Mercurial > hg > nginx-tests

changeset 1885:905b1704eb54

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Tests: TLS session resumption tests with HTTP/3. LibreSSL doesn't send NewSessionTicket messages in CRYPTO frames.
author Sergey Kandaurov <pluknet@nginx.com>
date Wed, 18 Jan 2023 16:04:33 +0400
parents 6f1508d53a26
children 90a310f3cee6
files h3_ssl_session_reuse.t
diffstat 1 files changed, 176 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
new file mode 100644
--- /dev/null
+++ b/h3_ssl_session_reuse.t
@@ -0,0 +1,176 @@
+#!/usr/bin/perl
+
+# (C) Sergey Kandaurov
+# (C) Nginx, Inc.
+
+# Tests for TLS session resumption with HTTP/3.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+use Test::Nginx::HTTP3;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+eval { require Crypt::Misc; die if $Crypt::Misc::VERSION < 0.067; };
+plan(skip_all => 'CryptX version >= 0.067 required') if $@;
+
+my $t = Test::Nginx->new()->has(qw/http http_v3/)
+	->has_daemon('openssl')->plan(8)
+	->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+http {
+    %%TEST_GLOBALS_HTTP%%
+
+    ssl_certificate_key localhost.key;
+    ssl_certificate localhost.crt;
+
+    add_header X-Session $ssl_session_reused always;
+
+    server {
+        listen       127.0.0.1:%%PORT_8943_UDP%% quic;
+        server_name  localhost;
+    }
+
+    server {
+        listen       127.0.0.1:%%PORT_8944_UDP%% quic;
+        server_name  localhost;
+
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_tickets on;
+    }
+
+    server {
+        listen       127.0.0.1:%%PORT_8945_UDP%% quic;
+        server_name  localhost;
+
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_tickets off;
+    }
+
+    server {
+        listen       127.0.0.1:%%PORT_8946_UDP%% quic;
+        server_name  localhost;
+
+        ssl_session_cache builtin;
+        ssl_session_tickets off;
+    }
+
+    server {
+        listen       127.0.0.1:%%PORT_8947_UDP%% quic;
+        server_name  localhost;
+
+        ssl_session_cache builtin:1000;
+        ssl_session_tickets off;
+    }
+
+    server {
+        listen       127.0.0.1:%%PORT_8948_UDP%% quic;
+        server_name  localhost;
+
+        ssl_session_cache none;
+        ssl_session_tickets off;
+    }
+
+    server {
+        listen       127.0.0.1:%%PORT_8949_UDP%% quic;
+        server_name  localhost;
+
+        ssl_session_cache off;
+        ssl_session_tickets off;
+    }
+}
+
+EOF
+
+$t->write_file('openssl.conf', <<EOF);
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+EOF
+
+my $d = $t->testdir();
+
+foreach my $name ('localhost') {
+	system('openssl req -x509 -new '
+		. "-config $d/openssl.conf -subj /CN=$name/ "
+		. "-out $d/$name.crt -keyout $d/$name.key "
+		. ">>$d/openssl.out 2>&1") == 0
+		or die "Can't create certificate for $name: $!\n";
+}
+
+$t->run();
+
+###############################################################################
+
+# session reuse:
+#
+# - only tickets, the default
+# - tickets and shared cache, should work always
+# - only shared cache
+# - only builtin cache
+# - only builtin cache with explicitly configured size
+# - only cache none
+# - only cache off
+
+TODO: {
+local $TODO = 'no TLSv1.3 sessions in LibreSSL'
+	if $t->has_module('LibreSSL');
+
+is(test_reuse(8943), 1, 'tickets reused');
+is(test_reuse(8944), 1, 'tickets and cache reused');
+
+local $TODO = 'no TLSv1.3 session cache in BoringSSL'
+	if $t->has_module('BoringSSL');
+
+is(test_reuse(8945), 1, 'cache shared reused');
+is(test_reuse(8946), 1, 'cache builtin reused');
+is(test_reuse(8947), 1, 'cache builtin size reused');
+
+}
+
+is(test_reuse(8948), 0, 'cache none not reused');
+is(test_reuse(8949), 0, 'cache off not reused');
+
+$t->stop();
+
+like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
+
+###############################################################################
+
+sub test_reuse {
+	my ($port) = @_;
+
+	my $s = Test::Nginx::HTTP3->new($port);
+	my $frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]);
+
+	my $psk_list = $s->{psk_list};
+
+	$s = Test::Nginx::HTTP3->new($port, psk_list => $psk_list);
+	$frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]);
+
+	my ($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
+	return $frame->{headers}->{'x-session'} eq 'r' ? 1 : 0;
+}
+
+###############################################################################