MEDIUM: ssl: {ca,crt}-ignore-err can now use error constant name The ca-ignore-err and crt-ignore-err directives are now able to use the openssl X509_V_ERR constant names instead of the numerical values. This allow a configuration to survive an OpenSSL upgrade, because the numerical ID can change between versions. For example X509_V_ERR_INVALID_CA was 24 in OpenSSL 1 and is 79 in OpenSSL 3. The list of errors must be updated when a new major OpenSSL version is released.

commit: 960fb74cae15cf00030fda22836284989fe5a1c0 [log] [tgz]
author: William Lallemand <wlallemand@haproxy.org> Thu Nov 03 16:31:50 2022 +0100
committer: William Lallemand <wlallemand@haproxy.org> Thu Nov 10 13:28:37 2022 +0100
tree: 0fb27bdeccbf9c419095cefec3a3ae4f0ffc757a
parent: 9b25982716f0416c28f8fc894c58eb40885cf9e5 [diff]
diff --git a/reg-tests/ssl/ssl_client_auth.vtc b/reg-tests/ssl/ssl_client_auth.vtc
index 0278ec0..b8107d4 100644
--- a/reg-tests/ssl/ssl_client_auth.vtc
+++ b/reg-tests/ssl/ssl_client_auth.vtc

@@ -48,7 +48,7 @@
         # crt: certificate of the server
         # ca-file: CA used for client authentication request
         # crl-file: revocation list for client auth: the client1 certificate is revoked
-        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err all crl-file ${testdir}/crl-auth.pem
+        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ${testdir}/ca-auth.crt verify optional crt-ignore-err X509_V_ERR_CERT_REVOKED,X509_V_ERR_CERT_HAS_EXPIRED crl-file ${testdir}/crl-auth.pem
 
         acl cert_expired ssl_c_verify 10
         acl cert_revoked ssl_c_verify 23
commit	960fb74cae15cf00030fda22836284989fe5a1c0	[log] [tgz]
author	William Lallemand <wlallemand@haproxy.org>	Thu Nov 03 16:31:50 2022 +0100
committer	William Lallemand <wlallemand@haproxy.org>	Thu Nov 10 13:28:37 2022 +0100
tree	0fb27bdeccbf9c419095cefec3a3ae4f0ffc757a
parent	9b25982716f0416c28f8fc894c58eb40885cf9e5 [diff]