summaryrefslogtreecommitdiffstats
path: root/reg-tests/ssl
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--reg-tests/ssl/crt_store.vtc31
-rw-r--r--reg-tests/ssl/ocsp_auto_update.vtc468
-rw-r--r--reg-tests/ssl/ocsp_compat_check.vtc401
-rw-r--r--reg-tests/ssl/ocsp_update/multicert_both_certs.crt-list2
4 files changed, 774 insertions, 128 deletions
diff --git a/reg-tests/ssl/crt_store.vtc b/reg-tests/ssl/crt_store.vtc
new file mode 100644
index 0000000..685183e
--- /dev/null
+++ b/reg-tests/ssl/crt_store.vtc
@@ -0,0 +1,31 @@
+#REGTEST_TYPE=devel
+varnishtest "Test the crt-store section"
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev7)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
+feature ignore_unknown_macro
+
+#
+# Basic check for the crt-store, ensure that loading works and that we can't
+# load a crt which was used before
+#
+
+
+haproxy h1 -arg -V -conf-OK {
+ crt-store
+ load crt "${testdir}/common.crt" key "${testdir}/common.key"
+
+ listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.crt strict-sni
+
+}
+
+haproxy h2 -arg -V -conf-BAD {} {
+
+ listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
+
+ crt-store
+ load crt "${testdir}/common.pem" key "${testdir}/common.key"
+
+}
+
diff --git a/reg-tests/ssl/ocsp_auto_update.vtc b/reg-tests/ssl/ocsp_auto_update.vtc
index a1d9a3c..0193953 100644
--- a/reg-tests/ssl/ocsp_auto_update.vtc
+++ b/reg-tests/ssl/ocsp_auto_update.vtc
@@ -1,4 +1,5 @@
#REGTEST_TYPE=slow
+# reg-test is around ~2.5s
# broken with BoringSSL.
@@ -14,29 +15,20 @@
# soon as possible by the update task.
#
# The ocsp responder used in all the tests will be an openssl using the
-# certificate database in ocsp_update/index.txt. It will listen on port 12346
-# which is not the same as the one specified in the certificates' OCSP URI
-# which point to port 12345. The link from port 12345 to port 12346 will be
-# ensured through HAProxy instances that will enable logs, later used as a
-# synchronization mean.
-#
-# Unfortunately some arbitrary "sleep" calls are still needed to leave some
-# time for the ocsp update task to actually process the ocsp responses and
-# reinsert them into the tree. This explains why the test's mode is set to
-# "slow".
-#
-# The fourth test case focuses on the "update ssl ocsp-response" CLI command
-# and tests two certificates that have a known OCSP response loaded during init
-# but no OCSP auto update. The only difference between the two certificates is
-# that one has a separate .issuer file while the other one has the issuer
-# certificate directly in the main .pem file.
+# certificate database in ocsp_update/index.txt. It will listen on port 12345
+# which was specified explicitly in the certificates used in the tests.
+# The synchronization will be based on the logs emitted by the OCSP update task
+# directly. When this log is created, we will know that the update was
+# effective and the updated OCSP response is loaded in the tree. So any
+# following call to "show ssl ocsp-response" will display the latest response
+# information.
#
# If this test does not work anymore:
# - Check that you have openssl and socat
varnishtest "Test the OCSP auto update feature"
-feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.7-dev0)'"
-feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && !ssllib_name_startswith(LibreSSL) && openssl_version_atleast(1.1.1)'"
feature cmd "command -v openssl && command -v socat"
feature ignore_unknown_macro
@@ -102,26 +94,23 @@ haproxy h1 -wait
# This test will focus on two separate certificates that have the same OCSP uri
# (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time.
# The update mode is set to 'on' in the two crt-lists used. The two ocsp
-# responses should then be fetched automatically after init. We use an http
-# listener as a rebound on which http log is enabled towards Syslog_http. This
-# ensures that two requests are sent by the ocsp auto update task and it
-# enables to use a barrier to synchronize the ocsp task and the subsequent cli
-# calls. Thanks to the barrier we know that when calling "show ssl
-# ocsp-response" on the cli, the two answers should already have been received
-# and processed.
