From: Mariam John Date: Wed, 16 Apr 2025 13:36:08 +0000 (-0500) Subject: REGTEST: add new reg-test for the 4 new clienthello fetches X-Git-Tag: v3.2-dev11~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a8c4df45d6bebf58eae6dcf4a990f8f74b238d4;p=thirdparty%2Fhaproxy.git REGTEST: add new reg-test for the 4 new clienthello fetches Add a reg-test which uses the 4 fetches: - req.ssl_cipherlist - req.ssl_sigalgs - req.ssl_keyshare_groups - req.ssl_supported_groups
---
diff --git a/reg-tests/checks/tcp-check-client-hello.vtc b/reg-tests/checks/tcp-check-client-hello.vtc
new file mode 100644
index 0000000000..435fec70f1
--- /dev/null
+++ b/reg-tests/checks/tcp-check-client-hello.vtc
@@ -0,0 +1,79 @@
+#REGTEST_TYPE=devel
+#EXCLUDE_TARGETS=osx,generic
+
+varnishtest "Health checks: test enhanced observability of TLS ClientHello"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(wolfSSL) && !ssllib_name_startswith(LibreSSL) && openssl_version_atleast(1.1.1)'"
+feature ignore_unknown_macro
+
+syslog S_ok -level notice {
+ recv
+ expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
+ recv
+ expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
+ recv
+ expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
+} -start
+
+haproxy htst -conf {
+ global
+ ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
+
+ defaults
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ listen li1
+ mode tcp
+ bind "fd@${li1}"
+ tcp-request inspect-delay 100ms
+
+ acl check_sig_algs req.ssl_sigalgs,be2hex(:,2),lower -m found
+ acl check_key_shares req.ssl_keyshare_groups,be2hex(:,2),lower -m found
+ tcp-request content accept if check_sig_algs
+ tcp-request content accept if check_key_shares
+
+ # Refer to https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8 && https://tls13.xargs.org/#client-hello/annotated to get the binary values
+ use-server fe3 if { req.ssl_cipherlist,be2hex(:,2),lower -m sub 1302:1303:1301:009f } || { req.ssl_supported_groups, be2hex(:,2),lower -m sub 001d }
+ server fe3 ${htst_fe3_addr}:${htst_fe3_port}
+
+ use-server fe1 if { req.ssl_supported_groups, be2hex(:,2),lower -m sub 0017 }
+ server fe1 ${htst_fe1_addr}:${htst_fe1_port}
+
+ frontend fe1
+ bind "fd@${fe1}" ssl crt ${testdir}/common.pem curves P-256:P-384
+
+ frontend fe3
+ bind "fd@${fe3}" ssl crt ${testdir}/common.pem
+} -start
+
+haproxy h1 -conf {
+ defaults
+ mode tcp
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ backend be1
+ mode tcp
+ log ${S_ok_addr}:${S_ok_port} daemon
+ option log-health-checks
+ option tcp-check
+ server srv ${htst_li1_addr}:${htst_li1_port} check inter 1s rise 1 fall 1 check-ssl verify none curves X25519
+
+ backend be2
+ mode tcp
+ log ${S_ok_addr}:${S_ok_port} daemon
+ option log-health-checks
+ option tcp-check
+ server srv ${htst_li1_addr}:${htst_li1_port} check inter 1s rise 1 fall 1 check-ssl verify none curves P-256:P-384
+
+ backend be3
+ mode tcp
+ log ${S_ok_addr}:${S_ok_port} daemon
+ option log-health-checks
+ option tcp-check
+ server srv ${htst_li1_addr}:${htst_li1_port} check inter 1s rise 1 fall 1 check-ssl verify none ciphers ECDHE-RSA-AES256-GCM-SHA384
+} -start
+
+syslog S_ok -wait
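Review bot: The two ACLs `check_sig_algs` and `check_key_shares` in `listen li1` gate nothing: accepting is already the default when no `tcp-request content` rule matches, so a fetch that returns nothing still lets the check reach a server and the three S_ok expectations still pass. Adding `tcp-request content reject` after the two accept lines would make an empty `req.ssl_sigalgs` / `req.ssl_keyshare_groups` result fail the health check instead of being invisible. The `1302:1303:1301:009f` substring in the `use-server fe3` rule looks unreachable: as far as I can tell 0x009f is the DHE-RSA (not ECDHE-RSA) AES256-GCM-SHA384 suite, and be3's `ciphers ECDHE-RSA-AES256-GCM-SHA384` (0xc030) would not produce it, so routing to fe3 rests entirely on the `|| … 001d` branch and `req.ssl_cipherlist` is not really exercised — worth checking against a capture and, if confirmed, changing the rule to `-m sub c030`. A connection that matches neither `use-server` rule falls back to the default balancing between fe3 and fe1, so a wrong fetch value only surfaces as a handshake failure depending on which server happens to be picked. Minor style: `req.ssl_supported_groups, be2hex(:,2),lower` has a space after the comma where the other expressions in the file have none.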