Copilot commented on code in PR #13198:
URL: https://github.com/apache/trafficserver/pull/13198#discussion_r3301047085
##########
tests/gold_tests/tls/tls_check_cert_select_plugin.test.py:
##########
@@ -170,7 +170,8 @@
tr.ReturnCode = 60
tr.StillRunningAfter = server
tr.StillRunningAfter = ts
-tr.Processes.Default.Streams.All = Testers.ContainsExpression("unknown CA",
"Failed handshake")
-tr.Processes.Default.Streams.All += Testers.ExcludesExpression("CN=bar.com",
"Cert should contain bar.com")
+tr.Processes.Default.Streams.All = Testers.ContainsExpression(r"curl: \(60\)
SSL certificate", "Failed certificate verification")
+# Older versions of curl do not print certificate subject details when
+# certificate verification fails.
tr.Processes.Default.Streams.All += Testers.ExcludesExpression("CN=foo.com",
"Cert should not contain foo.com")
tr.Processes.Default.Streams.All += Testers.ExcludesExpression("404", "Should
make an exchange")
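Review bot: The added comment about older curl sits directly above the `CN=foo.com` exclusion, yet it explains why the `CN=bar.com` check was dropped, so it reads as describing the wrong assertion. Reword it to say which check was removed and why. It should also note that on a curl that prints no subject details the `CN=foo.com` exclusion passes vacuously. That leaves `tr.ReturnCode = 60` and the `curl: \(60\) SSL certificate` match as the only effective checks in this run, and both signal a verification failure without identifying which certificate was served.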
Review Comment:
The "Test new version of bar cert with bad CA" run no longer asserts that
the presented certificate is for bar.com (it only checks curl(60) plus that
CN=foo.com is absent). This means the failure-path no longer actually verifies
certificate selection. Reintroduce a stable check that the handshake presented
the bar.com certificate (e.g., a CN/SAN match when available, potentially gated
on curl version if older curl doesn't print subjects on verify failures).