From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 28 Jun 2024 14:08:39 +0000 (+0200)
Subject: To reliably trigger HRR we must use P-384 group
X-Git-Tag: openssl-3.0.15~70
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e56f195cd3b7b793ef3b6807d23b3c39aa3fb8cd;p=thirdparty%2Fopenssl.git

To reliably trigger HRR we must use P-384 group

Otherwise with newer FIPS providers P-256 is the first group
supported.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24763)

(cherry picked from commit 0da6d328d5f6d0fe0aca47a94bb55a9f2ed0628b)
---

diff --git a/test/sslapitest.c b/test/sslapitest.c
index 171298bd5b3..97cf0f3ef09 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -3938,7 +3938,7 @@ static int early_data_skip_helper(int testtype, int cipher, int idx)
         if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
             goto end;
 #else
-        if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
+        if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
             goto end;
 #endif
     } else if (idx == 2) {
@@ -5553,7 +5553,7 @@ static int test_tls13_psk(int idx)
     if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
         goto end;
 #else
-    if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
+    if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
         goto end;
 #endif