This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.2.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 18a3f80a39a1d4ae06642effefd54edd59e6e8ce Author: Mo Chen <[email protected]> AuthorDate: Wed Jul 8 13:14:23 2026 -0500 tls_renegotiation autest: gate the detection-line check to OpenSSL (#13371) BoringSSL rejects a peer-initiated renegotiation inside the library before ATS's SSL info callback runs -- SSL_get_state() there only ever returns SSL_ST_INIT or SSL_ST_OK, never SSL_ST_RENEGOTIATE -- so the "trying to renegotiate from the client" line is never logged and the ContainsExpression fails on BoringSSL (Apache CI stays green because it runs OpenSSL). The crash-safety check still runs on every SSL library; only the detection-line assertion is now OpenSSL-only. (cherry picked from commit 7c4fc5b7305db97db99922f7d6fb9cce547abe21) --- tests/gold_tests/tls/tls_renegotiation.test.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/tests/gold_tests/tls/tls_renegotiation.test.py b/tests/gold_tests/tls/tls_renegotiation.test.py index a65979bb23..1e3b181d7f 100644 --- a/tests/gold_tests/tls/tls_renegotiation.test.py +++ b/tests/gold_tests/tls/tls_renegotiation.test.py @@ -80,10 +80,15 @@ class TestRenegotiationRefused: # The refused renegotiation must not abort the process. ts.Disk.traffic_out.Content = Testers.ExcludesExpression( "received signal|failed assertion", "ATS must refuse the renegotiation without crashing") - # ...and it must actually reach the renegotiation-detection path (otherwise - # a no-crash pass could mean the client never managed to renegotiate at all). - ts.Disk.traffic_out.Content += Testers.ContainsExpression( - "trying to renegotiate from the client", "ATS must detect the client-initiated renegotiation") + # ...and, on OpenSSL, it must actually reach ATS's renegotiation-detection + # path (otherwise a no-crash pass could mean the client never managed to + # renegotiate at all). BoringSSL rejects a peer-initiated renegotiation inside + # the library before ATS's info callback runs -- SSL_get_state() there only + # ever returns SSL_ST_INIT or SSL_ST_OK, never SSL_ST_RENEGOTIATE -- so the + # detection line is never logged. The no-crash check above still covers it. + if Condition.IsOpenSSL(): + ts.Disk.traffic_out.Content += Testers.ContainsExpression( + "trying to renegotiate from the client", "ATS must detect the client-initiated renegotiation") return ts def run(self) -> None:
