diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2022-12-15 20:22:01 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2022-12-17 14:09:11 +0000 |
commit | 4b98b16dbae9610e439e9d4e60951cbcabd2380d (patch) | |
tree | 8b7996132636a7263567d83307eaf47aedf29576 | |
parent | fbc9cad45187d2cf1ef2665cc45a41220fd66513 (diff) |
Testsuite: quieten timing-dependent testcase
-rw-r--r-- | test/scripts/2000-GnuTLS/2014 | 17 | ||||
-rw-r--r-- | test/src/client.c | 46 | ||||
-rw-r--r-- | test/stdout/2014 | 14 |
3 files changed, 47 insertions, 30 deletions
diff --git a/test/scripts/2000-GnuTLS/2014 b/test/scripts/2000-GnuTLS/2014 index 16bcbe4a9..6ecfeccfc 100644 --- a/test/scripts/2000-GnuTLS/2014 +++ b/test/scripts/2000-GnuTLS/2014 @@ -128,8 +128,15 @@ killdaemon exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D **** ### Otherwise good but revoked certificate, certificate required +# The trace for this test appears in the mainlog +# - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough +# then it says that + "Failed to start TLS". But if it's later, it says "Succeeded in starting TLS" +# and only another command from the client elicits anything from the server (eg "554 Security failure"). +# How can we test this? +# An option on client to be quiet about tls problems. +# # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL -client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key +client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key ??? 220 ehlo rhu7.barb ??? 250- @@ -138,10 +145,12 @@ ehlo rhu7.barb ??? 250- ??? 250- ??? 250 -starttls +STARTTLS ??? 220 -helo test -??? 554 +NOP +??? 554 Security failure +QUIT +220 **** ### Revoked certificate, certificate optional at TLS time, reject at ACL time client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key diff --git a/test/src/client.c b/test/src/client.c index 250f7af8b..2544ec84a 100644 --- a/test/src/client.c +++ b/test/src/client.c @@ -137,6 +137,7 @@ static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 }; #ifdef HAVE_TLS char * ocsp_stapling = NULL; char * pri_string = NULL; +int tls_quiet = 0; #endif @@ -739,7 +740,7 @@ nextinput: srv->tls_active = rc >= 0; alarm(0); - if (!srv->tls_active) printf("%s\n", gnutls_strerror(rc)); + if (!srv->tls_active && !tls_quiet) printf("gnutls_handshake: %s\n", gnutls_strerror(rc)); /* look for an error on the TLS conn */ FD_ZERO(&rfd); @@ -754,7 +755,7 @@ nextinput: DEBUG { printf("gnutls_record_recv: %s\n", gnutls_strerror(rc)); fflush(stdout); } if (rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN) goto retry2; - printf("%s\n", gnutls_strerror(rc)); + if (!tls_quiet) printf("gnutls_record_recv: %s\n", gnutls_strerror(rc)); srv->tls_active = FALSE; } DEBUG { printf("gnutls_record_recv: %d\n", rc); fflush(stdout); } @@ -762,15 +763,16 @@ nextinput: } # endif /*HAVE_GNUTLS*/ - if (!srv->tls_active) - { - printf("Failed to start TLS\n"); - fflush(stdout); - } + if (!tls_quiet) + if (!srv->tls_active) + { + printf("Failed to start TLS\n"); + fflush(stdout); + } # ifdef HAVE_OPENSSL - else if (ocsp_stapling) - printf("Succeeded in starting TLS (with OCSP)\n"); + else if (ocsp_stapling) + printf("Succeeded in starting TLS (with OCSP)\n"); # endif # ifdef HAVE_GNUTLS @@ -965,6 +967,7 @@ Usage: client\n" #ifdef HAVE_TLS "\ [-tls-on-connect]\n\ + [-tls-quiet]\n\ [-ocsp]\n" # ifdef HAVE_GNUTLS "\ @@ -1020,12 +1023,17 @@ while (argc >= argi + 1 && argv[argi][0] == '-') puts(HELP_MESSAGE); exit(0); } +#ifdef HAVE_TLS if (strcmp(argv[argi], "-tls-on-connect") == 0) { tls_on_connect = 1; argi++; } -#ifdef HAVE_TLS + else if (strcmp(argv[argi], "-tls-quiet") == 0) + { + tls_quiet = 1; + argi++; + } else if (strcmp(argv[argi], "-ocsp") == 0) { if (argc < ++argi + 1) @@ -1045,8 +1053,7 @@ while (argc >= argi + 1 && argv[argi][0] == '-') } pri_string = argv[argi++]; } -#endif - +# endif #endif else if (argv[argi][1] == 't' && isdigit(argv[argi][2])) { @@ -1346,15 +1353,16 @@ if (tls_on_connect) } #endif - if (!srv.tls_active) - printf("Failed to start TLS\n"); + if (!tls_quiet) + if (!srv.tls_active) + printf("Failed to start TLS\n"); #if defined(HAVE_GNUTLS) && defined(HAVE_GNUTLS_OCSP) - else if ( ocsp_stapling - && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0) - printf("Failed to verify certificate status\n"); + else if ( ocsp_stapling + && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0) + printf("Failed to verify certificate status\n"); #endif - else - printf("Succeeded in starting TLS%s\n", ocsp_stapling ? " (with OCSP)":""); + else + printf("Succeeded in starting TLS%s\n", ocsp_stapling ? " (with OCSP)":""); } #endif diff --git a/test/stdout/2014 b/test/stdout/2014 index 4eddd724c..edd498aa8 100644 --- a/test/stdout/2014 +++ b/test/stdout/2014 @@ -19,7 +19,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected ??? 220 <<< 220 TLS go ahead Attempting to start TLS -A TLS fatal alert has been received. +gnutls_record_recv: A TLS fatal alert has been received. Failed to start TLS >>> nop ????554 @@ -156,7 +156,7 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net ??? 220 <<< 220 TLS go ahead Attempting to start TLS -A TLS fatal alert has been received. +gnutls_record_recv: A TLS fatal alert has been received. Failed to start TLS >>> nop ????554 @@ -217,15 +217,15 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c <<< 250-STARTTLS ??? 250 <<< 250 HELP ->>> starttls +>>> STARTTLS ??? 220 <<< 220 TLS go ahead Attempting to start TLS -A TLS fatal alert has been received. -Failed to start TLS ->>> helo test -??? 554 +>>> NOP +??? 554 Security failure <<< 554 Security failure +>>> QUIT +>>> 220 End of script ### Revoked certificate, certificate optional at TLS time, reject at ACL time Connecting to 127.0.0.1 port 1225 ... connected |