+# responses should then be fetched automatically after init.
+# We rely on the OCSP logs to ensure that the two updates are over before
+# calling "show ssl ocsp-response". This is done through the Syslog_ocsp
+# listener and a dedicated barrier.
-process p1 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
+process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
-barrier b1 cond 2 -cyclic
+barrier b2 cond 2 -cyclic
-syslog Syslog_http -level info {
+syslog Syslog_ocsp -level notice {
recv
- expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
recv
- expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
- barrier b1 sync
+ barrier b2 sync
} -start
haproxy h2 -conf {
@@ -130,6 +119,7 @@ haproxy h2 -conf {
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h2/stats" level admin
crt-base ${testdir}/ocsp_update
+ log ${Syslog_ocsp_addr}:${Syslog_ocsp_port} local0 notice notice
defaults
mode http
@@ -146,18 +136,9 @@ haproxy h2 -conf {
frontend ssl-ecdsa-fe
bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
-
- listen http_rebound_lst
- mode http
- option httplog
- log ${Syslog_http_addr}:${Syslog_http_port} local0
- bind "127.0.0.1:12345"
- server s1 "127.0.0.1:12346"
} -start
-barrier b1 sync
-
-shell "sleep 1"
+barrier b2 sync
# We should have two distinct ocsp IDs known that were loaded at build time and
# the responses' contents should have been filled automatically by the ocsp
@@ -176,7 +157,7 @@ haproxy h2 -cli {
}
haproxy h2 -wait
-process p1 -wait -expect-exit 0
+process p2 -wait -expect-exit 0
###################
@@ -189,15 +170,14 @@ process p1 -wait -expect-exit 0
# will not enable ocsp-update on its certificate. Only one request should then
# be sent.
-process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start
+process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
-barrier b2 cond 2 -cyclic
+barrier b3 cond 2 -cyclic
-syslog Syslog_http2 -level info {
+syslog Syslog_ocsp3 -level notice {
recv
- expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
-
- barrier b2 sync
+ expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
+ barrier b3 sync
} -start
haproxy h3 -conf {
@@ -206,6 +186,7 @@ haproxy h3 -conf {
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h3/stats" level admin
crt-base ${testdir}/ocsp_update
+ log ${Syslog_ocsp3_addr}:${Syslog_ocsp3_port} local0 notice notice
defaults
mode http
@@ -222,18 +203,9 @@ haproxy h3 -conf {
frontend ssl-ecdsa-fe
bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
-
- listen http_rebound_lst
- mode http
- option httplog
- log ${Syslog_http2_addr}:${Syslog_http2_port} local0
- bind "127.0.0.1:12345"
- server s1 "127.0.0.1:12346"
} -start
-barrier b2 sync
-
-shell "sleep 1"
+barrier b3 sync
# We should have a single ocsp ID known that was loaded at build time and the
# response should be filled
@@ -248,7 +220,7 @@ haproxy h3 -cli {
}
haproxy h3 -wait
-process p2 -wait
+process p3 -wait
@@ -258,8 +230,27 @@ process p2 -wait
# (CLI COMMAND) #
# #
####################
+# This test focuses on the "update ssl ocsp-response" CLI command and tests two
+# certificates that have a known OCSP response loaded during init but no OCSP
+# auto update. The only difference between the two certificates is that one has
+# a separate .issuer file while the other one has the issuer certificate
+# directly in the main .pem file.
+# We store the original "Produced At" date of the responses loaded during init
+# in haproxy proc variables in order to compare them to their new value after
+# the update is performed.
