--- /dev/null
+#REGTEST_TYPE=slow
+# reg-test is around ~2.5s
+
+# broken with BoringSSL.
+
+# With QUIC listeners.
+# This reg-test focuses on the OCSP response auto-update functionality. It does
+# not test the full scope of the feature because most of it is based on
+# expiration times and long delays between updates of valid OCSP responses.
+# Automatic update of valid OCSP responses loaded during init will not be
+# tested because by design, such a response would no be automatically updated
+# until init+1H.
+#
+# This test will then focus on certificates that have a specified OCSP URI but
+# no known OCSP response. For those certificates, OCSP requests are sent as
+# soon as possible by the update task.
+#
+# The ocsp responder used in all the tests will be an openssl using the
+# certificate database in ocsp_update/index.txt. It will listen on port 12345
+# which was specified explicitly in the certificates used in the tests.
+# The synchronization will be based on the logs emitted by the OCSP update task
+# directly. When this log is created, we will know that the update was
+# effective and the updated OCSP response is loaded in the tree. So any
+# following call to "show ssl ocsp-response" will display the latest response
+# information.
+#
+# If this test does not work anymore:
+# - Check that you have openssl and socat
+
+varnishtest "Test the OCSP auto update feature"
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
+feature cmd "command -v openssl && command -v socat"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL)'"
+
+setenv VTC_SOCK_TYPE quic
+include ${testdir}/../ssl/ocsp_auto_update.vtci
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && !ssllib_name_startswith(LibreSSL) && openssl_version_atleast(1.1.1)'"
feature cmd "command -v openssl && command -v socat"
-feature ignore_unknown_macro
-
-###################
-# #
-# FIRST TEST CASE #
-# #
-###################
-
-# No automatic update should occur in this test case since we load two already
-# valid OCSP responses during init which have a "Next Update" date really far
-# in the future. So they should only be updated after one hour.
-# This test will only be the most basic one where we check that ocsp response
-# loading still works as expected.
-
-haproxy h1 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- .if !ssllib_name_startswith(AWS-LC)
- tune.ssl.default-dh-param 2048
- .endif
- tune.ssl.capture-buffer-size 1
- stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}/certs/ocsp_update
-
- defaults
- mode http
- option httplog
- log stderr local0 debug err
- option logasap
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
- frontend ssl-fe
- bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-} -start
-
-
-# We should have two distinct ocsp responses known that were loaded at build time
-haproxy h1 -cli {
- send "show ssl ocsp-response"
- expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
- send "show ssl ocsp-response"
- expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
-
- send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
- expect ~ "Cert Status: revoked"
-
- send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
- expect ~ "Cert Status: good"
-}
-
-haproxy h1 -wait
-
-
-
-####################
-# #
-# SECOND TEST CASE #
-# #
-####################
-
-# This test will focus on two separate certificates that have the same OCSP uri
-# (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time.
-# The update mode is set to 'on' in the two crt-lists used. The two ocsp
-# responses should then be fetched automatically after init.
-# We rely on the OCSP logs to ensure that the two updates are over before
-# calling "show ssl ocsp-response". This is done through the Syslog_ocsp
-# listener and a dedicated barrier.
-
-process p2 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
-
-barrier b2 cond 2 -cyclic
-
-syslog Syslog_ocsp -level notice {
- recv
- expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
-
- recv
- expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
-
- barrier b2 sync
-} -start
-
-haproxy h2 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- .if !ssllib_name_startswith(AWS-LC)
- tune.ssl.default-dh-param 2048
- .endif
- tune.ssl.capture-buffer-size 1
- stats socket "${tmpdir}/h2/stats" level admin
- crt-base ${testdir}/certs/ocsp_update
- log ${Syslog_ocsp_addr}:${Syslog_ocsp_port} local0 notice notice
-
- defaults
- mode http
- option httplog
- log stderr local0 debug err
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
- frontend ssl-rsa-fe
- bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-
- frontend ssl-ecdsa-fe
- bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-} -start
-
-barrier b2 sync
-
-# We should have two distinct ocsp IDs known that were loaded at build time and
-# the responses' contents should have been filled automatically by the ocsp
-# update task after init
-haproxy h2 -cli {
- send "show ssl ocsp-response"
- expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
- send "show ssl ocsp-response"
- expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
-
- send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
- expect ~ "Cert Status: revoked"
-
- send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
- expect ~ "Cert Status: revoked"
-}
-
-haproxy h2 -wait
-process p2 -wait -expect-exit 0
-
-
-###################
-# #
-# THIRD TEST CASE #
-# #
-###################
-
-# This test will be roughly the same as the second one but one of the crt-lists
-# will not enable ocsp-update on its certificate. Only one request should then
-# be sent.
