rapid-cdn: Implement expert SSL downgrade

expert-backend-allow-downgrade-ssl allows to configure each node to downgrade
SSL negotiation with the backends to insecure, OpenSSL 1 style, ciphers and
algorithms.

It's implemented only per node as it shall be only used in some specific
circumstances and the cluster default (by default) is false. Such separation
allows to setup each node independently, as it requires node restart.

backend-haproxy is hashing backend-haproxy-wrapper:output in order to be
reactive on applied change to the configuration; this will result with node
restart after the configuration.

Note that the special test backend has been moved to different file in order
to start it with subprocess with altered environment; using multiprocessing
with spawn context didn't worked out, as it altered test process and thus
supervisord environment.

software/rapid-cdn/README.rst

@@ -27,6 +27,7 @@ These parameters are:
     * ``disk-cache-size``
     * ``enable-http3``
     * ``http3-port``
+    * ``expert-backend-allow-downgrade-ssl``
   * ``-sla-i-foo`` : where "i" is the number of the concerned frontend (between 1 and "-frontend-quantity") and "foo" a sla parameter.
 
 For example::

software/rapid-cdn/buildout.hash.cfg

@@ -14,7 +14,7 @@
 # not need these here).
 [template]
 filename = instance.cfg.in
-md5sum = 1714aa40cffc3b26b672e534ef90894b
+md5sum = af3668cbfd2991fff846f3e96efcd711
 
 [profile-common]
 filename = instance-common.cfg.in
@@ -22,11 +22,11 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68
 
 [profile-frontend]
 filename = instance-frontend.cfg.in
-md5sum = 081aef1b071585e5f334a93d6d4969d0
+md5sum = 4a53b09ba4cbf15e32a5088cc81db5ea
 
 [profile-master]
 filename = instance-master.cfg.in
-md5sum = 5ded3544de312750d0ae06fdb3a436c9
+md5sum = 653e8249ee71c3fa71b172fa3d2a4207
 
 [profile-slave-list]
 filename = instance-slave-list.cfg.in
@@ -119,3 +119,7 @@ md5sum = b79addf01b6fb93c2f3d018e83eff766
 [template-expose-csr-nginx-conf]
 _update_hash_filename_ = templates/expose-csr-nginx.conf.in
 md5sum = 5620baa8819fcc8340fa6777ee551a1a
+
+[template-backend-openssl-ssl-downgrade]
+_update_hash_filename_ = templates/backend-openssl-ssl-downgrade.cnf
+md5sum = ae9d1a46301f6e3dd9cd7dc710cee6be

software/rapid-cdn/instance-frontend.cfg.in

@@ -263,6 +263,7 @@ template-frontend-haproxy-rsyslogd-conf = {{ software_parameter_dict['template_f
 template-backend-haproxy-configuration = {{ software_parameter_dict['template_backend_haproxy_configuration'] }}
 template-backend-haproxy-rsyslogd-conf = {{ software_parameter_dict['template_backend_haproxy_rsyslogd_conf'] }}
 template-expose-csr-nginx-conf = {{ software_parameter_dict['template_expose_csr_nginx_conf'] }}
+template-backend-openssl-ssl-downgrade = {{ software_parameter_dict['template_backend_openssl_ssl_downgrade'] }}
 
 [kedifa-login-config]
 d = ${directory:ca-dir}
@@ -841,10 +842,22 @@ extra-context =
     key wait_time :wait_time
     key lazy_command frontend-haproxy-rsyslogd-config:graceful-command
 
+[backend-haproxy-wrapper]
+recipe = slapos.recipe.template:jinja2
+output = ${directory:bin}/${:_buildout_section_name_}
+backend-haproxy = {{ BACKEND_HAPROXY_EXECUTABLE }}
+inline =
+  #!/bin/bash
+{%- if instance_parameter_dict.get('configuration.expert-backend-allow-downgrade-ssl', 'false').lower() in TRUE_VALUES %}
+  export OPENSSL_CONF=${software-release-path:template-backend-openssl-ssl-downgrade}
+{%- endif %}
+  exec ${:backend-haproxy} -f ${backend-haproxy-configuration:file} "$@"
+
 [backend-haproxy]
 recipe = slapos.cookbook:wrapper
-command-line = {{ BACKEND_HAPROXY_EXECUTABLE }} -f ${backend-haproxy-configuration:file}
+command-line = ${backend-haproxy-wrapper:output}
 wrapper-path = ${directory:service}/backend-haproxy
+hash-files = ${backend-haproxy-wrapper:output}
 hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
 
