From: Remi Tricot-Le Breton
Date: Tue, 11 Jan 2022 16:29:24 +0000 (+0100)
Subject: REGTESTS: ssl: Fix ssl_errors regtest with OpenSSL 1.0.2
X-Git-Tag: v2.6-dev1~145
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aab8d255bc0fcbcc50884a4be4f69598ee08fe73;p=thirdparty%2Fhaproxy.git

REGTESTS: ssl: Fix ssl_errors regtest with OpenSSL 1.0.2

This test was broken with OpenSSL 1.0.2 after commit a996763619d (BUG/MINOR: ssl: Store client SNI in SSL context in case of ClientHello error) because it expected the default TLS version to be 1.3 in some cases (when it can't be the case with OpenSSL 1.0.2).
---
diff --git a/reg-tests/ssl/ssl_errors.vtc b/reg-tests/ssl/ssl_errors.vtc
index 6148a9dee6..b1c36ec50f 100644
--- a/reg-tests/ssl/ssl_errors.vtc
+++ b/reg-tests/ssl/ssl_errors.vtc
@@ -136,16 +136,19 @@ syslog Slg_bcknd -level info {
 syslog Slg_bcknd_fe -level info {
 # Client c13 - No error
+ # Depending on the version of OpenSSL, the TLS version and ciphersuite will change
 recv
- expect ~ ".* Server/TLSv1.3/TLS_AES_256_GCM_SHA384"
+ expect ~ ".* Server/(TLSv1.3/TLS_AES_256_GCM_SHA384|TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384)"
 # Client c14 - Server certificate rejected
+ # Depending on the version of OpenSSL, the TLS version and ciphersuite will change
 recv
- expect ~ ".* foo.com/TLSv1.3/TLS_AES_256_GCM_SHA384"
+ expect ~ ".* foo.com/(TLSv1.3/TLS_AES_256_GCM_SHA384|TLSv1.2/\\(NONE\\))"
 # Client c15 - Server certificate mismatch (verifyhost option on backend)
+ # Depending on the version of OpenSSL, the TLS version and ciphersuite will change
 recv
- expect ~ ".* foo.com/TLSv1.3/TLS_AES_256_GCM_SHA384"
+ expect ~ ".* foo.com/(TLSv1.3/TLS_AES_256_GCM_SHA384|TLSv1.2/\\(NONE\\))"
 # Client c16 - Client certificate rejected
 recv
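Review bot: The widened patterns for c13, c14 and c15 (and for c18 in the next hunk) accept either protocol version on every build, so on an OpenSSL that supports TLSv1.3 a connection that unexpectedly negotiates TLSv1.2 would still satisfy the test and a protocol-downgrade regression would go unnoticed. If the suite can gate on the library version, for example a `feature cmd` using `openssl_version_atleast(1.1.1)`, keeping the strict TLSv1.3 expectation in one variant and the 1.0.2 expectation in another would preserve that check. The dots in `TLSv1.3`, `TLSv1.2` and `foo.com` are also unescaped regex wildcards; writing `TLSv1\\.3` would match only the literal version string. The `syslog Slg_bcknd_fe` block opened here continues past the end of this hunk.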
@@ -155,9 +158,11 @@ syslog Slg_bcknd_fe -level info {
 recv
 expect ~ ".* foo.com/TLSv1.2/\\(NONE\\)"
- # Client c18 - Wrong ciphers TLSv1.3 - the client does not get to send its certificate because the error happens before
+ # Client c18
+ # With OpenSSL1.0.2 -Wrong ciphers TLSv1.2 (same as c17)
+ # With newer versions - Wrong ciphers TLSv1.3 - the client does not get to send its certificate because the error happens before
 recv
- expect ~ ".* -/TLSv1.3/\\(NONE\\)"
+ expect ~ ".* (foo.com/TLSv1.2|-/TLSv1.3)/\\(NONE\\)"
 } -start