summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2014-05-06 14:44:21 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2014-05-06 22:40:45 +0100
commit4466248715466b6f251454283642b74de65e9d9a (patch)
tree487f21c1e0aa2c02c8d6ce5a21aa83b1f258ddaa
parent65867078f62db450bd8f91100600f6de559e7590 (diff)
OCSP observability: variables $tls_{in,out}_ocsp
and smtp transport option hosts_request_ocsp
-rw-r--r--doc/doc-txt/ChangeLog4
-rw-r--r--doc/doc-txt/experimental-spec.txt23
-rw-r--r--src/src/expand.c2
-rw-r--r--src/src/globals.c6
-rw-r--r--src/src/globals.h6
-rw-r--r--src/src/smtp_in.c1
-rw-r--r--src/src/spool_in.c3
-rw-r--r--src/src/spool_out.c1
-rw-r--r--src/src/tls-gnu.c63
-rw-r--r--src/src/tls-openssl.c84
-rw-r--r--src/src/transports/smtp.c5
-rw-r--r--src/src/transports/smtp.h1
-rw-r--r--test/confs/56008
-rw-r--r--test/confs/560130
-rw-r--r--test/confs/56508
-rw-r--r--test/confs/565129
-rw-r--r--test/log/56004
-rw-r--r--test/log/560142
-rw-r--r--test/log/56504
-rw-r--r--test/log/565135
-rw-r--r--test/scripts/5600-OCSP-OpenSSL/560116
-rw-r--r--test/scripts/5650-OCSP-GnuTLS/565116
-rw-r--r--test/stderr/54101
-rw-r--r--test/stderr/54201
24 files changed, 292 insertions, 101 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c98528884..ebf2eadb2 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -107,6 +107,10 @@ TL/10 Bugzilla 1454: New -oMm option to pass message reference to Exim.
JH/20 New expansion variables tls_(in,out)_(our,peer)cert, and expansion item
certextract with support for various fields. Bug 1358.
+JH/21 Observability of OCSP via variables tls_(in,out)_ocsp. Stapling
+ is requested by default, modifiable by smtp transport option
+ hosts_request_ocsp;
+
Exim version 4.82
-----------------
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 16738a51f..1ec323433 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -84,14 +84,21 @@ contents are always valid. Exim will expand the "tls_ocsp_file" option
on each connection, so a new file will be handled transparently on the
next connection.
-Exim will check for a valid next update timestamp in the OCSP proof;
-if not present, or if the proof has expired, it will be ignored.
-
-Also, given EXPERIMENTAL_OCSP, the smtp transport gains
-a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling
-is requested and required for the connection to proceed. The host(s)
-should also be in "hosts_require_tls", and "tls_verify_certificates"
-configured for the transport.
+Under OpenSSL Exim will check for a valid next update timestamp in the
+OCSP proof; if not present, or if the proof has expired, it will be
+ignored.
+
+Also, given EXPERIMENTAL_OCSP, the smtp transport gains two options:
+- "hosts_require_ocsp"; a host-list for which an OCSP Stapling
+is requested and required for the connection to proceed. The default
+value is empty.
+- "hosts_request_ocsp"; a host-list for which (additionally) an OCSP
+Stapling is requested (but not necessarily verified). The default
+value is "*" meaning that requests are made unless configured
+otherwise.
+
+The host(s) should also be in "hosts_require_tls", and
+"tls_verify_certificates" configured for the transport.
