Draft: Fix tests
-
Mark juniper-sso-auth test as using LD_PRELOAD
This will allow us to correctly detect it as broken-under-ASAN
-
Mark obsolete-server-crypto test as XFAIL in Fedora/GnuTLS/* CI
The system-wide minimum crypto policy on Fedora prevents us from enabling 3DES and RC4 ciphers via GnuTLS priority strings, and the library-reinitialization hack added in !158 (merged) does not work reliably to disable system-wide minimum crypto policy. Its unreliability is perhaps due to insufficient testing of this code path (see #243 (comment 576194663)).
Rather than pre-disable or delete the system-wide crypto policy in these CI builds, we should mark obsolete-server-crypto test as XFAIL for these builds. It's the most accurate description of the state of those tests: these environments do not provide OpenConnect with the capabilities to reliably enable obsolete/insecure crypto algorithms in a self-contained way.
See https://bugzilla.redhat.com/show_bug.cgi?id=1960763 for ongoing discussions about how to come up with a more reliable, testable, and maintainable mechanism for OpenConnect to enable these algorithms without compromising the system-wide minimum crypto policy.