"""TLS session cache tests for the ``tls/session`` options of a listener.

Each test talks to the listener configured on ``*:8080`` and checks whether
the server resumes a previously negotiated session, depending on the
``cache_size`` and ``timeout`` values sent to the configuration API.
"""
import socket
import time

import pytest

pytest.importorskip('OpenSSL.SSL')
from OpenSSL.SSL import (
    TLSv1_2_METHOD,
    SESS_CACHE_CLIENT,
    OP_NO_TICKET,
    Context,
    Connection,
    _lib,
)
from unit.applications.tls import ApplicationTLS

prerequisites = {'modules': {'openssl': 'any'}}

client = ApplicationTLS()

# SSL_session_reused is reached through pyOpenSSL's private binding object
# (`_lib`), so the reuse checks are skipped when that symbol is not exposed.
_requires_session_reused = pytest.mark.skipif(
    not hasattr(_lib, 'SSL_session_reused'),
    reason='session reuse is not supported',
)


@pytest.fixture(autouse=True)
def setup_method_fixture():
    """Install the default certificate and a TLS listener before every test."""
    client.certificate()

    listener = {
        "pass": "routes",
        # The "session" object starts empty: neither cache_size nor timeout
        # is set until a test calls add_session().
        "tls": {"certificate": "default", "session": {}},
    }
    config = {
        "listeners": {"*:8080": listener},
        "routes": [{"action": {"return": 200}}],
        "applications": {},
    }

    assert 'success' in client.conf(config), 'load application configuration'


def add_session(cache_size=None, timeout=None):
    """Send a ``tls/session`` object for the ``*:8080`` listener.

    Only the options that are not None are included, so calling this with
    no arguments sends an empty object.

    Returns:
        Whatever ``client.conf`` returns for the request; the tests look for
        the 'success' or 'error' key in it.
    """
    options = (('cache_size', cache_size), ('timeout', timeout))
    session = {name: value for name, value in options if value is not None}

    return client.conf(session, 'listeners/*:8080/tls/session')


def connect(ctx=None, session=None):
    """Run one TLS handshake against 127.0.0.1:8080 and report session reuse.

    Args:
        ctx: pyOpenSSL ``Context`` to reuse; a new one is created when None.
        session: session to offer for resumption; nothing is offered when
            None.

    Returns:
        A tuple ``(connection, session, context, reused)`` where ``reused``
        is the raw result of ``SSL_session_reused`` for this handshake.
    """
    tcp = socket.create_connection(('127.0.0.1', 8080))

    if ctx is None:
        # TLS 1.2 with session tickets switched off: any resumption then has
        # to come from the server-side session cache that these tests
        # configure, not from a ticket held by the client.
        # No verify mode is set on this context, so the peer certificate is
        # not validated; the peer here is the loopback test listener.
        ctx = Context(TLSv1_2_METHOD)
        ctx.set_session_cache_mode(SESS_CACHE_CLIENT)
        ctx.set_options(OP_NO_TICKET)

    tls = Connection(ctx, tcp)
    tls.set_connect_state()
    if session is not None:
        tls.set_session(session)

    tls.do_handshake()
    tls.shutdown()

    negotiated = tls.get_session()
    # `_lib` and `_ssl` are pyOpenSSL internals; the tests that depend on
    # this value are guarded by a skipif on hasattr(_lib, ...).
    was_reused = _lib.SSL_session_reused(tls._ssl)

    return tls, negotiated, ctx, was_reused


@_requires_session_reused
def test_tls_session():
    """Sessions are resumed only once a cache is configured and large enough."""
    _, sess, ctx, reused = connect()
    assert not reused, 'new connection'

    # The fixture left "session" empty, so the same session is not resumed.
    _, _, _, reused = connect(ctx, sess)
    assert not reused, 'no cache'

    assert 'success' in add_session(cache_size=2)

    _, sess, ctx, reused = connect()
    assert not reused, 'new connection cache'

    _, _, _, reused = connect(ctx, sess)
    assert reused, 'cache'

    _, _, _, reused = connect(ctx, sess)
    assert reused, 'cache 2'

    # With cache_size=2, at least one of four sessions must fail to resume.

    fresh = [connect() for _ in range(4)]
    fresh_flags = [flag for *_, flag in fresh]
    assert True not in fresh_flags, 'cache small all new'

    retried = [connect(ctx, sess) for _, sess, ctx, _ in fresh]
    retried_flags = [flag for *_, flag in retried]
    assert False in retried_flags, 'cache small no reuse'

    # With cache_size=8, all four sessions must resume.

    assert 'success' in add_session(cache_size=8)

    fresh = [connect() for _ in range(4)]
    fresh_flags = [flag for *_, flag in fresh]
    assert True not in fresh_flags, 'cache big all new'

    retried = [connect(ctx, sess) for _, sess, ctx, _ in fresh]
    retried_flags = [flag for *_, flag in retried]
    assert False not in retried_flags, 'cache big reuse'


@_requires_session_reused
def test_tls_session_timeout():
    """A cached session stops being resumable after the configured timeout."""
    assert 'success' in add_session(cache_size=5, timeout=1)

    _, sess, ctx, reused = connect()
    assert not reused, 'new connection'

    _, _, _, reused = connect(ctx, sess)
    assert reused, 'no timeout'

    # timeout=1 is presumably in seconds (confirm against the option's
    # documentation); sleeping 3 leaves a margin before the retry.
    time.sleep(3)

    _, _, _, reused = connect(ctx, sess)
    assert not reused, 'timeout'


def test_tls_session_invalid():
    """Negative and non-numeric session options are rejected with an error."""
    rejected = (
        {'cache_size': -1},
        {'cache_size': {}},
        {'timeout': -1},
        {'timeout': {}},
    )

    for options in rejected:
        assert 'error' in add_session(**options)