For the client to be able to verify the stapled OCSP the server must
also supply, in its stapled information, any intermediate
diff --git a/src/src/expand.c b/src/src/expand.c
index 05b714a7f..de911db90 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -671,6 +671,7 @@ static var_entry var_table[] = {
{ "tls_in_bits", vtype_int, &tls_in.bits },
{ "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
{ "tls_in_cipher", vtype_stringptr, &tls_in.cipher },
+ { "tls_in_ocsp", vtype_int, &tls_in.ocsp },
{ "tls_in_ourcert", vtype_cert, &tls_in.ourcert },
{ "tls_in_peercert", vtype_cert, &tls_in.peercert },
{ "tls_in_peerdn", vtype_stringptr, &tls_in.peerdn },
@@ -680,6 +681,7 @@ static var_entry var_table[] = {
{ "tls_out_bits", vtype_int, &tls_out.bits },
{ "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
{ "tls_out_cipher", vtype_stringptr, &tls_out.cipher },
+ { "tls_out_ocsp", vtype_int, &tls_out.ocsp },
{ "tls_out_ourcert", vtype_cert, &tls_out.ourcert },
{ "tls_out_peercert", vtype_cert, &tls_out.peercert },
{ "tls_out_peerdn", vtype_stringptr, &tls_out.peerdn },
diff --git a/src/src/globals.c b/src/src/globals.c
index 7b591e42a..af2903525 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -109,7 +109,8 @@ tls_support tls_in = {
NULL, /* tls_ourcert */
NULL, /* tls_peercert */
NULL, /* tls_peerdn */
- NULL /* tls_sni */
+ NULL, /* tls_sni */
+ 0 /* tls_ocsp */
};
tls_support tls_out = {
-1, /* tls_active */
@@ -121,7 +122,8 @@ tls_support tls_out = {
NULL, /* tls_ourcert */
NULL, /* tls_peercert */
NULL, /* tls_peerdn */
- NULL /* tls_sni */
+ NULL, /* tls_sni */
+ 0 /* tls_ocsp */
};
diff --git a/src/src/globals.h b/src/src/globals.h
index 584d1bd09..9a42fe27e 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -89,6 +89,12 @@ typedef struct {
void *peercert; /* Certificate of peer, binary */
uschar *peerdn; /* DN from peer */
uschar *sni; /* Server Name Indication */
+ enum {
+ OCSP_NOT_REQ=0, /* not requested */
+ OCSP_NOT_RESP, /* no response to request */
+ OCSP_NOT_VFY, /* response not verified */
+ OCSP_VFIED /* verified */
+ } ocsp; /* Stapled OCSP status */
} tls_support;
extern tls_support tls_in;
extern tls_support tls_out;
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 6810d25e3..82a805a21 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1820,6 +1820,7 @@ authenticated_by = NULL;
tls_in.cipher = tls_in.peerdn = NULL;
tls_in.ourcert = tls_in.peercert = NULL;
tls_in.sni = NULL;
+tls_in.ocsp = OCSP_NOT_REQ;
tls_advertised = FALSE;
#endif
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 2006e1b02..ba775bbce 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -289,6 +289,7 @@ tls_in.ourcert = NULL;
tls_in.peercert = NULL;
tls_in.peerdn = NULL;
tls_in.sni = NULL;
+tls_in.ocsp = OCSP_NOT_REQ;
#endif
#ifdef WITH_CONTENT_SCAN
@@ -560,6 +561,8 @@ for (;;)
tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
else if (Ustrncmp(p, "ls_sni", 6) == 0)
tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
+ else if (Ustrncmp(p, "ls_ocsp", 7) == 0)
+ tls_in.ocsp = big_buffer[10] - '0';
break;
#endif
diff --git a/src/src/spool_out.c b/src/src/spool_out.c
index 7bbd42df0..de81786b3 100644
--- a/src/src/spool_out.c
+++ b/src/src/spool_out.c
@@ -242,6 +242,7 @@ if (tls_in.ourcert)
(void) tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert);
fprintf(f, "-tls_ourcert %s\n", CS big_buffer);
}
+if (tls_in.ocsp) fprintf(f, "-tls_ocsp %d\n", tls_in.ocsp);
#endif
/* To complete the envelope, write out the tree of non-recipients, followed by
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index d0e1c35d7..b0b67d820 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -101,6 +101,7 @@ typedef struct exim_gnutls_state {
uschar *exp_tls_verify_certificates;
uschar *exp_tls_crl;
uschar *exp_tls_require_ciphers;
+ uschar *exp_tls_ocsp_file;
tls_support *tlsp; /* set in tls_init() */
@@ -115,7 +116,7 @@ static const exim_gnutls_state_st exim_gnutls_state_init = {
NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL,
NULL, 0, 0, 0, 0,
};
@@ -203,6 +204,10 @@ static void exim_gnutls_logger_cb(int level, const char *message);
static int exim_sni_handling_cb(gnutls_session_t session);
+#ifdef EXPERIMENTAL_OCSP
+static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
+ gnutls_datum_t * ocsp_response);
+#endif
@@ -791,18 +796,18 @@ if ( !host /* server */
&& tls_ocsp_file
)
{
- uschar * expanded;
- int rc;
-
- if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &expanded))
+ if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
+ &state->exp_tls_ocsp_file))
return DEFER;
- /* Lazy way; would like callback to emit debug on actual response */
+ /* Use the full callback method for stapling just to get observability.
