From 0b4324a048143513a28533a6a9e6bb2d8def81e1 Mon Sep 17 00:00:00 2001 From: Bryan Call Date: Wed, 4 Feb 2026 07:07:13 -0800 Subject: [PATCH 1/6] Fix autest compatibility with Fedora 43 / Python 3.14 This commit addresses multiple compatibility issues that cause autests to fail on modern systems like Fedora 43 with Python 3.14 and OpenSSL 3.x: Python 3.14 compatibility: - Fix kwargs.iteritems() -> kwargs.items() in microserver.test.ext - Add missing 'os' import in microserver.test.ext and conditions.test.ext - Add explicit UTF-8 encoding to socket decode() calls - Replace deprecated socket.error with OSError in ports.py - Add socket timeout to prevent recv() from hanging indefinitely TLS protocol deprecation: - Add HasLegacyTLSSupport() condition to detect TLSv1.0/TLSv1.1 support - Skip tls_client_versions tests on systems without legacy TLS support - Modern OpenSSL 3.x disables TLSv1.0/TLSv1.1 by default Timing improvements: - Increase sleep duration in polite_hook_wait.cc from 200ms to 500ms to account for variable scheduling latency on different systems --- .../autest-site/conditions.test.ext | 24 ++++++++++++++++++ .../autest-site/microserver.test.ext | 25 ++++++++++++------- tests/gold_tests/autest-site/ports.py | 2 +- .../polite_hook_wait/polite_hook_wait.cc | 3 ++- .../tls/tls_client_versions.test.py | 4 +++ .../tls/tls_client_versions_minmax.test.py | 4 +++ 6 files changed, 51 insertions(+), 11 deletions(-) diff --git a/tests/gold_tests/autest-site/conditions.test.ext b/tests/gold_tests/autest-site/conditions.test.ext index ed2656a32c7..bb7bb3ea36c 100644 --- a/tests/gold_tests/autest-site/conditions.test.ext +++ b/tests/gold_tests/autest-site/conditions.test.ext @@ -16,6 +16,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +import os import subprocess import json import re @@ -51,6 +52,28 @@ def IsOpenSSL(self): "SSL library is not OpenSSL") +def HasLegacyTLSSupport(self): + """Check if the system supports legacy TLS protocols (TLSv1.0 and TLSv1.1). + + Modern OpenSSL 3.x installations often disable these protocols entirely. + This condition checks if curl can use the --tlsv1 flag, which indicates + TLSv1.0 support is available. + """ + def check_tls1_support(): + try: + # Check if openssl supports TLSv1 + result = subprocess.run( + ['openssl', 'ciphers', '-v', '-tls1'], + capture_output=True, text=True + ) + # If the command succeeds and returns ciphers, TLSv1 is supported + return result.returncode == 0 and len(result.stdout.strip()) > 0 + except Exception: + return False + + return self.Condition(check_tls1_support, "System does not support legacy TLS protocols (TLSv1.0/TLSv1.1)") + + def HasCurlVersion(self, version): return self.EnsureVersion(["curl", "--version"], min_version=version) @@ -118,6 +141,7 @@ ExtendCondition(HasOpenSSLVersion) ExtendCondition(HasProxyVerifierVersion) ExtendCondition(IsBoringSSL) ExtendCondition(IsOpenSSL) +ExtendCondition(HasLegacyTLSSupport) ExtendCondition(HasATSFeature) ExtendCondition(HasCurlVersion) ExtendCondition(HasCurlFeature) diff --git a/tests/gold_tests/autest-site/microserver.test.ext b/tests/gold_tests/autest-site/microserver.test.ext index e15547ff18d..70c734f42db 100644 --- a/tests/gold_tests/autest-site/microserver.test.ext +++ b/tests/gold_tests/autest-site/microserver.test.ext @@ -17,6 +17,7 @@ # limitations under the License. import json +import os import socket import ssl @@ -109,7 +110,7 @@ def addSessionFromFiles(self, session_dir): # make headers with the key and values provided def makeHeader(self, requestString, **kwargs): headerStr = requestString + '\r\n' - for k, v in kwargs.iteritems(): + for k, v in kwargs.items(): headerStr += k + ': ' + v + '\r\n' headerStr = headerStr + '\r\n' return headerStr @@ -142,14 +143,20 @@ def uServerUpAndRunning(serverHost, port, isSsl, isIPv6, request, clientcert='', sock.sendall(request.encode()) decoded_output = '' - while True: - host.WriteDebug("??") - output = sock.recv(4096) # suggested bufsize from docs.python.org - host.WriteDebug("!!") - if len(output) <= 0: - break - else: - decoded_output += output.decode() + sock.settimeout(10.0) # 10 second timeout for recv + try: + while True: + host.WriteDebug("??") + output = sock.recv(4096) # suggested bufsize from docs.python.org + host.WriteDebug("!!") + if len(output) <= 0: + break + else: + decoded_output += output.decode('utf-8', errors='replace') + except socket.timeout: + host.WriteDebug(['uServerUpAndRunning', 'when'], "Socket timeout waiting for response") + sock.close() + return False sock.close() sock = None diff --git a/tests/gold_tests/autest-site/ports.py b/tests/gold_tests/autest-site/ports.py index bc4de3c1e32..0b1c7c8d6b6 100644 --- a/tests/gold_tests/autest-site/ports.py +++ b/tests/gold_tests/autest-site/ports.py @@ -74,7 +74,7 @@ def PortOpen(port: int, address: str = None, listening_ports: Set[int] = None) - host.WriteDebug( 'PortOpen', f"Connection to port {port} succeeded, the port is open, " "and a future connection cannot use it") - except socket.error: + except OSError: host.WriteDebug( 'PortOpen', f"socket error for port {port}, port is closed, " "and therefore a future connection can use it") diff --git a/tests/gold_tests/pluginTest/polite_hook_wait/polite_hook_wait.cc b/tests/gold_tests/pluginTest/polite_hook_wait/polite_hook_wait.cc index 1e071a0dfcb..3642bdbac08 100644 --- a/tests/gold_tests/pluginTest/polite_hook_wait/polite_hook_wait.cc +++ b/tests/gold_tests/pluginTest/polite_hook_wait/polite_hook_wait.cc @@ -202,8 +202,9 @@ Blocking_action::_thread_func(void *vba) ba->_cont_mutex_locked.store(true, std::memory_order_release); // This is a stand-in for some blocking call to validate the HTTP request in some way. + // Use a longer delay to account for slower systems and variable scheduling latency. // - std::this_thread::sleep_for(std::chrono::milliseconds(200)); + std::this_thread::sleep_for(std::chrono::milliseconds(500)); // Pass "validation" for first transaction, fail it for second. // diff --git a/tests/gold_tests/tls/tls_client_versions.test.py b/tests/gold_tests/tls/tls_client_versions.test.py index fcd53c265e4..89a8fd5664f 100644 --- a/tests/gold_tests/tls/tls_client_versions.test.py +++ b/tests/gold_tests/tls/tls_client_versions.test.py @@ -24,6 +24,10 @@ # for special domain foo.com only offer TLSv1 and TLSv1_1 Test.SkipUnless(Condition.HasOpenSSLVersion("1.1.1")) +Test.SkipUnless( + Condition.HasLegacyTLSSupport(), + "This test requires TLSv1.0/TLSv1.1 support which is disabled on modern systems" +) # Define default ATS ts = Test.MakeATSProcess("ts", enable_tls=True) diff --git a/tests/gold_tests/tls/tls_client_versions_minmax.test.py b/tests/gold_tests/tls/tls_client_versions_minmax.test.py index 2ea78535803..d4e6ddc33fa 100644 --- a/tests/gold_tests/tls/tls_client_versions_minmax.test.py +++ b/tests/gold_tests/tls/tls_client_versions_minmax.test.py @@ -24,6 +24,10 @@ # for special domain foo.com only offer TLSv1 and TLSv1_1 Test.SkipUnless(Condition.HasOpenSSLVersion("1.1.1")) +Test.SkipUnless( + Condition.HasLegacyTLSSupport(), + "This test requires TLSv1.0/TLSv1.1 support which is disabled on modern systems" +) # Define default ATS ts = Test.MakeATSProcess("ts", enable_tls=True) From 7a82213ef70f8a7e46f547324fe12f8a4a55cf23 Mon Sep 17 00:00:00 2001 From: Bryan Call Date: Wed, 4 Feb 2026 07:10:46 -0800 Subject: [PATCH 2/6] Improve HasLegacyTLSSupport detection for Fedora crypto-policies On Fedora/RHEL systems with crypto-policies, TLSv1.0/TLSv1.1 may be disabled at the system level even though OpenSSL accepts the -tls1 flag. The previous check would incorrectly report TLSv1 as supported because 'openssl ciphers -v -tls1' returns ciphers (TLSv1.2/TLSv1.3) even when TLSv1.0 is disabled. This fix improves detection by parsing the cipher list output and checking if any cipher is specifically marked as TLSv1 or SSLv3 in the version column, rather than just