ssl: update test_verify_hostname_on_connect for LibreSSL

rhenium · rhenium · commit 187b176ecd73 · 2025-01-14T20:42:48.000+09:00
This reverts the change made to this test case in commit a0e98d4 (Enhance TLS 1.3 support on LibreSSL 3.2/3.3, 2020-12-03). Part of the test case was skipped on LibreSSL because LibreSSL 3.2.2 introduced a stricter check during creation of the extension. The check was then relaxed in LibreSSL 3.4.0.
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
@@ -1075,13 +1075,11 @@ def test_accept_errors_include_peeraddr
 
   def test_verify_hostname_on_connect
     ctx_proc = proc { |ctx|
-      san = "DNS:a.example.com,DNS:*.b.example.com"
-      san += ",DNS:c*.example.com,DNS:d.*.example.com" unless libressl?
       exts = [
         ["keyUsage", "keyEncipherment,digitalSignature", true],
-        ["subjectAltName", san],
+        ["subjectAltName", "DNS:a.example.com,DNS:*.b.example.com," \
+                           "DNS:c*.example.com,DNS:d.*.example.com"],
       ]
-
       ctx.cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key)
       ctx.key = @svr_key
     }
@@ -1103,7 +1101,6 @@ def test_verify_hostname_on_connect
         ["cx.example.com", true],
         ["d.x.example.com", false],
       ].each do |name, expected_ok|
-        next if name.start_with?('cx') if libressl?
         begin
           sock = TCPSocket.new("127.0.0.1", port)
           ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