-
-process p3 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
-
-barrier b3 cond 2 -cyclic
-
-syslog Syslog_ocsp3 -level notice {
- recv
- expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
- barrier b3 sync
-} -start
-
-haproxy h3 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- .if !ssllib_name_startswith(AWS-LC)
- tune.ssl.default-dh-param 2048
- .endif
- tune.ssl.capture-buffer-size 1
- stats socket "${tmpdir}/h3/stats" level admin
- crt-base ${testdir}/certs/ocsp_update
- log ${Syslog_ocsp3_addr}:${Syslog_ocsp3_port} local0 notice notice
-
- defaults
- mode http
- option httplog
- log stderr local0 debug err
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
- frontend ssl-rsa-fe
- bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-
- frontend ssl-ecdsa-fe
- bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-} -start
-
-barrier b3 sync
-
-# We should have a single ocsp ID known that was loaded at build time and the
-# response should be filled
-haproxy h3 -cli {
- send "show ssl ocsp-response"
- expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
- send "show ssl ocsp-response"
- expect !~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
-
- send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
- expect ~ "Cert Status: revoked"
-}
-
-haproxy h3 -wait
-process p3 -wait
-
-
-
-####################
-# #
-# FOURTH TEST CASE #
-# (CLI COMMAND) #
-# #
-####################
-# This test focuses on the "update ssl ocsp-response" CLI command and tests two
-# certificates that have a known OCSP response loaded during init but no OCSP
-# auto update. The only difference between the two certificates is that one has
-# a separate .issuer file while the other one has the issuer certificate
-# directly in the main .pem file.
-# We store the original "Produced At" date of the responses loaded during init
-# in haproxy proc variables in order to compare them to their new value after
-# the update is performed.
-
-process p4 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
-
-barrier b4 cond 2 -cyclic
-
-syslog Syslog_ocsp4 -level notice {
- recv
- expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
-
- recv
- expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
- barrier b4 sync
-} -start
-
-haproxy h4 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- .if !ssllib_name_startswith(AWS-LC)
- tune.ssl.default-dh-param 2048
- .endif
- tune.ssl.capture-buffer-size 1
- stats socket "${tmpdir}/h4/stats" level admin
- crt-base ${testdir}/certs/ocsp_update
- log ${Syslog_ocsp4_addr}:${Syslog_ocsp4_port} local0 notice notice
-
- defaults
- mode http
- option httplog
- log stderr local0 debug err
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
- frontend ssl-rsa-ocsp
- bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-
- frontend ssl-ecdsa-ocsp
- bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-} -start
-
-# We need to "enable" the cli with a first cli call before using it only through socats
-haproxy h4 -cli {
- send "show ssl cert"
- expect ~ ""
-}
-
-# We should have two OCSP responses loaded during init
-shell {
- responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -)
-
- [ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \
- echo "$responses" | grep "Serial Number: 1016" && \
- echo "$responses" | grep "Serial Number: 1015"
-}
-
-haproxy h4 -cli {
- send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
- expect ~ "Cert Status: revoked"
-
- send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
- expect ~ "Cert Status: good"
-}
-
-# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer)
-shell {
- # Store the current "Produced At" in order to ensure that after the update
- # the OCSP response actually changed
- produced_at1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
-
- echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
-
- # Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer)
- # Store the current "Produced At" in order to ensure that after the update
- # the OCSP response actually changed
- produced_at2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
-
- echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
-
- echo "experimental-mode on;set var proc.produced_at1 str($produced_at1)" | socat "${tmpdir}/h4/stats" -
- echo "experimental-mode on;set var proc.produced_at2 str($produced_at2)" | socat "${tmpdir}/h4/stats" -
-}
-
-barrier b4 sync
-
-shell {
- produced_at1_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
- produced_at2_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
-
- ocsp_response1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -)
- ocsp_response2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -)
-
- echo "$ocsp_response1" | grep -q "Serial Number: 1015" && \
- echo "$ocsp_response1" | grep -q "Cert Status: revoked" && \
- echo "$ocsp_response2" | grep -q "Serial Number: 1016" && \
- echo "$ocsp_response2" | grep -q "Cert Status: revoked" && \
- [ "$produced_at1_after" != "$(echo \"experimental-mode on; get var proc.produced_at1\" | socat \"${tmpdir}/h4/stats\")" ] && \
- [ "$produced_at2_after" != "$(echo \"experimental-mode on; get var proc.produced_at2\" | socat \"${tmpdir}/h4/stats\")" ]
-
-}
-
-haproxy h4 -wait
-process p4 -wait
-
-
-####################
-# #
-# FIFTH TEST CASE #
-# (CLI COMMAND) #
-# #
-####################
-
-# Test the "show ssl ocsp-updates" command as well as the new 'base64' parameter
-# to the "show ssl ocsp-response" command.
