From: William Lallemand Date: Thu, 19 Dec 2019 10:25:19 +0000 (+0100) Subject: REGTEST: ssl: test the "set ssl cert" CLI command X-Git-Tag: v2.2-dev1~170 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c1aa0a2a1ea39e4c9e194bb339785c55ceb4a2c;p=thirdparty%2Fhaproxy.git REGTEST: ssl: test the "set ssl cert" CLI command Add a reg-test which test the update of a certificate over the CLI. This test requires socat and curl. This commit also adds an ECDSA certificate in the ssl directory.
---
diff --git a/reg-tests/ssl/ecdsa.pem b/reg-tests/ssl/ecdsa.pem
new file mode 100644
index 0000000000..e737689cd0
--- /dev/null
+++ b/reg-tests/ssl/ecdsa.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIIBfzCCAQWgAwIBAgIUYDgleyiLJSKbSWzlU3PTCB/PPYIwCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE5MTIxOTA5MzExMloXDTIwMDExODA5
+MzExMlowFDESMBAGA1UEAwwJbG9jYWxob3N0MHYwEAYHKoZIzj0CAQYFK4EEACID
+YgAEHNNG/ZSuS7CXvL03ye/Y+LpWnX818mnYkxqUQdFO2N1CO0p6kSIMHrzMQIRe
+v3+j2g6drKehMGjBmeZJwsbD6nYyUO1z+0MatW5UiTMWFmPq4v08TDDtd8sNcWgs
+SWrToxgwFjAUBgNVHREEDTALgglsb2NhbGhvc3QwCgYIKoZIzj0EAwIDaAAwZQIw
+N2BdTJOH3BZlJ7HRIJNRC7jjByI9+QYAHiBoXmJVi9aoKd7OIz1Nb2DPe3QS1sDw
+AjEA9KzI8BVIZJEmsVA6rs+vRjX0tUfBhD7BCHKas0roOny9Smj/TkBFxVTNnjzM
+8iLn
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDZMkuztqaUgCAC9/7P
+CsmlC2ac7rWerq5+NKbP0Cz1+mao6+F5Hc8DKNXHgi5GPr2hZANiAAQc00b9lK5L
+sJe8vTfJ79j4uladfzXyadiTGpRB0U7Y3UI7SnqRIgwevMxAhF6/f6PaDp2sp6Ew
+aMGZ5knCxsPqdjJQ7XP7Qxq1blSJMxYWY+ri/TxMMO13yw1xaCxJatM=
+-----END PRIVATE KEY-----
diff --git a/reg-tests/ssl/set_ssl_cert.vtc b/reg-tests/ssl/set_ssl_cert.vtc
new file mode 100644
index 0000000000..1cdbd423c6
--- /dev/null
+++ b/reg-tests/ssl/set_ssl_cert.vtc
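Review bot: The validity window baked into this fixture is very short: the notBefore/notAfter fields in the certificate decode to 2019-12-19 and 2020-01-18, so it expires 30 days after generation. The accompanying reg-test only survives that because curl is run with `-k` and, as far as this hunk shows, nothing inspects the validity dates, so any later tightening (verifying against the fixture instead of `-k`, or an expiry warning surfacing in `show ssl cert`) will start failing for reasons unrelated to the CLI command under test. Consider regenerating with a multi-year validity, e.g. `openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes -days 3650 -subj /CN=localhost -addext subjectAltName=DNS:localhost`, and recording the generation command in the commit message or a README beside the fixture. Committing the private key is fine for a throwaway test key, but a one-line note that this key pair exists only for reg-tests and must never be deployed would help the next reader.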
@@ -0,0 +1,58 @@
+#REGTEST_TYPE=slow
+
+# This reg-test uses the "set ssl cert" command to update a certificate over the CLI.
+# It requires socat and curl to upload and validate that the certificate was well updated
+
+# If this test does not work anymore:
+# - Check that you have socat and curl
+# - Check that the curl -v option still return the SSL CN
+
+varnishtest "Test the 'set ssl cert' feature of the CLI"
+#REQUIRE_OPTIONS=OPENSSL
+feature ignore_unknown_macro
+
+
+haproxy h1 -conf {
+ global
+ tune.ssl.default-dh-param 2048
+ tune.ssl.capture-cipherlist-size 1
+ stats socket "${tmpdir}/h1/stats" level admin
+
+ listen frt
+ mode http
+ ${no-htx} option http-use-htx
+ bind "fd@${frt}" ssl crt ${testdir}/common.pem
+ http-request redirect location /
+} -start
+
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/common.pem"
+ expect ~ ".*SHA1 FingerPrint: 2195C9F0FD58470313013FC27C1B9CF9864BD1C6"
+}
+
+shell {
+ HOST=${h1_frt_addr}
+ if [ "${h1_frt_addr}" = "::1" ] ; then
+ HOST="\[::1\]"
+ fi
+ curl -v -i -k https://$HOST:${h1_frt_port} 2>&1 | grep CN=www.test1.com
+}
+
+shell {
+ echo -e "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
+}
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/common.pem"
+ expect ~ ".*SHA1 FingerPrint: A490D069DBAFBEE66DE434BEC34030ADE8BCCBF1"
+}
+
+shell {
+ HOST=${h1_frt_addr}
+ if [ "${h1_frt_addr}" = "::1" ] ; then
+ HOST="\[::1\]"
+ fi
+ curl -v -i -k https://$HOST:${h1_frt_port} 2>&1 | grep CN=localhost
+}
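Review bot: `echo -e` in the first socat shell block is not portable: if the harness runs these blocks through `/bin/sh` and that is dash (Debian-based systems), the `-e` is printed literally, so the payload reaching the stats socket starts with `-e set ssl cert ...`, the update is rejected, and the test fails only at the later fingerprint `expect`, far from the cause. Replace it with printf, `printf '%s\n' "set ssl cert ${testdir}/common.pem <<" "$(cat ${testdir}/ecdsa.pem)" "" | socat "${tmpdir}/h1/stats" -`, which emits the same command line, PEM payload and terminating empty line without running the certificate text through an escape-processing step. While there, neither socat pipe checks what the CLI answered — socat exits 0 whether `set` or `commit` succeeded or returned an error — so piping each reply through a `grep -q` for the expected success message (or sending the single-line `commit ssl cert` through a `haproxy h1 -cli { send ... expect ... }` block like the `show` checks already do) would pin a failure where it happens. The `-k` on curl is appropriate for a self-signed fixture, but it means both checks only confirm the presented CN and not that the chain validates; a short comment saying so would stop anyone reading this as a TLS verification test.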