+
+process p4 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
-process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
+barrier b4 cond 2 -cyclic
+
+syslog Syslog_ocsp4 -level notice {
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
+
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
+ barrier b4 sync
+} -start
haproxy h4 -conf {
global
@@ -267,6 +258,7 @@ haproxy h4 -conf {
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h4/stats" level admin
crt-base ${testdir}/ocsp_update
+ log ${Syslog_ocsp4_addr}:${Syslog_ocsp4_port} local0 notice notice
defaults
mode http
@@ -283,19 +275,12 @@ haproxy h4 -conf {
frontend ssl-ecdsa-ocsp
bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
-
- listen http_rebound_lst
- mode http
- option httplog
- bind "127.0.0.1:12345"
- http-response set-var(proc.processed) int(1)
- server s1 "127.0.0.1:12346"
} -start
# We need to "enable" the cli with a first cli call before using it only through socats
haproxy h4 -cli {
- send "show ssl ocsp-response"
- expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
+ send "show ssl cert"
+ expect ~ ""
}
# We should have two OCSP responses loaded during init
@@ -307,62 +292,53 @@ shell {
echo "$responses" | grep "Serial Number: 1015"
}
-shell {
- echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: revoked"
-}
+haproxy h4 -cli {
+ send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
+ expect ~ "Cert Status: revoked"
-shell {
- echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Cert Status: good"
+ send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
+ expect ~ "Cert Status: good"
}
# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer)
shell {
# Store the current "Produced At" in order to ensure that after the update
# the OCSP response actually changed
- produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At")
+ produced_at1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
- while ! echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - | grep 'proc.processed: type=sint value=<1>'
- do
- echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - >> /tmp/toto
- sleep 0.5
- done
- echo "experimental-mode on;set var proc.processed int(0)" | socat "${tmpdir}/h4/stats" -
+ # Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer)
+ # Store the current "Produced At" in order to ensure that after the update
+ # the OCSP response actually changed
+ produced_at2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
- ocsp_response=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -)
- new_produced_at=$(echo "$ocsp_response" | grep "Produced At")
+ echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
- echo "$ocsp_response" | grep -q "Serial Number: 1015" && \
- echo "$ocsp_response" | grep -q "Cert Status: revoked" && \
- [ "$new_produced_at" != "$produced_at" ]
+ echo "experimental-mode on;set var proc.produced_at1 str($produced_at1)" | socat "${tmpdir}/h4/stats" -
+ echo "experimental-mode on;set var proc.produced_at2 str($produced_at2)" | socat "${tmpdir}/h4/stats" -
}
-# Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer)
-shell {
- # Store the current "Produced At" in order to ensure that after the update
- # the OCSP response actually changed
- produced_at=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At")
+barrier b4 sync
- echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
- while ! echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - | grep 'proc.processed: type=sint value=<1>'
- do
- echo "get var proc.processed" | socat "${tmpdir}/h4/stats" - >> /tmp/toto
- sleep 0.5
- done
+shell {
+ produced_at1_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
+ produced_at2_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
- echo "experimental-mode on;set var proc.processed int(0)" | socat "${tmpdir}/h4/stats" -
+ ocsp_response1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -)
+ ocsp_response2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -)
- ocsp_response=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -)
- new_produced_at=$(echo "$ocsp_response" | grep "Produced At")
+ echo "$ocsp_response1" | grep -q "Serial Number: 1015" && \
+ echo "$ocsp_response1" | grep -q "Cert Status: revoked" && \
+ echo "$ocsp_response2" | grep -q "Serial Number: 1016" && \
+ echo "$ocsp_response2" | grep -q "Cert Status: revoked" && \
+ [ "$produced_at1_after" != "$(echo \"experimental-mode on; get var proc.produced_at1\" | socat \"${tmpdir}/h4/stats\")" ] && \
+ [ "$produced_at2_after" != "$(echo \"experimental-mode on; get var proc.produced_at2\" | socat \"${tmpdir}/h4/stats\")" ]
- echo "$ocsp_response" | grep -q "Serial Number: 1016" && \
- echo "$ocsp_response" | grep -q "Cert Status: revoked" && \
- [ "$new_produced_at" != "$produced_at" ]
