a/reg-tests/ssl/ocsp_compat_check.vtc b/reg-tests/ssl/ocsp_compat_check.vtc new file mode 100644 index 0000000..7dbcdf9 --- /dev/null +++ b/reg-tests/ssl/ocsp_compat_check.vtc @@ -0,0 +1,401 @@ +#REGTEST_TYPE=devel + +# broken with BoringSSL. +# +# This reg-test tries loading multiple configurations that make use of the +# 'ocsp-update' crt-list option and the global 'ocsp-update.mode' +# option. It ensures that an error message is raised when the user provides an +# incoherent configuration. Any configuration in which a given certificate has +# the ocsp auto update mode set to 'on' as well as 'off' simultaneously should +# raise an ALERT type message and not start. +# The first batch of configurations should all raise errors and the second +# batch should all load properly. We do not focus on the actual auto update in +# this reg-test though so no actual proxy instance will be launched. + +varnishtest "Test the OCSP auto update feature" +feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'" +feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'" +feature ignore_unknown_macro + + +############################# +# # +# WRONG CONFIGURATIONS # +# # +############################# + + +# test1 +# global_option OFF +# bind line DFLT (OFF) (first) +# crt-list ON (second) +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem [ocsp-update on] foo.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert +# ocsp-update.mode on + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 1" + echo "$haproxy_output" + echo "HAProxy return code: $haproxy_ret" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + +# test2 +# global_option ON +# bind line DFLT/ON (first) +# crt-list OFF (second) +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem [ocsp-update off] foo.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert + ocsp-update.mode on + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 2" + echo "$haproxy_output" + echo "HAProxy return code: $haproxy_ret" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + +# test3 +# global_option OFF +# bind line DFLT/OFF(first) +# crt-list ON (second) +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem [ocsp-update on] foo.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert + ocsp-update.mode off + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 3" + echo "$haproxy_output" + echo "HAProxy return code: $haproxy_ret" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + +# test4 +# global_option OFF +# bind line DFLT OFF (second) +# crt-list ON (first) +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem [ocsp-update on] foo.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert +# ocsp-update.mode off + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list + bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 4" + echo "$haproxy_output" + echo "HAProxy return code: $haproxy_ret" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + +# test5 +# global_option ON +# bind line DFLT (second) +# crt-list OFF (first) +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem [ocsp-update off] foo.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert + ocsp-update.mode on + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list + bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 5" + echo "$haproxy_output" + echo "HAProxy return code: $haproxy_ret" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + +# test6 +# global_option OFF +# bind line DFLT (second) +# crt-list ON (first) +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem [ocsp-update on] foo.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert + ocsp-update.mode off + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list + bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 6" + echo "$haproxy_output" + echo "HAProxy return code: $haproxy_ret" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + +# test7 +# global_option DFLT +# bind line - +# crt-list ON +# crt-list DFLT +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem [ocsp-update on] foo.com +server_ocsp_ecdsa.pem bar.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert +# ocsp-update.mode off + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 7" + echo "$haproxy_output" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + +# test8 +# global_option DFLT +# bind line - +# crt-list DFLT +# crt-list ON +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem bar.com +server_ocsp_ecdsa.pem [ocsp-update on] foo.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert +# ocsp-update.mode off + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 8" + echo "$haproxy_output" + echo "HAProxy return code: $haproxy_ret" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + +# test9 +# global_option ON +# bind line - +# crt-list OFF +# crt-list DFLT +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem [ocsp-update off] foo.com +server_ocsp_ecdsa.pem bar.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert + ocsp-update.mode on + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 9" + echo "$haproxy_output" + echo "HAProxy return code: $haproxy_ret" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + +# test10 +# global_option ON +# bind line - +# crt-list DFLT +# crt-list OFF +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem bar.com +server_ocsp_ecdsa.pem [ocsp-update off] foo.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert + ocsp-update.mode on + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 10" + echo "$haproxy_output" + echo "HAProxy return code: $haproxy_ret" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + +# test11 +# global_option OFF +# bind line - +# crt-list ON +# crt-list DFLT +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem [ocsp-update on] foo.com +server_ocsp_ecdsa.pem bar.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert + ocsp-update.mode off + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 11" + echo "$haproxy_output" + echo "HAProxy return code: $haproxy_ret" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + +# test12 +# global_option OFF +# bind line - +# crt-list DFLT +# crt-list ON +shell { + cat << EOF > ${tmpdir}/ocsp_compat_check.list +server_ocsp_ecdsa.pem bar.com +server_ocsp_ecdsa.pem [ocsp-update on] foo.com +EOF + + cat << EOF > ${tmpdir}/ocsp_compat_check.cfg +global + crt-base ${testdir}/ocsp_update/multicert + ocsp-update.mode off + +defaults + log stderr local0 debug err + +listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list + server s1 127.0.0.1:80 +EOF + + haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)" + haproxy_ret=$? + echo "==== test 12" + echo "$haproxy_output" + echo "HAProxy return code: $haproxy_ret" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" +} + |