From c332d19048735e32e2754685fa3c8654ca068b78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 21 Aug 2018 12:32:39 +0200
Subject: [PATCH] Exclude TLSv1.3 from t/session_ticket.t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The test fails with OpenSSL 1.1.1 because SSL_get1_session() is not
reliable with TLSv1.3. A proper resumption support would need
migration to SSL_CTX_sess_set_new_cb() API.
This patch also performs full SSL_shutdown in the test because
SSL_get1_session() manual documents that a connection must be properly
SSL_shutdowned, otherwise the session will be removed from the
(internal) session cache.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
t/session_ticket.t | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
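--- a/t/session_ticket.t
+++ b/t/session_ticket.t
@@ -69,7 +69,7 @@ my $client = sub {
 diag("connect to $i: ".
 ($cl ? "success reuse=$reuse" : "error: $!,$SSL_ERROR"));
 is($reuse,$expect_reuse,$desc);
- close($cl);
+ $cl->close('SSL_fast_shutdown' => 0);
 };
 
 
@@ -123,6 +123,11 @@ sub _server {
 SSL_verify_mode => SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 SSL_ticket_keycb => $get_ticket_key,
 SSL_session_id_context => 'foobar',
+ SSL_version => 'SSLv23:!TLSv1_3', # TLSv1.3 sends session tickes after
+ # a handshake, this SSL_get1_session() is not reliable anymore.
+ # Exclude TLSv1.3 from tests. Proper TLSv1.3 session resumption
+ # will need SSL_CTX_sess_set_new_cb().
+ # <https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/>
 ) or die "failed to create SSL context: $SSL_ERROR";
 }
 
@@ -158,7 +163,7 @@ sub _server {
 print "rotate secrets\n";
 push @secrets, shift(@secrets);
 }
- close($cl);
+ $cl->close('SSL_fast_shutdown' => 0);
 alarm(0);
 last;
 }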
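Review bot: The added `SSL_version => 'SSLv23:!TLSv1_3'` in the `_server` context hunk switches TLS 1.3 off for the whole test with no trace in the test output, so ticket-key rotation and session resumption stay unverified for that protocol version. A visible marker beside it, for example `diag("TLSv1.3 excluded: session resumption is only tested up to TLSv1.2");`, would keep the gap from being read as coverage. Whether `!TLSv1_3` is accepted when the module runs against an OpenSSL build without TLS 1.3 cannot be seen from these lines and is worth confirming. In the `$client` hunk the result of the full shutdown is discarded, although the commit message says the session only stays cached after a proper shutdown; `$cl->close('SSL_fast_shutdown' => 0) or diag("full shutdown failed: $SSL_ERROR");` would surface a failed close_notify exchange. Both `$client` and `_server` begin and end outside the hunks.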
--
2.14.4