}
haproxy h4 -wait
-process p3 -wait
+process p4 -wait
####################
@@ -376,16 +352,16 @@ process p3 -wait
# to the "show ssl ocsp-response" command.
-process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12346 -timeout 5" -start
+process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
barrier b5 cond 2 -cyclic
-syslog Syslog_http5 -level info {
+syslog Syslog_ocsp5 -level notice {
recv
- expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
+ expect ~ "<OCSP-UPDATE> .*/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
recv
- expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAW HTTP/1.1"
+ expect ~ "<OCSP-UPDATE> .*/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
barrier b5 sync
} -start
@@ -396,6 +372,7 @@ haproxy h5 -conf {
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h5/stats" level admin
crt-base ${testdir}/ocsp_update
+ log ${Syslog_ocsp5_addr}:${Syslog_ocsp5_port} local0 notice notice
defaults
mode http
@@ -412,19 +389,10 @@ haproxy h5 -conf {
frontend ssl-ecdsa-fe
bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
-
- listen http_rebound_lst
- mode http
- option httplog
- log ${Syslog_http5_addr}:${Syslog_http5_port} local0
- bind "127.0.0.1:12345"
- server s1 "127.0.0.1:12346"
} -start
barrier b5 sync
-shell "sleep 1"
-
# Use "show ssl ocsp-updates" CLI command
# We should have one line per OCSP response and each one of them should have been successfully updated once
# The command's output follows this format:
@@ -469,13 +437,13 @@ process p5 -wait
# the 'ocsp-update on' option will be taken into account by the OCSP
# auto update task
#
-process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start
+process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
barrier b6 cond 2 -cyclic
-syslog Syslog_http6 -level info {
+syslog Syslog_ocsp6 -level notice {
recv
- expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
barrier b6 sync
} -start
@@ -486,6 +454,7 @@ haproxy h6 -conf {
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h6/stats" level admin
crt-base ${testdir}
+ log ${Syslog_ocsp6_addr}:${Syslog_ocsp6_port} local0 notice notice
defaults
mode http
@@ -500,12 +469,6 @@ haproxy h6 -conf {
bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
- listen http_rebound_lst
- mode http
- option httplog
- log ${Syslog_http6_addr}:${Syslog_http6_port} local0
- bind "127.0.0.1:12345"
- server s1 "127.0.0.1:12346"
} -start
# We need to "enable" the cli with a first cli call before using it only through socats
@@ -527,9 +490,258 @@ shell {
barrier b6 sync
-shell "sleep 1"
-
haproxy h6 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
}
+
+haproxy h6 -wait
+process p6 -wait
+
+
+######################
+# #
+# SEVENTH TEST CASE #
+# #
+######################
+
+# Check that the global "tune.ocsp-update.mode" option works and that it
+# applies to certificates added via the CLI as well.
+#
+process p7 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+
+barrier b7 cond 2 -cyclic
+
+syslog Syslog_ocsp7 -level notice {
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
+
+ barrier b7 sync
+
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
+
+ barrier b7 sync
+} -start
+
+haproxy h7 -conf {
+ global
+ tune.ssl.default-dh-param 2048
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h7/stats" level admin
+ crt-base ${testdir}
+ ocsp-update.mode on
+ log ${Syslog_ocsp7_addr}:${Syslog_ocsp7_port} local0 notice notice
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ option logasap
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-fe
+ bind "${tmpdir}/ssl_h7.sock" ssl crt ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl_h7_2.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+} -start
+
+barrier b7 sync
+
+# Create a new certificate that has an OCSP uri and add it to the
+# existing CLI with the 'ocsp-update on' command.
+shell {
+ echo "new ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
+ printf "set ssl cert ${testdir}/server_ocsp_rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" -
+ echo "commit ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
+
+ # We should have ocsp-update enabled via the global option
+ printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" -
+}
+
+barrier b7 sync
+
+haproxy h7 -cli {
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful"
+
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful"
+}
+
+haproxy h7 -wait
+process p7 -wait
+
+
+######################
+# #
+# EIGHTH TEST CASE #
+# #
+######################
+
+#
+# Check that removing crt-list instances does not remove the OCSP responses
+# from the tree but that they will not be auto updated anymore if the last
+# instance is removed (via del ssl crt-list).
