From: Ilya Shipitsin Date: Sat, 4 Dec 2021 09:32:23 +0000 (+0500) Subject: REGTESTS: ssl: use X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY for cert check X-Git-Tag: v2.6-dev1~292 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc1126610b78130595533bc1b05216f7e60e7ec8;p=thirdparty%2Fhaproxy.git REGTESTS: ssl: use X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY for cert check LibreSSL-3.4.2 introduced cert revocation check behaviour change, for some checks now X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20) is returned. https://github.com/libressl-portable/portable/issues/697 let us modify vtc accordingly
---
diff --git a/reg-tests/ssl/new_del_ssl_cafile.vtc b/reg-tests/ssl/new_del_ssl_cafile.vtc
index 166ba2c19c..4b045715d2 100644
--- a/reg-tests/ssl/new_del_ssl_cafile.vtc
+++ b/reg-tests/ssl/new_del_ssl_cafile.vtc
@@ -60,7 +60,7 @@ client c1 -connect ${h1_clearlst_sock} {
 rxresp
 expect resp.status == 200
 # The CA file known by the frontend does not allow to verify the client's certificate
- expect resp.http.X-SSL-Client-Verify == 21
+ expect resp.http.X-SSL-Client-Verify ~ "20|21"
 } -run
 # This connection should fail because the with-ca.com sni is not mentioned in the crt-list yet.
diff --git a/reg-tests/ssl/set_ssl_cafile.vtc b/reg-tests/ssl/set_ssl_cafile.vtc
index 38ee91952f..c9dbf7490e 100644
--- a/reg-tests/ssl/set_ssl_cafile.vtc
+++ b/reg-tests/ssl/set_ssl_cafile.vtc
@@ -77,7 +77,7 @@ client c1 -connect ${h1_clearlst_sock} {
 rxresp
 expect resp.status == 200
 # unable to verify the client certificate
- expect resp.http.X-SSL-Client-Verify == 21
+ expect resp.http.X-SSL-Client-Verify ~ "20|21"
 } -run
 # Set a new ca-file without committing it and check that the new ca-file is not taken into account
@@ -106,7 +106,7 @@ client c1 -connect ${h1_clearlst_sock} {
 rxresp
 expect resp.status == 200
 # unable to verify the client certificate
- expect resp.http.X-SSL-Client-Verify == 21
+ expect resp.http.X-SSL-Client-Verify ~ "20|21"
 } -run
 haproxy h1 -cli {
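Review bot: The new pattern `"20|21"` in the new_del_ssl_cafile.vtc hunk is an unanchored regex, so `~` accepts any X-SSL-Client-Verify value that merely contains 20 or 21 rather than exactly one of the two verify codes the commit message describes. Since these are negative tests (the client certificate must fail verification with a specific error), anchoring keeps them as strict as the old `== 21` check: `expect resp.http.X-SSL-Client-Verify ~ "^(20|21)$"`. The same applies to both hunks in set_ssl_cafile.vtc. The comment above each check could also record why two codes are accepted, for example `# LibreSSL 3.4.2 returns 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) here instead of 21`. The enclosing `client c1` blocks start outside the hunks, so this is based only on the visible lines.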