From 57837f09fcff4bfeff710188c9598e53dc66e96e Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Fri, 28 Nov 2025 16:43:41 +0100
Subject: [PATCH] REGTESTS: quic: dynamic_server_ssl.vtc supported by QUIC

ssl/dynamic_server_ssl.vtc was rename to ssl/dynamic_server_ssl.vtci to produce a common part runnable both for QUIC and TCP connections. Then dynamic_server_ssl.vtc were created both under ssl and quic directories to call the .vtci file with correct VTC_SOCK_TYPE environment value. Note that VTC_SOCK_TYPE may be resolved in haproxy -cli { } sections.
---
 reg-tests/quic/dynamic_server_ssl.vtc | 13 +++
 reg-tests/ssl/dynamic_server_ssl.vtc | 111 +------------------------
 reg-tests/ssl/dynamic_server_ssl.vtci | 114 ++++++++++++++++++++++++++
 3 files changed, 129 insertions(+), 109 deletions(-)
 create mode 100644 reg-tests/quic/dynamic_server_ssl.vtc
 create mode 100644 reg-tests/ssl/dynamic_server_ssl.vtci

diff --git a/reg-tests/quic/dynamic_server_ssl.vtc b/reg-tests/quic/dynamic_server_ssl.vtc
new file mode 100644
index 000000000..a03e6cdc5
--- /dev/null
+++ b/reg-tests/quic/dynamic_server_ssl.vtc
@@ -0,0 +1,13 @@
+#REGTEST_TYPE=bug
+# Test if a certificate can be dynamically updated once a QUIC server which used it
+# was removed.
+#
+varnishtest "Delete server via cli and update certificates"
+
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.3-dev2)'"
+# QUIC backend are not supported with USE_QUIC_OPENSSL_COMPAT
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && !feature(QUIC_OPENSSL_COMPAT) && !feature(OPENSSL_WOLFSSL)'"
+
+setenv VTC_SOCK_TYPE quic
+include ${testdir}/../ssl/dynamic_server_ssl.vtci
+
diff --git a/reg-tests/ssl/dynamic_server_ssl.vtc b/reg-tests/ssl/dynamic_server_ssl.vtc
index 23b5605b4..37f15f172 100644
--- a/reg-tests/ssl/dynamic_server_ssl.vtc
+++ b/reg-tests/ssl/dynamic_server_ssl.vtc
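Review bot: The only `#REQUIRE_OPTIONS=OPENSSL` marker now lives inside the included ssl/dynamic_server_ssl.vtci, and the ssl/ wrapper in the next hunk drops its own copy; if the regtest runner collects `#REQUIRE_OPTIONS`/`#REGTEST_TYPE` markers only from the scheduled .vtc file and does not follow `include`, the stream variant would be selected on builds without OpenSSL and fail at configuration time instead of being skipped. Keeping `#REQUIRE_OPTIONS=OPENSSL` in both wrapper files (this one and reg-tests/ssl/dynamic_server_ssl.vtc) is cheap and removes the dependency on how includes are parsed. The comment `# QUIC backend are not supported with USE_QUIC_OPENSSL_COMPAT` documents only half of the check that follows it; widening it to `# QUIC backends are not supported with USE_QUIC_OPENSSL_COMPAT, and are also excluded with wolfSSL` tells the reader why `!feature(OPENSSL_WOLFSSL)` is part of the condition.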
@@ -4,113 +4,6 @@
 #
 varnishtest "Delete server via cli and update certificates"
 
-feature ignore_unknown_macro
-
-#REQUIRE_OPTIONS=OPENSSL
-feature cmd "command -v socat"
-
-# static server
-server s1 -repeat 3 {
- rxreq
- txresp \
- -body "resp from s1"
-} -start
-
-haproxy h1 -conf {
- global
- .if feature(THREAD)
- thread-groups 1
- .endif
-
- stats socket "${tmpdir}/h1/stats" level admin
-
- defaults
- mode http
- option httpclose
- timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
- timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
-
- frontend fe
- bind "fd@${feS}"
- default_backend test
-
- backend test
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
- server s2 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
- server s3 "${tmpdir}/ssl.sock" ssl verify none crt "${testdir}/certs/client1.pem"
-
-
- listen ssl-lst
- bind "${tmpdir}/ssl.sock" ssl crt "${testdir}/certs/common.pem"
- server s1 ${s1_addr}:${s1_port}
-
-} -start
-
-
-haproxy h1 -cli {
- send "show ssl cert ${testdir}/certs/client1.pem"
- expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
-}
-client c1 -connect ${h1_feS_sock} {
- txreq
- rxresp
- expect resp.body == "resp from s1"
-} -run
-
-haproxy h1 -cli {
- send "show ssl cert ${testdir}/certs/client1.pem"
- expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
-}
-
-## delete the servers
-haproxy h1 -cli {
- send "disable server test/s1"
- expect ~ ".*"
- send "disable server test/s2"
- expect ~ ".*"
- send "disable server test/s3"
- expect ~ ".*"
-
- # valid command
- send "del server test/s1"
- expect ~ "Server deleted."
- send "del server test/s2"
- expect ~ "Server deleted."
- send "del server test/s3"
- expect ~ "Server deleted."
-}
-
-# Replace certificate with an expired one
-shell {
- printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
- echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
-}
-
-haproxy h1 -cli {
- send "show ssl cert ${testdir}/certs/client1.pem"
- expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
-}
-
-haproxy h1 -cli {
- send "show ssl cert ${testdir}/certs/client1.pem"
- expect ~ ".*Status: Unused"
-}
-
-haproxy h1 -cli {
- send "add server test/s1 ${tmpdir}/ssl.sock ssl verify none crt ${testdir}/certs/client1.pem"
- expect ~ "New server registered."
- send "enable server test/s1"
- expect ~ ".*"
- send "show ssl cert ${testdir}/certs/client1.pem"
- expect ~ ".*Status: Used"
-}
-
-
-# check that servers are active
-client c1 -connect ${h1_feS_sock} {
- txreq
- rxresp
- expect resp.body == "resp from s1"
-} -run
+setenv VTC_SOCK_TYPE stream
+include ${testdir}/dynamic_server_ssl.vtci
 
diff --git a/reg-tests/ssl/dynamic_server_ssl.vtci b/reg-tests/ssl/dynamic_server_ssl.vtci
new file mode 100644
index 000000000..66ddd2834
--- /dev/null
+++ b/reg-tests/ssl/dynamic_server_ssl.vtci
@@ -0,0 +1,114 @@
+feature ignore_unknown_macro
+
+#REQUIRE_OPTIONS=OPENSSL
+feature cmd "command -v socat"
+
+# static server
+server s1 -repeat 3 {
+ rxreq
+ txresp \
+ -body "resp from s1"
+} -start
+
+haproxy h1 -conf {
+ global
+ .if streq("$VTC_SOCK_TYPE",quic)
+ # required for backend connections
+ expose-experimental-directives
+ .endif
+ .if feature(THREAD)
+ thread-groups 1
+ .endif
+
+ stats socket "${tmpdir}/h1/stats" level admin
+
+ defaults
+ mode http
+ option httpclose
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend fe
+ bind "fd@${feS}"
+ default_backend test
+
+ backend test
+ server s1 "${VTC_SOCK_TYPE}+${h1_ssl_lst_sock}" ssl verify none crt "${testdir}/certs/client1.pem"
+ server s2 "${VTC_SOCK_TYPE}+${h1_ssl_lst_sock}" ssl verify none crt "${testdir}/certs/client1.pem"
+ server s3 "${VTC_SOCK_TYPE}+${h1_ssl_lst_sock}" ssl verify none crt "${testdir}/certs/client1.pem"
+
+
+ listen ssl-lst
+ bind "${VTC_SOCK_TYPE}+fd@${ssl_lst}" ssl crt "${testdir}/certs/common.pem"
+ server s1 ${s1_addr}:${s1_port}
+
+} -start
+
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/certs/client1.pem"
+ expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
+}
+client c1 -connect ${h1_feS_sock} {
+ txreq
+ rxresp
+ expect resp.body == "resp from s1"
+} -run
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/certs/client1.pem"
+ expect ~ ".*SHA1 FingerPrint: D9C3BAE37EA5A7EDB7B3C9BDD4DCB2FE58A412E4"
+}
+
+## delete the servers
+haproxy h1 -cli {
+ send "disable server test/s1"
+ expect ~ ".*"
+ send "disable server test/s2"
+ expect ~ ".*"
+ send "disable server test/s3"
+ expect ~ ".*"
+
+ # valid command
+ send "del server test/s1"
+ expect ~ "Server deleted."
+ send "del server test/s2"
+ expect ~ "Server deleted."
+ send "del server test/s3"
+ expect ~ "Server deleted."
+}
+
+# Replace certificate with an expired one
+shell {
+ printf "set ssl cert ${testdir}/certs/client1.pem <<\n$(cat ${testdir}/certs/client2_expired.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/certs/client1.pem" | socat "${tmpdir}/h1/stats" -
+}
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/certs/client1.pem"
+ expect ~ ".*SHA1 FingerPrint: C625EB01A0A660294B9D7F44C5CEEE5AFC495BE4"
+}
+
+haproxy h1 -cli {
+ send "show ssl cert ${testdir}/certs/client1.pem"
+ expect ~ ".*Status: Unused"
+}
+
+haproxy h1 -cli {
+ send "add server test/s1 ${VTC_SOCK_TYPE}+${h1_ssl_lst_sock} ssl verify none crt ${testdir}/certs/client1.pem"
+ expect ~ "New server registered."
+ send "enable server test/s1"
+ expect ~ ".*"
+ send "show ssl cert ${testdir}/certs/client1.pem"
+ expect ~ ".*Status: Used"
+}
+
+
+# check that servers are active
+client c1 -connect ${h1_feS_sock} {
+ txreq
+ rxresp
+ expect resp.body == "resp from s1"
+} -run
+
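Review bot: The new include file carries no header describing its contract: nothing says which files include it, that `VTC_SOCK_TYPE` must be set by the includer, or which values are valid, even though an unset value leaves every `${VTC_SOCK_TYPE}+...` address in the `backend test` and `listen ssl-lst` sections malformed, and `feature ignore_unknown_macro` on the first line presumably keeps vtest from flagging that. Add a short comment block at the top stating that this is the common body of ssl/dynamic_server_ssl.vtc and quic/dynamic_server_ssl.vtc, that the including .vtc must `setenv VTC_SOCK_TYPE` to `stream` or `quic` before the `include`, and that the value is used as the address prefix of the ssl-lst bind and of the test/* servers (including the `add server` CLI command further down). The `# required for backend connections` comment inside the `.if streq(...)` block reads better as `# QUIC backend connections require expose-experimental-directives`, which also records why the directive is gated on the quic value only.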