From: Willy Tarreau
Date: Tue, 18 Nov 2025 10:40:52 +0000 (+0100)
Subject: REGTESTS: ssl: split the SSL reuse test into TLS 1.2/1.3
X-Git-Tag: v3.3-dev14~41
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=14cb3799df5f945936920d3d3778dc3900471ccd;p=thirdparty%2Fhaproxy.git

REGTESTS: ssl: split the SSL reuse test into TLS 1.2/1.3

QUIC and TLS don't use the same tests because QUIC only supports TLS 1.3 while SSL tests both TLS 1.2 and 1.3, which complicates the tests scenarios. This change extracts the core of the test into a single generic ssl_reuse.vtci file and creates new high-level tests for TLSv1.2 over TCP, TLSv1.3 over TCP and TLSv1.3 over QUIC, which simply include this file and set two variables. The test is now cleaner and simpler.
---
diff --git a/reg-tests/quic/ssl_reuse.vtc b/reg-tests/quic/ssl_reuse.vtc
deleted file mode 100644
index b3e09c11d..000000000
--- a/reg-tests/quic/ssl_reuse.vtc
+++ /dev/null
@@ -1,10 +0,0 @@
-#REGTEST_TYPE=devel
-
-# Same test as ssl/ssl_reuse.vtc, but with QUIC connections where applicable (only for TLSv3)
-
-varnishtest "Test if the SSL session/ticket reuse work correctly"
-
-feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL)'"
-
-setenv VTC_SOCK_TYPE quic
-include ${testdir}/../ssl/ssl_reuse.vtc
diff --git a/reg-tests/quic/tls13_reuse.vtc b/reg-tests/quic/tls13_reuse.vtc
new file mode 100644
index 000000000..43808d9db
--- /dev/null
+++ b/reg-tests/quic/tls13_reuse.vtc
@@ -0,0 +1,11 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests 2 scenarios with and without resumption tickets, with QUIC/TLSv1.3
+# Each client will try to established a connection, then try to reconnect 20 times resuming.
+
+varnishtest "Test if the SSL session/ticket reuse works correctly for QUIC"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE quic
+setenv TLSV TLSv1.3
+include ${testdir}/../ssl/ssl_reuse.vtci
diff --git a/reg-tests/ssl/ssl_reuse.vtc b/reg-tests/ssl/ssl_reuse.vtci
similarity index 60%
rename from reg-tests/ssl/ssl_reuse.vtc
rename to reg-tests/ssl/ssl_reuse.vtci
index 7ca8e3d64..f7218588f 100644
--- a/reg-tests/ssl/ssl_reuse.vtc
+++ b/reg-tests/ssl/ssl_reuse.vtci
@@ -1,11 +1,5 @@
-#REGTEST_TYPE=devel
+# Uses VTC_SOCK_TYPE (quic / stream) TLSV (TLSv1.2 / TLSv1.3)
-# This reg-test tests 4 scenarios with and without resumption tickets, with TLSv1.3 and TLSv1.2
-# Each client will try to established a connection, then try to reconnect 20 times resuming.
-
-
-varnishtest "Test if the SSL session/ticket reuse work correctly"
-feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
 feature ignore_unknown_macro
 server s1 -repeat 84 {
@@ -13,8 +7,6 @@ server s1 -repeat 84 {
 txresp
 } -start
-setenv -ifunset VTC_SOCK_TYPE stream
-
 haproxy h1 -conf {
 global
 .if streq("$VTC_SOCK_TYPE",quic)
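Review bot: The QUIC wrapper's `feature cmd` now carries `ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)`, which the deleted quic/ssl_reuse.vtc did not have; presumably it was inherited from the `feature cmd` the old include file carried (removed in the ssl_reuse.vtci hunk), and after this change this line is the only place that constraint survives for QUIC. A one-line comment would keep a later cleanup from dropping it, e.g. `# OpenSSL checks moved here from the shared body; ssl_reuse.vtci no longer declares any feature requirement`. Whether `ssllib_name_startswith(OpenSSL)` is meant to exclude other QUIC-capable libraries or merely to mirror the TCP variants is not visible from the diff and is worth stating in that comment.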
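Review bot: `server s1 -repeat 84 {` on the context line is still sized for the four scenarios the old file ran (4 × 21 requests); the shared body now drives only the two scenarios behind fe3/fe4 that the new wrappers describe as "2 scenarios", 21 requests each, so `server s1 -repeat 42 {` is what actually arrives. Whether the 42 unmet iterations make vtest report a failure or merely leave s1 blocked until teardown I cannot tell from here, but the stale count misleads either way. The new header comment would also serve better as a contract, since the `setenv -ifunset VTC_SOCK_TYPE stream` default is gone in the next hunk: `# Shared body included by ssl/tls12_reuse.vtc, ssl/tls13_reuse.vtc and quic/tls13_reuse.vtc; the includer must setenv VTC_SOCK_TYPE (quic / stream) and TLSV (TLSv1.2 / TLSv1.3), there are no defaults here.`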
@@ -39,16 +31,6 @@ haproxy h1 -conf {
 timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
 timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
- listen clst1
- bind "fd@${clst1}"
- server s1 "${h1_fe1_addr}:${h1_fe1_port}" ssl verify none sni str(www.test1.com)
- http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
-
- listen clst2
- bind "fd@${clst2}"
- server s1 "${h1_fe2_addr}:${h1_fe2_port}" ssl verify none sni str(www.test1.com)
- http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
-
 listen clst3
 bind "fd@${clst3}"
 server s1 "${VTC_SOCK_TYPE}+${h1_fe3_addr}:${h1_fe3_port}" ssl verify none sni str(www.test1.com)
@@ -60,47 +42,14 @@ haproxy h1 -conf {
 http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed]
 listen ssl
- bind "fd@${fe1}" ssl crt ${testdir}/common.pem ssl-max-ver TLSv1.2
- bind "fd@${fe2}" ssl crt ${testdir}/common.pem ssl-max-ver TLSv1.2 no-tls-tickets
- bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3
- bind "${VTC_SOCK_TYPE}+fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3 no-tls-tickets
+ bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}"
+ bind "${VTC_SOCK_TYPE}+fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver "${TLSV}" ssl-max-ver "${TLSV}" no-tls-tickets
 http-response add-header x-ssl-resumed %[ssl_fc_is_resumed]
 server s1 ${s1_addr}:${s1_port}
 } -start
-# first bind
-# the first connection is not resumed
-client c1 -connect ${h1_clst1_sock} {
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl-resumed == 0
-} -run
-# the next 20 connections are resumed
-client c1 -connect ${h1_clst1_sock} -repeat 20 {
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl-resumed == 1
-} -run
-
-# second bind
-client c2 -connect ${h1_clst2_sock} {
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl-resumed == 0
-} -run
-
-client c2 -connect ${h1_clst2_sock} -repeat 20 {
- txreq
- rxresp
- expect resp.status == 200
- expect resp.http.x-ssl-resumed == 1
-} -run
-
 # third bind
 client c3 -connect ${h1_clst3_sock} {
 txreq
@@ -148,4 +97,3 @@ haproxy h1 -cli {
 send "show info"
 expect ~ ".*SslFrontendSessionReuse_pct: 95.*"
 }
-
diff --git a/reg-tests/ssl/tls12_reuse.vtc b/reg-tests/ssl/tls12_reuse.vtc
new file mode 100644
index 000000000..57d6ca486
--- /dev/null
+++ b/reg-tests/ssl/tls12_reuse.vtc
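Review bot: The two new `bind` lines expand `"${TLSV}"` but nothing in the file says where that value comes from: it is not a vtest macro, so as far as I can tell it is left alone thanks to the retained `feature ignore_unknown_macro` and resolved by haproxy from the environment the including .vtc populates with `setenv TLSV`; an includer that forgets it would presumably produce `ssl-min-ver ""` and a config parse error rather than a clear message. A comment above the binds would spare the next reader that detour, e.g. `# VTC_SOCK_TYPE and TLSV are environment variables set by the including .vtc (setenv); vtest passes them through and haproxy expands them`. The `haproxy h1 -conf` block starts above this hunk on both sides.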
@@ -0,0 +1,11 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.2
+# Each client will try to established a connection, then try to reconnect 20 times resuming.
+
+varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.2"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE stream
+setenv TLSV TLSv1.2
+include ${testdir}/../ssl/ssl_reuse.vtci
diff --git a/reg-tests/ssl/tls13_reuse.vtc b/reg-tests/ssl/tls13_reuse.vtc
new file mode 100644
index 000000000..d990286c2
--- /dev/null
+++ b/reg-tests/ssl/tls13_reuse.vtc
@@ -0,0 +1,11 @@
+#REGTEST_TYPE=devel
+
+# This reg-test tests 2 scenarios with and without resumption tickets, with TLSv1.3
+# Each client will try to established a connection, then try to reconnect 20 times resuming.
+
+varnishtest "Test if the SSL session/ticket reuse works correctly for TLSv1.3"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL_WOLFSSL) || feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(1.1.1)'"
+
+setenv VTC_SOCK_TYPE stream
+setenv TLSV TLSv1.3
+include ${testdir}/../ssl/ssl_reuse.vtci
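Review bot: `# Each client will try to established a connection` should read `# Each client will try to establish a connection`; the same sentence is repeated verbatim in ssl/tls13_reuse.vtc and quic/tls13_reuse.vtc, so all three copies want the fix. The `feature cmd` also keeps `openssl_version_atleast(1.1.1)` even though this variant pins both `ssl-min-ver` and `ssl-max-ver` to TLSv1.2 through `TLSV`; if the floor is kept only so the three wrappers run against the same library set, a note such as `# same feature line as the TLSv1.3 wrappers so all reuse tests run on the same builds` would make that intent explicit, otherwise the TLS 1.2 variant could state its real requirement.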