-
-
-process p5 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
-
-barrier b5 cond 2 -cyclic
-
-syslog Syslog_ocsp5 -level notice {
- recv
- expect ~ "<OCSP-UPDATE> .*/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
-
- recv
- expect ~ "<OCSP-UPDATE> .*/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
-
- barrier b5 sync
-} -start
-
-haproxy h5 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- .if !ssllib_name_startswith(AWS-LC)
- tune.ssl.default-dh-param 2048
- .endif
- tune.ssl.capture-buffer-size 1
- stats socket "${tmpdir}/h5/stats" level admin
- crt-base ${testdir}/certs/ocsp_update
- log ${Syslog_ocsp5_addr}:${Syslog_ocsp5_port} local0 notice notice
-
- defaults
- mode http
- option httplog
- log stderr local0 debug err
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
- frontend ssl-rsa-fe
- bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-
- frontend ssl-ecdsa-fe
- bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-} -start
-
-barrier b5 sync
-
-# Use "show ssl ocsp-updates" CLI command
-# We should have one line per OCSP response and each one of them should have been successfully updated once
-# The command's output follows this format:
-# OCSP Certid | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
-haproxy h5 -cli {
- send "show ssl ocsp-updates"
- expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*| 1 | 0 | 1 | Update successful"
-
- send "show ssl ocsp-updates"
- expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
-}
-
-# Use "show ssl ocsp-response" command to dump an OCSP response in base64
-shell {
- ocsp_resp_file="${tmpdir}.ocsp_resp.der"
-
- echo "show ssl ocsp-response base64 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h5/stats" - | sed -e 's/.\{72\}/&\n/g' | openssl base64 -d | tee /tmp/with-o64 > $ocsp_resp_file
-
- if [ $? -eq 0 ]
- then
- ocsp_resp_txt="$(openssl ocsp -respin $ocsp_resp_file -noverify -text)"
- echo "$ocsp_resp_txt" | grep "Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A" && \
- echo "$ocsp_resp_txt" | grep "Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A" && \
- echo "$ocsp_resp_txt" | grep "Serial Number: 1015" && \
- echo "$ocsp_resp_txt" | grep "Cert Status: revoked"
- else
- return 1
- fi
-}
-
-haproxy h5 -wait
-process p5 -wait
-
-
-####################
-# #
-# SIXTH TEST CASE #
-# #
-####################
-
-# Check that a new certificate added via the CLI to a crt-list with
-# the 'ocsp-update on' option will be taken into account by the OCSP
-# auto update task
-#
-process p6 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
-
-barrier b6 cond 2 -cyclic
-
-syslog Syslog_ocsp6 -level notice {
- recv
- expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
-
- barrier b6 sync
-} -start
-
-haproxy h6 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- .if !ssllib_name_startswith(AWS-LC)
- tune.ssl.default-dh-param 2048
- .endif
- tune.ssl.capture-buffer-size 1
- stats socket "${tmpdir}/h6/stats" level admin
- crt-base ${testdir}/certs
- log ${Syslog_ocsp6_addr}:${Syslog_ocsp6_port} local0 notice notice
-
- defaults
- mode http
- option httplog
- log stderr local0 debug err
- option logasap
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
- frontend ssl-fe
- bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-
-} -start
-
-# We need to "enable" the cli with a first cli call before using it only through socats
-haproxy h6 -cli {
- send "show ssl cert"
- expect ~ ""
-}
-
-# Create a new certificate that has an OCSP uri and add it to the
-# existing CLI with the 'ocsp-update on' command.
