Fix TLS tests for OTP-26+

ct_helper now uses the test certificates generated by
public_key. A few adjustments had to be made as a result.

test/cowboy_test.erl

@@ -112,10 +112,14 @@ gun_open(Config) ->
 	gun_open(Config, #{}).
 
 gun_open(Config, Opts) ->
+	TlsOpts = case proplists:get_value(no_cert, Config, false) of
+		true -> [{verify, verify_none}];
+		false -> ct_helper:get_certs_from_ets()
+	end,
 	{ok, ConnPid} = gun:open("localhost", config(port, Config), Opts#{
 		retry => 0,
 		transport => config(type, Config),
-		tls_opts => [{versions, ['tlsv1.2']}|proplists:get_value(tls_opts, Config, [])],
+		tls_opts => TlsOpts,
 		protocols => [config(protocol, Config)]
 	}),
 	ConnPid.

test/proxy_header_SUITE.erl

@@ -126,7 +126,8 @@ do_proxy_header_https(Config, ProxyInfo) ->
 	{ok, Socket0} = gen_tcp:connect("localhost", config(port, Config),
 		[binary, {active, false}, {packet, raw}]),
 	ok = gen_tcp:send(Socket0, ranch_proxy_header:header(ProxyInfo)),
-	{ok, Socket} = ssl:connect(Socket0, [{versions, ['tlsv1.2']}], 1000),
+	TlsOpts = ct_helper:get_certs_from_ets(),
+	{ok, Socket} = ssl:connect(Socket0, TlsOpts, 1000),
 	do_proxy_header_http_common({raw_client, Socket, ssl}, ProxyInfo).
 
 do_proxy_header_http_common(Client, ProxyInfo) ->
@@ -151,8 +152,9 @@ do_proxy_header_h2(Config, ProxyInfo) ->
 	{ok, Socket0} = gen_tcp:connect("localhost", config(port, Config),
 		[binary, {active, false}, {packet, raw}]),
 	ok = gen_tcp:send(Socket0, ranch_proxy_header:header(ProxyInfo)),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect(Socket0,
-		[{alpn_advertised_protocols, [<<"h2">>]}, {versions, ['tlsv1.2']}], 1000),
+		[{alpn_advertised_protocols, [<<"h2">>]}|TlsOpts], 1000),
 	do_proxy_header_h2_common({raw_client, Socket, ssl}, ProxyInfo).
 
 do_proxy_header_h2c(Config, ProxyInfo) ->

test/req_SUITE.erl

@@ -184,22 +184,16 @@ cert(Config) ->
 		ssl -> do_cert(Config)
 	end.
 
-do_cert(Config0) ->
+do_cert(Config) ->
 	doc("A client TLS certificate was provided."),
-	{CaCert, Cert, Key} = ct_helper:make_certs(),
-	Config = [{tls_opts, [
-		{cert, Cert},
-		{key, Key},
-		{cacerts, [CaCert]}
-	]}|Config0],
 	Cert = do_get_body("/cert", Config),
 	Cert = do_get_body("/direct/cert", Config),
 	ok.
 
 cert_undefined(Config) ->
 	doc("No client TLS certificate was provided."),
-	<<"undefined">> = do_get_body("/cert", Config),
-	<<"undefined">> = do_get_body("/direct/cert", Config),
+	<<"undefined">> = do_get_body("/cert", [{no_cert, true}|Config]),
+	<<"undefined">> = do_get_body("/direct/cert", [{no_cert, true}|Config]),
 	ok.
 
 header(Config) ->

test/rfc7540_SUITE.erl

@@ -589,18 +589,20 @@ http_upgrade_response_half_closed(Config) ->
 
 alpn_ignore_h2c(Config) ->
 	doc("An h2c ALPN protocol identifier must be ignored. (RFC7540 3.3)"),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect("localhost", config(port, Config),
 		[{alpn_advertised_protocols, [<<"h2c">>, <<"http/1.1">>]},
-			binary, {active, false}, {versions, ['tlsv1.2']}]),
+			binary, {active, false}|TlsOpts]),
 	{ok, <<"http/1.1">>} = ssl:negotiated_protocol(Socket),
 	ok.
 
