openssl/test/ssl_test_ctx_test.conf
Todd Short a84e5c9aa8 Session resume broken switching contexts
When an SSL's context is switched from a ticket-enabled context to
a ticket-disabled context in the servername callback, no session-id
is generated, so the session can't be resumed.

If a servername callback changes the SSL_OP_NO_TICKET option, check
to see if it's changed to disable, and whether a session ticket is
expected (i.e. the client indicated ticket support and the SSL had
tickets enabled at the time), and whether we already have a previous
session (i.e. s->hit is set).

In this case, clear the ticket-expected flag, remove any ticket data
and generate a session-id in the session.

If the SSL hit (resumed) and switched to a ticket-disabled context,
assume that the resumption was via session-id, and don't bother to
update the session.

Before this fix, the updated unit-tests in 06-sni-ticket.conf would
fail test #4 (server1 = SNI, server2 = no SNI).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1529)
2017-10-04 10:21:08 +10:00
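
The rule the commit message describes, as an added C example that is not OpenSSL's code: the `conn`/`session` structures, their field names and the `OP_NO_TICKET` bit are constructed stand-ins for the real SSL state, and `generate_session_id` is a placeholder for the real random id generation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the state the commit message refers to; these are
 * not OpenSSL's real structures, field names or option values. */
#define OP_NO_TICKET 0x4000UL          /* stands in for SSL_OP_NO_TICKET */
#define SESSION_ID_LEN 32

struct session {
    unsigned char id[SESSION_ID_LEN];
    size_t id_len;                     /* 0 means no session-id was generated */
    unsigned char ticket[64];
    size_t ticket_len;                 /* 0 means no ticket data is held */
};

struct conn {
    unsigned long options;             /* option bits in force before the callback */
    bool ticket_expected;              /* client offered tickets and they were enabled */
    bool hit;                          /* a previous session was resumed */
    struct session sess;
};

/* Placeholder for a fresh session-id; real code must use a CSPRNG. */
static void generate_session_id(struct session *s)
{
    static unsigned char counter;
    for (size_t i = 0; i < SESSION_ID_LEN; i++)
        s->id[i] = (unsigned char)(i ^ ++counter);
    s->id_len = SESSION_ID_LEN;
}

/* Apply the fix after the servername callback may have changed the options.
 * Returns true when the session was switched from ticket to session-id
 * resumption, false when nothing needed to change. */
bool fixup_after_servername_cb(struct conn *c, unsigned long new_options)
{
    bool was_enabled = (c->options & OP_NO_TICKET) == 0;
    bool now_disabled = (new_options & OP_NO_TICKET) != 0;
    c->options = new_options;
    if (!(was_enabled && now_disabled) || !c->ticket_expected)
        return false;                  /* tickets not newly disabled: nothing to do */
    if (c->hit)
        return false;                  /* already resumed (via session-id): leave it alone */
    c->ticket_expected = false;        /* no NewSessionTicket will be sent */
    memset(c->sess.ticket, 0, sizeof c->sess.ticket);
    c->sess.ticket_len = 0;            /* drop any ticket data */
    generate_session_id(&c->sess);     /* so the client can resume by session-id */
    return true;
}
```

The third case in the checks below mirrors test #4 of 06-sni-ticket.conf only in spirit: a context that never had tickets enabled must not be touched either.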


[ssltest_default]
[ssltest_good]
client = ssltest_good_client_extra
server = ssltest_good_server_extra
resume-server2 = ssltest_good_resume_server2_extra
resume-client = ssltest_good_resume_client_extra
Method = DTLS
HandshakeMode = Resume
ApplicationData = 1024
MaxFragmentSize = 2048
ExpectedResult = ServerFail
ExpectedClientAlert = UnknownCA
ExpectedProtocol = TLSv1.1
ExpectedServerName = server2
SessionTicketExpected = Yes
ResumptionExpected = Yes
[ssltest_good_client_extra]
VerifyCallback = RejectAll
ServerName = server2
NPNProtocols = foo,bar
[ssltest_good_resume_client_extra]
CTValidation = Strict
[ssltest_good_server_extra]
ServerNameCallback = IgnoreMismatch
BrokenSessionTicket = Yes
[ssltest_good_resume_server2_extra]
ALPNProtocols = baz
[ssltest_unknown_option]
UnknownOption = Foo
[ssltest_wrong_section]
server = ssltest_wrong_section_server
[ssltest_wrong_section_server]
VerifyCallback = RejectAll
[ssltest_unknown_expected_result]
ExpectedResult = Foo
[ssltest_unknown_alert]
ExpectedServerAlert = Foo
[ssltest_unknown_protocol]
Protocol = Foo
[ssltest_unknown_verify_callback]
client = ssltest_unknown_verify_callback_client
[ssltest_unknown_verify_callback_client]
VerifyCallback = Foo
[ssltest_unknown_servername]
client = ssltest_unknown_servername_client
[ssltest_unknown_servername_client]
ServerName = Foo
[ssltest_unknown_servername_callback]
server = ssltest_unknown_servername_server
[ssltest_unknown_servername_server]
ServerNameCallback = Foo
[ssltest_unknown_session_ticket_expected]
SessionTicketExpected = Foo
[ssltest_unknown_compression_expected]
CompressionExpected = Foo
[ssltest_unknown_session_id_expected]
SessionIdExpected = Foo
[ssltest_unknown_method]
Method = TLS2
[ssltest_unknown_handshake_mode]
HandshakeMode = Foo
[ssltest_unknown_resumption_expected]
ResumptionExpected = Foo
[ssltest_unknown_ct_validation]
client = ssltest_unknown_ct_validation_client
[ssltest_unknown_ct_validation_client]
CTCallback = Foo