From 2f621aa52e4278e30f340a25e2e0f9071a84de18 Mon Sep 17 00:00:00 2001 From: Frederic Lecaille Date: Fri, 17 Oct 2025 16:30:18 +0200 Subject: [PATCH] REGTEST: quic: add ssl_reuse.vtc new QUIC test Note that this test does not work with OpenSSL 3.5.0 QUIC API because the callback set by SSL_CTX_sess_set_new_cb() (ssl_sess_new_srv_cb()) is not called (at least for QUIC clients) The role of this new QUIC test is to run the same SSL/TCP test as reg-tests/ssl/ssl_reuse.vtc but with QUIC connections where applicable (only with TLSv1.3). To do so, this QUIC test uses the "include" vtc command to run ssl/ssl_reuse.vtc It also sets the VTC_SOCK_TYPE environment variable with the "setenv" command and "quic" as value. This will ask vtest2 to use QUIC sockets for all "fd@{...}" addresses prefixed by "${VTC_SOCK_TYPE}+" socket type if VTC_SOCK_TYPE value is "quic". The SSL/TCP is modified to set this environment variable with "setenv -ifunset" from ssl/ssl_reuse.vtc with "stream" as value, if it not already set. vtest2 must be used with this patch to support this new QUIC test: https://github.com/vtest/VTest2/commit/9aa4d498dbd426adef8779c692a3e0865e55b9c2 Thanks to this latter patch, vtest2 retrieves the VTC_SOCK_TYPE environment variable value, then it parses the vtc file to retrieve all the fd addresses prefixed by "${VTC_SOCK_TYPE}+" and creates a QUIC socket or a TCP socket depending on this variable value. --- reg-tests/quic/ssl_reuse.vtc | 10 ++++++++++ reg-tests/ssl/ssl_reuse.vtc | 14 ++++++++++---- 2 files changed, 20 insertions(+), 4 deletions(-) create mode 100644 reg-tests/quic/ssl_reuse.vtc diff --git a/reg-tests/quic/ssl_reuse.vtc b/reg-tests/quic/ssl_reuse.vtc new file mode 100644 index 000000000..650292387 --- /dev/null +++ b/reg-tests/quic/ssl_reuse.vtc @@ -0,0 +1,10 @@ +#REGTEST_TYPE=devel + +# Same test as ssl/ssl_reuse.vtc, but with QUIC connections where applicable (only for TLSv3) + +varnishtest "Test if the SSL session/ticket reuse work correctly" + +feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) && openssl_version_before(3.5.0)'" + +setenv VTC_SOCK_TYPE quic +include ${testdir}/../ssl/ssl_reuse.vtc diff --git a/reg-tests/ssl/ssl_reuse.vtc b/reg-tests/ssl/ssl_reuse.vtc index 57ef5f62c..7ca8e3d64 100644 --- a/reg-tests/ssl/ssl_reuse.vtc +++ b/reg-tests/ssl/ssl_reuse.vtc @@ -13,8 +13,14 @@ server s1 -repeat 84 { txresp } -start +setenv -ifunset VTC_SOCK_TYPE stream + haproxy h1 -conf { global + .if streq("$VTC_SOCK_TYPE",quic) + # required for backend connections + expose-experimental-directives + .endif .if feature(THREAD) thread-groups 1 .endif @@ -45,19 +51,19 @@ haproxy h1 -conf { listen clst3 bind "fd@${clst3}" - server s1 "${h1_fe3_addr}:${h1_fe3_port}" ssl verify none sni str(www.test1.com) + server s1 "${VTC_SOCK_TYPE}+${h1_fe3_addr}:${h1_fe3_port}" ssl verify none sni str(www.test1.com) http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed] listen clst4 bind "fd@${clst4}" - server s1 "${h1_fe4_addr}:${h1_fe4_port}" ssl verify none sni str(www.test1.com) + server s1 "${VTC_SOCK_TYPE}+${h1_fe4_addr}:${h1_fe4_port}" ssl verify none sni str(www.test1.com) http-response add-header x-ssl-bc-resumed %[ssl_bc_is_resumed] listen ssl bind "fd@${fe1}" ssl crt ${testdir}/common.pem ssl-max-ver TLSv1.2 bind "fd@${fe2}" ssl crt ${testdir}/common.pem ssl-max-ver TLSv1.2 no-tls-tickets - bind "fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3 - bind "fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3 no-tls-tickets + bind "${VTC_SOCK_TYPE}+fd@${fe3}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3 + bind "${VTC_SOCK_TYPE}+fd@${fe4}" ssl crt ${testdir}/common.pem ssl-min-ver TLSv1.3 no-tls-tickets http-response add-header x-ssl-resumed %[ssl_fc_is_resumed] server s1 ${s1_addr}:${s1_port} -- 2.47.3