Tests: adjusted LibreSSL certificate selection TODO with TLSv1.3.

pluknet · pluknet · commit eaac6eb14f68 · 2024-10-16T05:40:51.000+04:00
LibreSSL 4.0 can select and send an RSA server certificate in TLSv1.3
without failing with "unknown pkey type" errors, when both RSA and ECC
certificates are loaded.

After certificate selection has occurred, it still always returns the
most recently added certificate by SSL_get_certificate(), which means
that OCSP stapling with multiple certificates remains broken here.
diff --git a/ssl_stapling.t b/ssl_stapling.t
@@ -288,7 +288,8 @@ ok(!staple(8449, 'ECDSA'), 'ocsp error');
 
 TODO: {
 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
-	if $t->has_module('LibreSSL') && test_tls13();
+	if $t->has_module('LibreSSL') && test_tls13()
+	and not $t->has_feature('libressl:4.0.0');
 
 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
 
diff --git a/stream_ssl_stapling.t b/stream_ssl_stapling.t
@@ -287,7 +287,8 @@ ok(!staple(8449, 'ECDSA'), 'ocsp error');
 
 TODO: {
 local $TODO = 'broken TLSv1.3 sigalgs in LibreSSL'
-	if $t->has_module('LibreSSL') && test_tls13();
+	if $t->has_module('LibreSSL') && test_tls13()
+	and not $t->has_feature('libressl:4.0.0');
 
 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
 
