LibreSSL-3.4.2 introduced a cert revocation check behaviour change: for some
checks X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20) is now returned.
https://github.com/libressl-portable/portable/issues/697
Let us modify the vtc accordingly.
rxresp
expect resp.status == 200
# The CA file known by the frontend does not allow to verify the client's certificate
- expect resp.http.X-SSL-Client-Verify == 21
+ expect resp.http.X-SSL-Client-Verify ~ "20|21"
} -run
# This connection should fail because the with-ca.com sni is not mentioned in the crt-list yet.
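Review bot: the pattern on the added line `expect resp.http.X-SSL-Client-Verify ~ "20|21"` is unanchored, so a header value that merely contains 20 or 21 (for example 120 or 210) would also pass. Anchoring it, as in `~ "^(20|21)$"`, keeps the check limited to the two codes named in the commit message.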
rxresp
expect resp.status == 200
# unable to verify the client certificate
- expect resp.http.X-SSL-Client-Verify == 21
+ expect resp.http.X-SSL-Client-Verify ~ "20|21"
} -run
# Set a new ca-file without committing it and check that the new ca-file is not taken into account
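Review bot: the comment above the changed expect, `# unable to verify the client certificate`, does not explain why two values are now accepted. Consider extending it to say that 21 was the value expected before and that 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) is what LibreSSL 3.4.2 returns for some checks, so the alternation is not tightened back to 21 by mistake later.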
rxresp
expect resp.status == 200
# unable to verify the client certificate
- expect resp.http.X-SSL-Client-Verify == 21
+ expect resp.http.X-SSL-Client-Verify ~ "20|21"
} -run
haproxy h1 -cli {
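Review bot: in the check that the uncommitted ca-file is not taken into account, accepting either code applies to every SSL library the test runs against, not only LibreSSL 3.4.2, so a build that previously had to return 21 now also passes with 20. If the test can tell which library is in use, keep `== 21` for the others; otherwise state in the commit message that the looser match is intentional for all libraries.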