REGTEST: add new reg-test for the 4 new clienthello fetches

Add a reg-test which uses the 4 fetches: - req.ssl_cipherlist - req.ssl_sigalgs - req.ssl_keyshare_groups - req.ssl_supported_groups
2025-04-16 08:36:08 -05:00 · 2025-04-16 08:36:08 -05:00 · 9a8c4df45d
commit 9a8c4df45d
parent fa063a9e77
1 changed files with 79 additions and 0 deletions
--- a/reg-tests/checks/tcp-check-client-hello.vtc
+++ b/reg-tests/checks/tcp-check-client-hello.vtc
@ -0,0 +1,79 @@
+#REGTEST_TYPE=devel
+#EXCLUDE_TARGETS=osx,generic
+
+varnishtest "Health checks: test enhanced observability of TLS ClientHello"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && !ssllib_name_startswith(wolfSSL) && !ssllib_name_startswith(LibreSSL) && openssl_version_atleast(1.1.1)'"
+feature ignore_unknown_macro
+
+syslog S_ok -level notice {
+    recv
+    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
+    recv
+    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
+    recv
+    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status: 1/1 UP."
+} -start
+
+haproxy htst -conf {
+    global
+        ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
+
+    defaults
+        timeout  client "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout  server "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout  connect "${HAPROXY_TEST_TIMEOUT-5s}"
+
+    listen li1
+       mode tcp
+       bind "fd@${li1}"
+       tcp-request inspect-delay 100ms
+
+       acl check_sig_algs req.ssl_sigalgs,be2hex(:,2),lower -m found
+       acl check_key_shares req.ssl_keyshare_groups,be2hex(:,2),lower -m found
+       tcp-request content accept if check_sig_algs
+       tcp-request content accept if check_key_shares
+
+       # Refer to https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8 && https://tls13.xargs.org/#client-hello/annotated to get the binary values
+       use-server fe3 if { req.ssl_cipherlist,be2hex(:,2),lower -m sub 1302:1303:1301:009f } || { req.ssl_supported_groups, be2hex(:,2),lower -m sub 001d }
+       server fe3  ${htst_fe3_addr}:${htst_fe3_port}
+
+       use-server fe1 if { req.ssl_supported_groups, be2hex(:,2),lower -m sub 0017 }
+       server fe1 ${htst_fe1_addr}:${htst_fe1_port}
+
+    frontend fe1
+        bind "fd@${fe1}" ssl crt ${testdir}/common.pem curves P-256:P-384
+
+    frontend fe3
+        bind "fd@${fe3}" ssl crt ${testdir}/common.pem
+} -start
+
+haproxy h1 -conf {
+    defaults
+        mode tcp
+        timeout  client "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout  server "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+
+    backend be1
+        mode tcp
+        log ${S_ok_addr}:${S_ok_port} daemon
+        option log-health-checks
+        option tcp-check
+        server srv ${htst_li1_addr}:${htst_li1_port}  check inter 1s rise 1 fall 1 check-ssl verify none curves X25519
+
+    backend be2
+        mode tcp
+        log ${S_ok_addr}:${S_ok_port} daemon
+        option log-health-checks
+        option tcp-check
+        server srv ${htst_li1_addr}:${htst_li1_port}  check inter 1s rise 1 fall 1 check-ssl verify none curves P-256:P-384
+
+    backend be3
+        mode tcp
+        log ${S_ok_addr}:${S_ok_port} daemon
+        option log-health-checks
+        option tcp-check
+        server srv ${htst_li1_addr}:${htst_li1_port}  check inter 1s rise 1 fall 1 check-ssl verify none ciphers ECDHE-RSA-AES256-GCM-SHA384
+} -start
+
+syslog S_ok -wait