Improve TLS integration tests

integration/consul_test.go

@@ -591,7 +591,7 @@ func (s *ConsulSuite) TestSNIDynamicTlsConfig(c *check.C) {
 	req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
 
-	err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
+	err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
 	c.Assert(err, checker.IsNil)
 
 	// now we configure the second keypair in consul and the request for host "snitest.org" will use the second keypair
@@ -613,6 +613,6 @@ func (s *ConsulSuite) TestSNIDynamicTlsConfig(c *check.C) {
 	req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
 
-	err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("snitest.org"))
+	err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName))
 	c.Assert(err, checker.IsNil)
 }

integration/etcd3_test.go

@@ -538,7 +538,7 @@ func (s *Etcd3Suite) TestSNIDynamicTlsConfig(c *check.C) {
 	req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
 
-	err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
+	err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
 	c.Assert(err, checker.IsNil)
 
 	// now we configure the second keypair in etcd and the request for host "snitest.org" will use the second keypair
@@ -561,7 +561,7 @@ func (s *Etcd3Suite) TestSNIDynamicTlsConfig(c *check.C) {
 	req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
 
-	err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("snitest.org"))
+	err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName))
 	c.Assert(err, checker.IsNil)
 }
 
@@ -639,7 +639,7 @@ func (s *Etcd3Suite) TestDeleteSNIDynamicTlsConfig(c *check.C) {
 	req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
 
-	err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
+	err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
 	c.Assert(err, checker.IsNil)
 
 	// now we delete the tls cert/key pairs,so the endpoint show use default cert/key pair

integration/etcd_test.go

@@ -554,7 +554,7 @@ func (s *EtcdSuite) TestSNIDynamicTlsConfig(c *check.C) {
 	req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
 
-	err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn("snitest.com"))
+	err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName))
 	c.Assert(err, checker.IsNil)
 
 	// now we configure the second keypair in etcd and the request for host "snitest.org" will use the second keypair
@@ -577,6 +577,6 @@ func (s *EtcdSuite) TestSNIDynamicTlsConfig(c *check.C) {
 	req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
 
-	err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("snitest.org"))
+	err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName))
 	c.Assert(err, checker.IsNil)
 }

integration/https_test.go

@@ -3,7 +3,6 @@ package integration
 import (
 	"bytes"
 	"crypto/tls"
-	"fmt"
 	"net"
 	"net/http"
 	"net/http/httptest"
@@ -66,7 +65,7 @@ func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
 	defer cmd.Process.Kill()
 
 	// wait for Traefik
-	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 500*time.Millisecond, try.BodyContains("Host:snitest.org"))
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers", 1*time.Second, try.BodyContains("Host:snitest.org"))
 	c.Assert(err, checker.IsNil)
 
 	backend1 := startTestServer("9010", http.StatusNoContent)
@@ -92,27 +91,23 @@ func (s *HTTPSSuite) TestWithSNIConfigRoute(c *check.C) {
 		},
 	}
 
-	client := &http.Client{Transport: tr1}
 	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
 	c.Assert(err, checker.IsNil)
-	req.Host = "snitest.com"
-	req.Header.Set("Host", "snitest.com")
+	req.Host = tr1.TLSClientConfig.ServerName
+	req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
-	resp, err := client.Do(req)
-	c.Assert(err, checker.IsNil)
-	// Expected a 204 (from backend1)
-	c.Assert(resp.StatusCode, checker.Equals, http.StatusNoContent)
 
-	client = &http.Client{Transport: tr2}
+	err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusNoContent))
+	c.Assert(err, checker.IsNil)
+
 	req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
 	c.Assert(err, checker.IsNil)
-	req.Host = "snitest.org"
-	req.Header.Set("Host", "snitest.org")
+	req.Host = tr2.TLSClientConfig.ServerName
+	req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
-	resp, err = client.Do(req)
+
+	err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusResetContent))
 	c.Assert(err, checker.IsNil)
-	// Expected a 205 (from backend2)
-	c.Assert(resp.StatusCode, checker.Equals, http.StatusResetContent)
 }
 
 // TestWithSNIStrictNotMatchedRequest involves a client sending a SNI hostname of
@@ -561,28 +556,25 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithNoChange(c *check.C) {
 	err = try.GetRequest(backend2.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusResetContent))
 	c.Assert(err, checker.IsNil)
 
-	client := &http.Client{Transport: tr1}
 	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = tr1.TLSClientConfig.ServerName
 	req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
-	resp, err := client.Do(req)
-	c.Assert(err, checker.IsNil)
-	// snitest.org certificate must be used yet
-	c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, check.Equals, tr1.TLSClientConfig.ServerName)
-	// Expected a 204 (from backend1)
-	c.Assert(resp.StatusCode, checker.Equals, http.StatusResetContent)
 
