From: Frederic Lecaille
Date: Thu, 30 Oct 2025 13:28:33 +0000 (+0100)
Subject: REGTEST: quic: add del_ssl_crt-list.vtc new QUIC test
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=097e75f6876557d3de21147510e0880c98f28325;p=thirdparty%2Fhaproxy.git

REGTEST: quic: add del_ssl_crt-list.vtc new QUIC test

This new reg test run exactly the same test as reg-test/ssl/del_ssl_crt-list.vtc but with QUIC connections.

Does not work with OpenSSL 3.5 with such errors:
debug|conn. @(nil) OpenSSL error[0xa0000ea] tls_early_post_process_client_hello: callback failed

Does not work with AWSLC with such errors;
debug|conn. @(nil) OpenSSL error[0x10000085] OPENSSL_internal: CONNECTION_REJECTED
---
diff --git a/reg-tests/quic/del_ssl_crt-list.vtc b/reg-tests/quic/del_ssl_crt-list.vtc
new file mode 100644
index 000000000..392ffb525
--- /dev/null
+++ b/reg-tests/quic/del_ssl_crt-list.vtc
@@ -0,0 +1,10 @@
+#REGTEST_TYPE=devel
+
+# Same test as ssl/del_ssl_crt-list.vtc, but with QUIC connections where applicable (only for TLSv3)
+
+varnishtest "Test the 'del ssl crt-list' feature of the CLI"
+
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) && !feature(OPENSSL_AWSLC) && openssl_version_before(3.5.0)'"
+
+setenv VTC_SOCK_TYPE quic
+include ${testdir}/../ssl/del_ssl_crt-list.vtc
diff --git a/reg-tests/quic/simple.crt-list b/reg-tests/quic/simple.crt-list
new file mode 120000
index 000000000..990cc47b0
--- /dev/null
+++ b/reg-tests/quic/simple.crt-list
@@ -0,0 +1 @@
+../ssl/simple.crt-list
\ No newline at end of file
diff --git a/reg-tests/ssl/del_ssl_crt-list.vtc b/reg-tests/ssl/del_ssl_crt-list.vtc
index df0a51a21..d325def79 100644
--- a/reg-tests/ssl/del_ssl_crt-list.vtc
+++ b/reg-tests/ssl/del_ssl_crt-list.vtc
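Review bot: The header comment `# Same test as ssl/del_ssl_crt-list.vtc, but with QUIC connections where applicable (only for TLSv3)` names a TLS version that does not exist; QUIC only runs over TLS 1.3, so it should read `(only for TLSv1.3)`. The `feature cmd` line excludes AWS-LC and OpenSSL 3.5+ without saying why, and the reason lives only in the commit message (`callback failed` / `CONNECTION_REJECTED` during the handshake), so a comment above it such as `# OpenSSL >= 3.5 and AWS-LC fail the QUIC handshake in this test, see the commit adding this file` would keep the guard from being silently dropped later. The included test also loads `${testdir}/localhost.crt-list`, and with `${testdir}` resolving to reg-tests/quic/ (as the `${testdir}/../ssl/` include path implies) this commit only adds the `simple.crt-list` symlink there; unless localhost.crt-list and the certificates both crt-lists reference already resolve from that directory, the second frontend will fail to load — worth confirming.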
@@ -18,8 +18,15 @@ server s1 -repeat 2 {
 txresp
 } -start
 
+setenv -ifunset VTC_SOCK_TYPE stream
+
 haproxy h1 -conf {
 global
+.if streq("$VTC_SOCK_TYPE",quic)
+# required for backend connections
+expose-experimental-directives
+.endif
+
 .if feature(THREAD)
 thread-groups 1
 .endif
@@ -32,6 +39,10 @@ haproxy h1 -conf {
 stats socket "${tmpdir}/h1/stats" level admin
 ssl-default-bind-options strict-sni
 
+#traces
+#trace quic sink stderr level developer start now
+#trace ssl sink stderr level developer verbosity complete start now
+
 defaults
 mode http
 option httplog
@@ -47,19 +58,19 @@ haproxy h1 -conf {
 bind "fd@${clearlst}"
 balance roundrobin
 http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]
-server s1 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record2.bug940.domain.tld)
-server s2 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record3.bug940.domain.tld)
-server s3 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record2.bug940.domain.tld)
+server s1 "${VTC_SOCK_TYPE}+${h1_ssl_addr}:${h1_ssl_port}" ssl verify none sni str(record2.bug940.domain.tld)
+server s2 "${VTC_SOCK_TYPE}+${h1_ssl_addr}:${h1_ssl_port}" ssl verify none sni str(record3.bug940.domain.tld)
+server s3 "${VTC_SOCK_TYPE}+${h1_ssl_addr}:${h1_ssl_port}" ssl verify none sni str(record2.bug940.domain.tld)
 
 listen first-ssl-fe
 # note: strict-sni is enforced from ssl-default-bind-options above
 mode http
-bind "${tmpdir}/first-ssl.sock" ssl crt-list ${testdir}/simple.crt-list
+bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt-list ${testdir}/simple.crt-list
 server s1 ${s1_addr}:${s1_port}
 
 listen second-ssl-fe
 mode http
-bind "${tmpdir}/second-ssl.sock" ssl no-strict-sni crt-list ${testdir}/localhost.crt-list
+bind "fd@${secondssl}" ssl no-strict-sni crt-list ${testdir}/localhost.crt-list
 server s1 ${s1_addr}:${s1_port}
 } -start
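Review bot: The comment `# required for backend connections` inside the new `.if streq("$VTC_SOCK_TYPE",quic)` block does not say what `expose-experimental-directives` is unlocking; the `server` lines changed further down in this diff switch to `${VTC_SOCK_TYPE}+` addresses, i.e. QUIC towards the backend, and that is the experimental feature the directive exposes. Suggest `# QUIC backend addresses (server ... quic+...) are experimental and need this directive`. Keeping the directive strictly inside the quic branch, as done here, is the right scoping since it relaxes a global configuration gate; the `haproxy h1 -conf {` block opened in this hunk continues past it.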
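Review bot: The four added lines `#traces`, `#trace quic sink stderr level developer start now` and `#trace ssl sink stderr level developer verbosity complete start now` are commented-out configuration left in a shared test file; either drop them or replace them with a single explanatory line such as `# debugging aid: uncomment a trace line below to dump QUIC/SSL traces to stderr`. If they are kept, note that the ssl trace at `verbosity complete` dumps handshake internals into the test output, so they should stay disabled by default. This hunk sits inside the `haproxy h1 -conf {` block, which starts and ends outside it.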
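Review bot: The first-ssl-fe bind is switched to `${VTC_SOCK_TYPE}+fd@${ssl}` and the three `server` lines to `${VTC_SOCK_TYPE}+${h1_ssl_addr}:${h1_ssl_port}`, but second-ssl-fe keeps a plain `fd@${secondssl}` (stream) bind with nothing in the file saying why only one frontend follows VTC_SOCK_TYPE. The quic wrapper's "where applicable" hints this is deliberate, so a comment on the second bind, e.g. `# kept on a stream socket: only first-ssl-fe exercises QUIC`, would make the asymmetry read as intentional rather than an oversight — adjust the wording if the reason is different. The `haproxy h1 -conf {` block starts outside this hunk and is closed by the `} -start` at its end.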