-shell {
- echo "new ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
- printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" -
- printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" -
- echo "commit ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
-
- printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" -
-}
-
-barrier b6 sync
-
-haproxy h6 -cli {
- send "show ssl ocsp-updates"
- expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
-}
-
-haproxy h6 -wait
-process p6 -wait
-
-
-######################
-# #
-# SEVENTH TEST CASE #
-# #
-######################
-
-# Check that the global "tune.ocsp-update.mode" option works and that it
-# applies to certificates added via the CLI as well.
-#
-process p7 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
-
-barrier b7 cond 2 -cyclic
-
-syslog Syslog_ocsp7 -level notice {
- recv
- expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
-
- barrier b7 sync
-
- recv
- expect ~ "<OCSP-UPDATE> ${testdir}/certs/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
-
- barrier b7 sync
-} -start
-
-haproxy h7 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- .if !ssllib_name_startswith(AWS-LC)
- tune.ssl.default-dh-param 2048
- .endif
- tune.ssl.capture-buffer-size 1
- stats socket "${tmpdir}/h7/stats" level admin
- crt-base ${testdir}/certs
- ocsp-update.mode on
- log ${Syslog_ocsp7_addr}:${Syslog_ocsp7_port} local0 notice notice
-
- defaults
- mode http
- option httplog
- log stderr local0 debug err
- option logasap
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
- frontend ssl-fe
- bind "${tmpdir}/ssl_h7.sock" ssl crt ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- bind "${tmpdir}/ssl_h7_2.sock" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-} -start
-
-barrier b7 sync
-
-# Create a new certificate that has an OCSP uri and add it to the
-# existing CLI with the 'ocsp-update on' command.
-shell {
- echo "new ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
- printf "set ssl cert ${testdir}/certs/server_ocsp_rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" -
- echo "commit ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
-
- # We should have ocsp-update enabled via the global option
- printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" -
-}
-
-barrier b7 sync
-
-haproxy h7 -cli {
- send "show ssl ocsp-updates"
- expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful"
-
- send "show ssl ocsp-updates"
- expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/certs/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful"
-}
-
-haproxy h7 -wait
-process p7 -wait
-
-
-######################
-# #
-# EIGHTH TEST CASE #
-# #
-######################
-
-#
-# Check that removing crt-list instances does not remove the OCSP responses
-# from the tree but that they will not be auto updated anymore if the last
-# instance is removed (via del ssl crt-list).
-#
-
-haproxy h8 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- .if !ssllib_name_startswith(AWS-LC)
- tune.ssl.default-dh-param 2048
- .endif
- tune.ssl.capture-buffer-size 1
- stats socket "${tmpdir}/h8/stats" level admin
- crt-base ${testdir}/certs/ocsp_update
-
- defaults
- mode http
- option httplog
- log stderr local0 debug err
- option logasap
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
- frontend ssl-fe
- bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-
- listen http_rebound_lst
- mode http
- bind "127.0.0.1:12345"
- server s1 "127.0.0.1:12346"
-} -start
-
-# Check that the two certificates are taken into account in the auto update process
-haproxy h8 -cli {
- send "show ssl ocsp-updates"
- expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*"
-
- send "show ssl ocsp-updates"
- expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
-}
-
-# Remove the second line from the crt-list and check that the corresponding
-# ocsp response was removed from the auto update list but is still present in the
-# system
-haproxy h8 -cli {
- send "del ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa"
- expect ~ "Entry.*deleted in crtlist"
-
- send "show ssl ocsp-updates"
- expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
-
- send "show ssl ocsp-response"
- expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
-
- send "show ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa"
- expect ~ ".* Cert Status: good.*"
-}
-
-# Add the previously removed crt-list line with auto-update enabled and check that
-# the ocsp response appears in the auto update list
-shell {
- printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list"
-}
-
-haproxy h8 -cli {
- send "show ssl ocsp-updates"
- expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
-}
-
-# Check that the auto update option consistency check work even when crt-list
-# lines are added through the cli
-shell {
- printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'"
-}
-
-haproxy h8 -wait
-
-####################
-# #
-# NINTH TEST CASE #
-# #
-####################
-
-#
-# Check that a certificate created through the CLI and which does not have ocsp
-# update enabled can be updated via "update ssl ocsp-response" command.