checking if the command succeeds. --- .../autest-site/conditions.test.ext | 29 +++++++++++++++---- 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/tests/gold_tests/autest-site/conditions.test.ext b/tests/gold_tests/autest-site/conditions.test.ext index bb7bb3ea36c..59e48a09a07 100644 --- a/tests/gold_tests/autest-site/conditions.test.ext +++ b/tests/gold_tests/autest-site/conditions.test.ext @@ -55,19 +55,36 @@ def IsOpenSSL(self): def HasLegacyTLSSupport(self): """Check if the system supports legacy TLS protocols (TLSv1.0 and TLSv1.1). - Modern OpenSSL 3.x installations often disable these protocols entirely. - This condition checks if curl can use the --tlsv1 flag, which indicates - TLSv1.0 support is available. + Modern OpenSSL 3.x installations often disable these protocols entirely, + even if the openssl binary still accepts the -tls1 flag. This condition + checks if actual TLSv1.0 ciphers are available (not just TLSv1.2/TLSv1.3 + ciphers returned when using the -tls1 flag). + + On Fedora/RHEL systems, the crypto-policies framework may disable legacy + TLS even when OpenSSL is compiled with support for it. """ def check_tls1_support(): try: - # Check if openssl supports TLSv1 + # Check if openssl has actual TLSv1.0 ciphers available + # When TLSv1.0 is disabled by crypto-policy, 'openssl ciphers -v -tls1' + # will still return ciphers, but they'll be TLSv1.2/TLSv1.3 ciphers result = subprocess.run( ['openssl', 'ciphers', '-v', '-tls1'], capture_output=True, text=True ) - # If the command succeeds and returns ciphers, TLSv1 is supported - return result.returncode == 0 and len(result.stdout.strip()) > 0 + if result.returncode != 0: + return False + + # Check if any cipher is specifically TLSv1 (not TLSv1.2 or TLSv1.3) + # TLSv1.0 ciphers show as "SSLv3" or "TLSv1" in the version column + for line in result.stdout.strip().split('\n'): + parts = line.split() + if len(parts) >= 2: + # The second column is the protocol version + version = parts[1] + if version in ('SSLv3', 'TLSv1'): + return True + return False except Exception: return False From 185f8ab1ec97d420441768b8acba50c7bf28cade Mon Sep 17 00:00:00 2001 From: Bryan Call Date: Wed, 4 Feb 2026 07:11:54 -0800 Subject: [PATCH 3/6] Fix HasLegacyTLSSupport to detect crypto-policy restrictions The previous check looked for TLSv1 ciphers in 'openssl ciphers' output, but on Fedora with crypto-policies, TLSv1 ciphers are still listed even though the protocol is disabled at runtime ("no protocols available"). This fix tests actual TLSv1 protocol availability by attempting an s_client connection and checking for the "no protocols available" error that indicates the protocol is blocked by system crypto-policy. --- .../autest-site/conditions.test.ext | 38 +++++++++---------- 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/tests/gold_tests/autest-site/conditions.test.ext b/tests/gold_tests/autest-site/conditions.test.ext index 59e48a09a07..ffedf162b94 100644 --- a/tests/gold_tests/autest-site/conditions.test.ext +++ b/tests/gold_tests/autest-site/conditions.test.ext @@ -56,35 +56,31 @@ def HasLegacyTLSSupport(self): """Check if the system supports legacy TLS protocols (TLSv1.0 and TLSv1.1). Modern OpenSSL 3.x installations often disable these protocols entirely, - even if the openssl binary still accepts the -tls1 flag. This condition - checks if actual TLSv1.0 ciphers are available (not just TLSv1.2/TLSv1.3 - ciphers returned when using the -tls1 flag). + even if the openssl binary still accepts the -tls1 flag and lists TLSv1 ciphers. On Fedora/RHEL systems, the crypto-policies framework may disable legacy - TLS even when OpenSSL is compiled with support for it. + TLS at runtime even when OpenSSL is compiled with support for it. This + causes 'openssl ciphers -v -tls1' to still list TLSv1 ciphers, but actual + TLS 1.0 connections will fail with "no protocols available". + + This check attempts to create an actual TLSv1 connection