From c332d19048735e32e2754685fa3c8654ca068b78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 21 Aug 2018 12:32:39 +0200
Subject: [PATCH] Exclude TLSv1.3 from t/session_ticket.t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The test fails with OpenSSL 1.1.1 because SSL_get1_session() is not
reliable with TLSv1.3. A proper resumption support would need
migration to SSL_CTX_sess_set_new_cb() API.

This patch also performs full SSL_shutdown in the test because
SSL_get1_session() manual documents that a connection must be properly
SSL_shutdowned, otherwise the session will be removed from the
(internal) session cache.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 t/session_ticket.t | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/t/session_ticket.t b/t/session_ticket.t
index bff6a86..69cbc96 100644
--- a/t/session_ticket.t
+++ b/t/session_ticket.t
@@ -69,7 +69,7 @@ my $client = sub {
     diag("connect to $i: ".
 	($cl ? "success reuse=$reuse" : "error: $!,$SSL_ERROR"));
     is($reuse,$expect_reuse,$desc);
-    close($cl);
+    $cl->close('SSL_fast_shutdown' => 0);
 };
 
 
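Review bot: `$cl->close('SSL_fast_shutdown' => 0)` is a method call, so it dies with "Can't call method" when `$cl` is undefined, and the `diag` two lines above explicitly allows for a failed connect (`$cl ? ... : "error: ..."`). That would abort the whole test script instead of recording one failed `is()`; guard it with `$cl->close('SSL_fast_shutdown' => 0) if $cl;`. A full shutdown presumably also waits for the peer's close_notify, and no timeout is visible on the client side here, whereas the server-side close in the `@@ -158,7 +163,7 @@` hunk still runs before `alarm(0)`. The client sub starts outside this hunk, so a guard or timeout may already exist above line 69.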
@@ -123,6 +123,11 @@ sub _server {
 	    SSL_verify_mode => SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 	    SSL_ticket_keycb => $get_ticket_key,
 	    SSL_session_id_context => 'foobar',
+	    SSL_version => 'SSLv23:!TLSv1_3', # TLSv1.3 sends session tickes after
+		# a handshake, this SSL_get1_session() is not reliable anymore.
+		# Exclude TLSv1.3 from tests. Proper TLSv1.3 session resumption
+		# will need SSL_CTX_sess_set_new_cb().
+		# <https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/>
 	) or die "failed to create SSL context: $SSL_ERROR";
     }
 
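Review bot: The comment attached to the new `SSL_version` entry has typos that blur its reasoning ("tickes", and "this" where "thus" is meant), and it trails the hash entry before spilling onto four continuation lines. It would read better as a block above the key, along the lines of `# TLSv1.3 sends session tickets after the handshake, so SSL_get1_session() is unreliable; exclude TLSv1.3 until the test uses SSL_CTX_sess_set_new_cb().` With TLSv1.3 disabled on the server context, the `SSL_ticket_keycb` path is no longer exercised under the newest protocol version, so a `# TODO:` marker would keep that coverage gap visible. The context constructor call and `_server` both start and end outside this hunk.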
@@ -158,7 +163,7 @@ sub _server {
 		print "rotate secrets\n";
 		push @secrets, shift(@secrets);
 	    }
-	    close($cl);
+	    $cl->close('SSL_fast_shutdown' => 0);
 	    alarm(0);
 	    last;
 	}
-- 
2.14.4