From: William Lallemand Date: Wed, 21 Jan 2026 15:40:21 +0000 (+0100) Subject: REGTESTS: ssl: fix generate-certificates w/ LibreSSL X-Git-Tag: v3.4-dev3~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21b192e7995ffac2ac741367632059039e8268af;p=thirdparty%2Fhaproxy.git REGTESTS: ssl: fix generate-certificates w/ LibreSSL Since commit eb5279b15 ("BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes") the LibreSSL job does not seem to work anymore. Indeed the reg-tests was modified to add a SNI longer than 64 bytes, without any concern about the DNS standard, which allows only 63 bytes per label. LibreSSL is stricter than the other libraries about that, and checks that the SNI is compliant with the DNS RFC in the tlsext_sni_is_valid_hostname() function https://github.com/libressl/openbsd/blob/OPENBSD_7_8/src/lib/libssl/ssl_tlsext.c#L710 This patch fixes the issue by splitting the SNI with a second label to reach more than 64 bytes. Must be backported with eb5279b15 in every stable branches. --- diff --git a/reg-tests/ssl/ssl_generate_certificate.vtc b/reg-tests/ssl/ssl_generate_certificate.vtc index 1f758f98a..53f81c780 100644 --- a/reg-tests/ssl/ssl_generate_certificate.vtc +++ b/reg-tests/ssl/ssl_generate_certificate.vtc @@ -150,7 +150,7 @@ client c5 -connect ${h1_clearlst_sock} { # Use another SNI - the server certificate should be generated and different # than the default one client c6 -connect ${h1_clearlst_sock} { - txreq -url "/P-384" -hdr "x-sni: sni-longer-sni-longer-sni-longer-sni-longer-than-64-bytes-unknown-sni.com" + txreq -url "/P-384" -hdr "x-sni: sni-longer-sni-longer-sni-longer.sni-longer-than-64-bytes-unknown-sni.com" rxresp expect resp.status == 200 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"