 [backend-haproxy-rsyslogd-lazy-graceful]

software/rapid-cdn/instance-master.cfg.in

@@ -40,6 +40,7 @@
         'ciphers',
         'request-timeout',
         'authenticate-to-backend',
+        'expert-backend-allow-downgrade-ssl',
     ]
 %}
 {#- SlapOS Master (but not slapproxy!) merges slave's instance and connection parameters, so the slave information passed to nodes have to be limited only to instance related keys #}

software/rapid-cdn/instance.cfg.in

@@ -109,3 +109,4 @@ configuration.backend-haproxy-statistic-port = 21444
 configuration.authenticate-to-backend = False
 configuration.rotate-num = 4000
 configuration.slave-introspection-https-port = 22443
+configuration.expert-backend-allow-downgrade-ssl = false

software/rapid-cdn/software.cfg

@@ -100,6 +100,7 @@ template_trafficserver_storage_config = ${template-trafficserver-storage-config:
 template_validate_script = ${template-validate-script:target}
 template_wrapper = ${template-wrapper:output}
 template_expose_csr_nginx_conf = ${template-expose-csr-nginx-conf:target}
+template_backend_openssl_ssl_downgrade = ${template-backend-openssl-ssl-downgrade:target}
 
 # directories
 bin_directory = ${buildout:bin-directory}
@@ -213,6 +214,9 @@ output = ${buildout:directory}/template-wrapper.cfg
 [template-frontend-haproxy-rsyslogd-conf]
 <=download-template
 
+[template-backend-openssl-ssl-downgrade]
+<=download-template
+
 [versions]
 kedifa = 0.0.7
 # Modern KeDiFa requires zc.lockfile

