Hello,

Breaking behaviour was introduced on the LibreSSL side.
More details: https://github.com/libressl-portable/portable/issues/697

In short, currently the vtc expects 21, but some OpenSSL variants return 20:

X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE   = 21
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20

cheers,
Ilya
From 264fed1ab9bd799f6b492e3e25cbcd09365d74f6 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin <[email protected]>
Date: Sat, 4 Dec 2021 14:32:23 +0500
Subject: [PATCH] REGTESTS: ssl: use
 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY for cert check

LibreSSL 3.4.2 introduced a cert revocation check behaviour change: for some
checks, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20) is now returned.

Let us modify the vtc accordingly.
---
 reg-tests/ssl/new_del_ssl_cafile.vtc | 2 +-
 reg-tests/ssl/set_ssl_cafile.vtc     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/reg-tests/ssl/new_del_ssl_cafile.vtc b/reg-tests/ssl/new_del_ssl_cafile.vtc
index 166ba2c19..4b045715d 100644
--- a/reg-tests/ssl/new_del_ssl_cafile.vtc
+++ b/reg-tests/ssl/new_del_ssl_cafile.vtc
@@ -60,7 +60,7 @@ client c1 -connect ${h1_clearlst_sock} {
     rxresp
     expect resp.status == 200
     # The CA file known by the frontend does not allow to verify the client's certificate
-    expect resp.http.X-SSL-Client-Verify == 21
+    expect resp.http.X-SSL-Client-Verify ~ "20|21"
 } -run
 
 # This connection should fail because the with-ca.com sni is not mentioned in the crt-list yet.
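Review bot: the `~ "20|21"` regex on the new expect line is unanchored, so it also matches any header value that merely contains "20" or "21"; anchor it as `expect resp.http.X-SSL-Client-Verify ~ "^(20|21)$"` to keep the check exact. The comment above it still only says the CA file does not allow verification; add that 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) is what LibreSSL 3.4.2 returns here, so the next reader knows why two codes are accepted.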
diff --git a/reg-tests/ssl/set_ssl_cafile.vtc b/reg-tests/ssl/set_ssl_cafile.vtc
index 38ee91952..c9dbf7490 100644
--- a/reg-tests/ssl/set_ssl_cafile.vtc
+++ b/reg-tests/ssl/set_ssl_cafile.vtc
@@ -77,7 +77,7 @@ client c1 -connect ${h1_clearlst_sock} {
     rxresp
     expect resp.status == 200
     # unable to verify the client certificate
-    expect resp.http.X-SSL-Client-Verify == 21
+    expect resp.http.X-SSL-Client-Verify ~ "20|21"
 } -run
 
 # Set a new ca-file without committing it and check that the new ca-file is not taken into account
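Review bot: accepting either code weakens this check for OpenSSL builds, which previously had to return exactly 21 and would now pass with 20 as well; if the reg-test harness can distinguish the TLS library in use, a per-library expectation would keep the strict assertion. Otherwise the `# unable to verify the client certificate` comment should record that 20 is the LibreSSL 3.4.2 result, so the relaxation is not later mistaken for an OpenSSL behaviour.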
@@ -106,7 +106,7 @@ client c1 -connect ${h1_clearlst_sock} {
     rxresp
     expect resp.status == 200
     # unable to verify the client certificate
-    expect resp.http.X-SSL-Client-Verify == 21
+    expect resp.http.X-SSL-Client-Verify ~ "20|21"
 } -run
 
 haproxy h1 -cli {
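Review bot: this is the third identical `"20|21"` change in the patch and carries the same unanchored pattern; whatever form is chosen (`^(20|21)$` is the safe one), apply it consistently in all three places. The commit message only states that LibreSSL 3.4.2 changed behaviour; putting the libressl-portable issue link from the cover mail (https://github.com/libressl-portable/portable/issues/697) into the commit message would preserve the reason for accepting 20 in the git history.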
-- 
2.33.1