 alpn_server_preface(Config) ->
 	doc("The first frame must be a SETTINGS frame "
 		"for the server connection preface. (RFC7540 3.3, RFC7540 3.5, RFC7540 6.5)"),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect("localhost", config(port, Config),
 		[{alpn_advertised_protocols, [<<"h2">>]},
-			binary, {active, false}, {versions, ['tlsv1.2']}]),
+			binary, {active, false}|TlsOpts]),
 	{ok, <<"h2">>} = ssl:negotiated_protocol(Socket),
 	%% Receive the server preface.
 	{ok, << _:24, 4:8, 0:40 >>} = ssl:recv(Socket, 9, 1000),
@@ -609,9 +611,10 @@ alpn_server_preface(Config) ->
 alpn_client_preface_timeout(Config) ->
 	doc("Clients negotiating HTTP/2 and not sending a preface in "
 		"a timely manner must be disconnected."),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect("localhost", config(port, Config),
 		[{alpn_advertised_protocols, [<<"h2">>]},
-			binary, {active, false}, {versions, ['tlsv1.2']}]),
+			binary, {active, false}|TlsOpts]),
 	{ok, <<"h2">>} = ssl:negotiated_protocol(Socket),
 	%% Receive the server preface.
 	{ok, << Len:24 >>} = ssl:recv(Socket, 3, 1000),
@@ -623,9 +626,10 @@ alpn_client_preface_timeout(Config) ->
 alpn_reject_missing_client_preface(Config) ->
 	doc("Servers must treat an invalid connection preface as a "
 		"connection error of type PROTOCOL_ERROR. (RFC7540 3.3, RFC7540 3.5)"),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect("localhost", config(port, Config),
 		[{alpn_advertised_protocols, [<<"h2">>]},
-			binary, {active, false}, {versions, ['tlsv1.2']}]),
+			binary, {active, false}|TlsOpts]),
 	{ok, <<"h2">>} = ssl:negotiated_protocol(Socket),
 	%% Send a SETTINGS frame directly instead of the proper preface.
 	ok = ssl:send(Socket, cow_http2:settings(#{})),
@@ -639,9 +643,10 @@ alpn_reject_missing_client_preface(Config) ->
 alpn_reject_invalid_client_preface(Config) ->
 	doc("Servers must treat an invalid connection preface as a "
 		"connection error of type PROTOCOL_ERROR. (RFC7540 3.3, RFC7540 3.5)"),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect("localhost", config(port, Config),
 		[{alpn_advertised_protocols, [<<"h2">>]},
-			binary, {active, false}, {versions, ['tlsv1.2']}]),
+			binary, {active, false}|TlsOpts]),
 	{ok, <<"h2">>} = ssl:negotiated_protocol(Socket),
 	%% Send a slightly incorrect preface.
 	ok = ssl:send(Socket, "PRI * HTTP/2.0\r\n\r\nSM: Value\r\n\r\n"),
@@ -655,9 +660,10 @@ alpn_reject_invalid_client_preface(Config) ->
 alpn_reject_missing_client_preface_settings(Config) ->
 	doc("Servers must treat an invalid connection preface as a "
 		"connection error of type PROTOCOL_ERROR. (RFC7540 3.3, RFC7540 3.5)"),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect("localhost", config(port, Config),
 		[{alpn_advertised_protocols, [<<"h2">>]},
-			binary, {active, false}, {versions, ['tlsv1.2']}]),
+			binary, {active, false}|TlsOpts]),
 	{ok, <<"h2">>} = ssl:negotiated_protocol(Socket),
 	%% Send a valid preface sequence except followed by a PING instead of a SETTINGS frame.
 	ok = ssl:send(Socket, ["PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n", cow_http2:ping(0)]),
@@ -671,9 +677,10 @@ alpn_reject_missing_client_preface_settings(Config) ->
 alpn_reject_invalid_client_preface_settings(Config) ->
 	doc("Servers must treat an invalid connection preface as a "
 		"connection error of type PROTOCOL_ERROR. (RFC7540 3.3, RFC7540 3.5)"),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect("localhost", config(port, Config),
 		[{alpn_advertised_protocols, [<<"h2">>]},
-			binary, {active, false}, {versions, ['tlsv1.2']}]),
+			binary, {active, false}|TlsOpts]),
 	{ok, <<"h2">>} = ssl:negotiated_protocol(Socket),
 	%% Send a valid preface sequence except followed by a badly formed SETTINGS frame.
 	ok = ssl:send(Socket, ["PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n", << 0:24, 4:8, 0:9, 1:31 >>]),
@@ -686,9 +693,10 @@ alpn_reject_invalid_client_preface_settings(Config) ->
 