+#
+
+haproxy h8 -conf {
+ global
+ tune.ssl.default-dh-param 2048
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h8/stats" level admin
+ crt-base ${testdir}/ocsp_update
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ option logasap
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-fe
+ bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+
+ listen http_rebound_lst
+ mode http
+ bind "127.0.0.1:12345"
+ server s1 "127.0.0.1:12346"
+} -start
+
+# Check that the two certificates are taken into account in the auto update process
+haproxy h8 -cli {
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*"
+
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
+}
+
+# Remove the second line from the crt-list and check that the corresponding
+# ocsp response was removed from the auto update list but is still present in the
+# system
+haproxy h8 -cli {
+ send "del ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
+ expect ~ "Entry.*deleted in crtlist"
+
+ send "show ssl ocsp-updates"
+ expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
+
+ send "show ssl ocsp-response"
+ expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
+
+ send "show ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
+ expect ~ ".* Cert Status: good.*"
+}
+
+# Add the previously removed crt-list line with auto-update enabled and check that
+# the ocsp response appears in the auto update list
+shell {
+ printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list"
+}
+
+haproxy h8 -cli {
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
+}
+
+# Check that the auto update option consistency check work even when crt-list
+# lines are added through the cli
+shell {
+ printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'"
+}
+
+haproxy h8 -wait
+
+####################
+# #
+# NINTH TEST CASE #
+# #
+####################
+
+#
+# Check that a certificate created through the CLI and which does not have ocsp
+# update enabled can be updated via "update ssl ocsp-response" command.
+#
+
+process p9 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
+
+barrier b9 cond 2 -cyclic
+
+syslog Syslog_ocsp9 -level notice {
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/rsa.pem 1 \"Update successful\" 0 1"
+
+ barrier b9 sync
+} -start
+
+
+haproxy h9 -conf {
+ global
+ tune.ssl.default-dh-param 2048
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h9/stats" level admin
+ crt-base ${testdir}/ocsp_update
+ log ${Syslog_ocsp9_addr}:${Syslog_ocsp9_port} local0 notice notice
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ option logasap
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-fe
+ bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+} -start
+
+# We need to "enable" the cli with a first cli call before using it only through socats
+haproxy h9 -cli {
+ send "show ssl cert"
+ expect ~ ""
+}
+
+# Create a new certificate and add it in the crt-list with ocsp auto-update enabled
+shell {
+ echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
+ printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" -
+ printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" -
+ printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(base64 -w 1000 ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" -
+ echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
+
+ printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" -
+}
+
+# Check that the line is in the crt-list
+haproxy h9 -cli {
+ send "show ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list"
+ expect ~ "${testdir}/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar"
+}
+
+# Check that the new certificate is NOT in the auto update list
+haproxy h9 -cli {
+ send "show ssl ocsp-updates"
+ expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015.*"
+}
+
+shell {
+ echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
+}
+
+barrier b9 sync
+
+haproxy h9 -cli {
+ send "show ssl ocsp-response ${testdir}/ocsp_update/rsa.pem"
+ expect ~ ".* Cert Status: revoked.*"
+}
+
+haproxy h9 -wait
+process p9 -wait
diff --git a/reg-tests/ssl/ocsp_compat_check.vtc b/reg-tests/ssl/ocsp_compat_check.vtc
new file mode 100644
index 0000000..7dbcdf9
--- /dev/null
+++ b/reg-tests/ssl/ocsp_compat_check.vtc
@@ -0,0 +1,401 @@
+#REGTEST_TYPE=devel
+
+# broken with BoringSSL.
+#
+# This reg-test tries loading multiple configurations that make use of the
+# 'ocsp-update' crt-list option and the global 'ocsp-update.mode'
+# option. It ensures that an error message is raised when the user provides an
+# incoherent configuration. Any configuration in which a given certificate has
+# the ocsp auto update mode set to 'on' as well as 'off' simultaneously should
+# raise an ALERT type message and not start.
+# The first batch of configurations should all raise errors and the second
+# batch should all load properly. We do not focus on the actual auto update in
+# this reg-test though so no actual proxy instance will be launched.
