summaryrefslogtreecommitdiffstats
path: root/reg-tests/ssl/ssl_reuse.vtc
blob: d7244eeb4d88517b07f0f3989487c0769e197ffa (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

#REGTEST_TYPE=devel

# This reg-test tests 4 scenarios with and without resumption tickets, with TLSv1.3 and TLSv1.2
# Each client will try to established a connection, then try to reconnect 20 times resuming.


varnishtest "Test if the SSL session/ticket reuse work correctly"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
feature ignore_unknown_macro

server s1 -repeat 84 {
    rxreq
    txresp
} -start

haproxy h1 -conf {
   global
      # forced to 1 here, because there is a cached session per thread
      nbthread 1


    defaults
        mode http
        option httplog
        option logasap
        log stderr local0 debug err
        option httpclose
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"

    listen clst1
        bind "fd@${clst1}"
        server s1 "${h1_fe1_addr}:${h1_fe1_port}" ssl verify none   sni str(www.test1.com)
        http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]

    listen clst2
        bind "fd@${clst2}"
        server s1 "${h1_fe2_addr}:${h1_fe2_port}" ssl verify none  sni str(www.test1.com)
        http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]

    listen clst3
        bind "fd@${clst3}"
        server s1 "${h1_fe3_addr}:${h1_fe3_port}" ssl verify none  sni str(www.test1.com)
        http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]

    listen clst4
        bind "fd@${clst4}"
        server s1 "${h1_fe4_addr}:${h1_fe4_port}" ssl verify none  sni str(www.test1.com)
        http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]

    listen ssl
        bind "fd@${fe1}" ssl crt ${testdir}/common.pem ssl-max-ver TLSv1.2
        bind "fd@${fe2}" ssl crt ${testdir}/common.pem ssl-max-ver TLSv1.2 no-tls-tickets
        bind "fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3
        bind "fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3 no-tls-tickets

        http-response add-header x-ssl-resumed %[ssl_fc_is_resumed]
        server s1 ${s1_addr}:${s1_port}
} -start


# first bind
# the first connection is not resumed
client c1 -connect ${h1_clst1_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-resumed == 0
} -run
# the next 20 connections are resumed
client c1 -connect ${h1_clst1_sock} -repeat 20 {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-resumed == 1
} -run

# second bind
client c2 -connect ${h1_clst2_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-resumed == 0
} -run

client c2 -connect ${h1_clst2_sock} -repeat 20 {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-resumed == 1
} -run

# third bind
client c3 -connect ${h1_clst3_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-resumed == 0
} -run

client c3 -connect ${h1_clst3_sock} -repeat 20 {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-resumed == 1
} -run

# fourth bind
client c4 -connect ${h1_clst4_sock} {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-resumed == 0
} -run

client c4 -connect ${h1_clst4_sock} -repeat 20 {
    txreq
    rxresp
    expect resp.status == 200
    expect resp.http.x-ssl-resumed == 1
} -run


# Could be useful to debug the result, the ssl_fc_is_resumed field in the log must be 1 after the 2nd command
#shell {
#
#   HOST=${h1_fe4_addr}
#    if [ "${h1_fe4_addr}" = "::1" ] ; then
#        HOST="\[::1\]"
#    fi
#
# rm sess.pem; (echo -e -n "GET / HTTP/1.1\r\n\r\n"; sleep 1) | openssl s_client -connect $HOST:${h1_fe4_port} -tls1_3 -sess_out sess.pem -keylogfile keys1.txt -servername www.test1.com > /tmp/ssl_debug1; echo | openssl s_client -connect ${HOST}:${h1_fe4_port} -tls1_3 -sess_in sess.pem -keylogfile keys2.txt -servername www.test1.com >> /tmp/ssl_debug1
#    echo "GET / HTTP/1.1" | openssl s_client -connect $HOST:${h1_fe4_port} -tls1_3 -servername www.test1.com
#}

haproxy h1 -cli {
    send "show info"
    expect ~ ".*SslFrontendSessionReuse_pct: 95.*"
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-01 16:37:57 +0000