blob: 4ebd34eaeeacfbacc18f8c50815a90e08043f554 [file] [log] [blame]
William Lallemande15ab932021-11-17 02:52:51 +01001#REGTEST_TYPE=devel
2
3# This reg-test tests 4 scenarios with and without resumption tickets, with TLSv1.3 and TLSv1.2
4# Each client will try to established a connection, then try to reconnect 20 times resuming.
5
6
7varnishtest "Test if the SSL session/ticket reuse work correctly"
8feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
9feature ignore_unknown_macro
10
11server s1 -repeat 84 {
12 rxreq
13 txresp
14} -start
15
16haproxy h1 -conf {
17 global
18 # forced to 1 here, because there is a cached session per thread
19 nbthread 1
20
21
22 defaults
23 mode http
24 option httplog
25 option logasap
26 log stderr local0 debug err
27 option httpclose
28 timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
29 timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
30 timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
31
32 listen clst1
33 bind "fd@${clst1}"
34 server s1 "${h1_fe1_addr}:${h1_fe1_port}" ssl verify none sni str(www.test1.com)
35 http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
36
37 listen clst2
38 bind "fd@${clst2}"
39 server s1 "${h1_fe2_addr}:${h1_fe2_port}" ssl verify none sni str(www.test1.com)
40 http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
41
42 listen clst3
43 bind "fd@${clst3}"
44 server s1 "${h1_fe3_addr}:${h1_fe3_port}" ssl verify none sni str(www.test1.com)
45 http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
46
47 listen clst4
48 bind "fd@${clst4}"
49 server s1 "${h1_fe4_addr}:${h1_fe4_port}" ssl verify none sni str(www.test1.com)
50 http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
51
52 listen ssl
53 bind "fd@${fe1}" ssl crt ${testdir}/common.pem ssl-max-ver TLSv1.2
54 bind "fd@${fe2}" ssl crt ${testdir}/common.pem ssl-max-ver TLSv1.2 no-tls-tickets
55 bind "fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3
56 bind "fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3 no-tls-tickets
57
58 http-response add-header x-ssl-resumed %[ssl_fc_is_resumed]
59 server s1 ${s1_addr}:${s1_port}
60} -start
61
62
63# first bind
64# the first connection is not resumed
65client c1 -connect ${h1_clst1_sock} {
66 txreq
67 rxresp
68 expect resp.status == 200
69 expect resp.http.x-ssl-resumed == 0
70} -run
71# the next 20 connections are resumed
72client c1 -connect ${h1_clst1_sock} -repeat 20 {
73 txreq
74 rxresp
75 expect resp.status == 200
76 expect resp.http.x-ssl-resumed == 1
77} -run
78
79# second bind
80client c2 -connect ${h1_clst2_sock} {
81 txreq
82 rxresp
83 expect resp.status == 200
84 expect resp.http.x-ssl-resumed == 0
85} -run
86
87client c2 -connect ${h1_clst2_sock} -repeat 20 {
88 txreq
89 rxresp
90 expect resp.status == 200
91 expect resp.http.x-ssl-resumed == 1
92} -run
93
94# third bind
95client c3 -connect ${h1_clst3_sock} {
96 txreq
97 rxresp
98 expect resp.status == 200
99 expect resp.http.x-ssl-resumed == 0
100} -run
101
102client c3 -connect ${h1_clst3_sock} -repeat 20 {
103 txreq
104 rxresp
105 expect resp.status == 200
106 expect resp.http.x-ssl-resumed == 1
107} -run
108
109# fourth bind
110client c4 -connect ${h1_clst4_sock} {
111 txreq
112 rxresp
113 expect resp.status == 200
114 expect resp.http.x-ssl-resumed == 0
115} -run
116
117client c4 -connect ${h1_clst4_sock} -repeat 20 {
118 txreq
119 rxresp
120 expect resp.status == 200
121 expect resp.http.x-ssl-resumed == 1
122} -run
123
124
125# Could be useful to debug the result, the ssl_fc_is_resumed field in the log must be 1 after the 2nd command
126#shell {
127#
128# HOST=${h1_fe4_addr}
129# if [ "${h1_fe4_addr}" = "::1" ] ; then
130# HOST="\[::1\]"
131# fi
132#
133# rm sess.pem; (echo -e -n "GET / HTTP/1.1\r\n\r\n"; sleep 1) | openssl s_client -connect $HOST:${h1_fe4_port} -tls1_3 -sess_out sess.pem -keylogfile keys1.txt -servername www.test1.com > /tmp/ssl_debug1; echo | openssl s_client -connect ${HOST}:${h1_fe4_port} -tls1_3 -sess_in sess.pem -keylogfile keys2.txt -servername www.test1.com >> /tmp/ssl_debug1
134# echo "GET / HTTP/1.1" | openssl s_client -connect $HOST:${h1_fe4_port} -tls1_3 -servername www.test1.com
135#}
136
137haproxy h1 -cli {
138 send "show info"
139 expect ~ ".*SslFrontendSessionReuse_pct: 95.*"
140}
141