software/rapid-cdn/test/backend.py

+##############################################################################
+#
+# Copyright (c) 2025 Nexedi SA and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly advised to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+
+from http.server import BaseHTTPRequestHandler
+from http.server import HTTPServer
+from socketserver import ThreadingMixIn
+import base64
+import gzip
+import io
+import json
+import logging
+import os
+import random
+import ssl
+import string
+import sys
+import time
+
+
+class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
+  pass
+
+
+class TestHandler(BaseHTTPRequestHandler):
+  identification = None
+  configuration = {}
+  # override Server header response
+  server_version = "TestBackend"
+  sys_version = ""
+
+  log_message = logging.getLogger(__name__ + '.TestHandler').info
+
+  def do_DELETE(self):
+    config = self.configuration.pop(self.path, None)
+    if config is None:
+      self.send_response(204)
+      self.end_headers()
+    else:
+      self.send_response(200)
+      self.send_header("Content-Type", "application/json")
+      self.end_headers()
+      self.wfile.write(json.dumps({self.path: config}, indent=2))
+
+  def do_PUT(self):
+    incoming_config = {}
+    for key, value in list(self.headers.items()):
+      if key.startswith('X-'):
+        incoming_config[key] = value
+    config = {
+      'status_code': incoming_config.pop('X-Reply-Status-Code', '200')
+    }
+    prefix = 'X-Reply-Header-'
+    length = len(prefix)
+    for key in list(incoming_config.keys()):
+      if key.startswith(prefix):
+        header = '-'.join([q.capitalize() for q in key[length:].split('-')])
+        config[header] = incoming_config.pop(key)
+
+    if 'X-Reply-Body' in incoming_config:
+      config['Body'] = base64.b64decode(
+        incoming_config.pop('X-Reply-Body')).decode()
+
+    config['X-Drop-Header'] = incoming_config.pop('X-Drop-Header', None)
+    self.configuration[self.path] = config
+
+    self.send_response(201)
+    self.send_header("Content-Type", "application/json")
+    self.end_headers()
+    reply = {self.path: config}
+    if incoming_config:
+      reply['unknown_config'] = incoming_config
+    self.wfile.write(json.dumps(reply, indent=2).encode())
+
+  def do_POST(self):
+    return self.do_GET()
+
+  def do_GET(self):
+    config = self.configuration.get(self.path, None)
+    if config is not None:
+      config = config.copy()
+      response = config.pop('Body', None)
+      status_code = int(config.pop('status_code'))
+      timeout = int(config.pop('Timeout', '0'))
+      compress = int(config.pop('Compress', '0'))
+      drop_header_list = []
+      for header in (config.pop('X-Drop-Header') or '').split():
+        drop_header_list.append(header)
+      header_dict = config
+    else:
+      drop_header_list = []
+      for header in (self.headers.get('x-drop-header') or '').split():
+        drop_header_list.append(header)
+      response = None
+      status_code = 200
+      timeout = int(self.headers.get('timeout', '0'))
+      if 'x-maximum-timeout' in self.headers:
+        maximum_timeout = int(self.headers['x-maximum-timeout'])
+        timeout = random.randrange(maximum_timeout)
+      if 'x-response-size' in self.headers:
+        min_response, max_response = [
+          int(q) for q in self.headers['x-response-size'].split(' ')]
+        reponse_size = random.randrange(min_response, max_response)
+        response = ''.join(
+          random.choice(string.lowercase) for x in range(reponse_size))
+      compress = int(self.headers.get('compress', '0'))
+      header_dict = {}
+      prefix = 'x-reply-header-'
+      length = len(prefix)
+      for key, value in list(self.headers.items()):
+        if key.startswith(prefix):
+          header = '-'.join([q.capitalize() for q in key[length:].split('-')])
+          header_dict[header] = value.strip()
+    if response is None:
+      if 'x-reply-body' not in self.headers:
+        headers_dict = dict()
+        for header in list(self.headers.keys()):
+          content = self.headers.get_all(header)
+          if len(content) == 0:
+            headers_dict[header] = None
+          elif len(content) == 1:
+            headers_dict[header] = content[0]
+          else:
+            headers_dict[header] = content
+        response = {
+          'Path': self.path,
+          'Incoming Headers': headers_dict
+        }
+        response = json.dumps(response, indent=2)
+      else:
+        response = base64.b64decode(self.headers['x-reply-body'])
+
+    time.sleep(timeout)
+    self.send_response_only(status_code)
+    self.send_header('Server', self.server_version)
+
+    for key, value in list(header_dict.items()):
+      self.send_header(key, value)
+
+    if self.identification is not None:
+      self.send_header('X-Backend-Identification', self.identification)
+
+    if 'Content-Type' not in drop_header_list:
+      self.send_header("Content-Type", "application/json")
+    if 'Set-Cookie' not in drop_header_list:
+      self.send_header('Set-Cookie', 'secured=value;secure')
+      self.send_header('Set-Cookie', 'nonsecured=value')
+
+    if 'Via' not in drop_header_list:
+      self.send_header('Via', 'http/1.1 backendvia')
+    if compress:
+      self.send_header('Content-Encoding', 'gzip')
+      out = io.BytesIO()
+      # compress with level 0, to find out if in the middle someting would
+      # like to alter the compression
+      with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=0) as f:
+        f.write(response.encode())
+      response = out.getvalue()
+      self.send_header('Backend-Content-Length', len(response))
+    if 'Content-Length' not in drop_header_list:
+      self.send_header('Content-Length', len(response))
+    self.end_headers()
+    if getattr(response, 'encode', None) is not None:
+      response = response.encode()
+    self.wfile.write(response)
+
+
+def server_https_weak_method(ip, port):
+  server_https_weak = ThreadedHTTPServer(
+    (ip, port),
+    TestHandler)
+  context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+  context.load_cert_chain(
+    os.path.join(
+      os.path.dirname(
+        os.path.realpath(__file__)), 'test_data', 'sha1-2048.pem'))
+  server_https_weak.socket = context.wrap_socket(
+    server_https_weak.socket, server_side=True)
+  server_https_weak.serve_forever()
+
+
+if __name__ == '__main__':
+  server_https_weak_method(sys.argv[1], int(sys.argv[2]))

