#REGTEST_TYPE=devel
# This test uses the "new ssl crl-file" and "del ssl crl-file" commands to create
# a new CRL file or delete an unused CRL file.
#
# Scenario: two backends connect to the local "ssl-lst" frontend over TLS,
# presenting client3_revoked.pem as a client certificate and selecting a
# crt-list entry through the SNI (www.test1.com or with-crl.com). An empty
# CRL file is first created on the CLI, then filled with crl-auth.pem over the
# stats socket, then referenced by a new crt-list entry for with-crl.com.
# The frontend uses "crt-ignore-err all", so a failed client-certificate
# verification does not abort the handshake: the request still gets a 200 and
# the verification result is exposed in the X-SSL-Client-Verify response
# header (0 = verified, 23 = X509_V_ERR_CERT_REVOKED in OpenSSL). The test
# relies on client3_revoked.pem being listed in crl-auth.pem.
#
# It requires socat to upload the CRL file.
#
# If this test does not work anymore:
# - Check that you have socat
varnishtest "Test the 'new ssl crl-file' and 'del ssl crl-file' commands of the CLI"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature cmd "command -v socat"
feature ignore_unknown_macro
# Three successful end-to-end requests are expected (c1 runs four times, one
# of them answered with a 503 before reaching s1).
server s1 -repeat 3 {
rxreq
txresp
} -start
# "clear-lst" routes /with-crl to with_crl_be and everything else to
# default_be; both backends dial the ssl-lst unix socket with the same client
# certificate and differ only in the SNI they send. "verify none" on the
# servers means the frontend's own certificate is not checked here; only the
# client-certificate verification done by ssl-lst is under test.
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
defaults
mode http
option httplog
retries 0
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
listen clear-lst
bind "fd@${clearlst}"
balance roundrobin
use_backend with_crl_be if { path /with-crl }
default_backend default_be
backend default_be
server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(www.test1.com)
backend with_crl_be
server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(with-crl.com)
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-file ${testdir}/ca-auth.crt verify required crt-ignore-err all
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
server s1 ${s1_addr}:${s1_port}
} -start
# Request using the default backend and the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
# No CRL is attached to the www.test1.com crt-list entry, so the client
# certificate verifies cleanly (0) even though it is a revoked certificate
expect resp.http.X-SSL-Client-Verify == 0
} -run
# This connection should fail because the with-crl.com sni is not mentioned in
# the crt-list yet: with "strict-sni" the frontend rejects the handshake, the
# backend server is unreachable and clear-lst answers 503.
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/with-crl"
rxresp
expect resp.status == 503
} -run
# Create a new unlinked CRL file. The CLI only creates an empty placeholder;
# its content is uploaded below as a multi-line "set ssl crl-file" payload
# (terminated by an empty line) and made effective by "commit".
haproxy h1 -cli {
send "new ssl crl-file new_crlfile.crt"
expect ~ "New CRL file created 'new_crlfile.crt'!"
}
shell {
printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/crl-auth.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl crl-file new_crlfile.crt" | socat "${tmpdir}/h1/stats" -
}
# The committed CRL must be listed and its issuer must be the test client CA
haproxy h1 -cli {
send "show ssl crl-file"
expect ~ ".*new_crlfile.crt"
send "show ssl crl-file new_crlfile.crt"
expect ~ ".*Issuer:.*/CN=HAProxy Technologies CA Test Client Auth"
}
# Add a new server certificate for the with-crl.com SNI; the crt-list entry
# added below is what binds it to the new CRL file
shell {
echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
}
# Create a new crt-list line that will use the new CRL file for with-crl.com
shell {
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" | socat "${tmpdir}/h1/stats" -
}
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/with-crl"
rxresp
expect resp.status == 200
# The client certificate presented by with_crl_be (client3_revoked.pem) is
# revoked in the newly added CRL. Because of "crt-ignore-err all" the
# handshake still completes (hence the 200) and the verification error is
# reported instead: 23 is OpenSSL's X509_V_ERR_CERT_REVOKED
expect resp.http.X-SSL-Client-Verify == 23
} -run
# Request using the default backend and the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
txreq
rxresp
expect resp.status == 200
# The www.test1.com crt-list entry still has no CRL, so the same revoked
# certificate still verifies cleanly for this SNI
expect resp.http.X-SSL-Client-Verify == 0
} -run
# Delete the newly added crt-list line and CRL file. The crt-list entry must
# go first: the CRL can only be deleted once nothing references it.
haproxy h1 -cli {
send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"
send "del ssl crl-file new_crlfile.crt"
expect ~ "CRL file 'new_crlfile.crt' deleted!"
send "show ssl crl-file"
expect !~ "new_crlfile.crt"
}
# The connection should now fail since the crt-list line was deleted (same
# strict-sni rejection as before the entry was added)
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/with-crl"
rxresp
expect resp.status == 503
} -run