From: Remi Gacogne
Date: Mon, 22 Dec 2025 10:13:15 +0000 (+0100)
Subject: dnsdist: Add regression tests for IP-only TLS certificates
X-Git-Tag: rec-5.4.0-beta1~61^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3dcd68344c74dc81dad6c649e6a1920a5c82a959;p=thirdparty%2Fpdns.git
dnsdist: Add regression tests for IP-only TLS certificates
Signed-off-by: Remi Gacogne
---
diff --git a/regression-tests.dnsdist/.gitignore b/regression-tests.dnsdist/.gitignore
index f5c450fbbd..fb34804195 100644
--- a/regression-tests.dnsdist/.gitignore
+++ b/regression-tests.dnsdist/.gitignore
@@ -29,6 +29,7 @@
 /server-ocsp.p12
 /server-tls.*
 /server.ocsp
+/server-ip-only.*
 /configs
 /dnsdist.log
 /dnsdist_test.conf
diff --git a/regression-tests.dnsdist/Makefile b/regression-tests.dnsdist/Makefile
index e851c8c149..f755d3d845 100644
--- a/regression-tests.dnsdist/Makefile
+++ b/regression-tests.dnsdist/Makefile
@@ -27,3 +27,9 @@ certs:
 openssl x509 -req -days 1 -CA ca.pem -CAkey ca.key -CAcreateserial -in server-ec.csr -out server-ec.pem -extfile configServer.conf -extensions v3_req
 # Generate a chain
 cat server-ec.pem ca.pem > server-ec.chain
+ # Generate a new server certificate request (IP-only)
+ openssl req -new -newkey rsa:2048 -nodes -keyout server-ip-only.key -out server-ip-only.csr -config configServer-ip-only.conf
+ # Sign the server cert
+ openssl x509 -req -days 1 -CA ca.pem -CAkey ca.key -CAcreateserial -in server-ip-only.csr -out server-ip-only.pem -extfile configServer-ip-only.conf -extensions v3_req
+ # Generate a chain
+ cat server-ip-only.pem ca.pem > server-ip-only.chain
diff --git a/regression-tests.dnsdist/test_TLS.py b/regression-tests.dnsdist/test_TLS.py
index 8223d28a57..cbf3be16bf 100644
--- a/regression-tests.dnsdist/test_TLS.py
+++ b/regression-tests.dnsdist/test_TLS.py
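Review bot: In the Makefile `certs` recipe, nothing checks that the certificate signed from `configServer-ip-only.conf` really carries only IP subjectAltName entries, and that file is not part of the diff visible here, so its `v3_req` section cannot be reviewed from this page. Since `-extfile configServer-ip-only.conf -extensions v3_req` is the only thing that separates this certificate from the existing ones, a later edit that adds a DNS name there could leave the new tests passing without exercising the IP-only path. Consider adding, after the signing step, a line such as `openssl x509 -in server-ip-only.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later) so the generated SAN shows up in the build log, plus the comment `# v3_req in configServer-ip-only.conf must list only IP: subjectAltName entries`. The `certs` recipe begins outside the hunk.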
@@ -272,17 +272,21 @@ class TestOpenSSL(DNSDistTest, TLSTests):
 _serverKey = 'server-tls.key'
 _serverCert = 'server-tls.chain'
 _serverName = 'tls.tests.dnsdist.org'
+ _serverIPOnlyKey = 'server-ip-only.key'
+ _serverIPOnlyCert = 'server-ip-only.chain'
 _caCert = 'ca.pem'
 _tlsServerPort = pickAvailablePort()
+ _tlsServerPort2 = pickAvailablePort()
 _config_template = """
 setKey("%s")
 controlSocket("127.0.0.1:%d")
 newServer{address="127.0.0.1:%d"}
 addTLSLocal("127.0.0.1:%d", "%s", "%s", { provider="openssl" })
+ addTLSLocal("127.0.0.1:%d", "%s", "%s", { provider="openssl" })
 addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
 """
- _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']
+ _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey', '_tlsServerPort2', '_serverIPOnlyCert', '_serverIPOnlyKey']
 @classmethod
 def setUpClass(cls):
@@ -301,17 +305,21 @@ class TestGnuTLS(DNSDistTest, TLSTests):
 _serverKey = 'server-tls.key'
 _serverCert = 'server-tls.chain'
 _serverName = 'tls.tests.dnsdist.org'
+ _serverIPOnlyKey = 'server-ip-only.key'
+ _serverIPOnlyCert = 'server-ip-only.chain'
 _caCert = 'ca.pem'
 _tlsServerPort = pickAvailablePort()
+ _tlsServerPort2 = pickAvailablePort()
 _config_template = """
 setKey("%s")
 controlSocket("127.0.0.1:%d")
 newServer{address="127.0.0.1:%d"}
 addTLSLocal("127.0.0.1:%d", "%s", "%s", { provider="gnutls" })
+ addTLSLocal("127.0.0.1:%d", "%s", "%s", { provider="gnutls" })
 addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
 """
- _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']
+ _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey', '_tlsServerPort2', '_serverIPOnlyCert', '_serverIPOnlyKey']
 @classmethod
 def setUpClass(cls):
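Review bot: `_tlsServerPort2` in the TestOpenSSL hunk does not say which listener it belongs to, while the two attributes added beside it are named `_serverIPOnlyKey` and `_serverIPOnlyCert`; a name such as `_tlsIPOnlyServerPort` would keep the three visibly together, provided the tests that use it (not visible here) are renamed with it. The identical addition in the TestGnuTLS hunk has the same issue. Because `_config_params` is bound to the `%d`/`%s` placeholders of `_config_template` purely by position, a comment above the new attribute, for example `# second listener, serving the IP-only certificate (server-ip-only.chain)`, would help the next editor keep the appended port, cert and key in step with the second `addTLSLocal` line. Both class bodies start before and continue past their hunks.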