[nginx-tests] Tests: adjusted ECH tests to require OpenSSL 4.0.

Maxim Dounin mdounin at mdounin.ru
Sun Mar 22 13:37:47 UTC 2026 

details:   http://freenginx.org/hg/nginx-tests/rev/d7cbb4aa6548
branches:  
changeset: 2044:d7cbb4aa6548
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Sun Mar 15 15:06:03 2026 +0300
description:
Tests: adjusted ECH tests to require OpenSSL 4.0.

ECH support is in the OpenSSL master branch now, and available for testing
in OpenSSL 4.0 alpha 1.

diffstat:

 ssl_encrypted_hello.t |  25 +++++--------------------
 1 files changed, 5 insertions(+), 20 deletions(-)

diffs (69 lines):

diff --git a/ssl_encrypted_hello.t b/ssl_encrypted_hello.t
--- a/ssl_encrypted_hello.t
+++ b/ssl_encrypted_hello.t
@@ -187,7 +187,7 @@ SKIP: {
 skip 'no openssl client ech', 4
 	if `openssl s_client -help 2>&1` !~ /-ech_config_list/;
 
-# Tests with OpenSSL s_client from ECH feature branch
+# Tests with OpenSSL s_client with ECH support
 
 # Note that OpenSSL s_client prints confusing "ECH: BAD NAME: -102" status
 # when it is not able to verify server certificate.  To make sure proper
@@ -220,7 +220,7 @@ log_in($out);
 TODO: {
 local $TODO = 'OpenSSL too old'
 	if $t->has_module('OpenSSL') && !$t->has_module('BoringSSL')
-	&& !$t->has_feature('openssl:3.6.0');
+	&& !$t->has_feature('openssl:4.0.0');
 local $TODO = 'LibreSSL has no support yet'
 	if $t->has_module('LibreSSL');
 
@@ -251,23 +251,11 @@ like($out, qr/^ECH: NOT CONFIGURED.*secr
 # Tests with client certificate verification,
 # mostly to check if the $ssl_encrypted_hello variable is correct, notably
 # with failed client certificate verification.
-#
-# Currently fails with OpenSSL ECH feature branch on the server,
-# the error is as follows:
-#
-# ... [crit] ... SSL_do_handshake() failed (SSL: error:0A000100:SSL routines::
-# missing fatal)...
-#
-# This is expected to be fixed by
-# https://github.com/openssl/openssl/pull/28555.
 
 TODO: {
-local $TODO = 'OpenSSL broken verify'
-	if $t->has_module('OpenSSL') && !$t->has_module('BoringSSL')
-	&& $t->has_feature('openssl:3.6.0');
 local $TODO = 'OpenSSL too old'
 	if $t->has_module('OpenSSL') && !$t->has_module('BoringSSL')
-	&& !$t->has_feature('openssl:3.6.0');
+	&& !$t->has_feature('openssl:4.0.0');
 local $TODO = 'LibreSSL has no support yet'
 	if $t->has_module('LibreSSL');
 
@@ -335,7 +323,7 @@ log_in($out);
 TODO: {
 local $TODO = 'OpenSSL too old'
 	if $t->has_module('OpenSSL') && !$t->has_module('BoringSSL')
-	&& !$t->has_feature('openssl:3.6.0');
+	&& !$t->has_feature('openssl:4.0.0');
 local $TODO = 'LibreSSL has no support yet'
 	if $t->has_module('LibreSSL');
 
@@ -368,12 +356,9 @@ like($out, qr/Encrypted ClientHello: no.
 # with failed client certificate verification.
 
 TODO: {
-local $TODO = 'OpenSSL broken verify'
-	if $t->has_module('OpenSSL') && !$t->has_module('BoringSSL')
-	&& $t->has_feature('openssl:3.6.0');
 local $TODO = 'OpenSSL too old'
 	if $t->has_module('OpenSSL') && !$t->has_module('BoringSSL')
-	&& !$t->has_feature('openssl:3.6.0');
+	&& !$t->has_feature('openssl:4.0.0');
 local $TODO = 'LibreSSL has no support yet'
 	if $t->has_module('LibreSSL');

More information about the nginx-devel mailing list