to detect if + the protocol is truly available, not just listed. """ def check_tls1_support(): try: - # Check if openssl has actual TLSv1.0 ciphers available - # When TLSv1.0 is disabled by crypto-policy, 'openssl ciphers -v -tls1' - # will still return ciphers, but they'll be TLSv1.2/TLSv1.3 ciphers + # Try to actually use TLSv1 - this catches crypto-policy restrictions + # that aren't visible in cipher listings result = subprocess.run( - ['openssl', 'ciphers', '-v', '-tls1'], - capture_output=True, text=True + ['openssl', 's_client', '-tls1', '-connect', 'localhost:1'], + capture_output=True, text=True, timeout=5 ) - if result.returncode != 0: + # If we get "no protocols available", TLSv1 is disabled by policy + if 'no protocols available' in result.stderr: return False - - # Check if any cipher is specifically TLSv1 (not TLSv1.2 or TLSv1.3) - # TLSv1.0 ciphers show as "SSLv3" or "TLSv1" in the version column - for line in result.stdout.strip().split('\n'): - parts = line.split() - if len(parts) >= 2: - # The second column is the protocol version - version = parts[1] - if version in ('SSLv3', 'TLSv1'): - return True - return False + # Connection refused is fine - we're just testing if TLSv1 is allowed + return True + except subprocess.TimeoutExpired: + return True # Timeout means TLSv1 was at least attempted except Exception: return False From c0d0b295dff9ffc916e63a4282b2d60b86889ed4 Mon Sep 17 00:00:00 2001 From: Bryan Call Date: Wed, 4 Feb 2026 07:12:47 -0800 Subject: [PATCH 4/6] Fix HasLegacyTLSSupport to use real HTTPS server for detection Testing TLSv1 against localhost:1 fails at TCP layer before reaching TLS, so "no protocols available" error is never shown. Need to connect to a real HTTPS server to properly detect crypto-policy restrictions. --- .../autest-site/conditions.test.ext | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/tests/gold_tests/autest-site/conditions.test.ext b/tests/gold_tests/autest-site/conditions.test.ext index ffedf162b94..c7903c125be 100644 --- a/tests/gold_tests/autest-site/conditions.test.ext +++ b/tests/gold_tests/autest-site/conditions.test.ext @@ -63,25 +63,32 @@ def HasLegacyTLSSupport(self): causes 'openssl ciphers -v -tls1' to still list TLSv1 ciphers, but actual TLS 1.0 connections will fail with "no protocols available". - This check attempts to create an actual TLSv1 connection to detect if - the protocol is truly available, not just listed. + This check attempts to create an actual TLSv1 connection to a known HTTPS + server to detect if the protocol is truly available at runtime. """ def check_tls1_support(): try: - # Try to actually use TLSv1 - this catches crypto-policy restrictions - # that aren't visible in cipher listings + # Try to actually use TLSv1 against a real HTTPS server + # This catches crypto-policy restrictions that aren't visible in cipher listings + # We use a well-known server that's likely to be reachable result = subprocess.run( - ['openssl', 's_client', '-tls1', '-connect', 'localhost:1'], - capture_output=True, text=True, timeout=5 + ['openssl', 's_client', '-tls1', '-connect', 'www.google.com:443'], + capture_output=True, text=True, timeout=10, + input='' # Don't wait for input ) + # Combine stdout and stderr for checking + output = result.stdout + result.stderr # If we get "no protocols available", TLSv1 is disabled by policy - if 'no protocols available' in result.stderr: + if 'no protocols available' in output: return False - # Connection refused is fine - we're just testing if TLSv1 is allowed + # If we get a successful connection or a server-side TLS version mismatch, + # it means TLSv1 is enabled on this client return True except subprocess.TimeoutExpired: - return True # Timeout means TLSv1 was at least attempted + # If network is slow but TLSv1 was attempted, assume it's available + return True except Exception: + # If we can't determine, assume TLSv1 is not available (safer) return False return