REGTESTS: ocsp-update: change the reg-test to support the new crt-store mode

Update the ocsp-update tests for the recent changes:

- Incompatibilities check string changed to match the crt-store one
- The "good configurations" are not good anymore because the
  ckch_conf_cmp() does not compare anymore with a global value.

diff --git a/reg-tests/ssl/ocsp_auto_update.vtc b/reg-tests/ssl/ocsp_auto_update.vtc
index 11524e481a57517387a76c3a3c03e96c655c0684..019395380359b04e34f9cafd6fede817245c66af 100644 (file)
--- a/reg-tests/ssl/ocsp_auto_update.vtc
+++ b/reg-tests/ssl/ocsp_auto_update.vtc
@@ -1,4 +1,4 @@
-#REGTEST_TYPE=broken
+#REGTEST_TYPE=slow
 # reg-test is around ~2.5s
 
 # broken with BoringSSL.
@@ -653,7 +653,7 @@ haproxy h8 -cli {
 # Check that the auto update option consistency check work even when crt-list
 # lines are added through the cli
 shell {
-    printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "Incompatibilities found in OCSP update mode for certificate"
+    printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'"
 }
 
 haproxy h8 -wait

diff --git a/reg-tests/ssl/ocsp_compat_check.vtc b/reg-tests/ssl/ocsp_compat_check.vtc
index ec19d6c8701b1a3e1ca255f1ce4638dcd4fe1e86..7dbcdf94b0780b74907014b51affcf2d03aed4dc 100644 (file)
--- a/reg-tests/ssl/ocsp_compat_check.vtc
+++ b/reg-tests/ssl/ocsp_compat_check.vtc
@@ -1,4 +1,4 @@
-#REGTEST_TYPE=broken
+#REGTEST_TYPE=devel
 
 # broken with BoringSSL.
 #
@@ -26,8 +26,8 @@ feature ignore_unknown_macro
 
 
 # test1
-#    global_option   DFLT
-#    bind line       DFLT    (first)
+#    global_option   OFF
+#    bind line       DFLT (OFF)   (first)
 #    crt-list        ON      (second)
 shell {
     cat << EOF > ${tmpdir}/ocsp_compat_check.list
@@ -52,7 +52,7 @@ EOF
     echo "==== test 1"
     echo "$haproxy_output"
     echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
 # test2
@@ -82,7 +82,7 @@ EOF
     echo "==== test 2"
     echo "$haproxy_output"
     echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
 # test3
@@ -112,13 +112,13 @@ EOF
     echo "==== test 3"
     echo "$haproxy_output"
     echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
 # test4
-#    global_option   DFLT
-#    bind line       DFLT    (second)
-#    crt-list        ON      (first)
+#    global_option   OFF
+#    bind line       DFLT OFF (second)
+#    crt-list        ON       (first)
 shell {
     cat << EOF > ${tmpdir}/ocsp_compat_check.list
 server_ocsp_ecdsa.pem [ocsp-update on] foo.com
@@ -143,7 +143,7 @@ EOF
     echo "==== test 4"
     echo "$haproxy_output"
     echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
 # test5
@@ -174,7 +174,7 @@ EOF
     echo "==== test 5"
     echo "$haproxy_output"
     echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
 # test6
@@ -205,7 +205,7 @@ EOF
     echo "==== test 6"
     echo "$haproxy_output"
     echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
 # test7
@@ -236,8 +236,7 @@ EOF
     haproxy_ret=$?
     echo "==== test 7"
     echo "$haproxy_output"
-    echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
 # test8
@@ -269,7 +268,7 @@ EOF
     echo "==== test 8"
     echo "$haproxy_output"
     echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
 # test9
@@ -301,7 +300,7 @@ EOF
     echo "==== test 9"
     echo "$haproxy_output"
     echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
 # test10
@@ -333,7 +332,7 @@ EOF
     echo "==== test 10"
     echo "$haproxy_output"
     echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
 # test11
@@ -365,7 +364,7 @@ EOF
     echo "==== test 11"
     echo "$haproxy_output"
     echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
 # test12
@@ -397,365 +396,6 @@ EOF
     echo "==== test 12"
     echo "$haproxy_output"
     echo "HAProxy return code: $haproxy_ret"
-    ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate"
-}
-
-
-
-
-###########################
-#                         #
-#   GOOD CONFIGURATIONS   #
-#                         #
-###########################
-
-# test1
-#    global_option   DFLT
-#    bind line       DFLT    (first)
-#    crt-list        OFF     (second)
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem [ocsp-update off] foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-#    ocsp-update.mode on
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
-}
-
-# test2
-#    global_option   ON
-#    bind line       DFLT/ON (first)
-#    crt-list        ON      (second)
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem [ocsp-update on] foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-    ocsp-update.mode on
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
-}
-
-# test3
-#    global_option   OFF
-#    bind line       DFLT/OFF(first)
-#    crt-list        OFF     (second)
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem [ocsp-update off] foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-    ocsp-update.mode off
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
-}
-
-# test4
-#    global_option   DFLT
-#    bind line       DFLT    (second)
-#    crt-list        OFF     (first)
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem [ocsp-update off] foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-#    ocsp-update.mode off
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
-    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
-}
-
-# test5
-#    global_option   ON
-#    bind line       DFLT    (second)
-#    crt-list        ON      (first)
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem [ocsp-update on] foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-    ocsp-update.mode on
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
-    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
-}
-
-# test6
-#    global_option   OFF
-#    bind line       DFLT    (second)
-#    crt-list        OFF     (first)
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem [ocsp-update off] foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-    ocsp-update.mode off
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
-    bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
+    [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
 }
 
