REGTESTS: ssl: fix generate-certificates w/ LibreSSL

Since commit eb5279b15 ("BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes") the LibreSSL job does not seem to work anymore. Indeed the reg-tests was modified to add a SNI longer than 64 bytes, without any concern about the DNS standard, which allows only 63 bytes per label. LibreSSL is stricter than the other libraries about that, and checks that the SNI is compliant with the DNS RFC in the tlsext_sni_is_valid_hostname() function https://github.com/libressl/openbsd/blob/OPENBSD_7_8/src/lib/libssl/ssl_tlsext.c#L710 This patch fixes the issue by splitting the SNI with a second label to reach more than 64 bytes. Must be backported with eb5279b15 in every stable branches.
2026-02-03 20:39:41 -05:00 · 2026-01-21 16:40:21 +01:00 · 2026-01-21 16:40:21 +01:00 · 21b192e799
commit 21b192e799
parent c7004be964
1 changed files with 1 additions and 1 deletions
--- a/reg-tests/ssl/ssl_generate_certificate.vtc
+++ b/reg-tests/ssl/ssl_generate_certificate.vtc
@ -150,7 +150,7 @@ client c5 -connect ${h1_clearlst_sock} {
 # Use another SNI - the server certificate should be generated and different
 # than the default one
 client c6 -connect ${h1_clearlst_sock} {
-  txreq -url "/P-384" -hdr "x-sni: sni-longer-sni-longer-sni-longer-sni-longer-than-64-bytes-unknown-sni.com"
+  txreq -url "/P-384" -hdr "x-sni: sni-longer-sni-longer-sni-longer.sni-longer-than-64-bytes-unknown-sni.com"
  rxresp
  expect resp.status == 200
  expect resp.http.x-ssl-sig_alg == "ecdsa-with-SHA256"