[PATCH 2 of 2] Tests: adjusted TODOs for LibreSSL 4.0.0

Maxim Dounin mdounin at mdounin.ru
Sat Mar 8 01:49:41 UTC 2025


# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1741398262 -10800
#      Sat Mar 08 04:44:22 2025 +0300
# Node ID 00307a7f3cadcc3a1eb4f9446e779e8a093657c4
# Parent  a84cf984d25e61f759ebabe5f7fabb79d3653ac2
Tests: adjusted TODOs for LibreSSL 4.0.0.

Issue with signature algorithms in TLSv1.3 is fixed in LibreSSL 4.0.0
(https://github.com/libressl/portable/issues/1058), ssl_certificates.t
and ssl_stapling.t tests adjusted accordingly.

Note though that LibreSSL also fails to provide correct certificate
information when OCSP stapling is used with TLSv1.3 and multiple
certificates (https://github.com/libressl/portable/issues/1059), so
some tests in ssl_stapling.t are still failing even with the fix.

Additionally, sending alerts in QUIC is also fixed in LibreSSL 4.0.0,
as seen in the h3_ssl_reject_handshake.t test.

diff --git a/h3_ssl_reject_handshake.t b/h3_ssl_reject_handshake.t
--- a/h3_ssl_reject_handshake.t
+++ b/h3_ssl_reject_handshake.t
@@ -114,7 +114,9 @@ skip "OpenSSL too old", 3 if $got && $go
 # default virtual server rejected
 
 TODO: {
-local $TODO = 'broken send_alert in LibreSSL' if $t->has_module('LibreSSL');
+local $TODO = 'broken send_alert in LibreSSL'
+	if $t->has_module('LibreSSL')
+	and not $t->has_feature('libressl:4.0.0');
 
 is(bad('default', 8980), $alert, 'default rejected');
 is(bad(undef, 8980), $alert, 'absent sni rejected');
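Review bot: style inconsistency in the added condition: this file writes the version gate as "and not $t->has_feature('libressl:4.0.0')", while the ssl_certificates.t and ssl_stapling.t hunks of the same patch write it as "&& !$t->has_feature('libressl:4.0.0')". Both forms evaluate the same way here, but keeping a single form across the three files makes the gate easier to search for and avoids a precedence surprise if someone later extends the condition with "&&" or "||".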
@@ -132,7 +134,9 @@ like(get(undef, 8982), qr/200/, 'absent 
 like(get('virtual1', 8982), qr/virtual1/, 'virtual 1 accepted');
 
 TODO: {
-local $TODO = 'broken send_alert in LibreSSL' if $t->has_module('LibreSSL');
+local $TODO = 'broken send_alert in LibreSSL'
+	if $t->has_module('LibreSSL')
+	and not $t->has_feature('libressl:4.0.0');
 
 is(bad('virtual2', 8982), $alert, 'virtual 2 rejected');
 
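Review bot: the three added lines of this TODO condition repeat, character for character, the ones in the TODO block of the previous hunk, and the reason string 'broken send_alert in LibreSSL' no longer tells the reader that it applies only below 4.0.0. Consider evaluating the condition once into a variable and using it in both blocks, and naming the version bound in the reason string so that a TODO line in the test output is self-explanatory.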
diff --git a/ssl_certificates.t b/ssl_certificates.t
--- a/ssl_certificates.t
+++ b/ssl_certificates.t
@@ -96,7 +96,9 @@ foreach my $name ('ec', 'rsa') {
 
 TODO: {
 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
-	if $t->has_module('LibreSSL') && test_tls13();
+	if $t->has_module('LibreSSL')
+	&& !$t->has_feature('libressl:4.0.0')
+	&& test_tls13();
 
 like(cert('RSA'), qr/CN=rsa/, 'ssl cert RSA');
 
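Review bot: missing documentation next to the added "&& !$t->has_feature('libressl:4.0.0')" line: the commit message ties this gate to https://github.com/libressl/portable/issues/1058, but the test file itself gets no comment, so a later reader sees only a bare version number. A one-line comment above the TODO block naming that issue would keep the justification with the code. The unchanged reason string 'broken TLSv1.3 sigalgs in LibreSSL' could also state the version bound.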
diff --git a/ssl_stapling.t b/ssl_stapling.t
--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -298,6 +298,7 @@ ok(!staple(8449, 'ECDSA'), 'ocsp error')
 TODO: {
 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
 	if $t->has_module('LibreSSL')
+	&& !$t->has_feature('libressl:4.0.0')
 	&& !Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")
 	&& test_tls13();
 
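Review bot: the added "&& !$t->has_feature('libressl:4.0.0')" line switches this TODO off for LibreSSL 4.0.0, while the commit message says some tests in ssl_stapling.t still fail on that version because of https://github.com/libressl/portable/issues/1059. The hunk does not show which tests the block wraps, so please confirm that none of the still-failing ones are inside it; if any are, they turn into hard failures with this change. A separate TODO with its own reason string referring to issue 1059 would keep the two upstream problems distinguishable in the test output.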


