test: update tls junk data error expectations

panva · nodejs-github-bot · commit 8c3cf47ece42 · 2026-04-10T13:29:46.000Z
PR-URL: #62629 Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com>
diff --git a/test/parallel/test-tls-alert-handling.js b/test/parallel/test-tls-alert-handling.js
@@ -6,7 +6,6 @@ if (!common.hasCrypto) {
 }
 
 const {
-  hasOpenSSL,
   hasOpenSSL3,
 } = require('../common/crypto');
 
@@ -34,18 +33,15 @@ const max_iter = 20;
 let iter = 0;
 
 const errorHandler = common.mustCall((err) => {
-  let expectedErrorCode = 'ERR_SSL_WRONG_VERSION_NUMBER';
-  let expectedErrorReason = /wrong[\s_]version[\s_]number/i;
-  if (hasOpenSSL(3, 2)) {
-    expectedErrorCode = 'ERR_SSL_PACKET_LENGTH_TOO_LONG';
-    expectedErrorReason = /packet[\s_]length[\s_]too[\s_]long/i;
-  };
-
-  assert.strictEqual(err.code, expectedErrorCode);
+  // Different OpenSSL versions report different errors for junk data on a
+  // TLS connection, depending on which record validation check fires first.
+  assert.match(err.code,
+               /ERR_SSL_(WRONG_VERSION_NUMBER|PACKET_LENGTH_TOO_LONG|BAD_RECORD_TYPE)/);
   assert.strictEqual(err.library, 'SSL routines');
   if (!hasOpenSSL3 && !process.features.openssl_is_boringssl)
     assert.strictEqual(err.function, 'ssl3_get_record');
-  assert.match(err.reason, expectedErrorReason);
+  assert.match(err.reason,
+               /wrong[\s_]version[\s_]number|packet[\s_]length[\s_]too[\s_]long|bad[\s_]record[\s_]type/i);
   errorReceived = true;
   if (canCloseServer())
     server.close();
@@ -98,16 +94,14 @@ function sendBADTLSRecord() {
     });
   }));
   client.on('error', common.mustCall((err) => {
-    let expectedErrorCode = 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION';
-    let expectedErrorReason = /tlsv1[\s_]alert[\s_]protocol[\s_]version/i;
-    if (hasOpenSSL(3, 2)) {
-      expectedErrorCode = 'ERR_SSL_TLSV1_ALERT_RECORD_OVERFLOW';
-      expectedErrorReason = /tlsv1[\s_]alert[\s_]record[\s_]overflow/i;
-    }
-    assert.strictEqual(err.code, expectedErrorCode);
+    // Different OpenSSL versions send different TLS alerts when the peer
+    // receives an invalid record on an established connection.
+    assert.match(err.code,
+                 /ERR_SSL_(TLSV1_ALERT_PROTOCOL_VERSION|TLSV1_ALERT_RECORD_OVERFLOW|SSL\/TLS_ALERT_UNEXPECTED_MESSAGE)/);
     assert.strictEqual(err.library, 'SSL routines');
     if (!hasOpenSSL3 && !process.features.openssl_is_boringssl)
       assert.strictEqual(err.function, 'ssl3_read_bytes');
-    assert.match(err.reason, expectedErrorReason);
+    assert.match(err.reason,
+                 /tlsv1[\s_]alert[\s_]protocol[\s_]version|tlsv1[\s_]alert[\s_]record[\s_]overflow|ssl\/tls[\s_]alert[\s_]unexpected[\s_]message/i);
   }));
 }
diff --git a/test/parallel/test-tls-junk-server.js b/test/parallel/test-tls-junk-server.js
@@ -5,8 +5,6 @@ if (!common.hasCrypto) {
   common.skip('missing crypto');
 }
 
-const { hasOpenSSL } = require('../common/crypto');
-
 const assert = require('assert');
 const https = require('https');
 const net = require('net');
@@ -23,10 +21,10 @@ server.listen(0, common.mustCall(function() {
   const req = https.request({ port: this.address().port });
   req.end();
 
-  let expectedErrorMessage = new RegExp('wrong version number');
-  if (hasOpenSSL(3, 2)) {
-    expectedErrorMessage = new RegExp('packet length too long');
-  };
+  // Different OpenSSL versions report different errors for junk data on a
+  // TLS connection, depending on which record validation check fires first.
+  const expectedErrorMessage =
+    /wrong version number|packet length too long|bad record type/;
   req.once('error', common.mustCall(function(err) {
     assert.match(err.message, expectedErrorMessage);
     server.close();
