--- /dev/null
+#REGTEST_TYPE=devel
+
+# This reg-test ensures that SSL related configuration specified in a
+# default-server option are properly taken into account by the servers
+# (frontend). It mainly focuses on the client certificate used by the frontend,
+# that can either be defined in the server line itself, in the default-server
+# line or in both.
+#
+# It was created following a bug raised in redmine (issue #3906) in which a
+# server used an "empty" SSL context instead of the proper one.
+#
+
+varnishtest "Test the 'set ssl cert' feature of the CLI"
+# QUIC backend are not supported with USE_QUIC_OPENSSL_COMPAT
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL)'"
+
+setenv VTC_SOCK_TYPE quic
+include ${testdir}/../ssl/ssl_default_server.vtci
varnishtest "Test the 'set ssl cert' feature of the CLI"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
-feature ignore_unknown_macro
-server s1 -repeat 7 {
- rxreq
- txresp
-} -start
-
-haproxy h1 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- .if !ssllib_name_startswith(AWS-LC)
- tune.ssl.default-dh-param 2048
- .endif
- tune.ssl.capture-buffer-size 1
- stats socket "${tmpdir}/h1/stats" level admin
- crt-base ${testdir}/certs
- ca-base ${testdir}/certs
-
- defaults
- mode http
- option httplog
- log stderr local0 debug err
- option logasap
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
- listen clear-lst
- bind "fd@${clearlst}"
- use_backend first_be if { path /first }
- use_backend second_be if { path /second }
- use_backend third_be if { path /third }
- use_backend fourth_be if { path /fourth }
- use_backend fifth_be if { path /fifth }
-
-
- backend first_be
- default-server ssl crt client1.pem ca-file ca-auth.crt verify none
- server s1 "${tmpdir}/ssl.sock"
-
- backend second_be
- default-server ssl ca-file ca-auth.crt verify none
- server s1 "${tmpdir}/ssl.sock" crt client1.pem
-
- backend third_be
- default-server ssl crt client1.pem ca-file ca-auth.crt verify none
- server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem
-
- backend fourth_be
- default-server ssl crt client1.pem verify none
- server s1 "${tmpdir}/ssl.sock" ca-file ca-auth.crt
-
- backend fifth_be
- balance roundrobin
- default-server ssl crt client1.pem verify none
- server s1 "${tmpdir}/ssl.sock"
- server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem
- server s3 "${tmpdir}/ssl.sock"
-
-
- listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/certs/common.pem ca-file ca-auth.crt verify required crt-ignore-err all
-
- acl cert_expired ssl_c_verify 10
- acl cert_revoked ssl_c_verify 23
- acl cert_ok ssl_c_verify 0
-
- http-response add-header X-SSL Ok if cert_ok
- http-response add-header X-SSL Expired if cert_expired
- http-response add-header X-SSL Revoked if cert_revoked
-
- server s1 ${s1_addr}:${s1_port}
-} -start
-
-
-
-client c1 -connect ${h1_clearlst_sock} {
- txreq -url "/first"
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl == "Ok"
-} -run
-
-client c1 -connect ${h1_clearlst_sock} {
- txreq -url "/second"
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl == "Ok"
-} -run
-
-client c1 -connect ${h1_clearlst_sock} {
- txreq -url "/third"
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl == "Expired"
-} -run
-
-client c1 -connect ${h1_clearlst_sock} {
- txreq -url "/fourth"
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl == "Ok"
-} -run
-
-client c1 -connect ${h1_clearlst_sock} {
- txreq -url "/fifth"
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl == "Ok"
-} -run
-
-client c1 -connect ${h1_clearlst_sock} {
- txreq -url "/fifth"
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl == "Expired"
-} -run
-
-client c1 -connect ${h1_clearlst_sock} {
- txreq -url "/fifth"
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl == "Ok"
-} -run
+setenv VTC_SOCK_TYPE stream
+include ${testdir}/ssl_default_server.vtci
--- /dev/null
+feature ignore_unknown_macro
+
+server s1 -repeat 7 {
+ rxreq
+ txresp
+} -start
+
+haproxy h1 -conf {
+ global
+ .if streq("$VTC_SOCK_TYPE",quic)
+ # required for backend connections
+ expose-experimental-directives
+ .endif
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ .if !ssllib_name_startswith(AWS-LC)
+ tune.ssl.default-dh-param 2048
+ .endif
+ tune.ssl.capture-buffer-size 1
+ stats socket "${tmpdir}/h1/stats" level admin
+ crt-base ${testdir}/certs
+ ca-base ${testdir}/certs
+
+ defaults
+ mode http
+ option httplog
+ log stderr local0 debug err
+ option logasap
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ listen clear-lst
+ bind "fd@${clearlst}"
+ use_backend first_be if { path /first }
+ use_backend second_be if { path /second }
+ use_backend third_be if { path /third }
+ use_backend fourth_be if { path /fourth }
+ use_backend fifth_be if { path /fifth }
+
+
+ backend first_be
+ default-server ssl crt client1.pem ca-file ca-auth.crt verify none
+ server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}"
+
+ backend second_be
+ default-server ssl ca-file ca-auth.crt verify none
+ server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" crt client1.pem
+
+ backend third_be
+ default-server ssl crt client1.pem ca-file ca-auth.crt verify none
+ server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" crt client2_expired.pem
+
+ backend fourth_be
+ default-server ssl crt client1.pem verify none
+ server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" ca-file ca-auth.crt
+
+ backend fifth_be
+ balance roundrobin
+ default-server ssl crt client1.pem verify none
+ server s1 "${VTC_SOCK_TYPE}+${h1_ssl_sock}"
+ server s2 "${VTC_SOCK_TYPE}+${h1_ssl_sock}" crt client2_expired.pem
+ server s3 "${VTC_SOCK_TYPE}+${h1_ssl_sock}"
+
+
+ listen ssl-lst
+ bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt ${testdir}/certs/common.pem ca-file ca-auth.crt verify required crt-ignore-err all
+
+ acl cert_expired ssl_c_verify 10
+ acl cert_revoked ssl_c_verify 23
+ acl cert_ok ssl_c_verify 0
+
+ http-response add-header X-SSL Ok if cert_ok
+ http-response add-header X-SSL Expired if cert_expired
+ http-response add-header X-SSL Revoked if cert_revoked
+
+ server s1 ${s1_addr}:${s1_port}
+} -start
+
+
+
+client c1 -connect ${h1_clearlst_sock} {
+ txreq -url "/first"
+ rxresp
+ expect resp.status == 200
+ expect resp.http.x-ssl == "Ok"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+ txreq -url "/second"
+ txreq
+ rxresp
+ expect resp.status == 200
+ expect resp.http.x-ssl == "Ok"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+ txreq -url "/third"
+ txreq
+ rxresp
+ expect resp.status == 200
+ expect resp.http.x-ssl == "Expired"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+ txreq -url "/fourth"
+ txreq
+ rxresp
+ expect resp.status == 200
+ expect resp.http.x-ssl == "Ok"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+ txreq -url "/fifth"
+ txreq
+ rxresp
+ expect resp.status == 200
+ expect resp.http.x-ssl == "Ok"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+ txreq -url "/fifth"
+ txreq
+ rxresp
+ expect resp.status == 200
+ expect resp.http.x-ssl == "Expired"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+ txreq -url "/fifth"
+ txreq
+ rxresp
+ expect resp.status == 200
+ expect resp.http.x-ssl == "Ok"
+} -run
projects / thirdparty / haproxy.git / commitdiff
