SSL_F_CIPHERSUITE_CB:622:ciphersuite_cb
SSL_F_CONSTRUCT_CA_NAMES:552:construct_ca_names
SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS:553:construct_key_exchange_tbs
+SSL_F_CONSTRUCT_STATEFUL_TICKET:636:construct_stateful_ticket
+SSL_F_CONSTRUCT_STATELESS_TICKET:637:construct_stateless_ticket
SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH:539:create_synthetic_message_hash
+SSL_F_CREATE_TICKET_PREQUEL:638:create_ticket_prequel
SSL_F_CT_MOVE_SCTS:345:ct_move_scts
SSL_F_CT_STRICT:349:ct_strict
SSL_F_CUSTOM_EXT_ADD:554:custom_ext_add
# define SSL_F_CIPHERSUITE_CB 622
# define SSL_F_CONSTRUCT_CA_NAMES 552
# define SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS 553
+# define SSL_F_CONSTRUCT_STATEFUL_TICKET 636
+# define SSL_F_CONSTRUCT_STATELESS_TICKET 637
# define SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH 539
-# define SSL_F_CREATE_TICKET_PREQUEL 636
+# define SSL_F_CREATE_TICKET_PREQUEL 638
# define SSL_F_CT_MOVE_SCTS 345
# define SSL_F_CT_STRICT 349
# define SSL_F_CUSTOM_EXT_ADD 554
{ERR_PACK(ERR_LIB_SSL, SSL_F_CONSTRUCT_CA_NAMES, 0), "construct_ca_names"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS, 0),
"construct_key_exchange_tbs"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_CONSTRUCT_STATEFUL_TICKET, 0),
+ "construct_stateful_ticket"},
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_CONSTRUCT_STATELESS_TICKET, 0),
+ "construct_stateless_ticket"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH, 0),
"create_synthetic_message_hash"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_CREATE_TICKET_PREQUEL, 0),
&& (!s->hit || SSL_IS_TLS13(s))) {
/*
* Add the session to the internal cache. In server side TLSv1.3 we
- * normally don't do this because its a full stateless ticket with only
- * a dummy session id so there is no reason to cache it, unless:
+ * normally don't do this because by default it's a full stateless ticket
+ * with only a dummy session id so there is no reason to cache it,
+ * unless:
* - we are doing early_data, in which case we cache so that we can
* detect replays
* - the application has set a remove_session_cb so needs to know about
* session timeout events
+ * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket
*/
if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0
&& (!SSL_IS_TLS13(s)
|| !s->server
|| s->max_early_data > 0
- || s->session_ctx->remove_session_cb != NULL))
+ || s->session_ctx->remove_session_cb != NULL
+ || (s->options & SSL_OP_NO_TICKET) != 0))
SSL_CTX_add_session(s->session_ctx, s->session);
/*
void ssl_cert_free(CERT *c);
__owur int ssl_generate_session_id(SSL *s, SSL_SESSION *ss);
__owur int ssl_get_new_session(SSL *s, int session);
+__owur SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
+ size_t sess_id_len);
__owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello);
__owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
__owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
#include <openssl/rand.h>
#include <openssl/engine.h>
#include "internal/refcount.h"
+#include "internal/cryptlib.h"
#include "ssl_locl.h"
#include "statem/statem_locl.h"
return 1;
}
+SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
+ size_t sess_id_len)
+{
+ SSL_SESSION *ret = NULL;
+ int discard;
+
+ if ((s->session_ctx->session_cache_mode
+ & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP) == 0) {
+ SSL_SESSION data;
+
+ data.ssl_version = s->version;
+ if (!ossl_assert(sess_id_len <= SSL_MAX_SSL_SESSION_ID_LENGTH))
+ return NULL;
+
+ memcpy(data.session_id, sess_id, sess_id_len);
+ data.session_id_length = sess_id_len;
+
+ CRYPTO_THREAD_read_lock(s->session_ctx->lock);
+ ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
+ if (ret != NULL) {
+ /* don't allow other threads to steal it: */
+ SSL_SESSION_up_ref(ret);
+ }
+ CRYPTO_THREAD_unlock(s->session_ctx->lock);
+ if (ret == NULL)
+ CRYPTO_atomic_add(&s->session_ctx->stats.sess_miss, 1, &discard,
+ s->session_ctx->lock);
+ }
+
+ if (ret == NULL && s->session_ctx->get_session_cb != NULL) {
+ int copy = 1;
+
+ ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©);
+
+ if (ret != NULL) {
+ CRYPTO_atomic_add(&s->session_ctx->stats.sess_cb_hit, 1, &discard,
+ s->session_ctx->lock);
+
+ /*
+ * Increment reference count now if the session callback asks us
+ * to do so (note that if the session structures returned by the
+ * callback are shared between threads, it must handle the
+ * reference count itself [i.e. copy == 0], or things won't be
+ * thread-safe).
