---
reg-tests/checks/tcp-check-client-hello.vtc | 81 +++++++++++++++++++++
1 file changed, 81 insertions(+)
create mode 100644 reg-tests/checks/tcp-check-client-hello.vtc
diff --git a/reg-tests/checks/tcp-check-client-hello.vtc
b/reg-tests/checks/tcp-check-client-hello.vtc
new file mode 100644
index 000000000..eccbb40d9
--- /dev/null
+++ b/reg-tests/checks/tcp-check-client-hello.vtc
@@ -0,0 +1,81 @@
+#REGTEST_TYPE=devel
+#EXCLUDE_TARGETS=osx,generic
+
+varnishtest "Health checks: test enhanced observability of TLS ClientHello"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) &&
!ssllib_name_startswith(wolfSSL) && !ssllib_name_startswith(LibreSSL) &&
openssl_version_atleast(1.1.1)'"
+feature ignore_unknown_macro
+
+syslog S_ok -level notice {
+ recv
+ expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv
succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status:
1/1 UP."
+ recv
+ expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv
succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status:
1/1 UP."
+ recv
+ expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Health check for server be[0-9]+/srv
succeeded, reason: Layer6 check passed.+check duration: [[:digit:]]+ms, status:
1/1 UP."
+} -start
+
+haproxy htst -conf {
+ global
+ ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
+
+ defaults
+ log global
+ option tcplog
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ listen li1
+ mode tcp
+ bind "fd@${li1}"
+ tcp-request inspect-delay 100ms
+
+ acl check_sig_algs req.ssl_sigalgs,be2hex(:,2),lower -m found
+ acl check_key_shares req.ssl_keyshare_groups,be2hex(:,2),lower -m found
+ tcp-request content accept if check_sig_algs
+ tcp-request content accept if check_key_shares
+
+ # Refer to https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8
&& https://tls13.xargs.org/#client-hello/annotated to get the binary values
+ use-server fe3 if { req.ssl_cipherlist,be2hex(:,2),lower -m sub
1302:1303:1301:009f } || { req.ssl_supported_groups, be2hex(:,2),lower -m sub
001d }
+ server fe3 ${htst_fe3_addr}:${htst_fe3_port}
+
+ use-server fe1 if { req.ssl_supported_groups, be2hex(:,2),lower -m sub
0017 }
+ server fe1 ${htst_fe1_addr}:${htst_fe1_port}
+
+ frontend fe1
+ bind "fd@${fe1}" ssl crt ${testdir}/common.pem curves P-256:P-384
+
+ frontend fe3
+ bind "fd@${fe3}" ssl crt ${testdir}/common.pem
+} -start
+
+haproxy h1 -conf {
+ defaults
+ mode tcp
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ backend be1
+ mode tcp
+ log ${S_ok_addr}:${S_ok_port} daemon
+ option log-health-checks
+ option tcp-check
+ server srv ${htst_li1_addr}:${htst_li1_port} check inter 1s rise 1
fall 1 check-ssl verify none curves X25519
+
+ backend be2
+ mode tcp
+ log ${S_ok_addr}:${S_ok_port} daemon
+ option log-health-checks
+ option tcp-check
+ server srv ${htst_li1_addr}:${htst_li1_port} check inter 1s rise 1
fall 1 check-ssl verify none curves P-256:P-384
+
+ backend be3
+ mode tcp
+ log ${S_ok_addr}:${S_ok_port} daemon
+ option log-health-checks
+ option tcp-check
+ server srv ${htst_li1_addr}:${htst_li1_port} check inter 1s rise 1
fall 1 check-ssl verify none ciphers ECDHE-RSA-AES256-GCM-SHA384
+} -start
+
+syslog S_ok -wait
--
2.39.3 (Apple Git-145)
