frontend h2
mode http
- bind 127.0.0.1:8443 ssl crt reg-tests/ssl/common.pem alpn h2,http/1.1
+ bind 127.0.0.1:8443 ssl crt reg-tests/ssl/certs/common.pem alpn h2,http/1.1
default_backend h2b
backend h2b
--- /dev/null
+../ssl/certs/
\ No newline at end of file
+++ /dev/null
-../ssl/common.pem
\ No newline at end of file
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
frontend fe1
- bind "fd@${fe1}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
frontend fe2
bind "fd@${fe2}"
server fe1 ${htst_fe1_addr}:${htst_fe1_port}
frontend fe1
- bind "fd@${fe1}" ssl crt ${testdir}/common.pem curves P-256:P-384
+ bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem curves P-256:P-384
frontend fe3
- bind "fd@${fe3}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe3}" ssl crt ${testdir}/certs/common.pem
} -start
haproxy h1 -conf {
server fe1 ${htst_fe1_addr}:${htst_fe1_port}
frontend fe1
- bind "fd@${fe1}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
} -start
frontend fe1
option httplog
log ${S1_addr}:${S1_port} len 2048 local0 debug err
- bind "fd@${fe1}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
use_backend be1
frontend fe2
- bind "fd@${fe2}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe2}" ssl crt ${testdir}/certs/common.pem
use_backend be2
frontend fe3
- bind "fd@${fe3}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe3}" ssl crt ${testdir}/certs/common.pem
use_backend be3
} -start
option httpchk OPTIONS * HTTP/1.1
http-check send hdr Host www
log ${S2_addr}:${S2_port} daemon
- server srv1 ${h1_fe1_addr}:${h1_fe1_port} ssl crt ${testdir}/common.pem verify none check
+ server srv1 ${h1_fe1_addr}:${h1_fe1_port} ssl crt ${testdir}/certs/common.pem verify none check
backend be4
option log-health-checks
log ${S4_addr}:${S4_port} daemon
- server srv2 ${h1_fe2_addr}:${h1_fe2_port} ssl crt ${testdir}/common.pem verify none check-ssl check
+ server srv2 ${h1_fe2_addr}:${h1_fe2_port} ssl crt ${testdir}/certs/common.pem verify none check-ssl check
backend be6
option log-health-checks
option httpchk OPTIONS * HTTP/1.1
http-check send hdr Host www
log ${S6_addr}:${S6_port} daemon
- server srv3 127.0.0.1:80 crt ${testdir}/common.pem verify none check check-ssl port ${h1_fe3_port} addr ${h1_fe3_addr}:80
+ server srv3 127.0.0.1:80 crt ${testdir}/certs/common.pem verify none check check-ssl port ${h1_fe3_port} addr ${h1_fe3_addr}:80
} -start
syslog S1 -wait
--- /dev/null
+../ssl/certs/
\ No newline at end of file
+++ /dev/null
-../ssl/common.pem
\ No newline at end of file
mode http
frontend main-https
- bind "fd@${fe1}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem
compression algo gzip
compression type text/html text/plain application/json application/javascript
compression offload
+++ /dev/null
-../ssl/ca-auth.crt
\ No newline at end of file
--- /dev/null
+../ssl/certs/
\ No newline at end of file
+++ /dev/null
-../ssl/client1.pem
\ No newline at end of file
+++ /dev/null
-../ssl/common.pem
\ No newline at end of file
listen receiver
bind "fd@${feR}"
- bind "fd@${feR_ssl}" ssl crt ${testdir}/common.pem
+ bind "fd@${feR_ssl}" ssl crt ${testdir}/certs/common.pem
bind "fd@${feR_proxy}" accept-proxy
http-request return status 200
http-after-response set-header http_first_request %[http_first_req]
server example ${h1_feR_addr}:${h1_feR_port} send-proxy-v2 proxy-v2-options unique-id ssl alpn XXX verify none
listen receiver
- bind "fd@${feR}" ssl crt ${testdir}/common.pem accept-proxy
+ bind "fd@${feR}" ssl crt ${testdir}/certs/common.pem accept-proxy
http-request set-var(txn.proxy_unique_id) fc_pp_unique_id
http-after-response set-header proxy_unique_id %[var(txn.proxy_unique_id)]
server dev rhttp@ ssl sni hdr(x-name) verify none
frontend priv
- bind "fd@${priv}" ssl crt ${testdir}/common.pem verify required ca-verify-file ${testdir}/ca-auth.crt alpn h2
+ bind "fd@${priv}" ssl crt ${testdir}/certs/common.pem verify required ca-verify-file ${testdir}/certs/ca-auth.crt alpn h2
tcp-request session attach-srv be-reverse/dev name ssl_c_s_dn(CN)
} -start
listen li
bind "fd@${li}"
- server h_edge "${h_edge_priv_addr}:${h_edge_priv_port}" ssl crt ${testdir}/client1.pem verify none alpn h2
+ server h_edge "${h_edge_priv_addr}:${h_edge_priv_port}" ssl crt ${testdir}/certs/client1.pem verify none alpn h2
} -start
# Run a client through private endpoint
--- /dev/null
+../ssl/certs/
\ No newline at end of file
+++ /dev/null
-../ssl/common.pem
\ No newline at end of file
frontend fe
bind "fd@${fe}"
- bind "fd@${fessl}" ssl crt ${testdir}/common.pem alpn h2,http/1.1
+ bind "fd@${fessl}" ssl crt ${testdir}/certs/common.pem alpn h2,http/1.1
capture request header sec-websocket-key len 128
http-request set-var(txn.ver) req.ver
use_backend be
--- /dev/null
+../ssl/certs/
\ No newline at end of file
+++ /dev/null
-../ssl/common.pem
\ No newline at end of file
frontend fe2
mode http
- bind ":8443" ssl crt ${testdir}/common.pem
+ bind ":8443" ssl crt ${testdir}/certs/common.pem
stats enable
stats uri /
frontend fe2
mode http
- bind ":8443" ssl crt ${testdir}/common.pem
+ bind ":8443" ssl crt ${testdir}/certs/common.pem
stats enable
stats uri /
--- /dev/null
+../ssl/certs
\ No newline at end of file
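Review bot: The new `certs` symlink in this section targets `../ssl/certs` with no trailing slash, while the equivalent symlinks added elsewhere in the same commit target `../ssl/certs/` (the ones following `--- /dev/null` earlier on this page); the section after the peers test hunks (`+../ssl/certs` before the quic listener) has the same difference. Both forms resolve to the same directory when a path like `${testdir}/certs/common.pem` is traversed through the link, so this is a consistency point rather than a defect. I would make all eight new links identical, e.g. `../ssl/certs/`, so a later grep for the symlink target matches every test directory.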
+++ /dev/null
-../ssl/common.pem
\ No newline at end of file
stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers
peers peers
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${A}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${A}" ssl crt ${testdir}/certs/common.pem
server A
server B ${h2_B_addr}:${h2_B_port}
server C ${h3_C_addr}:${h3_C_port}
stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers
peers peers
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${B}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${B}" ssl crt ${testdir}/certs/common.pem
server A ${h1_A_addr}:${h1_A_port}
server B
server C ${h3_C_addr}:${h3_C_port}
stick-table type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000) peers peers
peers peers
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${C}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${C}" ssl crt ${testdir}/certs/common.pem
server A ${h1_A_addr}:${h1_A_port}
server B ${h2_B_addr}:${h2_B_port}
server C
peers peers
table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000)
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${A}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${A}" ssl crt ${testdir}/certs/common.pem
server A
server B ${h2_B_addr}:${h2_B_port}
server C ${h3_C_addr}:${h3_C_port}
peers peers
table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000)
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${B}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${B}" ssl crt ${testdir}/certs/common.pem
server A ${h1_A_addr}:${h1_A_port}
server B
server C ${h3_C_addr}:${h3_C_port}
peers peers
table stkt type string size 10m store server_id,gpc0,conn_cur,conn_rate(50000)
- default-server ssl crt ${testdir}/common.pem verify none
- bind "fd@${C}" ssl crt ${testdir}/common.pem
+ default-server ssl crt ${testdir}/certs/common.pem verify none
+ bind "fd@${C}" ssl crt ${testdir}/certs/common.pem
server A ${h1_A_addr}:${h1_A_port}
server B ${h2_B_addr}:${h2_B_port}
server C
--- /dev/null
+../ssl/certs
\ No newline at end of file
+++ /dev/null
-../ssl/common.pem
\ No newline at end of file
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
listen quic_lstnr
- bind "quic+fd@${fe_quic}" ssl crt ${testdir}/common.pem
+ bind "quic+fd@${fe_quic}" ssl crt ${testdir}/certs/common.pem
server srv ${s1_addr}:${s1_port}
listen quic_lstnr_retry
- bind "quic+fd@${fe_quic_retry}" ssl crt ${testdir}/common.pem quic-force-retry
+ bind "quic+fd@${fe_quic_retry}" ssl crt ${testdir}/certs/common.pem quic-force-retry
server srv ${s1_addr}:${s1_port}
} -start
--- /dev/null
+../ssl/certs/
\ No newline at end of file
# frontend used to respond to ssl connection
frontend fe-ssl-term
- bind "fd@${feSslTerm}" ssl crt ${testdir}/common.pem
+ bind "fd@${feSslTerm}" ssl crt ${testdir}/certs/common.pem
http-request return status 200
} -start
shell {
echo "new ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" -
- printf "set ssl ca-file common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file common.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl ca-file common.pem" | socat "${tmpdir}/h1/stats" -
} -run
+++ /dev/null
-../ssl/common.pem
\ No newline at end of file
tune.ssl.default-dh-param 2048
.endif
tune.ssl.capture-buffer-size 1
- crt-base ${testdir}
+ crt-base ${testdir}/certs
stats socket "${tmpdir}/h1/stats" level admin
defaults
listen ssl-lst
mode http
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list "${testdir}/certs/localhost.crt-list"
server s1 ${s1_addr}:${s1_port}
- server s2 ${s1_addr}:${s1_port} ssl crt "${testdir}/common.pem" weight 0 verify none
+ server s2 ${s1_addr}:${s1_port} ssl crt "${testdir}/certs/common.pem" weight 0 verify none
} -start
haproxy h1 -cli {
- send "show ssl cert ${testdir}/common.pem"
+ send "show ssl cert ${testdir}/certs/common.pem"
expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
}
} -run
shell {
- echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/common.pem [ssl-min-ver SSLv3 verify none allow-0rtt] !*\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list/// <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list///// <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl crt-list ${testdir}/localhost.crt-list// ${testdir}/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" -
+ echo "new ssl cert ${testdir}/certs/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/ecdsa.pem <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/common.pem [ssl-min-ver SSLv3 verify none allow-0rtt] !*\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/// <<\n${testdir}/certs/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list///// <<\n${testdir}/certs/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list// ${testdir}/certs/ecdsa.pem\n" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/ecdsa.pem"
+ send "show ssl cert ${testdir}/certs/ecdsa.pem"
expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}
haproxy h1 -cli {
- send "show ssl crt-list ${testdir}/localhost.crt-list//"
+ send "show ssl crt-list ${testdir}/certs/localhost.crt-list//"
# check the options and the filters in any order
- expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*"
+ expect ~ ".*${testdir}/certs/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*"
}
client c1 -connect ${h1_clearlst_sock} {
# Try to add a new line that mentions an "unknown" CA file (not loaded yet).
# It should fail since no disk access are allowed during runtime.
shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ca-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ca-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
}
shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [ca-verify-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [ca-verify-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
}
shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list/ <<\n${testdir}/ecdsa.pem [crl-file ${testdir}/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/ca-auth.crt"
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list/ <<\n${testdir}/certs/ecdsa.pem [crl-file ${testdir}/certs/ca-auth.crt] localhost\n\n" | socat "${tmpdir}/h1/stats" - | grep "unable to load ${testdir}/certs/ca-auth.crt"
}
# Check that the new line was not added to the crt-list.
haproxy h1 -cli {
- send "show ssl crt-list ${testdir}/localhost.crt-list//"
- expect !~ ".*ca-file ${testdir}/ca-auth.crt"
+ send "show ssl crt-list ${testdir}/certs/localhost.crt-list//"
+ expect !~ ".*ca-file ${testdir}/certs/ca-auth.crt"
}
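Review bot: The `listen ssl-lst` bind line in this hunk gains double quotes around the crt-list path, `bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list "${testdir}/certs/localhost.crt-list"`, which goes beyond the directory move the rest of the hunk performs; the next file's `crt "${testdir}/certs/common.crt" strict-sni` and `crt "${testdir}/certs/common.pem" strict-sni` lines do the same, while the later `crt-list ${testdir}/certs/simple.crt-list` and `crt-list ${testdir}/certs/localhost.crt-list` bind lines stay unquoted. The quoting is presumably harmless since `${testdir}` carries no whitespace here, but mixing the two styles inside one path-move commit makes the change harder to audit line by line. I would either keep the quoting change out of this commit or apply it to every `crt`/`crt-list` bind argument it touches. The `haproxy h1 -conf {` block these bind lines belong to starts before this hunk.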
.endif
crt-store
- load crt "${testdir}/common.crt" key "${testdir}/common.key"
+ load crt "${testdir}/certs/common.crt" key "${testdir}/certs/common.key"
defaults
timeout client 30s
timeout connect 30s
listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.crt strict-sni
+ bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.crt" strict-sni
}
haproxy h2 -arg -V -conf-BAD {} {
listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
+ bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.pem" strict-sni
crt-store
- load crt "${testdir}/common.pem" key "${testdir}/common.key"
+ load crt "${testdir}/certs/common.pem" key "${testdir}/certs/common.key"
}
tune.ssl.default-dh-param 2048
.endif
tune.ssl.capture-buffer-size 1
- crt-base ${testdir}
+ crt-base ${testdir}/certs
stats socket "${tmpdir}/h1/stats" level admin
ssl-default-bind-options strict-sni
listen first-ssl-fe
# note: strict-sni is enforced from ssl-default-bind-options above
mode http
- bind "${tmpdir}/first-ssl.sock" ssl crt-list ${testdir}/simple.crt-list
+ bind "${tmpdir}/first-ssl.sock" ssl crt-list ${testdir}/certs/simple.crt-list
server s1 ${s1_addr}:${s1_port}
listen second-ssl-fe
mode http
- bind "${tmpdir}/second-ssl.sock" ssl no-strict-sni crt-list ${testdir}/localhost.crt-list
+ bind "${tmpdir}/second-ssl.sock" ssl no-strict-sni crt-list ${testdir}/certs/localhost.crt-list
server s1 ${s1_addr}:${s1_port}
} -start
} -run
haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/simple.crt-list ${testdir}/common.pem:2"
- expect ~ "Entry '${testdir}/common.pem' deleted in crtlist '${testdir}/simple.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:2"
+ expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
}
haproxy h1 -cli {
- send "show ssl crt-list -n ${testdir}/simple.crt-list"
+ send "show ssl crt-list -n ${testdir}/certs/simple.crt-list"
expect !~ "common.pem:2"
}
# We should not be able to delete the crt-list's first line since it is the
# default certificate of this bind line and the strict-sni option is not enabled.
haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
- expect ~ "Can't delete the entry: certificate '${testdir}/common.pem' cannot be deleted, it is used as default certificate by the following frontends:"
+ send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
+ expect ~ "Can't delete the entry: certificate '${testdir}/certs/common.pem' cannot be deleted, it is used as default certificate by the following frontends:"
}
# We should be able to delete any line of the crt-list since the strict-sni option is enabled.
haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/simple.crt-list ${testdir}/common.pem:1"
- expect ~ "Entry '${testdir}/common.pem' deleted in crtlist '${testdir}/simple.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/simple.crt-list ${testdir}/certs/common.pem:1"
+ expect ~ "Entry '${testdir}/certs/common.pem' deleted in crtlist '${testdir}/certs/simple.crt-list'!"
}
default_backend test
backend test
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
- server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
- server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem"
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
+ server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
+ server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem"
+ bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.pem"
server s1 ${s1_addr}:${s1_port}
} -start
haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
}
client c1 -connect ${h1_feS_sock} {
} -run
haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
}
# Replace certificate with an expired one
shell {
- printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
expect ~ ".*Status: Unused"
}
haproxy h1 -cli {
- send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem"
+ send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/certs/client1.pem"
expect ~ "New server registered."
send "enable server test/s1"
expect ~ ".*"
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
expect ~ ".*Status: Used"
}
.endif
stats socket "${tmpdir}/h1/stats" level admin
- issuers-chain-path "${testdir}/issuers-chain-path/ca/"
- crt-base "${testdir}/issuers-chain-path"
+ issuers-chain-path "${testdir}/certs/issuers-chain-path/ca/"
+ crt-base "${testdir}/certs/issuers-chain-path"
defaults
mode http
# We should have two distinct ocsp responses known that were loaded at build time
haproxy h1 -cli {
- send "show ssl cert ${testdir}/issuers-chain-path/server.pem"
+ send "show ssl cert ${testdir}/certs/issuers-chain-path/server.pem"
expect ~ ".*Chain Filename.*"
- send "show ssl cert ${testdir}/issuers-chain-path/server.pem"
+ send "show ssl cert ${testdir}/certs/issuers-chain-path/server.pem"
expect ~ ".*Chain Subject.*"
}
log ring@myring local0 # To TCP log
log-forward syslog2local
- bind 127.0.0.1:2514 ssl crt ${testdir}/common.pem
+ bind 127.0.0.1:2514 ssl crt ${testdir}/certs/common.pem
log ${Slg1_addr}:${Slg1_port} local0 # To VTest syslog
} -start
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}
+ crt-base ${testdir}/certs
defaults
mode http
default_backend default_be
backend default_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(www.test1.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(www.test1.com)
backend with_ca_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/set_cafile_client.pem sni str(with-ca.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/set_cafile_client.pem sni str(with-ca.com)
listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required crt-ignore-err all
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
server s1 ${s1_addr}:${s1_port}
} -start
}
shell {
- printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
}
}
shell {
- printf "add ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
}
shell {
- printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file new_cafile.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl ca-file new_cafile.crt" | socat "${tmpdir}/h1/stats" -
}
# Add a new certificate that will use the new CA file
shell {
- echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ echo "new ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/set_cafile_server.pem <<\n$(cat ${testdir}/certs/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
}
# Create a new crt-list line that will use the new CA file
shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/set_cafile_server.pem [ca-file new_cafile.crt] with-ca.com\n\n" | socat "${tmpdir}/h1/stats" -
}
client c1 -connect ${h1_clearlst_sock} {
# Delete the newly added crt-list line and CA file
haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
- expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/set_cafile_server.pem"
+ expect ~ "Entry '${testdir}/certs/set_cafile_server.pem' deleted in crtlist '${testdir}/certs/localhost.crt-list'!"
send "del ssl ca-file new_cafile.crt"
expect ~ "CA file 'new_cafile.crt' deleted!"
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}
+ crt-base ${testdir}/certs
defaults
mode http
default_backend default_be
backend default_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(www.test1.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem sni str(www.test1.com)
backend with_crl_be
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem sni str(with-crl.com)
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem sni str(with-crl.com)
listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list ca-file ${testdir}/ca-auth.crt verify required crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list ca-file ${testdir}/certs/ca-auth.crt verify required crt-ignore-err all
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
server s1 ${s1_addr}:${s1_port}
} -start
}
shell {
- printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/crl-auth.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl crl-file new_crlfile.crt <<\n$(cat ${testdir}/certs/crl-auth.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl crl-file new_crlfile.crt" | socat "${tmpdir}/h1/stats" -
}
# Add a new certificate that will use the new CA file
shell {
- echo "new ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/set_cafile_server.pem <<\n$(cat ${testdir}/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ echo "new ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/set_cafile_server.pem <<\n$(cat ${testdir}/certs/set_cafile_server.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/set_cafile_server.pem" | socat "${tmpdir}/h1/stats" -
}
# Create a new crt-list line that will use the new CA file
shell {
- printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl crt-list ${testdir}/certs/localhost.crt-list <<\n${testdir}/certs/set_cafile_server.pem [crl-file new_crlfile.crt] with-crl.com\n\n" | socat "${tmpdir}/h1/stats" -
}
client c1 -connect ${h1_clearlst_sock} {
# Delete the newly added crt-list line and CRL file
haproxy h1 -cli {
- send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/set_cafile_server.pem"
- expect ~ "Entry '${testdir}/set_cafile_server.pem' deleted in crtlist '${testdir}/localhost.crt-list'!"
+ send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/set_cafile_server.pem"
+ expect ~ "Entry '${testdir}/certs/set_cafile_server.pem' deleted in crtlist '${testdir}/certs/localhost.crt-list'!"
send "del ssl crl-file new_crlfile.crt"
expect ~ "CRL file 'new_crlfile.crt' deleted!"
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
defaults
mode http
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
- bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl crt multicert/server_ocsp.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# calling "show ssl ocsp-response". This is done through the Syslog_ocsp
# listener and a dedicated barrier.
-process p2 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+process p2 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
barrier b2 cond 2 -cyclic
syslog Syslog_ocsp -level notice {
recv
- expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
recv
- expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
barrier b2 sync
} -start
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h2/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
log ${Syslog_ocsp_addr}:${Syslog_ocsp_port} local0 notice notice
defaults
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-fe
- bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl2.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-fe
- bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl3.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# will not enable ocsp-update on its certificate. Only one request should then
# be sent.
-process p3 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
+process p3 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
barrier b3 cond 2 -cyclic
syslog Syslog_ocsp3 -level notice {
recv
- expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
barrier b3 sync
} -start
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h3/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
log ${Syslog_ocsp3_addr}:${Syslog_ocsp3_port} local0 notice notice
defaults
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-fe
- bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl4.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-fe
- bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl5.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# in haproxy proc variables in order to compare them to their new value after
# the update is performed.
-process p4 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+process p4 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
barrier b4 cond 2 -cyclic
syslog Syslog_ocsp4 -level notice {
recv
- expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
recv
- expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
barrier b4 sync
} -start
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h4/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
log ${Syslog_ocsp4_addr}:${Syslog_ocsp4_port} local0 notice notice
defaults
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-ocsp
- bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl5.sock" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-ocsp
- bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl6.sock" ssl crt ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# the OCSP response actually changed
produced_at1=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
- echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
+ echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h4/stats" -
# Update the second ocsp response (ckch_data has a NULL ocsp_issuer pointer)
# Store the current "Produced At" in order to ensure that after the update
# the OCSP response actually changed
produced_at2=$(echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016" | socat "${tmpdir}/h4/stats" - | grep "Produced At" | tr -d ' ')
- echo "update ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
+ echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp_ecdsa.pem" | socat "${tmpdir}/h4/stats" -
echo "experimental-mode on;set var proc.produced_at1 str($produced_at1)" | socat "${tmpdir}/h4/stats" -
echo "experimental-mode on;set var proc.produced_at2 str($produced_at2)" | socat "${tmpdir}/h4/stats" -
# to the "show ssl ocsp-response" command.
-process p5 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+process p5 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
barrier b5 cond 2 -cyclic
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h5/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
log ${Syslog_ocsp5_addr}:${Syslog_ocsp5_port} local0 notice notice
defaults
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-rsa-fe
- bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl7.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_rsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
frontend ssl-ecdsa-fe
- bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl8.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# the 'ocsp-update on' option will be taken into account by the OCSP
# auto update task
#
-process p6 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
+process p6 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
barrier b6 cond 2 -cyclic
syslog Syslog_ocsp6 -level notice {
recv
- expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa 1 \"Update successful\" 0 1"
barrier b6 sync
} -start
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h6/stats" level admin
- crt-base ${testdir}
+ crt-base ${testdir}/certs
log ${Syslog_ocsp6_addr}:${Syslog_ocsp6_port} local0 notice notice
defaults
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
- bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl9.sock" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# Create a new certificate that has an OCSP uri and add it to the
# existing CLI with the 'ocsp-update on' command.
shell {
- echo "new ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
- printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" -
- printf "set ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" -
- echo "commit ssl cert ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
+ echo "new ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h6/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.issuer)\n\n" | socat "${tmpdir}/h6/stats" -
+ echo "commit ssl cert ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa" | socat "${tmpdir}/h6/stats" -
- printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" -
+ printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa [ocsp-update on] foo.com\n\n" | socat "${tmpdir}/h6/stats" -
}
barrier b6 sync
# Check that the global "tune.ocsp-update.mode" option works and that it
# applies to certificates added via the CLI as well.
#
-process p7 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
+process p7 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 2 -ndays 1 -port 12345 -timeout 5" -start
barrier b7 cond 2 -cyclic
syslog Syslog_ocsp7 -level notice {
recv
- expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem 1 \"Update successful\" 0 1"
barrier b7 sync
recv
- expect ~ "<OCSP-UPDATE> ${testdir}/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/server_ocsp_rsa.pem 1 \"Update successful\" 0 1"
barrier b7 sync
} -start
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h7/stats" level admin
- crt-base ${testdir}
+ crt-base ${testdir}/certs
ocsp-update.mode on
log ${Syslog_ocsp7_addr}:${Syslog_ocsp7_port} local0 notice notice
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
- bind "${tmpdir}/ssl_h7.sock" ssl crt ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
- bind "${tmpdir}/ssl_h7_2.sock" ssl crt-list ${testdir}/simple.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl_h7.sock" ssl crt ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl_h7_2.sock" ssl crt-list ${testdir}/certs/simple.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# Create a new certificate that has an OCSP uri and add it to the
# existing CLI with the 'ocsp-update on' command.
shell {
- echo "new ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
- printf "set ssl cert ${testdir}/server_ocsp_rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" -
- echo "commit ssl cert ${testdir}/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
+ echo "new ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
+ printf "set ssl cert ${testdir}/certs/server_ocsp_rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_rsa.pem)\n\n" | socat "${tmpdir}/h7/stats" -
+ echo "commit ssl cert ${testdir}/certs/server_ocsp_rsa.pem" | socat "${tmpdir}/h7/stats" -
# We should have ocsp-update enabled via the global option
- printf "add ssl crt-list ${testdir}/simple.crt-list <<\n${testdir}/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" -
+ printf "add ssl crt-list ${testdir}/certs/simple.crt-list <<\n${testdir}/certs/server_ocsp_rsa.pem foo.com\n\n" | socat "${tmpdir}/h7/stats" -
}
barrier b7 sync
haproxy h7 -cli {
send "show ssl ocsp-updates"
- expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 | ${testdir}/certs/ocsp_update/multicert_no_ocsp/server_ocsp_ecdsa.pem .*| 1 | 0 | 1 | Update successful"
send "show ssl ocsp-updates"
- expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful"
+ expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | ${testdir}/certs/server_ocsp_rsa.pem .*| 1 | 0 | 1 | Update successful"
}
haproxy h7 -wait
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h8/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
defaults
mode http
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
- bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
listen http_rebound_lst
# ocsp response was removed from the auto update list but is still present in the
# system
haproxy h8 -cli {
- send "del ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
+ send "del ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa"
expect ~ "Entry.*deleted in crtlist"
send "show ssl ocsp-updates"
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
- send "show ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
+ send "show ssl ocsp-response ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.ecdsa"
expect ~ ".* Cert Status: good.*"
}
# Add the previously removed crt-list line with auto-update enabled and check that
# the ocsp response appears in the auto update list
shell {
- printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list"
+ printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list"
}
haproxy h8 -cli {
# Check that the auto update option consistency check work even when crt-list
# lines are added through the cli
shell {
- printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'"
+ printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "different parameter 'ocsp-update'"
}
haproxy h8 -wait
# update enabled can be updated via "update ssl ocsp-response" command.
#
-process p9 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
+process p9 "openssl ocsp -index ${testdir}/certs/ocsp_update/index.txt -rsigner ${testdir}/certs/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12345 -timeout 5" -start
barrier b9 cond 2 -cyclic
syslog Syslog_ocsp9 -level notice {
recv
- expect ~ "<OCSP-UPDATE> ${testdir}/ocsp_update/rsa.pem 1 \"Update successful\" 0 1"
+ expect ~ "<OCSP-UPDATE> ${testdir}/certs/ocsp_update/rsa.pem 1 \"Update successful\" 0 1"
barrier b9 sync
} -start
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h9/stats" level admin
- crt-base ${testdir}/ocsp_update
+ crt-base ${testdir}/certs/ocsp_update
log ${Syslog_ocsp9_addr}:${Syslog_ocsp9_port} local0 notice notice
defaults
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
- bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
} -start
# Create a new certificate and add it in the crt-list with ocsp auto-update enabled
shell {
- echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
- printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" -
- printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" -
- printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(openssl base64 < ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" -
- echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
+ echo "new ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem <<\n$(cat ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/certs/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" -
+ printf "set ssl cert ${testdir}/certs/ocsp_update/rsa.pem.ocsp <<\n$(openssl base64 < ${testdir}/certs/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" -
+ echo "commit ssl cert ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
- printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" -
+ printf "add ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" -
}
# Check that the line is in the crt-list
haproxy h9 -cli {
- send "show ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list"
- expect ~ "${testdir}/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar"
+ send "show ssl crt-list ${testdir}/certs/ocsp_update/multicert_ecdsa_no_update.crt-list"
+ expect ~ "${testdir}/certs/ocsp_update/rsa.pem.*ocsp-update off.*foo.bar"
}
# Check that the new certificate is NOT in the auto update list
}
shell {
- echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
+ echo "update ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
}
barrier b9 sync
haproxy h9 -cli {
- send "show ssl ocsp-response ${testdir}/ocsp_update/rsa.pem"
+ send "show ssl ocsp-response ${testdir}/certs/ocsp_update/rsa.pem"
expect ~ ".* Cert Status: revoked.*"
}
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
# ocsp-update.mode on
defaults
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
ocsp-update.mode on
defaults
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
ocsp-update.mode off
defaults
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
# ocsp-update.mode off
defaults
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
ocsp-update.mode on
defaults
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
ocsp-update.mode off
defaults
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
# ocsp-update.mode off
defaults
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
# ocsp-update.mode off
defaults
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
ocsp-update.mode on
defaults
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
ocsp-update.mode on
defaults
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
ocsp-update.mode off
defaults
thread-groups 1
.endif
- crt-base ${testdir}/ocsp_update/multicert
+ crt-base ${testdir}/certs/ocsp_update/multicert
ocsp-update.mode off
defaults
server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)
listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/bug-2265.crt strict-sni
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/bug-2265.crt strict-sni
server s1 ${s1_addr}:${s1_port}
} -start
haproxy h1 -cli {
- send "show ssl cert ${testdir}/bug-2265.crt"
+ send "show ssl cert ${testdir}/certs/bug-2265.crt"
expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
}
} -run
shell {
- printf "set ssl cert ${testdir}/bug-2265.crt <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/bug-2265.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/bug-2265.crt <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/bug-2265.crt" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/bug-2265.crt"
+ send "show ssl cert ${testdir}/certs/bug-2265.crt"
expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}
listen clear-lst
bind "fd@${clearlst}"
# dummy bind used to test a change when the same crt is used as server and bind
- bind "fd@${foobarlst}" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify none
- server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify none no-sni-auto
+ bind "fd@${foobarlst}" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify none
+ server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify none no-sni-auto
listen clear-verified-lst
bind "fd@${clearverifiedlst}"
- server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required no-sni-auto
+ server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required no-sni-auto
listen ssl-lst
# crt: certificate of the server
# ca-file: CA used for client authentication request
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA2.crt verify required crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required crt-ignore-err all
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
server s1 ${s1_addr}:${s1_port}
} -start
# Test the "show ssl ca-file" command
haproxy h1 -cli {
send "show ssl ca-file"
- expect ~ ".*${testdir}/set_cafile_interCA1.crt - 1 certificate.*"
+ expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 1 certificate.*"
send "show ssl ca-file"
- expect ~ ".*${testdir}/set_cafile_interCA2.crt - 1 certificate.*"
+ expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*"
- send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt"
+ send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt"
expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
}
# Set a new ca-file without committing it and check that the new ca-file is not taken into account
shell {
- printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
}
# Test the "show ssl ca-file" command
# The transaction should be mentioned in the list
haproxy h1 -cli {
send "show ssl ca-file"
- expect ~ "\\*${testdir}/set_cafile_interCA2.crt - 1 certificate.*"
+ expect ~ "\\*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*"
# The original CA file did not change
- send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt"
+ send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt"
expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
# Only the current transaction displays a new certificate
- send "show ssl ca-file *${testdir}/set_cafile_interCA2.crt"
+ send "show ssl ca-file *${testdir}/certs/set_cafile_interCA2.crt"
expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
}
} -run
haproxy h1 -cli {
- send "abort ssl ca-file ${testdir}/set_cafile_interCA2.crt"
- expect ~ "Transaction aborted for certificate '${testdir}/set_cafile_interCA2.crt'!"
- send "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt"
+ send "abort ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt"
+ expect ~ "Transaction aborted for certificate '${testdir}/certs/set_cafile_interCA2.crt'!"
+ send "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt"
expect ~ "No ongoing transaction!"
}
# Update the bind line's ca-file in order to accept the client certificate
shell {
- printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
}
# Update the server line's ca-file. The server certificate should now be accepted by
# the frontend. We replace the single CA by a list of CAs that includes the correct one.
shell {
- printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- printf "add ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "add ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
}
# Test the "show ssl ca-file" with a certificate index
haproxy h1 -cli {
send "show ssl ca-file"
- expect ~ ".*${testdir}/set_cafile_interCA1.crt - 3 certificate.*"
+ expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 3 certificate.*"
- send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:1"
+ send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:1"
expect ~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
- send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:2"
+ send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:2"
expect !~ ".*SHA1 FingerPrint: 4FFF535278883264693CEA72C4FAD13F995D0098"
- send "show ssl ca-file ${testdir}/set_cafile_interCA1.crt:2"
+ send "show ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt:2"
expect ~ ".*SHA1 FingerPrint: 3D3D1D10AD74A8135F05A818E10E5FA91433954D"
}
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}
+ crt-base ${testdir}/certs
defaults
mode http
server s9 "${tmpdir}/other-ssl.sock" ssl verify none sni str(other.test1.com) # uses the default certificate
listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem strict-sni
server s1 ${s1_addr}:${s1_port}
# dummy server used to test a change when the same crt is used as server and bind
- server s2 ${s1_addr}:${s1_port} ssl crt ${testdir}/common.pem verify none weight 0
+ server s2 ${s1_addr}:${s1_port} ssl crt ${testdir}/certs/common.pem verify none weight 0
listen other-ssl-lst
- bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/set_default_cert.crt-list
+ bind "${tmpdir}/other-ssl.sock" ssl crt-list ${testdir}/certs/set_default_cert.crt-list
server s1 ${s1_addr}:${s1_port}
} -start
haproxy h1 -cli {
- send "show ssl cert ${testdir}/common.pem"
+ send "show ssl cert ${testdir}/certs/common.pem"
expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
}
} -run
shell {
- printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/common.pem"
+ send "show ssl cert ${testdir}/certs/common.pem"
expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}
} -run
shell {
- printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "abort ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "abort ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/common.pem"
+ send "show ssl cert ${testdir}/certs/common.pem"
expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}
} -run
shell {
- printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/set_default_cert.pem <<\n$(cat ${testdir}/certs/common.pem)\n\n" | socat "${tmpdir}/h1/stats" -
}
# Certificate should not have changed yet
haproxy h1 -cli {
- send "show ssl cert ${testdir}/set_default_cert.pem"
+ send "show ssl cert ${testdir}/certs/set_default_cert.pem"
expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB3"
}
shell {
- echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/set_default_cert.pem"
+ send "show ssl cert ${testdir}/certs/set_default_cert.pem"
expect ~ ".*SHA1 FingerPrint: DF3B6E847A7BF83DFAAFCFEC65EE9BC36230D3EA"
}
# Restore original certificate
shell {
- printf "set ssl cert ${testdir}/set_default_cert.pem <<\n$(cat ${testdir}/set_default_cert.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/set_default_cert.pem <<\n$(cat ${testdir}/certs/set_default_cert.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/set_default_cert.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/set_default_cert.pem"
+ send "show ssl cert ${testdir}/certs/set_default_cert.pem"
expect ~ ".*SHA1 FingerPrint: 9DC18799428875976DDE706E9956035EE88A4CB"
}
server s4 "${tmpdir}/ssl.sock" ssl verify none sni str(example.com) force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384
listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/cert1-example.com.pem
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/cert1-example.com.pem
server s1 ${s1_addr}:${s1_port}
} -start
haproxy h1 -cli {
- send "show ssl cert ${testdir}/cert1-example.com.pem.rsa"
+ send "show ssl cert ${testdir}/certs/cert1-example.com.pem.rsa"
expect ~ ".*SHA1 FingerPrint: 94F720DACA71B8B1A0AC9BD48C65BA688FF047DE"
- send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa"
+ send "show ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa"
expect ~ ".*SHA1 FingerPrint: C1BA055D452F92EB02D449F0498C289F50698300"
}
} -run
shell {
- printf "set ssl cert ${testdir}/cert1-example.com.pem.rsa <<\n$(cat ${testdir}/cert2-example.com.pem.rsa)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/cert1-example.com.pem.rsa" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/cert1-example.com.pem.ecdsa <<\n$(cat ${testdir}/cert2-example.com.pem.ecdsa)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/cert1-example.com.pem.ecdsa" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/cert1-example.com.pem.rsa <<\n$(cat ${testdir}/certs/cert2-example.com.pem.rsa)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/cert1-example.com.pem.rsa" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa <<\n$(cat ${testdir}/certs/cert2-example.com.pem.ecdsa)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/cert1-example.com.pem.rsa"
+ send "show ssl cert ${testdir}/certs/cert1-example.com.pem.rsa"
expect ~ ".*SHA1 FingerPrint: ADC863817FC40C2A9CA913CE45C9A92232558F90"
- send "show ssl cert ${testdir}/cert1-example.com.pem.ecdsa"
+ send "show ssl cert ${testdir}/certs/cert1-example.com.pem.ecdsa"
expect ~ ".*SHA1 FingerPrint: F49FFA446D072262445C197B85D2F400B3F58808"
}
server s3 "${tmpdir}/ssl.sock" ssl verify none sni str(localhost)
listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.crt strict-sni
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.crt strict-sni
server s1 ${s1_addr}:${s1_port}
} -start
haproxy h1 -cli {
- send "show ssl cert ${testdir}/common.crt"
+ send "show ssl cert ${testdir}/certs/common.crt"
expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
}
} -run
shell {
- printf "set ssl cert ${testdir}/common.crt <<\n$(cat ${testdir}/ecdsa.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/common.key <<\n$(cat ${testdir}/ecdsa.key)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/common.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/common.crt <<\n$(cat ${testdir}/certs/ecdsa.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/common.key <<\n$(cat ${testdir}/certs/ecdsa.key)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/common.crt" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/common.crt"
+ send "show ssl cert ${testdir}/certs/common.crt"
expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
}
listen clear-lst
bind "fd@${clearlst}"
- server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt crl-file ${testdir}/interCA2_crl_empty.pem verify required no-sni-auto
+ server s1 "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt crl-file ${testdir}/certs/interCA2_crl_empty.pem verify required no-sni-auto
listen ssl-lst
# crt: certificate of the server
# ca-file: CA used for client authentication request
# crl-file: revocation list for client auth
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA1.crt ca-verify-file ${testdir}/set_cafile_rootCA.crt crl-file ${testdir}/interCA1_crl_empty.pem verify required crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt crl-file ${testdir}/certs/interCA1_crl_empty.pem verify required crt-ignore-err all
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
server s1 ${s1_addr}:${s1_port}
} -start
# Test the "show ssl ca-file" command
haproxy h1 -cli {
send "show ssl ca-file"
- expect ~ ".*${testdir}/set_cafile_interCA1.crt - 1 certificate.*"
+ expect ~ ".*${testdir}/certs/set_cafile_interCA1.crt - 1 certificate.*"
send "show ssl ca-file"
- expect ~ ".*${testdir}/set_cafile_interCA2.crt - 1 certificate.*"
+ expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 1 certificate.*"
}
# Add the rootCA certificate to set_cafile_interCA2.crt in order for the frontend to
# be able to validate the server's certificate
shell {
- printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
send "show ssl ca-file"
- expect ~ ".*${testdir}/set_cafile_interCA2.crt - 2 certificate.*"
+ expect ~ ".*${testdir}/certs/set_cafile_interCA2.crt - 2 certificate.*"
- send "show ssl ca-file ${testdir}/set_cafile_interCA2.crt"
+ send "show ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt"
expect ~ ".*Subject.*/CN=Root CA"
}
# Change the frontend's crl-file to one in which the server certificate is revoked
shell {
- printf "set ssl crl-file ${testdir}/interCA2_crl_empty.pem <<\n$(cat ${testdir}/interCA2_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA2_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" -
}
# Check that the transaction is displayed in the output of "show ssl crl-list"
haproxy h1 -cli {
send "show ssl crl-file"
- expect ~ "\\*${testdir}/interCA2_crl_empty.pem"
+ expect ~ "\\*${testdir}/certs/interCA2_crl_empty.pem"
- send "show ssl crl-file \\*${testdir}/interCA2_crl_empty.pem"
+ send "show ssl crl-file \\*${testdir}/certs/interCA2_crl_empty.pem"
expect ~ "Revoked Certificates:"
- send "show ssl crl-file \\*${testdir}/interCA2_crl_empty.pem:1"
+ send "show ssl crl-file \\*${testdir}/certs/interCA2_crl_empty.pem:1"
expect ~ "Serial Number: 1008"
}
} -run
haproxy h1 -cli {
- send "commit ssl crl-file ${testdir}/interCA2_crl_empty.pem"
- expect ~ "Committing ${testdir}/interCA2_crl_empty.pem"
+ send "commit ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem"
+ expect ~ "Committing ${testdir}/certs/interCA2_crl_empty.pem"
}
# This connection should fail, the server's certificate is revoked in the newly updated CRL file
# Restore the frontend's CRL
shell {
- printf "set ssl crl-file ${testdir}/interCA2_crl_empty.pem <<\n$(cat ${testdir}/interCA2_crl_empty.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl crl-file ${testdir}/interCA2_crl_empty.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA2_crl_empty.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl crl-file ${testdir}/certs/interCA2_crl_empty.pem" | socat "${tmpdir}/h1/stats" -
}
# Change the backend's CRL file to one in which the frontend's certificate is revoked
shell {
- printf "set ssl crl-file ${testdir}/interCA1_crl_empty.pem <<\n$(cat ${testdir}/interCA1_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl crl-file ${testdir}/interCA1_crl_empty.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl crl-file ${testdir}/certs/interCA1_crl_empty.pem <<\n$(cat ${testdir}/certs/interCA1_crl.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl crl-file ${testdir}/certs/interCA1_crl_empty.pem" | socat "${tmpdir}/h1/stats" -
}
# This connection should fail, the client's certificate is revoked in the newly updated CRL file
listen clear-lst
bind "fd@${clearlst}"
retries 0 # 2nd SSL connection must fail so skip the retry
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem
listen ssl-lst
# crt: certificate of the server
# ca-file: CA used for client authentication request
# crl-file: revocation list for client auth: the client1 certificate is revoked
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/certs/crl-auth.pem
acl cert_expired ssl_c_verify 10
acl cert_revoked ssl_c_verify 23
} -run
haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
}
# Replace certificate with an expired one
shell {
- printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
}
# Replace certificate with a revoked one
shell {
- printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151"
}
# Abort a transaction
shell {
- printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "abort ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client3_revoked.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "abort ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
}
haproxy h1 -cli {
- send "show ssl cert ${testdir}/client1.pem"
+ send "show ssl cert ${testdir}/certs/client1.pem"
expect ~ ".*SHA1 FingerPrint: 992386628A40C9D49C89BAC0058B5D45D8575151"
}
listen clear-lst
bind "fd@${clearlst}"
- server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/set_cafile_rootCA.crt verify none
+ server s1 "${tmpdir}/ssl.sock" ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none
listen ssl-lst
# crt: certificate of the server
# ca-file: CA used for client authentication request
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/show_ocsp_server.pem ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/show_ocsp_server.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify none crt-ignore-err all
http-response add-header X-SSL-Client-Verify %[ssl_c_verify]
server s1 ${s1_addr}:${s1_port}
} -start
# Test the "show ssl ocsp-response" command with a certificate path as parameter
shell {
- ocsp_response=$(echo "show ssl ocsp-response ${testdir}/show_ocsp_server.pem" | socat "${tmpdir}/h1/stats" -)
+ ocsp_response=$(echo "show ssl ocsp-response ${testdir}/certs/show_ocsp_server.pem" | socat "${tmpdir}/h1/stats" -)
echo "$ocsp_response" | grep "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com" &&
echo "$ocsp_response" | grep "Cert Status: good"
send "show ssl cert"
expect ~ ".*show_ocsp_server.pem"
- send "show ssl cert ${testdir}/show_ocsp_server.pem"
+ send "show ssl cert ${testdir}/certs/show_ocsp_server.pem"
expect ~ "Serial: 100F"
- send "show ssl cert ${testdir}/show_ocsp_server.pem"
+ send "show ssl cert ${testdir}/certs/show_ocsp_server.pem"
expect ~ "OCSP Response Key: 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
- send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
+ send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp"
expect ~ "Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com"
- send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
+ send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp"
expect ~ "Cert Status: good"
}
# Change the server certificate's OCSP response through "set ssl ocsp-response"
shell {
- printf "set ssl ocsp-response <<\n$(cat ${testdir}/show_ocsp_server.pem.ocsp.revoked|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ocsp-response <<\n$(cat ${testdir}/certs/show_ocsp_server.pem.ocsp.revoked|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" -
}
# Check that the change was taken into account
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
expect ~ "Cert Status: revoked"
- send "show ssl cert ${testdir}/show_ocsp_server.pem.ocsp"
+ send "show ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp"
expect ~ "Cert Status: revoked"
}
# Change the server certificate's OCSP response through a transaction
shell {
- printf "set ssl cert ${testdir}/show_ocsp_server.pem <<\n$(cat ${testdir}/show_ocsp_server.pem | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/show_ocsp_server.pem.issuer <<\n$(cat ${testdir}/show_ocsp_server.pem.issuer | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/show_ocsp_server.pem.ocsp <<\n$(cat ${testdir}/show_ocsp_server.pem.ocsp|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/show_ocsp_server.pem <<\n$(cat ${testdir}/certs/show_ocsp_server.pem | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/show_ocsp_server.pem.issuer <<\n$(cat ${testdir}/certs/show_ocsp_server.pem.issuer | sed '/^$/d')\n\n" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/show_ocsp_server.pem.ocsp <<\n$(cat ${testdir}/certs/show_ocsp_server.pem.ocsp|openssl base64)\n\n" | socat "${tmpdir}/h1/stats" -
}
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
expect ~ "This Update: Jun 10 08:57:45 2021 GMT"
- send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp"
+ send "show ssl cert *${testdir}/certs/show_ocsp_server.pem.ocsp"
expect ~ "Cert Status: good"
- send "show ssl cert *${testdir}/show_ocsp_server.pem.ocsp"
+ send "show ssl cert *${testdir}/certs/show_ocsp_server.pem.ocsp"
expect ~ "This Update: Jun 10 08:55:04 2021 GMT"
}
# Commit the transaction and check that it was taken into account
haproxy h1 -cli {
- send "commit ssl cert ${testdir}/show_ocsp_server.pem"
+ send "commit ssl cert ${testdir}/certs/show_ocsp_server.pem"
expect ~ "Success!"
send "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100f"
listen ssl
# socket names indicate their capabilities and are used below in regex
# (0r means 0rtt OK, 1r means 0rtt not accepted)
- bind "${VTC_SOCK_TYPE}+fd@${sv_sf_1r}" name sf_1r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}"
- bind "${VTC_SOCK_TYPE}+fd@${sv_sl_1r}" name sl_1r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets
- bind "${VTC_SOCK_TYPE}+fd@${sv_sf_0r}" name sf_0r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt
- bind "${VTC_SOCK_TYPE}+fd@${sv_sl_0r}" name sl_0r ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt no-tls-tickets
+ bind "${VTC_SOCK_TYPE}+fd@${sv_sf_1r}" name sf_1r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}"
+ bind "${VTC_SOCK_TYPE}+fd@${sv_sl_1r}" name sl_1r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets
+ bind "${VTC_SOCK_TYPE}+fd@${sv_sf_0r}" name sf_0r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt
+ bind "${VTC_SOCK_TYPE}+fd@${sv_sl_0r}" name sl_0r ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" allow-0rtt no-tls-tickets
# expect early-data TLS version supports it and both the client and the listener support it
http-request add-header x-expect-early 1 if { int("$ZRTT_SUPP") eq 1 } { ssl_fc_is_resumed } { req.hdr(x-from) -m reg '^cl_0r' } { so_name -m reg '0r$' }
server s34 "${tmpdir}/ssl4.sock" alpn h2,http/1.1
frontend fe-ssl
- bind "${tmpdir}/ssl0.sock" ssl crt ${testdir}/common.pem
- bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/common.pem alpn http/1.1
- bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/common.pem alpn h2
- bind "${tmpdir}/ssl3.sock" ssl crt ${testdir}/common.pem alpn h2,http/1.1
- bind "${tmpdir}/ssl4.sock" ssl crt ${testdir}/common.pem no-alpn
+ bind "${tmpdir}/ssl0.sock" ssl crt ${testdir}/certs/common.pem
+ bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/certs/common.pem alpn http/1.1
+ bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/certs/common.pem alpn h2
+ bind "${tmpdir}/ssl3.sock" ssl crt ${testdir}/certs/common.pem alpn h2,http/1.1
+ bind "${tmpdir}/ssl4.sock" ssl crt ${testdir}/certs/common.pem no-alpn
http-request return status 200 hdr x-alpn _%[ssl_fc_alpn] hdr x-path %[path] hdr x-ver _%[req.ver]
} -start
bind "fd@${clearlst}"
balance roundrobin
# crt: certificate sent for a client certificate request
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem
- server s2 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client2_expired.pem # expired
- server s3 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client3_revoked.pem # revoked
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem
+ server s2 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client2_expired.pem # expired
+ server s3 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client3_revoked.pem # revoked
listen ssl-lst
# crt: certificate of the server
# ca-file: CA used for client authentication request
# crl-file: revocation list for client auth: the client1 certificate is revoked
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err X509_V_ERR_CERT_REVOKED,X509_V_ERR_CERT_HAS_EXPIRED crl-file ${testdir}/crl-auth.pem
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err X509_V_ERR_CERT_REVOKED,X509_V_ERR_CERT_HAS_EXPIRED crl-file ${testdir}/certs/crl-auth.pem
http-response add-header X-SSL %[ssl_c_verify,x509_v_err_str]
server s1 ${s1_addr}:${s1_port}
listen clear-lst
bind "fd@${clearlst}"
balance roundrobin
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem
listen ssl-lst
mode http
http-response add-header x-ssl-key_alg %[ssl_c_key_alg]
http-response add-header x-ssl-version %[ssl_c_version]
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/certs/crl-auth.pem
server s1 ${s1_addr}:${s1_port}
} -start
.if !ssllib_name_startswith(AWS-LC)
tune.ssl.default-dh-param 2048
.endif
- crt-base ${testdir}
+ crt-base ${testdir}/certs
stats socket "${tmpdir}/h1/stats" level admin
defaults
listen ssl-lst
mode http
- bind "${tmpdir}/ssl.sock" ssl strict-sni ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 crt-list ${testdir}/filters.crt-list
- bind "${tmpdir}/ssl2.sock" ssl strict-sni ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 crt-list ${testdir}/filters.crt-list
+ bind "${tmpdir}/ssl.sock" ssl strict-sni ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2 crt-list ${testdir}/certs/filters.crt-list
+ bind "${tmpdir}/ssl2.sock" ssl strict-sni ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.3 crt-list ${testdir}/certs/filters.crt-list
server s1 ${s1_addr}:${s1_port}
} -start
tune.ssl.default-dh-param 2048
.endif
tune.ssl.capture-buffer-size 1
- crt-base ${testdir}
+ crt-base ${testdir}/certs
defaults
mode http
bind "fd@${clearlst}"
balance roundrobin
http-response add-header x-ssl-bc-curve-name %[ssl_bc_curve]
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client.ecdsa.pem
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem
listen ssl-lst
mode http
http-response add-header x-ssl-fc-curve-name %[ssl_fc_curve]
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional curves X25519:P-256:P-384
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional curves X25519:P-256:P-384
server s1 ${s1_addr}:${s1_port}
} -start
default_backend ssl-be
backend ssl-be
- server s1 "${tmpdir}/ssl1.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12 curves P-256:P-384
+ server s1 "${tmpdir}/ssl1.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 curves P-256:P-384
backend ssl-curves-be
- server s1 "${tmpdir}/ssl2.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12 curves P-384
+ server s1 "${tmpdir}/ssl2.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12 curves P-384
backend ssl-ecdhe-256-be
- server s1 "${tmpdir}/ssl-ecdhe-256.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12
+ server s1 "${tmpdir}/ssl-ecdhe-256.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12
backend ssl-ecdhe-521-be
- server s1 "${tmpdir}/ssl-ecdhe-521.sock" ssl verify none crt ${testdir}/client.ecdsa.pem force-tlsv12
+ server s1 "${tmpdir}/ssl-ecdhe-521.sock" ssl verify none crt ${testdir}/certs/client.ecdsa.pem force-tlsv12
listen ssl1-lst
- bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional curves P-256:P-384
+ bind "${tmpdir}/ssl1.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional curves P-256:P-384
server s1 ${s1_addr}:${s1_port}
# The prime256v1 curve, which is used by default by a backend when no
log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0
error-log-format "ERROR conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]"
- bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional curves P-384
+ bind "${tmpdir}/ssl2.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional curves P-384
server s1 ${s1_addr}:${s1_port}
listen ssl-ecdhe-521-lst
log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0
error-log-format "ERROR ECDHE-521 conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]"
- bind "${tmpdir}/ssl-ecdhe-521.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ecdhe secp521r1
+ bind "${tmpdir}/ssl-ecdhe-521.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ecdhe secp521r1
server s1 ${s1_addr}:${s1_port}
listen ssl-ecdhe-256-lst
log ${Slg_cust_fmt_addr}:${Slg_cust_fmt_port} local0
error-log-format "ERROR ECDHE-256 conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:%{+Q}[ssl_fc_err_str]"
- bind "${tmpdir}/ssl-ecdhe-256.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ecdhe prime256v1
+ bind "${tmpdir}/ssl-ecdhe-256.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ecdhe prime256v1
server s1 ${s1_addr}:${s1_port}
} -start
.endif
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}
- ca-base ${testdir}
+ crt-base ${testdir}/certs
+ ca-base ${testdir}/certs
defaults
mode http
listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ca-auth.crt verify required crt-ignore-err all
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ca-auth.crt verify required crt-ignore-err all
acl cert_expired ssl_c_verify 10
acl cert_revoked ssl_c_verify 23
server s1 "${tmpdir}/ssl_dflt_gencert.sock" ssl verify none ssl-max-ver TLSv1.2
listen ssl-dflt-lst
- bind "${tmpdir}/ssl_dflt.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
+ bind "${tmpdir}/ssl_dflt.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
server s1 ${s1_addr}:${s1_port}
listen ssl-dflt-gencert-lst
- bind "${tmpdir}/ssl_dflt_gencert.sock" ssl generate-certificates crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
+ bind "${tmpdir}/ssl_dflt_gencert.sock" ssl generate-certificates crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
server s1 ${s1_addr}:${s1_port}
} -start
server s1 "${tmpdir}/ssl_dfltdh.sock" ssl verify none ssl-max-ver TLSv1.2
listen ssl-4096dh-dflt-lst
- bind "${tmpdir}/ssl_dfltdh.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
+ bind "${tmpdir}/ssl_dfltdh.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
server s1 ${s1_addr}:${s1_port}
} -start
thread-groups 1
.endif
- ssl-dh-param-file ${testdir}/common.4096.dh
+ ssl-dh-param-file ${testdir}/certs/common.4096.dh
defaults
mode http
server s1 "${tmpdir}/ssl_dhfile.sock" ssl verify none ssl-max-ver TLSv1.2
listen ssl-dhfile-lst
- bind "${tmpdir}/ssl_dhfile.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
+ bind "${tmpdir}/ssl_dhfile.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/set_cafile_rootCA.crt verify optional ciphers "DHE-RSA-AES256-GCM-SHA384" ssl-max-ver TLSv1.2
http-response set-header x-ssl-cipher %[ssl_fc_cipher]
server s1 ${s1_addr}:${s1_port}
} -start
# Add a custom DH to the server's PEM certificate
#
shell {
- printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h1/stats" -
- printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h2/stats" -
- echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h2/stats" -
+ printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h2/stats" -
+ echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h2/stats" -
- printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/common.pem)\n$(cat ${testdir}/common.4096.dh)\n\n" | socat "${tmpdir}/h3/stats" -
- echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h3/stats" -
+ printf "set ssl cert ${testdir}/certs/common.pem <<\n$(cat ${testdir}/certs/common.pem)\n$(cat ${testdir}/certs/common.4096.dh)\n\n" | socat "${tmpdir}/h3/stats" -
+ echo "commit ssl cert ${testdir}/certs/common.pem" | socat "${tmpdir}/h3/stats" -
}
listen clear_lst
bind "fd@${clearlst}"
- default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 sni str(foo.com)
+ default-server ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 sni str(foo.com)
balance roundrobin
server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
listen clear_wrong_ciphers_lst
bind "fd@${wrongcipherslst}"
- default-server ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 ciphers "aECDSA" sni str(foo.com)
+ default-server ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none no-ssl-reuse force-tlsv12 ciphers "aECDSA" sni str(foo.com)
balance roundrobin
server cust_fmt "${tmpdir}/cust_logfmt_ssl.sock"
error-log-format "ERROR bc_err:%[bc_err]:%{+Q}[bc_err_str]\ ssl_bc_err:%[ssl_bc_err,and(proc.ssl_error_mask)]:%[ssl_bc_err_str]"
balance roundrobin
- server no_err "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required sni str(Server)
- server srv_cert_rejected "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA1.crt verify required sni str(foo.com)
- server mismatch_frontend "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required sni str(foo.com) verifyhost str(toto) # We force TLSv1.2 for this specific case because server-side
+ server no_err "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required sni str(Server)
+ server srv_cert_rejected "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required sni str(foo.com)
+ server mismatch_frontend "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required sni str(foo.com) verifyhost str(toto) # We force TLSv1.2 for this specific case because server-side
# verification errors cannot be caught by the backend fetches when
# using TLSv1.3
- server clt_cert_rejected "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_client.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none force-tlsv12 sni str(foo.com)
- server wrong_ciphers "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com)
+ server clt_cert_rejected "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_client.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none force-tlsv12 sni str(foo.com)
+ server wrong_ciphers "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem ca-file ${testdir}/certs/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com)
# No TLSv1.3 support with OpenSSL 1.0.2 so we duplicate the previous
# wrong cipher test in this case so that the error log remains the same
.if openssl_version_before(1.1.1)
- server wrong_ciphers2 "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com)
+ server wrong_ciphers2 "${tmpdir}/wrong_ciphers_ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem ca-file ${testdir}/certs/ca-auth.crt force-tlsv12 ciphers "aECDSA" sni str(foo.com)
.else
- server wrong_ciphers_tls13 "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl verify none crt ${testdir}/client1.pem ca-file ${testdir}/ca-auth.crt ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" force-tlsv13 sni str(foo.com)
+ server wrong_ciphers_tls13 "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl verify none crt ${testdir}/certs/client1.pem ca-file ${testdir}/certs/ca-auth.crt ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" force-tlsv13 sni str(foo.com)
.endif
mode http
log-format "conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:\"%[ssl_fc_err]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
error-log-format "ERROR conn_status:\"%[fc_err]:%[fc_err_str]\" hsk_err:\"%[ssl_fc_err,and(proc.ssl_error_mask)]:%[ssl_fc_err_str]\" CN=%{+Q}[ssl_c_s_dn],serial=%[ssl_c_serial,hex],hash=%[ssl_c_sha1,hex]"
- bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA"
+ bind "${tmpdir}/cust_logfmt_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required ciphers "kRSA"
server s1 ${s1_addr}:${s1_port}
listen https_logfmt_ssl_lst
mode http
option httpslog
error-log-format "ERROR %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[fc_err]/%[ssl_fc_err,and(proc.ssl_error_mask),hex]/%[ssl_c_err]/%[ssl_c_ca_err]/%[ssl_fc_is_resumed] %[ssl_fc_sni]/%sslv/%sslc"
- bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA"
+ bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required ciphers "kRSA"
server s1 ${s1_addr}:${s1_port}
listen logconnerror_ssl_lst
log ${Slg_logconnerror_addr}:${Slg_logconnerror_port} local0 info
mode http
option httplog
- bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA"
+ bind "${tmpdir}/logconnerror_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-verify-file ${testdir}/certs/set_cafile_rootCA.crt ca-file ${testdir}/certs/set_cafile_interCA1.crt verify required ciphers "kRSA"
server s1 ${s1_addr}:${s1_port}
# The following listeners allow to test backend error fetches
listen no_backend_err_ssl_lst from bknd_err_dflt
- bind "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
+ bind "${tmpdir}/no_err_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none
server s1 ${s1_addr}:${s1_port}
listen srv_rejected_ssl_lst from bknd_err_dflt
- bind "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
+ bind "${tmpdir}/srv_rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none
server s1 ${s1_addr}:${s1_port}
listen mismatch_fe_ssl_lst from bknd_err_dflt
- bind "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify none
+ bind "${tmpdir}/mismatch_fe_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify none
server s1 ${s1_addr}:${s1_port}
listen rejected_clt_ssl_lst from bknd_err_dflt
- bind "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-file ${testdir}/set_cafile_interCA2.crt verify required
+ bind "${tmpdir}/rejected_ssl.sock" ssl crt ${testdir}/certs/set_cafile_server.pem ca-file ${testdir}/certs/set_cafile_interCA2.crt verify required
server s1 ${s1_addr}:${s1_port}
listen wrong_ciphers_ssl_lst from bknd_err_dflt
- bind "${tmpdir}/wrong_ciphers_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv12 ciphers "kRSA"
+ bind "${tmpdir}/wrong_ciphers_ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify none force-tlsv12 ciphers "kRSA"
server s1 ${s1_addr}:${s1_port}
.if openssl_version_atleast(1.1.1)
listen wrong_ciphers_tls13_ssl_lst from bknd_err_dflt
- bind "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify none force-tlsv13 ciphersuites "TLS_AES_128_GCM_SHA256"
+ bind "${tmpdir}/wrong_ciphers_tls13_ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ${testdir}/certs/ca-auth.crt verify none force-tlsv13 ciphersuites "TLS_AES_128_GCM_SHA256"
server s1 ${s1_addr}:${s1_port}
.endif
# Change the root CA in the frontends
shell {
- printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
}
client c4 -connect ${h1_clearlst_sock} {
# Restore the root CA
shell {
- printf "set ssl ca-file ${testdir}/set_cafile_rootCA.crt <<\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt <<\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_rootCA.crt" | socat "${tmpdir}/h1/stats" -
}
# Change the intermediate CA in the frontends
shell {
- printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
}
client c7 -connect ${h1_clearlst_sock} {
# Restore the intermediate CA in the frontends
shell {
- printf "set ssl ca-file ${testdir}/set_cafile_interCA1.crt <<\n$(cat ${testdir}/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA1.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA1.crt" | socat "${tmpdir}/h1/stats" -
}
# "No shared cipher" errors
shell {
- printf "set ssl ca-file ${testdir}/set_cafile_interCA2.crt <<\n$(cat ${testdir}/set_cafile_interCA2.crt)\n$(cat ${testdir}/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl ca-file ${testdir}/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt <<\n$(cat ${testdir}/certs/set_cafile_interCA2.crt)\n$(cat ${testdir}/certs/set_cafile_rootCA.crt)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl ca-file ${testdir}/certs/set_cafile_interCA2.crt" | socat "${tmpdir}/h1/stats" -
}
client c13 -connect ${h1_backenderrorslst_sock} {
tune.ssl.default-dh-param 2048
.endif
tune.ssl.capture-buffer-size 1
- crt-base ${testdir}
defaults
mode http
http-response add-header x-ssl-key_alg %[ssl_f_key_alg]
http-response add-header x-ssl-version %[ssl_f_version]
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem
+ bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem
server s1 ${s1_addr}:${s1_port}
} -start
server s1 "${tmpdir}/ssl_P-384.sock" ssl verify none ssl-max-ver TLSv1.2 sni var(sess.sni)
listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional
+ bind "${tmpdir}/ssl.sock" ssl generate-certificates crt ${testdir}/certs/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional
http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
server s1 ${s1_addr}:${s1_port}
listen ssl-lst-P-384
- bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1
+ bind "${tmpdir}/ssl_P-384.sock" ssl generate-certificates crt ${testdir}/certs/generate_certificates/gen_cert_server.pem ca-sign-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem ca-file ${testdir}/certs/generate_certificates/gen_cert_ca.pem verify optional ecdhe secp384r1
http-response add-header x-ssl-s_dn %[ssl_f_s_dn(CN)]
http-response add-header x-ssl-i_dn %[ssl_f_i_dn(CN)]
http-response add-header x-ssl-sig_alg %[ssl_f_sig_alg]
http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
listen ssl
- bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" "${NO_TLS_TICKETS}"
-
+ bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/certs/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" "${NO_TLS_TICKETS}"
http-response add-header x-ssl-resumed %[ssl_fc_is_resumed]
server s1 ${s1_addr}:${s1_port}
} -start
tune.ssl.default-dh-param 2048
.endif
tune.ssl.capture-buffer-size 1
- crt-base ${testdir}
+ crt-base ${testdir}/certs
stats socket "${tmpdir}/h1/stats" level admin
defaults
listen ssl-lst
mode http
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/localhost.crt-list
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/localhost.crt-list
server s1 ${s1_addr}:${s1_port}
} -start
.if !ssllib_name_startswith(AWS-LC)
tune.ssl.default-dh-param 2048
.endif
- crt-base ${testdir}
+ crt-base ${testdir}/certs
stats socket "${tmpdir}/h1/stats" level admin
defaults
listen ssl-lst
mode http
- bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/simple.crt-list
+ bind "${tmpdir}/ssl.sock" ssl strict-sni crt-list ${testdir}/certs/simple.crt-list
server s1 ${s1_addr}:${s1_port}
} -start
default-server inter 100ms
frontend fe_ssl
- bind "fd@${fe_ssl}" ssl crt ${testdir}/common.pem
+ bind "fd@${fe_ssl}" ssl crt ${testdir}/certs/common.pem
http-request return status 200 if { path /test1 } { ssl_fc_sni www.test1.org }
http-request return status 500 if { path /test2 } { ssl_fc_sni -m found }
http-request deny
listen li_check_ssl
- bind "fd@${li_check_ssl}" ssl crt ${testdir}/common.pem
+ bind "fd@${li_check_ssl}" ssl crt ${testdir}/certs/common.pem
http-request set-header x-sni %[ssl_fc_sni] if { ssl_fc_sni -m found }
use-server s1 if { path /test1 }
listen frt
mode http
- bind "fd@${frt}" ssl crt ${testdir}/common.pem
+ bind "fd@${frt}" ssl crt ${testdir}/certs/common.pem
http-request redirect location /
} -start