REGTESTS: ssl: split tls*_reuse in stateless and stateful resume tests

Simplify ssl_reuse.vtci so it can be started with variables:

- SSL_CACHESIZE allows specifying the size of the session cache for
  the frontend
- NO_TLS_TICKETS allows specifying the "no-tls-tickets" option on bind

It introduces these files:

- ssl/tls12_resume_stateful.vtc
- ssl/tls12_resume_stateless.vtc
- ssl/tls13_resume_stateless.vtc
- ssl/tls13_resume_stateful.vtc
- quic/tls13_resume_stateless.vtc
- quic/tls13_resume_stateful.vtc
- quic/tls13_0rtt_stateful.vtc
- quic/tls13_0rtt_stateless.vtc

stateful files have "no-tls-tickets" + tune.tls.cachesize 20000
stateless files have "tls-tickets" + tune.tls.cachesize 0

This allows enabling AWS-LC on TCP TLS1.2 and TCP TLS1.3+tickets.

TLS1.2+stateless does not seem to work on WolfSSL.
William Lallemand 2025-12-04 14:02:01 +01:00
parent c7b5d2552a
commit 85689b072a
12 changed files with 97 additions and 45 deletions

@ -1,14 +0,0 @@
#REGTEST_TYPE=devel
# This reg-test tests 8 scenarios with and without tickets, with various
# combinations of settings for allow-0rtt, with QUIC/TLSv1.3. Each client will
# try to established a connection, then try to reconnect 10 times resuming,
# and check for which combination(s) 0-rtt is used and if they are expected.
varnishtest "Test if the SSL session/ticket reuse works correctly for QUIC"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
setenv VTC_SOCK_TYPE quic
setenv TLSV TLSv1.3
setenv ALPN h3
include ${testdir}/../ssl/ssl-0rtt.vtci
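Review bot: the commit message lists quic/tls13_0rtt_stateful.vtc and quic/tls13_0rtt_stateless.vtc among the introduced files, but the only QUIC 0-RTT hunk on this page is this pure deletion (-1,14 +0,0), so the QUIC 0-RTT coverage this file provided (`setenv ALPN h3`, include of ssl-0rtt.vtci, the `-repeat 10` resumption loop described in the header) disappears unless those two files are in a part of the change not shown here. Either add them with the same `feature cmd` guard (`feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) ...`) and `setenv VTC_SOCK_TYPE quic` / `setenv ALPN h3` as the deleted file, or reword the message so it does not claim files that are not in the diff.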

@ -0,0 +1,13 @@
#REGTEST_TYPE=devel
# This reg-test tests 2 scenarios without resumption tickets, with QUIC/TLSv1.3
# Each client will try to established a connection, then try to reconnect 20 times resuming.
varnishtest "Test if the SSL session/ticket reuse works correctly for QUIC"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
setenv VTC_SOCK_TYPE quic
setenv TLSV TLSv1.3
setenv NO_TLS_TICKETS "no-tls-tickets"
setenv SSL_CACHESIZE 20000
include ${testdir}/../ssl/ssl_reuse.vtci
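Review bot: the header comment "tests 2 scenarios without resumption tickets" is stale: once the clst4/fe4 pair is removed from ssl_reuse.vtci, a run of this file exercises a single bind (`no-tls-tickets` with `tune.ssl.cachesize 20000`), so it should say "tests stateful resumption (session cache) with QUIC/TLSv1.3", matching the wording used in the tls12 stateful sibling. While here, "try to established a connection" should read "try to establish a connection". Note also that the commit message calls the tunable `tune.tls.cachesize` while the include sets `tune.ssl.cachesize`; the message should use the real keyword.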

@ -1,6 +1,6 @@
#REGTEST_TYPE=devel
# This reg-test tests 2 scenarios with and without resumption tickets, with QUIC/TLSv1.3
# This reg-test tests 2 scenarios with resumption tickets, with QUIC/TLSv1.3
# Each client will try to established a connection, then try to reconnect 20 times resuming.
varnishtest "Test if the SSL session/ticket reuse works correctly for QUIC"
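Review bot: "2 scenarios with resumption tickets" is stale for the same reason as in the stateful sibling: after the ssl_reuse.vtci change only one bind is configured, so this file tests stateless (ticket) resumption only; say "tests stateless resumption (tickets) with QUIC/TLSv1.3" and fix "try to established" to "try to establish".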
@ -8,4 +8,6 @@ feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT
setenv VTC_SOCK_TYPE quic
setenv TLSV TLSv1.3
setenv NO_TLS_TICKETS tls-tickets
setenv SSL_CACHESIZE 0
include ${testdir}/../ssl/ssl_reuse.vtci
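Review bot: the variable is named NO_TLS_TICKETS but is set to `tls-tickets` here, so its name states the opposite of its value; since it carries whichever bind keyword enables or disables tickets, a neutral name such as TLS_TICKETS_OPT (values `no-tls-tickets` / `tls-tickets`) would read correctly in both files and on the `bind` line of ssl_reuse.vtci. `SSL_CACHESIZE 0` is the right isolation for the stateless case: with the session cache disabled, a handshake reported as resumed can only have come through a ticket, so the `ssl_fc_is_resumed == 1` assertion in the include actually proves the ticket path rather than the cache.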

@ -17,6 +17,8 @@ haproxy h1 -conf {
thread-groups 1
.endif
# allow to enable or disable completely the cache for stateful resumption
tune.ssl.cachesize "${SSL_CACHESIZE}"
# forced to 1 here, because there is a cached session per thread
nbthread 1
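Review bot: `tune.ssl.cachesize "${SSL_CACHESIZE}"` makes every .vtc that includes this file responsible for defining SSL_CACHESIZE (and, lower down, NO_TLS_TICKETS); a file that forgets either no longer gets the old behaviour but fails when the macro is expanded. Add a line to the header comment of ssl_reuse.vtci listing the two required setenv variables and their accepted values (`0` or a cache size; `no-tls-tickets` or `tls-tickets`), and rephrase "allow to enable or disable completely the cache for stateful resumption" as "allows enabling or completely disabling the session cache used for stateful resumption".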
@ -36,14 +38,8 @@ haproxy h1 -conf {
server s1 "${VTC_SOCK_TYPE}+${h1_fe3_addr}:${h1_fe3_port}" ssl verify none sni str(www.test1.com)
http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
listen clst4
bind "fd@${clst4}"
server s1 "${VTC_SOCK_TYPE}+${h1_fe4_addr}:${h1_fe4_port}" ssl verify none sni str(www.test1.com)
http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
listen ssl
bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}"
bind "${VTC_SOCK_TYPE}+fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets
bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" "${NO_TLS_TICKETS}"
http-response add-header x-ssl-resumed %[ssl_fc_is_resumed]
server s1 ${s1_addr}:${s1_port}
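Review bot: with `listen clst4` and the `fd@${fe4}` bind dropped and the single `fd@${fe3}` bind parametrised with `"${NO_TLS_TICKETS}"`, the two resumption modes are no longer exercised in one haproxy instance, which is the purpose of the split, but it also means a mode is silently untested if one of the `_stateful` / `_stateless` .vtc files for a TLS version is missing or skipped by its `feature cmd` guard; please double-check that each version has both files and that the guards differ only where the commit message says they should. Since the quoted `"${NO_TLS_TICKETS}"` expands to a bare keyword, `setenv NO_TLS_TICKETS "no-tls-tickets"` and `setenv NO_TLS_TICKETS no-tls-tickets` are equivalent; the .vtc files currently use both forms, so pick one.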
@ -65,22 +61,6 @@ client c3 -connect ${h1_clst3_sock} -repeat 20 {
expect resp.http.x-ssl-resumed == 1
} -run
# fourth bind
client c4 -connect ${h1_clst4_sock} {
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl-resumed == 0
} -run
client c4 -connect ${h1_clst4_sock} -repeat 20 {
txreq
rxresp
expect resp.status == 200
expect resp.http.x-ssl-resumed == 1
} -run
# Could be useful to debug the result, the ssl_fc_is_resumed field in the log must be 1 after the 2nd command
#shell {
#
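Review bot: the removed `client c4` blocks carried the only assertions for the `no-tls-tickets` bind, and after the split the same `expect resp.http.x-ssl-resumed == 0` on the first connection and `== 1` over `-repeat 20` are run through c3 for whichever mode the including file selects; what is now missing is a negative control, i.e. a file with `no-tls-tickets` and `SSL_CACHESIZE 0` asserting `x-ssl-resumed == 0` on the repeats, which would catch a regression where `ssl_fc_is_resumed` reports 1 without either resumption mechanism being available. The trailing debug comment ("must be 1 after the 2nd command") is still accurate and can stay.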

@ -0,0 +1,17 @@
#REGTEST_TYPE=devel
# This reg-test tests 8 scenarios without tickets, with various
# combinations of settings for allow-0rtt, with TLSv1.2. Each client will try
# to established a connection, then try to reconnect 10 times resuming, and
# check for which combination(s) 0-rtt is used and fail if any does so since
# it's not expected to work with 1.2.
varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
setenv VTC_SOCK_TYPE stream
setenv TLSV TLSv1.2
setenv NO_TLS_TICKETS "no-tls-tickets"
setenv SSL_CACHESIZE 20000
setenv ALPN http/1.1
include ${testdir}/../ssl/ssl-0rtt.vtci
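Review bot: this file sets NO_TLS_TICKETS and SSL_CACHESIZE but includes ssl-0rtt.vtci, which this commit does not touch (the message only says ssl_reuse.vtci was made variable-driven), and the deleted QUIC 0rtt file's header says that include used to run "with and without tickets" on its own; unless ssl-0rtt.vtci already consumes the two variables from an earlier change, the `_stateful` and `_stateless` 0rtt files run identical configurations and "8 scenarios without tickets" in this header is not true. Point to where ssl-0rtt.vtci reads NO_TLS_TICKETS / SSL_CACHESIZE, or include that change here. Also "try to established" should be "try to establish".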

@ -1,15 +1,17 @@
#REGTEST_TYPE=devel
# This reg-test tests 8 scenarios with and without tickets, with various
# This reg-test tests 8 scenarios with tickets, with various
# combinations of settings for allow-0rtt, with TLSv1.2. Each client will try
# to established a connection, then try to reconnect 10 times resuming, and
# check for which combination(s) 0-rtt is used and fail if any does so since
# it's not expected to work with 1.2.
varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
setenv VTC_SOCK_TYPE stream
setenv TLSV TLSv1.2
setenv NO_TLS_TICKETS tls-tickets
setenv SSL_CACHESIZE 0
setenv ALPN http/1.1
include ${testdir}/../ssl/ssl-0rtt.vtci
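Review bot: this stateless TLSv1.2 file keeps `feature(OPENSSL_WOLFSSL)` in its guard while the commit message says "TLS1.2+stateless does not seem to work on WolfSSL" and ssl/tls12_resume_stateless.vtc drops WolfSSL for that reason; either remove it here too, or, if it stays because this test only checks that 0-RTT is never used with TLSv1.2 (per the header) and does not depend on resumption succeeding, say so in a comment above `feature cmd` so the two different guards do not look accidental.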

@ -0,0 +1,14 @@
#REGTEST_TYPE=devel
# This reg-test tests the stateful TLS resumption (sessions) with TLSv1.2
# Each client will try to established a connection, then try to reconnect 20 times resuming.
varnishtest "Test if the SSL session resume works correctly for TLSv1.2"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
setenv VTC_SOCK_TYPE stream
setenv TLSV TLSv1.2
setenv NO_TLS_TICKETS "no-tls-tickets"
setenv SSL_CACHESIZE 20000
include ${testdir}/../ssl/ssl_reuse.vtci
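Review bot: the varnishtest title "Test if the SSL session resume works correctly for TLSv1.2" and the header "tests the stateful TLS resumption (sessions)" are the clearest wording in the series; the quic and tls13 stateful files still use the generic "session/ticket reuse" title and the stale "2 scenarios" comment, so apply this wording there as well. Grammar: "try to established" should be "try to establish".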

@ -0,0 +1,14 @@
#REGTEST_TYPE=devel
# This reg-test tests stateless resumption tickets, with TLSv1.2
# Each client will try to established a connection, then try to reconnect 20 times resuming.
varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
setenv VTC_SOCK_TYPE stream
setenv TLSV TLSv1.2
setenv NO_TLS_TICKETS tls-tickets
setenv SSL_CACHESIZE 0
include ${testdir}/../ssl/ssl_reuse.vtci
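Review bot: WolfSSL is left out of the guard here (`feature(OPENSSL_AWSLC) || feature(OPENSSL) && ...`), consistent with the message's "TLS1.2+stateless does not seem to work on WolfSSL", but nothing in the file records that; add a comment above `feature cmd` stating that WolfSSL is excluded because TLSv1.2 ticket resumption fails there, so the omission is not "fixed" later by someone aligning the guards. Also "tests stateless resumption tickets" reads better as "tests stateless resumption (tickets)", mirroring the stateful file.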

@ -0,0 +1,16 @@
#REGTEST_TYPE=devel
# This reg-test tests 8 scenarios without tickets, with various
# combinations of settings for allow-0rtt, with TLSv1.3. Each client will try
# to established a connection, then try to reconnect 10 times resuming, and
# check for which combination(s) 0-rtt is used and if they are expected.
varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.3"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
setenv VTC_SOCK_TYPE stream
setenv TLSV TLSv1.3
setenv NO_TLS_TICKETS no-tls-tickets
setenv SSL_CACHESIZE 20000
setenv ALPN http/1.1
include ${testdir}/../ssl/ssl-0rtt.vtci
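Review bot: the guard here is `feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)` only, whereas the tls12 stateful 0rtt file accepts AWS-LC and WolfSSL as well; that matches the message (AWS-LC only on TLS1.2 and TLS1.3+tickets), but a one-line comment saying stateful TLSv1.3 0-RTT is OpenSSL-only would make the difference intentional rather than an oversight. Minor: `setenv NO_TLS_TICKETS no-tls-tickets` is unquoted here but quoted in the tls12 and quic stateful files; use one form.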

@ -1,6 +1,6 @@
#REGTEST_TYPE=devel
# This reg-test tests 8 scenarios with and without tickets, with various
# This reg-test tests 8 scenarios with tickets, with various
# combinations of settings for allow-0rtt, with TLSv1.3. Each client will try
# to established a connection, then try to reconnect 10 times resuming, and
# check for which combination(s) 0-rtt is used and if they are expected.
@ -10,5 +10,7 @@ feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(Op
setenv VTC_SOCK_TYPE stream
setenv TLSV TLSv1.3
setenv NO_TLS_TICKETS tls-tickets
setenv SSL_CACHESIZE 0
setenv ALPN http/1.1
include ${testdir}/../ssl/ssl-0rtt.vtci
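Review bot: the commit message says AWS-LC is now enabled on "TCP TLS1.3+tickets", and ssl/tls13_resume_stateless.vtc does add `feature(OPENSSL_AWSLC)`, but this ticket-based TLSv1.3 0rtt file keeps the `feature(OPENSSL) && ssllib_name_startswith(OpenSSL)` guard visible in the hunk header; if AWS-LC 0-RTT with tickets is expected to work, add it here as well, otherwise narrow the message to the resume test so the two files are not read as contradicting it.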

@ -1,6 +1,6 @@
#REGTEST_TYPE=devel
# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.3
# This reg-test tests stateful resumption (session) with TLSv1.3
# Each client will try to established a connection, then try to reconnect 20 times resuming.
varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.3"
@ -8,4 +8,7 @@ feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL)
setenv VTC_SOCK_TYPE stream
setenv TLSV TLSv1.3
setenv NO_TLS_TICKETS "no-tls-tickets"
setenv SSL_CACHESIZE 20000
include ${testdir}/../ssl/ssl_reuse.vtci
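Review bot: the guard shown in the hunk header, `feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ...`, is unchanged, so AWS-LC is not enabled for stateful TLSv1.3 resumption while its stateless sibling gets it; that agrees with the message, but a comment above `feature cmd` explaining why (as the tls12 stateless file should do for WolfSSL) would prevent a later blind alignment of the guards. The varnishtest title still says "session/ticket reuse"; use "session resume" as in ssl/tls12_resume_stateful.vtc, since tickets are off here.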

@ -1,11 +1,14 @@
#REGTEST_TYPE=devel
# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.2
# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.3
# Each client will try to established a connection, then try to reconnect 20 times resuming.
varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.3"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
setenv VTC_SOCK_TYPE stream
setenv TLSV TLSv1.2
setenv TLSV TLSv1.3
setenv NO_TLS_TICKETS tls-tickets
setenv SSL_CACHESIZE 0
include ${testdir}/../ssl/ssl_reuse.vtci
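Review bot: the header comment still says "2 scenarios with and without resumption tickets", which is wrong on both counts for this file: it is the stateless variant (`tls-tickets`, `SSL_CACHESIZE 0`) and, after the clst4 removal in ssl_reuse.vtci, runs a single scenario; rewrite it as "tests stateless resumption (tickets) with TLSv1.3" and fix "try to established" to "try to establish". The rest of the rename from the TLSv1.2 file is consistent with the message: adding `feature(OPENSSL_AWSLC)` matches "TCP TLS1.3+tickets", and keeping `feature(OPENSSL_WOLFSSL)` is fine since the WolfSSL caveat applies only to TLS1.2 stateless.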