+ More efficient would be to read the file once only, if it never changed
+ (due to SNI). Would need restart on file update, or watch datestamp. */
+
+ gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
+ server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
- rc = gnutls_certificate_set_ocsp_status_request_file(state->x509_cred,
- expanded, 0);
- exim_gnutls_err_check(US"gnutls_certificate_set_ocsp_status_request_file");
- DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", expanded);
+ DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file);
}
#endif
@@ -1433,6 +1438,31 @@ return 0;
+#ifdef EXPERIMENTAL_OCSP
+
+static int
+server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
+ gnutls_datum_t * ocsp_response)
+{
+int ret;
+
+tls_in.ocsp = OCSP_NOT_RESP;
+if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
+ {
+ DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
+ (char *)ptr);
+ return GNUTLS_E_NO_CERTIFICATE_STATUS;
+ }
+
+tls_in.ocsp = OCSP_NOT_VFY;
+return 0;
+}
+
+#endif
+
+
+
+
/* ------------------------------------------------------------------------ */
/* Exported functions */
@@ -1526,8 +1556,8 @@ if (!state->tlsp->on_connect)
that the GnuTLS library doesn't. */
gnutls_transport_set_ptr2(state->session,
- (gnutls_transport_ptr)fileno(smtp_in),
- (gnutls_transport_ptr)fileno(smtp_out));
+ (gnutls_transport_ptr)(long) fileno(smtp_in),
+ (gnutls_transport_ptr)(long) fileno(smtp_out));
state->fd_in = fileno(smtp_in);
state->fd_out = fileno(smtp_out);
@@ -1628,6 +1658,9 @@ exim_gnutls_state_st *state = NULL;
#ifdef EXPERIMENTAL_OCSP
BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
NULL, host->name, host->address, NULL) == OK;
+BOOL request_ocsp = require_ocsp ? TRUE
+ : verify_check_this_host(&ob->hosts_request_ocsp,
+ NULL, host->name, host->address, NULL) == OK;
#endif
DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
@@ -1684,17 +1717,18 @@ else
}
#ifdef EXPERIMENTAL_OCSP /* since GnuTLS 3.1.3 */
-if (require_ocsp)
+if (request_ocsp)
{
DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
NULL, 0, NULL)) != OK)
return tls_error(US"cert-status-req",
gnutls_strerror(rc), state->host);
+ tls_out.ocsp = OCSP_NOT_RESP;
}
#endif
-gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)fd);
+gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)(long) fd);
state->fd_in = fd;
state->fd_out = fd;
@@ -1746,6 +1780,7 @@ if (require_ocsp)
if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
return tls_error(US"certificate status check failed", NULL, state->host);
DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
+ tls_out.ocsp = OCSP_VFIED;
}
#endif
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 66fca7dbb..fd257f3c6 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -97,7 +97,8 @@ typedef struct tls_ext_ctx_cb {
OCSP_RESPONSE *response;
} server;
struct {
- X509_STORE *verify_store;
+ X509_STORE *verify_store; /* non-null if status requested */
+ BOOL verify_required;
} client;
} u_ocsp;
#endif
@@ -797,15 +798,18 @@ else
DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.",
cbinfo->u_ocsp.server.response ? "have" : "lack");
+tls_in.ocsp = OCSP_NOT_RESP;
if (!cbinfo->u_ocsp.server.response)
return SSL_TLSEXT_ERR_NOACK;
response_der = NULL;
-response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, &response_der);
+response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
+ &response_der);
if (response_der_len <= 0)
return SSL_TLSEXT_ERR_NOACK;
SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
+tls_in.ocsp = OCSP_VFIED;
return SSL_TLSEXT_ERR_OK;
}
@@ -832,12 +836,15 @@ DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
if(!p)
{
- if (log_extra_selector & LX_tls_cipher)
- log_write(0, LOG_MAIN, "Received TLS status response, null content");
+ /* Expect this when we requested ocsp but got none */
+ if ( cbinfo->u_ocsp.client.verify_required
+ && log_extra_selector & LX_tls_cipher)
+ log_write(0, LOG_MAIN, "Received TLS status callback, null content");
else
DEBUG(D_tls) debug_printf(" null\n");
