#REGTEST_TYPE=devel

# broken with BoringSSL.

# This reg-test uses the "show ssl ocsp-response" command to display the details
# of the OCSP responses used by HAProxy.
# It also uses the new special cases of the "show ssl cert" command, where an OCSP
# extension is provided to the certificate name (with or without preceding * for an
# ongoing transaction).
#
# It uses the show_ocsp_server.pem server certificate, signed by set_cafile_rootCA.crt,
# which has two OCSP responses: show_ocsp_server.pem.ocsp, which is loaded by default and
# reports the certificate as "good", and show_ocsp_server.pem.ocsp.revoked, which reports it
# as "revoked".
# The OCSP response is updated through the two means available on the CLI: the
# "set ssl ocsp-response" command, and an update through a "set ssl cert foo.ocsp" transaction.
#
# It requires socat to drive the stats socket from shell blocks, and openssl to
# base64-encode the DER OCSP responses before uploading them.
#
# If this test does not work anymore:
# - Check that you have socat and openssl

varnishtest "Test the 'show ssl ocsp-response' and 'show ssl cert foo.pem.ocsp' features of the CLI"
# Skip the test unless HAProxy is recent enough and was built against OpenSSL
# proper: BoringSSL and wolfSSL builds are excluded (the file header notes the
# test is broken with BoringSSL).
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && !ssllib_name_startswith(wolfSSL)'"
# socat is used to talk to the stats socket from shell blocks; openssl is used
# to base64-encode the DER OCSP responses before uploading them.
feature cmd "command -v socat && command -v openssl"
# ${s1_addr}/${s1_port} are referenced by the configuration below without a
# matching "server s1" block, so unknown macros must not abort the test.
feature ignore_unknown_macro

# Minimal HAProxy instance: an SSL listener serving show_ocsp_server.pem (and,
# per the file header, its default .ocsp response) plus an admin-level stats
# socket that the rest of the test drives with "show/set/commit ssl ..." commands.
haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        # Not exercised by anything in this test.
        tune.ssl.capture-buffer-size 1
        # "level admin" is presumably what allows the "set ssl ..." and
        # "commit ssl cert" commands issued later (TODO confirm against the CLI docs).
        # NOTE(review): any principal that can reach this unix socket can swap the
        # served certificate and its OCSP response at runtime, so in a real
        # deployment the socket's permissions matter as much as the key file's.
        stats socket "${tmpdir}/h1/stats" level admin

    defaults
        mode http
        option httplog
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    listen clear-lst
        bind "fd@${clearlst}"
        # "verify none": the backend leg does not validate ssl-lst's certificate.
        # No client block sends traffic through clear-lst in this test, so this
        # leg is effectively unused; it is a test-only setting, not one to copy.
        server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/set_cafile_rootCA.crt verify none

    listen ssl-lst
        # crt: certificate of the server
        # ca-file: CA used for client authentication request
        # "verify none" together with "crt-ignore-err all" means a client
        # certificate is never required and its verification errors are ignored.
        # Test-only: do not carry these two settings into a production bind line.
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/show_ocsp_server.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
        # Never observed: no HTTP request is issued anywhere in this test.
        http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
        # ${s1_addr}/${s1_port} are undefined here (see "feature ignore_unknown_macro").
        server s1 ${s1_addr}:${s1_port}
} -start


# Test the "show ssl ocsp-response" command
# Test the "show ssl ocsp-response" command.
# The hex "Certificate ID key" is the DER-encoded OCSP CertID (RFC 6960): a
# SEQUENCE holding the SHA-1 AlgorithmIdentifier (OID 1.3.14.3.2.26), the 20-byte
# issuer name hash, the 20-byte issuer key hash and the serial number 0x100F
# (cf. "Serial: 100F" reported by "show ssl cert" further down).
haproxy h1 -cli {
    # Without an argument the command lists the loaded responses by key.
    send "show ssl ocsp-response"
    expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"

    # With the key as argument the response is dumped; each send/expect pair
    # checks one field of the default (.ocsp) response: responder name, then status.
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "Cert Status: good"
}

# Test the "show ssl ocsp-response" command with a certificate path as parameter
# Test the "show ssl ocsp-response" command with a certificate path as parameter.
# Done from a shell block through socat so the whole CLI output can be captured
# once and grepped for two fields. varnishtest fails the test if the block's
# exit status (that of the "&&" chain, i.e. both greps) is non-zero.
shell {
    ocsp_response=$(echo "show ssl ocsp-response ${testdir}/show_ocsp_server.pem" | socat "${tmpdir}/h1/stats" -)

    echo "$ocsp_response" | grep "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com" &&
    echo "$ocsp_response" | grep "Cert Status: good"
}

# Test the "show ssl cert foo.pem.ocsp" command
# Test the "show ssl cert foo.pem.ocsp" command: appending ".ocsp" to the
# certificate name makes "show ssl cert" dump the OCSP response attached to it
# instead of the certificate itself.
haproxy h1 -cli {
    # The loaded certificate must be listed.
    send "show ssl cert"
    expect ~ ".*show_ocsp_server.pem"

    # Certificate details: serial 0x100F, and the OCSP key that matches the
    # CertID reported by "show ssl ocsp-response".
    send "show ssl cert ${testdir}/show_ocsp_server.pem"
    expect ~ "Serial: 100F"
    send "show ssl cert ${testdir}/show_ocsp_server.pem"
    expect ~ "OCSP Response Key: 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"

    # ".ocsp" suffix: same fields as the ocsp-response dump, still the "good" response.
    send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
    expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
    send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
    expect ~ "Cert Status: good"
}


# Change the server certificate's OCSP response through "set ssl ocsp-response"
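# Change the server certificate's OCSP response through "set ssl ocsp-response".
# The DER response is base64-encoded and sent in multi-line ("<<") mode; the
# payload is terminated by the empty line, hence the trailing "" argument.
# The file content is passed to printf as a '%s' argument rather than as part of
# the format string, so a '%' or '\' in the payload can never be interpreted by
# printf (base64 output contains neither, but the argument form is the safe idiom).
# NOTE(review): this replaces the stapled response at runtime, with no commit
# step; anyone with access to the admin stats socket can do the same.
shell {
    printf '%s\n' "set ssl ocsp-response <<" "$(cat ${testdir}/show_ocsp_server.pem.ocsp.revoked | openssl base64)" "" | socat "${tmpdir}/h1/stats" -
}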

# Check that the change was taken into account
# Check that the change was taken into account. "set ssl ocsp-response" is not
# transactional: no commit was issued, yet the listing, the dump by key and the
# ".ocsp" view of the certificate must all report the revoked response now.
haproxy h1 -cli {
    send "show ssl ocsp-response"
    expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"

    # Same responder as before; only the status changed.
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "Cert Status: revoked"

    send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
    expect ~ "Cert Status: revoked"
}


# Change the server certificate's OCSP response through a transaction
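# Change the server certificate's OCSP response through a transaction: re-send
# the certificate, its issuer and the (original, "good") .ocsp response with
# "set ssl cert"; nothing is applied until "commit ssl cert" below.
# Each payload is sent in multi-line ("<<") mode and terminated by an empty line
# (the trailing "" argument). The PEM files are run through sed to drop blank
# lines, because a blank line inside the payload would presumably end it early.
# File contents are passed to printf as '%s' arguments, never as the format
# string, so printf cannot misinterpret a '%' or '\' in them.
# NOTE(review): the .pem sent here is the one bound with "crt", which HAProxy
# needs the private key for, so this likely ships key material over the CLI
# socket -- one more reason to keep the admin socket tightly restricted.
# The .issuer is presumably needed so the .ocsp payload can be matched to the
# certificate -- TODO confirm against the "set ssl cert" documentation.
shell {
    printf '%s\n' "set ssl cert ${testdir}/show_ocsp_server.pem <<" "$(cat ${testdir}/show_ocsp_server.pem | sed '/^$/d')" "" | socat "${tmpdir}/h1/stats" -
    printf '%s\n' "set ssl cert ${testdir}/show_ocsp_server.pem.issuer <<" "$(cat ${testdir}/show_ocsp_server.pem.issuer | sed '/^$/d')" "" | socat "${tmpdir}/h1/stats" -
    printf '%s\n' "set ssl cert ${testdir}/show_ocsp_server.pem.ocsp <<" "$(cat ${testdir}/show_ocsp_server.pem.ocsp | openssl base64)" "" | socat "${tmpdir}/h1/stats" -
}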


# Check that the actual tree entry was not changed and that the uncommitted
# transaction's OCSP response is the new one
# Check that the actual tree entry was not changed and that the uncommitted
# transaction's OCSP response is the new one.
# The two fixtures are told apart by their "This Update" timestamps:
# 08:57:45 is the revoked response currently in the tree, 08:55:04 the "good"
# one staged in the transaction.
# NOTE(review): both fixtures date from 2021 and nothing here checks
# "Next Update", so how HAProxy treats a response past its validity window is
# not covered by this test.
haproxy h1 -cli {
    # Live entry: still the revoked response uploaded earlier.
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "Cert Status: revoked"
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "This Update: Jun 10 08:57:45 2021 GMT"

    # A leading "*" selects the ongoing (uncommitted) transaction instead of the
    # live entry: it already holds the "good" response.
    send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp"
    expect ~ "Cert Status: good"
    send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp"
    expect ~ "This Update: Jun 10 08:55:04 2021 GMT"
}


# Commit the transaction and check that it was taken into account
# Commit the transaction and check that it was taken into account: the live
# entry must now be the "good" response (This Update 08:55:04) that was staged.
haproxy h1 -cli {
    send "commit ssl cert ${testdir}/show_ocsp_server.pem"
    expect ~ "Success!"

    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "Cert Status: good"
    send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
    expect ~ "This Update: Jun 10 08:55:04 2021 GMT"
}