software/rapid-cdn/test/test_data/sha1-2048.pem

+-----BEGIN CERTIFICATE-----
+MIIClzCCAX8CAQEwDQYJKoZIhvcNAQEFBQAwDTELMAkGA1UEAwwCQ0EwIBcNMjUw
+MTMwMTQxMjI4WhgPMzAyNDA2MDIxNDEyMjhaMBQxEjAQBgNVBAMMCXNoYTEtMjA0
+ODCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJzOtJWwtvWCgje14g/4
+swgPXaQkEnbmIhJUeC3h6lsxKuoUn1t7N/AmFSwVy+CUpjbo15JUqtN+gyGZezZH
+u27Q6K5NPLu1GjrJPLXtzQ6dZmWYub5wB5GMLziEQMeGPHC5OihWE2FkszTzDApA
+cr8vO9i6aZPjVobog5D12l1giB1R+n1RgJ0DsCTH7Cr9PaovNZ5uWsNdeZFE75VQ
+weIV/KjNL75TMHUpzSrjUdU0NCjyu6MOEbCpXPsZNb8qwmqUn9ImbTuBvgFotb7U
+GFomukAZGwmSaa9bDBiIah58vCZ3GM5HxBrJj/GFwBSntsWShxAZUvUMvXjb3T1y
+D0cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEASMYlBKwIF1FgkuCH7FqB92x7Qm7O
+yA6SqSwRUqZ0W6OtRr7gyblC0+Q9uqtLOpSo6pLl7/lGS76eioriqbZS7hkV63ot
+kHjaLFCKpvAhbpVyFRDdD6qXqf3rJuvdS8wr4KgRF54vPs7KSv6Z7QUu3TQChP7y
+5eOll5Ug9Bx7biJx5dme+GpswqnRgfHFVehTJ2FALtV2QraU1uzvvghiFhcXRsuZ
+6GMpGWGKTERtRApSHimFvysdwqzN9GQzP+06nXEekNEHReAYYIkrBISE0mnW98ar
+TaCZvYNmzA2jXULFNJh/Igg0PyPjLJr5jv9JD1B5yf5Nl/069H098hTMPg==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCczrSVsLb1goI3
+teIP+LMID12kJBJ25iISVHgt4epbMSrqFJ9bezfwJhUsFcvglKY26NeSVKrTfoMh
+mXs2R7tu0OiuTTy7tRo6yTy17c0OnWZlmLm+cAeRjC84hEDHhjxwuTooVhNhZLM0
+8wwKQHK/LzvYummT41aG6IOQ9dpdYIgdUfp9UYCdA7Akx+wq/T2qLzWeblrDXXmR
+RO+VUMHiFfyozS++UzB1Kc0q41HVNDQo8rujDhGwqVz7GTW/KsJqlJ/SJm07gb4B
+aLW+1BhaJrpAGRsJkmmvWwwYiGoefLwmdxjOR8QayY/xhcAUp7bFkocQGVL1DL14
+2909cg9HAgMBAAECggEAPv+k+cbnmrd2TZ+bVUNb2k8iFgIQEQjgg3DAX9614zFb
+xnPGmmBk1uzV8MJJCM9v//uIMFgn0ZSwZl1dbS9glGMGOJD7Z4aZJSkYZRdHHSoL
+q6GyblpgEA+8IP6xb/f0bG1eejoqyyREA2/qVGwULc9yQd6S8EGTz9u2kBTWSFER
+HG09Hl5HHY19Ad05F9wqpx2nwlo9bUZfdOHWqkaXpp0Gs7FWmSPsC1rSh4nCM1wz
+Jol/9hMSbXQQIgD8p6EaHRY0KYF7mmfoVtmUJdHKanB5Pra44p+FPr2bAsMRo/HS
+Bw4t1p9fZotekizcz7yp47j65SeW1UbaKTLVjQBJYQKBgQDLOHeXUeIzUilrOBxJ
+DZ3yQ/mh2MxNtMbOqy+OPhyREf60CTZpGQ2S8glfkclRjfpDueLfKrxYZn/s0/kJ
+BTZEB/Po3fYVyaLtYhFlMqS69p3JrNPEH6Vtxfawks13qv1MnErwj2dH3RnqHDwg
+6Od2wlb2cWanL2Kn9maYozzpTwKBgQDFiF3r0Se6Yh99YY4cDiJY670QoaiqJHd4
+ShRBvZd17gzFNCb2JXOcn++82royFjNIq5viJvf6WWcBrqtb9Bl2S0pEbDW8lPlo
+vLlZYbd2KP7NTx1dC6PovGMJokGLfzCVn/0DO6gX2DtBcMKGN2xinzJSgnpRa3+o
+zwtSVR6MiQKBgHBrFk0RMQ6u3ta/PXZ0H/HLBKcxpSM/Y9MkA7SuS2M9DydNCVpu
+T4IAfortvO5umgkpJYXKwFIusYmzYUpKJdDQjW8+iklXN9gVrgXLVDFRB8xu3N7b
+msn0/xiCvUL7xg/BTftxePLaLuHBKMoTzSd3LmA6L01A+1RrDCpX8vQlAoGAKC+/
+E9vAXl3aFDMFq1WAzWBgXYLWAo9asuE3T8yXhMmCVZhvmMIzzBiJuH0zRj9X/Z/U
+HeVZq9gGacQ0XofBqlxU5qixIgWY3CMQ/ksv/N0IQZKn4acdmJrC91HITe35X2dm
+HQNFBlzaaUzcdlvONB45Kaob4nahSSGeJwjkJykCgYEAyKIEDfiV33waYa0dvfno
++dqrxDqw5sYHIL9mwo6brt2yFxXa4yJxqc0jUb/9SxduTX6hex6ydtgtibpU34Hb
+Z8wBbyiGx4gaRXxnCQpklhGb5vF65pG4jEqEsoWopvZo/5HDsed1RM+mRIMfmI30
+wX/muwDoq11LDHFNFzW3dyA=
+-----END PRIVATE KEY-----

