From 21b192e7995ffac2ac741367632059039e8268af Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Wed, 21 Jan 2026 16:40:21 +0100
Subject: [PATCH] REGTESTS: ssl: fix generate-certificates w/ LibreSSL
Since commit eb5279b15 ("BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes") the LibreSSL job does not seem to work anymore. Indeed the reg-tests was modified to add a SNI longer than 64 bytes, without any concern about the DNS standard, which allows only 63 bytes per label. LibreSSL is stricter than the other libraries about that, and checks that the SNI is compliant with the DNS RFC in the tlsext_sni_is_valid_hostname() function https://github.com/libressl/openbsd/blob/OPENBSD_7_8/src/lib/libssl/ssl_tlsext.c#L710 This patch fixes the issue by splitting the SNI with a second label to reach more than 64 bytes. Must be backported with eb5279b15 in every stable branches.
---
reg-tests/ssl/ssl_generate_certificate.vtc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reg-tests/ssl/ssl_generate_certificate.vtc b/reg-tests/ssl/ssl_generate_certificate.vtc
index 1f758f98a..53f81c780 100644
--- a/reg-tests/ssl/ssl_generate_certificate.vtc
+++ b/reg-tests/ssl/ssl_generate_certificate.vtc
@@ -150,7 +150,7 @@ client c5 -connect ${h1_clearlst_sock} {
 # Use another SNI - the server certificate should be generated and different
 # than the default one
 client c6 -connect ${h1_clearlst_sock} {
- txreq -url "/P-384" -hdr "x-sni: sni-longer-sni-longer-sni-longer-sni-longer-than-64-bytes-unknown-sni.com"
+ txreq -url "/P-384" -hdr "x-sni: sni-longer-sni-longer-sni-longer.sni-longer-than-64-bytes-unknown-sni.com"
 rxresp
 expect resp.status == 200
 expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"
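Review bot: The comment above client c6 still says only "Use another SNI" and does not record the two constraints the new x-sni value has to satisfy at once: a total length above 64 bytes (the case eb5279b15 was written for) and no single DNS label longer than 63 bytes (what LibreSSL's hostname validation enforces, per the commit message). Without that, a later edit could merge or shorten the labels and either stop exercising the long-SNI path or break the LibreSSL job again with no hint in the file as to why. I would add a line such as `# SNI must exceed 64 bytes in total while keeping each DNS label <= 63 bytes (LibreSSL rejects longer labels)` just above the txreq. The client c6 block continues past the end of the hunk, so whether the test also checks the names in the generated certificate is not visible here.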