openssl/test/ssl-tests/06-sni-ticket.conf.in
Todd Short a84e5c9aa8 Session resume broken switching contexts
When an SSL's context is swtiched from a ticket-enabled context to
a ticket-disabled context in the servername callback, no session-id
is generated, so the session can't be resumed.

If a servername callback changes the SSL_OP_NO_TICKET option, check
to see if it's changed to disable, and whether a session ticket is
expected (i.e. the client indicated ticket support and the SSL had
tickets enabled at the time), and whether we already have a previous
session (i.e. s->hit is set).

In this case, clear the ticket-expected flag, remove any ticket data
and generate a session-id in the session.

If the SSL hit (resumed) and switched to a ticket-disabled context,
assume that the resumption was via session-id, and don't bother to
update the session.

Before this fix, the updated unit-tests in 06-sni-ticket.conf would
fail test #4 (server1 = SNI, server2 = no SNI).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1529)
2017-10-04 10:21:08 +10:00

102 lines
3.1 KiB
Perl

# -*- mode: perl; -*-
# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
## Test SNI/Session tickets
use strict;
use warnings;
package ssltests;
our @tests = ();
#Note: MaxProtocol is set to TLSv1.2 as session tickets work differently in
#TLSv1.3.
sub generate_tests() {
foreach my $c ("SessionTicket", "-SessionTicket") {
foreach my $s1 ("SessionTicket", "-SessionTicket") {
foreach my $s2 ("SessionTicket", "-SessionTicket") {
foreach my $n ("server1", "server2") {
my $ticket_result = expected_result($c, $s1, $s2, $n);
my $session_id_result = "Yes"; # always, even with a ticket
push @tests, {
"name" => "sni-session-ticket",
"client" => {
"Options" => $c,
"extra" => {
"ServerName" => $n,
},
"MaxProtocol" => "TLSv1.2"
},
"server" => {
"Options" => $s1,
"extra" => {
# We don't test mismatch here.
"ServerNameCallback" => "IgnoreMismatch",
},
},
"server2" => {
"Options" => $s2,
},
"test" => {
"ExpectedServerName" => $n,
"ExpectedResult" => "Success",
"SessionIdExpected" => $session_id_result,
"SessionTicketExpected" => $ticket_result,
}
};
}
}
}
}
}
# If the client has session tickets disabled, then No support
# If the server initial_ctx has session tickets disabled, then No support
# If SNI is in use, then if the "switched-to" context has session tickets disabled,
# then No support
sub expected_result {
my ($c, $s1, $s2, $n) = @_;
return "No" if $c eq "-SessionTicket";
return "No" if $s1 eq "-SessionTicket";
return "No" if ($s2 eq "-SessionTicket" && $n eq "server2");
return "Yes";
}
# Add a "Broken" case.
push @tests, {
"name" => "sni-session-ticket",
"client" => {
"MaxProtocol" => "TLSv1.2",
"Options" => "SessionTicket",
"extra" => {
"ServerName" => "server1",
}
},
"server" => {
"Options" => "SessionTicket",
"extra" => {
"BrokenSessionTicket" => "Yes",
},
},
"server2" => {
"Options" => "SessionTicket",
},
"test" => {
"ExpectedResult" => "Success",
"SessionTicketExpected" => "No",
}
};
generate_tests();