diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-05-07 20:46:49 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-05-09 21:36:27 +0100 |
commit | 018058b21d17a988ed29cf31a7002da74b599d1a (patch) | |
tree | 13529249a6547ea48029f5fb2f183bce7e6b5ff3 | |
parent | 80c974f8633781c6f10a196ed33e6cdce605bcd4 (diff) |
Make $tls_out_ocsp visible to TPDA (mostly testsuite)
-rw-r--r-- | src/src/deliver.c | 32 | ||||
-rw-r--r-- | src/src/globals.c | 1 | ||||
-rw-r--r-- | src/src/globals.h | 3 | ||||
-rw-r--r-- | src/src/structs.h | 1 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 7 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 36 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 7 | ||||
-rw-r--r-- | test/confs/5600 | 8 | ||||
-rw-r--r-- | test/confs/5601 | 16 | ||||
-rw-r--r-- | test/confs/5608 | 157 | ||||
-rw-r--r-- | test/confs/5650 | 8 | ||||
-rw-r--r-- | test/confs/5651 | 16 | ||||
-rw-r--r-- | test/confs/5658 | 161 | ||||
-rw-r--r-- | test/log/5600 | 8 | ||||
-rw-r--r-- | test/log/5601 | 6 | ||||
-rw-r--r-- | test/log/5608 | 66 | ||||
-rw-r--r-- | test/log/5650 | 8 | ||||
-rw-r--r-- | test/log/5651 | 6 | ||||
-rw-r--r-- | test/log/5658 | 57 | ||||
-rw-r--r-- | test/scripts/5608-OCSP-OpenSSL-TPDA/5608 | 82 | ||||
-rw-r--r-- | test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES | 4 | ||||
-rw-r--r-- | test/scripts/5658-OCSP-GnuTLS-TPDA/5658 | 82 | ||||
-rw-r--r-- | test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES | 4 |
23 files changed, 727 insertions, 49 deletions
diff --git a/src/src/deliver.c b/src/src/deliver.c index fff0e2fd0..dd7f888fb 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -718,6 +718,7 @@ uschar *s; /* building log lines; */ void *reset_point; /* released afterwards. */ +DEBUG(D_deliver) debug_printf("B cipher %s\n", addr->cipher); /* Log the delivery on the main log. We use an extensible string to build up the log line, and reset the store afterwards. Remote deliveries should always have a pointer to the host item that succeeded; local deliveries can have a @@ -734,6 +735,7 @@ pointer to a single host item in their host list, for use by the transport. */ s = reset_point = store_get(size); +DEBUG(D_deliver) debug_printf("C cipher %s\n", addr->cipher); log_address = string_log_address(addr, (log_write_selector & L_all_parents) != 0, TRUE); if (msg) s = string_append(s, &size, &ptr, 3, host_and_ident(TRUE), US" ", log_address); @@ -876,6 +878,7 @@ if (addr->transport->tpda_delivery_action) DEBUG(D_deliver) debug_printf(" TPDA(Delivery): tpda_deliver_action=|%s| tpda_delivery_IP=%s\n", addr->transport->tpda_delivery_action, tpda_delivery_ip); +DEBUG(D_deliver) debug_printf("D cipher %s\n", addr->cipher); router_name = addr->router->name; transport_name = addr->transport->name; @@ -1088,6 +1091,11 @@ if (result == OK) addr->ourcert = NULL; tls_out.peercert = addr->peercert; addr->peercert = NULL; + +DEBUG(D_deliver) debug_printf("A cipher %s\n", addr->cipher); + tls_out.cipher = addr->cipher; + tls_out.peerdn = addr->peerdn; + tls_out.ocsp = addr->ocsp; #endif delivery_log(LOG_MAIN, addr, logchar, NULL); @@ -1103,6 +1111,9 @@ if (result == OK) tls_free_cert(tls_out.peercert); tls_out.peercert = NULL; } + tls_out.cipher = NULL; + tls_out.peerdn = NULL; + tls_out.ocsp = OCSP_NOT_REQ; #endif } @@ -2987,9 +2998,7 @@ while (!done) addr->cipher = string_copy(ptr); while (*ptr++); if (*ptr) - { addr->peerdn = string_copy(ptr); - } break; case '2': @@ -3003,6 +3012,14 @@ while (!done) if (*ptr) (void) tls_import_cert(ptr, &addr->ourcert); break; + + #ifdef EXPERIMENTAL_OCSP + case '4': + addr->ocsp = OCSP_NOT_REQ; + if (*ptr) + addr->ocsp = *ptr - '0'; + break; + #endif } while (*ptr++); break; @@ -4132,7 +4149,16 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) *ptr++ = 0; rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); } - #endif + # ifdef EXPERIMENTAL_OCSP + if (addr->ocsp > OCSP_NOT_REQ) + { + ptr = big_buffer; + sprintf(CS ptr, "X4%c", addr->ocsp + '0'); + while(*ptr++); + rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); + } + # endif + #endif /*SUPPORT_TLS if (client_authenticator) { diff --git a/src/src/globals.c b/src/src/globals.c index af2903525..a2cc50313 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -341,6 +341,7 @@ address_item address_defaults = { NULL, /* ourcert */ NULL, /* peercert */ NULL, /* peerdn */ + OCSP_NOT_REQ, /* ocsp */ #endif NULL, /* authenticator */ NULL, /* auth_id */ diff --git a/src/src/globals.h b/src/src/globals.h index 9a42fe27e..8b55321f9 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -92,7 +92,8 @@ typedef struct { enum { OCSP_NOT_REQ=0, /* not requested */ OCSP_NOT_RESP, /* no response to request */ - OCSP_NOT_VFY, /* response not verified */ + OCSP_VFY_NOT_TRIED, /* response not verified */ + OCSP_FAILED, /* verify failed */ OCSP_VFIED /* verified */ } ocsp; /* Stapled OCSP status */ } tls_support; diff --git a/src/src/structs.h b/src/src/structs.h index a6c78f4fc..aba579f89 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -543,6 +543,7 @@ typedef struct address_item { void *ourcert; /* Certificate offered to peer, binary */ void *peercert; /* Certificate from peer, binary */ uschar *peerdn; /* DN of server's certificate */ + int ocsp; /* OCSP status of peer cert */ #endif uschar *authenticator; /* auth driver name used by transport */ diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index b0b67d820..3c926c0d4 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -1446,15 +1446,15 @@ server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, { int ret; -tls_in.ocsp = OCSP_NOT_RESP; if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0) { DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n", (char *)ptr); + tls_in.ocsp = OCSP_NOT_RESP; return GNUTLS_E_NO_CERTIFICATE_STATUS; } -tls_in.ocsp = OCSP_NOT_VFY; +tls_in.ocsp = OCSP_VFY_NOT_TRIED; return 0; } @@ -1778,7 +1778,10 @@ if (require_ocsp) } if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0) + { + tls_out.ocsp = OCSP_FAILED; return tls_error(US"certificate status check failed", NULL, state->host); + } DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); tls_out.ocsp = OCSP_VFIED; } diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index fd257f3c6..16612d300 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -572,21 +572,21 @@ if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX } supply_response: -cbinfo->u_ocsp.server.response = resp; + cbinfo->u_ocsp.server.response = resp; return; bad: -if (running_in_test_harness) - { - extern char ** environ; - uschar ** p; - for (p = USS environ; *p != NULL; p++) - if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0) - { - DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n"); - goto supply_response; - } - } + if (running_in_test_harness) + { + extern char ** environ; + uschar ** p; + for (p = USS environ; *p != NULL; p++) + if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0) + { + DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n"); + goto supply_response; + } + } return; } #endif /*EXPERIMENTAL_OCSP*/ @@ -844,9 +844,10 @@ if(!p) DEBUG(D_tls) debug_printf(" null\n"); return cbinfo->u_ocsp.client.verify_required ? 0 : 1; } -tls_out.ocsp = OCSP_NOT_VFY; + if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len))) { + tls_out.ocsp = OCSP_FAILED; if (log_extra_selector & LX_tls_cipher) log_write(0, LOG_MAIN, "Received TLS status response, parse error"); else @@ -856,6 +857,7 @@ if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len))) if(!(bs = OCSP_response_get1_basic(rsp))) { + tls_out.ocsp = OCSP_FAILED; if (log_extra_selector & LX_tls_cipher) log_write(0, LOG_MAIN, "Received TLS status response, error parsing response"); else @@ -867,7 +869,6 @@ if(!(bs = OCSP_response_get1_basic(rsp))) /* We'd check the nonce here if we'd put one in the request. */ /* However that would defeat cacheability on the server so we don't. */ - /* This section of code reworked from OpenSSL apps source; The OpenSSL Project retains copyright: Copyright (c) 1999 The OpenSSL Project. All rights reserved. @@ -888,6 +889,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) if ((i = OCSP_basic_verify(bs, NULL, cbinfo->u_ocsp.client.verify_store, 0)) <= 0) { + tls_out.ocsp = OCSP_FAILED; BIO_printf(bp, "OCSP response verify failure\n"); ERR_print_errors(bp); i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; @@ -902,6 +904,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) if (sk_OCSP_SINGLERESP_num(sresp) != 1) { + tls_out.ocsp = OCSP_FAILED; log_write(0, LOG_MAIN, "OCSP stapling " "with multiple responses not handled"); i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; @@ -917,6 +920,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE)) { + tls_out.ocsp = OCSP_FAILED; DEBUG(D_tls) ERR_print_errors(bp); log_write(0, LOG_MAIN, "Server OSCP dates invalid"); i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; @@ -928,10 +932,11 @@ if(!