+ */
+ if (copy)
+ SSL_SESSION_up_ref(ret);
+
+ /*
+ * Add the externally cached session to the internal cache as
+ * well if and only if we are supposed to.
+ */
+ if ((s->session_ctx->session_cache_mode &
+ SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0) {
+ /*
+ * Either return value of SSL_CTX_add_session should not
+ * interrupt the session resumption process. The return
+ * value is intentionally ignored.
+ */
+ (void)SSL_CTX_add_session(s->session_ctx, ret);
+ }
+ }
+ }
+
+ return ret;
+}
+
/*-
* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
* connection. It is only called by servers.
goto err;
case SSL_TICKET_NONE:
case SSL_TICKET_EMPTY:
- if (hello->session_id_len > 0)
+ if (hello->session_id_len > 0) {
try_session_cache = 1;
+ ret = lookup_sess_in_cache(s, hello->session_id,
+ hello->session_id_len);
+ }
break;
case SSL_TICKET_NO_DECRYPT:
case SSL_TICKET_SUCCESS:
}
}
- if (try_session_cache &&
- ret == NULL &&
- !(s->session_ctx->session_cache_mode &
- SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
- SSL_SESSION data;
-
- data.ssl_version = s->version;
- memcpy(data.session_id, hello->session_id, hello->session_id_len);
- data.session_id_length = hello->session_id_len;
-
- CRYPTO_THREAD_read_lock(s->session_ctx->lock);
- ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
- if (ret != NULL) {
- /* don't allow other threads to steal it: */
- SSL_SESSION_up_ref(ret);
- }
- CRYPTO_THREAD_unlock(s->session_ctx->lock);
- if (ret == NULL)
- CRYPTO_atomic_add(&s->session_ctx->stats.sess_miss, 1, &discard,
- s->session_ctx->lock);
- }
-
- if (try_session_cache &&
- ret == NULL && s->session_ctx->get_session_cb != NULL) {
- int copy = 1;
-
- ret = s->session_ctx->get_session_cb(s, hello->session_id,
- hello->session_id_len,
- ©);
-
- if (ret != NULL) {
- CRYPTO_atomic_add(&s->session_ctx->stats.sess_cb_hit, 1, &discard,
- s->session_ctx->lock);
-
- /*
- * Increment reference count now if the session callback asks us
- * to do so (note that if the session structures returned by the
- * callback are shared between threads, it must handle the
- * reference count itself [i.e. copy == 0], or things won't be
- * thread-safe).
- */
- if (copy)
- SSL_SESSION_up_ref(ret);
-
- /*
- * Add the externally cached session to the internal cache as
- * well if and only if we are supposed to.
- */
- if (!
- (s->session_ctx->session_cache_mode &
- SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
- /*
- * Either return value of SSL_CTX_add_session should not
- * interrupt the session resumption process. The return
- * value is intentionally ignored.
