From fd882fb6819fb8b48b09e24ff71748d1bae35e43 Mon Sep 17 00:00:00 2001 From: Samuel Chiang Date: Wed, 12 Feb 2025 02:12:05 +0000 Subject: [PATCH] [ruby/openssl] test_ssl_session.rb: test adjustments to work with AWS-LC The SSL SESSION files we were originally testing against use DHE and SSLv3. AWS-LC happens to have no support for either and we have newer possible alternatives available, so I've updated the respective files to use ECDHE-RSA-AES256-SHA with TLS 1.1 and 1.2. I've verified that these work as expected with all libcryptos we support. There are also a few SSL session discrepencies in AWS-LC when compared to OpenSSL. 1. AWS-LC has no support for internal session caching on the client-end. 2. AWS-LC supports internal session caching on the server, but SSL_get1_session does not return a resumable session with TLS 1.3 in AWS-LC. Users have to use the SSL_CTX_sess_set_new_cb (ctx.session_new_cb in Ruby) to retrieve the resumable session ticket. 3. AWS-LC has no current support for external session caching in TLS 1.3. https://github.com/ruby/openssl/commit/ca384b8e2f --- test/openssl/test_ssl_session.rb | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb index d1ef9cd3db..f453f58657 100644 --- a/test/openssl/test_ssl_session.rb +++ b/test/openssl/test_ssl_session.rb @@ -30,9 +30,10 @@ class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase end end + # PEM file updated to use TLS 1.2 with ECDHE-RSA-AES256-SHA. DUMMY_SESSION = <<__EOS__ -----BEGIN SSL SESSION PARAMETERS----- -MIIDzQIBAQICAwEEAgA5BCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad +MIIDzQIBAQICAwMEAsAUBCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5 @@ -56,9 +57,10 @@ j+RBGfCFrrQbBdnkFI/ztgM= -----END SSL SESSION PARAMETERS----- __EOS__ + # PEM file updated to use TLS 1.1 with ECDHE-RSA-AES256-SHA. DUMMY_SESSION_NO_EXT = <<-__EOS__ -----BEGIN SSL SESSION PARAMETERS----- -MIIDCAIBAQICAwAEAgA5BCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+ +MIIDCAIBAQICAwIEAsAUBCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+ lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53 hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi @@ -122,7 +124,8 @@ __EOS__ ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET # Disable server-side session cache which is enabled by default ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF - ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl? + # Session tickets must be retrieved via ctx.session_new_cb in TLS 1.3 in AWS-LC. + ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl? || aws_lc? } start_server(ctx_proc: ctx_proc) do |port| sess1 = server_connect_with_session(port, nil, nil) { |ssl| @@ -239,20 +242,25 @@ __EOS__ end server_connect_with_session(port, ctx, nil) { |ssl| - assert_equal(1, ctx.session_cache_stats[:cache_num]) assert_equal(1, ctx.session_cache_stats[:connect_good]) assert_equal([ssl, ssl.session], called[:new]) - assert_equal(true, ctx.session_remove(ssl.session)) - assert_equal(false, ctx.session_remove(ssl.session)) - if TEST_SESSION_REMOVE_CB - assert_equal([ctx, ssl.session], called[:remove]) + # AWS-LC doesn't support internal session caching on the client, but + # the callback is still enabled as expected. + unless aws_lc? + assert_equal(1, ctx.session_cache_stats[:cache_num]) + assert_equal(true, ctx.session_remove(ssl.session)) + if TEST_SESSION_REMOVE_CB + assert_equal([ctx, ssl.session], called[:remove]) + end end + assert_equal(false, ctx.session_remove(ssl.session)) } end end def test_ctx_client_session_cb_tls13 omit "LibreSSL does not call session_new_cb in TLS 1.3" if libressl? + omit "AWS-LC does not support internal session caching on the client" if aws_lc? start_server do |port| called = {}