diff options
author | William Lallemand <wlallemand@haproxy.org> | 2021-12-30 14:57:32 +0100 |
---|---|---|
committer | William Lallemand <wlallemand@haproxy.org> | 2021-12-30 16:57:16 +0100 |
commit | acd546b07cd68537d173dde38342d86fadd706d1 (patch) | |
tree | 82456974d2b0277cac2732db14ca418d62f31321 | |
parent | e69563fd8ed1a492ae4547451935908c0802e2c4 (diff) | |
download | haproxy-acd546b07cd68537d173dde38342d86fadd706d1.tar.gz |
REGTESTS: ssl: update of a crt with server deletion
This test verifies that a certificate is in a "Unused" state once every
server which uses it are dynamically removed.
-rw-r--r-- | reg-tests/ssl/dynamic_server_ssl.vtc | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/reg-tests/ssl/dynamic_server_ssl.vtc b/reg-tests/ssl/dynamic_server_ssl.vtc new file mode 100644 index 000000000..84854a38b --- /dev/null +++ b/reg-tests/ssl/dynamic_server_ssl.vtc @@ -0,0 +1,112 @@ +#REGTEST_TYPE=bug +# Test if a certicate can be dynamically updated once a server which used it +# was removed. +# +varnishtest "Delete server via cli and update certificates" + +feature ignore_unknown_macro + +#REQUIRE_VERSION=2.4 +#REQUIRE_OPTIONS=OPENSSL +feature cmd "command -v socat" + +# static server +server s1 -repeat 3 { + rxreq + txresp \ + -body "resp from s1" +} -start + +haproxy h1 -conf { + global + stats socket "${tmpdir}/h1/stats" level admin + + defaults + mode http + timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" + timeout client "${HAPROXY_TEST_TIMEOUT-5s}" + timeout server "${HAPROXY_TEST_TIMEOUT-5s}" + + frontend fe + bind "fd@${feS}" + default_backend test + + backend test + server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem" + server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem" + server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/client1.pem" + + + listen ssl-lst + bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/common.pem" + server s1 ${s1_addr}:${s1_port} + +} -start + + +haproxy h1 -cli { + send "show ssl cert ${testdir}/client1.pem" + expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" +} +client c1 -connect ${h1_feS_sock} { + txreq + rxresp + expect resp.body == "resp from s1" +} -run + +haproxy h1 -cli { + send "show ssl cert ${testdir}/client1.pem" + expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4" +} + +## delete the servers +haproxy h1 -cli { + send "disable server test/s1" + expect ~ ".*" + send "disable server test/s2" + expect ~ ".*" + send "disable server test/s3" + expect ~ ".*" + + # valid command + send "experimental-mode on; del server test/s1" + expect ~ "Server deleted." + send "experimental-mode on; del server test/s2" + expect ~ "Server deleted." + send "experimental-mode on; del server test/s3" + expect ~ "Server deleted." +} + +# Replace certificate with an expired one +shell { + printf "set ssl cert ${testdir}/client1.pem <<\n$(cat ${testdir}/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" - + echo "commit ssl cert ${testdir}/client1.pem" | socat "${tmpdir}/h1/stats" - +} + +haproxy h1 -cli { + send "show ssl cert ${testdir}/client1.pem" + expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4" +} + +haproxy h1 -cli { + send "show ssl cert ${testdir}/client1.pem" + expect ~ ".*Status: Unused" +} + +haproxy h1 -cli { + send "experimental-mode on; add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/client1.pem" + expect ~ "New server registered." + send "enable server test/s1" + expect ~ ".*" + send "show ssl cert ${testdir}/client1.pem" + expect ~ ".*Status: Used" +} + + +# check that servers are active +client c1 -connect ${h1_feS_sock} { + txreq + rxresp + expect resp.body == "resp from s1" +} -run + |