REGTESTS: ssl: split tls*_reuse in stateless and stateful resume tests 20251204-regtests-resume
authorWilliam Lallemand <wlallemand@haproxy.com>
Thu, 4 Dec 2025 13:02:01 +0000 (14:02 +0100)
committerWilliam Lallemand <wlallemand@haproxy.com>
Thu, 4 Dec 2025 14:05:56 +0000 (15:05 +0100)
Simplify ssl_reuse.vtci so it can be started with variables:

- SSL_CACHESIZE allows specifying the size of the session cache for
  the frontend
- NO_TLS_TICKETS allows specifying the "no-tls-tickets" option on bind

It introduces these files:

- ssl/tls12_resume_stateful.vtc
- ssl/tls12_resume_stateless.vtc
- ssl/tls13_resume_stateless.vtc
- ssl/tls13_resume_stateful.vtc
- quic/tls13_resume_stateless.vtc
- quic/tls13_resume_stateful.vtc
- quic/tls13_0rtt_stateful.vtc
- quic/tls13_0rtt_stateless.vtc

stateful files have "no-tls-tickets" + tune.tls.cachesize 20000
stateless files have "tls-tickets" + tune.tls.cachesize 0

This allows to enable AWS-LC on TCP TLS1.2 and TCP TL1.3+tickets.

TLS1.2+stateless does not seem to work on WolfSSL.

12 files changed:
reg-tests/quic/tls13_0rtt.vtc [deleted file]
reg-tests/quic/tls13_resume_stateful.vtc [new file with mode: 0644]
reg-tests/quic/tls13_resume_stateless.vtc [moved from reg-tests/quic/tls13_reuse.vtc with 77% similarity]
reg-tests/ssl/ssl_reuse.vtci
reg-tests/ssl/tls12_0rtt_stateful.vtc [new file with mode: 0644]
reg-tests/ssl/tls12_0rtt_stateless.vtc [moved from reg-tests/ssl/tls12_0rtt.vtc with 61% similarity]
reg-tests/ssl/tls12_resume_stateful.vtc [new file with mode: 0644]
reg-tests/ssl/tls12_resume_stateless.vtc [new file with mode: 0644]
reg-tests/ssl/tls13_0rtt_stateful.vtc [new file with mode: 0644]
reg-tests/ssl/tls13_0rtt_stateless.vtc [moved from reg-tests/ssl/tls13_0rtt.vtc with 82% similarity]
reg-tests/ssl/tls13_resume_stateful.vtc [moved from reg-tests/ssl/tls13_reuse.vtc with 76% similarity]
reg-tests/ssl/tls13_resume_stateless.vtc [moved from reg-tests/ssl/tls12_reuse.vtc with 81% similarity]

diff --git a/reg-tests/quic/tls13_0rtt.vtc b/reg-tests/quic/tls13_0rtt.vtc
deleted file mode 100644 (file)
index 90024dc..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-#REGTEST_TYPE=devel
-
-# This reg-test tests 8 scenarios with and without tickets, with various
-# combinations of settings for allow-0rtt, with QUIC/TLSv1.3. Each client will
-# try to established a connection, then try to reconnect 10 times resuming,
-# and check for which combination(s) 0-rtt is used and if they are expected.
-
-varnishtest "Test if the SSL session/ticket reuse works correctly for QUIC"
-feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
-
-setenv VTC_SOCK_TYPE quic
-setenv TLSV TLSv1.3
-setenv ALPN h3
-include ${testdir}/../ssl/ssl-0rtt.vtci
diff --git a/reg-tests/quic/tls13_resume_stateful.vtc b/reg-tests/quic/tls13_resume_stateful.vtc
new file mode 100644 (file)
index 0000000..682c6a1
--- /dev/null
@@ -0,0 +1,13 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests 2 scenarios without resumption tickets, with QUIC/TLSv1.3
+# Each client will try to established a connection, then try to reconnect 20 times resuming.
+
+varnishtest "Test if the SSL session/ticket reuse works correctly for QUIC"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE quic
+setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS "no-tls-tickets"
+setenv SSL_CACHESIZE 20000
+include ${testdir}/../ssl/ssl_reuse.vtci
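Review bot: The new header comment `# This reg-test tests 2 scenarios without resumption tickets, with QUIC/TLSv1.3` no longer describes the run: this same commit removes the second `clst4`/`fe4` bind from ssl_reuse.vtci, so one include now exercises a single bind in one mode. Suggest `# This reg-test tests stateful resumption (session cache) with QUIC/TLSv1.3`. The same stale "2 scenarios" wording remains in quic/tls13_resume_stateless.vtc. The value is also quoted here (`setenv NO_TLS_TICKETS "no-tls-tickets"`) but unquoted in tls13_0rtt_stateful.vtc and in every `tls-tickets` file; picking one form would spare a reader from checking whether the quotes survive into the bind line.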
similarity index 77%
rename from reg-tests/quic/tls13_reuse.vtc
rename to reg-tests/quic/tls13_resume_stateless.vtc
index 43808d9dba60b3d54086c80ad73a33130b0e383e..17f186bdf98fb312978edcad0c4024d01c4ba897 100644 (file)
@@ -1,6 +1,6 @@
 #REGTEST_TYPE=devel
 
-# This reg-test tests 2 scenarios with and without resumption tickets, with QUIC/TLSv1.3
+# This reg-test tests 2 scenarios with resumption tickets, with QUIC/TLSv1.3
 # Each client will try to established a connection, then try to reconnect 20 times resuming.
 
 varnishtest "Test if the SSL session/ticket reuse works correctly for QUIC"
@@ -8,4 +8,6 @@ feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT
 
 setenv VTC_SOCK_TYPE quic
 setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS tls-tickets
+setenv SSL_CACHESIZE 0
 include ${testdir}/../ssl/ssl_reuse.vtci
index f7218588f240afcddfe423d73d92a79605d191fb..91db545e92b097c35c70ab2ff4dab8dad9bf61b3 100644 (file)
@@ -17,6 +17,8 @@ haproxy h1 -conf {
         thread-groups 1
     .endif
 
+      # allow to enable or disable completely the cache for stateful resumption
+      tune.ssl.cachesize "${SSL_CACHESIZE}"
       # forced to 1 here, because there is a cached session per thread
       nbthread 1
 
@@ -36,14 +38,8 @@ haproxy h1 -conf {
         server s1 "${VTC_SOCK_TYPE}+${h1_fe3_addr}:${h1_fe3_port}" ssl verify none  sni str(www.test1.com)
         http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
 
-    listen clst4
-        bind "fd@${clst4}"
-        server s1 "${VTC_SOCK_TYPE}+${h1_fe4_addr}:${h1_fe4_port}" ssl verify none  sni str(www.test1.com)
-        http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
-
     listen ssl
-        bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}"
-        bind "${VTC_SOCK_TYPE}+fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets
+        bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" "${NO_TLS_TICKETS}"
 
         http-response add-header x-ssl-resumed %[ssl_fc_is_resumed]
         server s1 ${s1_addr}:${s1_port}
@@ -65,22 +61,6 @@ client c3 -connect ${h1_clst3_sock} -repeat 20 {
     expect resp.http.x-ssl-resumed == 1
 } -run
 
-# fourth bind
-client c4 -connect ${h1_clst4_sock} {
-    txreq
-    rxresp
-    expect resp.status == 200
-    expect resp.http.x-ssl-resumed == 0
-} -run
-
-client c4 -connect ${h1_clst4_sock} -repeat 20 {
-    txreq
-    rxresp
-    expect resp.status == 200
-    expect resp.http.x-ssl-resumed == 1
-} -run
-
-
 # Could be useful to debug the result, the ssl_fc_is_resumed field in the log must be 1 after the 2nd command
 #shell {
 #
diff --git a/reg-tests/ssl/tls12_0rtt_stateful.vtc b/reg-tests/ssl/tls12_0rtt_stateful.vtc
new file mode 100644 (file)
index 0000000..0aa7f33
--- /dev/null
@@ -0,0 +1,17 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests 8 scenarios without tickets, with various
+# combinations of settings for allow-0rtt, with TLSv1.2. Each client will try
+# to established a connection, then try to reconnect 10 times resuming, and
+# check for which combination(s) 0-rtt is used and fail if any does so since
+# it's not expected to work with 1.2.
+
+varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE stream
+setenv TLSV TLSv1.2
+setenv NO_TLS_TICKETS "no-tls-tickets"
+setenv SSL_CACHESIZE 20000
+setenv ALPN http/1.1
+include ${testdir}/../ssl/ssl-0rtt.vtci
similarity index 61%
rename from reg-tests/ssl/tls12_0rtt.vtc
rename to reg-tests/ssl/tls12_0rtt_stateless.vtc
index f95c60785b653c66c51ae4825d6b686329efc8fb..c6cb16d7cb8c480f8d48bac8852a26c8ba60f147 100644 (file)
@@ -1,15 +1,17 @@
 #REGTEST_TYPE=devel
 
-# This reg-test tests 8 scenarios with and without tickets, with various
+# This reg-test tests 8 scenarios with  tickets, with various
 # combinations of settings for allow-0rtt, with TLSv1.2. Each client will try
 # to established a connection, then try to reconnect 10 times resuming, and
 # check for which combination(s) 0-rtt is used and fail if any does so since
 # it's not expected to work with 1.2.
 
 varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
-feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
 
 setenv VTC_SOCK_TYPE stream
 setenv TLSV TLSv1.2
+setenv NO_TLS_TICKETS tls-tickets
+setenv SSL_CACHESIZE 0
 setenv ALPN http/1.1
 include ${testdir}/../ssl/ssl-0rtt.vtci
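Review bot: `# This reg-test tests 8 scenarios with  tickets, with various` carries a doubled space; suggest `# This reg-test tests 8 scenarios with tickets, with various`. Separately, the updated feature line admits WolfSSL for this stateless TLSv1.2 test, whereas tls12_resume_stateless.vtc excludes it and the commit message says TLSv1.2 stateless resumption does not seem to work on WolfSSL. If the 0-RTT variant is expected to pass there because it only asserts that 0-RTT is never used with TLSv1.2, a one-line comment next to the feature line saying so would stop the next reader from "harmonising" the two lists.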
diff --git a/reg-tests/ssl/tls12_resume_stateful.vtc b/reg-tests/ssl/tls12_resume_stateful.vtc
new file mode 100644 (file)
index 0000000..1dd2fa8
--- /dev/null
@@ -0,0 +1,14 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests the stateful TLS resumption (sessions) with TLSv1.2
+# Each client will try to established a connection, then try to reconnect 20 times resuming.
+
+varnishtest "Test if the SSL session resume works correctly for TLSv1.2"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE stream
+setenv TLSV TLSv1.2
+setenv NO_TLS_TICKETS "no-tls-tickets"
+setenv SSL_CACHESIZE 20000
+
+include ${testdir}/../ssl/ssl_reuse.vtci
diff --git a/reg-tests/ssl/tls12_resume_stateless.vtc b/reg-tests/ssl/tls12_resume_stateless.vtc
new file mode 100644 (file)
index 0000000..a684925
--- /dev/null
@@ -0,0 +1,14 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests stateless resumption tickets, with TLSv1.2
+# Each client will try to established a connection, then try to reconnect 20 times resuming.
+
+varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE stream
+setenv TLSV TLSv1.2
+setenv NO_TLS_TICKETS tls-tickets
+setenv SSL_CACHESIZE 0
+
+include ${testdir}/../ssl/ssl_reuse.vtci
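Review bot: The feature line deliberately leaves out `feature(OPENSSL_WOLFSSL)` while the sibling tls12_resume_stateful.vtc includes it, and the only explanation is in the commit message, which will not be visible to someone editing the file later. Suggest a comment above the feature line: `# WolfSSL is excluded: TLSv1.2 stateless (ticket) resumption does not work with it yet`.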
diff --git a/reg-tests/ssl/tls13_0rtt_stateful.vtc b/reg-tests/ssl/tls13_0rtt_stateful.vtc
new file mode 100644 (file)
index 0000000..ff4f60f
--- /dev/null
@@ -0,0 +1,16 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests 8 scenarios without tickets, with various
+# combinations of settings for allow-0rtt, with TLSv1.3. Each client will try
+# to established a connection, then try to reconnect 10 times resuming, and
+# check for which combination(s) 0-rtt is used and if they are expected.
+
+varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.3"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE stream
+setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS no-tls-tickets
+setenv SSL_CACHESIZE 20000
+setenv ALPN http/1.1
+include ${testdir}/../ssl/ssl-0rtt.vtci
similarity index 82%
rename from reg-tests/ssl/tls13_0rtt.vtc
rename to reg-tests/ssl/tls13_0rtt_stateless.vtc
index f211144acc1a7bfa4be7ec9086cf70d7e60bf928..6eaaee3e3264aabd2c807f8bb5a462f0277f0eca 100644 (file)
@@ -1,6 +1,6 @@
 #REGTEST_TYPE=devel
 
-# This reg-test tests 8 scenarios with and without tickets, with various
+# This reg-test tests 8 scenarios with tickets, with various
 # combinations of settings for allow-0rtt, with TLSv1.3. Each client will try
 # to established a connection, then try to reconnect 10 times resuming, and
 # check for which combination(s) 0-rtt is used and if they are expected.
@@ -10,5 +10,7 @@ feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(Op
 
 setenv VTC_SOCK_TYPE stream
 setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS tls-tickets
+setenv SSL_CACHESIZE 0
 setenv ALPN http/1.1
 include ${testdir}/../ssl/ssl-0rtt.vtci
similarity index 76%
rename from reg-tests/ssl/tls13_reuse.vtc
rename to reg-tests/ssl/tls13_resume_stateful.vtc
index d990286c212fc6c6d594dfb9133665995f7308ae..b1f3303dedfb8f25876060718a92f95c42a3d4e5 100644 (file)
@@ -1,6 +1,6 @@
 #REGTEST_TYPE=devel
 
-# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.3
+# This reg-test tests stateful resumption (session) with TLSv1.3
 # Each client will try to established a connection, then try to reconnect 20 times resuming.
 
 varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.3"
@@ -8,4 +8,7 @@ feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL)
 
 setenv VTC_SOCK_TYPE stream
 setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS "no-tls-tickets"
+setenv SSL_CACHESIZE 20000
+
 include ${testdir}/../ssl/ssl_reuse.vtci
similarity index 81%
rename from reg-tests/ssl/tls12_reuse.vtc
rename to reg-tests/ssl/tls13_resume_stateless.vtc
index bd3932e681533e7559576f36f79c463251969c6c..c6c628b64032936d81ae14d6bdac7db04fea313c 100644 (file)
@@ -1,11 +1,14 @@
 #REGTEST_TYPE=devel
 
-# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.2
+# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.3
 # Each client will try to established a connection, then try to reconnect 20 times resuming.
 
-varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
+varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.3"
 feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_AWSLC) || feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
 
 setenv VTC_SOCK_TYPE stream
-setenv TLSV TLSv1.2
+setenv TLSV TLSv1.3
+setenv NO_TLS_TICKETS tls-tickets
+setenv SSL_CACHESIZE 0
+
 include ${testdir}/../ssl/ssl_reuse.vtci
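Review bot: The new-side comment still reads `# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.3`, but this file sets `NO_TLS_TICKETS tls-tickets` and `SSL_CACHESIZE 0`, so it exercises stateless (ticket) resumption only, and the include no longer has a second bind. Suggest `# This reg-test tests stateless resumption (tickets) with TLSv1.3`, mirroring the wording used in tls13_resume_stateful.vtc.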