From b76a7e2f7697b3c783e9f6699dc6fce607264841 Mon Sep 17 00:00:00 2001 From: inoguchi Date: Thu, 23 Aug 2018 14:54:28 +0000 Subject: [PATCH] Check reusing SSL/TLS session ticket by regression test - Added checking for session ticket reusing with using openssl(1) s_server and s_client command in appstest.sh - Confirm certificate verification status. - Save s_server message to log file. ok tb@ and jsing@ --- regress/usr.bin/openssl/appstest.sh | 46 ++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 8 deletions(-) diff --git a/regress/usr.bin/openssl/appstest.sh b/regress/usr.bin/openssl/appstest.sh index f82b0bef246..6ec3170aaa2 100755 --- a/regress/usr.bin/openssl/appstest.sh +++ b/regress/usr.bin/openssl/appstest.sh @@ -917,26 +917,56 @@ section_message "client/server operations" host="localhost" port=4433 -sess_log=$user1_dir/s_client_sess.log -s_client_out=$user1_dir/s_client.out +sess_dat=$user1_dir/s_client_sess.dat +s_server_out=$server_dir/s_server.out +s_client_1_out=$user1_dir/s_client_1.out +s_client_2_out=$user1_dir/s_client_2.out +s_client_3_out=$user1_dir/s_client_3.out start_message "s_server ... start SSL/TLS test server" $openssl_bin s_server -accept $port -CAfile $ca_cert \ -cert $server_cert -key $server_key -pass pass:$server_pass \ -context "appstest.sh" -id_prefix "APPSTEST.SH" \ -crl_check -no_ssl2 -no_ssl3 -no_tls1 \ - -nextprotoneg "http/1.1,spdy/3" -alpn "http/1.1,spdy/3" \ - -www -quiet & + -nextprotoneg "http/1.1,spdy/3" -alpn "http/1.1,spdy/3" -www \ + -msg -tlsextdebug > $s_server_out 2>&1 & check_exit_status $? s_server_pid=$! echo "s_server pid = [ $s_server_pid ]" sleep 1 start_message "s_client ... connect to SSL/TLS test server" -$openssl_bin s_client -connect $host:$port -CAfile $ca_cert \ - -showcerts -crl_check -issuer_checks -policy_check -pause -prexit \ +$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \ -nextprotoneg "spdy/3,http/1.1" -alpn "spdy/3,http/1.1" \ - -sess_out $sess_log < /dev/null > $s_client_out 2>&1 + -sess_out $sess_dat \ + -msg -tlsextdebug < /dev/null > $s_client_1_out 2>&1 +check_exit_status $? + +grep 'New, TLSv1/SSLv3' $s_client_1_out > /dev/null +check_exit_status $? + +grep 'Verify return code: 0 (ok)' $s_client_1_out > /dev/null +check_exit_status $? + +start_message "s_client ... connect to SSL/TLS test server reusing session id" +$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \ + -sess_in $sess_dat \ + -msg -tlsextdebug < /dev/null > $s_client_2_out 2>&1 +check_exit_status $? + +grep 'Reused, TLSv1/SSLv3' $s_client_2_out > /dev/null +check_exit_status $? + +grep 'Verify return code: 0 (ok)' $s_client_2_out > /dev/null +check_exit_status $? + +start_message "s_client ... connect to SSL/TLS test server but verify error" +$openssl_bin s_client -connect $host:$port -CAfile $ca_cert -pause -prexit \ + -showcerts -crl_check -issuer_checks -policy_check \ + -msg -tlsextdebug < /dev/null > $s_client_3_out 2>&1 +check_exit_status $? + +grep 'Verify return code: 24 (invalid CA certificate)' $s_client_3_out > /dev/null check_exit_status $? start_message "s_time ... connect to SSL/TLS test server" @@ -944,7 +974,7 @@ $openssl_bin s_time -connect $host:$port -CAfile $ca_cert -time 2 check_exit_status $? start_message "sess_id" -$openssl_bin sess_id -in $sess_log -text -out $sess_log.out +$openssl_bin sess_id -in $sess_dat -text -out $sess_dat.out check_exit_status $? sleep 1 -- 2.20.1