From 717d7009d6926b1f076f6ac0178b3861ae6e20da Mon Sep 17 00:00:00 2001
From: Jeremy Evans <code@jeremyevans.net>
Date: Tue, 4 Jan 2022 11:32:11 -0800
Subject: [PATCH] Skip optional wildcard SAN tests on LibreSSL 3.5.0+

RFC 6066 states how some wildcard SAN entries MAY be handled, but
it does not say they MUST be handled.  LibreSSL 3.5.0 only handles
suffix wildcard SANs, not prefix wildcard SANs, or interior
wildcard SANs, so return early from the wildcard SAN tests on
LibreSSL 3.5.0.

Fixes #471
---
 test/openssl/test_ssl.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index a7607da07..39964bf49 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -676,10 +676,16 @@ def test_post_connection_check_wildcard_san
     #     buzz.example.net, respectively).  ...
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:baz*.example.com'), 'baz1.example.com'))
+
+    # LibreSSL 3.5.0+ doesn't support other wildcard certificates
+    # (it isn't required to, as RFC states MAY, not MUST)
+    return if libressl?(3, 5, 0)
+
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com'))
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:b*z.example.com'), 'buzz.example.com'))
+
     # Section 6.4.3 of RFC6125 states that client should NOT match identifier
     # where wildcard is other than left-most label.
     #