self.Condition(check_tls1_support, "System does not support legacy TLS protocols (TLSv1.0/TLSv1.1)") From 9b0c9a45520ae40c27793d9ece23f0a239187a4a Mon Sep 17 00:00:00 2001 From: Bryan Call Date: Wed, 4 Feb 2026 09:35:19 -0800 Subject: [PATCH 5/6] tests: apply yapf formatting --- tests/gold_tests/autest-site/conditions.test.ext | 5 ++++- tests/gold_tests/tls/tls_client_versions.test.py | 5 +---- tests/gold_tests/tls/tls_client_versions_minmax.test.py | 5 +---- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/tests/gold_tests/autest-site/conditions.test.ext b/tests/gold_tests/autest-site/conditions.test.ext index c7903c125be..e4d7eee042e 100644 --- a/tests/gold_tests/autest-site/conditions.test.ext +++ b/tests/gold_tests/autest-site/conditions.test.ext @@ -66,6 +66,7 @@ def HasLegacyTLSSupport(self): This check attempts to create an actual TLSv1 connection to a known HTTPS server to detect if the protocol is truly available at runtime. """ + def check_tls1_support(): try: # Try to actually use TLSv1 against a real HTTPS server @@ -73,7 +74,9 @@ def HasLegacyTLSSupport(self): # We use a well-known server that's likely to be reachable result = subprocess.run( ['openssl', 's_client', '-tls1', '-connect', 'www.google.com:443'], - capture_output=True, text=True, timeout=10, + capture_output=True, + text=True, + timeout=10, input='' # Don't wait for input ) # Combine stdout and stderr for checking diff --git a/tests/gold_tests/tls/tls_client_versions.test.py b/tests/gold_tests/tls/tls_client_versions.test.py index 89a8fd5664f..8aa8242199b 100644 --- a/tests/gold_tests/tls/tls_client_versions.test.py +++ b/tests/gold_tests/tls/tls_client_versions.test.py @@ -24,10 +24,7 @@ # for special domain foo.com only offer TLSv1 and TLSv1_1 Test.SkipUnless(Condition.HasOpenSSLVersion("1.1.1")) -Test.SkipUnless( - Condition.HasLegacyTLSSupport(), - "This test requires TLSv1.0/TLSv1.1 support which is disabled on modern systems" -) +Test.SkipUnless(Condition.HasLegacyTLSSupport(), "This test requires TLSv1.0/TLSv1.1 support which is disabled on modern systems") # Define default ATS ts = Test.MakeATSProcess("ts", enable_tls=True) diff --git a/tests/gold_tests/tls/tls_client_versions_minmax.test.py b/tests/gold_tests/tls/tls_client_versions_minmax.test.py index d4e6ddc33fa..c2de45ede2e 100644 --- a/tests/gold_tests/tls/tls_client_versions_minmax.test.py +++ b/tests/gold_tests/tls/tls_client_versions_minmax.test.py @@ -24,10 +24,7 @@ # for special domain foo.com only offer TLSv1 and TLSv1_1 Test.SkipUnless(Condition.HasOpenSSLVersion("1.1.1")) -Test.SkipUnless( - Condition.HasLegacyTLSSupport(), - "This test requires TLSv1.0/TLSv1.1 support which is disabled on modern systems" -) +Test.SkipUnless(Condition.HasLegacyTLSSupport(), "This test requires TLSv1.0/TLSv1.1 support which is disabled on modern systems") # Define default ATS ts = Test.MakeATSProcess("ts", enable_tls=True) From 20a8bafe4b9e2917d2bc4cadb432ffed61f6b8b5 Mon Sep 17 00:00:00 2001 From: Bryan Call Date: Sun, 8 Feb 2026 10:44:01 -0800 Subject: [PATCH 6/6] Fix HasLegacyTLSSupport to use localhost instead of external network - Replace www.google.com:443 with 127.0.0.1:1 to avoid external network dependency in CI environments. Connection refused means TLSv1 protocol is available; "no protocols available" means crypto-policy blocks it. - Fix TimeoutExpired to return False (not True) since timeout on localhost indicates something is wrong, not that TLSv1 is available. - Remove invalid reason string from SkipUnless calls -- SkipUnless only accepts Condition objects, not extra string arguments. The skip reason is already embedded in the Condition definition. - Add docstring rationale for why only TLSv1.0 is probed (crypto-policies always disable TLSv1.0 and TLSv1.1 together). --- .../autest-site/conditions.test.ext | 34 +++++++++++-------- .../tls/tls_client_versions.test.py | 2 +- .../tls/tls_client_versions_minmax.test.py | 2 +- 3 files changed, 22 