--- /dev/null
+#REGTEST_TYPE=devel
+
+# This reg-test uses the "del ssl crt-list" command to remove a line from a crt-list.
+
+# It performs three requests towards a QUIC frontend that uses simple.crt-list.
+# Between the second and third requests, a line is deleted from the crt-list,
+# which makes the third request fail since it would have used the deleted line
+# and the strict-sni option is enabled on the frontend.
+# Another test is performed as well. A line corresponding to the default instance
+# of a frontend that does not have the strict-sni option enabled cannot be deleted.
+
+varnishtest "Test the 'del ssl crt-list' feature of the CLI"
+#REQUIRE_OPTIONS=OPENSSL
+
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE quic
+include ${testdir}/../ssl/del_ssl_crt-list.vtci
# This reg-test uses the "del ssl crt-list" command to remove a line from a crt-list.
-# It performs three requests towards a frontend that uses simple.crt-list.
+# It performs three requests towards a SSL/TCP frontend that uses simple.crt-list.
# Between the second and third requests, a line is deleted from the crt-list,
# which makes the third request fail since it would have used the deleted line
# and the strict-sni option is enabled on the frontend.
varnishtest "Test the 'del ssl crt-list' feature of the CLI"
#REQUIRE_OPTIONS=OPENSSL
-feature ignore_unknown_macro
-server s1 -repeat 2 {
- rxreq
- txresp
-} -start
-
-haproxy h1 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- .if !ssllib_name_startswith(AWS-LC)
- tune.ssl.default-dh-param 2048
- .endif
- tune.ssl.capture-buffer-size 1
- crt-base ${testdir}/certs
- stats socket "${tmpdir}/h1/stats" level admin
- ssl-default-bind-options strict-sni
-
- defaults
- mode http
- option httplog
- retries 0
- log stderr local0 debug err
- option logasap
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
-
- listen clear-lst
- bind "fd@${clearlst}"
- balance roundrobin
- http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]
- server s1 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record2.bug940.domain.tld)
- server s2 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record3.bug940.domain.tld)
- server s3 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record2.bug940.domain.tld)
-
- listen first-ssl-fe
- # note: strict-sni is enforced from ssl-default-bind-options above
- mode http
- bind "${tmpdir}/first-ssl.sock" ssl crt-list ${testdir}/certs/simple.crt-list
- server s1 ${s1_addr}:${s1_port}
-
- listen second-ssl-fe
- mode http
- bind "${tmpdir}/second-ssl.sock" ssl no-strict-sni crt-list ${testdir}/certs/localhost.crt-list
- server s1 ${s1_addr}:${s1_port}
-} -start
-
-client c1 -connect ${h1_clearlst_sock} {
- txreq
- rxresp
- expect resp.http.X-SSL-Server-SHA1 == "DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
- expect resp.status == 200
-} -run
-
-client c1 -connect ${h1_clearlst_sock} {
- txreq
- rxresp
- expect resp.http.X-SSL-Server-SHA1 == "A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
- expect resp.status == 200
-} -run
-
-haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:2"
- expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
-}
-
-haproxy h1 -cli {
- send "show ssl crt-list -n ${testdir}/certs/simple.crt-list"
- expect !~ "common.pem:2"
-}
-
-# This connection should fail since the corresponding line was deleted from the crt-list
-# and the strict-sni option is enabled.
-client c1 -connect ${h1_clearlst_sock} {
- txreq
- rxresp
- expect resp.status == 503
-} -run
-
-# We should not be able to delete the crt-list's first line since it is the
-# default certificate of this bind line and the strict-sni option is not enabled.
-haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
- expect ~ "Can't delete the entry: certificate '${testdir}/certs/common.pem' cannot be deleted, it is used as default certificate by the following frontends:"
-}
-
-# We should be able to delete any line of the crt-list since the strict-sni option is enabled.
-haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:1"
- expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
-}
+setenv VTC_SOCK_TYPE stream
+include ${testdir}/../ssl/del_ssl_crt-list.vtci
--- /dev/null
+# Uses VTC_SOCK_TYPE (quic / stream)
+
+feature ignore_unknown_macro
+
+server s1 -repeat 2 {
+ rxreq
+ txresp
+} -start
+
+haproxy h1 -conf {
+ global
+ .if streq("$VTC_SOCK_TYPE",quic)
+ # required for backend connections
+ expose-experimental-directives
+ .endif
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+ tune.ssl.capture-buffer-size 1
+ crt-base ${testdir}/certs
+ stats socket "${tmpdir}/h1/stats" level admin
+ ssl-default-bind-options strict-sni
+
+ defaults
+ mode http
+ option httplog
+ retries 0
+ log stderr local0 debug err
+ option logasap
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+
+ listen clear-lst
+ bind "fd@${clearlst}"
+ balance roundrobin
+ http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]
+ server s1 "${VTC_SOCK_TYPE}+${h1_first_ssl_sock}" ssl verify none sni str(record2.bug940.domain.tld)
+ server s2 "${VTC_SOCK_TYPE}+${h1_first_ssl_sock}" ssl verify none sni str(record3.bug940.domain.tld)
+ server s3 "${VTC_SOCK_TYPE}+${h1_first_ssl_sock}" ssl verify none sni str(record2.bug940.domain.tld)
+
+ listen first-ssl-fe
+ # note: strict-sni is enforced from ssl-default-bind-options above
+ mode http
+ bind "${VTC_SOCK_TYPE}+fd@${first_ssl}" ssl crt-list ${testdir}/certs/simple.crt-list
+ server s1 ${s1_addr}:${s1_port}
+
+ listen second-ssl-fe
+ mode http
+ bind "fd@${second_ssl}" ssl no-strict-sni crt-list ${testdir}/certs/localhost.crt-list
+ server s1 ${s1_addr}:${s1_port}
+} -start
+
+client c1 -connect ${h1_clearlst_sock} {
+ txreq
+ rxresp
+ expect resp.http.X-SSL-Server-SHA1 == "DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
+ expect resp.status == 200
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+ txreq
+ rxresp
+ expect resp.http.X-SSL-Server-SHA1 == "A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
+ expect resp.status == 200
+} -run
+
+haproxy h1 -cli {
+ send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:2"
+ expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
+}
+
+haproxy h1 -cli {
+ send "show ssl crt-list -n ${testdir}/certs/simple.crt-list"
+ expect !~ "common.pem:2"
+}
+
+# This connection should fail since the corresponding line was deleted from the crt-list
+# and the strict-sni option is enabled.
+client c1 -connect ${h1_clearlst_sock} {
+ txreq
+ rxresp
+ expect resp.status == 503
+} -run
+
+# We should not be able to delete the crt-list's first line since it is the
+# default certificate of this bind line and the strict-sni option is not enabled.
+haproxy h1 -cli {
+ send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
+ expect ~ "Can't delete the entry: certificate '${testdir}/certs/common.pem' cannot be deleted, it is used as default certificate by the following frontends:"
+}
+
+# We should be able to delete any line of the crt-list since the strict-sni option is enabled.
+haproxy h1 -cli {
+ send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:1"
+ expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
+}
projects / thirdparty / haproxy.git / commitdiff
