#REGTEST_TYPE=devel

# This test uses the "new ssl ca-file" and "del ssl ca-file" commands to create
# a new CA file or delete an unused CA file.
#
# It requires socat to upload the CA file.
#
# If this test does not work anymore:
# - Check that you have socat

varnishtest "Test the 'new ssl ca-file' and 'del ssl ca-file' commands of the CLI"
# Every prerequisite below makes the test skip (not fail) when absent: unknown
# ${...} macros must be tolerated, HAProxy must be 2.5-dev0 or newer and built
# with OpenSSL, and socat is needed to push multi-line payloads into the CLI.
feature ignore_unknown_macro
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
feature cmd "command -v socat"

# Origin server behind the TLS hop. Exactly two requests are expected to reach
# it: the initial www.test1.com request and the /with-ca request issued once the
# new CA file is linked through the crt-list; the other /with-ca requests in
# this test are answered 503 by h1 because the TLS handshake fails.
server s1 -repeat 2 {
  rxreq
  txresp
} -start

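haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-buffer-size 1
        # "level admin" is what allows the new/set/add/commit/del ssl ... commands
        # used below; the socket therefore gives full control over h1 (including
        # uploading private keys) and must stay private to the test run.
        stats socket "${tmpdir}/h1/stats" level admin
        # Bare file names such as "new_cafile.crt" used by the CLI commands below
        # are resolved relative to this directory.
        crt-base ${testdir}

    defaults
        mode http
        option httplog
        retries 0
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    # Plain-text entry point: /with-ca is forwarded to the TLS listener with the
    # "with-ca.com" SNI, anything else with "www.test1.com".
    listen clear-lst
        bind "fd@${clearlst}"
        balance roundrobin
        use_backend with_ca_be if { path /with-ca }
        default_backend default_be

    # Both backends act as TLS clients presenting set_cafile_client.pem.
    # "verify none" is deliberate here: the test only exercises the server-side
    # verification of the client certificate, not the server certificate.
    backend default_be
        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(www.test1.com)

    backend with_ca_be
        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(with-ca.com)

    # TLS listener under test. "strict-sni" makes the handshake fail for any SNI
    # that has no crt-list entry; "verify required" asks for a client certificate;
    # "crt-ignore-err all" lets the handshake complete even when that certificate
    # cannot be verified, so the verification result can be observed through
    # ssl_c_verify instead of a connection failure.
    # NOTE(review): crt-ignore-err all turns client verification into a
    # report-only check and must never be copied into a production configuration.
    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all
        # Exposes the X509 verification result to the test client (0 = verified).
        http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
        server s1 ${s1_addr}:${s1_port}
} -start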

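# Request using the default backend and the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    # The handshake succeeds despite the failed verification only because of
    # "crt-ignore-err all" on the bind line, hence the 200.
    expect resp.status == 200
    # The CA file known by the frontend (interCA2) does not allow to verify the
    # client's certificate. The pattern is anchored so that only the exact error
    # codes 20 or 21 pass (presumably the OpenSSL "unable to get issuer
    # certificate" family); an unanchored "20|21" would also accept e.g. "120".
    expect resp.http.X-SSL-Client-Verify ~ "^(20|21)$"
} -run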

# This connection should fail because the with-ca.com sni is not mentioned in the crt-list yet.
# With "strict-sni" on the bind line the TLS handshake is refused, so h1 cannot
# reach its backend and answers 503 itself; s1 never sees this request.
client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/with-ca"
    rxresp
    expect resp.status == 503
} -run

# Create a new unlinked CA file
# The file is created empty; its content is uploaded with "set ssl ca-file" in
# the shell block that follows.
haproxy h1 -cli {
    send "new ssl ca-file new_cafile.crt"
    expect ~ "New CA file created 'new_cafile.crt'!"
}

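# Upload interCA1 into the new CA file and commit it. The PEM payload is passed
# to printf as an argument rather than spliced into the format string, so that
# no byte of the file can ever be interpreted as a printf directive.
shell {
    printf "set ssl ca-file new_cafile.crt <<\n%s\n\n" "$(cat ${testdir}/set_cafile_interCA1.crt)" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
}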

# Remove the unlinked CA file and create a new one with the "add ssl ca-file" method

haproxy h1 -cli {
    # Nothing references new_cafile.crt yet, so deleting it must be accepted...
    send "del ssl ca-file new_cafile.crt"
    expect ~ "CA file 'new_cafile.crt' deleted!"

    # ...and an empty file can be re-created under the same name.
    send "new ssl ca-file new_cafile.crt"
    expect ~ "New CA file created 'new_cafile.crt'!"
}

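# Populate the re-created CA file through "add ssl ca-file" (append) instead of
# "set ssl ca-file" (replace), then commit. The PEM payload is passed as a
# printf argument so that none of its bytes can be read as a format directive.
shell {
    printf "add ssl ca-file new_cafile.crt <<\n%s\n\n" "$(cat ${testdir}/set_cafile_interCA1.crt)" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
}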

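# Overwrite the content just appended with a "set ssl ca-file" of the same
# certificate; presumably this checks that "set" works on a file populated via
# "add". The committed file is expected to still hold a single certificate.
# The PEM payload is passed as a printf argument, not inside the format string.
shell {
    printf "set ssl ca-file new_cafile.crt <<\n%s\n\n" "$(cat ${testdir}/set_cafile_interCA1.crt)" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
}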

haproxy h1 -cli {
    # After add + set, the file must contain exactly one certificate, not two.
    send "show ssl ca-file"
    expect ~ ".*new_cafile.crt - 1 certificate.*"

    # Pin the uploaded certificate by fingerprint (presumably that of
    # set_cafile_interCA1.crt, the only content ever committed to this file).
    send "show ssl ca-file new_cafile.crt"
    expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
}

# The new CA file is still not linked anywhere so the request should fail.
# The file now exists and is committed, but no crt-list entry references it and
# with-ca.com still has no entry at all, so strict-sni keeps refusing the handshake.
client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/with-ca"
    rxresp
    expect resp.status == 503
} -run

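# Add a new certificate that will use the new CA file
# The certificate is registered under its full path, its PEM content (which
# includes the private key) is uploaded over the admin socket, then committed.
# File paths and PEM payloads are passed as printf arguments, not spliced into
# the format string, so no byte of them can be read as a printf directive.
shell {
    echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
    printf "set ssl cert %s <<\n%s\n\n" "${testdir}/set_cafile_server.pem" "$(cat ${testdir}/set_cafile_server.pem)" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
}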

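# Create a new crt-list line that will use the new CA file
# The entry binds the with-ca.com SNI to the uploaded server certificate and
# overrides the bind-level ca-file with new_cafile.crt for that SNI only.
# Both the crt-list path and the entry are passed as printf arguments rather
# than inside the format string, so a "%" in the test directory name could not
# corrupt the command.
shell {
    printf "add ssl crt-list %s <<\n%s\n\n" "${testdir}/localhost.crt-list" "${testdir}/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com" | socat "${tmpdir}/h1/stats" -
}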

# with-ca.com now has a crt-list entry, so the handshake succeeds and the
# request reaches s1 (this is the second of its two expected requests).
client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/with-ca"
    rxresp
    expect resp.status == 200
    # Thanks to the newly added CA file, the client's certificate can be verified
    # (the entry's ca-file, new_cafile.crt, replaces interCA2 for this SNI).
    expect resp.http.X-SSL-Client-Verify == 0
} -run

# Delete the newly added crt-list line and CA file
# Order matters: the crt-list entry is the only user of new_cafile.crt, and the
# CA file is meant to be deletable only once it is unused, so the entry goes first.
haproxy h1 -cli {
    send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
    expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"

    send "del ssl ca-file new_cafile.crt"
    expect ~ "CA file 'new_cafile.crt' deleted!"

    # The deleted file must no longer appear in the global listing.
    send "show ssl ca-file"
    expect !~ "new_cafile.crt"
}

# The connection should now fail since the crt-list line was deleted
# (strict-sni again refuses the with-ca.com SNI, so h1 answers 503 itself).
client c1 -connect ${h1_clearlst_sock} {
    txreq -url "/with-ca"
    rxresp
    expect resp.status == 503
} -run