Merge latest master into 11-Dev
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 76b1439..ac8034c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -24,7 +24,7 @@
endif()
cmake_minimum_required(VERSION 3.20..3.27)
-project(ats VERSION 10.1.0)
+project(ats VERSION 11.0.0)
set(TS_VERSION_MAJOR ${PROJECT_VERSION_MAJOR})
set(TS_VERSION_MINOR ${PROJECT_VERSION_MINOR})
diff --git a/doc/admin-guide/files/records.yaml.en.rst b/doc/admin-guide/files/records.yaml.en.rst
index 176da25..4f93a10 100644
--- a/doc/admin-guide/files/records.yaml.en.rst
+++ b/doc/admin-guide/files/records.yaml.en.rst
@@ -3879,58 +3879,6 @@
Setting a value less than or equal to ``0`` effectively disables
SSL session cache for the origin server.
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.enabled INT 2
-
- Enables the SSL session cache:
-
- ===== ======================================================================
- Value Description
- ===== ======================================================================
- ``0`` Disables the session cache entirely.
- ``1`` Enables the session cache using OpenSSL's implementation.
- ``2`` Default. Enables the session cache using |TS|'s implementation. This
- implementation should perform much better than the OpenSSL
- implementation.
- ===== ======================================================================
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.timeout INT 0
-
- This configuration specifies the lifetime of SSL session cache
- entries in seconds. If it is ``0``, then the SSL library will use
- a default value, typically 300 seconds. Note: This option has no affect
- when using the |TS| session cache (option ``2`` in
- ``proxy.config.ssl.session_cache.enabled``)
-
- See :ref:`admin-performance-timeouts` for more discussion on |TS| timeouts.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.auto_clear INT 1
-
- This will set the OpenSSL auto clear flag. Auto clear is enabled by
- default with ``1`` it can be disabled by changing this setting to ``0``.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.size INT 102400
-
- This configuration specifies the maximum number of entries
- the SSL session cache may contain.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.num_buckets INT 256
-
- This configuration specifies the number of buckets to use with the
- |TS| SSL session cache implementation. The TS implementation
- is a fixed size hash map where each bucket is protected by a mutex.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.skip_cache_on_bucket_contention INT 0
-
- This configuration specifies the behavior of the |TS| SSL session
- cache implementation during lock contention on each bucket:
-
- ===== ======================================================================
- Value Description
- ===== ======================================================================
- ``0`` Default. Don't skip session caching when bucket lock is contented.
- ``1`` Disable the SSL session cache for a connection during lock contention.
- ===== ======================================================================
-
.. ts:cv:: CONFIG proxy.config.ssl.server.session_ticket.enable INT 1
Set to 1 to enable Traffic Server to process TLS tickets for TLS session resumption.
diff --git a/include/iocore/net/TLSSessionResumptionSupport.h b/include/iocore/net/TLSSessionResumptionSupport.h
index 6955528..086ccbf 100644
--- a/include/iocore/net/TLSSessionResumptionSupport.h
+++ b/include/iocore/net/TLSSessionResumptionSupport.h
@@ -52,7 +52,6 @@
bool getSSLOriginSessionCacheHit() const;
ssl_curve_id getSSLCurveNID() const;
- SSL_SESSION *getSession(SSL *ssl, const unsigned char *id, int len, int *copy);
std::shared_ptr<SSL_SESSION> getOriginSession(const std::string &lookup_key);
protected:
diff --git a/include/ts/ts.h b/include/ts/ts.h
index 76030df..85c335b 100644
--- a/include/ts/ts.h
+++ b/include/ts/ts.h
@@ -1336,11 +1336,6 @@
int TSVConnProvidedSslCert(TSVConn sslp);
const char *TSVConnSslSniGet(TSVConn sslp, int *length);
-TSSslSession TSSslSessionGet(const TSSslSessionID *session_id);
-int TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int *len_ptr);
-TSReturnCode TSSslSessionInsert(const TSSslSessionID *session_id, TSSslSession add_session, TSSslConnection ssl_conn);
-TSReturnCode TSSslSessionRemove(const TSSslSessionID *session_id);
-
/* --------------------------------------------------------------------------
HTTP transactions */
void TSHttpTxnHookAdd(TSHttpTxn txnp, TSHttpHookID id, TSCont contp);
diff --git a/src/api/InkAPI.cc b/src/api/InkAPI.cc
index 92907df..560618c 100644
--- a/src/api/InkAPI.cc
+++ b/src/api/InkAPI.cc
@@ -134,8 +134,6 @@
/* From proxy/http/HttpProxyServerMain.c: */
extern bool ssl_register_protocol(const char *, Continuation *);
-extern SSLSessionCache *session_cache; // declared extern in P_SSLConfig.h
-
// External converters.
extern MgmtConverter const &HttpDownServerCacheTimeConv;
@@ -8410,61 +8408,6 @@
}
}
-TSSslSession
-TSSslSessionGet(const TSSslSessionID *session_id)
-{
- SSL_SESSION *session = nullptr;
- if (session_id && session_cache) {
- session_cache->getSession(reinterpret_cast<const SSLSessionID &>(*session_id), &session, nullptr);
- }
- return reinterpret_cast<TSSslSession>(session);
-}
-
-int
-TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int *len_ptr)
-{
- int true_len = 0;
- // Don't get if there is no session id or the cache is not yet set up
- if (session_id && session_cache && len_ptr) {
- true_len = session_cache->getSessionBuffer(reinterpret_cast<const SSLSessionID &>(*session_id), buffer, *len_ptr);
- }
- return true_len;
-}
-
-TSReturnCode
-TSSslSessionInsert(const TSSslSessionID *session_id, TSSslSession add_session, TSSslConnection ssl_conn)
-{
- // Don't insert if there is no session id or the cache is not yet set up
- if (session_id && session_cache) {
- if (dbg_ctl_ssl_session_cache_insert.on()) {
- const SSLSessionID *sid = reinterpret_cast<const SSLSessionID *>(session_id);
- char buf[sid->len * 2 + 1];
- sid->toString(buf, sizeof(buf));
- DbgPrint(dbg_ctl_ssl_session_cache_insert, "TSSslSessionInsert: Inserting session '%s' ", buf);
- }
- SSL_SESSION *session = reinterpret_cast<SSL_SESSION *>(add_session);
- SSL *ssl = reinterpret_cast<SSL *>(ssl_conn);
- session_cache->insertSession(reinterpret_cast<const SSLSessionID &>(*session_id), session, ssl);
- // insertSession returns void, assume all went well
- return TS_SUCCESS;
- } else {
- return TS_ERROR;
- }
-}
-
-TSReturnCode
-TSSslSessionRemove(const TSSslSessionID *session_id)
-{
- // Don't remove if there is no session id or the cache is not yet set up
- if (session_id && session_cache) {
- session_cache->removeSession(reinterpret_cast<const SSLSessionID &>(*session_id));
- // removeSession returns void, assume all went well
- return TS_SUCCESS;
- } else {
- return TS_ERROR;
- }
-}
-
// APIs for managing and using UUIDs.
TSUuid
TSUuidCreate()
diff --git a/src/iocore/net/P_SSLConfig.h b/src/iocore/net/P_SSLConfig.h
index 813d8e8..9aea6dc 100644
--- a/src/iocore/net/P_SSLConfig.h
+++ b/src/iocore/net/P_SSLConfig.h
@@ -53,12 +53,6 @@
using load_ssl_file_func = void (*)(const char *);
struct SSLConfigParams : public ConfigInfo {
- enum SSL_SESSION_CACHE_MODE {
- SSL_SESSION_CACHE_MODE_OFF = 0,
- SSL_SESSION_CACHE_MODE_SERVER_OPENSSL_IMPL = 1,
- SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL = 2
- };
-
SSLConfigParams();
~SSLConfigParams() override;
@@ -76,12 +70,6 @@
int verify_depth;
int ssl_origin_session_cache;
int ssl_origin_session_cache_size;
- int ssl_session_cache; // SSL_SESSION_CACHE_MODE
- int ssl_session_cache_size;
- int ssl_session_cache_num_buckets;
- int ssl_session_cache_skip_on_contention;
- int ssl_session_cache_timeout;
- int ssl_session_cache_auto_clear;
char *clientCertPath;
char *clientCertPathOnly;
@@ -132,9 +120,6 @@
static int origin_session_cache;
static size_t origin_session_cache_size;
- static size_t session_cache_number_buckets;
- static size_t session_cache_max_bucket_size;
- static bool session_cache_skip_on_lock_contention;
static swoc::IPRangeSet *proxy_protocol_ip_addrs;
@@ -256,5 +241,4 @@
static int configid;
};
-extern SSLSessionCache *session_cache;
extern SSLOriginSessionCache *origin_sess_cache;
diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc
index af0056c..7a2b566 100644
--- a/src/iocore/net/SSLConfig.cc
+++ b/src/iocore/net/SSLConfig.cc
@@ -47,29 +47,26 @@
#include <cstring>
#include <cmath>
-int SSLConfig::config_index = 0;
-int SSLConfig::configids[] = {0, 0};
-int SSLCertificateConfig::configid = 0;
-int SSLTicketKeyConfig::configid = 0;
-int SSLConfigParams::ssl_maxrecord = 0;
-int SSLConfigParams::ssl_misc_max_iobuffer_size_index = 8;
-bool SSLConfigParams::ssl_allow_client_renegotiation = false;
-bool SSLConfigParams::ssl_ocsp_enabled = false;
-int SSLConfigParams::ssl_ocsp_cache_timeout = 3600;
-bool SSLConfigParams::ssl_ocsp_request_mode = false;
-int SSLConfigParams::ssl_ocsp_request_timeout = 10;
-int SSLConfigParams::ssl_ocsp_update_period = 60;
-char *SSLConfigParams::ssl_ocsp_user_agent = nullptr;
-int SSLConfigParams::ssl_handshake_timeout_in = 0;
-int SSLConfigParams::origin_session_cache = 1;
-size_t SSLConfigParams::origin_session_cache_size = 10240;
-size_t SSLConfigParams::session_cache_number_buckets = 1024;
-bool SSLConfigParams::session_cache_skip_on_lock_contention = false;
-size_t SSLConfigParams::session_cache_max_bucket_size = 100;
-init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb = nullptr;
-load_ssl_file_func SSLConfigParams::load_ssl_file_cb = nullptr;
-swoc::IPRangeSet *SSLConfigParams::proxy_protocol_ip_addrs = nullptr;
-bool SSLConfigParams::ssl_ktls_enabled = false;
+int SSLConfig::config_index = 0;
+int SSLConfig::configids[] = {0, 0};
+int SSLCertificateConfig::configid = 0;
+int SSLTicketKeyConfig::configid = 0;
+int SSLConfigParams::ssl_maxrecord = 0;
+int SSLConfigParams::ssl_misc_max_iobuffer_size_index = 8;
+bool SSLConfigParams::ssl_allow_client_renegotiation = false;
+bool SSLConfigParams::ssl_ocsp_enabled = false;
+int SSLConfigParams::ssl_ocsp_cache_timeout = 3600;
+bool SSLConfigParams::ssl_ocsp_request_mode = false;
+int SSLConfigParams::ssl_ocsp_request_timeout = 10;
+int SSLConfigParams::ssl_ocsp_update_period = 60;
+char *SSLConfigParams::ssl_ocsp_user_agent = nullptr;
+int SSLConfigParams::ssl_handshake_timeout_in = 0;
+int SSLConfigParams::origin_session_cache = 1;
+size_t SSLConfigParams::origin_session_cache_size = 10240;
+init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb = nullptr;
+load_ssl_file_func SSLConfigParams::load_ssl_file_cb = nullptr;
+swoc::IPRangeSet *SSLConfigParams::proxy_protocol_ip_addrs = nullptr;
+bool SSLConfigParams::ssl_ktls_enabled = false;
const uint32_t EARLY_DATA_DEFAULT_SIZE = 16384;
uint32_t SSLConfigParams::server_max_early_data = 0;
@@ -125,14 +122,7 @@
verifyServerProperties = YamlSNIConfig::Property::NONE;
ssl_ctx_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
ssl_client_ctx_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
- ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL;
- ssl_session_cache_size = 1024 * 100;
- ssl_session_cache_num_buckets = 1024; // Sessions per bucket is ceil(ssl_session_cache_size / ssl_session_cache_num_buckets)
- ssl_session_cache_skip_on_contention = 0;
- ssl_session_cache_timeout = 0;
- ssl_session_cache_auto_clear = 1;
- configExitOnLoadError = 1;
- clientCertExitOnLoadError = 0;
+ configExitOnLoadError = 1;
}
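Review bot: The constructor no longer initializes `clientCertExitOnLoadError`: the removed lines at L272-L273 set both `configExitOnLoadError = 1;` and `clientCertExitOnLoadError = 0;`, but only the first is re-added at L274, which looks like a merge artifact rather than an intended change. Unless the member carries an in-class initializer (not visible here), it is now read uninitialized, and since it presumably decides whether a client-certificate load failure aborts startup, an indeterminate value can silently flip a fail-closed path to fail-open. Re-add `clientCertExitOnLoadError = 0;` directly after `configExitOnLoadError = 1;`. The constructor body begins outside the hunk.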
void
@@ -446,23 +436,9 @@
// SSL session cache configurations
REC_ReadConfigInteger(ssl_origin_session_cache, "proxy.config.ssl.origin_session_cache.enabled");
REC_ReadConfigInteger(ssl_origin_session_cache_size, "proxy.config.ssl.origin_session_cache.size");
- REC_ReadConfigInteger(ssl_session_cache, "proxy.config.ssl.session_cache.value");
- REC_ReadConfigInteger(ssl_session_cache_size, "proxy.config.ssl.session_cache.size");
- REC_ReadConfigInteger(ssl_session_cache_num_buckets, "proxy.config.ssl.session_cache.num_buckets");
- REC_ReadConfigInteger(ssl_session_cache_skip_on_contention, "proxy.config.ssl.session_cache.skip_cache_on_bucket_contention");
- REC_ReadConfigInteger(ssl_session_cache_timeout, "proxy.config.ssl.session_cache.timeout");
- REC_ReadConfigInteger(ssl_session_cache_auto_clear, "proxy.config.ssl.session_cache.auto_clear");
SSLConfigParams::origin_session_cache = ssl_origin_session_cache;
SSLConfigParams::origin_session_cache_size = ssl_origin_session_cache_size;
- SSLConfigParams::session_cache_max_bucket_size =
- static_cast<size_t>(ceil(static_cast<double>(ssl_session_cache_size) / ssl_session_cache_num_buckets));
- SSLConfigParams::session_cache_skip_on_lock_contention = ssl_session_cache_skip_on_contention;
- SSLConfigParams::session_cache_number_buckets = ssl_session_cache_num_buckets;
-
- if (ssl_session_cache == SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL) {
- session_cache = new SSLSessionCache();
- }
if (ssl_origin_session_cache == 1 && ssl_origin_session_cache_size > 0) {
origin_sess_cache = new SSLOriginSessionCache();
diff --git a/src/iocore/net/SSLSessionCache.cc b/src/iocore/net/SSLSessionCache.cc
index ee36095..da68af4 100644
--- a/src/iocore/net/SSLSessionCache.cc
+++ b/src/iocore/net/SSLSessionCache.cc
@@ -29,293 +29,11 @@
#include <memory>
#include <shared_mutex>
-#define SSLSESSIONCACHE_STRINGIFY0(x) #x
-#define SSLSESSIONCACHE_STRINGIFY(x) SSLSESSIONCACHE_STRINGIFY0(x)
-#define SSLSESSIONCACHE_LINENO SSLSESSIONCACHE_STRINGIFY(__LINE__)
-
-#ifdef DEBUG
-#define PRINT_BUCKET(x) this->print(x " at " __FILE__ ":" SSLSESSIONCACHE_LINENO);
-#else
-#define PRINT_BUCKET(x)
-#endif
-
namespace
{
DbgCtl dbg_ctl_ssl_origin_session_cache{"ssl.origin_session_cache"};
-DbgCtl dbg_ctl_ssl_session_cache{"ssl.session_cache"};
-DbgCtl dbg_ctl_ssl_session_cache_bucket{"ssl.session_cache.bucket"};
-DbgCtl dbg_ctl_ssl_session_cache_get{"ssl.session_cache.get"};
-DbgCtl dbg_ctl_ssl_session_cache_insert{"ssl.session_cache.insert"};
-DbgCtl dbg_ctl_ssl_session_cache_remove{"ssl.session_cache.remove"};
-
} // end anonymous namespace
-/* Session Cache */
-SSLSessionCache::SSLSessionCache() : nbuckets(SSLConfigParams::session_cache_number_buckets)
-{
- Dbg(dbg_ctl_ssl_session_cache, "Created new ssl session cache %p with %zu buckets each with size max size %zu", this, nbuckets,
- SSLConfigParams::session_cache_max_bucket_size);
-
- session_bucket = new SSLSessionBucket[nbuckets];
-}
-
-SSLSessionCache::~SSLSessionCache()
-{
- delete[] session_bucket;
-}
-
-int
-SSLSessionCache::getSessionBuffer(const SSLSessionID &sid, char *buffer, int &len) const
-{
- uint64_t hash = sid.hash();
- uint64_t target_bucket = hash % nbuckets;
- SSLSessionBucket *bucket = &session_bucket[target_bucket];
-
- return bucket->getSessionBuffer(sid, buffer, len);
-}
-
-bool
-SSLSessionCache::getSession(const SSLSessionID &sid, SSL_SESSION **sess, ssl_session_cache_exdata **data) const
-{
- uint64_t hash = sid.hash();
- uint64_t target_bucket = hash % nbuckets;
- SSLSessionBucket *bucket = &session_bucket[target_bucket];
-
- if (dbg_ctl_ssl_session_cache.on()) {
- char buf[sid.len * 2 + 1];
- sid.toString(buf, sizeof(buf));
- DbgPrint(dbg_ctl_ssl_session_cache_get, "SessionCache looking in bucket %" PRId64 " (%p) for session '%s' (hash: %" PRIX64 ").",
- target_bucket, bucket, buf, hash);
- }
-
- return bucket->getSession(sid, sess, data);
-}
-
-void
-SSLSessionCache::removeSession(const SSLSessionID &sid)
-{
- uint64_t hash = sid.hash();
- uint64_t target_bucket = hash % nbuckets;
- SSLSessionBucket *bucket = &session_bucket[target_bucket];
-
- if (dbg_ctl_ssl_session_cache_remove.on()) {
- char buf[sid.len * 2 + 1];
- sid.toString(buf, sizeof(buf));
- DbgPrint(dbg_ctl_ssl_session_cache_remove,
- "SessionCache using bucket %" PRId64 " (%p): Removing session '%s' (hash: %" PRIX64 ").", target_bucket, bucket, buf,
- hash);
- }
- Metrics::Counter::increment(ssl_rsb.session_cache_eviction);
-
- bucket->removeSession(sid);
-}
-
-void
-SSLSessionCache::insertSession(const SSLSessionID &sid, SSL_SESSION *sess, SSL *ssl)
-{
- uint64_t hash = sid.hash();
- uint64_t target_bucket = hash % nbuckets;
- SSLSessionBucket *bucket = &session_bucket[target_bucket];
-
- if (dbg_ctl_ssl_session_cache_insert.on()) {
- char buf[sid.len * 2 + 1];
- sid.toString(buf, sizeof(buf));
- DbgPrint(dbg_ctl_ssl_session_cache_insert,
- "SessionCache using bucket %" PRId64 " (%p): Inserting session '%s' (hash: %" PRIX64 ").", target_bucket, bucket, buf,
- hash);
- }
-
- bucket->insertSession(sid, sess, ssl);
-}
-
-void
-SSLSessionBucket::insertSession(const SSLSessionID &id, SSL_SESSION *sess, SSL *ssl)
-{
- std::shared_lock r_lock(mutex, std::try_to_lock);
- if (!r_lock.owns_lock()) {
- Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
- if (SSLConfigParams::session_cache_skip_on_lock_contention) {
- return;
- }
- r_lock.lock();
- }
-
- // Don't insert if it is already there
- if (bucket_map.find(id) != bucket_map.end()) {
- return;
- }
-
- r_lock.unlock();
-
- size_t len = i2d_SSL_SESSION(sess, nullptr); // make sure we're not going to need more than SSL_MAX_SESSION_SIZE bytes
- /* do not cache a session that's too big. */
- if (len > static_cast<size_t>(SSL_MAX_SESSION_SIZE)) {
- Dbg(dbg_ctl_ssl_session_cache, "Unable to save SSL session because size of %zd exceeds the max of %d", len,
- SSL_MAX_SESSION_SIZE);
- return;
- }
-
- if (dbg_ctl_ssl_session_cache.on()) {
- char buf[id.len * 2 + 1];
- id.toString(buf, sizeof(buf));
- DbgPrint(dbg_ctl_ssl_session_cache, "Inserting session '%s' to bucket %p.", buf, this);
- }
-
- Ptr<IOBufferData> buf;
- Ptr<IOBufferData> buf_exdata;
- size_t len_exdata = sizeof(ssl_session_cache_exdata);
- buf = new_IOBufferData(buffer_size_to_index(len, MAX_BUFFER_SIZE_INDEX), MEMALIGNED);
- ink_release_assert(static_cast<size_t>(buf->block_size()) >= len);
- unsigned char *loc = reinterpret_cast<unsigned char *>(buf->data());
- i2d_SSL_SESSION(sess, &loc);
- buf_exdata = new_IOBufferData(buffer_size_to_index(len, MAX_BUFFER_SIZE_INDEX), MEMALIGNED);
- ink_release_assert(static_cast<size_t>(buf_exdata->block_size()) >= len_exdata);
- ssl_session_cache_exdata *exdata = reinterpret_cast<ssl_session_cache_exdata *>(buf_exdata->data());
- // This could be moved to a function in charge of populating exdata
- exdata->curve = (ssl == nullptr) ? 0 : SSLGetCurveNID(ssl);
-
- std::unique_ptr<SSLSession> ssl_session(new SSLSession(id, buf, len, buf_exdata));
-
- std::unique_lock w_lock(mutex, std::try_to_lock);
- if (!w_lock.owns_lock()) {
- Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
- if (SSLConfigParams::session_cache_skip_on_lock_contention) {
- return;
- }
- w_lock.lock();
- }
-
- PRINT_BUCKET("insertSession before")
- if (bucket_map.size() >= SSLConfigParams::session_cache_max_bucket_size) {
- Metrics::Counter::increment(ssl_rsb.session_cache_eviction);
- removeOldestSession(w_lock);
- }
-
- /* do the actual insert */
- auto node = ssl_session.release();
- bucket_que.enqueue(node);
- bucket_map[id] = node;
-
- PRINT_BUCKET("insertSession after")
-}
-
-int
-SSLSessionBucket::getSessionBuffer(const SSLSessionID &id, char *buffer, int &len)
-{
- int true_len = 0;
- std::shared_lock lock(mutex, std::try_to_lock);
- if (!lock.owns_lock()) {
- Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
- if (SSLConfigParams::session_cache_skip_on_lock_contention) {
- return true_len;
- }
- lock.lock();
- }
-
- auto entry = bucket_map.find(id);
- if (buffer && entry != bucket_map.end()) {
- true_len = entry->second->len_asn1_data;
- const unsigned char *loc = reinterpret_cast<const unsigned char *>(entry->second->asn1_data->data());
- if (true_len < len) {
- len = true_len;
- }
- memcpy(buffer, loc, len);
- return true_len;
- }
- return 0;
-}
-
-bool
-SSLSessionBucket::getSession(const SSLSessionID &id, SSL_SESSION **sess, ssl_session_cache_exdata **data)
-{
- char buf[id.len * 2 + 1];
- buf[0] = '\0'; // just to be safe.
- if (dbg_ctl_ssl_session_cache.on()) {
- id.toString(buf, sizeof(buf));
- }
-
- Dbg(dbg_ctl_ssl_session_cache, "Looking for session with id '%s' in bucket %p", buf, this);
-
- std::shared_lock lock(mutex, std::try_to_lock);
- if (!lock.owns_lock()) {
- Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
- if (SSLConfigParams::session_cache_skip_on_lock_contention) {
- return false;
- }
- lock.lock();
- }
-
- PRINT_BUCKET("getSession")
-
- auto entry = bucket_map.find(id);
- if (entry == bucket_map.end()) {
- Dbg(dbg_ctl_ssl_session_cache, "Session with id '%s' not found in bucket %p.", buf, this);
- return false;
- }
- const unsigned char *loc = reinterpret_cast<const unsigned char *>(entry->second->asn1_data->data());
- *sess = d2i_SSL_SESSION(nullptr, &loc, entry->second->len_asn1_data);
- if (data != nullptr) {
- ssl_session_cache_exdata *exdata = reinterpret_cast<ssl_session_cache_exdata *>(entry->second->extra_data->data());
- *data = exdata;
- }
- return true;
-}
-
-void inline SSLSessionBucket::print(const char *ref_str) const
-{
- /* NOTE: This method assumes you're already holding the bucket lock */
- if (!dbg_ctl_ssl_session_cache_bucket.on()) {
- return;
- }
-
- fprintf(stderr, "-------------- BUCKET %p (%s) ----------------\n", this, ref_str);
- fprintf(stderr, "Current Size: %ld, Max Size: %zd\n", bucket_map.size(), SSLConfigParams::session_cache_max_bucket_size);
- fprintf(stderr, "Bucket: \n");
-
- for (auto &x : bucket_map) {
- char s_buf[2 * x.second->session_id.len + 1];
- x.second->session_id.toString(s_buf, sizeof(s_buf));
- fprintf(stderr, " %s\n", s_buf);
- }
-}
-
-void inline SSLSessionBucket::removeOldestSession(const std::unique_lock<ts::shared_mutex> &lock)
-{
- // Caller must hold the bucket shared_mutex with unique_lock.
- ink_assert(lock.owns_lock());
-
- PRINT_BUCKET("removeOldestSession before")
-
- while (bucket_que.head && bucket_que.size >= static_cast<int>(SSLConfigParams::session_cache_max_bucket_size)) {
- auto node = bucket_que.pop();
- bucket_map.erase(node->session_id);
- delete node;
- }
-
- PRINT_BUCKET("removeOldestSession after")
-}
-
-void
-SSLSessionBucket::removeSession(const SSLSessionID &id)
-{
- // We can't bail on contention here because this session MUST be removed.
- std::unique_lock lock(mutex);
-
- PRINT_BUCKET("removeSession before")
-
- auto entry = bucket_map.find(id);
- if (entry != bucket_map.end()) {
- auto node = entry->second;
- bucket_que.remove(node);
- bucket_map.erase(entry);
- delete node;
- }
-
- PRINT_BUCKET("removeSession after")
-
- return;
-}
-
// Custom deleter for shared origin sessions
void
SSLSessDeleter(SSL_SESSION *_p)
@@ -323,11 +41,6 @@
SSL_SESSION_free(_p);
}
-/* Session Bucket */
-SSLSessionBucket::SSLSessionBucket() {}
-
-SSLSessionBucket::~SSLSessionBucket() {}
-
SSLOriginSessionCache::SSLOriginSessionCache() {}
SSLOriginSessionCache::~SSLOriginSessionCache() {}
diff --git a/src/iocore/net/SSLSessionCache.h b/src/iocore/net/SSLSessionCache.h
index a2a6535..501df2a 100644
--- a/src/iocore/net/SSLSessionCache.h
+++ b/src/iocore/net/SSLSessionCache.h
@@ -39,155 +39,6 @@
ssl_curve_id curve = 0;
};
-inline void
-hash_combine(uint64_t &seed, uint64_t hash)
-{
- // using boost's version of hash combine, substituting magic number with a 64bit version
- // https://www.boost.org/doc/libs/1_43_0/doc/html/hash/reference.html#boost.hash_combine
- seed ^= hash + 0x9E3779B97F4A7C15 + (seed << 6) + (seed >> 2);
-}
-
-struct SSLSessionID : public TSSslSessionID {
- SSLSessionID(const unsigned char *s, size_t l)
- {
- len = l;
- ink_release_assert(l <= sizeof(bytes));
- memcpy(bytes, s, l);
- hash();
- }
-
- SSLSessionID(const SSLSessionID &other)
- {
- if (other.len) {
- memcpy(bytes, other.bytes, other.len);
- }
-
- len = other.len;
- hash();
- }
-
- bool
- operator<(const SSLSessionID &other) const
- {
- if (len != other.len) {
- return len < other.len;
- }
-
- return (memcmp(bytes, other.bytes, len) < 0);
- }
-
- SSLSessionID &
- operator=(const SSLSessionID &other)
- {
- if (other.len) {
- memcpy(bytes, other.bytes, other.len);
- }
-
- len = other.len;
- return *this;
- }
-
- bool
- operator==(const SSLSessionID &other) const
- {
- if (len != other.len) {
- return false;
- }
-
- // memcmp returns 0 on equal
- return (memcmp(bytes, other.bytes, len) == 0);
- }
-
- const char *
- toString(char *buf, size_t buflen) const
- {
- char *cur_pos = buf;
- for (size_t i = 0; i < len && buflen > 0; ++i) {
- if (buflen > 2) { // we have enough space for 3 bytes, 2 hex and 1 null terminator
- snprintf(cur_pos, 3 /* including a null terminator */, "%02hhX", static_cast<unsigned char>(bytes[i]));
- cur_pos += 2;
- buflen -= 2;
- } else { // not enough space for any more hex bytes, just null terminate
- *cur_pos = '\0';
- break;
- }
- }
- return buf;
- }
-
- uint64_t
- hash() const
- {
- // because the session ids should be uniformly random, we can treat the bits as a hash value
- // however we need to combine them if the length is longer than 64bits
- if (len >= sizeof(uint64_t)) {
- uint64_t seed = 0;
- for (uint64_t i = 0; i < len; i += sizeof(uint64_t)) {
- hash_combine(seed, static_cast<uint64_t>(bytes[i]));
- }
- return seed;
- } else if (len) {
- return static_cast<uint64_t>(bytes[0]);
- } else {
- return 0;
- }
- }
-};
-
-class SSLSession
-{
-public:
- SSLSessionID session_id;
- Ptr<IOBufferData> asn1_data; /* this is the ASN1 representation of the SSL_CTX */
- size_t len_asn1_data;
- Ptr<IOBufferData> extra_data;
-
- SSLSession(const SSLSessionID &id, const Ptr<IOBufferData> &ssl_asn1_data, size_t len_asn1, Ptr<IOBufferData> &exdata)
- : session_id(id), asn1_data(ssl_asn1_data), len_asn1_data(len_asn1), extra_data(exdata)
- {
- }
-
- LINK(SSLSession, link);
-};
-
-class SSLSessionBucket
-{
-public:
- SSLSessionBucket();
- ~SSLSessionBucket();
- void insertSession(const SSLSessionID &sid, SSL_SESSION *sess, SSL *ssl);
- bool getSession(const SSLSessionID &sid, SSL_SESSION **sess, ssl_session_cache_exdata **data);
- int getSessionBuffer(const SSLSessionID &sid, char *buffer, int &len);
- void removeSession(const SSLSessionID &sid);
-
-private:
- /* these method must be used while hold the lock */
- void print(const char *) const;
- void removeOldestSession(const std::unique_lock<ts::shared_mutex> &lock);
-
- mutable ts::shared_mutex mutex;
- CountQueue<SSLSession> bucket_que;
- std::map<SSLSessionID, SSLSession *> bucket_map;
-};
-
-class SSLSessionCache
-{
-public:
- bool getSession(const SSLSessionID &sid, SSL_SESSION **sess, ssl_session_cache_exdata **data) const;
- int getSessionBuffer(const SSLSessionID &sid, char *buffer, int &len) const;
- void insertSession(const SSLSessionID &sid, SSL_SESSION *sess, SSL *ssl);
- void removeSession(const SSLSessionID &sid);
- SSLSessionCache();
- ~SSLSessionCache();
-
- SSLSessionCache(const SSLSessionCache &) = delete;
- SSLSessionCache &operator=(const SSLSessionCache &) = delete;
-
-private:
- SSLSessionBucket *session_bucket = nullptr;
- size_t nbuckets;
-};
-
class SSLOriginSession
{
public:
diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
index 40bbf7b..c342245 100644
--- a/src/iocore/net/SSLUtils.cc
+++ b/src/iocore/net/SSLUtils.cc
@@ -95,8 +95,6 @@
#endif
#endif
-SSLSessionCache *session_cache; // declared extern in P_SSLConfig.h
-
static int ssl_vc_index = -1;
static ink_mutex *mutex_buf = nullptr;
@@ -181,92 +179,6 @@
return SSL_CTX_add_extra_chain_cert_bio(ctx, bio.get());
}
-static SSL_SESSION *
-#if defined(LIBRESSL_VERSION_NUMBER)
-ssl_get_cached_session(SSL *ssl, unsigned char *id, int len, int *copy)
-#else
-ssl_get_cached_session(SSL *ssl, const unsigned char *id, int len, int *copy)
-#endif
-{
- TLSSessionResumptionSupport *srs = TLSSessionResumptionSupport::getInstance(ssl);
-
- ink_assert(srs);
- if (srs) {
- return srs->getSession(ssl, id, len, copy);
- }
-
- return nullptr;
-}
-
-static int
-ssl_new_cached_session(SSL *ssl, SSL_SESSION *sess)
-{
-#ifdef TLS1_3_VERSION
- if (SSL_SESSION_get_protocol_version(sess) == TLS1_3_VERSION) {
- return 0;
- }
-#endif
-
- unsigned int len = 0;
- const unsigned char *id = SSL_SESSION_get_id(sess, &len);
-
- SSLSessionID sid(id, len);
-
- if (diags()->on()) {
- static DbgCtl dbg_ctl("ssl_session_cache.insert");
- if (dbg_ctl.tag_on()) {
- char printable_buf[(len * 2) + 1];
-
- sid.toString(printable_buf, sizeof(printable_buf));
- DbgPrint(dbg_ctl, "ssl_new_cached_session session '%s' and context %p", printable_buf, SSL_get_SSL_CTX(ssl));
- }
- }
-
- Metrics::Counter::increment(ssl_rsb.session_cache_new_session);
- session_cache->insertSession(sid, sess, ssl);
-
- // Call hook after new session is created
- APIHook *hook = SSLAPIHooks::instance()->get(TSSslHookInternalID(TS_SSL_SESSION_HOOK));
- while (hook) {
- hook->invoke(TS_EVENT_SSL_SESSION_NEW, &sid);
- hook = hook->m_link.next;
- }
-
- return 0;
-}
-
-static void
-ssl_rm_cached_session(SSL_CTX * /* ctx ATS_UNUSED */, SSL_SESSION *sess)
-{
-#ifdef TLS1_3_VERSION
- if (SSL_SESSION_get_protocol_version(sess) == TLS1_3_VERSION) {
- return;
- }
-#endif
-
- unsigned int len = 0;
- const unsigned char *id = SSL_SESSION_get_id(sess, &len);
- SSLSessionID sid(id, len);
-
- // Call hook before session is removed
- APIHook *hook = SSLAPIHooks::instance()->get(TSSslHookInternalID(TS_SSL_SESSION_HOOK));
- while (hook) {
- hook->invoke(TS_EVENT_SSL_SESSION_REMOVE, &sid);
- hook = hook->m_link.next;
- }
-
- if (diags()->on()) {
- static DbgCtl dbg_ctl("ssl_session_cache.remove");
- if (dbg_ctl.tag_on()) {
- char printable_buf[(len * 2) + 1];
- sid.toString(printable_buf, sizeof(printable_buf));
- DbgPrint(dbg_ctl, "ssl_rm_cached_session cached session '%s'", printable_buf);
- }
- }
-
- session_cache->removeSession(sid);
-}
-
// Callback function for verifying client certificate
static int
ssl_verify_client_callback(int preverify_ok, X509_STORE_CTX *ctx)
@@ -401,12 +313,15 @@
}
// Reset the ticket callback if needed
- SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+ shared_SSLMultiCertConfigParams sslMultiCertSettings = std::make_shared<SSLMultiCertConfigParams>();
+ if (sslMultiCertSettings->session_ticket_enabled != 0) {
#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
- SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_callback_session_ticket);
+ SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_callback_session_ticket);
#else
- SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_callback_session_ticket);
+ SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_callback_session_ticket);
#endif
+ }
}
#endif
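Review bot: The ticket-enabled check at L872-L873 consults a freshly default-constructed object (`std::make_shared<SSLMultiCertConfigParams>()` with no arguments), so `session_ticket_enabled` is always its default and never the value configured for the certificate behind this `ctx`; whatever the operator set for session tickets has no effect on whether the ticket-key callback is re-installed here. It also heap-allocates a parameters object on what appears to be a per-connection path (the function takes an `SSL *`). The settings should come from the configuration already associated with this context (which lookup applies is not visible in the hunk), replacing the two lines with that lookup and testing `->session_ticket_enabled != 0` on the result. The enclosing function starts before the hunk.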
@@ -599,9 +514,9 @@
Metrics::Counter::increment(ssl_rsb.total_ticket_keys_renewed);
}
-// Setting the callback can only fail if OpenSSL does not recognize the
-// SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB constant. we set the callback first
-// so that we don't leave a ticket_key pointer attached if it fails.
+ // Setting the callback can only fail if OpenSSL does not recognize the
+ // SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB constant. we set the callback first
+ // so that we don't leave a ticket_key pointer attached if it fails.
#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
if (SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_callback_session_ticket) == 0) {
#else
@@ -1263,9 +1178,7 @@
SSL_CTX_set_max_proto_version(ctx, ver);
}
- if (!this->_setup_session_cache(ctx)) {
- goto fail;
- }
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF | SSL_SESS_CACHE_NO_INTERNAL);
#ifdef SSL_MODE_RELEASE_BUFFERS
Dbg(dbg_ctl_ssl_load, "enabling SSL_MODE_RELEASE_BUFFERS");
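Review bot: The new `SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF | SSL_SESS_CACHE_NO_INTERNAL);` at L902 needs a comment stating why caching is hard-disabled, since this is the only trace of the design decision left in the loader: `// Session-ID resumption was removed; resumption is ticket-only, so stop OpenSSL from caching sessions internally or invoking external cache callbacks.` Note also that the replaced `_setup_session_cache` applied `proxy.config.ssl.session_cache.timeout` through `SSL_CTX_set_timeout` (removed at L917-L919), so the library's default session timeout now applies; if that timeout also bounds ticket lifetime (cannot be confirmed from here), that is an operator-visible change worth a release-note entry. The enclosing function starts and ends outside the hunk.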
@@ -1370,44 +1283,6 @@
bool
SSLMultiCertConfigLoader::_setup_session_cache(SSL_CTX *ctx)
{
- const SSLConfigParams *params = this->_params;
-
- Dbg(dbg_ctl_ssl_session_cache,
- "ssl context=%p: using session cache options, enabled=%d, size=%d, num_buckets=%d, "
- "skip_on_contention=%d, timeout=%d, auto_clear=%d",
- ctx, params->ssl_session_cache, params->ssl_session_cache_size, params->ssl_session_cache_num_buckets,
- params->ssl_session_cache_skip_on_contention, params->ssl_session_cache_timeout, params->ssl_session_cache_auto_clear);
-
- if (params->ssl_session_cache_timeout) {
- SSL_CTX_set_timeout(ctx, params->ssl_session_cache_timeout);
- }
-
- int additional_cache_flags = 0;
- additional_cache_flags |= (params->ssl_session_cache_auto_clear == 0) ? SSL_SESS_CACHE_NO_AUTO_CLEAR : 0;
-
- switch (params->ssl_session_cache) {
- case SSLConfigParams::SSL_SESSION_CACHE_MODE_OFF:
- Dbg(dbg_ctl_ssl_session_cache, "disabling SSL session cache");
-
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF | SSL_SESS_CACHE_NO_INTERNAL);
- break;
- case SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER_OPENSSL_IMPL:
- Dbg(dbg_ctl_ssl_session_cache, "enabling SSL session cache with OpenSSL implementation");
-
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | additional_cache_flags);
- SSL_CTX_sess_set_cache_size(ctx, params->ssl_session_cache_size);
- break;
- case SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL: {
- Dbg(dbg_ctl_ssl_session_cache, "enabling SSL session cache with ATS implementation");
- /* Add all the OpenSSL callbacks */
- SSL_CTX_sess_set_new_cb(ctx, ssl_new_cached_session);
- SSL_CTX_sess_set_remove_cb(ctx, ssl_rm_cached_session);
- SSL_CTX_sess_set_get_cb(ctx, ssl_get_cached_session);
-
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL | additional_cache_flags);
- break;
- }
- }
return true;
}
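Review bot: `SSLMultiCertConfigLoader::_setup_session_cache` is left as an empty stub that ignores `ctx` and always returns `true`, while the only caller I can see was removed in the same commit (the `goto fail` branch replaced by the direct `SSL_CTX_set_session_cache_mode` call), so this is dead code that will trip `-Wunused-parameter` and suggests to readers that a session cache is still being configured. Remove the method and its declaration in the header, or, if it must stay for compatibility, mark it and document the no-op, e.g. `/// Deprecated no-op: the server-side session cache was removed; kept only for compatibility.` with `[[deprecated]]` on the declaration.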
diff --git a/src/iocore/net/TLSSessionResumptionSupport.cc b/src/iocore/net/TLSSessionResumptionSupport.cc
index af78aba..21d5a02 100644
--- a/src/iocore/net/TLSSessionResumptionSupport.cc
+++ b/src/iocore/net/TLSSessionResumptionSupport.cc
@@ -141,54 +141,6 @@
return this->_sslCurveNID;
}
-SSL_SESSION *
-TLSSessionResumptionSupport::getSession(SSL *ssl, const unsigned char *id, int len, int *copy)
-{
- SSLSessionID sid(id, len);
-
- *copy = 0;
- if (diags()->on()) {
- static DbgCtl dbg_ctl("ssl.session_cache.get");
- if (dbg_ctl.tag_on()) {
- char printable_buf[(len * 2) + 1];
- sid.toString(printable_buf, sizeof(printable_buf));
- DbgPrint(dbg_ctl, "ssl_get_cached_session cached session '%s' context %p", printable_buf, SSL_get_SSL_CTX(ssl));
- }
- }
-
- APIHook *hook = SSLAPIHooks::instance()->get(TSSslHookInternalID(TS_SSL_SESSION_HOOK));
- while (hook) {
- hook->invoke(TS_EVENT_SSL_SESSION_GET, &sid);
- hook = hook->m_link.next;
- }
-
- SSL_SESSION *session = nullptr;
- ssl_session_cache_exdata *exdata = nullptr;
- if (session_cache->getSession(sid, &session, &exdata)) {
- ink_assert(session);
- ink_assert(exdata);
-
- // Double check the timeout
- if (is_ssl_session_timed_out(session)) {
- Metrics::Counter::increment(ssl_rsb.session_cache_miss);
-// Due to bug in openssl, the timeout is checked, but only removed
-// from the openssl built-in hash table. The external remove cb is not called
-#if 0 // This is currently eliminated, since it breaks things in odd ways (see TS-3710)
- ssl_rm_cached_session(SSL_get_SSL_CTX(ssl), session);
-#endif
- SSL_SESSION_free(session);
- session = nullptr;
- } else {
- Metrics::Counter::increment(ssl_rsb.session_cache_hit);
- this->_setSSLSessionCacheHit(true);
- this->_setSSLCurveNID(exdata->curve);
- }
- } else {
- Metrics::Counter::increment(ssl_rsb.session_cache_miss);
- }
- return session;
-}
-
std::shared_ptr<SSL_SESSION>
TLSSessionResumptionSupport::getOriginSession(const std::string &lookup_key)
{
diff --git a/src/records/RecordsConfig.cc b/src/records/RecordsConfig.cc
index 111a87c..f773261 100644
--- a/src/records/RecordsConfig.cc
+++ b/src/records/RecordsConfig.cc
@@ -1168,20 +1168,8 @@
,
{RECT_CONFIG, "proxy.config.ssl.origin_session_cache.size", RECD_INT, "10240", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
,
- {RECT_CONFIG, "proxy.config.ssl.session_cache.value", RECD_INT, "2", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.session_cache.size", RECD_INT, "102400", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.session_cache.num_buckets", RECD_INT, "256", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.session_cache.skip_cache_on_bucket_contention", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
{RECT_CONFIG, "proxy.config.ssl.max_record_size", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, "[0-16383]", RECA_NULL}
,
- {RECT_CONFIG, "proxy.config.ssl.session_cache.timeout", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.session_cache.auto_clear", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
- ,
{RECT_CONFIG, "proxy.config.ssl.hsts_max_age", RECD_INT, "-1", RECU_DYNAMIC, RR_NULL, RECC_STR, "^-?[0-9]+$", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.hsts_include_subdomains", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
diff --git a/tests/gold_tests/pluginTest/stek_share/stek_share.test.py b/tests/gold_tests/pluginTest/stek_share/stek_share.test.py
index de320d6..8dcaf78 100644
--- a/tests/gold_tests/pluginTest/stek_share/stek_share.test.py
+++ b/tests/gold_tests/pluginTest/stek_share/stek_share.test.py
@@ -164,10 +164,6 @@
'proxy.config.exec_thread.limit': 4,
'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
'proxy.config.ssl.server.private_key.path': '{0}'.format(Test.RunDirectory),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 1024,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 16,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
@@ -184,10 +180,6 @@
'proxy.config.exec_thread.limit': 4,
'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
'proxy.config.ssl.server.private_key.path': '{0}'.format(Test.RunDirectory),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 1024,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 16,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
@@ -204,10 +196,6 @@
'proxy.config.exec_thread.limit': 4,
'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
'proxy.config.ssl.server.private_key.path': '{0}'.format(Test.RunDirectory),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 1024,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 16,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
@@ -224,10 +212,6 @@
'proxy.config.exec_thread.limit': 4,
'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
'proxy.config.ssl.server.private_key.path': '{0}'.format(Test.RunDirectory),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 1024,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 16,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
@@ -244,10 +228,6 @@
'proxy.config.exec_thread.limit': 4,
'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
'proxy.config.ssl.server.private_key.path': '{0}'.format(Test.RunDirectory),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 1024,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 16,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
diff --git a/tests/gold_tests/tls/tls_0rtt_server.test.py b/tests/gold_tests/tls/tls_0rtt_server.test.py
index a23230f..babebe3 100644
--- a/tests/gold_tests/tls/tls_0rtt_server.test.py
+++ b/tests/gold_tests/tls/tls_0rtt_server.test.py
@@ -104,10 +104,6 @@
'proxy.config.exec_thread.limit': 8,
'proxy.config.ssl.server.cert.path': '{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts1.Variables.SSLDir),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 512000,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 32768,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.max_early_data': 16384,
'proxy.config.ssl.server.allow_early_data_params': 0,
@@ -133,10 +129,6 @@
'proxy.config.exec_thread.limit': 8,
'proxy.config.ssl.server.cert.path': '{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts1.Variables.SSLDir),
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 512000,
- 'proxy.config.ssl.session_cache.timeout': 7200,
- 'proxy.config.ssl.session_cache.num_buckets': 32768,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.server.max_early_data': 0,
'proxy.config.ssl.server.allow_early_data_params': 0,
diff --git a/tests/gold_tests/tls/tls_origin_session_reuse.test.py b/tests/gold_tests/tls/tls_origin_session_reuse.test.py
index 0732dd3..3ba1b12 100644
--- a/tests/gold_tests/tls/tls_origin_session_reuse.test.py
+++ b/tests/gold_tests/tls/tls_origin_session_reuse.test.py
@@ -64,12 +64,6 @@
'proxy.config.ssl.server.cert.path': '{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts1.Variables.SSLDir),
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.origin_session_cache.enabled': 1,
'proxy.config.ssl.origin_session_cache.size': 1,
@@ -83,12 +77,6 @@
'proxy.config.ssl.server.cert.path': '{0}'.format(ts2.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts2.Variables.SSLDir),
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.origin_session_cache.enabled': 1,
'proxy.config.ssl.origin_session_cache.size': 1,
@@ -100,12 +88,6 @@
'proxy.config.ssl.server.cert.path': '{0}'.format(ts3.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts3.Variables.SSLDir),
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.origin_session_cache.enabled': 1,
'proxy.config.ssl.origin_session_cache.size': 1,
@@ -119,12 +101,6 @@
'proxy.config.ssl.server.cert.path': '{0}'.format(ts4.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts4.Variables.SSLDir),
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
'proxy.config.ssl.server.session_ticket.enable': 1,
'proxy.config.ssl.origin_session_cache.enabled': 0,
'proxy.config.ssl.origin_session_cache.size': 1,
diff --git a/tests/gold_tests/tls/tls_session_reuse.test.py b/tests/gold_tests/tls/tls_session_reuse.test.py
index ff0c25e..6647b16 100644
--- a/tests/gold_tests/tls/tls_session_reuse.test.py
+++ b/tests/gold_tests/tls/tls_session_reuse.test.py
@@ -26,7 +26,6 @@
# Define default ATS
ts1 = Test.MakeATSProcess("ts1", enable_tls=True)
ts2 = Test.MakeATSProcess("ts2", enable_tls=True)
-ts3 = Test.MakeATSProcess("ts3", enable_tls=True)
server = Test.MakeOriginServer("server")
# Add info the origin server responses
@@ -39,124 +38,111 @@
ts1.addSSLfile("ssl/server.key")
ts2.addSSLfile("ssl/server.pem")
ts2.addSSLfile("ssl/server.key")
-ts3.addSSLfile("ssl/server.pem")
-ts3.addSSLfile("ssl/server.key")
ts1.Disk.remap_config.AddLine('map / http://127.0.0.1:{0}'.format(server.Variables.Port))
ts2.Disk.remap_config.AddLine('map / http://127.0.0.1:{0}'.format(server.Variables.Port))
-ts3.Disk.remap_config.AddLine('map / http://127.0.0.1:{0}'.format(server.Variables.Port))
ts1.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key')
ts2.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key')
-ts3.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key')
ts1.Disk.records_config.update(
{
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl',
'proxy.config.ssl.server.cert.path': '{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts1.Variables.SSLDir),
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
- 'proxy.config.ssl.server.session_ticket.enable': 0,
+ 'proxy.config.ssl.server.session_ticket.enable': 1,
+ 'proxy.config.ssl.server.session_ticket.number': 2,
})
ts2.Disk.records_config.update(
{
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl',
'proxy.config.ssl.server.cert.path': '{0}'.format(ts2.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts2.Variables.SSLDir),
'proxy.config.ssl.server.cipher_suite':
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 2,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
- 'proxy.config.ssl.server.session_ticket.enable': 1,
- })
-ts3.Disk.records_config.update(
- {
- 'proxy.config.ssl.server.cert.path': '{0}'.format(ts3.Variables.SSLDir),
- 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts3.Variables.SSLDir),
- 'proxy.config.ssl.server.cipher_suite':
- 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
- 'proxy.config.exec_thread.autoconfig.scale': 1.0,
- 'proxy.config.ssl.session_cache.value': 0,
- 'proxy.config.ssl.session_cache.size': 4096,
- 'proxy.config.ssl.session_cache.num_buckets': 256,
- 'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
- 'proxy.config.ssl.session_cache.timeout': 0,
- 'proxy.config.ssl.session_cache.auto_clear': 1,
- 'proxy.config.ssl.server.session_ticket.enable': 1,
+ 'proxy.config.ssl.server.session_ticket.enable': 0,
+ 'proxy.config.ssl.server.session_ticket.number': 0,
})
-def check_session(ev, test):
+def check_session(output_path, tls_ver, reuse_count):
retval = False
- f = open(test.GetContent(ev), 'r')
- err = "Session ids match"
+ f = open(output_path, 'r')
if not f:
- err = "Failed to open {0}".format(openssl_output)
- return (retval, "Check that session ids match", err)
+ err = "Failed to open {0}".format(output_path)
+ return (retval, "Check session is reused", err)
content = f.read()
- match = re.findall('Session-ID: ([0-9A-F]+)', content)
-
- if match:
- if all(i == j for i, j in zip(match, match[1:])):
- err = "{0} reused successfully {1} times".format(match[0], len(match) - 1)
- retval = True
- else:
- err = "Session is not being reused as expected"
+ match = re.findall(f'Reused, {tls_ver}', content)
+ if len(match) == reuse_count:
+ retval = True
+ err = "Reused successfully {0} times".format(len(match))
else:
- err = "Didn't find session id"
- return (retval, "Check that session ids match", err)
+ err = "Session is not being reused as expected"
+ f.close()
+ return (retval, "Check session is reused", err)
-tr = Test.AddTestRun("TLSv1.2 Session ID")
-tr.Command = \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_out {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1}' \
- .format(ts1.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess.dat'))
-tr.ReturnCode = 0
-tr.Processes.Default.StartBefore(server)
-tr.Processes.Default.StartBefore(ts1)
-tr.Processes.Default.Streams.All.Content = Testers.Lambda(check_session)
-tr.StillRunningAfter = server
-
-tr1 = Test.AddTestRun("TLSv1.2 Session Ticket")
+tr1 = Test.AddTestRun("TLSv1.2 Session Resumption Enabled")
tr1.Command = \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_out {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_in {1}' \
- .format(ts2.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess.dat'))
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_out {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2' \
+ .format(ts1.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess1.dat'))
tr1.ReturnCode = 0
-tr1.Processes.Default.StartBefore(ts2)
-tr1.Processes.Default.Streams.All.Content = Testers.Lambda(check_session)
-tr1.StillRunningAfter = server
+tr1.Processes.Default.StartBefore(server)
+tr1.Processes.Default.StartBefore(ts1)
+tr1.Processes.Default.Streams.All.Content = Testers.Lambda(
+ lambda info, tester: check_session(tr1.Processes.Default.Streams.All.AbsPath, 'TLSv1.2', 5))
+tr1.StillRunningAfter += server
+tr1.StillRunningAfter += ts1
-tr2 = Test.AddTestRun("Disabled Session Cache")
+tr2 = Test.AddTestRun("TLSv1.3 Session Resumption Enabled")
tr2.Command = \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_out {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
- 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1}' \
- .format(ts3.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess.dat'))
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_out {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2' \
+ .format(ts1.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess2.dat'))
tr2.ReturnCode = 0
-tr2.Processes.Default.StartBefore(ts3)
-tr2.Processes.Default.Streams.All = Testers.ExcludesExpression('Reused', '')
+tr2.Processes.Default.Streams.All.Content = Testers.Lambda(
+ lambda info, tester: check_session(tr2.Processes.Default.Streams.All.AbsPath, 'TLSv1.2', 5))
+tr2.StillRunningAfter += server
+
+tr3 = Test.AddTestRun("TLSv1.2 Session Resumption Disabled")
+tr3.Command = \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_out {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_2' \
+ .format(ts2.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess3.dat'))
+tr3.Processes.Default.StartBefore(ts2)
+tr3.Processes.Default.Streams.All = Testers.ExcludesExpression('Reused', '')
+tr3.Processes.Default.Streams.All += Testers.ContainsExpression('TLSv1.2', '')
+tr3.StillRunningAfter += server
+tr3.StillRunningAfter += ts2
+
+tr4 = Test.AddTestRun("TLSv1.3 Session Resumption Disabled")
+tr4.Command = \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_out {1} -tls1_3 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_3 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_3 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_3 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_3 && ' \
+ 'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in {1} -tls1_3' \
+ .format(ts2.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess4.dat'))
+tr4.Processes.Default.Streams.All = Testers.ExcludesExpression('Reused', '')
+tr4.Processes.Default.Streams.All += Testers.ContainsExpression('TLSv1.3', '')