-#
-
-process p9 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
-
-barrier b9 cond 2 -cyclic
-
-syslog Syslog_ocsp9 -level notice {
- recv
- expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/rsa.pem 1 \"Update successful\" 0 1"
-
- barrier b9 sync
-} -start
-
-
-haproxy h9 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- .if !ssllib_name_startswith(AWS-LC)
- tune.ssl.default-dh-param 2048
- .endif
- tune.ssl.capture-buffer-size 1
- stats socket "${tmpdir}/h9/stats" level admin
- crt-base ${testdir}/certs/ocsp_update
- log ${Syslog_ocsp9_addr}:${Syslog_ocsp9_port} local0 notice notice
-
- defaults
- mode http
- option httplog
- log stderr local0 debug err
- option logasap
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
- frontend ssl-fe
- bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
- http-request return status 200
-} -start
-
-# We need to "enable" the cli with a first cli call before using it only through socats
-haproxy h9 -cli {
- send "show ssl cert"
- expect ~ ""
-}
-
-# Create a new certificate and add it in the crt-list with ocsp auto-update enabled
-shell {
- echo "new ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
- printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" -
- printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" -
- printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.ocsp <<\n$(openssl base64 < ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" -
- echo "commit ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
-
- printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" -
-}
-
-# Check that the line is in the crt-list
-haproxy h9 -cli {
- send "show ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list"
- expect ~ "${testdir}/certs/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar"
-}
-
-# Check that the new certificate is NOT in the auto update list
-haproxy h9 -cli {
- send "show ssl ocsp-updates"
- expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015.*"
-}
-
-shell {
- echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
-}
-
-barrier b9 sync
-
-haproxy h9 -cli {
- send "show ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem"
- expect ~ ".* Cert Status: revoked.*"
-}
-
-haproxy h9 -wait
-process p9 -wait
+setenv VTC_SOCK_TYPE stream
+include ${testdir}/ocsp_auto_update.vtci
--- /dev/null
+feature ignore_unknown_macro
+
+
+###################
+# #
+# FIRST TEST CASE #
+# #
+###################
+
+# No automatic update should occur in this test case since we load two already
+# valid OCSP responses during init which have a "Next Update" date really far
+# in the future. So they should only be updated after one hour.
+# This test will only be the most basic one where we check that ocsp response
+# loading still works as expected.
+
+haproxy h1 -conf {
+ global
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h1/stats" level admin
+ crt-base ${testdir}/certs/ocsp_update
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ option logasap
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-fe
+ bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+} -start
+
+
+# We should have two distinct ocsp responses known that were loaded at build time
+haproxy h1 -cli {
+ send "show ssl ocsp-response"
+ expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
+ send "show ssl ocsp-response"
+ expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
+
+ send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
+ expect ~ "Cert Status: revoked"
+
+ send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
+ expect ~ "Cert Status: good"
+}
+
+haproxy h1 -wait
+
+
+
+####################
+# #
+# SECOND TEST CASE #
+# #
+####################
+
+# This test will focus on two separate certificates that have the same OCSP uri
+# (http://ocsp.haproxy.com:12345) but no OCSP response loaded at build time.
+# The update mode is set to 'on' in the two crt-lists used. The two ocsp
+# responses should then be fetched automatically after init.
+# We rely on the OCSP logs to ensure that the two updates are over before
+# calling "show ssl ocsp-response". This is done through the Syslog_ocsp
+# listener and a dedicated barrier.
+
+process p2 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+
+barrier b2 cond 2 -cyclic
+
+syslog Syslog_ocsp -level notice {
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
+
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
+
+ barrier b2 sync
+} -start
+
+haproxy h2 -conf {
+ global
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h2/stats" level admin
+ crt-base ${testdir}/certs/ocsp_update
+ log ${Syslog_ocsp_addr}:${Syslog_ocsp_port} local0 notice notice
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-rsa-fe
+ bind "${VTC_SOCK_TYPE}+fd@${ssl_rsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+
+ frontend ssl-ecdsa-fe
+ bind "${VTC_SOCK_TYPE}+fd@${ssl_ecdsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+} -start
+
+barrier b2 sync
+
+# We should have two distinct ocsp IDs known that were loaded at build time and
+# the responses' contents should have been filled automatically by the ocsp
+# update task after init
+haproxy h2 -cli {
+ send "show ssl ocsp-response"
+ expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
+ send "show ssl ocsp-response"
+ expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
+
+ send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
+ expect ~ "Cert Status: revoked"
+
+ send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
+ expect ~ "Cert Status: revoked"
+}
+
+haproxy h2 -wait
+process p2 -wait -expect-exit 0
+
+
+###################
+# #
+# THIRD TEST CASE #
+# #
+###################
+
+# This test will be roughly the same as the second one but one of the crt-lists
+# will not enable ocsp-update on its certificate. Only one request should then
+# be sent.