(bs = OCSP_response_get1_basic(rsp))) switch(status) { case V_OCSP_CERTSTATUS_GOOD: - i = 1; tls_out.ocsp = OCSP_VFIED; + i = 1; break; case V_OCSP_CERTSTATUS_REVOKED: + tls_out.ocsp = OCSP_FAILED; log_write(0, LOG_MAIN, "Server certificate revoked%s%s", reason != -1 ? "; reason: " : "", reason != -1 ? OCSP_crl_reason_str(reason) : ""); @@ -939,6 +944,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; break; default: + tls_out.ocsp = OCSP_FAILED; log_write(0, LOG_MAIN, "Server certificate status unknown, in OCSP stapling"); i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 9089d90c1..1232965b9 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -1232,6 +1232,7 @@ tls_out.peerdn = NULL; #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) tls_out.sni = NULL; #endif +tls_out.ocsp = OCSP_NOT_REQ; /* Flip the legacy TLS-related variables over to the outbound set in case they're used in the context of the transport. Don't bother resetting @@ -1242,8 +1243,8 @@ tls_modify_variables(&tls_out); #ifndef SUPPORT_TLS if (smtps) { - set_errno(addrlist, 0, US"TLS support not available", DEFER, FALSE); - return ERROR; + set_errno(addrlist, 0, US"TLS support not available", DEFER, FALSE); + return ERROR; } #endif @@ -1475,6 +1476,7 @@ if (tls_offered && !suppress_tls && addr->ourcert = tls_out.ourcert; addr->peercert = tls_out.peercert; addr->peerdn = tls_out.peerdn; + addr->ocsp = tls_out.ocsp; } } } @@ -2514,6 +2516,7 @@ for (addr = addrlist; addr != NULL; addr = addr->next) addr->ourcert = NULL; addr->peercert = NULL; addr->peerdn = NULL; + addr->ocsp = OCSP_NOT_REQ; #endif } return first_addr; diff --git a/test/confs/5600 b/test/confs/5600 index cd5f3c8e7..018ee3a78 100644 --- a/test/confs/5600 +++ b/test/confs/5600 @@ -40,10 +40,14 @@ tls_ocsp_file = OCSP begin acl check_connect: - accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp + accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) check_mail: - accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) check_recipient: deny message = certificate not verified: peerdn=$tls_peerdn diff --git a/test/confs/5601 b/test/confs/5601 index 7eb19f754..3e97fcbea 100644 --- a/test/confs/5601 +++ b/test/confs/5601 @@ -92,7 +92,9 @@ send_to_server1: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_request_ocsp = : - headers_add = X-TLS-out: ocsp status $tls_out_ocsp + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server2: driver = smtp @@ -102,7 +104,9 @@ send_to_server2: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * # note no ocsp mention here - headers_add = X-TLS-out: ocsp status $tls_out_ocsp + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server3: driver = smtp @@ -113,7 +117,9 @@ send_to_server3: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_require_ocsp = * - headers_add = X-TLS-out: ocsp status $tls_out_ocsp + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server4: driver = smtp @@ -125,7 +131,9 @@ send_to_server4: protocol = smtps hosts_require_tls = * hosts_require_ocsp = * - headers_add = X-TLS-out: ocsp status $tls_out_ocsp + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) # ----- Retry ----- diff --git a/test/confs/5608 b/test/confs/5608 new file mode 100644 index 000000000..55d9a2015 --- /dev/null +++ b/test/confs/5608 @@ -0,0 +1,157 @@ +# Exim test configuration 5601 +# OCSP stapling, client, tpda + +SERVER = + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = server1.example.com +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + + +# ----- Main settings ----- + +domainlist local_domains = test.ex : *.test.ex + +acl_smtp_rcpt = check_recipient +acl_smtp_data = check_data + +log_selector = +tls_peerdn +remote_max_parallel = 1 + +tls_advertise_hosts = * + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\ +fail\ +} + +#{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\ + +tls_privatekey = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\ +fail} + +tls_ocsp_file = OCSP + + +# ------ ACL ------ + +begin acl + +check_recipient: + accept domains = +local_domains + deny message = relay not permitted + +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept + +logger: + warn logwrite = client ocsp status: $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + accept + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = send_to_server${if eq{$local_part}{nostaple}{1} \ + {${if eq{$local_part}{norequire} {2} \ + {${if eq{$local_part}{smtps} {4}{3}}} \ + }}} + +server: + driver = redirect + data = :blackhole: + #retry_use_local_part + #transport = local_delivery + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# nostaple: deliberately do not request cert-status +send_to_server1: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_request_ocsp = : + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +# norequire: request stapling but do not verify +send_to_server2: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +# (any other name): request and verify +send_to_server3: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +# (any