This is an automated email from the ASF dual-hosted git repository.
moonchen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 7c4fc5b730 tls_renegotiation autest: gate the detection-line check to
OpenSSL (#13371)
7c4fc5b730 is described below
commit 7c4fc5b7305db97db99922f7d6fb9cce547abe21
Author: Mo Chen <[email protected]>
AuthorDate: Wed Jul 8 13:14:23 2026 -0500
tls_renegotiation autest: gate the detection-line check to OpenSSL (#13371)
BoringSSL rejects a peer-initiated renegotiation inside the library
before ATS's SSL info callback runs -- SSL_get_state() there only ever
returns SSL_ST_INIT or SSL_ST_OK, never SSL_ST_RENEGOTIATE -- so the
"trying to renegotiate from the client" line is never logged and the
ContainsExpression fails on BoringSSL (Apache CI stays green because it
runs OpenSSL). The crash-safety check still runs on every SSL library;
only the detection-line assertion is now OpenSSL-only.
---
tests/gold_tests/tls/tls_renegotiation.test.py | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/tests/gold_tests/tls/tls_renegotiation.test.py
b/tests/gold_tests/tls/tls_renegotiation.test.py
index 70fecc14df..10d6c9db1e 100644
--- a/tests/gold_tests/tls/tls_renegotiation.test.py
+++ b/tests/gold_tests/tls/tls_renegotiation.test.py
@@ -86,10 +86,15 @@ ssl_multicert:
# The refused renegotiation must not abort the process.
ts.Disk.traffic_out.Content = Testers.ExcludesExpression(
"received signal|failed assertion", "ATS must refuse the
renegotiation without crashing")
- # ...and it must actually reach the renegotiation-detection path
(otherwise
- # a no-crash pass could mean the client never managed to renegotiate
at all).
- ts.Disk.traffic_out.Content += Testers.ContainsExpression(
- "trying to renegotiate from the client", "ATS must detect the
client-initiated renegotiation")
+ # ...and, on OpenSSL, it must actually reach ATS's
renegotiation-detection
+ # path (otherwise a no-crash pass could mean the client never managed
to
+ # renegotiate at all). BoringSSL rejects a peer-initiated
renegotiation inside
+ # the library before ATS's info callback runs -- SSL_get_state() there
only
+ # ever returns SSL_ST_INIT or SSL_ST_OK, never SSL_ST_RENEGOTIATE --
so the
+ # detection line is never logged. The no-crash check above still
covers it.
+ if Condition.IsOpenSSL():
+ ts.Disk.traffic_out.Content += Testers.ContainsExpression(
+ "trying to renegotiate from the client", "ATS must detect the
client-initiated renegotiation")
return ts
def run(self) -> None: