From: Viktor Szakats Date: Wed, 31 Dec 2025 17:15:17 +0000 (+0100) Subject: pytest: replace allowlist with feature check to enable OCSP test 17_08 X-Git-Tag: curl-8_18_0~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8292820b734cf0e27c20e17b3af1d35d9d0e2051;p=thirdparty%2Fcurl.git pytest: replace allowlist with feature check to enable OCSP test 17_08 Add a `cert-status` feature flag to `curlinfo`, based on the conditions used in `lib/vtls` sources. To: - fix disabling this test when using OpenSSL (or fork) built with the `no-ocsp` option. - enable this test for AWS-LC in CI. Note: - BoringSSL (and quiche) has OSCP disabled by default. - MultiSSL dynamic selection continues to confuse this test. (To fix it, support would need to be detected by querying libcurl via curl. Probably overkill given that OCSP is on its way out.) Follow-up to f2c765028fcf91c4f7bf15eeb0249d525e13ac8f #20149 Closes #20133 --- diff --git a/src/curlinfo.c b/src/curlinfo.c index 9e6030d553..3be2d8206d 100644 --- a/src/curlinfo.c +++ b/src/curlinfo.c @@ -39,6 +39,10 @@ #include +#if defined(USE_QUICHE) || defined(USE_OPENSSL) +#include /* for OPENSSL_NO_OCSP */ +#endif + static const char *disabled[] = { "bindlocal: " #ifdef CURL_DISABLE_BINDLOCAL @@ -242,6 +246,14 @@ static const char *disabled[] = { "ON" #else "OFF" +#endif + , + "cert-status: " +#if defined(USE_GNUTLS) || \ + ((defined(USE_QUICHE) || defined(USE_OPENSSL)) && !defined(OPENSSL_NO_OCSP)) + "ON" +#else + "OFF" #endif }; diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py index 6618a5d713..4ef8ad1f94 100644 --- a/tests/http/test_17_ssl_use.py +++ b/tests/http/test_17_ssl_use.py 
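Review bot: The `cert-status` condition in the second `src/curlinfo.c` hunk copies the OCSP guards from `lib/vtls`, but nothing in the source ties the two together. If either side changes later, `curlinfo` can report `OFF` and the OCSP stapling test is then skipped without any failure to draw attention to it. A comment directly above the `"cert-status: "` entry, for example `/* must match the cert-status (OCSP stapling) guards in lib/vtls */`, would record that dependency. The `!defined(OPENSSL_NO_OCSP)` term is only meaningful because of the guarded include added in the first hunk, which the same comment could mention. The `disabled[]` table begins and ends outside both hunks.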
@@ -292,10 +292,7 @@ class TestSSLUse: @pytest.mark.parametrize("proto", Env.http_protos()) def test_17_08_cert_status(self, env: Env, proto, httpd, nghttpx): - if not env.curl_uses_lib('openssl') and \ - not env.curl_uses_lib('quictls') and \ - not env.curl_uses_lib('libressl') and \ - not env.curl_uses_lib('gnutls'): + if not env.curl_can_cert_status(): pytest.skip("TLS library does not support --cert-status") curl = CurlClient(env=env) domain = 'localhost' diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py index d0ce6f53f8..76df2edb49 100644 --- a/tests/http/testenv/env.py +++ b/tests/http/testenv/env.py @@ -164,6 +164,7 @@ class EnvConfig: if p.returncode != 0: raise RuntimeError(f'{self.curlinfo} failed with exit code: {p.returncode}') self.curl_is_verbose = 'verbose-strings: ON' in p.stdout + self.curl_can_cert_status = 'cert-status: ON' in p.stdout self.ports = {} @@ -506,6 +507,10 @@ class Env: def curl_is_verbose() -> bool: return Env.CONFIG.curl_is_verbose + @staticmethod + def curl_can_cert_status() -> bool: + return Env.CONFIG.curl_can_cert_status + @staticmethod def curl_can_early_data() -> bool: if Env.curl_uses_lib('gnutls'):
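Review bot: The skip in `test_17_08_cert_status` now depends on a compile-time flag, but nothing at the call site records the limitation the commit message describes. On a MultiSSL build the flag can read ON while the backend selected at run time lacks support, so a failure there will look like a regression. A comment above the `if`, such as `# compile-time flag from curlinfo; a MultiSSL build may still select a backend without OCSP stapling`, would make that diagnosable. The test body continues outside the hunk.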
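Review bot: In the `EnvConfig` hunk, `'cert-status: ON' in p.stdout` is False both when curlinfo prints `cert-status: OFF` and when it prints no such line at all. A curlinfo binary that does not emit the flag therefore turns the OCSP test off silently. A comment on the assignment, such as `# a missing cert-status line reads as OFF and skips test_17_08`, would make that fail-to-skip behaviour explicit. The accessor added in the following `Env` hunk has no docstring; `"""Return True if curlinfo reports cert-status (OCSP stapling) support as compiled in."""` states what it returns. Both enclosing definitions start outside their hunks.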