author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-03-12 23:23:17 +0000 |
committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-03-12 23:23:17 +0000 |
commit | 0fd238c72f2952c5fa22841c1828c39e8c2faa95 (patch) | |
tree | a19fde51048be687aa2726f7534a7a7970fe4526 /test/net/ftp/test_ftp.rb | |
parent | b828c95bcac62b96adb64b602fa51cbd1c00b342 (diff) |
merge revision(s) 64234,64252: [Backport #15219]
net/http, net/ftp: fix session resumption with TLS 1.3
When TLS 1.3 is in use, the session ticket may not have been sent yet
even though a handshake has finished. Also, the ticket could change if
multiple session ticket messages are sent by the server. Use
SSLContext#session_new_cb instead of calling SSLSocket#session
immediately after a handshake. This way also works with earlier protocol
versions.
net/http, net/ftp: skip SSL/TLS session resumption tests
Due to a bug in OpenSSL 1.1.0h[1] (it's only in this specific version;
it was introduced just before the release and is already fixed in their
stable branch), the callback set by SSLContext#session_new_cb= does not
get called for clients, making net/http and net/ftp not attempt session
resumption.
Let's disable the affected test cases for now. Another option would be
to fallback to using SSLSocket#session as we did before r64234. But
since only a single version is affected and hopefully a new stable
version containing the fix will be released in the near future, I chose not
to add such workaround code to lib/.
[1] https://github.com/openssl/openssl/pull/5967
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67237 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/net/ftp/test_ftp.rb')
-rw-r--r-- | test/net/ftp/test_ftp.rb | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb
index 03204ebc52..8177bfe36e 100644
--- a/test/net/ftp/test_ftp.rb
+++ b/test/net/ftp/test_ftp.rb
@@ -1755,6 +1755,7 @@ EOF
 server = TCPServer.new(SERVER_ADDR, 0)
 port = server.addr[1]
 commands = []
+ session_reused_for_data_connection = nil
 binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
 @thread = Thread.start do
 sock = server.accept
@@ -1793,6 +1794,7 @@ EOF
 conn = OpenSSL::SSL::SSLSocket.new(conn, ctx)
 conn.sync_close = true
 conn.accept
+ session_reused_for_data_connection = conn.session_reused?
 binary_data.scan(/.{1,1024}/nm) do |s|
 conn.print(s)
 end
@@ -1823,6 +1825,11 @@ EOF
 assert_match(/\A(PORT|EPRT) /, commands.shift)
 assert_equal("RETR foo\r\n", commands.shift)
 assert_equal(nil, commands.shift)
+ # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
+ # See https://github.com/openssl/openssl/pull/5967 for details.
+ if OpenSSL::OPENSSL_LIBRARY_VERSION !~ /OpenSSL 1.1.0h/
+ assert_equal(true, session_reused_for_data_connection)
+ end
 ensure
 ftp.close
 end
@@ -1832,6 +1839,7 @@ EOF
 server = TCPServer.new(SERVER_ADDR, 0)
 port = server.addr[1]
 commands = []
+ session_reused_for_data_connection = nil
 binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
 @thread = Thread.start do
 sock = server.accept
@@ -1869,6 +1877,7 @@ EOF
 conn = OpenSSL::SSL::SSLSocket.new(conn, ctx)
 conn.sync_close = true
 conn.accept
+ session_reused_for_data_connection = conn.session_reused?
 binary_data.scan(/.{1,1024}/nm) do |s|
 conn.print(s)
 end
@@ -1900,6 +1909,10 @@ EOF
 assert_match(/\A(PASV|EPSV)\r\n/, commands.shift)
 assert_equal("RETR foo\r\n", commands.shift)
 assert_equal(nil, commands.shift)
+ # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
+ if OpenSSL::OPENSSL_LIBRARY_VERSION !~ /OpenSSL 1.1.0h/
+ assert_equal(true, session_reused_for_data_connection)
+ end
 ensure
 ftp.close
 end
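Review bot: The `if OpenSSL::OPENSSL_LIBRARY_VERSION !~ /OpenSSL 1.1.0h/` guard in the third and sixth hunks makes the resumption assertion disappear silently on that build, so the test still reports a pass without having checked the one property this commit exists to verify; reporting it as `skip "new_session_cb is broken for clients in OpenSSL 1.1.0h" if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/` (or the framework's equivalent) would make the gap visible in the run output instead of hiding it. The FIXME in the sixth hunk also omits the `# See https://github.com/openssl/openssl/pull/5967 for details.` line that the third hunk carries; the two comments should match so the reference is not lost when one of them is later cleaned up. `session_reused_for_data_connection` is assigned inside the server thread (second and fifth hunks) and read in the test thread, and the ordering appears to rest only on the client having consumed the payload the server sends after the assignment, which is worth stating in a comment such as `# written by the server thread before it sends the payload; read only after the transfer completes` so nobody reorders it. Both test methods begin and end outside these hunks.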