[ruby/openssl] test_ssl_session.rb: test adjustments to work with AWS-LC

The SSL SESSION files we were originally testing against use DHE and SSLv3. AWS-LC happens to have no support for either and we have newer possible alternatives available, so I've updated the respective files to use ECDHE-RSA-AES256-SHA with TLS 1.1 and 1.2. I've verified that these work as expected with all libcryptos we support. There are also a few SSL session discrepencies in AWS-LC when compared to OpenSSL. 1. AWS-LC has no support for internal session caching on the client-end. 2. AWS-LC supports internal session caching on the server, but SSL_get1_session does not return a resumable session with TLS 1.3 in AWS-LC. Users have to use the SSL_CTX_sess_set_new_cb (ctx.session_new_cb in Ruby) to retrieve the resumable session ticket. 3. AWS-LC has no current support for external session caching in TLS 1.3. https://github.com/ruby/openssl/commit/ca384b8e2f
2025-02-12 02:12:05 +00:00 · 2025-02-12 02:12:05 +00:00 · fd882fb681
commit fd882fb681
parent 7a15ba48b5
1 changed files with 16 additions and 8 deletions
--- a/test/openssl/test_ssl_session.rb
+++ b/test/openssl/test_ssl_session.rb
@ -30,9 +30,10 @@ class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase
    end
  end

+  # PEM file updated to use TLS 1.2 with ECDHE-RSA-AES256-SHA.
  DUMMY_SESSION = <<__EOS__
 -----BEGIN SSL SESSION PARAMETERS-----
-MIIDzQIBAQICAwEEAgA5BCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad
+MIIDzQIBAQICAwMEAsAUBCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad
 MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy
 NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB
 BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5
@ -56,9 +57,10 @@ j+RBGfCFrrQbBdnkFI/ztgM=
 -----END SSL SESSION PARAMETERS-----
 __EOS__

+  # PEM file updated to use TLS 1.1 with ECDHE-RSA-AES256-SHA.
  DUMMY_SESSION_NO_EXT = <<-__EOS__
 -----BEGIN SSL SESSION PARAMETERS-----
-MIIDCAIBAQICAwAEAgA5BCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+
+MIIDCAIBAQICAwIEAsAUBCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+
 lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53
 hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B
 AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi
@ -122,7 +124,8 @@ __EOS__
      ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET
      # Disable server-side session cache which is enabled by default
      ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF
-      ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?
+      # Session tickets must be retrieved via ctx.session_new_cb in TLS 1.3 in AWS-LC.
+      ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl? || aws_lc?
    }
    start_server(ctx_proc: ctx_proc) do |port|
      sess1 = server_connect_with_session(port, nil, nil) { |ssl|
@ -239,20 +242,25 @@ __EOS__
      end

      server_connect_with_session(port, ctx, nil) { |ssl|
-        assert_equal(1, ctx.session_cache_stats[:cache_num])
        assert_equal(1, ctx.session_cache_stats[:connect_good])
        assert_equal([ssl, ssl.session], called[:new])
-        assert_equal(true, ctx.session_remove(ssl.session))
-        assert_equal(false, ctx.session_remove(ssl.session))
-        if TEST_SESSION_REMOVE_CB
-          assert_equal([ctx, ssl.session], called[:remove])
+        # AWS-LC doesn't support internal session caching on the client, but
+        # the callback is still enabled as expected.
+        unless aws_lc?
+          assert_equal(1, ctx.session_cache_stats[:cache_num])
+          assert_equal(true, ctx.session_remove(ssl.session))
+          if TEST_SESSION_REMOVE_CB
+            assert_equal([ctx, ssl.session], called[:remove])
+          end
        end
+        assert_equal(false, ctx.session_remove(ssl.session))
      }
    end
  end

  def test_ctx_client_session_cb_tls13
    omit "LibreSSL does not call session_new_cb in TLS 1.3" if libressl?
+    omit "AWS-LC does not support internal session caching on the client" if aws_lc?

    start_server do |port|
      called = {}