 alpn_accept_client_preface_empty_settings(Config) ->
 	doc("The SETTINGS frame in the client preface may be empty. (RFC7540 3.3, RFC7540 3.5)"),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect("localhost", config(port, Config),
 		[{alpn_advertised_protocols, [<<"h2">>]},
-			binary, {active, false}, {versions, ['tlsv1.2']}]),
+			binary, {active, false}|TlsOpts]),
 	{ok, <<"h2">>} = ssl:negotiated_protocol(Socket),
 	%% Send a valid preface sequence except followed by an empty SETTINGS frame.
 	ok = ssl:send(Socket, ["PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n", cow_http2:settings(#{})]),
@@ -702,9 +710,10 @@ alpn_accept_client_preface_empty_settings(Config) ->
 alpn_client_preface_settings_ack_timeout(Config) ->
 	doc("Failure to acknowledge the server's SETTINGS frame "
 		"results in a SETTINGS_TIMEOUT connection error. (RFC7540 3.5, RFC7540 6.5.3)"),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect("localhost", config(port, Config),
 		[{alpn_advertised_protocols, [<<"h2">>]},
-			binary, {active, false}, {versions, ['tlsv1.2']}]),
+			binary, {active, false}|TlsOpts]),
 	{ok, <<"h2">>} = ssl:negotiated_protocol(Socket),
 	%% Send a valid preface.
 	ok = ssl:send(Socket, ["PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n", cow_http2:settings(#{})]),
@@ -719,9 +728,10 @@ alpn_client_preface_settings_ack_timeout(Config) ->
 
 alpn(Config) ->
 	doc("Successful ALPN negotiation. (RFC7540 3.3)"),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect("localhost", config(port, Config),
 		[{alpn_advertised_protocols, [<<"h2">>]},
-			binary, {active, false}, {versions, ['tlsv1.2']}]),
+			binary, {active, false}|TlsOpts]),
 	{ok, <<"h2">>} = ssl:negotiated_protocol(Socket),
 	%% Send a valid preface.
 	%% @todo Use non-empty SETTINGS here. Just because.
@@ -745,8 +755,9 @@ alpn(Config) ->
 
 prior_knowledge_reject_tls(Config) ->
 	doc("Implementations that support HTTP/2 over TLS must use ALPN. (RFC7540 3.4)"),
+	TlsOpts = ct_helper:get_certs_from_ets(),
 	{ok, Socket} = ssl:connect("localhost", config(port, Config),
-		[binary, {active, false}, {versions, ['tlsv1.2']}]),
+		[binary, {active, false}|TlsOpts]),
 	%% Send a valid preface.
 	ok = ssl:send(Socket, ["PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n", cow_http2:settings(#{})]),
 	%% We expect the server to send an HTTP 400 error

test/sys_SUITE.erl

@@ -22,7 +22,6 @@
 -import(ct_helper, [get_remote_pid_tcp/1]).
 -import(ct_helper, [get_remote_pid_tls/1]).
 -import(ct_helper, [is_process_down/1]).
--import(cowboy_test, [gun_open/1]).
 