- */
- SSL_CTX_add_session(s->session_ctx, ret);
- }
- }
- }
-
if (ret == NULL)
goto err;
return 1;
}
+static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
+ SSL_SESSION **sess)
+{
+ SSL_SESSION *tmpsess = NULL;
+
+ switch (PACKET_remaining(tick)) {
+ case 0:
+ return SSL_TICKET_EMPTY;
+
+ case SSL_MAX_SSL_SESSION_ID_LENGTH:
+ break;
+
+ default:
+ return SSL_TICKET_NO_DECRYPT;
+ }
+
+ tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
+ SSL_MAX_SSL_SESSION_ID_LENGTH);
+
+ if (tmpsess == NULL)
+ return SSL_TICKET_NO_DECRYPT;
+
+ s->ext.ticket_expected = 1;
+ *sess = tmpsess;
+ return SSL_TICKET_SUCCESS;
+}
+
int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx)
{
uint32_t ticket_age = 0, now, agesec, agems;
int ret;
- ret = tls_decrypt_ticket(s, PACKET_data(&identity),
- PACKET_remaining(&identity), NULL, 0,
- &sess);
+ if ((s->options & SSL_OP_NO_TICKET) != 0)
+ ret = tls_get_stateful_ticket(s, &identity, &sess);
+ else
+ ret = tls_decrypt_ticket(s, PACKET_data(&identity),
+ PACKET_remaining(&identity), NULL, 0,
+ &sess);
if (ret == SSL_TICKET_EMPTY) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
* long
*/
if (slen_full == 0 || slen_full > 0xFF00) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
+ ERR_R_INTERNAL_ERROR);
goto err;
}
senc = OPENSSL_malloc(slen_full);
if (senc == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
+ SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_MALLOC_FAILURE);
goto err;
}
ctx = EVP_CIPHER_CTX_new();
hctx = HMAC_CTX_new();
if (ctx == NULL || hctx == NULL) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
+ ERR_R_MALLOC_FAILURE);
goto err;
}
p = senc;
if (!i2d_SSL_SESSION(s->session, &p)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
+ ERR_R_INTERNAL_ERROR);
goto err;
}
const_p = senc;
sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
if (sess == NULL) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
+ ERR_R_INTERNAL_ERROR);
goto err;
}
slen = i2d_SSL_SESSION(sess, NULL);
if (slen == 0 || slen > slen_full) {
/* shouldn't ever happen */
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
+ ERR_R_INTERNAL_ERROR);
SSL_SESSION_free(sess);
goto err;
}
p = senc;
if (!i2d_SSL_SESSION(sess, &p)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
+ ERR_R_INTERNAL_ERROR);
SSL_SESSION_free(sess);
goto err;
}
if (!WPACKET_put_bytes_u32(pkt, 0)
|| !WPACKET_put_bytes_u16(pkt, 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
+ SSL_F_CONSTRUCT_STATELESS_TICKET,
ERR_R_INTERNAL_ERROR);
goto err;
}
return 1;
}
if (ret < 0) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
SSL_R_CALLBACK_FAILED);
goto err;
}
|| !HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
sizeof(tctx->ext.secure->tick_hmac_key),
EVP_sha256(), NULL)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
ERR_R_INTERNAL_ERROR);
goto err;
}
|| !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
|| macdata1 != macdata2) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
+ SSL_F_CONSTRUCT_STATELESS_TICKET, ERR_R_INTERNAL_ERROR);
goto err;
}
/* Close the sub-packet created by create_ticket_prequel() */
if (!WPACKET_close(pkt)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
+ ERR_R_INTERNAL_ERROR);
goto err;
}
return ok;
}
+static int construct_stateful_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
+ unsigned char *tick_nonce)
+{
+ if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) {
+ /* SSLfatal() already called */
+ return 0;
+ }
+
+ if (!WPACKET_memcpy(pkt, s->session->session_id,
+ s->session->session_id_length)
+ || !WPACKET_close(pkt)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATEFUL_TICKET,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ return 1;
+}
+
int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
{
SSL_CTX *tctx = s->session_ctx;
tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0)
goto err;
- if (!construct_stateless_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
+ if ((s->options & SSL_OP_NO_TICKET) != 0 && SSL_IS_TLS13(s)) {
+ if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+ } else if (!construct_stateless_ticket(s, pkt, age_add_u.age_add,
+ tick_nonce)) {
/* SSLfatal() already called */
goto err;
}
static HANDSHAKE_RESULT *do_handshake_internal(
SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx,
const SSL_TEST_CTX *test_ctx, const SSL_TEST_EXTRA_CONF *extra,
- SSL_SESSION *session_in, SSL_SESSION **session_out)
+ SSL_SESSION *session_in, SSL_SESSION *serv_sess_in,
+ SSL_SESSION **session_out, SSL_SESSION **serv_sess_out)
{
PEER server, client;
