This is an automated email from the ASF dual-hosted git repository.
duke8253 pushed a commit to branch 11-Dev
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/11-Dev by this push:
new bf54760629 remove support for session id based session resumption
(#11157)
bf54760629 is described below
commit bf54760629d52d3e69d72dc7504570d52998931e
Author: Fei Deng <[email protected]>
AuthorDate: Thu Mar 14 14:04:39 2024 -0500
remove support for session id based session resumption (#11157)
---
doc/admin-guide/files/records.yaml.en.rst | 52 ----
include/iocore/net/TLSSessionResumptionSupport.h | 1 -
include/ts/ts.h | 5 -
src/api/InkAPI.cc | 57 -----
src/iocore/net/P_SSLConfig.h | 16 --
src/iocore/net/SSLConfig.cc | 66 ++---
src/iocore/net/SSLSessionCache.cc | 278 ---------------------
src/iocore/net/SSLSessionCache.h | 145 -----------
src/iocore/net/SSLUtils.cc | 145 +----------
src/iocore/net/TLSSessionResumptionSupport.cc | 48 ----
src/records/RecordsConfig.cc | 12 -
.../pluginTest/stek_share/stek_share.test.py | 20 --
tests/gold_tests/tls/tls_0rtt_server.test.py | 8 -
.../tls/tls_origin_session_reuse.test.py | 24 --
tests/gold_tests/tls/tls_session_reuse.test.py | 162 ++++++------
15 files changed, 105 insertions(+), 934 deletions(-)
diff --git a/doc/admin-guide/files/records.yaml.en.rst
b/doc/admin-guide/files/records.yaml.en.rst
index 93da31b31d..ebd17f1bec 100644
--- a/doc/admin-guide/files/records.yaml.en.rst
+++ b/doc/admin-guide/files/records.yaml.en.rst
@@ -3811,58 +3811,6 @@ SSL Termination
Setting a value less than or equal to ``0`` effectively disables
SSL session cache for the origin server.
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache INT 2
-
- Enables the SSL session cache:
-
- ===== ======================================================================
- Value Description
- ===== ======================================================================
- ``0`` Disables the session cache entirely.
- ``1`` Enables the session cache using OpenSSL's implementation.
- ``2`` Default. Enables the session cache using |TS|'s implementation. This
- implementation should perform much better than the OpenSSL
- implementation.
- ===== ======================================================================
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.timeout INT 0
-
- This configuration specifies the lifetime of SSL session cache
- entries in seconds. If it is ``0``, then the SSL library will use
- a default value, typically 300 seconds. Note: This option has no affect
- when using the |TS| session cache (option ``2`` in
- ``proxy.config.ssl.session_cache``)
-
- See :ref:`admin-performance-timeouts` for more discussion on |TS| timeouts.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.auto_clear INT 1
-
- This will set the OpenSSL auto clear flag. Auto clear is enabled by
- default with ``1`` it can be disabled by changing this setting to ``0``.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.size INT 102400
-
- This configuration specifies the maximum number of entries
- the SSL session cache may contain.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.num_buckets INT 256
-
- This configuration specifies the number of buckets to use with the
- |TS| SSL session cache implementation. The TS implementation
- is a fixed size hash map where each bucket is protected by a mutex.
-
-.. ts:cv:: CONFIG
proxy.config.ssl.session_cache.skip_cache_on_bucket_contention INT 0
-
- This configuration specifies the behavior of the |TS| SSL session
- cache implementation during lock contention on each bucket:
-
- ===== ======================================================================
- Value Description
- ===== ======================================================================
- ``0`` Default. Don't skip session caching when bucket lock is contented.
- ``1`` Disable the SSL session cache for a connection during lock contention.
- ===== ======================================================================
-
.. ts:cv:: CONFIG proxy.config.ssl.server.session_ticket.enable INT 1
Set to 1 to enable Traffic Server to process TLS tickets for TLS session
resumption.
diff --git a/include/iocore/net/TLSSessionResumptionSupport.h
b/include/iocore/net/TLSSessionResumptionSupport.h
index a1ff716a3b..6ba38779b0 100644
--- a/include/iocore/net/TLSSessionResumptionSupport.h
+++ b/include/iocore/net/TLSSessionResumptionSupport.h
@@ -51,7 +51,6 @@ public:
bool getSSLOriginSessionCacheHit() const;
ssl_curve_id getSSLCurveNID() const;
- SSL_SESSION *getSession(SSL *ssl, const unsigned char *id, int len, int
*copy);
std::shared_ptr<SSL_SESSION> getOriginSession(SSL *ssl, const std::string
&lookup_key);
protected:
diff --git a/include/ts/ts.h b/include/ts/ts.h
index 6b7ebcc874..0429eb0978 100644
--- a/include/ts/ts.h
+++ b/include/ts/ts.h
@@ -1367,11 +1367,6 @@ int TSVConnIsSsl(TSVConn sslp);
int TSVConnProvidedSslCert(TSVConn sslp);
const char *TSVConnSslSniGet(TSVConn sslp, int *length);
-TSSslSession TSSslSessionGet(const TSSslSessionID *session_id);
-int TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int
*len_ptr);
-TSReturnCode TSSslSessionInsert(const TSSslSessionID *session_id, TSSslSession
add_session, TSSslConnection ssl_conn);
-TSReturnCode TSSslSessionRemove(const TSSslSessionID *session_id);
-
/* --------------------------------------------------------------------------
HTTP transactions */
void TSHttpTxnHookAdd(TSHttpTxn txnp, TSHttpHookID id, TSCont contp);
diff --git a/src/api/InkAPI.cc b/src/api/InkAPI.cc
index 91cba8252f..22fee5798e 100644
--- a/src/api/InkAPI.cc
+++ b/src/api/InkAPI.cc
@@ -131,8 +131,6 @@ extern ClassAllocator<FetchSM> FetchSMAllocator;
/* From proxy/http/HttpProxyServerMain.c: */
extern bool ssl_register_protocol(const char *, Continuation *);
-extern SSLSessionCache *session_cache; // declared extern in P_SSLConfig.h
-
// External converters.
extern MgmtConverter const &HttpDownServerCacheTimeConv;
@@ -8371,61 +8369,6 @@ TSVConnReenableEx(TSVConn vconn, TSEvent event)
}
}
-TSSslSession
-TSSslSessionGet(const TSSslSessionID *session_id)
-{
- SSL_SESSION *session = nullptr;
- if (session_id && session_cache) {
- session_cache->getSession(reinterpret_cast<const SSLSessionID
&>(*session_id), &session, nullptr);
- }
- return reinterpret_cast<TSSslSession>(session);
-}
-
-int
-TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int
*len_ptr)
-{
- int true_len = 0;
- // Don't get if there is no session id or the cache is not yet set up
- if (session_id && session_cache && len_ptr) {
- true_len = session_cache->getSessionBuffer(reinterpret_cast<const
SSLSessionID &>(*session_id), buffer, *len_ptr);
- }
- return true_len;
-}
-
-TSReturnCode
-TSSslSessionInsert(const TSSslSessionID *session_id, TSSslSession add_session,
TSSslConnection ssl_conn)
-{
- // Don't insert if there is no session id or the cache is not yet set up
- if (session_id && session_cache) {
- if (is_debug_tag_set("ssl.session_cache")) {
- const SSLSessionID *sid = reinterpret_cast<const SSLSessionID
*>(session_id);
- char buf[sid->len * 2 + 1];
- sid->toString(buf, sizeof(buf));
- Debug("ssl.session_cache.insert", "TSSslSessionInsert: Inserting session
'%s' ", buf);
- }
- SSL_SESSION *session = reinterpret_cast<SSL_SESSION *>(add_session);
- SSL *ssl = reinterpret_cast<SSL *>(ssl_conn);
- session_cache->insertSession(reinterpret_cast<const SSLSessionID
&>(*session_id), session, ssl);
- // insertSession returns void, assume all went well
- return TS_SUCCESS;
- } else {
- return TS_ERROR;
- }
-}
-
-TSReturnCode
-TSSslSessionRemove(const TSSslSessionID *session_id)
-{
- // Don't remove if there is no session id or the cache is not yet set up
- if (session_id && session_cache) {
- session_cache->removeSession(reinterpret_cast<const SSLSessionID
&>(*session_id));
- // removeSession returns void, assume all went well
- return TS_SUCCESS;
- } else {
- return TS_ERROR;
- }
-}
-
// APIs for managing and using UUIDs.
TSUuid
TSUuidCreate()
diff --git a/src/iocore/net/P_SSLConfig.h b/src/iocore/net/P_SSLConfig.h
index 0fa6439979..bd7a3cc8f6 100644
--- a/src/iocore/net/P_SSLConfig.h
+++ b/src/iocore/net/P_SSLConfig.h
@@ -60,12 +60,6 @@ using init_ssl_ctx_func = void (*)(void *, bool);
using load_ssl_file_func = void (*)(const char *);
struct SSLConfigParams : public ConfigInfo {
- enum SSL_SESSION_CACHE_MODE {
- SSL_SESSION_CACHE_MODE_OFF = 0,
- SSL_SESSION_CACHE_MODE_SERVER_OPENSSL_IMPL = 1,
- SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL = 2
- };
-
SSLConfigParams();
~SSLConfigParams() override;
@@ -83,12 +77,6 @@ struct SSLConfigParams : public ConfigInfo {
int verify_depth;
int ssl_origin_session_cache;
int ssl_origin_session_cache_size;
- int ssl_session_cache; // SSL_SESSION_CACHE_MODE
- int ssl_session_cache_size;
- int ssl_session_cache_num_buckets;
- int ssl_session_cache_skip_on_contention;
- int ssl_session_cache_timeout;
- int ssl_session_cache_auto_clear;
char *clientCertPath;
char *clientCertPathOnly;
@@ -139,9 +127,6 @@ struct SSLConfigParams : public ConfigInfo {
static int origin_session_cache;
static size_t origin_session_cache_size;
- static size_t session_cache_number_buckets;
- static size_t session_cache_max_bucket_size;
- static bool session_cache_skip_on_lock_contention;
static swoc::IPRangeSet *proxy_protocol_ip_addrs;
@@ -263,5 +248,4 @@ private:
static int configid;
};
-extern SSLSessionCache *session_cache;
extern SSLOriginSessionCache *origin_sess_cache;
diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc
index f275d1b051..dcdeb9ca22 100644
--- a/src/iocore/net/SSLConfig.cc
+++ b/src/iocore/net/SSLConfig.cc
@@ -52,29 +52,26 @@
#include "SSLSessionTicket.h"
#include "iocore/net/YamlSNIConfig.h"
-int SSLConfig::config_index = 0;
-int SSLConfig::configids[] = {0, 0};
-int SSLCertificateConfig::configid = 0;
-int SSLTicketKeyConfig::configid = 0;
-int SSLConfigParams::ssl_maxrecord = 0;
-int SSLConfigParams::ssl_misc_max_iobuffer_size_index = 8;
-bool SSLConfigParams::ssl_allow_client_renegotiation = false;
-bool SSLConfigParams::ssl_ocsp_enabled = false;
-int SSLConfigParams::ssl_ocsp_cache_timeout = 3600;
-bool SSLConfigParams::ssl_ocsp_request_mode = false;
-int SSLConfigParams::ssl_ocsp_request_timeout = 10;
-int SSLConfigParams::ssl_ocsp_update_period = 60;
-char *SSLConfigParams::ssl_ocsp_user_agent = nullptr;
-int SSLConfigParams::ssl_handshake_timeout_in = 0;
-int SSLConfigParams::origin_session_cache = 1;
-size_t SSLConfigParams::origin_session_cache_size = 10240;
-size_t SSLConfigParams::session_cache_number_buckets = 1024;
-bool SSLConfigParams::session_cache_skip_on_lock_contention = false;
-size_t SSLConfigParams::session_cache_max_bucket_size = 100;
-init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb = nullptr;
-load_ssl_file_func SSLConfigParams::load_ssl_file_cb = nullptr;
-swoc::IPRangeSet *SSLConfigParams::proxy_protocol_ip_addrs = nullptr;
-bool SSLConfigParams::ssl_ktls_enabled = false;
+int SSLConfig::config_index = 0;
+int SSLConfig::configids[] = {0, 0};
+int SSLCertificateConfig::configid = 0;
+int SSLTicketKeyConfig::configid = 0;
+int SSLConfigParams::ssl_maxrecord = 0;
+int SSLConfigParams::ssl_misc_max_iobuffer_size_index = 8;
+bool SSLConfigParams::ssl_allow_client_renegotiation = false;
+bool SSLConfigParams::ssl_ocsp_enabled = false;
+int SSLConfigParams::ssl_ocsp_cache_timeout = 3600;
+bool SSLConfigParams::ssl_ocsp_request_mode = false;
+int SSLConfigParams::ssl_ocsp_request_timeout = 10;
+int SSLConfigParams::ssl_ocsp_update_period = 60;
+char *SSLConfigParams::ssl_ocsp_user_agent = nullptr;
+int SSLConfigParams::ssl_handshake_timeout_in = 0;
+int SSLConfigParams::origin_session_cache = 1;
+size_t SSLConfigParams::origin_session_cache_size = 10240;
+init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb = nullptr;
+load_ssl_file_func SSLConfigParams::load_ssl_file_cb = nullptr;
+swoc::IPRangeSet *SSLConfigParams::proxy_protocol_ip_addrs = nullptr;
+bool SSLConfigParams::ssl_ktls_enabled = false;
const uint32_t EARLY_DATA_DEFAULT_SIZE = 16384;
uint32_t SSLConfigParams::server_max_early_data = 0;
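Review bot: The entire block of static-member initializers is re-emitted as removed-and-added lines although only `session_cache_number_buckets`, `session_cache_skip_on_lock_contention` and `session_cache_max_bucket_size` actually go away; the remaining pairs differ only in alignment, which appears to be formatter churn. Keeping that realignment in a separate formatting commit would leave three clearly visible deletions in the functional change and keep blame useful for the other initializers.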
@@ -122,14 +119,7 @@ SSLConfigParams::reset()
verifyServerProperties =
YamlSNIConfig::Property::NONE;
ssl_ctx_options = SSL_OP_NO_SSLv2 |
SSL_OP_NO_SSLv3;
ssl_client_ctx_options = SSL_OP_NO_SSLv2 |
SSL_OP_NO_SSLv3;
- ssl_session_cache =
SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL;
- ssl_session_cache_size = 1024 * 100;
- ssl_session_cache_num_buckets = 1024; // Sessions per bucket is
ceil(ssl_session_cache_size / ssl_session_cache_num_buckets)
- ssl_session_cache_skip_on_contention = 0;
- ssl_session_cache_timeout = 0;
- ssl_session_cache_auto_clear = 1;
- configExitOnLoadError = 1;
- clientCertExitOnLoadError = 0;
+ configExitOnLoadError = 1;
}
void
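Review bot: `clientCertExitOnLoadError = 0;` is dropped from `SSLConfigParams::reset()` together with the session-cache members, yet that field is not among the members removed from P_SSLConfig.h in this commit, so a reset params object now keeps whatever value it had before unless `initialize()` (outside this hunk) unconditionally overwrites it. Restore the line next to the surviving one: `configExitOnLoadError = 1;` followed by `clientCertExitOnLoadError = 0;`. The hunk header counts (14 old, 7 new) confirm only one line was re-added.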
@@ -442,23 +432,9 @@ SSLConfigParams::initialize()
// SSL session cache configurations
REC_ReadConfigInteger(ssl_origin_session_cache,
"proxy.config.ssl.origin_session_cache.enabled");
REC_ReadConfigInteger(ssl_origin_session_cache_size,
"proxy.config.ssl.origin_session_cache.size");
- REC_ReadConfigInteger(ssl_session_cache,
"proxy.config.ssl.session_cache.value");
- REC_ReadConfigInteger(ssl_session_cache_size,
"proxy.config.ssl.session_cache.size");
- REC_ReadConfigInteger(ssl_session_cache_num_buckets,
"proxy.config.ssl.session_cache.num_buckets");
- REC_ReadConfigInteger(ssl_session_cache_skip_on_contention,
"proxy.config.ssl.session_cache.skip_cache_on_bucket_contention");
- REC_ReadConfigInteger(ssl_session_cache_timeout,
"proxy.config.ssl.session_cache.timeout");
- REC_ReadConfigInteger(ssl_session_cache_auto_clear,
"proxy.config.ssl.session_cache.auto_clear");
SSLConfigParams::origin_session_cache = ssl_origin_session_cache;
SSLConfigParams::origin_session_cache_size = ssl_origin_session_cache_size;
- SSLConfigParams::session_cache_max_bucket_size =
- static_cast<size_t>(ceil(static_cast<double>(ssl_session_cache_size) /
ssl_session_cache_num_buckets));
- SSLConfigParams::session_cache_skip_on_lock_contention =
ssl_session_cache_skip_on_contention;
- SSLConfigParams::session_cache_number_buckets =
ssl_session_cache_num_buckets;
-
- if (ssl_session_cache == SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL) {
- session_cache = new SSLSessionCache();
- }
if (ssl_origin_session_cache == 1 && ssl_origin_session_cache_size > 0) {
origin_sess_cache = new SSLOriginSessionCache();
diff --git a/src/iocore/net/SSLSessionCache.cc
b/src/iocore/net/SSLSessionCache.cc
index 81931f781d..53cd7b8d8f 100644
--- a/src/iocore/net/SSLSessionCache.cc
+++ b/src/iocore/net/SSLSessionCache.cc
@@ -27,279 +27,6 @@
#include <memory>
#include <shared_mutex>
-#define SSLSESSIONCACHE_STRINGIFY0(x) #x
-#define SSLSESSIONCACHE_STRINGIFY(x) SSLSESSIONCACHE_STRINGIFY0(x)
-#define SSLSESSIONCACHE_LINENO SSLSESSIONCACHE_STRINGIFY(__LINE__)
-
-#ifdef DEBUG
-#define PRINT_BUCKET(x) this->print(x " at " __FILE__ ":"
SSLSESSIONCACHE_LINENO);
-#else
-#define PRINT_BUCKET(x)
-#endif
-
-/* Session Cache */
-SSLSessionCache::SSLSessionCache() :
nbuckets(SSLConfigParams::session_cache_number_buckets)
-{
- Debug("ssl.session_cache", "Created new ssl session cache %p with %zu
buckets each with size max size %zu", this, nbuckets,
- SSLConfigParams::session_cache_max_bucket_size);
-
- session_bucket = new SSLSessionBucket[nbuckets];
-}
-
-SSLSessionCache::~SSLSessionCache()
-{
- delete[] session_bucket;
-}
-
-int
-SSLSessionCache::getSessionBuffer(const SSLSessionID &sid, char *buffer, int
&len) const
-{
- uint64_t hash = sid.hash();
- uint64_t target_bucket = hash % nbuckets;
- SSLSessionBucket *bucket = &session_bucket[target_bucket];
-
- return bucket->getSessionBuffer(sid, buffer, len);
-}
-
-bool
-SSLSessionCache::getSession(const SSLSessionID &sid, SSL_SESSION **sess,
ssl_session_cache_exdata **data) const
-{
- uint64_t hash = sid.hash();
- uint64_t target_bucket = hash % nbuckets;
- SSLSessionBucket *bucket = &session_bucket[target_bucket];
-
- if (is_debug_tag_set("ssl.session_cache")) {
- char buf[sid.len * 2 + 1];
- sid.toString(buf, sizeof(buf));
- Debug("ssl.session_cache.get", "SessionCache looking in bucket %" PRId64 "
(%p) for session '%s' (hash: %" PRIX64 ").",
- target_bucket, bucket, buf, hash);
- }
-
- return bucket->getSession(sid, sess, data);
-}
-
-void
-SSLSessionCache::removeSession(const SSLSessionID &sid)
-{
- uint64_t hash = sid.hash();
- uint64_t target_bucket = hash % nbuckets;
- SSLSessionBucket *bucket = &session_bucket[target_bucket];
-
- if (is_debug_tag_set("ssl.session_cache")) {
- char buf[sid.len * 2 + 1];
- sid.toString(buf, sizeof(buf));
- Debug("ssl.session_cache.remove", "SessionCache using bucket %" PRId64 "
(%p): Removing session '%s' (hash: %" PRIX64 ").",
- target_bucket, bucket, buf, hash);
- }
- Metrics::Counter::increment(ssl_rsb.session_cache_eviction);
-
- bucket->removeSession(sid);
-}
-
-void
-SSLSessionCache::insertSession(const SSLSessionID &sid, SSL_SESSION *sess, SSL
*ssl)
-{
- uint64_t hash = sid.hash();
- uint64_t target_bucket = hash % nbuckets;
- SSLSessionBucket *bucket = &session_bucket[target_bucket];
-
- if (is_debug_tag_set("ssl.session_cache")) {
- char buf[sid.len * 2 + 1];
- sid.toString(buf, sizeof(buf));
- Debug("ssl.session_cache.insert", "SessionCache using bucket %" PRId64 "
(%p): Inserting session '%s' (hash: %" PRIX64 ").",
- target_bucket, bucket, buf, hash);
- }
-
- bucket->insertSession(sid, sess, ssl);
-}
-
-void
-SSLSessionBucket::insertSession(const SSLSessionID &id, SSL_SESSION *sess, SSL
*ssl)
-{
- std::shared_lock r_lock(mutex, std::try_to_lock);
- if (!r_lock.owns_lock()) {
- Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
- if (SSLConfigParams::session_cache_skip_on_lock_contention) {
- return;
- }
- r_lock.lock();
- }
-
- // Don't insert if it is already there
- if (bucket_map.find(id) != bucket_map.end()) {
- return;
- }
-
- r_lock.unlock();
-
- size_t len = i2d_SSL_SESSION(sess, nullptr); // make sure we're not going to
need more than SSL_MAX_SESSION_SIZE bytes
- /* do not cache a session that's too big. */
- if (len > static_cast<size_t>(SSL_MAX_SESSION_SIZE)) {
- Debug("ssl.session_cache", "Unable to save SSL session because size of %zd
exceeds the max of %d", len, SSL_MAX_SESSION_SIZE);
- return;
- }
-
- if (is_debug_tag_set("ssl.session_cache")) {
- char buf[id.len * 2 + 1];
- id.toString(buf, sizeof(buf));
- Debug("ssl.session_cache", "Inserting session '%s' to bucket %p.", buf,
this);
- }
-
- Ptr<IOBufferData> buf;
- Ptr<IOBufferData> buf_exdata;
- size_t len_exdata = sizeof(ssl_session_cache_exdata);
- buf = new_IOBufferData(buffer_size_to_index(len,
MAX_BUFFER_SIZE_INDEX), MEMALIGNED);
- ink_release_assert(static_cast<size_t>(buf->block_size()) >= len);
- unsigned char *loc = reinterpret_cast<unsigned char *>(buf->data());
- i2d_SSL_SESSION(sess, &loc);
- buf_exdata = new_IOBufferData(buffer_size_to_index(len,
MAX_BUFFER_SIZE_INDEX), MEMALIGNED);
- ink_release_assert(static_cast<size_t>(buf_exdata->block_size()) >=
len_exdata);
- ssl_session_cache_exdata *exdata = reinterpret_cast<ssl_session_cache_exdata
*>(buf_exdata->data());
- // This could be moved to a function in charge of populating exdata
- exdata->curve = (ssl == nullptr) ? 0 : SSLGetCurveNID(ssl);
-
- std::unique_ptr<SSLSession> ssl_session(new SSLSession(id, buf, len,
buf_exdata));
-
- std::unique_lock w_lock(mutex, std::try_to_lock);
- if (!w_lock.owns_lock()) {
- Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
- if (SSLConfigParams::session_cache_skip_on_lock_contention) {
- return;
- }
- w_lock.lock();
- }
-
- PRINT_BUCKET("insertSession before")
- if (bucket_map.size() >= SSLConfigParams::session_cache_max_bucket_size) {
- Metrics::Counter::increment(ssl_rsb.session_cache_eviction);
- removeOldestSession(w_lock);
- }
-
- /* do the actual insert */
- auto node = ssl_session.release();
- bucket_que.enqueue(node);
- bucket_map[id] = node;
-
- PRINT_BUCKET("insertSession after")
-}
-
-int
-SSLSessionBucket::getSessionBuffer(const SSLSessionID &id, char *buffer, int
&len)
-{
- int true_len = 0;
- std::shared_lock lock(mutex, std::try_to_lock);
- if (!lock.owns_lock()) {
- Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
- if (SSLConfigParams::session_cache_skip_on_lock_contention) {
- return true_len;
- }
- lock.lock();
- }
-
- auto entry = bucket_map.find(id);
- if (buffer && entry != bucket_map.end()) {
- true_len = entry->second->len_asn1_data;
- const unsigned char *loc = reinterpret_cast<const unsigned char
*>(entry->second->asn1_data->data());
- if (true_len < len) {
- len = true_len;
- }
- memcpy(buffer, loc, len);
- return true_len;
- }
- return 0;
-}
-
-bool
-SSLSessionBucket::getSession(const SSLSessionID &id, SSL_SESSION **sess,
ssl_session_cache_exdata **data)
-{
- char buf[id.len * 2 + 1];
- buf[0] = '\0'; // just to be safe.
- if (is_debug_tag_set("ssl.session_cache")) {
- id.toString(buf, sizeof(buf));
- }
-
- Debug("ssl.session_cache", "Looking for session with id '%s' in bucket %p",
buf, this);
-
- std::shared_lock lock(mutex, std::try_to_lock);
- if (!lock.owns_lock()) {
- Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
- if (SSLConfigParams::session_cache_skip_on_lock_contention) {
- return false;
- }
- lock.lock();
- }
-
- PRINT_BUCKET("getSession")
-
- auto entry = bucket_map.find(id);
- if (entry == bucket_map.end()) {
- Debug("ssl.session_cache", "Session with id '%s' not found in bucket %p.",
buf, this);
- return false;
- }
- const unsigned char *loc = reinterpret_cast<const unsigned char
*>(entry->second->asn1_data->data());
- *sess = d2i_SSL_SESSION(nullptr, &loc,
entry->second->len_asn1_data);
- if (data != nullptr) {
- ssl_session_cache_exdata *exdata =
reinterpret_cast<ssl_session_cache_exdata *>(entry->second->extra_data->data());
- *data = exdata;
- }
- return true;
-}
-
-void inline SSLSessionBucket::print(const char *ref_str) const
-{
- /* NOTE: This method assumes you're already holding the bucket lock */
- if (!is_debug_tag_set("ssl.session_cache.bucket")) {
- return;
- }
-
- fprintf(stderr, "-------------- BUCKET %p (%s) ----------------\n", this,
ref_str);
- fprintf(stderr, "Current Size: %ld, Max Size: %zd\n", bucket_map.size(),
SSLConfigParams::session_cache_max_bucket_size);
- fprintf(stderr, "Bucket: \n");
-
- for (auto &x : bucket_map) {
- char s_buf[2 * x.second->session_id.len + 1];
- x.second->session_id.toString(s_buf, sizeof(s_buf));
- fprintf(stderr, " %s\n", s_buf);
- }
-}
-
-void inline SSLSessionBucket::removeOldestSession(const
std::unique_lock<ts::shared_mutex> &lock)
-{
- // Caller must hold the bucket shared_mutex with unique_lock.
- ink_assert(lock.owns_lock());
-
- PRINT_BUCKET("removeOldestSession before")
-
- while (bucket_que.head && bucket_que.size >=
static_cast<int>(SSLConfigParams::session_cache_max_bucket_size)) {
- auto node = bucket_que.pop();
- bucket_map.erase(node->session_id);
- delete node;
- }
-
- PRINT_BUCKET("removeOldestSession after")
-}
-
-void
-SSLSessionBucket::removeSession(const SSLSessionID &id)
-{
- // We can't bail on contention here because this session MUST be removed.
- std::unique_lock lock(mutex);
-
- PRINT_BUCKET("removeSession before")
-
- auto entry = bucket_map.find(id);
- if (entry != bucket_map.end()) {
- auto node = entry->second;
- bucket_que.remove(node);
- bucket_map.erase(entry);
- delete node;
- }
-
- PRINT_BUCKET("removeSession after")
-
- return;
-}
-
// Custom deleter for shared origin sessions
void
SSLSessDeleter(SSL_SESSION *_p)
@@ -307,11 +34,6 @@ SSLSessDeleter(SSL_SESSION *_p)
SSL_SESSION_free(_p);
}
-/* Session Bucket */
-SSLSessionBucket::SSLSessionBucket() {}
-
-SSLSessionBucket::~SSLSessionBucket() {}
-
SSLOriginSessionCache::SSLOriginSessionCache() {}
SSLOriginSessionCache::~SSLOriginSessionCache() {}
diff --git a/src/iocore/net/SSLSessionCache.h b/src/iocore/net/SSLSessionCache.h
index 574fe72423..ee206fa0ee 100644
--- a/src/iocore/net/SSLSessionCache.h
+++ b/src/iocore/net/SSLSessionCache.h
@@ -39,151 +39,6 @@ struct ssl_session_cache_exdata {
ssl_curve_id curve = 0;
};
-inline void
-hash_combine(uint64_t &seed, uint64_t hash)
-{
- // using boost's version of hash combine, substituting magic number with a
64bit version
- //
https://www.boost.org/doc/libs/1_43_0/doc/html/hash/reference.html#boost.hash_combine
- seed ^= hash + 0x9E3779B97F4A7C15 + (seed << 6) + (seed >> 2);
-}
-
-struct SSLSessionID : public TSSslSessionID {
- SSLSessionID(const unsigned char *s, size_t l)
- {
- len = l;
- ink_release_assert(l <= sizeof(bytes));
- memcpy(bytes, s, l);
- hash();
- }
-
- SSLSessionID(const SSLSessionID &other)
- {
- if (other.len)
- memcpy(bytes, other.bytes, other.len);
-
- len = other.len;
- hash();
- }
-
- bool
- operator<(const SSLSessionID &other) const
- {
- if (len != other.len)
- return len < other.len;
-
- return (memcmp(bytes, other.bytes, len) < 0);
- }
-
- SSLSessionID &
- operator=(const SSLSessionID &other)
- {
- if (other.len)
- memcpy(bytes, other.bytes, other.len);
-
- len = other.len;
- return *this;
- }
-
- bool
- operator==(const SSLSessionID &other) const
- {
- if (len != other.len)
- return false;
-
- // memcmp returns 0 on equal
- return (memcmp(bytes, other.bytes, len) == 0);
- }
-
- const char *
- toString(char *buf, size_t buflen) const
- {
- char *cur_pos = buf;
- for (size_t i = 0; i < len && buflen > 0; ++i) {
- if (buflen > 2) { // we have enough space for 3 bytes, 2 hex and 1 null
terminator
- snprintf(cur_pos, 3 /* including a null terminator */, "%02hhX",
static_cast<unsigned char>(bytes[i]));
- cur_pos += 2;
- buflen -= 2;
- } else { // not enough space for any more hex bytes, just null terminate
- *cur_pos = '\0';
- break;
- }
- }
- return buf;
- }
-
- uint64_t
- hash() const
- {
- // because the session ids should be uniformly random, we can treat the
bits as a hash value
- // however we need to combine them if the length is longer than 64bits
- if (len >= sizeof(uint64_t)) {
- uint64_t seed = 0;
- for (uint64_t i = 0; i < len; i += sizeof(uint64_t)) {
- hash_combine(seed, static_cast<uint64_t>(bytes[i]));
- }
- return seed;
- } else if (len) {
- return static_cast<uint64_t>(bytes[0]);
- } else {
- return 0;
- }
- }
-};
-
-class SSLSession
-{
-public:
- SSLSessionID session_id;
- Ptr<IOBufferData> asn1_data; /* this is the ASN1 representation of the
SSL_CTX */
- size_t len_asn1_data;
- Ptr<IOBufferData> extra_data;
-
- SSLSession(const SSLSessionID &id, const Ptr<IOBufferData> &ssl_asn1_data,
size_t len_asn1, Ptr<IOBufferData> &exdata)
- : session_id(id), asn1_data(ssl_asn1_data), len_asn1_data(len_asn1),
extra_data(exdata)
- {
- }
-
- LINK(SSLSession, link);
-};
-
-class SSLSessionBucket
-{
-public:
- SSLSessionBucket();
- ~SSLSessionBucket();
- void insertSession(const SSLSessionID &sid, SSL_SESSION *sess, SSL *ssl);
- bool getSession(const SSLSessionID &sid, SSL_SESSION **sess,
ssl_session_cache_exdata **data);
- int getSessionBuffer(const SSLSessionID &sid, char *buffer, int &len);
- void removeSession(const SSLSessionID &sid);
-
-private:
- /* these method must be used while hold the lock */
- void print(const char *) const;
- void removeOldestSession(const std::unique_lock<ts::shared_mutex> &lock);
-
- mutable ts::shared_mutex mutex;
- CountQueue<SSLSession> bucket_que;
- std::map<SSLSessionID, SSLSession *> bucket_map;
-};
-
-class SSLSessionCache
-{
-public:
- bool getSession(const SSLSessionID &sid, SSL_SESSION **sess,
ssl_session_cache_exdata **data) const;
- int getSessionBuffer(const SSLSessionID &sid, char *buffer, int &len) const;
- void insertSession(const SSLSessionID &sid, SSL_SESSION *sess, SSL *ssl);
- void removeSession(const SSLSessionID &sid);
- SSLSessionCache();
- ~SSLSessionCache();
-
- SSLSessionCache(const SSLSessionCache &) = delete;
- SSLSessionCache &operator=(const SSLSessionCache &) = delete;
-
-private:
- SSLSessionBucket *session_bucket = nullptr;
- size_t nbuckets;
-};
-
class SSLOriginSession
{
public:
diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
index 4007741f4d..1b9828b5b6 100644
--- a/src/iocore/net/SSLUtils.cc
+++ b/src/iocore/net/SSLUtils.cc
@@ -101,8 +101,6 @@ static constexpr char SSL_CERT_SEPARATE_DELIM = ',';
#endif
#endif
-SSLSessionCache *session_cache; // declared extern in P_SSLConfig.h
-
static int ssl_vc_index = -1;
static ink_mutex *mutex_buf = nullptr;
@@ -187,92 +185,6 @@ SSL_CTX_add_extra_chain_cert_file(SSL_CTX *ctx, const char
*chainfile)
return SSL_CTX_add_extra_chain_cert_bio(ctx, bio.get());
}
-static SSL_SESSION *
-#if defined(LIBRESSL_VERSION_NUMBER)
-ssl_get_cached_session(SSL *ssl, unsigned char *id, int len, int *copy)
-#else
-ssl_get_cached_session(SSL *ssl, const unsigned char *id, int len, int *copy)
-#endif
-{
- TLSSessionResumptionSupport *srs =
TLSSessionResumptionSupport::getInstance(ssl);
-
- ink_assert(srs);
- if (srs) {
- return srs->getSession(ssl, id, len, copy);
- }
-
- return nullptr;
-}
-
-static int
-ssl_new_cached_session(SSL *ssl, SSL_SESSION *sess)
-{
-#ifdef TLS1_3_VERSION
- if (SSL_SESSION_get_protocol_version(sess) == TLS1_3_VERSION) {
- return 0;
- }
-#endif
-
- unsigned int len = 0;
- const unsigned char *id = SSL_SESSION_get_id(sess, &len);
-
- SSLSessionID sid(id, len);
-
- if (diags()->on()) {
- static DbgCtl dbg_ctl("ssl_session_cache.insert");
- if (dbg_ctl.tag_on()) {
- char printable_buf[(len * 2) + 1];
-
- sid.toString(printable_buf, sizeof(printable_buf));
- DbgPrint(dbg_ctl, "ssl_new_cached_session session '%s' and context %p",
printable_buf, SSL_get_SSL_CTX(ssl));
- }
- }
-
- Metrics::Counter::increment(ssl_rsb.session_cache_new_session);
- session_cache->insertSession(sid, sess, ssl);
-
- // Call hook after new session is created
- APIHook *hook = g_ssl_hooks->get(TSSslHookInternalID(TS_SSL_SESSION_HOOK));
- while (hook) {
- hook->invoke(TS_EVENT_SSL_SESSION_NEW, &sid);
- hook = hook->m_link.next;
- }
-
- return 0;
-}
-
-static void
-ssl_rm_cached_session(SSL_CTX *ctx, SSL_SESSION *sess)
-{
-#ifdef TLS1_3_VERSION
- if (SSL_SESSION_get_protocol_version(sess) == TLS1_3_VERSION) {
- return;
- }
-#endif
-
- unsigned int len = 0;
- const unsigned char *id = SSL_SESSION_get_id(sess, &len);
- SSLSessionID sid(id, len);
-
- // Call hook before session is removed
- APIHook *hook = g_ssl_hooks->get(TSSslHookInternalID(TS_SSL_SESSION_HOOK));
- while (hook) {
- hook->invoke(TS_EVENT_SSL_SESSION_REMOVE, &sid);
- hook = hook->m_link.next;
- }
-
- if (diags()->on()) {
- static DbgCtl dbg_ctl("ssl_session_cache.remove");
- if (dbg_ctl.tag_on()) {
- char printable_buf[(len * 2) + 1];
- sid.toString(printable_buf, sizeof(printable_buf));
- DbgPrint(dbg_ctl, "ssl_rm_cached_session cached session '%s'",
printable_buf);
- }
- }
-
- session_cache->removeSession(sid);
-}
-
// Callback function for verifying client certificate
static int
ssl_verify_client_callback(int preverify_ok, X509_STORE_CTX *ctx)
@@ -437,12 +349,15 @@ ssl_cert_callback(SSL *ssl, void *arg)
}
// Reset the ticket callback if needed
- SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+ SSL_CTX *ctx =
SSL_get_SSL_CTX(ssl);
+ shared_SSLMultiCertConfigParams sslMultiCertSettings =
std::make_shared<SSLMultiCertConfigParams>();
+ if (sslMultiCertSettings->session_ticket_enabled != 0) {
#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
- SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_callback_session_ticket);
+ SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_callback_session_ticket);
#else
- SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_callback_session_ticket);
+ SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_callback_session_ticket);
#endif
+ }
}
#endif
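Review bot: `std::make_shared<SSLMultiCertConfigParams>()` builds a fresh default params object on every certificate callback and gates the ticket-key callback on its `session_ticket_enabled`, so the check never sees the settings resolved for the certificate that selected `ctx`; if the constructor pulls the global record default it still ignores any per-certificate override, and it adds a heap allocation to every handshake. The decision should come from the params already attached to the chosen context, or at least from a value cached once rather than re-read here. This matters because a wrong answer either silently leaves ticket resumption uninstalled or re-installs it for a certificate configured without tickets. `ssl_cert_callback` begins outside the hunk.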
@@ -632,9 +547,9 @@ ssl_context_enable_tickets(SSL_CTX *ctx, const char
*ticket_key_path)
Metrics::Counter::increment(ssl_rsb.total_ticket_keys_renewed);
}
-// Setting the callback can only fail if OpenSSL does not recognize the
-// SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB constant. we set the callback first
-// so that we don't leave a ticket_key pointer attached if it fails.
+ // Setting the callback can only fail if OpenSSL does not recognize the
+ // SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB constant. we set the callback first
+ // so that we don't leave a ticket_key pointer attached if it fails.
#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
if (SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_callback_session_ticket)
== 0) {
#else
@@ -1279,9 +1194,7 @@
SSLMultiCertConfigLoader::init_server_ssl_ctx(CertLoadData const &data, const SS
SSL_CTX_set_max_proto_version(ctx, ver);
}
- if (!this->_setup_session_cache(ctx)) {
- goto fail;
- }
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF |
SSL_SESS_CACHE_NO_INTERNAL);
#ifdef SSL_MODE_RELEASE_BUFFERS
Dbg(dbg_ctl_ssl_load, "enabling SSL_MODE_RELEASE_BUFFERS");
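Review bot: Replacing the `_setup_session_cache(ctx)` call with the unconditional `SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF | SSL_SESS_CACHE_NO_INTERNAL)` also drops the `SSL_CTX_set_timeout` call that the old helper made when `ssl_session_cache_timeout` was set, so if the ticket lifetime hint is derived from the context timeout, ticket-only resumption now runs with OpenSSL's default lifetime instead of a configured one; worth either keeping a configurable timeout or stating the new behaviour in the docs. The hard-coded mode deserves a why-comment, e.g. `// Session-ID resumption is not supported: resumption is ticket-only, so no server-side session cache is kept`. init_server_ssl_ctx begins and ends outside the hunk.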
@@ -1386,44 +1299,6 @@ fail:
bool
SSLMultiCertConfigLoader::_setup_session_cache(SSL_CTX *ctx)
{
- const SSLConfigParams *params = this->_params;
-
- Dbg(dbg_ctl_ssl_session_cache,
- "ssl context=%p: using session cache options, enabled=%d, size=%d,
num_buckets=%d, "
- "skip_on_contention=%d, timeout=%d, auto_clear=%d",
- ctx, params->ssl_session_cache, params->ssl_session_cache_size,
params->ssl_session_cache_num_buckets,
- params->ssl_session_cache_skip_on_contention,
params->ssl_session_cache_timeout, params->ssl_session_cache_auto_clear);
-
- if (params->ssl_session_cache_timeout) {
- SSL_CTX_set_timeout(ctx, params->ssl_session_cache_timeout);
- }
-
- int additional_cache_flags = 0;
- additional_cache_flags |= (params->ssl_session_cache_auto_clear == 0) ?
SSL_SESS_CACHE_NO_AUTO_CLEAR : 0;
-
- switch (params->ssl_session_cache) {
- case SSLConfigParams::SSL_SESSION_CACHE_MODE_OFF:
- Dbg(dbg_ctl_ssl_session_cache, "disabling SSL session cache");
-
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF |
SSL_SESS_CACHE_NO_INTERNAL);
- break;
- case SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER_OPENSSL_IMPL:
- Dbg(dbg_ctl_ssl_session_cache, "enabling SSL session cache with OpenSSL
implementation");
-
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER |
additional_cache_flags);
- SSL_CTX_sess_set_cache_size(ctx, params->ssl_session_cache_size);
- break;
- case SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL: {
- Dbg(dbg_ctl_ssl_session_cache, "enabling SSL session cache with ATS
implementation");
- /* Add all the OpenSSL callbacks */
- SSL_CTX_sess_set_new_cb(ctx, ssl_new_cached_session);
- SSL_CTX_sess_set_remove_cb(ctx, ssl_rm_cached_session);
- SSL_CTX_sess_set_get_cb(ctx, ssl_get_cached_session);
-
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER |
SSL_SESS_CACHE_NO_INTERNAL | additional_cache_flags);
- break;
- }
- }
return true;
}
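Review bot: `SSLMultiCertConfigLoader::_setup_session_cache` is left as a stub whose body is just `return true;` with `ctx` now unused, and the only caller shown in this commit (`init_server_ssl_ctx`) no longer invokes it; a dead method that reports success for work it does not do invites someone to call it again later. It should be removed together with its declaration, or, if it must stay for ABI reasons, marked `[[deprecated("session-ID resumption was removed; tickets are the only resumption path")]]` with the parameter left unnamed to silence unused-parameter warnings. Whether any other caller still exists cannot be told from this hunk.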
diff --git a/src/iocore/net/TLSSessionResumptionSupport.cc
b/src/iocore/net/TLSSessionResumptionSupport.cc
index 90394d63dc..dde41d96cc 100644
--- a/src/iocore/net/TLSSessionResumptionSupport.cc
+++ b/src/iocore/net/TLSSessionResumptionSupport.cc
@@ -136,54 +136,6 @@ TLSSessionResumptionSupport::getSSLCurveNID() const
return this->_sslCurveNID;
}
-SSL_SESSION *
-TLSSessionResumptionSupport::getSession(SSL *ssl, const unsigned char *id, int
len, int *copy)
-{
- SSLSessionID sid(id, len);
-
- *copy = 0;
- if (diags()->on()) {
- static DbgCtl dbg_ctl("ssl.session_cache.get");
- if (dbg_ctl.tag_on()) {
- char printable_buf[(len * 2) + 1];
- sid.toString(printable_buf, sizeof(printable_buf));
- DbgPrint(dbg_ctl, "ssl_get_cached_session cached session '%s' context
%p", printable_buf, SSL_get_SSL_CTX(ssl));
- }
- }
-
- APIHook *hook = g_ssl_hooks->get(TSSslHookInternalID(TS_SSL_SESSION_HOOK));
- while (hook) {
- hook->invoke(TS_EVENT_SSL_SESSION_GET, &sid);
- hook = hook->m_link.next;
- }
-
- SSL_SESSION *session = nullptr;
- ssl_session_cache_exdata *exdata = nullptr;
- if (session_cache->getSession(sid, &session, &exdata)) {
- ink_assert(session);
- ink_assert(exdata);
-
- // Double check the timeout
- if (is_ssl_session_timed_out(session)) {
- Metrics::Counter::increment(ssl_rsb.session_cache_miss);
-// Due to bug in openssl, the timeout is checked, but only removed
-// from the openssl built-in hash table. The external remove cb is not called
-#if 0 // This is currently eliminated, since it breaks things in odd ways (see
TS-3710)
- ssl_rm_cached_session(SSL_get_SSL_CTX(ssl), session);
-#endif
- SSL_SESSION_free(session);
- session = nullptr;
- } else {
- Metrics::Counter::increment(ssl_rsb.session_cache_hit);
- this->_setSSLSessionCacheHit(true);
- this->_setSSLCurveNID(exdata->curve);
- }
- } else {
- Metrics::Counter::increment(ssl_rsb.session_cache_miss);
- }
- return session;
-}
-
std::shared_ptr<SSL_SESSION>
TLSSessionResumptionSupport::getOriginSession(SSL *ssl, const std::string
&lookup_key)
{
diff --git a/src/records/RecordsConfig.cc b/src/records/RecordsConfig.cc
index 7aedc3fe00..10a4bbbc5a 100644
--- a/src/records/RecordsConfig.cc
+++ b/src/records/RecordsConfig.cc
@@ -1156,20 +1156,8 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.origin_session_cache.size", RECD_INT,
"10240", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
,
- {RECT_CONFIG, "proxy.config.ssl.session_cache.value", RECD_INT, "2",
RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.session_cache.size", RECD_INT, "102400",
RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.session_cache.num_buckets", RECD_INT, "256",
RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
- {RECT_CONFIG,
"proxy.config.ssl.session_cache.skip_cache_on_bucket_contention", RECD_INT,
"0", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
{RECT_CONFIG, "proxy.config.ssl.max_record_size", RECD_INT, "0",
RECU_DYNAMIC, RR_NULL, RECC_NULL, "[0-16383]", RECA_NULL}
,
- {RECT_CONFIG, "proxy.config.ssl.session_cache.timeout", RECD_INT, "0",
RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.session_cache.auto_clear", RECD_INT, "1",
RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
{RECT_CONFIG, "proxy.config.ssl.hsts_max_age", RECD_INT, "-1", RECU_DYNAMIC,
RR_NULL, RECC_STR, "^-?[0-9]+$", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.hsts_include_subdomains", RECD_INT, "0",
RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
diff --git a/tests/gold_tests/pluginTest/stek_share/stek_share.test.py
b/tests/gold_tests/pluginTest/stek_share/stek_share.test.py
index de320d64b0..8dcaf78ac4 100644
--- a/tests/gold_tests/pluginTest/stek_share/stek_share.test.py
+++ b/tests/gold_tests/pluginTest/stek_share/stek_share.test.py
@@ -164,10 +164,6 @@ ts1.Disk.records_config.update(
'proxy.config.exec_thread.limit': 4,
'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(Test.RunDirectory),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 1024,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 16,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-D
[...]
@@ -184,10 +180,6 @@ ts2.Disk.records_config.update(
'proxy.config.exec_thread.limit': 4,
'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(Test.RunDirectory),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 1024,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 16,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-D
[...]
@@ -204,10 +196,6 @@ ts3.Disk.records_config.update(
'proxy.config.exec_thread.limit': 4,
'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(Test.RunDirectory),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 1024,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 16,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-D
[...]
@@ -224,10 +212,6 @@ ts4.Disk.records_config.update(
'proxy.config.exec_thread.limit': 4,
'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(Test.RunDirectory),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 1024,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 16,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-D
[...]
@@ -244,10 +228,6 @@ ts5.Disk.records_config.update(
'proxy.config.exec_thread.limit': 4,
'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(Test.RunDirectory),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 1024,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 16,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-D
[...]
diff --git a/tests/gold_tests/tls/tls_0rtt_server.test.py
b/tests/gold_tests/tls/tls_0rtt_server.test.py
index fbcfac641a..d2e20d8fc6 100644
--- a/tests/gold_tests/tls/tls_0rtt_server.test.py
+++ b/tests/gold_tests/tls/tls_0rtt_server.test.py
@@ -104,10 +104,6 @@ ts1.Disk.records_config.update(
'proxy.config.exec_thread.limit': 8,
'proxy.config.ssl.server.cert.path':
'{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(ts1.Variables.SSLDir),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 512000,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 32768,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.max_early_data': 16384,
'proxy.config.ssl.server.allow_early_data_params': 0,
@@ -133,10 +129,6 @@ ts2.Disk.records_config.update(
'proxy.config.exec_thread.limit': 8,
'proxy.config.ssl.server.cert.path':
'{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(ts1.Variables.SSLDir),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 512000,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 32768,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.max_early_data': 0,
'proxy.config.ssl.server.allow_early_data_params': 0,
diff --git a/tests/gold_tests/tls/tls_origin_session_reuse.test.py
b/tests/gold_tests/tls/tls_origin_session_reuse.test.py
index 0732dd397a..3ba1b1227d 100644
--- a/tests/gold_tests/tls/tls_origin_session_reuse.test.py
+++ b/tests/gold_tests/tls/tls_origin_session_reuse.test.py
@@ -64,12 +64,6 @@ ts1.Disk.records_config.update(
'proxy.config.ssl.server.cert.path':
'{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(ts1.Variables.SSLDir),
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.origin_session_cache.enabled': 1,
'proxy.config.ssl.origin_session_cache.size': 1,
@@ -83,12 +77,6 @@ ts2.Disk.records_config.update(
'proxy.config.ssl.server.cert.path':
'{0}'.format(ts2.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(ts2.Variables.SSLDir),
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.origin_session_cache.enabled': 1,
'proxy.config.ssl.origin_session_cache.size': 1,
@@ -100,12 +88,6 @@ ts3.Disk.records_config.update(
'proxy.config.ssl.server.cert.path':
'{0}'.format(ts3.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(ts3.Variables.SSLDir),
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.origin_session_cache.enabled': 1,
'proxy.config.ssl.origin_session_cache.size': 1,
@@ -119,12 +101,6 @@ ts4.Disk.records_config.update(
'proxy.config.ssl.server.cert.path':
'{0}'.format(ts4.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(ts4.Variables.SSLDir),
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.origin_session_cache.enabled': 0,
'proxy.config.ssl.origin_session_cache.size': 1,
diff --git a/tests/gold_tests/tls/tls_session_reuse.test.py
b/tests/gold_tests/tls/tls_session_reuse.test.py
index ff0c25e034..6647b169bb 100644
--- a/tests/gold_tests/tls/tls_session_reuse.test.py
+++ b/tests/gold_tests/tls/tls_session_reuse.test.py
@@ -26,7 +26,6 @@ Test tls session reuse
# Define default ATS
ts1 = Test.MakeATSProcess("ts1", enable_tls=True)
ts2 = Test.MakeATSProcess("ts2", enable_tls=True)
-ts3 = Test.MakeATSProcess("ts3", enable_tls=True)
server = Test.MakeOriginServer("server")
# Add info the origin server responses
@@ -39,124 +38,111 @@ ts1.addSSLfile("ssl/server.pem")
ts1.addSSLfile("ssl/server.key")
ts2.addSSLfile("ssl/server.pem")
ts2.addSSLfile("ssl/server.key")
-ts3.addSSLfile("ssl/server.pem")
-ts3.addSSLfile("ssl/server.key")
ts1.Disk.remap_config.AddLine('map /
http://127.0.0.1:{0}'.format(server.Variables.Port))
ts2.Disk.remap_config.AddLine('map /
http://127.0.0.1:{0}'.format(server.Variables.Port))
-ts3.Disk.remap_config.AddLine('map /
http://127.0.0.1:{0}'.format(server.Variables.Port))
ts1.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem
ssl_key_name=server.key')
ts2.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem
ssl_key_name=server.key')
-ts3.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem
ssl_key_name=server.key')
ts1.Disk.records_config.update(
{
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl',
'proxy.config.ssl.server.cert.path':
'{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-D
[...]
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
- 'proxy.config.ssl.server.session_ticket.enable': 0,
+ 'proxy.config.ssl.server.session_ticket.enable': 1,
+ 'proxy.config.ssl.server.session_ticket.number': 2,
})
ts2.Disk.records_config.update(
{
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl',
'proxy.config.ssl.server.cert.path':
'{0}'.format(ts2.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path':
'{0}'.format(ts2.Variables.SSLDir),
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-D
[...]
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
- 'proxy.config.ssl.server.session_ticket.enable': 1,
- })
-ts3.Disk.records_config.update(
- {
- 'proxy.config.ssl.server.cert.path':
'{0}'.format(ts3.Variables.SSLDir),
- 'proxy.config.ssl.server.private_key.path':
'{0}'.format(ts3.Variables.SSLDir),
- 'proxy.config.ssl.server.cipher_suite':
-
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-D
[...]
- 'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 0,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
- 'proxy.config.ssl.server.session_ticket.enable': 1,
+ 'proxy.config.ssl.server.session_ticket.enable': 0,
+ 'proxy.config.ssl.server.session_ticket.number': 0,
})
-def check_session(ev, test):
+def check_session(output_path, tls_ver, reuse_count):
retval = False
- f = open(test.GetContent(ev), 'r')
- err = "Session ids match"
+ f = open(output_path, 'r')
if not f:
- err = "Failed to open {0}".format(openssl_output)
- return (retval, "Check that session ids match", err)
+ err = "Failed to open {0}".format(output_path)
+ return (retval, "Check session is reused", err)
content = f.read()
- match = re.findall('Session-ID: ([0-9A-F]+)', content)
-
- if match:
- if all(i == j for i, j in zip(match, match[1:])):
- err = "{0} reused successfully {1} times".format(match[0],
len(match) - 1)
- retval = True
- else:
- err = "Session is not being reused as expected"
+ match = re.findall(f'Reused, {tls_ver}', content)
+ if len(match) == reuse_count:
+ retval = True
+ err = "Reused successfully {0} times".format(len(match))
else:
- err = "Didn't find session id"
- return (retval, "Check that session ids match", err)
-
-
-tr = Test.AddTestRun("TLSv1.2 Session ID")
-tr.Command = \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_out {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_in {1}' \
- .format(ts1.Variables.ssl_port, os.path.join(Test.RunDirectory,
'sess.dat'))
-tr.ReturnCode = 0
-tr.Processes.Default.StartBefore(server)
-tr.Processes.Default.StartBefore(ts1)
-tr.Processes.Default.Streams.All.Content = Testers.Lambda(check_session)
-tr.StillRunningAfter = server
-
-tr1 = Test.AddTestRun("TLSv1.2 Session Ticket")
+ err = "Session is not being reused as expected"
+ f.close()
+ return (retval, "Check session is reused", err)
+
+
+tr1 = Test.AddTestRun("TLSv1.2 Session Resumption Enabled")
tr1.Command = \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -sess_out {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -sess_in {1}' \
- .format(ts2.Variables.ssl_port, os.path.join(Test.RunDirectory,
'sess.dat'))
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_out {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2' \
+ .format(ts1.Variables.ssl_port, os.path.join(Test.RunDirectory,
'sess1.dat'))
tr1.ReturnCode = 0
-tr1.Processes.Default.StartBefore(ts2)
-tr1.Processes.Default.Streams.All.Content = Testers.Lambda(check_session)
-tr1.StillRunningAfter = server
-
-tr2 = Test.AddTestRun("Disabled Session Cache")
+tr1.Processes.Default.StartBefore(server)
+tr1.Processes.Default.StartBefore(ts1)
+tr1.Processes.Default.Streams.All.Content = Testers.Lambda(
+ lambda info, tester:
check_session(tr1.Processes.Default.Streams.All.AbsPath, 'TLSv1.2', 5))
+tr1.StillRunningAfter += server
+tr1.StillRunningAfter += ts1
+
+tr2 = Test.AddTestRun("TLSv1.3 Session Resumption Enabled")
tr2.Command = \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_out {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect
127.0.0.1:{0} -no_ticket -sess_in {1}' \
- .format(ts3.Variables.ssl_port, os.path.join(Test.RunDirectory,
'sess.dat'))
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_out {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2' \
+ .format(ts1.Variables.ssl_port, os.path.join(Test.RunDirectory,
'sess2.dat'))
tr2.ReturnCode = 0
-tr2.Processes.Default.StartBefore(ts3)
-tr2.Processes.Default.Streams.All = Testers.ExcludesExpression('Reused', '')
+tr2.Processes.Default.Streams.All.Content = Testers.Lambda(
+ lambda info, tester:
check_session(tr2.Processes.Default.Streams.All.AbsPath, 'TLSv1.2', 5))
+tr2.StillRunningAfter += server
+
+tr3 = Test.AddTestRun("TLSv1.2 Session Resumption Disabled")
+tr3.Command = \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_out {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_2' \
+ .format(ts2.Variables.ssl_port, os.path.join(Test.RunDirectory,
'sess3.dat'))
+tr3.Processes.Default.StartBefore(ts2)
+tr3.Processes.Default.Streams.All = Testers.ExcludesExpression('Reused', '')
+tr3.Processes.Default.Streams.All += Testers.ContainsExpression('TLSv1.2', '')
+tr3.StillRunningAfter += server
+tr3.StillRunningAfter += ts2
+
+tr4 = Test.AddTestRun("TLSv1.3 Session Resumption Disabled")
+tr4.Command = \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_out {1} -tls1_3 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_3 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_3 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_3 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_3 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0}
-sess_in {1} -tls1_3' \
+ .format(ts2.Variables.ssl_port, os.path.join(Test.RunDirectory,
'sess4.dat'))
+tr4.Processes.Default.Streams.All = Testers.ExcludesExpression('Reused', '')
+tr4.Processes.Default.Streams.All += Testers.ContainsExpression('TLSv1.3', '')