diff --git a/reg-tests/quic/tls13_0rtt.vtc b/reg-tests/quic/tls13_0rtt.vtc
deleted file mode 100644
index 90024dce6..000000000
--- a/reg-tests/quic/tls13_0rtt.vtc
+++ /dev/null
@@ -1,14 +0,0 @@
-#REGTEST_TYPE=devel
-
-# This reg-test tests 8 scenarios with and without tickets, with various
-# combinations of settings for allow-0rtt, with QUIC/TLSv1.3. Each client will
-# try to established a connection, then try to reconnect 10 times resuming,
-# and check for which combination(s) 0-rtt is used and if they are expected.
-
-varnishtest "Test if the SSL session/ticket reuse works correctly for QUIC"
-feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
-
-setenv VTC_SOCK_TYPE quic
-setenv TLSV TLSv1.3
-setenv ALPN h3
-include ${testdir}/../ssl/ssl-0rtt.vtci
diff --git a/reg-tests/quic/tls13_resume_stateful.vtc b/reg-tests/quic/tls13_resume_stateful.vtc
new file mode 100644
index 000000000..682c6a1fa
--- /dev/null
+++ b/reg-tests/quic/tls13_resume_stateful.vtc
@@ -0,0 +1,13 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests 2 scenarios without resumption tickets, with QUIC/TLSv1.3
+# Each client will try to established a connection, then try to reconnect 20 times resuming.
+
+varnishtest "Test if the SSL session/ticket reuse works correctly for QUIC"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE quic
+setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS "no-tls-tickets"
+setenv SSL_CACHESIZE 20000
+include ${testdir}/../ssl/ssl_reuse.vtci
diff --git a/reg-tests/quic/tls13_reuse.vtc b/reg-tests/quic/tls13_resume_stateless.vtc
similarity index 77%
rename from reg-tests/quic/tls13_reuse.vtc
rename to reg-tests/quic/tls13_resume_stateless.vtc
index 43808d9db..17f186bdf 100644
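Review bot: The QUIC directory gains only the two resume variants here, while `reg-tests/quic/tls13_0rtt.vtc` is deleted in this same patch with no `quic/tls13_0rtt_stateful.vtc` / `quic/tls13_0rtt_stateless.vtc` counterpart of the kind the ssl/ directory receives; unless that is added elsewhere, QUIC loses its 0-RTT regression coverage, which is exactly the path where replayable early data needs a test. The header `# This reg-test tests 2 scenarios without resumption tickets, with QUIC/TLSv1.3` also looks stale now that the ticket mode comes from a single `NO_TLS_TICKETS` value pushed into ssl_reuse.vtci; `# This reg-test tests stateful resumption (session cache, no tickets) with QUIC/TLSv1.3` would describe what the setenv lines configure. Minor: `"no-tls-tickets"` is quoted here while the stateless sibling uses bare `tls-tickets`; both parse, but one form would be easier to grep for.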
--- a/reg-tests/quic/tls13_reuse.vtc
+++ b/reg-tests/quic/tls13_resume_stateless.vtc
@@ -1,6 +1,6 @@
 #REGTEST_TYPE=devel
 
-# This reg-test tests 2 scenarios with and without resumption tickets, with QUIC/TLSv1.3
+# This reg-test tests 2 scenarios with resumption tickets, with QUIC/TLSv1.3
 # Each client will try to established a connection, then try to reconnect 20 times resuming.
 
 varnishtest "Test if the SSL session/ticket reuse works correctly for QUIC"
@@ -8,4 +8,6 @@ feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT
 
 setenv VTC_SOCK_TYPE quic
 setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS tls-tickets
+setenv SSL_CACHESIZE 0
 include ${testdir}/../ssl/ssl_reuse.vtci
diff --git a/reg-tests/ssl/ssl_reuse.vtci b/reg-tests/ssl/ssl_reuse.vtci
index f7218588f..91db545e9 100644
--- a/reg-tests/ssl/ssl_reuse.vtci
+++ b/reg-tests/ssl/ssl_reuse.vtci
@@ -17,6 +17,8 @@ haproxy h1 -conf {
 thread-groups 1
 .endif
 
+ # allow to enable or disable completely the cache for stateful resumption
+ tune.ssl.cachesize "${SSL_CACHESIZE}"
 # forced to 1 here, because there is a cached session per thread
 nbthread 1
 
@@ -36,14 +38,8 @@ haproxy h1 -conf {
 server s1 "${VTC_SOCK_TYPE}+${h1_fe3_addr}:${h1_fe3_port}" ssl verify none sni str(www.test1.com)
 http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
 
-listen clst4
-bind "fd@${clst4}"
-server s1 "${VTC_SOCK_TYPE}+${h1_fe4_addr}:${h1_fe4_port}" ssl verify none sni str(www.test1.com)
-http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
-
 listen ssl
-bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}"
-bind "${VTC_SOCK_TYPE}+fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets
+bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" "${NO_TLS_TICKETS}"
 http-response add-header x-ssl-resumed %[ssl_fc_is_resumed]
 server s1 ${s1_addr}:${s1_port}
 
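Review bot: The comment above the new `tune.ssl.cachesize "${SSL_CACHESIZE}"` line says the cache can be "enabled or disabled completely" but not which value does what, and since every including .vtc now depends on this variable it is worth spelling out the contract: `# SSL_CACHESIZE is set by the including .vtc: 0 disables the session cache entirely (stateless variants can then only resume via tickets), a positive value enables stateful resumption`. A second line noting that an including test that forgets to set `SSL_CACHESIZE` or `NO_TLS_TICKETS` will hand an empty string to the global/bind keywords and fail at config parse would save the next author a confusing failure. The `haproxy h1 -conf {` block this hunk belongs to starts and ends outside the hunk.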
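Review bot: With the fourth bind gone, the only thing the shared scenario asserts is `x-ssl-resumed == 1`, and `ssl_fc_is_resumed` is documented as true for resumption through either the session cache or a TLS ticket; in the stateful variants (`SSL_CACHESIZE 20000` with `"${NO_TLS_TICKETS}"` expanding to `no-tls-tickets`) a library that keeps issuing tickets despite the flag would therefore pass without the session cache ever being consulted, which is the path those variants exist to test. Consider pinning the path, e.g. by reading the `SslCacheLookups` / `SslCacheMisses` counters from `show info` on a stats socket after the repeated client runs and asserting they advance only in the stateful variants; the commented-out `#shell {` debug block further down the file already does something similar on the log. The `haproxy h1 -conf {` block this hunk belongs to starts and ends outside the hunk.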
@@ -65,22 +61,6 @@ client c3 -connect ${h1_clst3_sock} -repeat 20 {
 expect resp.http.x-ssl-resumed == 1
 } -run
 
-# fourth bind
-client c4 -connect ${h1_clst4_sock} {
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl-resumed == 0
-} -run
-
-client c4 -connect ${h1_clst4_sock} -repeat 20 {
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl-resumed == 1
-} -run
-
-
 # Could be useful to debug the result, the ssl_fc_is_resumed field in the log must be 1 after the 2nd command
 #shell {
 #
diff --git a/reg-tests/ssl/tls12_0rtt_stateful.vtc b/reg-tests/ssl/tls12_0rtt_stateful.vtc
new file mode 100644
index 000000000..0aa7f333b
--- /dev/null
+++ b/reg-tests/ssl/tls12_0rtt_stateful.vtc
@@ -0,0 +1,17 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests 8 scenarios without tickets, with various
+# combinations of settings for allow-0rtt, with TLSv1.2. Each client will try
+# to established a connection, then try to reconnect 10 times resuming, and
+# check for which combination(s) 0-rtt is used and fail if any does so since
+# it's not expected to work with 1.2.
+
+varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE stream
+setenv TLSV TLSv1.2
+setenv NO_TLS_TICKETS "no-tls-tickets"
+setenv SSL_CACHESIZE 20000
+setenv ALPN http/1.1
+include ${testdir}/../ssl/ssl-0rtt.vtci
diff --git a/reg-tests/ssl/tls12_0rtt.vtc b/reg-tests/ssl/tls12_0rtt_stateless.vtc
similarity index 61%
rename from reg-tests/ssl/tls12_0rtt.vtc
rename to reg-tests/ssl/tls12_0rtt_stateless.vtc
index f95c60785..c6cb16d7c 100644
--- a/reg-tests/ssl/tls12_0rtt.vtc
+++ b/reg-tests/ssl/tls12_0rtt_stateless.vtc
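Review bot: This new file exports `NO_TLS_TICKETS` and `SSL_CACHESIZE` before including `ssl-0rtt.vtci`, but the patch does not touch `reg-tests/ssl/ssl-0rtt.vtci` and the only consumer of those two variables visible here is `ssl_reuse.vtci`; unless `ssl-0rtt.vtci` was parameterised in a separate commit, `tls12_0rtt_stateful.vtc` and `tls12_0rtt_stateless.vtc` run the identical 8 scenarios and the stateful/stateless split is in name only. Worth confirming the include honours both variables (a `tune.ssl.cachesize "${SSL_CACHESIZE}"` global and `"${NO_TLS_TICKETS}"` on the 0-RTT binds), otherwise the "TLSv1.2 must never accept 0-RTT" check is never exercised for the cache-only, no-ticket configuration. A header line such as `# Stateful variant: session cache enabled, tickets disabled (see ssl-0rtt.vtci)` would also make the difference from the _stateless sibling obvious to a reader.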
@@ -1,15 +1,17 @@
 #REGTEST_TYPE=devel
 
-# This reg-test tests 8 scenarios with and without tickets, with various
+# This reg-test tests 8 scenarios with tickets, with various
 # combinations of settings for allow-0rtt, with TLSv1.2. Each client will try
 # to established a connection, then try to reconnect 10 times resuming, and
 # check for which combination(s) 0-rtt is used and fail if any does so since
 # it's not expected to work with 1.2.
 
 varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
-feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
 
 setenv VTC_SOCK_TYPE stream
 setenv TLSV TLSv1.2
+setenv NO_TLS_TICKETS tls-tickets
+setenv SSL_CACHESIZE 0
 setenv ALPN http/1.1
 include ${testdir}/../ssl/ssl-0rtt.vtci
diff --git a/reg-tests/ssl/tls12_resume_stateful.vtc b/reg-tests/ssl/tls12_resume_stateful.vtc
new file mode 100644
index 000000000..1dd2fa807
--- /dev/null
+++ b/reg-tests/ssl/tls12_resume_stateful.vtc
@@ -0,0 +1,14 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests the stateful TLS resumption (sessions) with TLSv1.2
+# Each client will try to established a connection, then try to reconnect 20 times resuming.
+
+varnishtest "Test if the SSL session resume works correctly for TLSv1.2"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE stream
+setenv TLSV TLSv1.2
+setenv NO_TLS_TICKETS "no-tls-tickets"
+setenv SSL_CACHESIZE 20000
+
+include ${testdir}/../ssl/ssl_reuse.vtci
diff --git a/reg-tests/ssl/tls12_resume_stateless.vtc b/reg-tests/ssl/tls12_resume_stateless.vtc
new file mode 100644
index 000000000..a6849252b
--- /dev/null
+++ b/reg-tests/ssl/tls12_resume_stateless.vtc
@@ -0,0 +1,14 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests stateless resumption tickets, with TLSv1.2
+# Each client will try to established a connection, then try to reconnect 20 times resuming.
+
+varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE stream
+setenv TLSV TLSv1.2
+setenv NO_TLS_TICKETS tls-tickets
+setenv SSL_CACHESIZE 0
+
+include ${testdir}/../ssl/ssl_reuse.vtci
diff --git a/reg-tests/ssl/tls13_0rtt_stateful.vtc b/reg-tests/ssl/tls13_0rtt_stateful.vtc
new file mode 100644
index 000000000..ff4f60fba
--- /dev/null
+++ b/reg-tests/ssl/tls13_0rtt_stateful.vtc
@@ -0,0 +1,16 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests 8 scenarios without tickets, with various
+# combinations of settings for allow-0rtt, with TLSv1.3. Each client will try
+# to established a connection, then try to reconnect 10 times resuming, and
+# check for which combination(s) 0-rtt is used and if they are expected.
+
+varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.3"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE stream
+setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS no-tls-tickets
+setenv SSL_CACHESIZE 20000
+setenv ALPN http/1.1
+include ${testdir}/../ssl/ssl-0rtt.vtci
diff --git a/reg-tests/ssl/tls13_0rtt.vtc b/reg-tests/ssl/tls13_0rtt_stateless.vtc
similarity index 82%
rename from reg-tests/ssl/tls13_0rtt.vtc
rename to reg-tests/ssl/tls13_0rtt_stateless.vtc
index f211144ac..6eaaee3e3 100644
--- a/reg-tests/ssl/tls13_0rtt.vtc
+++ b/reg-tests/ssl/tls13_0rtt_stateless.vtc
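Review bot: The feature guard of the new `tls12_resume_stateless.vtc` omits `feature(OPENSSL_WOLFSSL)` while its sibling `tls12_resume_stateful.vtc` keeps it, and the test it replaces (`tls12_reuse.vtc`, repurposed into a TLSv1.3 test further down) previously ran the ticket-enabled bind under wolfSSL too, so this is a narrowing of coverage rather than a plain split. If wolfSSL's TLSv1.2 ticket resumption is known not to pass this scenario, say so in the file, e.g. `# wolfSSL excluded: TLSv1.2 ticket resumption does not succeed with this scenario`, otherwise the omission reads like an accident and will be "fixed" by the next person who diffs the two guards. This is inferred from the guards alone; wolfSSL's actual behaviour is not visible in the diff.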
@@ -1,6 +1,6 @@
 #REGTEST_TYPE=devel
 
-# This reg-test tests 8 scenarios with and without tickets, with various
+# This reg-test tests 8 scenarios with tickets, with various
 # combinations of settings for allow-0rtt, with TLSv1.3. Each client will try
 # to established a connection, then try to reconnect 10 times resuming, and
 # check for which combination(s) 0-rtt is used and if they are expected.
@@ -10,5 +10,7 @@ feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(Op
 
 setenv VTC_SOCK_TYPE stream
 setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS tls-tickets
+setenv SSL_CACHESIZE 0
 setenv ALPN http/1.1
 include ${testdir}/../ssl/ssl-0rtt.vtci
diff --git a/reg-tests/ssl/tls13_reuse.vtc b/reg-tests/ssl/tls13_resume_stateful.vtc
similarity index 76%
rename from reg-tests/ssl/tls13_reuse.vtc
rename to reg-tests/ssl/tls13_resume_stateful.vtc
index d990286c2..b1f3303de 100644
--- a/reg-tests/ssl/tls13_reuse.vtc
+++ b/reg-tests/ssl/tls13_resume_stateful.vtc
@@ -1,6 +1,6 @@
 #REGTEST_TYPE=devel
 
-# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.3
+# This reg-test tests stateful resumption (session) with TLSv1.3
 # Each client will try to established a connection, then try to reconnect 20 times resuming.
 
 varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.3"
@@ -8,4 +8,7 @@ feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL)
 
 setenv VTC_SOCK_TYPE stream
 setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS "no-tls-tickets"
+setenv SSL_CACHESIZE 20000
+
 include ${testdir}/../ssl/ssl_reuse.vtci
diff --git a/reg-tests/ssl/tls12_reuse.vtc b/reg-tests/ssl/tls13_resume_stateless.vtc
similarity index 81%
rename from reg-tests/ssl/tls12_reuse.vtc
rename to reg-tests/ssl/tls13_resume_stateless.vtc
index bd3932e68..c6c628b64 100644
--- a/reg-tests/ssl/tls12_reuse.vtc
+++ b/reg-tests/ssl/tls13_resume_stateless.vtc
@@ -1,11 +1,14 @@
 #REGTEST_TYPE=devel
 
-# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.2
+# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.3
 # Each client will try to established a connection, then try to reconnect 20 times resuming.
 
-varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
+varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.3"
 feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
 
 setenv VTC_SOCK_TYPE stream
-setenv TLSV TLSv1.2
+setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS tls-tickets
+setenv SSL_CACHESIZE 0
+
 include ${testdir}/../ssl/ssl_reuse.vtci
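Review bot: The header on the new side still reads `# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.3`, which contradicts the configuration this file now feeds into ssl_reuse.vtci (`tls-tickets` with `SSL_CACHESIZE 0`, i.e. tickets only, session cache disabled) and is inconsistent with the sibling rename in this patch that was reworded to `# This reg-test tests stateful resumption (session) with TLSv1.3`. Suggest `# This reg-test tests stateless resumption (tickets only, session cache disabled) with TLSv1.3`. Note also that `reg-tests/ssl/tls12_reuse.vtc` is repurposed into a TLSv1.3 test here, so the TLSv1.2 ticket coverage it carried now lives only in the new `tls12_resume_stateless.vtc`, whose feature guard is narrower (no wolfSSL) than the one kept on this file.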