From: Remi Tricot-Le Breton Date: Wed, 13 Oct 2021 09:21:02 +0000 (+0200) Subject: REGTESTS: ssl: Use mostly TLSv1.2 in ssl_errors test X-Git-Tag: v2.5-dev10~63 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e1b61090a015ceea9a6c4653d8b6e2c2afabb476;p=thirdparty%2Fhaproxy.git REGTESTS: ssl: Use mostly TLSv1.2 in ssl_errors test In order for the test to run with OpenSSL 1.0.2 the test will now mostly use TLSv1.2 and use TLS 1.3 only on some specific tests (covered by preconditions). --- diff --git a/reg-tests/ssl/ssl_errors.vtc b/reg-tests/ssl/ssl_errors.vtc index 49ee8c0ac5..dbc5b17095 100644 --- a/reg-tests/ssl/ssl_errors.vtc +++ b/reg-tests/ssl/ssl_errors.vtc @@ -63,24 +63,24 @@ syslog Slg_cust_fmt -level info { syslog Slg_https_fmt -level info { recv - expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/s1.*0/0000000000000000/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384" + expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/s1.*0/0000000000000000/0/0 TLSv1.2/AES256-GCM-SHA384" barrier b1 sync } -start syslog Slg_https_fmt_err -level info { recv - expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/.*30/0000000000000086/0/2 TLSv1.3/TLS_AES_256_GCM_SHA384" + expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/.*30/0000000000000086/0/2 TLSv1.2/\\(NONE\\)" barrier b1 sync recv - expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/.*31/0000000000000086/20/0 TLSv1.3/TLS_AES_256_GCM_SHA384" + expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/.*31/0000000000000086/20/0 TLSv1.2/\\(NONE\\)" barrier b1 sync recv - expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/.*34/00000000000000C1/0/0 TLSv1.3/\\(NONE\\)" + expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/.*34/00000000000000C1/0/0 TLSv1.2/\\(NONE\\)" } -start syslog Slg_logconnerror -level info { @@ -119,9 +119,9 @@ syslog Slg_bcknd -level info { barrier b2 sync - # Verify errors on the server side cannot be caught through those backend fetches yet + # Verify errors on the server side cannot be caught when using TLSv1.3 but it works for TLSv1.2 recv - expect ~ ".*bc_conn_err:0:\"Success\" ssl_bc_err:0:" + expect ~ ".*bc_conn_err:34:\"SSL handshake failure\" ssl_bc_err:1048:.*:tlsv1 alert unknown ca" barrier b2 sync @@ -154,7 +154,7 @@ haproxy h1 -conf { listen clear_lst bind "fd@${clearlst}" - default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse + default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 balance roundrobin server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock" @@ -164,7 +164,7 @@ haproxy h1 -conf { listen clear_wrong_ciphers_lst bind "fd@${wrongcipherslst}" - default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse ciphersuites "TLS_AES_128_GCM_SHA256" + default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 ciphers "aECDSA" balance roundrobin server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock" @@ -183,9 +183,19 @@ haproxy h1 -conf { server no_err "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required server srv_cert_rejected "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required server mismatch_frontend "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required verifyhost str(toto) - server clt_cert_rejected "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none + # We force TLSv1.2 for this specific case because server-side + # verification errors cannot be caught by the backend fetches when + # using TLSv1.3 + server clt_cert_rejected "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none force-tlsv12 server wrong_ciphers "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA" + + # No TLSv1.3 support with OpenSSL 1.0.2 so we duplicate the previous + # wrong cipher test in this case so that the error log remains the same +.if openssl_version_before(1.1.1) + server wrong_ciphers2 "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA" +.else server wrong_ciphers_tls13 "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" force-tlsv13 +.endif @@ -195,7 +205,7 @@ haproxy h1 -conf { mode http log-format "conn_status:\"%[fc_conn_err]:%[fc_conn_err_str]\" hsk_err:\"%[ssl_fc_err]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]" error-log-format "ERROR conn_status:\"%[fc_conn_err]:%[fc_conn_err_str]\" hsk_err:\"%[ssl_fc_err,and(proc.ssl_error_mask)]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]" - bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384" + bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA" server s1 ${s1_addr}:${s1_port} listen https_logfmt_ssl_lst @@ -205,14 +215,14 @@ haproxy h1 -conf { mode http option httpslog error-log-format "ERROR %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[fc_conn_err]/%[ssl_fc_err,and(proc.ssl_error_mask),hex]/%[ssl_c_err]/%[ssl_c_ca_err] %sslv/%sslc" - bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384" + bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA" server s1 ${s1_addr}:${s1_port} listen logconnerror_ssl_lst log ${Slg_logconnerror_addr}:${Slg_logconnerror_port} local0 info mode http option httplog - bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphersuites "TLS_AES_256_GCM_SHA384" + bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA" server s1 ${s1_addr}:${s1_port} @@ -237,9 +247,11 @@ haproxy h1 -conf { bind "${tmpdir}/wrong_ciphers_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv12 ciphers "kRSA" server s1 ${s1_addr}:${s1_port} +.if openssl_version_atleast(1.1.1) listen wrong_ciphers_tls13_ssl_lst bind "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv13 ciphersuites "TLS_AES_128_GCM_SHA256" server s1 ${s1_addr}:${s1_port} +.endif } -start