+
+process p3 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
+
+barrier b3 cond 2 -cyclic
+
+syslog Syslog_ocsp3 -level notice {
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
+ barrier b3 sync
+} -start
+
+haproxy h3 -conf {
+ global
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h3/stats" level admin
+ crt-base ${testdir}/certs/ocsp_update
+ log ${Syslog_ocsp3_addr}:${Syslog_ocsp3_port} local0 notice notice
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-rsa-fe
+ bind "${VTC_SOCK_TYPE}+fd@${ssl_rsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+
+ frontend ssl-ecdsa-fe
+ bind "${VTC_SOCK_TYPE}+fd@${ssl_ecdsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+} -start
+
+barrier b3 sync
+
+# We should have a single ocsp ID known that was loaded at build time and the
+# response should be filled
+haproxy h3 -cli {
+ send "show ssl ocsp-response"
+ expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
+ send "show ssl ocsp-response"
+ expect !~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
+
+ send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
+ expect ~ "Cert Status: revoked"
+}
+
+haproxy h3 -wait
+process p3 -wait
+
+
+
+####################
+# #
+# FOURTH TEST CASE #
+# (CLI COMMAND) #
+# #
+####################
+# This test focuses on the "update ssl ocsp-response" CLI command and tests two
+# certificates that have a known OCSP response loaded during init but no OCSP
+# auto update. The only difference between the two certificates is that one has
+# a separate .issuer file while the other one has the issuer certificate
+# directly in the main .pem file.
+# We store the original "Produced At" date of the responses loaded during init
+# in haproxy proc variables in order to compare them to their new value after
+# the update is performed.
+
+process p4 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+
+barrier b4 cond 2 -cyclic
+
+syslog Syslog_ocsp4 -level notice {
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
+
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
+ barrier b4 sync
+} -start
+
+haproxy h4 -conf {
+ global
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h4/stats" level admin
+ crt-base ${testdir}/certs/ocsp_update
+ log ${Syslog_ocsp4_addr}:${Syslog_ocsp4_port} local0 notice notice
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-rsa-ocsp
+ bind "${VTC_SOCK_TYPE}+fd@${ssl_rsa_ocsp}" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+
+ frontend ssl-ecdsa-ocsp
+ bind "${VTC_SOCK_TYPE}+fd@${ssl_ecdsa_ocsp}" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+} -start
+
+# We need to "enable" the cli with a first cli call before using it only through socats
+haproxy h4 -cli {
+ send "show ssl cert"
+ expect ~ ""
+}
+
+# We should have two OCSP responses loaded during init
+shell {
+ responses=$(echo "show ssl ocsp-response" | socat "${tmpdir}/h4/stats" -)
+
+ [ $(echo "$responses" | grep -c "^Certificate ID key") -eq 2 ] && \
+ echo "$responses" | grep "Serial Number: 1016" && \
+ echo "$responses" | grep "Serial Number: 1015"
+}
+
+haproxy h4 -cli {
+ send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015"
+ expect ~ "Cert Status: revoked"
+
+ send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
+ expect ~ "Cert Status: good"
+}
+
+# Update the first ocsp response (ckch_data has a non-NULL ocsp_issuer pointer)
+shell {
+ # Store the current "Produced At" in order to ensure that after the update
+ # the OCSP response actually changed
+ produced_at1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
+
+ echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
+
+ # Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer)
+ # Store the current "Produced At" in order to ensure that after the update
+ # the OCSP response actually changed
+ produced_at2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
+
+ echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
+
+ echo "experimental-mode on;set var proc.produced_at1 str($produced_at1)" | socat "${tmpdir}/h4/stats" -
+ echo "experimental-mode on;set var proc.produced_at2 str($produced_at2)" | socat "${tmpdir}/h4/stats" -
+}
+
+barrier b4 sync
+
+shell {
+ produced_at1_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
+ produced_at2_after=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
+
+ ocsp_response1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" -)
+ ocsp_response2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" -)
+
+ echo "$ocsp_response1" | grep -q "Serial Number: 1015" && \
+ echo "$ocsp_response1" | grep -q "Cert Status: revoked" && \
+ echo "$ocsp_response2" | grep -q "Serial Number: 1016" && \
+ echo "$ocsp_response2" | grep -q "Cert Status: revoked" && \
+ [ "$produced_at1_after" != "$(echo \"experimental-mode on; get var proc.produced_at1\" | socat \"${tmpdir}/h4/stats\")" ] && \
+ [ "$produced_at2_after" != "$(echo \"experimental-mode on; get var proc.produced_at2\" | socat \"${tmpdir}/h4/stats\")" ]
+
+}
+
+haproxy h4 -wait
+process p4 -wait
+
+
+####################
+# #
+# FIFTH TEST CASE #
+# (CLI COMMAND) #
+# #
+####################
+
+# Test the "show ssl ocsp-updates" command as well as the new 'base64' parameter
+# to the "show ssl ocsp-response" command.
