This is an automated email from the ASF dual-hosted git repository.

moonchen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 7c4fc5b730 tls_renegotiation autest: gate the detection-line check to 
OpenSSL (#13371)
7c4fc5b730 is described below

commit 7c4fc5b7305db97db99922f7d6fb9cce547abe21
Author: Mo Chen <[email protected]>
AuthorDate: Wed Jul 8 13:14:23 2026 -0500

    tls_renegotiation autest: gate the detection-line check to OpenSSL (#13371)
    
    BoringSSL rejects a peer-initiated renegotiation inside the library
    before ATS's SSL info callback runs -- SSL_get_state() there only ever
    returns SSL_ST_INIT or SSL_ST_OK, never SSL_ST_RENEGOTIATE -- so the
    "trying to renegotiate from the client" line is never logged and the
    ContainsExpression fails on BoringSSL (Apache CI stays green because it
    runs OpenSSL). The crash-safety check still runs on every SSL library;
    only the detection-line assertion is now OpenSSL-only.
---
 tests/gold_tests/tls/tls_renegotiation.test.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/tests/gold_tests/tls/tls_renegotiation.test.py 
b/tests/gold_tests/tls/tls_renegotiation.test.py
index 70fecc14df..10d6c9db1e 100644
--- a/tests/gold_tests/tls/tls_renegotiation.test.py
+++ b/tests/gold_tests/tls/tls_renegotiation.test.py
@@ -86,10 +86,15 @@ ssl_multicert:
         # The refused renegotiation must not abort the process.
         ts.Disk.traffic_out.Content = Testers.ExcludesExpression(
             "received signal|failed assertion", "ATS must refuse the 
renegotiation without crashing")
-        # ...and it must actually reach the renegotiation-detection path 
(otherwise
-        # a no-crash pass could mean the client never managed to renegotiate 
at all).
-        ts.Disk.traffic_out.Content += Testers.ContainsExpression(
-            "trying to renegotiate from the client", "ATS must detect the 
client-initiated renegotiation")
+        # ...and, on OpenSSL, it must actually reach ATS's 
renegotiation-detection
+        # path (otherwise a no-crash pass could mean the client never managed 
to
+        # renegotiate at all). BoringSSL rejects a peer-initiated 
renegotiation inside
+        # the library before ATS's info callback runs -- SSL_get_state() there 
only
+        # ever returns SSL_ST_INIT or SSL_ST_OK, never SSL_ST_RENEGOTIATE -- 
so the
+        # detection line is never logged. The no-crash check above still 
covers it.
+        if Condition.IsOpenSSL():
+            ts.Disk.traffic_out.Content += Testers.ContainsExpression(
+                "trying to renegotiate from the client", "ATS must detect the 
client-initiated renegotiation")
         return ts
 
     def run(self) -> None:

Reply via email to