From e56f195cd3b7b793ef3b6807d23b3c39aa3fb8cd Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 28 Jun 2024 16:08:39 +0200
Subject: [PATCH] To reliably trigger HRR we must use P-384 group

Otherwise with newer FIPS providers P-256 is the first group
supported.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24763)

(cherry picked from commit 0da6d328d5f6d0fe0aca47a94bb55a9f2ed0628b)
---
 test/sslapitest.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/sslapitest.c b/test/sslapitest.c
index 171298bd5b3..97cf0f3ef09 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -3938,7 +3938,7 @@ static int early_data_skip_helper(int testtype, int cipher, int idx)
         if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
             goto end;
 #else
-        if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
+        if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
             goto end;
 #endif
     } else if (idx == 2) {
@@ -5553,7 +5553,7 @@ static int test_tls13_psk(int idx)
     if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
         goto end;
 #else
-    if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
+    if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
         goto end;
 #endif
 
-- 
2.47.2