summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2022-12-15 20:22:01 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2022-12-17 14:09:11 +0000
commit4b98b16dbae9610e439e9d4e60951cbcabd2380d (patch)
tree8b7996132636a7263567d83307eaf47aedf29576
parentfbc9cad45187d2cf1ef2665cc45a41220fd66513 (diff)
Testsuite: quieten timing-dependent testcase
-rw-r--r--test/scripts/2000-GnuTLS/201417
-rw-r--r--test/src/client.c46
-rw-r--r--test/stdout/201414
3 files changed, 47 insertions, 30 deletions
diff --git a/test/scripts/2000-GnuTLS/2014 b/test/scripts/2000-GnuTLS/2014
index 16bcbe4a9..6ecfeccfc 100644
--- a/test/scripts/2000-GnuTLS/2014
+++ b/test/scripts/2000-GnuTLS/2014
@@ -128,8 +128,15 @@ killdaemon
exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
****
### Otherwise good but revoked certificate, certificate required
+# The trace for this test appears in the mainlog
+# - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough
+# then it says that + "Failed to start TLS". But if it's later, it says "Succeeded in starting TLS"
+# and only another command from the client elicits anything from the server (eg "554 Security failure").
+# How can we test this?
+# An option on client to be quiet about tls problems.
+#
# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
-client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
+client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu7.barb
??? 250-
@@ -138,10 +145,12 @@ ehlo rhu7.barb
??? 250-
??? 250-
??? 250
-starttls
+STARTTLS
??? 220
-helo test
-??? 554
+NOP
+??? 554 Security failure
+QUIT
+220
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
diff --git a/test/src/client.c b/test/src/client.c
index 250f7af8b..2544ec84a 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -137,6 +137,7 @@ static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
#ifdef HAVE_TLS
char * ocsp_stapling = NULL;
char * pri_string = NULL;
+int tls_quiet = 0;
#endif
@@ -739,7 +740,7 @@ nextinput:
srv->tls_active = rc >= 0;
alarm(0);
- if (!srv->tls_active) printf("%s\n", gnutls_strerror(rc));
+ if (!srv->tls_active && !tls_quiet) printf("gnutls_handshake: %s\n", gnutls_strerror(rc));
/* look for an error on the TLS conn */
FD_ZERO(&rfd);
@@ -754,7 +755,7 @@ nextinput:
DEBUG { printf("gnutls_record_recv: %s\n", gnutls_strerror(rc)); fflush(stdout); }
if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN)
goto retry2;
- printf("%s\n", gnutls_strerror(rc));
+ if (!tls_quiet) printf("gnutls_record_recv: %s\n", gnutls_strerror(rc));
srv->tls_active = FALSE;
}
DEBUG { printf("gnutls_record_recv: %d\n", rc); fflush(stdout); }
@@ -762,15 +763,16 @@ nextinput:
}
# endif /*HAVE_GNUTLS*/
- if (!srv->tls_active)
- {
- printf("Failed to start TLS\n");
- fflush(stdout);
- }
+ if (!tls_quiet)
+ if (!srv->tls_active)
+ {
+ printf("Failed to start TLS\n");
+ fflush(stdout);
+ }
# ifdef HAVE_OPENSSL
- else if (ocsp_stapling)
- printf("Succeeded in starting TLS (with OCSP)\n");
+ else if (ocsp_stapling)
+ printf("Succeeded in starting TLS (with OCSP)\n");
# endif
# ifdef HAVE_GNUTLS
@@ -965,6 +967,7 @@ Usage: client\n"
#ifdef HAVE_TLS
"\
[-tls-on-connect]\n\
+ [-tls-quiet]\n\
[-ocsp]\n"
# ifdef HAVE_GNUTLS
"\
@@ -1020,12 +1023,17 @@ while (argc >= argi + 1 && argv[argi][0] == '-')
puts(HELP_MESSAGE);
exit(0);
}
+#ifdef HAVE_TLS
if (strcmp(argv[argi], "-tls-on-connect") == 0)
{
tls_on_connect = 1;
argi++;
}
-#ifdef HAVE_TLS
+ else if (strcmp(argv[argi], "-tls-quiet") == 0)
+ {
+ tls_quiet = 1;
+ argi++;
+ }
else if (strcmp(argv[argi], "-ocsp") == 0)
{
if (argc < ++argi + 1)
@@ -1045,8 +1053,7 @@ while (argc >= argi + 1 && argv[argi][0] == '-')
}
pri_string = argv[argi++];
}
-#endif
-
+# endif
#endif
else if (argv[argi][1] == 't' && isdigit(argv[argi][2]))
{
@@ -1346,15 +1353,16 @@ if (tls_on_connect)
}
#endif
- if (!srv.tls_active)
- printf("Failed to start TLS\n");
+ if (!tls_quiet)
+ if (!srv.tls_active)
+ printf("Failed to start TLS\n");
#if defined(HAVE_GNUTLS) && defined(HAVE_GNUTLS_OCSP)
- else if ( ocsp_stapling
- && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
- printf("Failed to verify certificate status\n");
+ else if ( ocsp_stapling
+ && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
+ printf("Failed to verify certificate status\n");
#endif
- else
- printf("Succeeded in starting TLS%s\n", ocsp_stapling ? " (with OCSP)":"");
+ else
+ printf("Succeeded in starting TLS%s\n", ocsp_stapling ? " (with OCSP)":"");
}
#endif
diff --git a/test/stdout/2014 b/test/stdout/2014
index 4eddd724c..edd498aa8 100644
--- a/test/stdout/2014
+++ b/test/stdout/2014
@@ -19,7 +19,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-A TLS fatal alert has been received.
+gnutls_record_recv: A TLS fatal alert has been received.
Failed to start TLS
>>> nop
????554
@@ -156,7 +156,7 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-A TLS fatal alert has been received.
+gnutls_record_recv: A TLS fatal alert has been received.
Failed to start TLS
>>> nop
????554
@@ -217,15 +217,15 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c
<<< 250-STARTTLS
??? 250
<<< 250 HELP
->>> starttls
+>>> STARTTLS
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-A TLS fatal alert has been received.
-Failed to start TLS
->>> helo test
-??? 554
+>>> NOP
+??? 554 Security failure
<<< 554 Security failure
+>>> QUIT
+>>> 220
End of script
### Revoked certificate, certificate optional at TLS time, reject at ACL time
Connecting to 127.0.0.1 port 1225 ... connected