kozorizki/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

REGTESTS: Fix script about OCSP update compatibility tests

Browse Source 
There were two occurrences of the seventh test. I don't know really why, but
this triggered a VTC error:

---- h7    Assert error in _assert_VSB_state(), lib/vsb.c line 104:  Condition((s->s_flags & 0x00020000) == state) not true.  Errno=0 Success

Renumbering tests fixes the script.
This commit is contained in:
Christopher Faulet 2024-03-28 17:23:51 +01:00
parent 6333e6ec8e
commit e91da1dd8e
1 changed files with 111 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

225
reg-tests/ssl/ocsp_auto_update.vtc
View File

@ -642,13 +642,10 @@ haproxy h7 -cli {
haproxy h7 -wait
process p7 -wait
haproxy h6 -wait
process p6 -wait
######################
# #
# SEVENTH TEST CASE #
# EIGTH TEST CASE #
# #
######################
@ -658,100 +655,6 @@ process p6 -wait
# instance is removed (via del ssl crt-list).
#
haproxy h7 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h7/stats" level admin
crt-base ${testdir}/ocsp_update
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
bind "${tmpdir}/ssl-h7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
listen http_rebound_lst
mode http
bind "127.0.0.1:12345"
server s1 "127.0.0.1:12346"
} -start
# Check that the two certificates are taken into account in the auto update process
haproxy h7 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*"
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
}
# Remove the second line from the crt-list and check that the corresponding
# ocsp response was removed from the auto update list but is still present in the
# system
haproxy h7 -cli {
send "del ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
expect ~ "Entry.*deleted in crtlist"
send "show ssl ocsp-updates"
expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
send "show ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
expect ~ ".* Cert Status: good.*"
}
# Add the previously removed crt-list line with auto-update enabled and check that
# the ocsp response appears in the auto update list
shell {
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h7/stats" - | grep "Inserting certificate.*in crt-list"
}
haproxy h7 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
}
# Check that the auto update option consistency check work even when crt-list
# lines are added through the cli
shell {
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h7/stats" - | grep "Incompatibilities found in OCSP update mode for certificate"
}
haproxy h7 -wait
####################
# #
# EIGTH TEST CASE #
# #
####################
#
# Check that a certificate created through the CLI and which does not have ocsp
# update enabled can be updated via "update ssl ocsp-response" command.
#
process p8 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start
barrier b8 cond 2 -cyclic
syslog Syslog_h8 -level info {
recv
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
barrier b8 sync
} -start
haproxy h8 -conf {
global
tune.ssl.default-dh-param 2048
@ -769,58 +672,152 @@ haproxy h8 -conf {
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
listen http_rebound_lst
mode http
bind "127.0.0.1:12345"
server s1 "127.0.0.1:12346"
} -start
# Check that the two certificates are taken into account in the auto update process
haproxy h8 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*"
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
}
# Remove the second line from the crt-list and check that the corresponding
# ocsp response was removed from the auto update list but is still present in the
# system
haproxy h8 -cli {
send "del ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
expect ~ "Entry.*deleted in crtlist"
send "show ssl ocsp-updates"
expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
send "show ssl ocsp-response"
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
send "show ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
expect ~ ".* Cert Status: good.*"
}
# Add the previously removed crt-list line with auto-update enabled and check that
# the ocsp response appears in the auto update list
shell {
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list"
}
haproxy h8 -cli {
send "show ssl ocsp-updates"
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
}
# Check that the auto update option consistency check work even when crt-list
# lines are added through the cli
shell {
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "Incompatibilities found in OCSP update mode for certificate"
}
haproxy h8 -wait
####################
# #
# NINTH TEST CASE #
# #
####################
#
# Check that a certificate created through the CLI and which does not have ocsp
# update enabled can be updated via "update ssl ocsp-response" command.
#
process p9 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start
barrier b9 cond 2 -cyclic
syslog Syslog_h9 -level info {
recv
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
barrier b9 sync
} -start
haproxy h9 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h9/stats" level admin
crt-base ${testdir}/ocsp_update
defaults
mode http
option httplog
log stderr local0 debug err
option logasap
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend ssl-fe
bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
http-request return status 200
listen http_rebound_lst
mode http
option httplog
log ${Syslog_h8_addr}:${Syslog_h8_port} local0
log ${Syslog_h9_addr}:${Syslog_h9_port} local0
bind "127.0.0.1:12345"
server s1 "127.0.0.1:12346"
} -start
# We need to "enable" the cli with a first cli call before using it only through socats
haproxy h8 -cli {
haproxy h9 -cli {
send "show ssl cert"
expect ~ ""
}
# Create a new certificate and add it in the crt-list with ocsp auto-update enabled
shell {
echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" -
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h8/stats" -
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h8/stats" -
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(base64 -w 1000 ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h8/stats" -
echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" -
echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" -
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" -
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(base64 -w 1000 ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" -
echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h8/stats" -
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" -
}
# Check that the line is in the crt-list
haproxy h8 -cli {
haproxy h9 -cli {
send "show ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list"
expect ~ "${testdir}/ocsp_update/rsa.pem .* foo.bar"
}
# Check that the new certificate is NOT in the auto update list
haproxy h8 -cli {
haproxy h9 -cli {
send "show ssl ocsp-updates"
expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015.*"
}
shell {
echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" -
echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" -
}
shell "sleep 1"
barrier b8 sync
barrier b9 sync
haproxy h8 -cli {
haproxy h9 -cli {
send "show ssl ocsp-response ${testdir}/ocsp_update/rsa.pem"
expect ~ ".* Cert Status: revoked.*"
}
haproxy h8 -wait
process p8 -wait
haproxy h9 -wait
process p9 -wait