reg-tests/ssl/ssl_generate_certificate.vtc


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

#REGTEST_TYPE=devel

# This reg-test checks that the 'generate-certificates' SSL option works
# properly. This option allows to generate server-side certificates on the fly
# for clients that use an SNI for which no certificate was specified in the
# configuration file.
# This test also aims at checking that the 'generate-certificates' and the
# 'ecdhe' bind options work correctly together.
# Any bind line having a 'generate-certificates' needs to have a ca-sign-file
# option as well that specifies the path to a CA pem file (containing a
# certificate as well as its private key). For this reason, a new
# ssl_gen_ca.pem CA certificate was created, along with the ssl_gen_server.pem
# server certificate signed by the CA. This server certificate will be used as
# a default certificate and will serve as a base for any newly created
# certificate.

varnishtest "Test the 'generate-certificates' SSL option"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(wolfSSL)'"
feature cmd "command -v openssl && command -v grep"
feature ignore_unknown_macro

server s1 -repeat 6 {
  rxreq
  txresp
} -start


haproxy h1 -conf {
    global
        tune.ssl.default-dh-param 2048
        tune.ssl.capture-buffer-size 2048

    defaults
        mode http
        option httpslog
        log stderr local0 debug err
        option logasap
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"
        option httpslog

    listen clear-lst
        bind "fd@${clearlst}"
        http-request set-var(sess.sni) hdr(x-sni)

        use_backend P-384_backend if { path /P-384 }
        default_backend default_backend

    backend default_backend
        server s1 "${tmpdir}/ssl.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)

    backend P-384_backend
        server s1 "${tmpdir}/ssl_P-384.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)

    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional
        http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
        http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
        http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
        http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
        http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex]

        server s1 ${s1_addr}:${s1_port}

    listen ssl-lst-P-384
        bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1
        http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
        http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
        http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
        http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
        http-response add-header x-ssl-sha1 %[ssl_f_sha1,hex]

        server s1 ${s1_addr}:${s1_port}

} -start

# Use default certificate
client c1 -connect ${h1_clearlst_sock} {
  txreq
  rxresp
  expect resp.status == 200
  expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
  expect resp.http.x-ssl-i_dn == "ECDSA CA"
  expect resp.http.x-ssl-s_dn  == "server.ecdsa.com"
  expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
  expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
} -run


# Use default certificate's sni
client c2 -connect ${h1_clearlst_sock} {
  txreq -hdr "x-sni: server.ecdsa.com"
  rxresp
  expect resp.status == 200
  expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
  expect resp.http.x-ssl-i_dn == "ECDSA CA"
  expect resp.http.x-ssl-s_dn  == "server.ecdsa.com"
  expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
  expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
} -run


# Use another SNI - the server certificate should be generated and different
# than the default one
client c3 -connect ${h1_clearlst_sock} {
  txreq -hdr "x-sni: unknown-sni.com"
  rxresp
  expect resp.status == 200
  expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
  expect resp.http.x-ssl-i_dn == "ECDSA CA"
  expect resp.http.x-ssl-s_dn  == "ECDSA CA"
  expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
  expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
} -run


# Use default certificate
client c4 -connect ${h1_clearlst_sock} {
  txreq -url "/P-384"
  rxresp
  expect resp.status == 200
  expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
  expect resp.http.x-ssl-i_dn == "ECDSA CA"
  expect resp.http.x-ssl-s_dn  == "server.ecdsa.com"
  expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
  expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
} -run


# Use default certificate's sni
client c5 -connect ${h1_clearlst_sock} {
  txreq -url "/P-384" -hdr "x-sni: server.ecdsa.com"
  rxresp
  expect resp.status == 200
  expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
  expect resp.http.x-ssl-i_dn == "ECDSA CA"
  expect resp.http.x-ssl-s_dn  == "server.ecdsa.com"
  expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
  expect resp.http.x-ssl-sha1 == "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
} -run


# Use another SNI - the server certificate should be generated and different
# than the default one
client c6 -connect ${h1_clearlst_sock} {
  txreq -url "/P-384" -hdr "x-sni: unknown-sni.com"
  rxresp
  expect resp.status == 200
  expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
  expect resp.http.x-ssl-i_dn == "ECDSA CA"
  expect resp.http.x-ssl-s_dn  == "ECDSA CA"
  expect resp.http.x-ssl-key_alg == "id-ecPublicKey"
  expect resp.http.x-ssl-sha1 != "66AC64728CEA0C1F614A89C278FA2F94EDE9AB11"
} -run

# Check that the curves that the server accepts to use correspond to what we
# expect it to be (according to ecdhe option).
# The curve with the highest priority is X25519 for OpenSSL 1.1.1 and later,
# and P-256 for OpenSSL 1.0.2.
shell {
    echo "Q" | openssl s_client -unix "${tmpdir}/ssl.sock" -servername server.ecdsa.com -tls1_2 2>/dev/null | grep -E "Server Temp Key: (ECDH, P-256, 256 bits|ECDH, prime256v1, 256 bits|X25519, 253 bits)"
}

shell {
    echo "Q" | openssl s_client -unix "${tmpdir}/ssl_P-384.sock" -servername server.ecdsa.com 2>/dev/null| grep -E "Temp Key: ECDH,.+, 384 bits"
}