BIO *client_to_server = NULL, *server_to_client = NULL;
configure_handshake_ssl(server.ssl, client.ssl, extra);
if (session_in != NULL) {
+ SSL_SESSION_get_id(serv_sess_in, &sess_id_len);
/* In case we're testing resumption without tickets. */
- if (!TEST_true(SSL_CTX_add_session(server_ctx, session_in))
+ if ((sess_id_len > 0
+ && !TEST_true(SSL_CTX_add_session(server_ctx,
+ serv_sess_in)))
|| !TEST_true(SSL_set_session(client.ssl, session_in)))
goto err;
+ sess_id_len = 0;
}
ret->result = SSL_TEST_INTERNAL_ERROR;
if (session_out != NULL)
*session_out = SSL_get1_session(client.ssl);
+ if (serv_sess_out != NULL) {
+ SSL_SESSION *tmp = SSL_get_session(server.ssl);
+
+ /*
+ * We create a fresh copy that is not in the server session ctx linked
+ * list.
+ */
+ if (tmp != NULL)
+ *serv_sess_out = SSL_SESSION_dup(tmp);
+ }
if (SSL_get_server_tmp_key(client.ssl, &tmp_key)) {
ret->tmp_key_type = pkey_type(tmp_key);
const SSL_TEST_CTX *test_ctx)
{
HANDSHAKE_RESULT *result;
- SSL_SESSION *session = NULL;
+ SSL_SESSION *session = NULL, *serv_sess = NULL;
result = do_handshake_internal(server_ctx, server2_ctx, client_ctx,
test_ctx, &test_ctx->extra,
- NULL, &session);
+ NULL, NULL, &session, &serv_sess);
if (result == NULL
|| test_ctx->handshake_mode != SSL_TEST_HANDSHAKE_RESUME
|| result->result == SSL_TEST_INTERNAL_ERROR)
/* We don't support SNI on second handshake yet, so server2_ctx is NULL. */
result = do_handshake_internal(resume_server_ctx, NULL, resume_client_ctx,
test_ctx, &test_ctx->resume_extra,
- session, NULL);
+ session, serv_sess, NULL, NULL);
end:
SSL_SESSION_free(session);
+ SSL_SESSION_free(serv_sess);
return result;
}
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[4-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[5-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.3
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.3
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[7-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[8-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[9-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[10-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[11-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[12-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[13-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.3
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[14-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.3
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[15-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[16-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[17-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[18-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[19-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[20-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[21-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.3
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[22-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.3
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[23-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[24-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[25-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[26-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.1
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[27-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[28-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[29-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.3
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[30-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.3
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[31-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[4-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[5-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
+Options = SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-resumption-client]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = DTLSv1.2
+Options = -SessionTicket
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[7-resumption-client]
},
"resume_server" => {
"MaxProtocol" => $protocols[$resume_protocol],
+ "Options" => $ticket,
},
"test" => {
"ExpectedProtocol" => $protocols[$resume_protocol],
sess2 = NULL;
SSL_CTX_set_max_proto_version(sctx, maxprot);
- SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
+ if (maxprot == TLS1_2_VERSION)
+ SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
new_called = remove_called = get_called = 0;
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
NULL, NULL))