- return 0; /* This is the fail case for require-ocsp; none from server */
+ return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
}
+tls_out.ocsp = OCSP_NOT_VFY;
if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
{
if (log_extra_selector & LX_tls_cipher)
@@ -878,11 +885,12 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
/* Use the chain that verified the server cert to verify the stapled info */
/* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
- if ((i = OCSP_basic_verify(bs, NULL, cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
+ if ((i = OCSP_basic_verify(bs, NULL,
+ cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
{
BIO_printf(bp, "OCSP response verify failure\n");
ERR_print_errors(bp);
- i = 0;
+ i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
goto out;
}
@@ -894,39 +902,48 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
if (sk_OCSP_SINGLERESP_num(sresp) != 1)
{
- log_write(0, LOG_MAIN, "OCSP stapling with multiple responses not handled");
+ log_write(0, LOG_MAIN, "OCSP stapling "
+ "with multiple responses not handled");
+ i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
goto out;
}
single = OCSP_resp_get0(bs, 0);
- status = OCSP_single_get0_status(single, &reason, &rev, &thisupd, &nextupd);
+ status = OCSP_single_get0_status(single, &reason, &rev,
+ &thisupd, &nextupd);
}
- i = 0;
DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
- if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
+ if (!OCSP_check_validity(thisupd, nextupd,
+ EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
{
DEBUG(D_tls) ERR_print_errors(bp);
log_write(0, LOG_MAIN, "Server OSCP dates invalid");
- goto out;
+ i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
}
-
- DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n", OCSP_cert_status_str(status));
- switch(status)
+ else
{
- case V_OCSP_CERTSTATUS_GOOD:
- i = 1;
- break;
- case V_OCSP_CERTSTATUS_REVOKED:
- log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
- reason != -1 ? "; reason: " : "", reason != -1 ? OCSP_crl_reason_str(reason) : "");
- DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
- i = 0;
- break;
- default:
- log_write(0, LOG_MAIN, "Server certificate status unknown, in OCSP stapling");
- i = 0;
- break;
+ DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
+ OCSP_cert_status_str(status));
+ switch(status)
+ {
+ case V_OCSP_CERTSTATUS_GOOD:
+ i = 1;
+ tls_out.ocsp = OCSP_VFIED;
+ break;
+ case V_OCSP_CERTSTATUS_REVOKED:
+ log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
+ reason != -1 ? "; reason: " : "",
+ reason != -1 ? OCSP_crl_reason_str(reason) : "");
+ DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
+ i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
+ break;
+ default:
+ log_write(0, LOG_MAIN,
+ "Server certificate status unknown, in OCSP stapling");
+ i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
+ break;
+ }
}
out:
BIO_free(bp);
@@ -1497,12 +1514,15 @@ static uschar cipherbuf[256];
#ifdef EXPERIMENTAL_OCSP
BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
NULL, host->name, host->address, NULL) == OK;
+BOOL request_ocsp = require_ocsp ? TRUE
+ : verify_check_this_host(&ob->hosts_request_ocsp,
+ NULL, host->name, host->address, NULL) == OK;
#endif
rc = tls_init(&client_ctx, host, NULL,
ob->tls_certificate, ob->tls_privatekey,
#ifdef EXPERIMENTAL_OCSP
- require_ocsp ? US"" : NULL,
+ (void *)(long)request_ocsp,
#endif
addr, &client_static_cbinfo);
if (rc != OK) return rc;
@@ -1578,8 +1598,12 @@ if (ob->tls_sni)
#ifdef EXPERIMENTAL_OCSP
/* Request certificate status at connection-time. If the server
does OCSP stapling we will get the callback (set in tls_init()) */
-if (require_ocsp)
+if (request_ocsp)
+ {
SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
+ client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
+ tls_out.ocsp = OCSP_NOT_RESP;
+ }
#endif
/* There doesn't seem to be a built-in timeout on connection. */
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 7223f9c89..9089d90c1 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -102,6 +102,10 @@ optionlist smtp_transport_options[] = {
