REGTEST: quic: add del_ssl_crt-list.vtc new QUIC test

This new reg test run exactly the same test as reg-test/ssl/del_ssl_crt-list.vtc but with QUIC connections. Does not work with OpenSSL 3.5 with such errors: debug|conn. @(nil) OpenSSL error[0xa0000ea] tls_early_post_process_client_hello: callback failed Does not work with AWSLC with such errors; debug|conn. @(nil) OpenSSL error[0x10000085] OPENSSL_internal: CONNECTION_REJECTED
2025-11-30 23:30:59 +01:00 · 2025-10-30 14:28:33 +01:00 · 2025-10-30 14:28:33 +01:00 · 097e75f687
commit 097e75f687
parent 381eb2411a
3 changed files with 27 additions and 5 deletions
--- a/reg-tests/quic/del_ssl_crt-list.vtc
+++ b/reg-tests/quic/del_ssl_crt-list.vtc
@ -0,0 +1,10 @@
+#REGTEST_TYPE=devel
+
+# Same test as ssl/del_ssl_crt-list.vtc, but with QUIC connections where applicable (only for TLSv3)
+
+varnishtest "Test the 'del ssl crt-list' feature of the CLI"
+
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL) && !feature(OPENSSL_AWSLC) && openssl_version_before(3.5.0)'"
+
+setenv VTC_SOCK_TYPE quic
+include ${testdir}/../ssl/del_ssl_crt-list.vtc
--- a/reg-tests/quic/simple.crt-list
+++ b/reg-tests/quic/simple.crt-list
@ -0,0 +1 @@
+../ssl/simple.crt-list
--- a/reg-tests/ssl/del_ssl_crt-list.vtc
+++ b/reg-tests/ssl/del_ssl_crt-list.vtc
@ -18,8 +18,15 @@ server s1 -repeat 2 {
    txresp
 } -start

+setenv -ifunset VTC_SOCK_TYPE stream
+
 haproxy h1 -conf {
    global
+    .if streq("$VTC_SOCK_TYPE",quic)
+        # required for backend connections
+        expose-experimental-directives
+    .endif
+
    .if feature(THREAD)
        thread-groups 1
    .endif
@ -32,6 +39,10 @@ haproxy h1 -conf {
        stats socket "${tmpdir}/h1/stats" level admin
        ssl-default-bind-options strict-sni

+#traces
+#trace quic sink stderr level developer start now
+#trace ssl sink stderr level developer verbosity complete start now
+
    defaults
        mode http
        option httplog
@ -47,19 +58,19 @@ haproxy h1 -conf {
        bind "fd@${clearlst}"
        balance roundrobin
        http-response set-header X-SSL-Server-SHA1 %[ssl_s_sha1,hex]
-        server s1 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record2.bug940.domain.tld)
-        server s2 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record3.bug940.domain.tld)
-        server s3 "${tmpdir}/first-ssl.sock" ssl verify none sni str(record2.bug940.domain.tld)
+        server s1 "${VTC_SOCK_TYPE}+${h1_ssl_addr}:${h1_ssl_port}" ssl verify none sni str(record2.bug940.domain.tld)
+        server s2 "${VTC_SOCK_TYPE}+${h1_ssl_addr}:${h1_ssl_port}" ssl verify none sni str(record3.bug940.domain.tld)
+        server s3 "${VTC_SOCK_TYPE}+${h1_ssl_addr}:${h1_ssl_port}" ssl verify none sni str(record2.bug940.domain.tld)

    listen first-ssl-fe
        # note: strict-sni is enforced from ssl-default-bind-options above
        mode http
-        bind "${tmpdir}/first-ssl.sock" ssl crt-list ${testdir}/simple.crt-list
+        bind "${VTC_SOCK_TYPE}+fd@${ssl}" ssl crt-list ${testdir}/simple.crt-list
        server s1 ${s1_addr}:${s1_port}

    listen second-ssl-fe
        mode http
-        bind "${tmpdir}/second-ssl.sock" ssl no-strict-sni crt-list ${testdir}/localhost.crt-list
+        bind "fd@${secondssl}" ssl no-strict-sni crt-list ${testdir}/localhost.crt-list
        server s1 ${s1_addr}:${s1_port}
 } -start