Merge pull request #488 from jeremyevans/skip-san-wildcard-libressl

Skip optional wildcard SAN tests on LibreSSL 3.5.0+
ruby · Jan 5, 2022 · ee64d93 · ee64d93
2 parents bff4080 + 717d700
commit ee64d93
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
@@ -676,10 +676,16 @@ def test_post_connection_check_wildcard_san
     #     buzz.example.net, respectively).  ...
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:baz*.example.com'), 'baz1.example.com'))
+
+    # LibreSSL 3.5.0+ doesn't support other wildcard certificates
+    # (it isn't required to, as RFC states MAY, not MUST)
+    return if libressl?(3, 5, 0)
+
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com'))
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:b*z.example.com'), 'buzz.example.com'))
+
     # Section 6.4.3 of RFC6125 states that client should NOT match identifier
     # where wildcard is other than left-most label.
     #