(void *)offsetof(smtp_transport_options_block, hosts_override) },
{ "hosts_randomize", opt_bool,
(void *)offsetof(smtp_transport_options_block, hosts_randomize) },
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_OCSP)
+ { "hosts_request_ocsp", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) },
+#endif
{ "hosts_require_auth", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
#ifdef SUPPORT_TLS
@@ -196,6 +200,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
NULL, /* hosts_try_prdr */
#endif
#ifdef EXPERIMENTAL_OCSP
+ US"*", /* hosts_request_ocsp */
NULL, /* hosts_require_ocsp */
#endif
NULL, /* hosts_require_tls */
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 6912ad83e..900542564 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -25,6 +25,7 @@ typedef struct {
uschar *hosts_try_prdr;
#endif
#ifdef EXPERIMENTAL_OCSP
+ uschar *hosts_request_ocsp;
uschar *hosts_require_ocsp;
#endif
uschar *hosts_require_tls;
diff --git a/test/confs/5600 b/test/confs/5600
index 8b26ee7fa..cd5f3c8e7 100644
--- a/test/confs/5600
+++ b/test/confs/5600
@@ -14,6 +14,8 @@ gecos_name = CALLER_NAME
# ----- Main settings -----
+acl_smtp_connect = check_connect
+acl_smtp_mail = check_mail
acl_smtp_rcpt = check_recipient
log_selector = +tls_peerdn
@@ -37,6 +39,12 @@ tls_ocsp_file = OCSP
begin acl
+check_connect:
+ accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp
+
+check_mail:
+ accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp
+
check_recipient:
deny message = certificate not verified: peerdn=$tls_peerdn
! verify = certificate
diff --git a/test/confs/5601 b/test/confs/5601
index 5172ff279..7eb19f754 100644
--- a/test/confs/5601
+++ b/test/confs/5601
@@ -18,6 +18,8 @@ gecos_name = CALLER_NAME
domainlist local_domains = test.ex : *.test.ex
acl_smtp_rcpt = check_recipient
+acl_smtp_data = check_data
+
log_selector = +tls_peerdn
remote_max_parallel = 1
@@ -47,6 +49,10 @@ check_recipient:
accept domains = +local_domains
deny message = relay not permitted
+check_data:
+ warn condition = ${if def:h_X-TLS-out:}
+ logwrite = client claims: $h_X-TLS-out:
+ accept
# ----- Routers -----
@@ -57,8 +63,9 @@ client:
condition = ${if eq {SERVER}{server}{no}{yes}}
retry_use_local_part
transport = send_to_server${if eq{$local_part}{nostaple}{1} \
- {${if eq{$local_part}{smtps} {3}{2}}} \
- }
+ {${if eq{$local_part}{norequire} {2} \
+ {${if eq{$local_part}{smtps} {4}{3}}} \
+ }}}
server:
driver = redirect
@@ -84,30 +91,41 @@ send_to_server1:
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
-# note no ocsp here
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
send_to_server2:
driver = smtp
allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+
+send_to_server3:
+ driver = smtp
+ allow_localhost
hosts = 127.0.0.1
port = PORT_D
helo_data = helo.data.changed
- #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
hosts_require_ocsp = *
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
-send_to_server3:
+send_to_server4:
driver = smtp
allow_localhost
hosts = 127.0.0.1
port = PORT_D
helo_data = helo.data.changed
- #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
# ----- Retry -----
diff --git a/test/confs/5650 b/test/confs/5650
index 12584c731..3d4a68ef3 100644
--- a/test/confs/5650
+++ b/test/confs/5650
@@ -14,6 +14,8 @@ gecos_name = CALLER_NAME
# ----- Main settings -----
+acl_smtp_connect = check_connect
+acl_smtp_mail = check_mail
acl_smtp_rcpt = check_recipient
log_selector = +tls_peerdn
@@ -38,6 +40,12 @@ tls_ocsp_file = OCSP
begin acl
+check_connect:
+ accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp
+
+check_mail:
+ accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp
+
check_recipient:
accept
diff --git a/test/confs/5651 b/test/confs/5651
index e38043f3e..4a1989f43 100644
--- a/test/confs/5651
+++ b/test/confs/5651
@@ -18,6 +18,8 @@ gecos_name = CALLER_NAME
domainlist local_domains = test.ex : *.test.ex
acl_smtp_rcpt = check_recipient
+acl_smtp_data = check_data
+
log_selector = +tls_peerdn
remote_max_parallel = 1
