Skip optional wildcard SAN tests on LibreSSL 3.5.0+

jeremyevans · jeremyevans · commit 717d7009d692 · 2022-01-04T11:35:17.000-08:00
RFC 6066 states how some wildcard SAN entries MAY be handled, but it does not say they MUST be handled. LibreSSL 3.5.0 only handles suffix wildcard SANs, not prefix wildcard SANs, or interior wildcard SANs, so return early from the wildcard SAN tests on LibreSSL 3.5.0. Fixes #471
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
@@ -676,10 +676,16 @@ def test_post_connection_check_wildcard_san
     #     buzz.example.net, respectively).  ...
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:baz*.example.com'), 'baz1.example.com'))
+
+    # LibreSSL 3.5.0+ doesn't support other wildcard certificates
+    # (it isn't required to, as RFC states MAY, not MUST)
+    return if libressl?(3, 5, 0)
+
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com'))
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:b*z.example.com'), 'buzz.example.com'))
+
     # Section 6.4.3 of RFC6125 states that client should NOT match identifier
     # where wildcard is other than left-most label.
     #
