Mercurial > hg > nginx-tests
comparison h3_ssl_session_reuse.t @ 1885:905b1704eb54
Tests: TLS session resumption tests with HTTP/3.
LibreSSL doesn't send NewSessionTicket messages in CRYPTO frames.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 18 Jan 2023 16:04:33 +0400 |
parents | |
children | 8b74936ff2ac |
comparison
equal
deleted
inserted
replaced
1884:6f1508d53a26 | 1885:905b1704eb54 |
---|---|
1 #!/usr/bin/perl | |
2 | |
3 # (C) Sergey Kandaurov | |
4 # (C) Nginx, Inc. | |
5 | |
6 # Tests for TLS session resumption with HTTP/3. | |
7 | |
8 ############################################################################### | |
9 | |
10 use warnings; | |
11 use strict; | |
12 | |
13 use Test::More; | |
14 | |
15 BEGIN { use FindBin; chdir($FindBin::Bin); } | |
16 | |
17 use lib 'lib'; | |
18 use Test::Nginx; | |
19 use Test::Nginx::HTTP3; | |
20 | |
21 ############################################################################### | |
22 | |
23 select STDERR; $| = 1; | |
24 select STDOUT; $| = 1; | |
25 | |
26 eval { require Crypt::Misc; die if $Crypt::Misc::VERSION < 0.067; }; | |
27 plan(skip_all => 'CryptX version >= 0.067 required') if $@; | |
28 | |
29 my $t = Test::Nginx->new()->has(qw/http http_v3/) | |
30 ->has_daemon('openssl')->plan(8) | |
31 ->write_file_expand('nginx.conf', <<'EOF'); | |
32 | |
33 %%TEST_GLOBALS%% | |
34 | |
35 daemon off; | |
36 | |
37 events { | |
38 } | |
39 | |
40 http { | |
41 %%TEST_GLOBALS_HTTP%% | |
42 | |
43 ssl_certificate_key localhost.key; | |
44 ssl_certificate localhost.crt; | |
45 | |
46 add_header X-Session $ssl_session_reused always; | |
47 | |
48 server { | |
49 listen 127.0.0.1:%%PORT_8943_UDP%% quic; | |
50 server_name localhost; | |
51 } | |
52 | |
53 server { | |
54 listen 127.0.0.1:%%PORT_8944_UDP%% quic; | |
55 server_name localhost; | |
56 | |
57 ssl_session_cache shared:SSL:1m; | |
58 ssl_session_tickets on; | |
59 } | |
60 | |
61 server { | |
62 listen 127.0.0.1:%%PORT_8945_UDP%% quic; | |
63 server_name localhost; | |
64 | |
65 ssl_session_cache shared:SSL:1m; | |
66 ssl_session_tickets off; | |
67 } | |
68 | |
69 server { | |
70 listen 127.0.0.1:%%PORT_8946_UDP%% quic; | |
71 server_name localhost; | |
72 | |
73 ssl_session_cache builtin; | |
74 ssl_session_tickets off; | |
75 } | |
76 | |
77 server { | |
78 listen 127.0.0.1:%%PORT_8947_UDP%% quic; | |
79 server_name localhost; | |
80 | |
81 ssl_session_cache builtin:1000; | |
82 ssl_session_tickets off; | |
83 } | |
84 | |
85 server { | |
86 listen 127.0.0.1:%%PORT_8948_UDP%% quic; | |
87 server_name localhost; | |
88 | |
89 ssl_session_cache none; | |
90 ssl_session_tickets off; | |
91 } | |
92 | |
93 server { | |
94 listen 127.0.0.1:%%PORT_8949_UDP%% quic; | |
95 server_name localhost; | |
96 | |
97 ssl_session_cache off; | |
98 ssl_session_tickets off; | |
99 } | |
100 } | |
101 | |
102 EOF | |
103 | |
104 $t->write_file('openssl.conf', <<EOF); | |
105 [ req ] | |
106 default_bits = 2048 | |
107 encrypt_key = no | |
108 distinguished_name = req_distinguished_name | |
109 [ req_distinguished_name ] | |
110 EOF | |
111 | |
112 my $d = $t->testdir(); | |
113 | |
114 foreach my $name ('localhost') { | |
115 system('openssl req -x509 -new ' | |
116 . "-config $d/openssl.conf -subj /CN=$name/ " | |
117 . "-out $d/$name.crt -keyout $d/$name.key " | |
118 . ">>$d/openssl.out 2>&1") == 0 | |
119 or die "Can't create certificate for $name: $!\n"; | |
120 } | |
121 | |
122 $t->run(); | |
123 | |
124 ############################################################################### | |
125 | |
126 # session reuse: | |
127 # | |
128 # - only tickets, the default | |
129 # - tickets and shared cache, should work always | |
130 # - only shared cache | |
131 # - only builtin cache | |
132 # - only builtin cache with explicitly configured size | |
133 # - only cache none | |
134 # - only cache off | |
135 | |
136 TODO: { | |
137 local $TODO = 'no TLSv1.3 sessions in LibreSSL' | |
138 if $t->has_module('LibreSSL'); | |
139 | |
140 is(test_reuse(8943), 1, 'tickets reused'); | |
141 is(test_reuse(8944), 1, 'tickets and cache reused'); | |
142 | |
143 local $TODO = 'no TLSv1.3 session cache in BoringSSL' | |
144 if $t->has_module('BoringSSL'); | |
145 | |
146 is(test_reuse(8945), 1, 'cache shared reused'); | |
147 is(test_reuse(8946), 1, 'cache builtin reused'); | |
148 is(test_reuse(8947), 1, 'cache builtin size reused'); | |
149 | |
150 } | |
151 | |
152 is(test_reuse(8948), 0, 'cache none not reused'); | |
153 is(test_reuse(8949), 0, 'cache off not reused'); | |
154 | |
155 $t->stop(); | |
156 | |
157 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit'); | |
158 | |
159 ############################################################################### | |
160 | |
161 sub test_reuse { | |
162 my ($port) = @_; | |
163 | |
164 my $s = Test::Nginx::HTTP3->new($port); | |
165 my $frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]); | |
166 | |
167 my $psk_list = $s->{psk_list}; | |
168 | |
169 $s = Test::Nginx::HTTP3->new($port, psk_list => $psk_list); | |
170 $frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]); | |
171 | |
172 my ($frame) = grep { $_->{type} eq "HEADERS" } @$frames; | |
173 return $frame->{headers}->{'x-session'} eq 'r' ? 1 : 0; | |
174 } | |
175 | |
176 ############################################################################### |