software/rapid-cdn/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test00file_list_log.txt

@@ -193,6 +193,9 @@ T-2/var/log/httpd/_url-trailing-slash-present_frontend_log
 T-2/var/log/httpd/_url_https-url_access_log
 T-2/var/log/httpd/_url_https-url_backend_log
 T-2/var/log/httpd/_url_https-url_frontend_log
+T-2/var/log/httpd/_weak-ssl-backend_access_log
+T-2/var/log/httpd/_weak-ssl-backend_backend_log
+T-2/var/log/httpd/_weak-ssl-backend_frontend_log
 T-2/var/log/monitor-httpd-access.log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/slave-introspection-access.log

software/rapid-cdn/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestMasterAIKCDisabledAIBCCDisabledRequest.test00supervisor_state.txt

@@ -17,7 +17,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestMasterRequest.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestMasterRequestDomain.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestRe6stVerificationUrlSlave.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestReplicateSlave.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlave.test00file_list_log.txt

@@ -193,6 +193,9 @@ T-2/var/log/httpd/_url-trailing-slash-present_frontend_log
 T-2/var/log/httpd/_url_https-url_access_log
 T-2/var/log/httpd/_url_https-url_backend_log
 T-2/var/log/httpd/_url_https-url_frontend_log
+T-2/var/log/httpd/_weak-ssl-backend_access_log
+T-2/var/log/httpd/_weak-ssl-backend_backend_log
+T-2/var/log/httpd/_weak-ssl-backend_frontend_log
 T-2/var/log/monitor-httpd-access.log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/slave-introspection-access.log

software/rapid-cdn/test/test_data/test.TestSlave.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveCiphers.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveHealthCheck.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveHostHaproxyClash.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveHttp3.test00file_list_log.txt

@@ -193,6 +193,9 @@ T-2/var/log/httpd/_url-trailing-slash-present_frontend_log
 T-2/var/log/httpd/_url_https-url_access_log
 T-2/var/log/httpd/_url_https-url_backend_log
 T-2/var/log/httpd/_url_https-url_frontend_log
+T-2/var/log/httpd/_weak-ssl-backend_access_log
+T-2/var/log/httpd/_weak-ssl-backend_backend_log
+T-2/var/log/httpd/_weak-ssl-backend_frontend_log
 T-2/var/log/monitor-httpd-access.log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/slave-introspection-access.log

software/rapid-cdn/test/test_data/test.TestSlaveHttp3.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED