6 files changed, 25 insertions, 33 deletions
diff --git a/test/modules/http2/env.py b/test/modules/http2/env.py
index f70852dd2a..fee672bd2b 100644
--- a/test/modules/http2/env.py
+++ b/test/modules/http2/env.py
@@ -92,6 +92,7 @@ class H2TestEnv(HttpdTestEnv):
             re.compile(r'.*:tls_post_process_client_hello:.*'),
             re.compile(r'.*:tls_process_client_certificate:.*'),
             re.compile(r'.*have incompatible TLS configurations.'),
+            re.compile(r'.*SSL Library Error: error:0A0000C[17]:.*'),
         ])
 
     def setup_httpd(self, setup: HttpdTestSetup = None):
diff --git a/test/modules/tls/env.py b/test/modules/tls/env.py
index e60c321712..705192f351 100644
--- a/test/modules/tls/env.py
+++ b/test/modules/tls/env.py
@@ -3,13 +3,9 @@ import logging
 import os
 import re
 import subprocess
-import sys
-import time
 
 from datetime import timedelta, datetime
-from http.client import HTTPConnection
 from typing import List, Optional, Dict, Tuple, Union
-from urllib.parse import urlparse
 
 from pyhttpd.certs import CertificateSpec
 from pyhttpd.env import HttpdTestEnv, HttpdTestSetup
@@ -57,6 +53,19 @@ class TlsCipher:
 
 class TlsTestEnv(HttpdTestEnv):
 
+    CURL_SUPPORTS_TLS_1_3 = None
+
+    @classmethod
+    def curl_supports_tls_1_3(cls) -> bool:
+        if cls.CURL_SUPPORTS_TLS_1_3 is None:
+            p = subprocess.run(['curl', '--tlsv1.3', 'https://shouldneverexistreally'],
+                               stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+            # return code 6 means the site could not be resolved, but the
+            # tls parameter was recognized
+            cls.CURL_SUPPORTS_TLS_1_3 = p.returncode == 6
+        return cls.CURL_SUPPORTS_TLS_1_3
+
+
     # current rustls supported ciphers in their order of preference
     # used to test cipher selection, see test_06_ciphers.py
     RUSTLS_CIPHERS = [
@@ -159,14 +168,6 @@ class TlsTestEnv(HttpdTestEnv):
         args.extend([])
         return self.openssl(args)
 
-    CURL_SUPPORTS_TLS_1_3 = None
-
-    def curl_supports_tls_1_3(self) -> bool:
-        if self.CURL_SUPPORTS_TLS_1_3 is None:
-            r = self.tls_get(self.domain_a, "/index.json", options=["--tlsv1.3"])
-            self.CURL_SUPPORTS_TLS_1_3 = r.exit_code == 0
-        return self.CURL_SUPPORTS_TLS_1_3
-
     OPENSSL_SUPPORTED_PROTOCOLS = None
 
     @staticmethod
diff --git a/test/modules/tls/test_03_sni.py b/test/modules/tls/test_03_sni.py
index eda9a33adb..2f11afc35b 100644
--- a/test/modules/tls/test_03_sni.py
+++ b/test/modules/tls/test_03_sni.py
@@ -3,6 +3,7 @@ from datetime import timedelta
 import pytest
 
 from .conf import TlsTestConf
+from .env import TlsTestEnv
 
 
 class TestSni:
@@ -13,7 +14,6 @@ class TestSni:
         conf.add_tls_vhosts(domains=[env.domain_a, env.domain_b])
         conf.install()
         assert env.apache_restart() == 0
-        env.curl_supports_tls_1_3()  # init
 
     @pytest.fixture(autouse=True, scope='function')
     def _function_scope(self, env):
@@ -46,9 +46,6 @@ class TestSni:
         assert r.response['status'] == 421
 
     def test_03_sni_request_other_other_honor(self, env):
-        if env.curl_supports_tls_1_3():
-            # can't do this test then
-            return
         # do we see the first vhost response for an unknown domain?
         conf = TlsTestConf(env=env, extras={
             env.domain_a: "TLSProtocol TLSv1.2+",
@@ -58,7 +55,7 @@ class TestSni:
         conf.install()
         assert env.apache_restart() == 0
         r = env.tls_get(env.domain_a, "/index.json", options=[
-            "-vvvv", "--header", "Host: {0}".format(env.domain_b)
+            "-vvvv", "--tls-max", "1.2", "--header", "Host: {0}".format(env.domain_b)
         ])
         # request denied
         assert r.exit_code == 0
diff --git a/test/modules/tls/test_05_proto.py b/test/modules/tls/test_05_proto.py
index 7165f21b84..6f4762cd26 100644
--- a/test/modules/tls/test_05_proto.py
+++ b/test/modules/tls/test_05_proto.py
@@ -6,6 +6,7 @@ from threading import Thread
 import pytest
 
 from .conf import TlsTestConf
+from .env import TlsTestEnv
 
 
 class TestProto:
@@ -29,18 +30,16 @@ class TestProto:
     def _function_scope(self, env):
         pass
 
-    CURL_SUPPORTS_TLS_1_3 = None
-
     def test_05_proto_1_2(self, env):
         r = env.tls_get(env.domain_b, "/index.json", options=["--tlsv1.2"])
         assert r.exit_code == 0, r.stderr
-        if env.curl_supports_tls_1_3():
+        if TlsTestEnv.curl_supports_tls_1_3():
             r = env.tls_get(env.domain_b, "/index.json", options=["--tlsv1.3"])
             assert r.exit_code == 0, r.stderr
 
     def test_05_proto_1_3(self, env):
         r = env.tls_get(env.domain_a, "/index.json", options=["--tlsv1.3"])
-        if env.curl_supports_tls_1_3():
+        if TlsTestEnv.curl_supports_tls_1_3():
             assert r.exit_code == 0, r.stderr
         else:
             assert r.exit_code == 4, r.stderr
diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py
index baaed38205..4527213346 100644
--- a/test/modules/tls/test_08_vars.py
+++ b/test/modules/tls/test_08_vars.py
@@ -1,9 +1,9 @@
 import re
-from datetime import timedelta
 
 import pytest
 
 from .conf import TlsTestConf
+from .env import TlsTestEnv
 
 
 class TestVars:
@@ -22,13 +22,10 @@ class TestVars:
 
     def test_08_vars_root(self, env):
         # in domain_b root, the StdEnvVars is switch on
-        if env.curl_supports_tls_1_3():
-            exp_proto = "TLSv1.3"
-            exp_cipher = "TLS_AES_256_GCM_SHA384"
-        else:
-            exp_proto = "TLSv1.2"
-            exp_cipher = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
-        r = env.tls_get(env.domain_b, "/vars.py")
+        exp_proto = "TLSv1.2"
+        exp_cipher = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+        options = [ '--tls-max', '1.2']
+        r = env.tls_get(env.domain_b, "/vars.py", options=options)
         assert r.exit_code == 0, r.stderr
         assert r.json == {
             'https': 'on',
@@ -37,7 +34,7 @@ class TestVars:
             'ssl_protocol': exp_proto,
             # this will vary by client potentially
             'ssl_cipher': exp_cipher,
-        }, r.stdout
+        }
 
     @pytest.mark.parametrize("name, value", [
         ("SERVER_NAME", "b.mod-tls.test"),
diff --git a/test/pyhttpd/env.py b/test/pyhttpd/env.py
index fb87272c26..c08320a883 100644
--- a/test/pyhttpd/env.py
+++ b/test/pyhttpd/env.py
@@ -632,9 +632,6 @@ class HttpdTestEnv:
 
     def curl_raw(self, urls, timeout=10, options=None, insecure=False,
                  force_resolve=True):
-        xopt = ['-vvvv']
-        if options:
-            xopt.extend(options)
         args, headerfile = self.curl_complete_args(
             urls=urls, timeout=timeout, options=options, insecure=insecure,
             force_resolve=force_resolve)