Merge pull request #1337 from dcooper16/fix_session_resumption

Fix sub_session_resumption()
This commit is contained in:
Dirk Wetter 2019-10-02 08:52:23 +02:00 committed by GitHub
commit cf00c8e8ac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -6055,8 +6055,9 @@ sub_session_resumption() {
local sess_data=$(mktemp $TEMPDIR/sub_session_data_resumption.$NODEIP.XXXXXX)
local -a rw_line
local not_new_reused=false
local protocol="$1"
if [[ "$1" == ID ]]; then
if [[ "$2" == ID ]]; then
local byID=true
local addcmd="-no_ticket"
else
@ -6067,7 +6068,21 @@ sub_session_resumption() {
fi
fi
"$CLIENT_AUTH" && return 3
"$HAS_NO_SSL2" && addcmd+=" -no_ssl2" || addcmd+=" $OPTIMAL_PROTO"
if "$HAS_NO_SSL2"; then
addcmd+=" -no_ssl2"
else
protocol=${protocol/\./_}
protocol=${protocol/v/}
protocol="-$(tolower $protocol)"
# In some cases a server will not support session tickets, but will support session resumption
# by ID. In such a case, it may be more likely to support session resumption with TLSv1.2 than
# with TLSv1.3. So, if testing a server that does not support session tickets and that supports
# both TLSv1.3 and TLSv1.2 for session resumption by ID, then use a TLSv1.2 ClientHello. (Note that
# the line below assumes that if $protocol is -tls1_3, then the server either supports TLSv1.2 or
# is TLSv1.3-only.
! "$TLS_TICKETS" && "$byID" && [[ $(has_server_protocol "tls1_2") -eq 0 ]] && protocol="-tls1_2"
addcmd+=" $protocol"
fi
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS -connect $NODEIP:$PORT $PROXY $SNI $addcmd -sess_out $sess_data") </dev/null &>/dev/null
ret1=$?
@ -8823,7 +8838,7 @@ certificate_info() {
run_server_defaults() {
local ciph newhostcert sni
local match_found
local sessticket_lifetime_hint="" lifetime unit
local sessticket_lifetime_hint="" sessticket_proto="" lifetime unit
local -i i n
local -i certs_found=0
local -i ret=0
@ -8890,6 +8905,7 @@ run_server_defaults() {
>$ERRFILE
if [[ -z "$sessticket_lifetime_hint" ]]; then
sessticket_lifetime_hint=$(awk '/session ticket life/ { if (!found) print; found=1 }' $TMPFILE)
sessticket_proto="$(get_protocol "$TMPFILE")"
fi
if [[ $n -le 7 ]]; then
@ -9042,7 +9058,10 @@ run_server_defaults() {
if [[ $? -eq 0 ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
cp "$TEMPDIR/$NODEIP.determine_tls_extensions.txt" $TMPFILE
>$ERRFILE
[[ -z "$sessticket_lifetime_hint" ]] && sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
if [[ -z "$sessticket_lifetime_hint" ]]; then
sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
sessticket_proto="$(get_protocol "$TMPFILE")"
fi
fi
if "$using_sockets" && ! "$TLS13_ONLY" && [[ -z "$sessticket_lifetime_hint" ]] && [[ "$OPTIMAL_PROTO" != -ssl2 ]]; then
if "$HAS_TLS13" && ( [[ -z "$OPTIMAL_PROTO" ]] || [[ "$OPTIMAL_PROTO" == -tls1_3 ]] ) ; then
@ -9052,7 +9071,10 @@ run_server_defaults() {
else
$OPENSSL s_client $(s_client_options "$STARTTLS $BUGS "$OPTIMAL_PROTO" -connect $NODEIP:$PORT $PROXY $SNI") </dev/null 2>$ERRFILE >$TMPFILE
fi
sclient_connect_successful $? $TMPFILE && sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
if sclient_connect_successful $? $TMPFILE; then
sessticket_lifetime_hint=$(awk '/session ticket lifetime/ { if (!found) print; found=1 }' $TMPFILE)
sessticket_proto="$(get_protocol "$TMPFILE")"
fi
fi
[[ -z "$sessticket_lifetime_hint" ]] && TLS_TICKETS=false || TLS_TICKETS=true
@ -9122,7 +9144,7 @@ run_server_defaults() {
pr_bold " Session Resumption "
jsonID="sessionresumption_ticket"
sub_session_resumption
sub_session_resumption "$sessticket_proto"
case $? in
0) SESS_RESUMPTION[2]="ticket=yes"
out "Tickets: yes, "
@ -9154,7 +9176,7 @@ run_server_defaults() {
outln "ID: no"
fileout "$jsonID" "INFO" "No Session ID, no resumption"
else
sub_session_resumption ID
sub_session_resumption "$sessticket_proto" ID
case $? in
0) SESS_RESUMPTION[1]="ID=yes"
outln "ID: yes"