insertions(+), 16 deletions(-) diff --git a/tests/gold_tests/autest-site/conditions.test.ext b/tests/gold_tests/autest-site/conditions.test.ext index e4d7eee042e..e01fecdb85e 100644 --- a/tests/gold_tests/autest-site/conditions.test.ext +++ b/tests/gold_tests/autest-site/conditions.test.ext @@ -63,33 +63,39 @@ def HasLegacyTLSSupport(self): causes 'openssl ciphers -v -tls1' to still list TLSv1 ciphers, but actual TLS 1.0 connections will fail with "no protocols available". - This check attempts to create an actual TLSv1 connection to a known HTTPS - server to detect if the protocol is truly available at runtime. + We only probe TLSv1.0 (not TLSv1.1 separately) because crypto-policies + always disable both legacy versions together. If TLSv1.0 is unavailable, + TLSv1.1 will be too. + + The check connects to localhost on a closed port to avoid any external + network dependency. A "connection refused" error means the TLS protocol + was available but nothing was listening; "no protocols available" means + the crypto-policy blocked TLSv1.0 entirely. """ def check_tls1_support(): try: - # Try to actually use TLSv1 against a real HTTPS server - # This catches crypto-policy restrictions that aren't visible in cipher listings - # We use a well-known server that's likely to be reachable + # Connect to localhost on a port nothing is listening on. + # This avoids external network dependency while still detecting + # whether the crypto-policy allows TLSv1.0. result = subprocess.run( - ['openssl', 's_client', '-tls1', '-connect', 'www.google.com:443'], + ['openssl', 's_client', '-tls1', '-connect', '127.0.0.1:1'], capture_output=True, text=True, - timeout=10, - input='' # Don't wait for input + timeout=5, + input='' # Don't wait for interactive input ) - # Combine stdout and stderr for checking output = result.stdout + result.stderr - # If we get "no protocols available", TLSv1 is disabled by policy + # "no protocols available" means TLSv1 is disabled by crypto-policy if 'no protocols available' in output: return False - # If we get a successful connection or a server-side TLS version mismatch, - # it means TLSv1 is enabled on this client + # Connection refused or other errors mean TLSv1 was attempted + # (the protocol is available, just no server listening) return True except subprocess.TimeoutExpired: - # If network is slow but TLSv1 was attempted, assume it's available - return True + # Timeout on localhost shouldn't happen, but if it does, + # assume TLSv1 is not available (safer than false positive) + return False except Exception: # If we can't determine, assume TLSv1 is not available (safer) return False diff --git a/tests/gold_tests/tls/tls_client_versions.test.py b/tests/gold_tests/tls/tls_client_versions.test.py index 8aa8242199b..1f0343d9cd1 100644 --- a/tests/gold_tests/tls/tls_client_versions.test.py +++ b/tests/gold_tests/tls/tls_client_versions.test.py @@ -24,7 +24,7 @@ # for special domain foo.com only offer TLSv1 and TLSv1_1 Test.SkipUnless(Condition.HasOpenSSLVersion("1.1.1")) -Test.SkipUnless(Condition.HasLegacyTLSSupport(), "This test requires TLSv1.0/TLSv1.1 support which is disabled on modern systems") +Test.SkipUnless(Condition.HasLegacyTLSSupport()) # Define default ATS ts = Test.MakeATSProcess("ts", enable_tls=True) diff --git a/tests/gold_tests/tls/tls_client_versions_minmax.test.py b/tests/gold_tests/tls/tls_client_versions_minmax.test.py index c2de45ede2e..9c63d0700d8 100644 --- a/tests/gold_tests/tls/tls_client_versions_minmax.test.py +++ b/tests/gold_tests/tls/tls_client_versions_minmax.test.py @@ -24,7 +24,7 @@ # for special domain foo.com only offer TLSv1 and TLSv1_1 Test.SkipUnless(Condition.HasOpenSSLVersion("1.1.1")) -Test.SkipUnless(Condition.HasLegacyTLSSupport(), "This test requires TLSv1.0/TLSv1.1 support which is disabled on modern systems") +Test.SkipUnless(Condition.HasLegacyTLSSupport()) # Define default ATS ts = Test.MakeATSProcess("ts", enable_tls=True)