From fc1126610b78130595533bc1b05216f7e60e7ec8 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin
Date: Sat, 4 Dec 2021 14:32:23 +0500
Subject: [PATCH] REGTESTS: ssl: use X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY for cert check LibreSSL-3.4.2 introduced cert revocation check behaviour change, for some checks now X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (20) is returned. https://github.com/libressl-portable/portable/issues/697 let us modify vtc accordingly
---
 reg-tests/ssl/new_del_ssl_cafile.vtc | 2 +-
 reg-tests/ssl/set_ssl_cafile.vtc | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/reg-tests/ssl/new_del_ssl_cafile.vtc b/reg-tests/ssl/new_del_ssl_cafile.vtc
index 166ba2c19c..4b045715d2 100644
--- a/reg-tests/ssl/new_del_ssl_cafile.vtc
+++ b/reg-tests/ssl/new_del_ssl_cafile.vtc
@@ -60,7 +60,7 @@ client c1 -connect ${h1_clearlst_sock} {
 rxresp
 expect resp.status == 200
 # The CA file known by the frontend does not allow to verify the client's certificate
- expect resp.http.X-SSL-Client-Verify == 21
+ expect resp.http.X-SSL-Client-Verify ~ "20|21"
 } -run
 # This connection should fail because the with-ca.com sni is not mentioned in the crt-list yet.
diff --git a/reg-tests/ssl/set_ssl_cafile.vtc b/reg-tests/ssl/set_ssl_cafile.vtc
index 38ee91952f..c9dbf7490e 100644
--- a/reg-tests/ssl/set_ssl_cafile.vtc
+++ b/reg-tests/ssl/set_ssl_cafile.vtc
@@ -77,7 +77,7 @@ client c1 -connect ${h1_clearlst_sock} {
 rxresp
 expect resp.status == 200
 # unable to verify the client certificate
- expect resp.http.X-SSL-Client-Verify == 21
+ expect resp.http.X-SSL-Client-Verify ~ "20|21"
 } -run
 # Set a new ca-file without committing it and check that the new ca-file is not taken into account
@@ -106,7 +106,7 @@ client c1 -connect ${h1_clearlst_sock} {
 rxresp
 expect resp.status == 200
 # unable to verify the client certificate
- expect resp.http.X-SSL-Client-Verify == 21
+ expect resp.http.X-SSL-Client-Verify ~ "20|21"
 } -run
 haproxy h1 -cli {
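Review bot: The relaxed assertion `expect resp.http.X-SSL-Client-Verify ~ "20|21"` (the hunk at line 60 of new_del_ssl_cafile.vtc, and both hunks in set_ssl_cafile.vtc) is, as far as I can tell, an unanchored regex match, so any header value that merely contains `20` or `21` passes and the test no longer pins the verify result to exactly those two codes. Anchoring it keeps the check as strict as the old `== 21` while still accepting the LibreSSL result: `expect resp.http.X-SSL-Client-Verify ~ "^(20|21)$"`. The comment above each expect could also say why two values are accepted, e.g. `# 21 normally, 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) since LibreSSL 3.4.2`. Each `client c1` block starts before its hunk, so the request side of these checks was not reviewed.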