From aab8d255bc0fcbcc50884a4be4f69598ee08fe73 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Tue, 11 Jan 2022 17:29:24 +0100
Subject: [PATCH] REGTESTS: ssl: Fix ssl_errors regtest with OpenSSL 1.0.2

This test was broken with OpenSSL 1.0.2 after commit a996763619d (BUG/MINOR: ssl: Store client SNI in SSL context in case of ClientHello error) because it expected the default TLS version to be 1.3 in some cases (when it can't be the case with OpenSSL 1.0.2).
---
 reg-tests/ssl/ssl_errors.vtc | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/reg-tests/ssl/ssl_errors.vtc b/reg-tests/ssl/ssl_errors.vtc
index 6148a9dee..b1c36ec50 100644
--- a/reg-tests/ssl/ssl_errors.vtc
+++ b/reg-tests/ssl/ssl_errors.vtc
@@ -136,16 +136,19 @@ syslog Slg_bcknd -level info {
 syslog Slg_bcknd_fe -level info {
 # Client c13 - No error
+ # Depending on the version of OpenSSL, the TLS version and ciphersuite will change
 recv
- expect ~ ".* Server/TLSv1.3/TLS_AES_256_GCM_SHA384"
+ expect ~ ".* Server/(TLSv1.3/TLS_AES_256_GCM_SHA384|TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384)"
 # Client c14 - Server certificate rejected
+ # Depending on the version of OpenSSL, the TLS version and ciphersuite will change
 recv
- expect ~ ".* foo.com/TLSv1.3/TLS_AES_256_GCM_SHA384"
+ expect ~ ".* foo.com/(TLSv1.3/TLS_AES_256_GCM_SHA384|TLSv1.2/\\(NONE\\))"
 # Client c15 - Server certificate mismatch (verifyhost option on backend)
+ # Depending on the version of OpenSSL, the TLS version and ciphersuite will change
 recv
- expect ~ ".* foo.com/TLSv1.3/TLS_AES_256_GCM_SHA384"
+ expect ~ ".* foo.com/(TLSv1.3/TLS_AES_256_GCM_SHA384|TLSv1.2/\\(NONE\\))"
 # Client c16 - Client certificate rejected
 recv
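Review bot: The widened patterns for c13, c14 and c15 accept either alternative on every build, so on an OpenSSL with TLS 1.3 support a connection that unexpectedly falls back to TLSv1.2 would now pass where the old pattern failed the test. The added comment does not say which alternative belongs to which library; a line such as `# OpenSSL 1.0.2: TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 - newer versions: TLSv1.3/TLS_AES_256_GCM_SHA384` above each `expect` would make a surprising match easier to spot. If the stricter check is worth keeping, the expectations could be split by library version so that each build asserts exactly one protocol; whether the harness allows that inside this syslog block is not visible here. The same applies to the c18 pattern in the next hunk, and the `Slg_bcknd_fe` block continues past the end of this hunk.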
@@ -155,9 +158,11 @@ syslog Slg_bcknd_fe -level info {
 recv
 expect ~ ".* foo.com/TLSv1.2/\\(NONE\\)"
- # Client c18 - Wrong ciphers TLSv1.3 - the client does not get to send its certificate because the error happens before
+ # Client c18
+ # With OpenSSL1.0.2 -Wrong ciphers TLSv1.2 (same as c17)
+ # With newer versions - Wrong ciphers TLSv1.3 - the client does not get to send its certificate because the error happens before
 recv
- expect ~ ".* -/TLSv1.3/\\(NONE\\)"
+ expect ~ ".* (foo.com/TLSv1.2|-/TLSv1.3)/\\(NONE\\)"
 } -start