 all() ->
 	[{group, sys}].
@@ -109,8 +108,8 @@ bad_system_from_h1(Config) ->
 bad_system_from_h2(Config) ->
 	doc("h2: Sending a system message with a bad From value results in a process crash."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	%% Skip the SETTINGS frame.
 	{ok, <<_,_,_,4,_/bits>>} = ssl:recv(Socket, 0, 1000),
 	timer:sleep(100),
@@ -177,8 +176,8 @@ bad_system_message_h1(Config) ->
 bad_system_message_h2(Config) ->
 	doc("h2: Sending a system message with a bad Request value results in an error."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	%% Skip the SETTINGS frame.
 	{ok, <<_,_,_,4,_/bits>>} = ssl:recv(Socket, 0, 1000),
 	timer:sleep(100),
@@ -254,8 +253,8 @@ good_system_message_h1(Config) ->
 good_system_message_h2(Config) ->
 	doc("h2: System messages are handled properly."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	%% Skip the SETTINGS frame.
 	{ok, <<_,_,_,4,_/bits>>} = ssl:recv(Socket, 0, 1000),
 	timer:sleep(100),
@@ -339,8 +338,8 @@ trap_exit_parent_exit_h2(Config) ->
 	doc("h2: A process trapping exits must stop when receiving "
 		"an 'EXIT' message from its parent."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	%% Skip the SETTINGS frame.
 	{ok, <<_,_,_,4,_/bits>>} = ssl:recv(Socket, 0, 1000),
 	timer:sleep(100),
@@ -412,8 +411,8 @@ trap_exit_other_exit_h2(Config) ->
 	doc("h2: A process trapping exits must ignore "
 		"'EXIT' messages from unknown processes."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	do_http2_handshake(Socket),
 	Pid = get_remote_pid_tls(Socket),
 	Pid ! {'EXIT', self(), {shutdown, ?MODULE}},
@@ -531,8 +530,8 @@ sys_change_code_h1(Config) ->
 sys_change_code_h2(Config) ->
 	doc("h2: The sys:change_code/4 function works as expected."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	do_http2_handshake(Socket),
 	Pid = get_remote_pid_tls(Socket),
 	%% Suspend the process and try to get a request in. The
@@ -615,8 +614,8 @@ sys_get_state_h1(Config) ->
 sys_get_state_h2(Config) ->
 	doc("h2: The sys:get_state/1 function works as expected."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	%% Skip the SETTINGS frame.
 	{ok, <<_,_,_,4,_/bits>>} = ssl:recv(Socket, 0, 1000),
 	timer:sleep(100),
@@ -678,8 +677,8 @@ sys_get_status_h1(Config) ->
 sys_get_status_h2(Config) ->
 	doc("h2: The sys:get_status/1 function works as expected."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	%% Skip the SETTINGS frame.
 	{ok, <<_,_,_,4,_/bits>>} = ssl:recv(Socket, 0, 1000),
 	timer:sleep(100),
@@ -740,8 +739,8 @@ sys_replace_state_h1(Config) ->
 sys_replace_state_h2(Config) ->
 	doc("h2: The sys:replace_state/2 function works as expected."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	%% Skip the SETTINGS frame.
 	{ok, <<_,_,_,4,_/bits>>} = ssl:recv(Socket, 0, 1000),
 	timer:sleep(100),
@@ -810,8 +809,8 @@ sys_suspend_and_resume_h1(Config) ->
 sys_suspend_and_resume_h2(Config) ->
 	doc("h2: The sys:suspend/1 and sys:resume/1 functions work as expected."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	do_http2_handshake(Socket),
 	Pid = get_remote_pid_tls(Socket),
 	%% Suspend the process and try to get a request in. The
@@ -890,8 +889,8 @@ sys_terminate_h1(Config) ->
 sys_terminate_h2(Config) ->
 	doc("h2: The sys:terminate/2,3 function works as expected."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	%% Skip the SETTINGS frame.
 	{ok, <<_,_,_,4,_/bits>>} = ssl:recv(Socket, 0, 1000),
 	timer:sleep(100),
@@ -994,8 +993,8 @@ supervisor_count_children_h1(Config) ->
 supervisor_count_children_h2(Config) ->
 	doc("h2: The function supervisor:count_children/1 must work."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	do_http2_handshake(Socket),
 	Pid = get_remote_pid_tls(Socket),
 	%% No request was sent so there's no children.
@@ -1067,8 +1066,8 @@ supervisor_delete_child_not_found_h1(Config) ->
 supervisor_delete_child_not_found_h2(Config) ->
 	doc("h2: The function supervisor:delete_child/2 must return {error, not_found}."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	do_http2_handshake(Socket),
 	Pid = get_remote_pid_tls(Socket),
 	%% When no children exist.
@@ -1127,8 +1126,8 @@ supervisor_get_childspec_not_found_h1(Config) ->
 supervisor_get_childspec_not_found_h2(Config) ->
 	doc("h2: The function supervisor:get_childspec/2 must return {error, not_found}."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	do_http2_handshake(Socket),
 	Pid = get_remote_pid_tls(Socket),
 	%% When no children exist.
@@ -1187,8 +1186,8 @@ supervisor_restart_child_not_found_h1(Config) ->
 supervisor_restart_child_not_found_h2(Config) ->
 	doc("h2: The function supervisor:restart_child/2 must return {error, not_found}."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	do_http2_handshake(Socket),
 	Pid = get_remote_pid_tls(Socket),
 	%% When no children exist.
@@ -1242,8 +1241,8 @@ supervisor_start_child_not_found_h1(Config) ->
 supervisor_start_child_not_found_h2(Config) ->
 	doc("h2: The function supervisor:start_child/2 must return {error, start_child_disabled}."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	do_http2_handshake(Socket),
 	Pid = get_remote_pid_tls(Socket),
 	{error, start_child_disabled} = supervisor:start_child(Pid, #{
@@ -1297,8 +1296,8 @@ supervisor_terminate_child_not_found_h1(Config) ->
 supervisor_terminate_child_not_found_h2(Config) ->
 	doc("h2: The function supervisor:terminate_child/2 must return {error, not_found}."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	do_http2_handshake(Socket),
 	Pid = get_remote_pid_tls(Socket),
 	%% When no children exist.
@@ -1361,8 +1360,8 @@ supervisor_which_children_h1(Config) ->
 supervisor_which_children_h2(Config) ->
 	doc("h2: The function supervisor:which_children/1 must work."),
 	{ok, Socket} = ssl:connect("localhost", config(tls_port, Config),
-		[{active, false}, binary, {versions, ['tlsv1.2']},
-			{alpn_advertised_protocols, [<<"h2">>]}]),
+		[{alpn_advertised_protocols, [<<"h2">>]},
+			{active, false}, binary|config(tls_opts, Config)]),
 	do_http2_handshake(Socket),
 	Pid = get_remote_pid_tls(Socket),
 	%% No request was sent so there's no children.