@@ -2764,3 +2764,251 @@ SSL reused session
27642764[alert]
27652765[emerg]
27662766-- - timeout: 10
2767+
2768+
2769+
2770+ === TEST 35 : ssl session/ ticket reuse CVE
2771+ https: // www. cve. org/ CVERecord? id= CVE-2025-23419
2772+ -- - stream_config
2773+ server {
2774+ listen $ TEST_NGINX_SERVER_SSL_PORT ssl reuseport default_server;
2775+ ssl_certificate .. / .. / cert/ test. crt;
2776+ ssl_certificate_key .. / .. / cert/ test. key ;
2777+ ssl_session_cache builtin: 1000 ;
2778+ ssl_session_tickets off;
2779+ ssl_client_certificate .. / .. / cert/ test. crt;
2780+ ssl_verify_client on;
2781+ server_name test. com;
2782+
2783+ ssl_client_hello_by_lua_block {
2784+ local ssl_clt = require " ngx.ssl.clienthello"
2785+ local host, err = ssl_clt. get_client_hello_server_name()
2786+ ngx. log (ngx. INFO, " ssl client hello:" , host)
2787+ }
2788+
2789+ content_by_lua_block {
2790+ local sock = assert(ngx. req. socket(true))
2791+ local data = sock: receive()
2792+ if data == " ping" then
2793+ sock: send(" test.com\n " )
2794+ else
2795+ ngx. log (ngx. ERR, " unexpect data: " , data)
2796+ end
2797+ }
2798+ }
2799+
2800+ server {
2801+ listen $ TEST_NGINX_SERVER_SSL_PORT ssl;
2802+ ssl_certificate .. / .. / cert/ test2. crt;
2803+ ssl_certificate_key .. / .. / cert/ test2. key ;
2804+ ssl_session_cache builtin: 1000 ;
2805+ ssl_session_tickets off;
2806+ ssl_client_certificate .. / .. / cert/ test. crt;
2807+ ssl_verify_client on;
2808+ server_name test2. com;
2809+
2810+ ssl_client_hello_by_lua_block {
2811+ local ssl_clt = require " ngx.ssl.clienthello"
2812+ local host, err = ssl_clt. get_client_hello_server_name()
2813+ ngx. log (ngx. ERR, " ssl client hello:" , host)
2814+ }
2815+
2816+ content_by_lua_block {
2817+ local sock = assert(ngx. req. socket(true))
2818+ local data = sock: receive()
2819+ if data == " ping" then
2820+ sock: send(" test2.com\n " )
2821+ else
2822+ ngx. log (ngx. ERR, " unexpect data: " , data)
2823+ end
2824+ }
2825+ }
2826+ -- - stream_server_config
2827+ resolver $ TEST_NGINX_RESOLVER ipv6= off;
2828+ lua_ssl_protocols TLSv1. 2;
2829+ lua_ssl_certificate .. / .. / cert/ test. crt;
2830+ lua_ssl_certificate_key .. / .. / cert/ test. key ;
2831+ lua_ssl_trusted_certificate .. / .. / cert/ test. crt;
2832+
2833+ content_by_lua_block {
2834+ do
2835+ local session
2836+ for i = 1 , 2 do
2837+ local sock = ngx. socket. tcp()
2838+ sock: settimeout(2000 )
2839+ local ok , err = sock: connect(" 127.0.0.1" , $ TEST_NGINX_SERVER_SSL_PORT )
2840+ if not ok then
2841+ ngx. say (" failed to connect: " , err)
2842+ return
2843+ end
2844+
2845+ ngx. say (" connected: " , ok )
2846+
2847+ local server_name = " test.com"
2848+ if i == 2 then
2849+ server_name = " test2.com"
2850+ end
2851+
2852+ session, err = sock: sslhandshake(session, server_name)
2853+ if not session then
2854+ ngx. say (" failed to do SSL handshake: " , err)
2855+ return
2856+ end
2857+
2858+ ngx. say (" ssl handshake: " , type(session))
2859+
2860+ local bytes , err = sock: send(" ping\n " )
2861+ if not bytes then
2862+ ngx. say (" failed to send stream request: " , err)
2863+ return
2864+ end
2865+
2866+ ngx. say (" sent stream request: " , bytes , " bytes." )
2867+
2868+ local line, err = sock: receive()
2869+ if not line then
2870+ ngx. say (" failed to recieve response status line: " , err)
2871+ return
2872+ end
2873+
2874+ ngx. say (" received: " , line)
2875+
2876+ local ok , err = sock: close()
2877+ ngx. say (" close: " , ok , " " , err)
2878+ end
2879+
2880+ end -- do
2881+ collectgarbage()
2882+ }
2883+
2884+ -- - stream_response
2885+ connected: 1
2886+ ssl handshake: userdata
2887+ sent stream request: 5 bytes .
2888+ received: test. com
2889+ close : 1 nil
2890+ connected: 1
2891+ ssl handshake: userdata
2892+ sent stream request: 5 bytes .
2893+ received: test. com
2894+ close : 1 nil
2895+ -- - error_log
2896+ SSL reused session
2897+ lua ssl free session
2898+ -- - log_level: debug
2899+ -- - no_error_log
2900+ [error]
2901+ [alert]
2902+ [crit]
2903+ -- - timeout: 5
2904+ -- - skip_nginx: 7 : < 1.25 . 4
2905+
2906+
2907+
2908+ === TEST 36 : ssl session/ ticket reuse CVE
2909+ https: // www. cve. org/ CVERecord? id= CVE-2025-23419
2910+ -- - main_config
2911+ env PATH;
2912+ -- - stream_config
2913+ server {
2914+ listen $ TEST_NGINX_SERVER_SSL_PORT ssl reuseport default_server;
2915+ ssl_certificate .. / .. / cert/ test. crt;
2916+ ssl_certificate_key .. / .. / cert/ test. key ;
2917+ ssl_session_cache builtin: 1000 ;
2918+ ssl_session_tickets on;
2919+ ssl_client_certificate .. / .. / cert/ test. crt;
2920+ ssl_verify_client on;
2921+ server_name test. com;
2922+
2923+ ssl_client_hello_by_lua_block {
2924+ local ssl_clt = require " ngx.ssl.clienthello"
2925+ local host, err = ssl_clt. get_client_hello_server_name()
2926+ ngx. log (ngx. INFO, " ssl client hello:" , host)
2927+ }
2928+
2929+ content_by_lua_block {
2930+ local sock = assert(ngx. req. socket(true))
2931+ local data = sock: receive()
2932+ if data == " ping" then
2933+ sock: send(" test.com\n " )
2934+ else
2935+ ngx. log (ngx. ERR, " unexpect data: " , data)
2936+ end
2937+ }
2938+ }
2939+
2940+ server {
2941+ listen $ TEST_NGINX_SERVER_SSL_PORT ssl;
2942+ ssl_certificate .. / .. / cert/ test2. crt;
2943+ ssl_certificate_key .. / .. / cert/ test2. key ;
2944+ ssl_session_cache builtin: 1000 ;
2945+ ssl_session_tickets on;
2946+ ssl_client_certificate .. / .. / cert/ test. crt;
2947+ ssl_verify_client on;
2948+ server_name test2. com;
2949+
2950+ ssl_client_hello_by_lua_block {
2951+ local ssl_clt = require " ngx.ssl.clienthello"
2952+ local host, err = ssl_clt. get_client_hello_server_name()
2953+ ngx. log (ngx. ERR, " ssl client hello:" , host)
2954+ }
2955+
2956+ content_by_lua_block {
2957+ local sock = assert(ngx. req. socket(true))
2958+ local data = sock: receive()
2959+ if data == " ping" then
2960+ sock: send(" test2.com\n " )
2961+ else
2962+ ngx. log (ngx. ERR, " unexpect data: " , data)
2963+ end
2964+ }
2965+ }
2966+ -- - stream_server_config
2967+ resolver $ TEST_NGINX_RESOLVER ipv6= off;
2968+ lua_ssl_protocols TLSv1. 3;
2969+ lua_ssl_certificate .. / .. / cert/ test. crt;
2970+ lua_ssl_certificate_key .. / .. / cert/ test. key ;
2971+ lua_ssl_trusted_certificate .. / .. / cert/ test. crt;
2972+
2973+ content_by_lua_block {
2974+ do
2975+ -- openssl s_client -cert client_cert. pem -key client_key. pem -servername openresty. org -connect openresty. org: 443 -sess_out sess. pem
2976+ -- (" 127.0.0.1" , $ TEST_NGINX_SERVER_SSL_PORT )
2977+ -- server_name = " test.com"
2978+ -- server_name = " test2.com"
2979+ local prefix = ngx. config. prefix ()
2980+
2981+ local cmd = [[bash -c " { sleep 0.3 ; echo ping; } | /usr/bin/openssl s_client -cert % s /../cert/test.crt -key % s /../cert/test.key -servername test.com -connect 127.0.0.1:$ TEST_NGINX_SERVER_SSL_PORT -sess_out sess.pem" ]]
2982+ cmd = string. format(cmd, prefix , prefix )
2983+ local handle, err = io. popen(cmd)
2984+ if not handle then
2985+ ngx. say (err)
2986+ end
2987+
2988+ ngx. sleep (0.2 )
2989+ local cmd = [[/usr /bin/ openssl s_client -cert % s / .. / cert/ test. crt -key % s / .. / cert/ test. key -servername test2. com -connect 127.0 . 0. 1: $ TEST_NGINX_SERVER_SSL_PORT -sess_in sess. pem]]
2990+ cmd = string. format(cmd, prefix , prefix )
2991+ local handle, err = io. popen(cmd)
2992+ if not handle then
2993+ ngx. say (err)
2994+ end
2995+ ngx. sleep (0.2 )
2996+
2997+ ngx. say (" hi" )
2998+ end -- do
2999+ collectgarbage()
3000+ }
3001+
3002+ -- - stream_response
3003+ hi
3004+ -- - error_log
3005+ tlsv1 alert access denied
3006+ handshake rejected while SSL handshaking
3007+
3008+ -- - log_level: debug
3009+ -- - no_error_log
3010+ [error]
3011+ [alert]
3012+ [crit]
3013+ -- - timeout: 5
3014+ -- - skip_nginx: 7 : < 1.25 . 4
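Review bot: In TEST 36 the two `io.popen` handles are never read or closed, so openssl's output and exit status are discarded and the test relies only on the error log plus `ngx.sleep(0.2)` timing, which appears to leave a race between the first s_client writing `sess.pem` and the second one being started with `-sess_in`. Consuming each pipe before moving on makes the ordering explicit: `local out = handle:read("*a"); handle:close()` after each `io.popen`, and the `if not handle` branches should `return` rather than fall through. `sess.pem` is also written to and read from the worker's current directory with no cleanup; anchoring it under the prefix, e.g. `-sess_out %s/sess.pem` with `prefix` passed as an extra format argument, keeps runs isolated, and since `%s` expands an unquoted path inside `bash -c`, a prefix containing spaces would break the command (harness-controlled here, but worth a comment). In both tests the second server's `ssl_client_hello_by_lua_block` logs at `ngx.ERR` while the first logs at `ngx.INFO`, so together with `--- no_error_log [error]` the test silently asserts that handler never runs; if that is intended, a comment such as `-- logged at ERR on purpose: a resumed session must never reach this server's hello callback` would make the expectation explicit.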