| author | Samuel Chiang <sachiang@amazon.com> | 2025-02-12 02:12:05 +0000 |
|---|---|---|
| committer | git <svn-admin@ruby-lang.org> | 2025-02-22 15:11:40 +0000 |
| commit | fd882fb6819fb8b48b09e24ff71748d1bae35e43 (patch) | |
| tree | 727264fae6cf958aad2e6e3ebca6b43de0c9ebc7 /test | |
| parent | 7a15ba48b58c57bbfbe77b41d172f37f542dc59d (diff) | |
[ruby/openssl] test_ssl_session.rb: test adjustments to work with AWS-LC
The SSL SESSION files we were originally testing against use DHE and
SSLv3. AWS-LC happens to have no support for either and we have newer
possible alternatives available, so I've updated the respective
files to use ECDHE-RSA-AES256-SHA with TLS 1.1 and 1.2. I've verified
that these work as expected with all libcryptos we support.
There are also a few SSL session discrepancies in AWS-LC when
compared to OpenSSL.
1. AWS-LC has no support for internal session caching on the
client-end.
2. AWS-LC supports internal session caching on the server, but
SSL_get1_session does not return a resumable session with TLS 1.3
in AWS-LC. Users have to use the SSL_CTX_sess_set_new_cb
(ctx.session_new_cb in Ruby) to retrieve the resumable session
ticket.
3. AWS-LC has no current support for external session caching in TLS
1.3.
https://github.com/ruby/openssl/commit/ca384b8e2f
Diffstat (limited to 'test')
| -rw-r--r-- | test/openssl/test_ssl_session.rb | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb
index d1ef9cd3db..f453f58657 100644
--- a/test/openssl/test_ssl_session.rb
+++ b/test/openssl/test_ssl_session.rb
@@ -30,9 +30,10 @@ class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase
 end
 end
 
+ # PEM file updated to use TLS 1.2 with ECDHE-RSA-AES256-SHA.
 DUMMY_SESSION = <<__EOS__
 -----BEGIN SSL SESSION PARAMETERS-----
-MIIDzQIBAQICAwEEAgA5BCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad
+MIIDzQIBAQICAwMEAsAUBCAF219w9ZEV8dNA60cpEGOI34hJtIFbf3bkfzSgMyad
 MQQwyGLbkCxE4OiMLdKKem+pyh8V7ifoP7tCxhdmwoDlJxI1v6nVCjai+FGYuncy
 NNSWoQYCBE4DDWuiAwIBCqOCAo4wggKKMIIBcqADAgECAgECMA0GCSqGSIb3DQEB
 BQUAMD0xEzARBgoJkiaJk/IsZAEZFgNvcmcxGTAXBgoJkiaJk/IsZAEZFglydWJ5
@@ -56,9 +57,10 @@ j+RBGfCFrrQbBdnkFI/ztgM=
 -----END SSL SESSION PARAMETERS-----
 __EOS__
 
+ # PEM file updated to use TLS 1.1 with ECDHE-RSA-AES256-SHA.
 DUMMY_SESSION_NO_EXT = <<-__EOS__
 -----BEGIN SSL SESSION PARAMETERS-----
-MIIDCAIBAQICAwAEAgA5BCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+
+MIIDCAIBAQICAwIEAsAUBCDyAW7rcpzMjDSosH+Tv6sukymeqgq3xQVVMez628A+
 lAQw9TrKzrIqlHEh6ltuQaqv/Aq83AmaAlogYktZgXAjOGnhX7ifJDNLMuCfQq53
 hPAaoQYCBE4iDeeiBAICASyjggKOMIICijCCAXKgAwIBAgIBAjANBgkqhkiG9w0B
 AQUFADA9MRMwEQYKCZImiZPyLGQBGRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVi
@@ -122,7 +124,8 @@ __EOS__
 ctx.options &= ~OpenSSL::SSL::OP_NO_TICKET
 # Disable server-side session cache which is enabled by default
 ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF
- ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?
+ # Session tickets must be retrieved via ctx.session_new_cb in TLS 1.3 in AWS-LC.
+ ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl? || aws_lc?
 }
 start_server(ctx_proc: ctx_proc) do |port|
 sess1 = server_connect_with_session(port, nil, nil) { |ssl|
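Review bot: The comment added above DUMMY_SESSION describes a change event ("PEM file updated") rather than what the fixture is and why it is constrained, so whoever next regenerates the blob has nothing telling them which parameters every supported libcrypto must accept; it is also an inline heredoc, not a file. The base64 header bears this out: `MIIDzQIBAQICAwMEAsAU` decodes to version 0x0303 and cipher 0xC014, whereas the removed line encoded 0x0301 with 0x0039 (a DHE suite). I would state the properties and the constraint from the commit message instead: `# Serialized TLS 1.2 session using ECDHE-RSA-AES256-SHA (0xC014). The previous blob used a DHE suite, which AWS-LC cannot parse; keep this to parameters every supported libcrypto accepts.` The same shape of comment belongs on DUMMY_SESSION_NO_EXT in the next hunk.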
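Review bot: The replacement DUMMY_SESSION_NO_EXT blob is a TLS 1.1 session (`AgICAwIE` decodes to version 0x0302), and TLS 1.1 is deprecated by RFC 8996 and refused by OpenSSL 3.x at the default security level, where it requires security level 0. If this constant is only parsed and re-serialized, which I cannot confirm from this hunk since its consumers are outside it, that is harmless, but the comment should say so to stop someone reusing it in a live resumption test that would then fail only on OpenSSL 3. I would extend the comment to: `# TLS 1.1 session with ECDHE-RSA-AES256-SHA and no extensions; parsing/serialization fixture only, since OpenSSL 3 rejects TLS 1.1 at the default security level.`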
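Review bot: Capping `ctx.max_version` at TLS 1.2 for AWS-LC silently removes TLS 1.3 session-resumption coverage from this test on that libcrypto, and the comment gives the workaround without saying that the workaround is not exercised anywhere here. The commit message says `SSL_get1_session` does not return a resumable TLS 1.3 session under AWS-LC and that `session_new_cb` must be used instead, which is the real reason for the cap and is worth stating at the line. I would change the comment to `# AWS-LC: SSL_get1_session does not return a resumable TLS 1.3 session; a TLS 1.3 variant of this test would have to capture the session via ctx.session_new_cb (not covered yet).` so the gap is visible. The enclosing `ctx_proc` block and the test method both start before this hunk.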
@@ -239,20 +242,25 @@ __EOS__
 end
 server_connect_with_session(port, ctx, nil) { |ssl|
- assert_equal(1, ctx.session_cache_stats[:cache_num])
 assert_equal(1, ctx.session_cache_stats[:connect_good])
 assert_equal([ssl, ssl.session], called[:new])
- assert_equal(true, ctx.session_remove(ssl.session))
- assert_equal(false, ctx.session_remove(ssl.session))
- if TEST_SESSION_REMOVE_CB
- assert_equal([ctx, ssl.session], called[:remove])
+ # AWS-LC doesn't support internal session caching on the client, but
+ # the callback is still enabled as expected.
+ unless aws_lc?
+ assert_equal(1, ctx.session_cache_stats[:cache_num])
+ assert_equal(true, ctx.session_remove(ssl.session))
+ if TEST_SESSION_REMOVE_CB
+ assert_equal([ctx, ssl.session], called[:remove])
+ end
 end
+ assert_equal(false, ctx.session_remove(ssl.session))
 }
 end
 end
 def test_ctx_client_session_cb_tls13
 omit "LibreSSL does not call session_new_cb in TLS 1.3" if libressl?
+ omit "AWS-LC does not support internal session caching on the client" if aws_lc?
 start_server do |port|
 called = {}
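Review bot: Under `aws_lc?` the new branch asserts nothing about cache state, so the claim in the comment that no client-side caching happens is never checked, and the comment's "the callback is still enabled" does not name which callback it means. The `:connect_good` read on the preceding line is unconditional, which suggests `session_cache_stats` works on AWS-LC, so the expectation can be pinned rather than skipped: `assert_equal(0, ctx.session_cache_stats[:cache_num]) if aws_lc?` placed before the shared `assert_equal(false, ctx.session_remove(ssl.session))`, which under AWS-LC now means "nothing was cached to remove" rather than "second removal fails" and deserves a word to that effect. I would reword the comment to `# AWS-LC has no client-side internal session cache, so nothing is stored or removable; session_new_cb still fires, as asserted above.`, hedged on the stats counters being real on AWS-LC, which I cannot verify from this hunk. The enclosing test method starts before the hunk and `test_ctx_client_session_cb_tls13` continues past it.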
