From: William Lallemand Date: Tue, 7 May 2024 07:55:02 +0000 (+0200) Subject: REGTESTS: ocsp-update: change the reg-test to support the new crt-store mode X-Git-Tag: v3.0-dev12~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d33a5f8e14dc1c75163262f379af3023668cc5c0;p=thirdparty%2Fhaproxy.git REGTESTS: ocsp-update: change the reg-test to support the new crt-store mode Update the ocsp-update tests for the recent changes: - Incompatibilities check string changed to match the crt-store one - The "good configurations" are not good anymore because the ckch_conf_cmp() does not compare anymore with a global value. --- diff --git a/reg-tests/ssl/ocsp_auto_update.vtc b/reg-tests/ssl/ocsp_auto_update.vtc index 11524e481a..0193953803 100644 --- a/reg-tests/ssl/ocsp_auto_update.vtc +++ b/reg-tests/ssl/ocsp_auto_update.vtc @@ -1,4 +1,4 @@ -#REGTEST_TYPE=broken +#REGTEST_TYPE=slow # reg-test is around ~2.5s # broken with BoringSSL. @@ -653,7 +653,7 @@ haproxy h8 -cli { # Check that the auto update option consistency check work even when crt-list # lines are added through the cli shell { - printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "Incompatibilities found in OCSP update mode for certificate" + printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'" } haproxy h8 -wait diff --git a/reg-tests/ssl/ocsp_compat_check.vtc b/reg-tests/ssl/ocsp_compat_check.vtc index ec19d6c870..7dbcdf94b0 100644 --- a/reg-tests/ssl/ocsp_compat_check.vtc +++ b/reg-tests/ssl/ocsp_compat_check.vtc @@ -1,4 +1,4 @@ -#REGTEST_TYPE=broken +#REGTEST_TYPE=devel # broken with BoringSSL. # 
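Review bot: In the `add ssl crt-list` check against h8, `${testdir}` is expanded inside the printf format string, so a test directory whose path contains `%` or a backslash would alter the command sent to the stats socket and the check would fail for an unrelated reason. Passing the path as an argument keeps the `\n` escapes in the format while treating the path as data: `printf 'add ssl crt-list %s <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n' "${testdir}/ocsp_update/multicert_both_certs.crt-list"`. The socat and grep stages stay as they are.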
@@ -26,8 +26,8 @@ feature ignore_unknown_macro # test1 -# global_option DFLT -# bind line DFLT (first) +# global_option OFF +# bind line DFLT (OFF) (first) # crt-list ON (second) shell { cat << EOF > ${tmpdir}/ocsp_compat_check.list @@ -52,7 +52,7 @@ EOF echo "==== test 1" echo "$haproxy_output" echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } # test2 @@ -82,7 +82,7 @@ EOF echo "==== test 2" echo "$haproxy_output" echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } # test3 @@ -112,13 +112,13 @@ EOF echo "==== test 3" echo "$haproxy_output" echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } # test4 -# global_option DFLT -# bind line DFLT (second) -# crt-list ON (first) +# global_option OFF +# bind line DFLT OFF (second) +# crt-list ON (first) shell { cat << EOF > ${tmpdir}/ocsp_compat_check.list server_ocsp_ecdsa.pem [ocsp-update on] foo.com @@ -143,7 +143,7 @@ EOF echo "==== test 4" echo "$haproxy_output" echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } # test5 
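Review bot: The rewritten assertion in test 1, `[ $haproxy_ret -ne 0 ]`, accepts any non-zero status, so a config check that prints the message and then dies on a signal would still count as a pass; the same line is repeated for tests 2 to 12 in the following hunks. If HAProxy uses one fixed status for a rejected configuration, compare against it and quote the variable, e.g. `[ "$haproxy_ret" -eq 1 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"` (the value 1 is an assumption to confirm). The shell block starts before the hunk, so how `haproxy_output` is captured is not visible here.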
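Review bot: The case headers for test 1 and test 4 spell the same situation two ways, `# bind line DFLT (OFF) (first)` and `# bind line DFLT OFF (second)`, and neither says what the extra value means. These headers are the only description of what each case covers, so pick one form and use it in both, for example `# bind line DFLT (effective: OFF) (second)`, presuming OFF is the value that applies when nothing is configured.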
@@ -174,7 +174,7 @@ EOF echo "==== test 5" echo "$haproxy_output" echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } # test6 @@ -205,7 +205,7 @@ EOF echo "==== test 6" echo "$haproxy_output" echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } # test7 @@ -236,8 +236,7 @@ EOF haproxy_ret=$? echo "==== test 7" echo "$haproxy_output" - echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } # test8 @@ -269,7 +268,7 @@ EOF echo "==== test 8" echo "$haproxy_output" echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } # test9 @@ -301,7 +300,7 @@ EOF echo "==== test 9" echo "$haproxy_output" echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } # test10 
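Review bot: Test 7 is the only case where the `echo "HAProxy return code: $haproxy_ret"` line is removed; tests 1 to 6 and 8 to 12 keep it, so the removal looks unintentional. Without it a failing test 7 no longer shows the exit status in the log, which is what distinguishes a changed error message from a crash of the config check. Restore `echo "HAProxy return code: $haproxy_ret"` before the assertion.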
@@ -333,7 +332,7 @@ EOF echo "==== test 10" echo "$haproxy_output" echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } # test11 @@ -365,7 +364,7 @@ EOF echo "==== test 11" echo "$haproxy_output" echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } # test12 
@@ -397,365 +396,6 @@ EOF echo "==== test 12" echo "$haproxy_output" echo "HAProxy return code: $haproxy_ret" - ! [ $haproxy_ret -eq 0 ] && echo "$haproxy_output" | grep -q "Incompatibilities found in OCSP update mode for certificate" -} - - - - -########################### -# # -# GOOD CONFIGURATIONS # -# # -########################### - -# test1 -# global_option DFLT -# bind line DFLT (first) -# crt-list OFF (second) -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem [ocsp-update off] foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert -# ocsp-update.mode on - -defaults - log stderr local0 debug err - timeout connect 1s - timeout client 1s - timeout server 1s - -listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c -} - -# test2 -# global_option ON -# bind line DFLT/ON (first) -# crt-list ON (second) -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem [ocsp-update on] foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert - ocsp-update.mode on - -defaults - log stderr local0 debug err - timeout connect 1s - timeout client 1s - timeout server 1s - -listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c -} - -# test3 -# global_option OFF -# bind line DFLT/OFF(first) -# crt-list OFF (second) -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem [ocsp-update off] foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert - ocsp-update.mode off - -defaults - log stderr local0 debug err - timeout connect 1s - timeout 
client 1s - timeout server 1s - -listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c -} - -# test4 -# global_option DFLT -# bind line DFLT (second) -# crt-list OFF (first) -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem [ocsp-update off] foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert -# ocsp-update.mode off - -defaults - log stderr local0 debug err - timeout connect 1s - timeout client 1s - timeout server 1s - -listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list - bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c -} - -# test5 -# global_option ON -# bind line DFLT (second) -# crt-list ON (first) -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem [ocsp-update on] foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert - ocsp-update.mode on - -defaults - log stderr local0 debug err - timeout connect 1s - timeout client 1s - timeout server 1s - -listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list - bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c -} - -# test6 -# global_option OFF -# bind line DFLT (second) -# crt-list OFF (first) -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem [ocsp-update off] foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert - ocsp-update.mode off - -defaults - log stderr local0 debug err - timeout connect 1s - timeout client 1s - timeout server 1s - -listen 
ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list - bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c + [ $haproxy_ret -ne 0 ] && echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'" } -# test7 -# global_option DFLT -# bind line - -# crt-list OFF -# crt-list DFLT -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem [ocsp-update off] foo.com -server_ocsp_ecdsa.pem foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert -# ocsp-update.mode off - -defaults - log stderr local0 debug err - timeout connect 1s - timeout client 1s - timeout server 1s - -listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c -} - -# test8 -# global_option DFLT -# bind line - -# crt-list DFLT -# crt-list OFF -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem foo.com -server_ocsp_ecdsa.pem [ocsp-update off] foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert -# ocsp-update.mode off - -defaults - log stderr local0 debug err - timeout connect 1s - timeout client 1s - timeout server 1s - -listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c -} - -# test9 -# global_option ON -# bind line - -# crt-list ON -# crt-list DFLT -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem [ocsp-update on] foo.com -server_ocsp_ecdsa.pem foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert - ocsp-update.mode on - -defaults - log stderr local0 debug err - timeout connect 
1s - timeout client 1s - timeout server 1s - -listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c -} - -# test10 -# global_option ON -# bind line - -# crt-list DFLT -# crt-list ON -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem foo.com -server_ocsp_ecdsa.pem [ocsp-update on] foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert - ocsp-update.mode on - -defaults - log stderr local0 debug err - timeout connect 1s - timeout client 1s - timeout server 1s - -listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c -} - -# test11 -# global_option OFF -# bind line - -# crt-list OFF -# crt-list DFLT -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem [ocsp-update off] foo.com -server_ocsp_ecdsa.pem foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert - ocsp-update.mode off - -defaults - log stderr local0 debug err - timeout connect 1s - timeout client 1s - timeout server 1s - -listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c -} - -# test12 -# global_option OFF -# bind line - -# crt-list DFLT -# crt-list OFF -shell { - cat << EOF > ${tmpdir}/ocsp_compat_check.list -server_ocsp_ecdsa.pem foo.com -server_ocsp_ecdsa.pem [ocsp-update off] foo.com -EOF - - cat << EOF > ${tmpdir}/ocsp_compat_check.cfg -global - crt-base ${testdir}/ocsp_update/multicert - ocsp-update.mode off - -defaults - log stderr local0 debug err - timeout connect 1s - timeout client 1s - timeout server 1s - -listen ssl-lst - bind "${tmpdir}/ssl.sock" ssl crt-list 
${tmpdir}/ocsp_compat_check.list - server s1 127.0.0.1:80 -EOF - - $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c -}
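Review bot: With the GOOD CONFIGURATIONS section removed, every remaining case in this file expects `-c` to fail, so a regression that makes the check reject consistent settings as well would pass unnoticed. The commit message explains why the old positive cases no longer hold, but at least one accepted configuration should stay as a control. A candidate is a crt-list that names the same certificate twice with the same explicit `[ocsp-update on]` and relies on the exit status of the check; whether that is accepted under crt-store needs confirming against the new comparison code.

```shell
# positive control
# global_option   -
# bind line       -
# crt-list        ON
# crt-list        ON
shell {
    cat << EOF > ${tmpdir}/ocsp_compat_check.list
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF

    # … ocsp_compat_check.cfg heredoc as in the removed crt-list-only cases, without a global ocsp-update.mode line …

    $HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c
}
```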