@@ -44,6 +46,11 @@ check_recipient:
accept domains = +local_domains
deny message = relay not permitted
+check_data:
+ warn condition = ${if def:h_X-TLS-out:}
+ logwrite = client claims: $h_X-TLS-out:
+ accept
+
# ----- Routers -----
@@ -54,8 +61,9 @@ client:
condition = ${if eq {SERVER}{server}{no}{yes}}
retry_use_local_part
transport = send_to_server${if eq{$local_part}{nostaple}{1} \
- {${if eq{$local_part}{smtps} {3}{2}}} \
- }
+ {${if eq{$local_part}{norequire} {2} \
+ {${if eq{$local_part}{smtps} {4}{3}}} \
+ }}}
server:
driver = redirect
@@ -81,11 +89,22 @@ send_to_server1:
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
-# note no ocsp here
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp
send_to_server2:
driver = smtp
allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+
+send_to_server3:
+ driver = smtp
+ allow_localhost
hosts = 127.0.0.1
port = PORT_D
helo_data = helo.data.changed
@@ -93,8 +112,9 @@ send_to_server2:
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
hosts_require_ocsp = *
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp
-send_to_server3:
+send_to_server4:
driver = smtp
allow_localhost
hosts = 127.0.0.1
@@ -105,6 +125,7 @@ send_to_server3:
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp
# ----- Retry -----
diff --git a/test/log/5600 b/test/log/5600
index 869883f06..d0dc7b16e 100644
--- a/test/log/5600
+++ b/test/log/5600
@@ -1,6 +1,10 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 acl_mail: ocsp in status: 3
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
diff --git a/test/log/5601 b/test/log/5601
index 40caa0f88..d3c46eda0 100644
--- a/test/log/5601
+++ b/test/log/5601
@@ -1,32 +1,42 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@test.ex R=client T=send_to_server2 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 Received TLS status response, null content
-1999-03-02 09:44:33 10HmbB-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbC-0005vi-00 Server certificate revoked; reason: superseded
-1999-03-02 09:44:33 10HmbC-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbC-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbD-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content
1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
+1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@server1.example.com
-1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: ocsp status 0
1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com
-1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
-1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 3
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbA-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; not responding
1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
diff --git a/test/log/5650 b/test/log/5650
index 072756d4e..139d3e7b5 100644
--- a/test/log/5650
+++ b/test/log/5650
@@ -1,7 +1,11 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
+1999-03-02 09:44:33 acl_mail: ocsp in status: 2
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
diff --git a/test/log/5651 b/test/log/5651
index a42426a7e..194443aa8 100644
--- a/test/log/5651
+++ b/test/log/5651
@@ -1,28 +1,37 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@test.ex R=client T=send_to_server2 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
-1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbC-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked
-1999-03-02 09:44:33 10HmbC-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
-1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked
+1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
+1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@server1.example.com
-1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com
-1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
-1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: OCSP status 0
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 3
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbA-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason.
