William Lallemand | e15ab93 | 2021-11-17 02:52:51 +0100 | [diff] [blame] | 1 | #REGTEST_TYPE=devel |
| 2 | |
| 3 | # This reg-test tests 4 scenarios with and without resumption tickets, with TLSv1.3 and TLSv1.2 |
| 4 | # Each client will try to established a connection, then try to reconnect 20 times resuming. |
| 5 | |
| 6 | |
| 7 | varnishtest "Test if the SSL session/ticket reuse work correctly" |
| 8 | feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'" |
| 9 | feature ignore_unknown_macro |
| 10 | |
| 11 | server s1 -repeat 84 { |
| 12 | rxreq |
| 13 | txresp |
| 14 | } -start |
| 15 | |
| 16 | haproxy h1 -conf { |
| 17 | global |
| 18 | # forced to 1 here, because there is a cached session per thread |
| 19 | nbthread 1 |
| 20 | |
| 21 | |
| 22 | defaults |
| 23 | mode http |
| 24 | option httplog |
| 25 | option logasap |
| 26 | log stderr local0 debug err |
| 27 | option httpclose |
| 28 | timeout connect "${HAPROXY_TEST_TIMEOUT-5s}" |
| 29 | timeout client "${HAPROXY_TEST_TIMEOUT-5s}" |
| 30 | timeout server "${HAPROXY_TEST_TIMEOUT-5s}" |
| 31 | |
| 32 | listen clst1 |
| 33 | bind "fd@${clst1}" |
| 34 | server s1 "${h1_fe1_addr}:${h1_fe1_port}" ssl verify none sni str(www.test1.com) |
| 35 | http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed] |
| 36 | |
| 37 | listen clst2 |
| 38 | bind "fd@${clst2}" |
| 39 | server s1 "${h1_fe2_addr}:${h1_fe2_port}" ssl verify none sni str(www.test1.com) |
| 40 | http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed] |
| 41 | |
| 42 | listen clst3 |
| 43 | bind "fd@${clst3}" |
| 44 | server s1 "${h1_fe3_addr}:${h1_fe3_port}" ssl verify none sni str(www.test1.com) |
| 45 | http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed] |
| 46 | |
| 47 | listen clst4 |
| 48 | bind "fd@${clst4}" |
| 49 | server s1 "${h1_fe4_addr}:${h1_fe4_port}" ssl verify none sni str(www.test1.com) |
| 50 | http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed] |
| 51 | |
| 52 | listen ssl |
| 53 | bind "fd@${fe1}" ssl crt ${testdir}/common.pem ssl-max-ver TLSv1.2 |
| 54 | bind "fd@${fe2}" ssl crt ${testdir}/common.pem ssl-max-ver TLSv1.2 no-tls-tickets |
| 55 | bind "fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3 |
| 56 | bind "fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3 no-tls-tickets |
| 57 | |
| 58 | http-response add-header x-ssl-resumed %[ssl_fc_is_resumed] |
| 59 | server s1 ${s1_addr}:${s1_port} |
| 60 | } -start |
| 61 | |
| 62 | |
| 63 | # first bind |
| 64 | # the first connection is not resumed |
| 65 | client c1 -connect ${h1_clst1_sock} { |
| 66 | txreq |
| 67 | rxresp |
| 68 | expect resp.status == 200 |
| 69 | expect resp.http.x-ssl-resumed == 0 |
| 70 | } -run |
| 71 | # the next 20 connections are resumed |
| 72 | client c1 -connect ${h1_clst1_sock} -repeat 20 { |
| 73 | txreq |
| 74 | rxresp |
| 75 | expect resp.status == 200 |
| 76 | expect resp.http.x-ssl-resumed == 1 |
| 77 | } -run |
| 78 | |
| 79 | # second bind |
| 80 | client c2 -connect ${h1_clst2_sock} { |
| 81 | txreq |
| 82 | rxresp |
| 83 | expect resp.status == 200 |
| 84 | expect resp.http.x-ssl-resumed == 0 |
| 85 | } -run |
| 86 | |
| 87 | client c2 -connect ${h1_clst2_sock} -repeat 20 { |
| 88 | txreq |
| 89 | rxresp |
| 90 | expect resp.status == 200 |
| 91 | expect resp.http.x-ssl-resumed == 1 |
| 92 | } -run |
| 93 | |
| 94 | # third bind |
| 95 | client c3 -connect ${h1_clst3_sock} { |
| 96 | txreq |
| 97 | rxresp |
| 98 | expect resp.status == 200 |
| 99 | expect resp.http.x-ssl-resumed == 0 |
| 100 | } -run |
| 101 | |
| 102 | client c3 -connect ${h1_clst3_sock} -repeat 20 { |
| 103 | txreq |
| 104 | rxresp |
| 105 | expect resp.status == 200 |
| 106 | expect resp.http.x-ssl-resumed == 1 |
| 107 | } -run |
| 108 | |
| 109 | # fourth bind |
| 110 | client c4 -connect ${h1_clst4_sock} { |
| 111 | txreq |
| 112 | rxresp |
| 113 | expect resp.status == 200 |
| 114 | expect resp.http.x-ssl-resumed == 0 |
| 115 | } -run |
| 116 | |
| 117 | client c4 -connect ${h1_clst4_sock} -repeat 20 { |
| 118 | txreq |
| 119 | rxresp |
| 120 | expect resp.status == 200 |
| 121 | expect resp.http.x-ssl-resumed == 1 |
| 122 | } -run |
| 123 | |
| 124 | |
| 125 | # Could be useful to debug the result, the ssl_fc_is_resumed field in the log must be 1 after the 2nd command |
| 126 | #shell { |
| 127 | # |
| 128 | # HOST=${h1_fe4_addr} |
| 129 | # if [ "${h1_fe4_addr}" = "::1" ] ; then |
| 130 | # HOST="\[::1\]" |
| 131 | # fi |
| 132 | # |
| 133 | # rm sess.pem; (echo -e -n "GET / HTTP/1.1\r\n\r\n"; sleep 1) | openssl s_client -connect $HOST:${h1_fe4_port} -tls1_3 -sess_out sess.pem -keylogfile keys1.txt -servername www.test1.com > /tmp/ssl_debug1; echo | openssl s_client -connect ${HOST}:${h1_fe4_port} -tls1_3 -sess_in sess.pem -keylogfile keys2.txt -servername www.test1.com >> /tmp/ssl_debug1 |
| 134 | # echo "GET / HTTP/1.1" | openssl s_client -connect $HOST:${h1_fe4_port} -tls1_3 -servername www.test1.com |
| 135 | #} |
| 136 | |
| 137 | haproxy h1 -cli { |
| 138 | send "show info" |
| 139 | expect ~ ".*SslFrontendSessionReuse_pct: 95.*" |
| 140 | } |
| 141 | |