other name): request and verify, ssl-on-connect +send_to_server4: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + protocol = smtps + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + + +# ----- Retry ----- + + +begin retry + +* * F,5d,1s + + +# End diff --git a/test/confs/5650 b/test/confs/5650 index 3d4a68ef3..2b8960366 100644 --- a/test/confs/5650 +++ b/test/confs/5650 @@ -41,10 +41,14 @@ tls_ocsp_file = OCSP begin acl check_connect: - accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp + accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) check_mail: - accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) check_recipient: accept diff --git a/test/confs/5651 b/test/confs/5651 index 4a1989f43..6b70d33b2 100644 --- a/test/confs/5651 +++ b/test/confs/5651 @@ -90,7 +90,9 @@ send_to_server1: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_request_ocsp = : - headers_add = X-TLS-out: OCSP status $tls_out_ocsp + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server2: driver = smtp @@ -100,7 +102,9 @@ send_to_server2: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * # note no ocsp mention here - headers_add = X-TLS-out: OCSP status $tls_out_ocsp + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server3: driver = smtp @@ -112,7 +116,9 @@ send_to_server3: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_require_ocsp = * - headers_add = X-TLS-out: OCSP status $tls_out_ocsp + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server4: driver = smtp @@ -125,7 +131,9 @@ send_to_server4: protocol = smtps hosts_require_tls = * hosts_require_ocsp = * - headers_add = X-TLS-out: OCSP status $tls_out_ocsp + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) # ----- Retry ----- diff --git a/test/confs/5658 b/test/confs/5658 new file mode 100644 index 000000000..e8f2494f6 --- /dev/null +++ b/test/confs/5658 @@ -0,0 +1,161 @@ +# Exim test configuration 5658 +# OCSP stapling, client, tpda + +SERVER = + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = server1.example.com +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + + +# ----- Main settings ----- + +domainlist local_domains = test.ex : *.test.ex + +acl_smtp_rcpt = check_recipient +acl_smtp_data = check_data + +log_selector = +tls_peerdn +remote_max_parallel = 1 + +tls_advertise_hosts = * + +# Set certificate only if server +tls_certificate = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\ +fail\ +} +tls_privatekey = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\ +fail} + +# from cmdline define +tls_ocsp_file = OCSP + + +# ------ ACL ------ + +begin acl + +check_recipient: + accept domains = +local_domains + deny message = relay not permitted + +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept + +logger: + warn logwrite = client ocsp status: $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + accept + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = send_to_server${if eq{$local_part}{nostaple}{1} \ + {${if eq{$local_part}{norequire} {2} \ + {${if eq{$local_part}{smtps} {4}{3}}} \ + }}} + +server: + driver = redirect + data = :blackhole: + #retry_use_local_part + #transport = local_delivery + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +send_to_server1: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_request_ocsp = : + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +send_to_server2: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +send_to_server3: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +send_to_server4: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + protocol = smtps + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + + +# ----- Retry ----- + + +begin retry + +* * F,5d,1s + + +# End diff --git a/test/log/5600 b/test/log/5600 index d0dc7b16e..f2a469d8b 100644 --- a/test/log/5600 +++ b/test/log/5600 @@ -1,10 +1,10 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 acl_conn: ocsp in status: 0 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding -1999-03-02 09:44:33 acl_mail: ocsp in status: 3 +1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified) 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 acl_conn: ocsp in status: 0 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 acl_conn: ocsp in status: 0 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding diff --git a/test/log/5601 b/test/log/5601 index d3c46eda0..1276861fc 100644 --- a/test/log/5601 +++ b/test/log/5601 @@ -23,17 +23,17 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding -1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 (notresp) 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: