upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-05-28 04:12:17 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 12
haproxy/reg-tests/checks/tcp-check-client-hello.vtc
Frederic Lecaille 6e94b69665 REGTESTS: ssl: Move all the SSL certificates, keys, crt-lists inside "certs" directory 
Move all these files and others for OCSP tests found into reg-tests/ssl
to reg-test/ssl/certs and adapt all the VTC files which use them.

This patch is needed by other tests which have to include the SSL tests.
Indeed, some VTC commands contain paths to these files which cannot
be customized with environment variables, depending on the location the VTC file
is runi from, because VTC does not resolve the environment variables. Only macros
as ${testdir} can be resolved.

For instance this command run from a VTC file from reg-tests/ssl directory cannot
be reused from another directory, except if we add a symbolic link for each certs,
key etc.

 haproxy h1 -cli {
   send "del ssl crt-list ${testdir}/localhost.crt-list ${testdir}/common.pem:1"
 }

This is not what we want. We add a symbolic link to reg-test/ssl/certs to the
directory and modify the command above as follows:

 haproxy h1 -cli {
   send "del ssl crt-list ${testdir}/certs/localhost.crt-list ${testdir}/certs/common.pem:1"
 }
2025-12-08 10:40:59 +01:00

83 lines
3.2 KiB
Text
Raw Permalink Blame History

#REGTEST_TYPE=devel
#EXCLUDE_TARGETS=osx,generic
varnishtest "Health checks: test enhanced observability of TLS ClientHello"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(wolfSSL) && !ssllib_name_startswith(LibreSSL) && openssl_version_atleast(1.1.1)'"
feature ignore_unknown_macro
syslog S_ok -level notice {
recv
expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
recv
expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
recv
expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
} -start
haproxy htst -conf {
global
.if feature(THREAD)
thread-groups 1
.endif
ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
defaults
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
listen li1
mode tcp
bind "fd@${li1}"
tcp-request inspect-delay 100ms
acl check_sig_algs req.ssl_sigalgs,be2hex(:,2),lower -m found
acl check_key_shares req.ssl_keyshare_groups,be2hex(:,2),lower -m found
tcp-request content accept if check_sig_algs
tcp-request content accept if check_key_shares
# Refer to https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8 && https://tls13.xargs.org/#client-hello/annotated to get the binary values
use-server fe3 if { req.ssl_cipherlist,be2hex(:,2),lower -m sub 1302:1303:1301:009f } || { req.ssl_supported_groups, be2hex(:,2),lower -m sub 001d }
server fe3 ${htst_fe3_addr}:${htst_fe3_port}
use-server fe1 if { req.ssl_supported_groups, be2hex(:,2),lower -m sub 0017 }
server fe1 ${htst_fe1_addr}:${htst_fe1_port}
frontend fe1
bind "fd@${fe1}" ssl crt ${testdir}/certs/common.pem curves P-256:P-384
frontend fe3
bind "fd@${fe3}" ssl crt ${testdir}/certs/common.pem
} -start
haproxy h1 -conf {
defaults
mode tcp
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
backend be1
mode tcp
log ${S_ok_addr}:${S_ok_port} daemon
option log-health-checks
option tcp-check
server srv ${htst_li1_addr}:${htst_li1_port} check inter 1s rise 1 fall 1 check-ssl verify none curves X25519
backend be2
mode tcp
log ${S_ok_addr}:${S_ok_port} daemon
option log-health-checks
option tcp-check
server srv ${htst_li1_addr}:${htst_li1_port} check inter 1s rise 1 fall 1 check-ssl verify none curves P-256:P-384
backend be3
mode tcp
log ${S_ok_addr}:${S_ok_port} daemon
option log-health-checks
option tcp-check
server srv ${htst_li1_addr}:${htst_li1_port} check inter 1s rise 1 fall 1 check-ssl verify none ciphers ECDHE-RSA-AES256-GCM-SHA384
} -start
syslog S_ok -wait
Reference in a new issue View git blame Copy permalink