+
+
+process p5 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+
+barrier b5 cond 2 -cyclic
+
+syslog Syslog_ocsp5 -level notice {
+ recv
+ expect ~ "<OCSP-UPDATE> .*/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
+
+ recv
+ expect ~ "<OCSP-UPDATE> .*/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
+
+ barrier b5 sync
+} -start
+
+haproxy h5 -conf {
+ global
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h5/stats" level admin
+ crt-base ${testdir}/certs/ocsp_update
+ log ${Syslog_ocsp5_addr}:${Syslog_ocsp5_port} local0 notice notice
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-rsa-fe
+ bind "${VTC_SOCK_TYPE}+fd@${ssl_rsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+
+ frontend ssl-ecdsa-fe
+ bind "${VTC_SOCK_TYPE}+fd@${ssl_ecdsa}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+} -start
+
+barrier b5 sync
+
+# Use "show ssl ocsp-updates" CLI command
+# We should have one line per OCSP response and each one of them should have been successfully updated once
+# The command's output follows this format:
+# OCSP Certid | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
+haproxy h5 -cli {
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*| 1 | 0 | 1 | Update successful"
+
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
+}
+
+# Use "show ssl ocsp-response" command to dump an OCSP response in base64
+shell {
+ ocsp_resp_file="${tmpdir}.ocsp_resp.der"
+
+ echo "show ssl ocsp-response base64 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h5/stats" - | sed -e 's/.\{72\}/&\n/g' | openssl base64 -d | tee /tmp/with-o64 > $ocsp_resp_file
+
+ if [ $? -eq 0 ]
+ then
+ ocsp_resp_txt="$(openssl ocsp -respin $ocsp_resp_file -noverify -text)"
+ echo "$ocsp_resp_txt" | grep "Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A" && \
+ echo "$ocsp_resp_txt" | grep "Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A" && \
+ echo "$ocsp_resp_txt" | grep "Serial Number: 1015" && \
+ echo "$ocsp_resp_txt" | grep "Cert Status: revoked"
+ else
+ return 1
+ fi
+}
+
+haproxy h5 -wait
+process p5 -wait
+
+
+####################
+# #
+# SIXTH TEST CASE #
+# #
+####################
+
+# Check that a new certificate added via the CLI to a crt-list with
+# the 'ocsp-update on' option will be taken into account by the OCSP
+# auto update task
+#
+process p6 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
+
+barrier b6 cond 2 -cyclic
+
+syslog Syslog_ocsp6 -level notice {
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
+
+ barrier b6 sync
+} -start
+
+haproxy h6 -conf {
+ global
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h6/stats" level admin
+ crt-base ${testdir}/certs
+ log ${Syslog_ocsp6_addr}:${Syslog_ocsp6_port} local0 notice notice
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ option logasap
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-fe
+ bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+
+} -start
+
+# We need to "enable" the cli with a first cli call before using it only through socats
+haproxy h6 -cli {
+ send "show ssl cert"
+ expect ~ ""
+}
+
+# Create a new certificate that has an OCSP uri and add it to the
+# existing CLI with the 'ocsp-update on' command.
+shell {
+ echo "new ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" -
+ echo "commit ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
+
+ printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" -
+}
+
+barrier b6 sync
+
+haproxy h6 -cli {
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
+}
+
+haproxy h6 -wait
+process p6 -wait
+
+
+######################
+# #
+# SEVENTH TEST CASE #
+# #
+######################
+
+# Check that the global "tune.ocsp-update.mode" option works and that it
+# applies to certificates added via the CLI as well.
