reg-tests/ssl/set_ssl_cert.vtc


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206

#REGTEST_TYPE=devel

# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
# It requires socat to upload the certificate
#
# This check has two separate parts.
# In the first part, there are 3 requests, the first one will use "www.test1.com" as SNI,
# the second one with the same but that must fail and the third one will use
# "localhost". Since vtest can't do SSL, we use haproxy as an SSL client with 2
# chained listen section.
#
# In the second part, we check the update of a default certificate in a crt-list.
# This corresponds to a bug raised in https://github.com/haproxy/haproxy/issues/1143.
# A certificate is used as default certificate as well as regular one, and during the update
# the default certificate would not be properly updated if the default instance did not have
# any SNI. The test consists in checking that the used certificate is the right one after
# updating it via a "set ssl cert" call.
#
# If this test does not work anymore:
# - Check that you have socat

varnishtest "Test the 'set ssl cert' feature of the CLI"
#REQUIRE_VERSION=2.2
#REQUIRE_OPTIONS=OPENSSL
feature cmd "command -v socat"
feature ignore_unknown_macro

server s1 -repeat 9 {
  rxreq
  txresp
} -start

haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-buffer-size 1
        stats socket "${tmpdir}/h1/stats" level admin
        crt-base ${testdir}

    defaults
        mode http
        option httplog
	retries 0
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    listen clear-lst
        bind "fd@${clearlst}"
        balance roundrobin

        http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]

        retries 0 # 2nd SSL connection must fail so skip the retry
        server s1 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
        server s2 "${tmpdir}/ssl.sock" ssl verify none sni str(www.test1.com)
        server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)

        server s4 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s5 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate
        server s6 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s7 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate

        server s8 "${tmpdir}/other-ssl.sock" ssl verify none sni str(www.test1.com)
        server s9 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate

    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
        server s1 ${s1_addr}:${s1_port}
	# dummy server used to test a change when the same crt is used as server and bind
        server s2 ${s1_addr}:${s1_port} ssl crt ${testdir}/common.pem verify none weight 0

    listen other-ssl-lst
        bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/set_default_cert.crt-list
        server s1 ${s1_addr}:${s1_port}

} -start


haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
}

client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run

shell {
    printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}

# check that the "www.test1.com" SNI was removed
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 503
} -run

client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.status == 200
} -run

shell {
    printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "abort ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/common.pem"
    expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}


# The following requests are aimed at a backend that uses the set_default_cert.crt-list file

# Uses the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run

# Uses the other.test1.com sni and the default line of the crt-list
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run

shell {
    printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
}

# Certificate should not have changed yet
haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3"
}

shell {
    echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
}

# Uses the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
    expect resp.status == 200
} -run

# Uses the other.test1.com sni and the default line of the crt-list
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
    expect resp.status == 200
} -run

# Restore original certificate
shell {
    printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/set_default_cert.pem)\n\n" | socat "${tmpdir}/h1/stats" -
    echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}

haproxy h1 -cli {
    send "show ssl cert ${testdir}/set_default_cert.pem"
    expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB"
}

# Uses the www.test1.com sni
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run

# Uses the other.test1.com sni and the default line of the crt-list
client c1 -connect ${h1_clearlst_sock} {
    txreq
    rxresp
    expect resp.http.X-SSL-Server-SHA1 == "9DC18799428875976DDE706E9956035EE88A4CB3"
    expect resp.status == 200
} -run