-# test7
-#    global_option   DFLT
-#    bind line       -
-#    crt-list        OFF
-#    crt-list        DFLT
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem [ocsp-update off] foo.com
-server_ocsp_ecdsa.pem foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-#    ocsp-update.mode off
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
-}
-
-# test8
-#    global_option   DFLT
-#    bind line       -
-#    crt-list        DFLT
-#    crt-list        OFF
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem foo.com
-server_ocsp_ecdsa.pem [ocsp-update off] foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-#    ocsp-update.mode off
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
-}
-
-# test9
-#    global_option   ON
-#    bind line       -
-#    crt-list        ON
-#    crt-list        DFLT
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem [ocsp-update on] foo.com
-server_ocsp_ecdsa.pem foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-    ocsp-update.mode on
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
-}
-
-# test10
-#    global_option   ON
-#    bind line       -
-#    crt-list        DFLT
-#    crt-list        ON
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem foo.com
-server_ocsp_ecdsa.pem [ocsp-update on] foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-    ocsp-update.mode on
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
-}
-
-# test11
-#    global_option   OFF
-#    bind line       -
-#    crt-list        OFF
-#    crt-list        DFLT
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem [ocsp-update off] foo.com
-server_ocsp_ecdsa.pem foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-    ocsp-update.mode off
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
-}
-
-# test12
-#    global_option   OFF
-#    bind line       -
-#    crt-list        DFLT
-#    crt-list        OFF
-shell {
-    cat << EOF > ${tmpdir}/ocsp_compat_check.list
-server_ocsp_ecdsa.pem foo.com
-server_ocsp_ecdsa.pem [ocsp-update off] foo.com
-EOF
-
-    cat << EOF > ${tmpdir}/ocsp_compat_check.cfg
-global
-    crt-base ${testdir}/ocsp_update/multicert
-    ocsp-update.mode off
-
-defaults
-    log stderr local0 debug err
-    timeout connect 1s
-    timeout client  1s
-    timeout server  1s
-
-listen ssl-lst
-    bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
-    server s1 127.0.0.1:80
-EOF
-
-    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
-}