diff --git a/test/scripts/5600-OCSP-OpenSSL/5601 b/test/scripts/5600-OCSP-OpenSSL/5601
index b2983eb0d..cf0f68fc7 100644
--- a/test/scripts/5600-OCSP-OpenSSL/5601
+++ b/test/scripts/5600-OCSP-OpenSSL/5601
@@ -1,10 +1,10 @@
# OCSP stapling, client
#
#
-# Client works when we don't demand OCSP stapling
+# Client works when we request but don't require OCSP stapling and none comes
exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
****
-exim nostaple@test.ex
+exim norequire@test.ex
test message.
****
sleep 1
@@ -13,10 +13,18 @@ killdaemon
#
#
#
-# Client accepts good stapled info
+# Client works when we don't request OCSP stapling
exim -bd -oX PORT_D -DSERVER=server \
-DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
****
+exim nostaple@test.ex
+test message.
+****
+#
+#
+#
+#
+# Client accepts good stapled info
exim CALLER@test.ex
test message.
****
@@ -25,7 +33,7 @@ killdaemon
#
#
#
-# Client fails on lack of requested stapled info
+# Client fails on lack of required stapled info
exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
****
exim CALLER@test.ex
diff --git a/test/scripts/5650-OCSP-GnuTLS/5651 b/test/scripts/5650-OCSP-GnuTLS/5651
index f5432be19..5ed784be2 100644
--- a/test/scripts/5650-OCSP-GnuTLS/5651
+++ b/test/scripts/5650-OCSP-GnuTLS/5651
@@ -1,10 +1,10 @@
# OCSP stapling, client
#
#
-# Client works when we don't demand OCSP stapling
+# Client works when we request but don't require OCSP stapling and none comes
exim -bd -oX PORT_D -DSERVER=server -DOCSP=""
****
-exim nostaple@test.ex
+exim norequire@test.ex
test message.
****
sleep 1
@@ -13,10 +13,18 @@ killdaemon
#
#
#
-# Client accepts good stapled info
+# Client works when we don't request OCSP stapling
exim -bd -oX PORT_D -DSERVER=server \
-DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
****
+exim nostaple@test.ex
+test message.
+****
+#
+#
+#
+#
+# Client accepts good stapled info
exim CALLER@test.ex
test message.
****
@@ -25,7 +33,7 @@ killdaemon
#
#
#
-# Client fails on lack of requested stapled info
+# Client fails on lack of required stapled info
exim -bd -oX PORT_D -DSERVER=server -DOCSP=""
****
exim CALLER@test.ex
diff --git a/test/stderr/5410 b/test/stderr/5410
index b84c26492..ddd6dbcc6 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -81,6 +81,7 @@ expanding: ${if eq {$address_data}{userz}{*}{:}}
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
127.0.0.1 in hosts_require_ocsp? no (option unset)
+127.0.0.1 in hosts_request_ocsp? yes (matched "*")
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800
diff --git a/test/stderr/5420 b/test/stderr/5420
index d2fb575b5..9eea77d05 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -81,6 +81,7 @@ expanding: ${if eq {$address_data}{userz}{*}{:}}
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
127.0.0.1 in hosts_require_ocsp? no (option unset)
+127.0.0.1 in hosts_request_ocsp? yes (matched "*")
in tls_verify_hosts? no (option unset)
in tls_try_verify_hosts? no (option unset)
SMTP>> EHLO myhost.test.ex