From ac009b7e7e5dcbb87ab2534a177ffab6b7f5f8e4 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Tue, 11 Jan 2022 17:29:24 +0100
Subject: [PATCH] REGTESTS: ssl: Fix ssl_errors regtest with OpenSSL 1.0.2

This test was broken with OpenSSL 1.0.2 after commit a996763619d (BUG/MINOR: ssl: Store client SNI in SSL context in case of ClientHello error) because it expected the default TLS version to be 1.3 in some cases (when it can't be the case with OpenSSL 1.0.2).

(cherry picked from commit aab8d255bc0fcbcc50884a4be4f69598ee08fe73)
Signed-off-by: Willy Tarreau
---
 reg-tests/ssl/ssl_errors.vtc | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/reg-tests/ssl/ssl_errors.vtc b/reg-tests/ssl/ssl_errors.vtc
index 6148a9d..b1c36ec 100644
--- a/reg-tests/ssl/ssl_errors.vtc
+++ b/reg-tests/ssl/ssl_errors.vtc
@@ -136,16 +136,19 @@ syslog Slg_bcknd -level info {
 
 syslog Slg_bcknd_fe -level info {
     # Client c13 - No error
+    # Depending on the version of OpenSSL, the TLS version and ciphersuite will change
     recv
-    expect ~ ".* Server/TLSv1.3/TLS_AES_256_GCM_SHA384"
+    expect ~ ".* Server/(TLSv1.3/TLS_AES_256_GCM_SHA384|TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384)"
 
     # Client c14 - Server certificate rejected
+    # Depending on the version of OpenSSL, the TLS version and ciphersuite will change
     recv
-    expect ~ ".* foo.com/TLSv1.3/TLS_AES_256_GCM_SHA384"
+    expect ~ ".* foo.com/(TLSv1.3/TLS_AES_256_GCM_SHA384|TLSv1.2/\\(NONE\\))"
 
     # Client c15 - Server certificate mismatch (verifyhost option on backend)
+    # Depending on the version of OpenSSL, the TLS version and ciphersuite will change
     recv
-    expect ~ ".* foo.com/TLSv1.3/TLS_AES_256_GCM_SHA384"
+    expect ~ ".* foo.com/(TLSv1.3/TLS_AES_256_GCM_SHA384|TLSv1.2/\\(NONE\\))"
 
     # Client c16 - Client certificate rejected
     recv
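Review bot: The three new `expect` alternations in this hunk (c13, c14, c15) accept either TLS version regardless of which OpenSSL the build links against, so a TLS 1.3-capable library that silently negotiated TLSv1.2 (or, for c14/c15, failed before a ciphersuite was chosen) would now pass where it used to fail. If the harness can detect the OpenSSL version, gating the two expectations on it would keep the original strictness; otherwise the loosening is worth stating in the comment so nobody later reads the alternation as intentional coverage of both paths. The repeated `# Depending on the version of OpenSSL, the TLS version and ciphersuite will change` is also imprecise for c14 and c15, whose TLSv1.2 branch matches `\\(NONE\\)` rather than a ciphersuite, presumably because the handshake is aborted before one is selected under OpenSSL 1.0.2; a comment that names which branch belongs to which library, e.g. `# OpenSSL 1.0.2: TLSv1.2 with no ciphersuite reported; newer OpenSSL: TLSv1.3/TLS_AES_256_GCM_SHA384`, would describe what the regex actually encodes. The same loosening applies to the c18 expectation in the next hunk.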
@@ -155,9 +158,11 @@ syslog Slg_bcknd_fe -level info {
     recv
     expect ~ ".* foo.com/TLSv1.2/\\(NONE\\)"
 
-    # Client c18 - Wrong ciphers TLSv1.3 - the client does not get to send its certificate because the error happens before
+    # Client c18
+    # With OpenSSL1.0.2 -Wrong ciphers TLSv1.2 (same as c17)
+    # With newer versions - Wrong ciphers TLSv1.3 - the client does not get to send its certificate because the error happens before
     recv
-    expect ~ ".* -/TLSv1.3/\\(NONE\\)"
+    expect ~ ".* (foo.com/TLSv1.2|-/TLSv1.3)/\\(NONE\\)"
 
 } -start
 
-- 
1.7.10.4
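Review bot: The first added comment line is formatted inconsistently with the one right after it: `# With OpenSSL1.0.2 -Wrong ciphers TLSv1.2 (same as c17)` is missing the space inside the version and after the dash, while the next line reads `# With newer versions - Wrong ciphers ...`; `# With OpenSSL 1.0.2 - Wrong ciphers TLSv1.2 (same as c17)` would match. The new regex `(foo.com/TLSv1.2|-/TLSv1.3)/\\(NONE\\)` deliberately pairs the first log field (which appears to be the client SNI, given the commit this fixes) with the TLS version in each alternative, and that pairing is the part worth explaining in the comment, since `-` versus `foo.com` is the actual difference from c17 rather than the ciphersuite, which is `(NONE)` in both branches. The enclosing `syslog Slg_bcknd_fe` block starts outside the hunk.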