From: William Lallemand <wlallemand@haproxy.org>
Date: Mon, 1 Feb 2021 13:37:36 +0000 (+0100)
Subject: REGTESTS: set_ssl_server_cert.vtc: remove SSL caching and set as working
X-Git-Tag: v2.4-dev7~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a870a9cfdba7f8730766fc5995f51ef5a3384dbd;p=thirdparty%2Fhaproxy.git

REGTESTS: set_ssl_server_cert.vtc: remove SSL caching and set as working

In a previous commit this test was disabled because I though the
feature was broken, but in fact this is the test which is broken.

Indeed the connection between the server and the client was not
renegociated and was using the SSL cache or a ticket. To be work
correctly these 2 features must be disabled or a new connection must be
established after the ticket timeout, which is too long for a regtest.

Also a "nbthread 1" was added as it was easier to reproduce the problem
with it.
---

diff --git a/reg-tests/ssl/set_ssl_server_cert.vtc b/reg-tests/ssl/set_ssl_server_cert.vtc
index 0a58c1bbd3..61346e07e5 100644
--- a/reg-tests/ssl/set_ssl_server_cert.vtc
+++ b/reg-tests/ssl/set_ssl_server_cert.vtc
@@ -1,4 +1,4 @@
-#REGTEST_TYPE=broken
+#REGTEST_TYPE=devel
 
 # This reg-test uses the "set ssl cert" command to update a backend certificate over the CLI.
 # It requires socat to upload the certificate
@@ -19,6 +19,8 @@ haproxy h1 -conf {
         tune.ssl.default-dh-param 2048
         tune.ssl.capture-cipherlist-size 1
         stats socket "${tmpdir}/h1/stats" level admin
+        nbthread 1
+        tune.ssl.cachesize 0
 
     defaults
         mode http
@@ -39,7 +41,7 @@ haproxy h1 -conf {
         # crt: certificate of the server
         # ca-file: CA used for client authentication request
         # crl-file: revocation list for client auth: the client1 certificate is revoked
-        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem
+        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem no-tls-tickets
 
         acl cert_expired ssl_c_verify 10
         acl cert_revoked ssl_c_verify 23