tests(integ): fix nondeterministic ocsp test shutdown behavior (#5340)

lrstewart · web-flow · commit faba649abc02 · 2025-05-30T19:42:10.000Z
diff --git a/tests/integrationv2/test_ocsp.py b/tests/integrationv2/test_ocsp.py
@@ -17,15 +17,13 @@
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("provider", [S2N, OpenSSL, GnuTLS], ids=get_parameter_name)
-@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", OCSP_CERTS, ids=get_parameter_name)
 def test_s2n_client_ocsp_response(
     managed_process,  # noqa: F811
     cipher,
     provider,
-    other_provider,
     curve,
     protocol,
     certificate,
@@ -62,9 +60,18 @@ def test_s2n_client_ocsp_response(
     )
 
     kill_marker = None
-
     if provider == GnuTLS:
-        kill_marker = random_bytes
+        # The gnutls-serv process will never exit on its own, so should be killed
+        # to avoid a long timeout. However, we must NOT kill it until it sends
+        # the close_notify that the s2n-tls client expects. The only good signal
+        # for this is a debug message indicating that the alert was sent.
+        #
+        # The full debug message is something like:
+        # "Sent Packet[4] Alert(21) in epoch 2 and length: 24"
+        # but the packet number and epoch can vary. We are therefore forced to
+        # only match on a very narrow substring, which could prove brittle.
+        kill_marker = b"Alert(21) in epoch"
+        server_options.extra_flags = ["-d", "5"]
 
     server = managed_process(
         provider, server_options, timeout=30, kill_marker=kill_marker
@@ -87,15 +94,13 @@ def test_s2n_client_ocsp_response(
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("provider", [GnuTLS, OpenSSL], ids=get_parameter_name)
-@pytest.mark.parametrize("other_provider", [S2N])
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", OCSP_CERTS, ids=get_parameter_name)
 def test_s2n_server_ocsp_response(
     managed_process,  # noqa: F811
     cipher,
     provider,
-    other_provider,
     curve,
     protocol,
     certificate,
@@ -129,20 +134,11 @@ def test_s2n_server_ocsp_response(
         }.get(certificate.algorithm),
     )
 
-    kill_marker = None
-    if provider == GnuTLS:
-        # The GnuTLS client hangs for a while after sending. Speed up the tests by killing
-        # it immediately after sending the message.
-        kill_marker = b"Sent: "
-
     server = managed_process(S2N, server_options, timeout=90)
-    client = managed_process(
-        provider, client_options, timeout=90, kill_marker=kill_marker
-    )
+    client = managed_process(provider, client_options, timeout=90)
 
     for client_results in client.get_results():
         client_results.assert_success()
-
         assert any(
             [
                 {
