----------------------------------------------------
TESTING:

The attached nginx configuration file is what I used for testing.

Vincent Bernat ( https://github.com/vincentbernat/rfc5077 ) has a client-side
tool for testing the impact of session IDs and session tickets using
the OpenSSL, GnuTLS and NSS libraries.

I have forked this tool and added options for delays, client-side certificates
and a few other things: https://github.com/grooverdan/rfc5077

ENVIRONMENT:

To set up the environment, clone my rfc5077 tool from GitHub.

$ git clone https://github.com/grooverdan/rfc5077.git

The dependencies are listed in the README.md so install those.

Make the tools by running make.

$ make

If you do not have a configuration for client certificate testing, run 'make certificate'
and answer its questions as shown in the following output:
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): 
Organization name: 
Organizational unit name: 
Locality name: 
State or province name:          
Common name: localhost
UID: 
This field should not be used in new certificates.
E-mail: 
Enter the certificate's serial number in decimal (default: 1348800523): 


Activation/Expiration time.
The certificate will expire in (days): 6000


Extensions.
Does the certificate belong to an authority? (y/N): n
Is this a TLS web client certificate? (y/N): y
Will the certificate be used for IPsec IKE operations? (y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: localhost
Enter a dnsName of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): 
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): 
Enter the URI of the CRL distribution point: 
X.509 Certificate Information:
....
Is the above information ok? (y/N): y

Copy the certs to the nginx server configuration:

$ cp cert.pem key.pem /usr/local/nginx/conf/

For testing we are going to use the same certificates for client and server
testing, as this makes the ssl verify part of the nginx configuration easy.

CONFIGURATION:

$ cp nginx.conf /usr/local/nginx/conf

$ patch -p1 < nginx-rfc5077.patch

$ auto/configure --with-debug --with-http_ssl_module

$ make && make install

$ objs/nginx

TEST OPERATION

The tests use the rfc5077 tools: gnutls-client, openssl-client and nss-client.
All of these have the same syntax. openssl-client does, however, provide more SSL session
information.

In each of the items below, openssl-client can be replaced with gnutls-client or
nss-client.

TEST 1: session IDs still work

To do this we run the tools with tickets disabled.

$ ./openssl-client -T -r localhost 4433


Expected output - key bits marked with * at beginning of line.

[✔] Parse arguments.
[✔] Initialize OpenSSL library.
[✔] Disable use of session tickets (RFC 5077).
[✔] Solve localhost:4433:
    │ Will connect to 127.0.0.1
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
*    │ SSL session was not used
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
*    │     Session-ID: 0100A52103BD90A1FB8BBD561860CB5C140AE34F13794941FF1B2F637766BA07
    │     Session-ID-ctx: 
    │     Master-Key: 7A01F4E88C56EDEDC191A62D254179D2FAB13067044DDBAC24CCEFB84AF20C67A609D472F90211FE0AE21B9ADC8688F0
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
    │     Start Time: 1348801331
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.
[✔] waiting 0 seconds.
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
*    │ SSL session correctly reused
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
*    │     Session-ID: 0100A52103BD90A1FB8BBD561860CB5C140AE34F13794941FF1B2F637766BA07
    │     Session-ID-ctx: 
    │     Master-Key: 7A01F4E88C56EDEDC191A62D254179D2FAB13067044DDBAC24CCEFB84AF20C67A609D472F90211FE0AE21B9ADC8688F0
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
    │     Start Time: 1348801331
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.

Here we can see that the first connection didn't resume a session ID.
The second connection did resume a session ID.

The Session-ID is the same for both connections.

TEST 2: operation on session tickets

$ ./openssl-client -S -r localhost 4433

Expected Output:

[✔] Parse arguments.
[✔] Initialize OpenSSL library.
[✔] Solve localhost:4433:
    │ Will connect to 127.0.0.1
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
    │ SSL session was not used
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
*    │     Session-ID: CE9BF370F4865B6C3BD6EFC3A1F41DB223997FDA3F2E8F705433924F8FBBB350
    │     Session-ID-ctx: 
    │     Master-Key: E867F33A87AFC90732D617484514CD1BCFB5B470FE4C27D1765F1B5C087AC20DDBFC5B17106449FE9DA4942FF7362FA3
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
*    │     TLS session ticket:
*    │     0000 - 9a f4 23 9e 09 f4 c7 f5-9b 85 95 c0 09 df fb 38   ..#............8
*    │     0010 - 67 94 74 68 19 34 f0 81-fc e6 85 79 0f 22 cd 6f   g.th.4.....y.".o
*    │     0020 - 1e b4 04 2d 96 8f bf 11-ff bd 61 67 da 00 79 29   ...-......ag..y)
*    │     0030 - ff 1f ed a9 63 8b f8 f6-e3 e9 a1 70 67 c7 a4 6a   ....c......pg..j
*    │     0040 - ee d5 a8 c5 04 3e b1 1e-e8 06 30 cb 66 88 f1 4a   .....>....0.f..J
*    │     0050 - d6 19 97 0e 2e 1d 63 45-0b ff e0 21 d6 fb 6f 1c   ......cE...!..o.
*    │     0060 - 0c c5 db ee da f0 df d8-61 73 99 17 fd ea 6f 5c   ........as....o\
*    │     0070 - 72 00 12 8b 93 d7 94 c8-d2 01 f9 50 b9 43 17 e8   r..........P.C..
*    │     0080 - 79 80 40 c2 ff be 7e 67-d1 4e d5 92 0f 8d f6 f8   y.@...~g.N......
*    │     0090 - 0e f2 01 e0 00 6d b4 0e-4a 5a 16 54 d4 75 ef 51   .....m..JZ.T.u.Q
    │ 
    │     Start Time: 1348801578
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.
[✔] waiting 0 seconds.
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
*[✔] Check if session was reused:
*    │ SSL session correctly reused
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
*    │     Session-ID: CE9BF370F4865B6C3BD6EFC3A1F41DB223997FDA3F2E8F705433924F8FBBB350
    │     Session-ID-ctx: 
    │     Master-Key: E867F33A87AFC90732D617484514CD1BCFB5B470FE4C27D1765F1B5C087AC20DDBFC5B17106449FE9DA4942FF7362FA3
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
    │     TLS session ticket:
*    │     0000 - 9a f4 23 9e 09 f4 c7 f5-9b 85 95 c0 09 df fb 38   ..#............8
*    │     0010 - 67 94 74 68 19 34 f0 81-fc e6 85 79 0f 22 cd 6f   g.th.4.....y.".o
*    │     0020 - 1e b4 04 2d 96 8f bf 11-ff bd 61 67 da 00 79 29   ...-......ag..y)
*    │     0030 - ff 1f ed a9 63 8b f8 f6-e3 e9 a1 70 67 c7 a4 6a   ....c......pg..j
*    │     0040 - ee d5 a8 c5 04 3e b1 1e-e8 06 30 cb 66 88 f1 4a   .....>....0.f..J
*    │     0050 - d6 19 97 0e 2e 1d 63 45-0b ff e0 21 d6 fb 6f 1c   ......cE...!..o.
*    │     0060 - 0c c5 db ee da f0 df d8-61 73 99 17 fd ea 6f 5c   ........as....o\
*    │     0070 - 72 00 12 8b 93 d7 94 c8-d2 01 f9 50 b9 43 17 e8   r..........P.C..
*    │     0080 - 79 80 40 c2 ff be 7e 67-d1 4e d5 92 0f 8d f6 f8   y.@...~g.N......
*    │     0090 - 0e f2 01 e0 00 6d b4 0e-4a 5a 16 54 d4 75 ef 51   .....m..JZ.T.u.Q
    │ 
    │     Start Time: 1348801578
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK


Here we can see that the session ticket is identical between the two connections. Note that only
openssl-client displays the session ticket output. As per the RFC, the session ID should be identical
when using session tickets.

TEST 3: Ensure that session tickets are used when both session id and session ticket are presented

$ ./openssl-client -r localhost 4433

Expected output:

[✔] Parse arguments.
[✔] Initialize OpenSSL library.
[✔] Solve localhost:4433:
    │ Will connect to 127.0.0.1
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
    │ SSL session was not used
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
    │     Session-ID: B5FB477DC9EC2BF8DD889331A741B7C59459321B1FDD7806518E0E27A019D117
    │     Session-ID-ctx: 
    │     Master-Key: 2D2BF38985D62EEE8A96E822E12141BE2BB1A5E54CF0B3AF79F112C5F523CD8705C8342197CA1F55DABCC92888928EC5
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
*    │     TLS session ticket:
*    │     0000 - 37 20 ee b4 ae 62 b1 a7-22 e2 c5 d2 bc 69 21 66   7 ...b.."....i!f
*    │     0010 - e5 8c 07 90 2c 98 15 7e-55 2e 13 86 5b 0f c6 be   ....,..~U...[...
*    │     0020 - 26 07 73 86 96 18 61 2a-dd 31 46 ce 9c 89 ea 53   &.s...a*.1F....S
*    │     0030 - 5e 1a 74 16 f7 dd bc 3f-b0 7b 07 18 b9 fd 16 71   ^.t....?.{.....q
*    │     0040 - 5a af cb ff c4 78 18 6f-48 f8 57 e6 76 9e 9a f1   Z....x.oH.W.v...
*    │     0050 - 18 0d 93 e9 ef 32 66 29-96 7a 92 d9 f8 60 87 41   .....2f).z...`.A
*    │     0060 - 70 e0 86 9a 96 cd a7 c1-27 97 98 56 27 11 9c f8   p.......'..V'...
*    │     0070 - 3f 91 ca c5 2b 72 8e ea-46 47 46 23 32 ed eb b8   ?...+r..FGF#2...
*    │     0080 - a1 d8 6c 34 da 90 9b d5-a0 1c df 92 86 b3 57 dc   ..l4..........W.
*    │     0090 - c1 fd 9c 3d e3 85 f4 96-88 ee 9e 3b 72 1b 77 0f   ...=.......;r.w.
    │ 
    │     Start Time: 1348801913
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.
[✔] waiting 0 seconds.
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
    │ SSL session correctly reused
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
    │     Session-ID: B5FB477DC9EC2BF8DD889331A741B7C59459321B1FDD7806518E0E27A019D117
    │     Session-ID-ctx: 
    │     Master-Key: 2D2BF38985D62EEE8A96E822E12141BE2BB1A5E54CF0B3AF79F112C5F523CD8705C8342197CA1F55DABCC92888928EC5
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
*    │     TLS session ticket:
*    │     0000 - 37 20 ee b4 ae 62 b1 a7-22 e2 c5 d2 bc 69 21 66   7 ...b.."....i!f
*    │     0010 - e5 8c 07 90 2c 98 15 7e-55 2e 13 86 5b 0f c6 be   ....,..~U...[...
*    │     0020 - 26 07 73 86 96 18 61 2a-dd 31 46 ce 9c 89 ea 53   &.s...a*.1F....S
*    │     0030 - 5e 1a 74 16 f7 dd bc 3f-b0 7b 07 18 b9 fd 16 71   ^.t....?.{.....q
*    │     0040 - 5a af cb ff c4 78 18 6f-48 f8 57 e6 76 9e 9a f1   Z....x.oH.W.v...
*    │     0050 - 18 0d 93 e9 ef 32 66 29-96 7a 92 d9 f8 60 87 41   .....2f).z...`.A
*    │     0060 - 70 e0 86 9a 96 cd a7 c1-27 97 98 56 27 11 9c f8   p.......'..V'...
*    │     0070 - 3f 91 ca c5 2b 72 8e ea-46 47 46 23 32 ed eb b8   ?...+r..FGF#2...
*    │     0080 - a1 d8 6c 34 da 90 9b d5-a0 1c df 92 86 b3 57 dc   ..l4..........W.
*    │     0090 - c1 fd 9c 3d e3 85 f4 96-88 ee 9e 3b 72 1b 77 0f   ...=.......;r.w.
    │ 
    │     Start Time: 1348801913
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.


As above we can see the session ticket is identical.

TEST 4: ensure that the session tickets timeout

The configuration has a 10 second timeout. Here we run the client with 15 seconds between 
reconnections:

$ ./openssl-client -r -d 15  localhost 4433

Expected output:

[✔] Parse arguments.
[✔] Initialize OpenSSL library.
[✔] Solve localhost:4433:
    │ Will connect to 127.0.0.1
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
    │ SSL session was not used
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
    │     Session-ID: F812EC4DEFA21936D5578D55646ED7DA81C3096070A653142217E4D727B4DEC7
    │     Session-ID-ctx: 
    │     Master-Key: 32BA72DBE79A4FCC429B61F646970049E7E2BAC86770500D4AF8767803667D73C8E8C5DBD1C465131550420F587C7183
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
*    │     TLS session ticket:
*    │     0000 - c5 c9 7d 85 16 41 e4 5b-cc 5f 6a 4e fe a5 bf 9f   ..}..A.[._jN....
*    │     0010 - 9c 07 f2 4f d5 af 8f 42-76 2f 8e f5 b1 55 84 86   ...O...Bv/...U..
*    │     0020 - f1 27 11 55 cf e9 a4 bd-82 b0 47 89 d7 01 75 b9   .'.U......G...u.
*    │     0030 - e3 99 94 89 f1 bd 49 17-30 2c 67 5c 02 85 47 ed   ......I.0,g\..G.
*    │     0040 - e3 ea f3 2a 08 a8 68 f1-ca eb ac 59 56 45 b7 51   ...*..h....YVE.Q
*    │     0050 - e0 9a 3b 29 9b 85 f0 8a-10 bd 84 3c af 84 d2 70   ..;).......<...p
*    │     0060 - 54 16 8a 36 65 98 c7 a4-b9 a6 f0 38 fe e6 83 c9   T..6e......8....
*    │     0070 - 7b b3 41 e9 ba 03 62 21-cd f3 fb d7 36 75 30 b1   {.A...b!....6u0.
*    │     0080 - 30 42 d0 80 d2 ac 9e 36-e5 9e 91 df e2 91 d1 b2   0B.....6........
*    │     0090 - 20 06 0d bf d3 41 33 75-05 67 b7 b8 e6 b0 0c 57    ....A3u.g.....W
    │ 
    │     Start Time: 1348802062
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.
[✔] waiting 15 seconds.
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
*[‼] Check if session was reused:
*    │ No session was reused.
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
    │     Session-ID: 6B8C59C43F82A7E68B59772C7E219C1A147BD811AFEA1C06D2B299AEDCE54E13
    │     Session-ID-ctx: 
    │     Master-Key: 3CD7B96D73240062DEC972C2C85A56AFA393F8AE2FE43E20D666C9201176250333C0C1EBC5A20ADB260C48102D8703E2
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
*    │     TLS session ticket:
*    │     0000 - 06 94 4c bf 32 22 98 df-85 6a a7 a7 59 dc e5 63   ..L.2"...j..Y..c
*    │     0010 - 2c 40 ca ca 47 46 74 1a-40 69 ed ef 94 f2 36 9a   ,@..GFt.@i....6.
*    │     0020 - e6 e9 d3 7c 72 ff eb 09-0b fc 6d 90 43 f5 11 db   ...|r.....m.C...
*    │     0030 - 0e 94 10 72 ce 99 23 d4-cd 2d 2c e7 c7 85 53 59   ...r..#..-,...SY
*    │     0040 - 0f 73 25 91 f1 40 f5 c8-62 6c b5 9c 80 2e a4 69   .s%..@..bl.....i
*    │     0050 - 29 89 1c ee 6b 75 73 f4-c8 9a d8 d0 c8 20 b2 58   )...kus...... .X
*    │     0060 - a0 5b 04 2f 7e 08 9e c6-be 53 95 9f 20 d0 a4 ca   .[./~....S.. ...
*    │     0070 - 36 df 50 32 76 d8 0e d9-d6 2b 8e b3 32 fc 45 97   6.P2v....+..2.E.
*    │     0080 - 21 6d db f9 16 45 76 8d-90 e3 5c 08 6c a0 c9 47   !m...Ev...\.l..G
*    │     0090 - 7d 69 0a 7a ff c8 f7 11-e0 b9 91 2a 3c db 80 2f   }i.z.......*<../
    │ 
    │     Start Time: 1348802077
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.

Here we see that there was no session resumption and the session tickets are different.

TEST 5: Session ticket renewing.

With a timeout set for 10 seconds the renew time is 5 seconds. Here we perform a number
of reconnections 4 seconds apart.

Wait 10 seconds after the last test to ensure that the session ticket cache has expired.

$ ./openssl-client -r -r -r  -d 4  localhost 4433

(almost) Expected output:

[✔] Parse arguments.
[✔] Initialize OpenSSL library.
[✔] Solve localhost:4433:
    │ Will connect to 127.0.0.1
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
    │ SSL session was not used
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
    │     Session-ID: B1C4C69EA2AF8B6A20829B8DEDC8F7538470C3349F730E617A42FA1D1FAA0C62
    │     Session-ID-ctx: 
    │     Master-Key: 2AB6444DC0C983293CCAA41A76943D329B05AEC6597230C239D2FA5552AD25D4448DB014D28C8BF68F8A49198D3CE26D
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
*    │     TLS session ticket:
*    │     0000 - 8c f0 b6 e1 a1 50 8f 88-a0 9d 2a 91 0d 6b d6 65   .....P....*..k.e
*    │     0010 - 70 74 24 ec 6f 83 5c ee-80 cf be 8c d8 e1 65 84   pt$.o.\.......e.
*    │     0020 - 80 a1 e2 26 1b c9 5b 23-b8 5a 9a 0e 33 cf 62 4d   ...&..[#.Z..3.bM
*    │     0030 - 93 1f b1 42 aa 13 d4 20-b9 22 81 ee f4 2d 38 d7   ...B... ."...-8.
*    │     0040 - e3 18 cf a9 c3 fb 81 8d-1f f9 93 bf 08 7a c1 16   .............z..
*    │     0050 - a0 98 16 0a bf dc df cd-82 f9 b0 1c f2 94 1d 67   ...............g
*    │     0060 - 49 59 a1 df ff 4d 51 c5-72 34 64 08 8f 96 c9 c7   IY...MQ.r4d.....
*    │     0070 - aa 02 2b 03 91 b2 6f e8-dc 8d 79 34 88 f7 6f 51   ..+...o...y4..oQ
*    │     0080 - 77 92 82 ac e7 ef 48 3f-28 9a a4 7d be 9e 7d 63   w.....H?(..}..}c
*    │     0090 - f5 03 cc a5 7f ee d8 bc-93 54 7f 67 90 ef 64 df   .........T.g..d.
    │ 
    │     Start Time: 1348909837
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.
[✔] waiting 4 seconds.
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
    │ SSL session correctly reused
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
    │     Session-ID: B1C4C69EA2AF8B6A20829B8DEDC8F7538470C3349F730E617A42FA1D1FAA0C62
    │     Session-ID-ctx: 
    │     Master-Key: 2AB6444DC0C983293CCAA41A76943D329B05AEC6597230C239D2FA5552AD25D4448DB014D28C8BF68F8A49198D3CE26D
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
*    │     TLS session ticket:
*    │     0000 - 8c f0 b6 e1 a1 50 8f 88-a0 9d 2a 91 0d 6b d6 65   .....P....*..k.e
*    │     0010 - 70 74 24 ec 6f 83 5c ee-80 cf be 8c d8 e1 65 84   pt$.o.\.......e.
*    │     0020 - 80 a1 e2 26 1b c9 5b 23-b8 5a 9a 0e 33 cf 62 4d   ...&..[#.Z..3.bM
*    │     0030 - 93 1f b1 42 aa 13 d4 20-b9 22 81 ee f4 2d 38 d7   ...B... ."...-8.
*    │     0040 - e3 18 cf a9 c3 fb 81 8d-1f f9 93 bf 08 7a c1 16   .............z..
*    │     0050 - a0 98 16 0a bf dc df cd-82 f9 b0 1c f2 94 1d 67   ...............g
*    │     0060 - 49 59 a1 df ff 4d 51 c5-72 34 64 08 8f 96 c9 c7   IY...MQ.r4d.....
*    │     0070 - aa 02 2b 03 91 b2 6f e8-dc 8d 79 34 88 f7 6f 51   ..+...o...y4..oQ
*    │     0080 - 77 92 82 ac e7 ef 48 3f-28 9a a4 7d be 9e 7d 63   w.....H?(..}..}c
*    │     0090 - f5 03 cc a5 7f ee d8 bc-93 54 7f 67 90 ef 64 df   .........T.g..d.
    │ 
    │     Start Time: 1348909837
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.
[✔] waiting 4 seconds.
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
    │ SSL session correctly reused
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
    │     Session-ID: B1C4C69EA2AF8B6A20829B8DEDC8F7538470C3349F730E617A42FA1D1FAA0C62
    │     Session-ID-ctx: 
    │     Master-Key: 2AB6444DC0C983293CCAA41A76943D329B05AEC6597230C239D2FA5552AD25D4448DB014D28C8BF68F8A49198D3CE26D
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
*    │     TLS session ticket:
*    │     0000 - 8c f0 b6 e1 a1 50 8f 88-a0 9d 2a 91 0d 6b d6 65   .....P....*..k.e
*    │     0010 - 70 74 24 ec 6f 83 5c ee-80 cf be 8c d8 e1 65 84   pt$.o.\.......e.
*    │     0020 - 80 a1 e2 26 1b c9 5b 23-b8 5a 9a 0e 33 cf 62 4d   ...&..[#.Z..3.bM
*    │     0030 - 93 1f b1 42 aa 13 d4 20-b9 22 81 ee f4 2d 38 d7   ...B... ."...-8.
*    │     0040 - e3 18 cf a9 c3 fb 81 8d-1f f9 93 bf 08 7a c1 16   .............z..
*    │     0050 - a0 98 16 0a bf dc df cd-82 f9 b0 1c f2 94 1d 67   ...............g
*    │     0060 - 49 59 a1 df ff 4d 51 c5-72 34 64 08 8f 96 c9 c7   IY...MQ.r4d.....
*    │     0070 - aa 02 2b 03 91 b2 6f e8-dc 8d 79 34 88 f7 6f 51   ..+...o...y4..oQ
*    │     0080 - 77 92 82 ac e7 ef 48 3f-28 9a a4 7d be 9e 7d 63   w.....H?(..}..}c
*    │     0090 - f5 03 cc a5 7f ee d8 bc-93 54 7f 67 90 ef 64 df   .........T.g..d.
    │ 
    │     Start Time: 1348909837
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.
[✔] waiting 4 seconds.
[✔] Connect to localhost:4433.
*[✘] Start TLS renegotiation:
*    │ Unable to start TLS renegotiation:
*    │ error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message

The first three session tickets are identical, which is what's expected.

The last connection should have reconnected but had a different TLS session ticket.

TEST 6:  Client certificate support

Here we use the cert.pem and key.pem generated earlier.

$ ./openssl-client -r -S -C cert.pem -K key.pem localhost 4433

Expected Output:

[✔] Parse arguments.
[✔] Initialize OpenSSL library.
[✔] Solve localhost:4433:
    │ Will connect to 127.0.0.1
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
    │ SSL session was not used
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
    │     Session-ID: 126A1CC3AC0E73853391E612FD8992DE502A91CEA6F7DB7572882DF4EFF0C496
    │     Session-ID-ctx: 
    │     Master-Key: E89B9E260BDF67BFEFD4FAE1ED056F4D1BF3FDFD09C50A091A7292756C65430C10C7F131F4C4C557C3A836EC02C3109F
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
*    │     TLS session ticket:
*    │     0000 - 0b 0b 2d b4 92 c1 b3 ba-fe 01 6f f6 1c 35 0e 3f   ..-.......o..5.?
*    │     0010 - d9 e5 e8 dd ed 9a f7 82-83 2f 01 4f 88 70 5e 73   ........./.O.p^s
*    │     0020 - 88 b0 c8 eb dc 18 2c d3-0f ef 6d dd 6e ce 9e f3   ......,...m.n...
*    │     0030 - 85 15 e9 f5 bf 21 38 c0-f6 ce d0 e8 f5 6c 37 54   .....!8......l7T
*    │     0040 - 42 46 0f 71 59 c5 45 62-41 20 e6 cc 6a 1f 16 a0   BF.qY.EbA ..j...
*    │     0050 - a0 a8 fc 21 21 f6 20 ff-a1 41 3f 6b 08 f4 1b bc   ...!!. ..A?k....
*    │     0060 - c2 19 a1 d5 ae 97 79 7f-0c 4c 93 81 22 1c e1 f1   ......y..L.."...
*    │     0070 - d0 76 d9 13 e7 e1 7e 15-b2 31 ff 5a 2c 1f a0 b4   .v....~..1.Z,...
*    │     0080 - e8 88 24 13 66 45 34 e4-65 c7 e9 12 57 75 bb 42   ..$.fE4.e...Wu.B
*    │     0090 - c8 b3 82 cf 0e 98 05 de-27 5e c5 e4 a5 c9 fd b0   ........'^......
*    │     00a0 - 40 75 d8 ae 22 39 b1 78-79 5f 7c aa 31 fd bd fa   @u.."9.xy_|.1...
*    │     00b0 - 2f 66 96 56 2c 4f aa 7e-29 d6 3a 58 ec f1 2b 51   /f.V,O.~).:X..+Q
*    │     00c0 - e6 84 25 31 d3 36 92 c5-0d f7 77 56 06 86 ed 24   ..%1.6....wV...$
*    │     00d0 - b3 46 93 69 82 c6 c8 a7-5d 7d 90 d3 fc 7b ca 0b   .F.i....]}...{..
*    │     00e0 - ce 8d f2 be 83 70 21 eb-ae 41 f0 63 49 a8 d9 b0   .....p!..A.cI...
*    │     00f0 - bc d1 8b b0 9d 4f ca 94-d5 0c 38 f7 b0 58 c2 0c   .....O....8..X..
*    │     0100 - 55 dd b8 2a 26 7f bf ff-d1 c5 26 19 96 0d 7d 2e   U..*&.....&...}.
*    │     0110 - ff 1c 2a 4c 95 16 44 ae-29 db cb 45 1e 59 c6 ce   ..*L..D.)..E.Y..
    │     0120 - c0 8c a5 6f dd 7e 3e e1-6d 7d 0c d4 8e 55 be 07   ...o.~>.m}...U..
    │     0130 - 5d d2 c6 62 53 34 09 7c-fc 32 58 bf 8b 2a 37 d0   ]..bS4.|.2X..*7.
    │     0140 - e0 3f 67 81 72 4a a9 06-b1 83 32 7c fd d2 a4 40   .?g.rJ....2|...@
    │     0150 - 41 13 8c 03 db 2d 12 90-c7 36 3b 46 27 51 4f 65   A....-...6;F'QOe
    │     0160 - e4 f8 c3 06 ec b9 4c 04-76 1c 0e 1d 77 0e 86 3d   ......L.v...w..=
    │     0170 - 42 d3 19 6e ad b9 16 09-41 21 9c a8 a3 50 b8 ad   B..n....A!...P..
    │     0180 - 80 99 4f 1a c1 36 e4 25-52 22 e7 56 e2 10 b0 b4   ..O..6.%R".V....
    │     0190 - 89 2d a0 3f 7c cc d8 9f-80 99 92 fb e4 cd 71 1f   .-.?|.........q.
    │     01a0 - 14 de d3 82 07 cd 7d 31-78 e2 ec ba 5f a0 b3 07   ......}1x..._...
    │     01b0 - 92 df fa 84 cf c7 4f 5b-ca 84 fc ac 80 6b 0f 6b   ......O[.....k.k
    │     01c0 - 5b a1 f3 a3 89 86 e4 dc-68 93 01 43 57 02 6c ea   [.......h..CW.l.
    │     01d0 - b3 bc 06 55 37 d5 3a b7-39 50 c0 f9 27 e2 10 a7   ...U7.:.9P..'...
    │     01e0 - 63 f7 0e e9 f3 8c 69 6b-63 8f d1 36 1d 3e 49 94   c.....ikc..6.>I.
    │     01f0 - 3c 1d c2 00 8d aa b6 ca-d5 eb 78 81 86 ae 5d 24   <.........x...]$
    │     0200 - 74 6b e1 3e 75 ef ff d5-e3 ff 84 d5 f0 0e b1 d9   tk.>u...........
    │     0210 - 9f c6 d1 a1 82 e4 14 40-84 8d 03 c4 75 5d a9 77   .......@....u].w
    │     0220 - 6e eb bd 48 be bc 24 e8-15 41 6e 4f e4 19 8b b6   n..H..$..AnO....
    │     0230 - b8 59 d1 30 5c 02 5d 2c-4c 8b 9e b5 45 4b 2b 6a   .Y.0\.],L...EK+j
    │     0240 - d6 6e 42 2d d3 f3 ba 8a-a7 61 af 68 f0 98 97 d2   .nB-.....a.h....
    │     0250 - 11 c6 94 31 58 39 18 57-03 cf 2e 9a 9a ef 69 02   ...1X9.W......i.
    │     0260 - b4 c5 f9 65 5c e3 d9 bc-90 3d fe 75 30 ec 74 11   ...e\....=.u0.t.
    │     0270 - 4b ba d9 3b 74 60 14 20-e1 33 33 72 d4 b5 5c b3   K..;t`. .33r..\.
    │     0280 - 37 ca 23 90 20 a1 bb 5e-3e c7 67 6b 53 e6 fc 9c   7.#. ..^>.gkS...
    │     0290 - 1b c5 e0 32 86 8b 8d 90-37 a6 e2 57 61 23 80 99   ...2....7..Wa#..
    │     02a0 - 5b fd df 71 22 cd 12 d1-95 32 f7 fd 6b 49 4d a7   [..q"....2..kIM.
    │     02b0 - 4f a2 5a 7d 35 da da 50-03 b1 ee 65 f5 9b 2b 3b   O.Z}5..P...e..+;
    │     02c0 - f5 d2 00 df a1 13 c9 cd-9b d1 68 c7 57 b4 fa a7   ..........h.W...
    │     02d0 - ba 97 0e 56 c1 a8 98 89-4b 61 d4 99 24 fc 32 55   ...V....Ka..$.2U
    │     02e0 - 6b b0 c6 2a 52 85 19 59-68 b3 95 1d 54 6f 69 92   k..*R..Yh...Toi.
    │     02f0 - c1 cf c8 df 72 c6 40 6b-c9 5c ee e7 6b c5 91 9d   ....r.@k.\..k...
    │     0300 - db 04 0d 1d 1b f1 d5 90-b4 06 48 e6 50 40 1f d9   ..........H.P@..
    │     0310 - d7 f0 6b 88 ae c1 94 90-31 de 7a 49 fe 71 4a c4   ..k.....1.zI.qJ.
    │     0320 - 52 e4 00 be 94 95 97 67-c0 5b 25 4e 40 0f 1f a0   R......g.[%N@...
    │     0330 - 1c eb 2a ce 7d 7b 05 01-e9 8d ed 86 fd af ab 28   ..*.}{.........(
    │     0340 - 20 31 c9 33 45 85 51 df-e3 78 f2 e2 3e 37 cb a2    1.3E.Q..x..>7..
    │     0350 - fd 46 78 4d a3 08 93 e9-cf 87 63 34 5c a9 37 a6   .FxM......c4\.7.
    │     0360 - 05 c0 bb 0c 3c cd 9a 3b-c2 80 e3 6e f6 2d 6a 6d   ....<..;...n.-jm
    │     0370 - 8d 0d 99 5b d4 53 3b 4a-5c bd ca 26 7f 46 3b 11   ...[.S;J\..&.F;.
    │     0380 - a6 cf cb 48 32 c9 0f dd-5a 86 13 61 b7 a5 5e 2c   ...H2...Z..a..^,
    │     0390 - f5 9b 59 68 d6 98 53 32-ec 94 69 39 6f 16 41 29   ..Yh..S2..i9o.A)
    │     03a0 - 79 fd 48 d5 5c ae 7e 2f-99 46 6a 0e 88 1f 05 93   y.H.\.~/.Fj.....
    │     03b0 - 5a 0b 6d b7 be 16 bb 9c-73 63 02 53 c2 2e 68 9e   Z.m.....sc.S..h.
    │     03c0 - 53 8c 63 55 49 53 06 05-2d 88 ed 0d d1 ad d2 8f   S.cUIS..-.......
    │     03d0 - 44 df ac ab d7 c7 3a 3a-61 8a 00 a6 77 6f a8 20   D.....::a...wo. 
    │     03e0 - 3e cf 60 94 92 ff fe d3-53 a4 ef 2a fd 75 a8 75   >.`.....S..*.u.u
    │     03f0 - d3 c1 2c 6f 29 dc a2 87-3d 56 10 da 29 b0 93 6b   ..,o)...=V..)..k
    │     0400 - d0 e5 4c b0 d4 65 87 7b-7c be 99 0c 72 03 72 fa   ..L..e.{|...r.r.
    │     0410 - 8d 15 d6 c6 f9 1f f4 ed-f9 01 62 70 6f d7 fc 30   ..........bpo..0
    │ 
    │     Start Time: 1348910565
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.
[✔] waiting 0 seconds.
[✔] Connect to localhost:4433.
[✔] Start TLS renegotiation.
*[✔] Check if session was reused:
*    │ SSL session correctly reused
[✔] Get current session:
    │ Session content:
    │ SSL-Session:
    │     Protocol  : TLSv1
    │     Cipher    : DHE-RSA-AES256-SHA
    │     Session-ID: 126A1CC3AC0E73853391E612FD8992DE502A91CEA6F7DB7572882DF4EFF0C496
    │     Session-ID-ctx: 
    │     Master-Key: E89B9E260BDF67BFEFD4FAE1ED056F4D1BF3FDFD09C50A091A7292756C65430C10C7F131F4C4C557C3A836EC02C3109F
    │     Key-Arg   : None
    │     Krb5 Principal: None
    │     PSK identity: None
    │     PSK identity hint: None
*    │     TLS session ticket:
*    │     0000 - 0b 0b 2d b4 92 c1 b3 ba-fe 01 6f f6 1c 35 0e 3f   ..-.......o..5.?
*    │     0010 - d9 e5 e8 dd ed 9a f7 82-83 2f 01 4f 88 70 5e 73   ........./.O.p^s
*    │     0020 - 88 b0 c8 eb dc 18 2c d3-0f ef 6d dd 6e ce 9e f3   ......,...m.n...
*    │     0030 - 85 15 e9 f5 bf 21 38 c0-f6 ce d0 e8 f5 6c 37 54   .....!8......l7T
*    │     0040 - 42 46 0f 71 59 c5 45 62-41 20 e6 cc 6a 1f 16 a0   BF.qY.EbA ..j...
......(abbreviated)
    │     03c0 - 53 8c 63 55 49 53 06 05-2d 88 ed 0d d1 ad d2 8f   S.cUIS..-.......
    │     03d0 - 44 df ac ab d7 c7 3a 3a-61 8a 00 a6 77 6f a8 20   D.....::a...wo. 
    │     03e0 - 3e cf 60 94 92 ff fe d3-53 a4 ef 2a fd 75 a8 75   >.`.....S..*.u.u
    │     03f0 - d3 c1 2c 6f 29 dc a2 87-3d 56 10 da 29 b0 93 6b   ..,o)...=V..)..k
    │     0400 - d0 e5 4c b0 d4 65 87 7b-7c be 99 0c 72 03 72 fa   ..L..e.{|...r.r.
    │     0410 - 8d 15 d6 c6 f9 1f f4 ed-f9 01 62 70 6f d7 fc 30   ..........bpo..0
    │ 
    │     Start Time: 1348910565
    │     Timeout   : 7200 (sec)
    │     Verify return code: 18 (self signed certificate)
[✔] Send HTTP GET.
[✔] Get HTTP answer:
    │ HTTP/1.1 200 OK
[✔] End TLS connection.

As we can see, the session ticket is bigger, as the client certificate forms
part of the blob in the session ticket (encrypted by the server key).

The renegotiation also works: the output reports the session as reused, and the
session ticket is the same.

$ tail /usr/local/nginx/logs/access.log
127.0.0.1 - - [29/Sep/2012:19:22:45 +1000] "GET / HTTP/1.0" 200 612 "-" "-" "-" "TLSv1" "/CN=localhost"
127.0.0.1 - - [29/Sep/2012:19:22:45 +1000] "GET / HTTP/1.0" 200 612 "-" "-" "-" "TLSv1" "/CN=localhost"

The nginx access log has been configured to show the client certificate CN
as the last item. The log lines above show that the client certificate is
also present on the renegotiation.
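
The by-eye comparisons in tests 1 to 6 (was the session reused, are the Session-ID
and ticket identical, how long is the ticket) can be scripted. The parser below is an
added example, not part of the rfc5077 tool or the patch; it assumes the output layout
shown above, and SAMPLE is constructed data with shortened, made-up tickets.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the client's output layout (values are made up and the
# tickets shortened); a leading "*" is this document's "key bit" annotation.
SAMPLE = """\
[✔] Connect to localhost:4433.
[✔] Check if session was reused:
    │ SSL session was not used
[✔] Get current session:
    │     Session-ID: AB12CD34
*    │     TLS session ticket:
*    │     0000 - a0 a1 a2 a3 a4 a5 a6 a7-a8 a9 aa ab ac ad ae af   ................
*    │     0010 - b0 b1 b2 b3                                       ....
[✔] waiting 4 seconds.
[✔] Connect to localhost:4433.
*[✔] Check if session was reused:
*    │ SSL session correctly reused
[✔] Get current session:
    │     Session-ID: AB12CD34
    │     TLS session ticket:
    │     0000 - a0 a1 a2 a3 a4 a5 a6 a7-a8 a9 aa ab ac ad ae af   ................
    │     0010 - b0 b1 b2 b3                                       ....
[✔] waiting 4 seconds.
[✔] Connect to localhost:4433.
*[✘] Start TLS renegotiation:
*    │ Unable to start TLS renegotiation:
*    │ error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message
"""

STEP = re.compile(r"^\*?\[(.)\] (.*)$")               # "[✔] Step title"
SESSION_ID = re.compile(r"Session-ID:\s*([0-9A-Fa-f]+)")
# Hex column of a dump line only; the trailing ASCII column is not captured.
HEXDUMP = re.compile(r"│\s+[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})")


@dataclass
class Connection:
    reused: Optional[bool] = None     # None: the reuse check was never reached
    session_id: Optional[str] = None
    ticket: bytes = b""
    errors: list = field(default_factory=list)


def parse_run(text):
    """Split one client run into connections (one per 'Connect to' step)."""
    conns, cur, failed_step = [], None, False
    for line in text.splitlines():
        step = STEP.match(line)
        if step:
            mark, title = step.groups()
            if title.startswith("Connect to "):
                cur = Connection()
                conns.append(cur)
            failed_step = mark == "✘"
            if failed_step and cur is not None:
                cur.errors.append(title.rstrip(":"))
            continue
        if cur is None:
            continue
        if (m := HEXDUMP.search(line)):
            cur.ticket += bytes.fromhex(m.group(1).replace("-", " "))
        elif (m := SESSION_ID.search(line)):
            cur.session_id = m.group(1).upper()
        elif "correctly reused" in line:
            cur.reused = True
        elif "was not used" in line or "No session was reused" in line:
            cur.reused = False
        elif failed_step and "error:" in line:
            cur.errors.append(line.split("│", 1)[-1].strip())
    return conns


def compare(conns):
    """For each reconnection, compare it with the connection before it."""
    report = []
    for n, (prev, c) in enumerate(zip(conns, conns[1:]), start=2):
        report.append({
            "connection": n,
            "resumed": c.reused is True,
            "same_session_id": c.session_id is not None
                               and c.session_id == prev.session_id,
            "same_ticket": bool(c.ticket) and c.ticket == prev.ticket,
            "ticket_len": len(c.ticket),
            "errors": c.errors,
        })
    return report


if __name__ == "__main__":
    for row in compare(parse_run(SAMPLE)):
        print(row)
```

To check a real run, pass the captured openssl-client output to parse_run() in place of SAMPLE.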

KNOWN DEFICIENCIES

The TLS session ticket lifetime hint doesn't seem to be set. The OpenSSL
session print routine used by openssl-client doesn't display it, and the code looks
like it would if it were set (ssl_txt.c in the openssl source). tlsext_tick_lifetime_hint
is an attribute of SSL_SESSION, but it is unclear whether it is a stable API.

UNTESTED:

Windows NGX_THREADS implementation; however, locking is written.

Multi worker operation