+#
+process p7 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+
+barrier b7 cond 2 -cyclic
+
+syslog Syslog_ocsp7 -level notice {
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
+
+ barrier b7 sync
+
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
+
+ barrier b7 sync
+} -start
+
+haproxy h7 -conf {
+ global
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h7/stats" level admin
+ crt-base ${testdir}/certs
+ ocsp-update.mode on
+ log ${Syslog_ocsp7_addr}:${Syslog_ocsp7_port} local0 notice notice
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ option logasap
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-fe
+ bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${VTC_SOCK_TYPE}+fd@${ssl2}" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+} -start
+
+barrier b7 sync
+
+# Create a new certificate that has an OCSP uri and add it to the
+# existing CLI with the 'ocsp-update on' command.
+shell {
+ echo "new ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
+ printf "set ssl cert ${testdir}/certs/server_ocsp_rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" -
+ echo "commit ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
+
+ # We should have ocsp-update enabled via the global option
+ printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" -
+}
+
+barrier b7 sync
+
+haproxy h7 -cli {
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful"
+
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/certs/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful"
+}
+
+haproxy h7 -wait
+process p7 -wait
+
+
+######################
+# #
+# EIGHTH TEST CASE #
+# #
+######################
+
+#
+# Check that removing crt-list instances does not remove the OCSP responses
+# from the tree but that they will not be auto updated anymore if the last
+# instance is removed (via del ssl crt-list).
+#
+
+haproxy h8 -conf {
+ global
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h8/stats" level admin
+ crt-base ${testdir}/certs/ocsp_update
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ option logasap
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-fe
+ bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+
+ listen http_rebound_lst
+ mode http
+ bind "127.0.0.1:12345"
+ server s1 "127.0.0.1:12346"
+} -start
+
+# Check that the two certificates are taken into account in the auto update process
+haproxy h8 -cli {
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*"
+
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
+}
+
+# Remove the second line from the crt-list and check that the corresponding
+# ocsp response was removed from the auto update list but is still present in the
+# system
+haproxy h8 -cli {
+ send "del ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa"
+ expect ~ "Entry.*deleted in crtlist"
+
+ send "show ssl ocsp-updates"
+ expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
+
+ send "show ssl ocsp-response"
+ expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
+
+ send "show ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa"
+ expect ~ ".* Cert Status: good.*"
+}
+
+# Add the previously removed crt-list line with auto-update enabled and check that
+# the ocsp response appears in the auto update list
+shell {
+ printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list"
+}
+
+haproxy h8 -cli {
+ send "show ssl ocsp-updates"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
+}
+
+# Check that the auto update option consistency check work even when crt-list
+# lines are added through the cli
+shell {
+ printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'"
+}
+
+haproxy h8 -wait
+
+####################
+# #
+# NINTH TEST CASE #
+# #
+####################
+
+#
+# Check that a certificate created through the CLI and which does not have ocsp
+# update enabled can be updated via "update ssl ocsp-response" command.
+#
+
+process p9 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
+
+barrier b9 cond 2 -cyclic
+
+syslog Syslog_ocsp9 -level notice {
+ recv
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/rsa.pem 1 \"Update successful\" 0 1"
+
+ barrier b9 sync
+} -start
+
+
+haproxy h9 -conf {
+ global
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h9/stats" level admin
+ crt-base ${testdir}/certs/ocsp_update
+ log ${Syslog_ocsp9_addr}:${Syslog_ocsp9_port} local0 notice notice
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ option logasap
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend ssl-fe
+ bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ http-request return status 200
+} -start
+
+# We need to "enable" the cli with a first cli call before using it only through socats
+haproxy h9 -cli {
+ send "show ssl cert"
+ expect ~ ""
+}
+
+# Create a new certificate and add it in the crt-list with ocsp auto-update enabled
+shell {
+ echo "new ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.ocsp <<\n$(openssl base64 < ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" -
+ echo "commit ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
+
+ printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" -
+}
+
+# Check that the line is in the crt-list
+haproxy h9 -cli {
+ send "show ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list"
+ expect ~ "${testdir}/certs/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar"
+}
+
+# Check that the new certificate is NOT in the auto update list
+haproxy h9 -cli {
+ send "show ssl ocsp-updates"
+ expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015.*"
+}
+
+shell {
+ echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
+}
+
+barrier b9 sync
+
+haproxy h9 -cli {
+ send "show ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem"
+ expect ~ ".* Cert Status: revoked.*"
+}
+
+haproxy h9 -wait
+process p9 -wait
projects / thirdparty / haproxy.git / commitdiff
