haproxy/reg-tests/ssl/ocsp_compat_check.vtc
Christopher Faulet 2808e3577f REGTESTS: Explicitly allow failing shell commands in some scripts
Vtest2, which should replace Vtest in a few months, will reject any failing
commands in shell blocks. However, some scripts execute commands while
expecting an error, so that they can parse the error output. So, now use "set
+e" in those scripts to explicitly state that failing commands are expected.

It is just used for non-final commands. At the end, the shell block must
still report a success.
2025-05-26 19:00:00 +02:00


#REGTEST_TYPE=devel
# broken with BoringSSL.
#
# This reg-test tries loading multiple configurations that make use of the
# 'ocsp-update' crt-list option and the global 'ocsp-update.mode'
# option. It ensures that an error message is raised when the user provides an
# incoherent configuration. Any configuration in which a given certificate has
# the ocsp auto update mode set to 'on' as well as 'off' simultaneously should
# raise an ALERT type message and not start.
# The first batch of configurations should all raise errors and the second
# batch should all load properly. We do not focus on the actual auto update in
# this reg-test though so no actual proxy instance will be launched.
varnishtest "Test the OCSP auto update feature"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev0)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(BoringSSL) && openssl_version_atleast(1.1.1)'"
feature ignore_unknown_macro
#############################
# #
# WRONG CONFIGURATIONS #
# #
#############################
# test1
# global_option OFF
# bind line DFLT (OFF) (first)
# crt-list ON (second)
shell {
# crt-list entry: the certificate explicitly asks for 'ocsp-update on'.
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
# Configuration under test: no global 'ocsp-update.mode' (commented out),
# a plain 'crt' first on the bind line (default mode) and the crt-list
# second, naming the same certificate with a different mode.
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode on
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status.
echo "==== test 1"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# The status of this last statement is the status of the shell block:
# pass only when the config is rejected AND the message names the
# conflicting 'ocsp-update' parameter.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi
}
# test2
# global_option ON
# bind line DFLT/ON (first)
# crt-list OFF (second)
shell {
# crt-list entry: the certificate explicitly asks for 'ocsp-update off'.
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
# Configuration under test: global mode 'on', a plain 'crt' first on the
# bind line (inherits the global 'on') and the crt-list second asking
# for 'off' for the same certificate.
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status.
echo "==== test 2"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# Block status: rejected config AND the expected conflict message.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi
}
# test3
# global_option OFF
# bind line DFLT/OFF(first)
# crt-list ON (second)
shell {
# crt-list entry: the certificate explicitly asks for 'ocsp-update on'.
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
# Configuration under test: global mode 'off', a plain 'crt' first on the
# bind line (inherits the global 'off') and the crt-list second asking
# for 'on' for the same certificate.
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt server_ocsp_ecdsa.pem crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status.
echo "==== test 3"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# Block status: rejected config AND the expected conflict message.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi
}
# test4
# global_option OFF
# bind line DFLT OFF (second)
# crt-list ON (first)
shell {
# crt-list entry: the certificate explicitly asks for 'ocsp-update on'.
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
# Configuration under test: no global mode (commented out); the crt-list
# comes first on its own bind line, then a second bind line loads the
# same certificate with a plain 'crt' (default mode).
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status.
echo "==== test 4"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# Block status: rejected config AND the expected conflict message.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi
}
# test5
# global_option ON
# bind line DFLT (second)
# crt-list OFF (first)
shell {
# crt-list entry: the certificate explicitly asks for 'ocsp-update off'.
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
# Configuration under test: global mode 'on'; the crt-list ('off') comes
# first on its own bind line, then a second bind line loads the same
# certificate with a plain 'crt' (default, i.e. the global 'on').
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status.
echo "==== test 5"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# Block status: rejected config AND the expected conflict message.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi
}
# test6
# global_option OFF
# bind line DFLT (second)
# crt-list ON (first)
shell {
# crt-list entry: the certificate explicitly asks for 'ocsp-update on'.
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
# Configuration under test: global mode 'off'; the crt-list ('on') comes
# first on its own bind line, then a second bind line loads the same
# certificate with a plain 'crt' (default, i.e. the global 'off').
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
bind "${tmpdir}/ssl2.sock" ssl crt server_ocsp_ecdsa.pem
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status.
echo "==== test 6"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# Block status: rejected config AND the expected conflict message.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi
}
# test7
# global_option DFLT
# bind line -
# crt-list ON
# crt-list DFLT
shell {
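# crt-list: the same certificate is listed twice, first with an explicit
# 'ocsp-update on', then without any option (default mode).
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
server_ocsp_ecdsa.pem bar.com
EOF
# Configuration under test: no global mode (commented out), a single bind
# line that only uses the crt-list above.
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status. The return-code line was
# missing only in this test; it is printed here like in every other test
# so a failing run can be diagnosed the same way.
echo "==== test 7"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# The status of this last statement is the status of the shell block:
# pass only when the config is rejected AND the message names the
# conflicting 'ocsp-update' parameter.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi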
}
# test8
# global_option DFLT
# bind line -
# crt-list DFLT
# crt-list ON
shell {
# crt-list: the same certificate is listed twice, first without any option
# (default mode), then with an explicit 'ocsp-update on'.
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem bar.com
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
# Configuration under test: no global mode (commented out), a single bind
# line that only uses the crt-list above.
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
# ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status.
echo "==== test 8"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# Block status: rejected config AND the expected conflict message.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi
}
# test9
# global_option ON
# bind line -
# crt-list OFF
# crt-list DFLT
shell {
# crt-list: the same certificate is listed twice, first with an explicit
# 'ocsp-update off', then without any option (default mode).
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
server_ocsp_ecdsa.pem bar.com
EOF
# Configuration under test: global mode 'on', a single bind line that only
# uses the crt-list above.
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status.
echo "==== test 9"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# Block status: rejected config AND the expected conflict message.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi
}
# test10
# global_option ON
# bind line -
# crt-list DFLT
# crt-list OFF
shell {
# crt-list: the same certificate is listed twice, first without any option
# (default mode), then with an explicit 'ocsp-update off'.
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem bar.com
server_ocsp_ecdsa.pem [ocsp-update off] foo.com
EOF
# Configuration under test: global mode 'on', a single bind line that only
# uses the crt-list above.
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode on
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status.
echo "==== test 10"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# Block status: rejected config AND the expected conflict message.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi
}
# test11
# global_option OFF
# bind line -
# crt-list ON
# crt-list DFLT
shell {
# crt-list: the same certificate is listed twice, first with an explicit
# 'ocsp-update on', then without any option (default mode).
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
server_ocsp_ecdsa.pem bar.com
EOF
# Configuration under test: global mode 'off', a single bind line that
# only uses the crt-list above.
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status.
echo "==== test 11"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# Block status: rejected config AND the expected conflict message.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi
}
# test12
# global_option OFF
# bind line -
# crt-list DFLT
# crt-list ON
shell {
# crt-list: the same certificate is listed twice, first without any option
# (default mode), then with an explicit 'ocsp-update on'.
cat > ${tmpdir}/ocsp_compat_check.list << EOF
server_ocsp_ecdsa.pem bar.com
server_ocsp_ecdsa.pem [ocsp-update on] foo.com
EOF
# Configuration under test: global mode 'off', a single bind line that
# only uses the crt-list above.
cat > ${tmpdir}/ocsp_compat_check.cfg << EOF
global
crt-base ${testdir}/ocsp_update/multicert
ocsp-update.mode off
defaults
log stderr local0 debug err
listen ssl-lst
bind "${tmpdir}/ssl.sock" ssl crt-list ${tmpdir}/ocsp_compat_check.list
server s1 127.0.0.1:80
EOF
# The config check is expected to fail: lift errexit so the non-zero
# status lands in haproxy_ret instead of aborting the block.
set +e
haproxy_output=$($HAPROXY_PROGRAM -f ${tmpdir}/ocsp_compat_check.cfg -c 2>&1)
haproxy_ret=$?
# Echo what the checker said and its status.
echo "==== test 12"
echo "$haproxy_output"
echo "HAProxy return code: $haproxy_ret"
# Block status: rejected config AND the expected conflict message.
if [ "$haproxy_ret" -ne 0 ]; then
  echo "$haproxy_output" | grep -q "different parameter 'ocsp-update'"
else
  false
fi
}