ocsp status 0 +1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: ocsp status 0 (notreq) 1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: <nostaple@test.ex> R=server 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed -1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 3 +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 (verified) 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbA-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@test.ex> R=server 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed diff --git a/test/log/5608 b/test/log/5608 new file mode 100644 index 000000000..2c0c98016 --- /dev/null +++ b/test/log/5608 @@ -0,0 +1,66 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 4 (verified) +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbA-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 client ocsp status: 0 (notreq) +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 4 (verified) +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbF-0005vi-00 Received TLS status callback, null content +1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>> +1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbG-0005vi-00 Server certificate revoked; reason: superseded +1999-03-02 09:44:33 10HmbG-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>> +1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 3 (failed) +1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbH-0005vi-00 Server OSCP dates invalid +1999-03-02 09:44:33 10HmbH-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>> +1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed) +1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 +1999-03-02 09:44:33 10HmbD-0005vi-00 client claims: ocsp status 0 +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <norequire@test.ex> R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbA-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbD-0005vi-00 => :blackhole: <nostaple@test.ex> R=server +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed +1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding +1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: ocsp status 4 +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbB-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <good@test.ex> R=server +1999-03-02 09:44:33 10HmbE-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; not responding +1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding +1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding +1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) diff --git a/test/log/5650 b/test/log/5650 index 139d3e7b5..6bb550248 100644 --- a/test/log/5650 +++ b/test/log/5650 @@ -1,11 +1,11 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 acl_conn: ocsp in status: 0 -1999-03-02 09:44:33 acl_mail: ocsp in status: 2 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) +1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone) 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 acl_conn: ocsp in status: 0 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated. 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 acl_conn: ocsp in status: 0 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated. 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. diff --git a/test/log/5651 b/test/log/5651 index 194443aa8..d3a2775b8 100644 --- a/test/log/5651 +++ b/test/log/5651 @@ -19,16 +19,16 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp) 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: OCSP status 0 +1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: OCSP status 0 (notreq) 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: <nostaple@test.ex> R=server 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed -1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 3 +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 4 (verified) 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbA-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@test.ex> R=server 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed diff --git a/test/log/5658 b/test/log/5658 new file mode 100644 index 000000000..3479b6691 --- /dev/null +++ b/test/log/5658 @@ -0,0 +1,57 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbA-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 client ocsp status: 0 (notreq) +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 4 (verified) +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed) +1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 3 (failed) +1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbG-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked +1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbH-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed) +1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed) +1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <norequire@test.ex> R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 client claims: OCSP status 0 (notreq) +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbA-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbD-0005vi-00 => :blackhole: <nostaple@test.ex> R=server +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed +1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: OCSP status 4 (verified) +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbB-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <good@test.ex> R=server +1999-03-02 09:44:33 10HmbE-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated. +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): A TLS fatal alert has been received.: Certificate is bad +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated. +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. diff --git a/test/scripts/5608-OCSP-OpenSSL-TPDA/5608 b/test/scripts/5608-OCSP-OpenSSL-TPDA/5608 new file mode 100644 index 000000000..409b48b1b --- /dev/null +++ b/test/scripts/5608-OCSP-OpenSSL-TPDA/5608 @@ -0,0 +1,82 @@ +# OCSP stapling, client, tpda +# duplicate of 5601 +# +# +# Client works when we request but don't require OCSP stapling and none comes +exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null +**** +exim norequire@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# +# Client works when we request but don't require OCSP stapling and some arrives +exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp +**** +exim norequire@test.ex +test message. +**** +# +# +# +# +# Client works when we don't request OCSP stapling +exim nostaple@test.ex +test message. +**** +# +# +# +# +# Client accepts good stapled info +exim good@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# Client fails on lack of required stapled info +exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null +**** +exim failrequire@test.ex +test message. +**** +sleep 1 +killdaemon +no_msglog_check +# +# +# +# Client fails on revoked stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp +**** +exim failrevoked@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# +# Client fails on expired stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp +**** +exim failexpired@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# diff --git a/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES b/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES new file mode 100644 index 000000000..77fbd5bba --- /dev/null +++ b/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES @@ -0,0 +1,4 @@ +support OpenSSL +support Experimental_OCSP +support Experimental_TPDA +running IPv4 diff --git a/test/scripts/5658-OCSP-GnuTLS-TPDA/5658 b/test/scripts/5658-OCSP-GnuTLS-TPDA/5658 new file mode 100644 index 000000000..2e3028bb3 --- /dev/null +++ b/test/scripts/5658-OCSP-GnuTLS-TPDA/5658 @@ -0,0 +1,82 @@ +# OCSP stapling, client, tpda +# duplicate of 5651 +# +# +# Client works when we request but don't require OCSP stapling and none comes +exim -bd -oX PORT_D -DSERVER=server -DOCSP="" +**** +exim norequire@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# +# Client works when we request but don't require OCSP stapling and some arrives +exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp +**** +exim norequire@test.ex +test message. +**** +# +# +# +# +# Client works when we don't request OCSP stapling +exim nostaple@test.ex +test message. +**** +# +# +# +# +# Client accepts good stapled info +exim good@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# Client fails on lack of required stapled info +exim -bd -oX PORT_D -DSERVER=server -DOCSP="" +**** +exim failrequire@test.ex +test message. +**** +sleep 1 +killdaemon +no_msglog_check +# +# +# +# Client fails on revoked stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp +**** +exim failrevoked@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# +# Client fails on expired stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp +**** +exim failexpired@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# diff --git a/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES b/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES new file mode 100644 index 000000000..2650bd997 --- /dev/null +++ b/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES @@ -0,0 +1,4 @@ +support GnuTLS +support Experimental_OCSP +support Experimental_TPDA +running IPv4 |