-	client = &http.Client{Transport: tr2}
+	// snitest.org certificate must be used yet && Expected a 204 (from backend1)
+	err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusResetContent))
+	c.Assert(err, checker.IsNil)
+
+	req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
+	c.Assert(err, checker.IsNil)
 	req.Host = tr2.TLSClientConfig.ServerName
 	req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
-	resp, err = client.Do(req)
+	req.Header.Set("Accept", "*/*")
+
+	// snitest.com certificate does not exist, default certificate has to be used && Expected a 205 (from backend2)
+	err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), try.StatusCodeIs(http.StatusNoContent))
 	c.Assert(err, checker.IsNil)
-	// snitest.com certificate does not exist, default certificate has to be used
-	c.Assert(resp.TLS.PeerCertificates[0].Subject.CommonName, checker.Not(check.Equals), tr2.TLSClientConfig.ServerName)
-	// Expected a 205 (from backend2)
-	c.Assert(resp.StatusCode, checker.Equals, http.StatusNoContent)
 }
 
 // TestWithSNIDynamicConfigRouteWithChange involves a client sending HTTPS requests with
@@ -633,57 +625,26 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithChange(c *check.C) {
 	err = try.GetRequest(backend2.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusResetContent))
 	c.Assert(err, checker.IsNil)
 
+	// Change certificates configuration file content
+	modifyCertificateConfFileContent(c, tr1.TLSClientConfig.ServerName, dynamicConfFileName, "https")
+
 	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
-	client := &http.Client{Transport: tr1}
+	c.Assert(err, checker.IsNil)
 	req.Host = tr1.TLSClientConfig.ServerName
 	req.Header.Set("Host", tr1.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
 
-	// Change certificates configuration file content
-	modifyCertificateConfFileContent(c, tr1.TLSClientConfig.ServerName, dynamicConfFileName, "https")
-	var resp *http.Response
-	err = try.Do(30*time.Second, func() error {
-		resp, err = client.Do(req)
-
-		// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
-		req.Close = true
-
-		if err != nil {
-			return err
-		}
-
-		cn := resp.TLS.PeerCertificates[0].Subject.CommonName
-		if cn != tr1.TLSClientConfig.ServerName {
-			return fmt.Errorf("domain %s found in place of %s", cn, tr1.TLSClientConfig.ServerName)
-		}
-
-		return nil
-	})
+	err = try.RequestWithTransport(req, 30*time.Second, tr1, try.HasCn(tr1.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusNotFound))
+	c.Assert(err, checker.IsNil)
+
+	req, err = http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
-	client = &http.Client{Transport: tr2}
 	req.Host = tr2.TLSClientConfig.ServerName
 	req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
+	req.Header.Set("Accept", "*/*")
 
-	err = try.Do(60*time.Second, func() error {
-		resp, err = client.Do(req)
-
-		// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
-		req.Close = true
-
-		if err != nil {
-			return err
-		}
-
-		cn := resp.TLS.PeerCertificates[0].Subject.CommonName
-		if cn == tr2.TLSClientConfig.ServerName {
-			return fmt.Errorf("domain %s found in place of default one", tr2.TLSClientConfig.ServerName)
-		}
-
-		return nil
-	})
+	err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
 }
 
 // TestWithSNIDynamicConfigRouteWithTlsConfigurationDeletion involves a client sending HTTPS requests with
@@ -725,53 +686,19 @@ func (s *HTTPSSuite) TestWithSNIDynamicConfigRouteWithTlsConfigurationDeletion(c
 	c.Assert(err, checker.IsNil)
 
 	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:4443/", nil)
-	client := &http.Client{Transport: tr2}
+	c.Assert(err, checker.IsNil)
 	req.Host = tr2.TLSClientConfig.ServerName
 	req.Header.Set("Host", tr2.TLSClientConfig.ServerName)
 	req.Header.Set("Accept", "*/*")
 
-	var resp *http.Response
-	err = try.Do(30*time.Second, func() error {
-		resp, err = client.Do(req)
-
-		// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
-		req.Close = true
-
-		if err != nil {
-			return err
-		}
-
-		cn := resp.TLS.PeerCertificates[0].Subject.CommonName
-		if cn != tr2.TLSClientConfig.ServerName {
-			return fmt.Errorf("domain %s found in place of %s", cn, tr2.TLSClientConfig.ServerName)
-		}
-
-		return nil
-	})
+	err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn(tr2.TLSClientConfig.ServerName), try.StatusCodeIs(http.StatusResetContent))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, http.StatusResetContent)
+
 	// Change certificates configuration file content
 	modifyCertificateConfFileContent(c, "", dynamicConfFileName, "https02")
 
-	err = try.Do(60*time.Second, func() error {
-		resp, err = client.Do(req)
-
-		// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
-		req.Close = true
-
-		if err != nil {
-			return err
-		}
-
-		cn := resp.TLS.PeerCertificates[0].Subject.CommonName
-		if cn == tr2.TLSClientConfig.ServerName {
-			return fmt.Errorf("domain %s found instead of the default one", tr2.TLSClientConfig.ServerName)
-		}
-
-		return nil
-	})
+	err = try.RequestWithTransport(req, 30*time.Second, tr2, try.HasCn("TRAEFIK DEFAULT CERT"), try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
-	c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
 }
 
 // modifyCertificateConfFileContent replaces the content of a HTTPS configuration file.