+
+varnishtest "Test the OCSP auto update feature"
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
+feature ignore_unknown_macro
+
+
+#############################
+# #
+# WRONG CONFIGURATIONS #
+# #
+#############################
+
+
+# test1
+# global_option OFF
+# bind line DFLT (OFF) (first)
+# crt-list ON (second)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 1"
+ echo "$haproxy_output"
+ echo "HAProxy return code: $haproxy_ret"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
+# test2
+# global_option ON
+# bind line DFLT/ON (first)
+# crt-list OFF (second)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 2"
+ echo "$haproxy_output"
+ echo "HAProxy return code: $haproxy_ret"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
+# test3
+# global_option OFF
+# bind line DFLT/OFF(first)
+# crt-list ON (second)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 3"
+ echo "$haproxy_output"
+ echo "HAProxy return code: $haproxy_ret"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
+# test4
+# global_option OFF
+# bind line DFLT OFF (second)
+# crt-list ON (first)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 4"
+ echo "$haproxy_output"
+ echo "HAProxy return code: $haproxy_ret"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
+# test5
+# global_option ON
+# bind line DFLT (second)
+# crt-list OFF (first)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 5"
+ echo "$haproxy_output"
+ echo "HAProxy return code: $haproxy_ret"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
+# test6
+# global_option OFF
+# bind line DFLT (second)
+# crt-list ON (first)
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 6"
+ echo "$haproxy_output"
+ echo "HAProxy return code: $haproxy_ret"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
+# test7
+# global_option DFLT
+# bind line -
+# crt-list ON
+# crt-list DFLT
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+server_ocsp_ecdsa.pem bar.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 7"
+ echo "$haproxy_output"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
+# test8
+# global_option DFLT
+# bind line -
+# crt-list DFLT
+# crt-list ON
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem bar.com
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+# ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 8"
+ echo "$haproxy_output"
+ echo "HAProxy return code: $haproxy_ret"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
+# test9
+# global_option ON
+# bind line -
+# crt-list OFF
+# crt-list DFLT
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+server_ocsp_ecdsa.pem bar.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 9"
+ echo "$haproxy_output"
+ echo "HAProxy return code: $haproxy_ret"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
+# test10
+# global_option ON
+# bind line -
+# crt-list DFLT
+# crt-list OFF
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem bar.com
+server_ocsp_ecdsa.pem [ocsp-update off] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ ocsp-update.mode on
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 10"
+ echo "$haproxy_output"
+ echo "HAProxy return code: $haproxy_ret"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
+# test11
+# global_option OFF
+# bind line -
+# crt-list ON
+# crt-list DFLT
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+server_ocsp_ecdsa.pem bar.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 11"
+ echo "$haproxy_output"
+ echo "HAProxy return code: $haproxy_ret"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
+# test12
+# global_option OFF
+# bind line -
+# crt-list DFLT
+# crt-list ON
+shell {
+ cat << EOF > ${tmpdir}/ocsp_compat_check.list
+server_ocsp_ecdsa.pem bar.com
+server_ocsp_ecdsa.pem [ocsp-update on] foo.com
+EOF
+
+ cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
+global
+ crt-base ${testdir}/ocsp_update/multicert
+ ocsp-update.mode off
+
+defaults
+ log stderr local0 debug err
+
+listen ssl-lst
+ bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
+ server s1 127.0.0.1:80
+EOF
+
+ haproxy_output="$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)"
+ haproxy_ret=$?
+ echo "==== test 12"
+ echo "$haproxy_output"
+ echo "HAProxy return code: $haproxy_ret"
+ [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
+}
+
diff --git a/reg-tests/ssl/ocsp_update/multicert_both_certs.crt-list b/reg-tests/ssl/ocsp_update/multicert_both_certs.crt-list
new file mode 100644
index 0000000..0ec641f
--- /dev/null
+++ b/reg-tests/ssl/ocsp_update/multicert_both_certs.crt-list
@@ -0,0 +1,2 @@
+multicert/server_ocsp.pem.rsa [ocsp-update on ssl-min-ver TLSv1.2] *
+multicert/server_ocsp.pem.ecdsa [ocsp-update on ssl-min-ver TLSv1.2] *