diff options
author | Phil Pennock <pdp@exim.org> | 2018-03-30 22:28:20 -0400 |
---|---|---|
committer | Phil Pennock <pdp@exim.org> | 2018-03-30 22:28:20 -0400 |
commit | 5d4da40d5b25b4f4029b46246c9757b42929bd87 (patch) | |
tree | 83b07d4ad2b66aca53875ebfdfaef619ea36dfae | |
parent | c3d43245c842965fed6a9153f9c6e9e8be326b7c (diff) | |
parent | bffc2609553745d57e15942505f34cbdd3c26b7f (diff) |
Merge branch 'dane_require_tls_ciphers'
New SMTP Transport option for simplified improved security for DANE.
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 34 | ||||
-rw-r--r-- | doc/doc-txt/ChangeLog | 3 | ||||
-rw-r--r-- | doc/doc-txt/NewStuff | 1 | ||||
-rw-r--r-- | doc/doc-txt/OptionLists.txt | 5 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 20 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 21 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 5 | ||||
-rw-r--r-- | src/src/transports/smtp.h | 1 | ||||
-rw-r--r-- | test/confs/5821 | 62 | ||||
-rw-r--r-- | test/confs/5841 | 62 | ||||
-rw-r--r-- | test/log/5821 | 31 | ||||
-rw-r--r-- | test/log/5841 | 31 | ||||
-rw-r--r-- | test/scripts/5820-DANE-GnuTLS/5821 | 30 | ||||
-rw-r--r-- | test/scripts/5840-DANE-OpenSSL/5841 | 29 | ||||
-rw-r--r-- | test/stderr/5821 | 10 | ||||
-rw-r--r-- | test/stderr/5841 | 10 | ||||
-rw-r--r-- | test/stdout/5821 | 10 | ||||
-rw-r--r-- | test/stdout/5841 | 10 |
18 files changed, 365 insertions, 10 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 2dbe6d2d3..16d276ee8 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23941,6 +23941,24 @@ For testing purposes, this value can be overridden by the &%-oB%& command line option. +.new +.option dane_require_tls_ciphers smtp string&!! unset +.cindex "TLS" "requiring specific ciphers for DANE" +.cindex "cipher" "requiring specific" +.cindex DANE "TLS ciphers" +This option may be used to override &%tls_require_ciphers%& for connections +where DANE has been determined to be in effect. +If not set, then &%tls_require_ciphers%& will be used. +Normal SMTP delivery is not able to make strong demands of TLS cipher +configuration, because delivery will fall back to plaintext. Once DANE has +been determined to be in effect, there is no plaintext fallback and making the +TLS cipherlist configuration stronger will increase security, rather than +counter-intuitively decreasing it. +If the option expands to be empty or is forced to fail, then it will +be treated as unset and &%tls_require_ciphers%& will be used instead. +.wen + + .option data_timeout smtp time 5m This sets a timeout for the transmission of each block in the data portion of the message. As a result, the overall timeout for a message depends on the size @@ -28102,8 +28120,7 @@ that DNS lookups they do for the server have not been tampered with. The domain to this server, its A record, its TLSA record and any associated CNAME records must all be covered by DNSSEC. 2) add TLSA DNS records. These say what the server certificate for a TLS connection should be. -3) offer a server certificate, or certificate chain, in TLS connections which is traceable to the one -defined by (one of?) the TSLA records +3) offer a server certificate, or certificate chain, in TLS connections which is is anchored by one of the TLSA records. There are no changes to Exim specific to server-side operation of DANE. Support for client-side operation of DANE can be included at compile time by defining SUPPORT_DANE=yes @@ -28158,8 +28175,9 @@ This modification of hosts_request_ocsp is only done if it has the default value those who use &%hosts_require_ocsp%&, should consider the interaction with DANE in their OCSP settings. -For client-side DANE there are two new smtp transport options, &%hosts_try_dane%& and &%hosts_require_dane%&. -The latter variant will result in failure if the target host is not DNSSEC-secured. +For client-side DANE there are three new smtp transport options, &%hosts_try_dane%&, &%hosts_require_dane%& +and &%dane_require_tls_ciphers%&. +The require variant will result in failure if the target host is not DNSSEC-secured. DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records. @@ -28168,6 +28186,14 @@ If a TLSA lookup is done and succeeds, a DANE-verified TLS connection will be required for the host. If it does not, the host will not be used; there is no fallback to non-DANE or non-TLS. +If DANE is requested and usable, then the TLS cipher list configuration +prefers to use the option &%dane_require_tls_ciphers%& and falls +back to &%tls_require_ciphers%& only if that is unset. +This lets you configure "decent crypto" for DANE and "better than nothing +crypto" as the default. Note though that while GnuTLS lets the string control +which versions of TLS/SSL will be negotiated, OpenSSL does not and you're +limited to ciphersuite constraints. + If DANE is requested and useable (see above) the following transport options are ignored: .code hosts_require_tls diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 201e21207..8d1b33bc2 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -187,6 +187,9 @@ JH/35 Cutthrough: for a final-dot response timeout (and nonunderstood responses) in defer=pass mode supply a 450 to the initiator. Previously the message would be spooled. +PP/02 DANE: add dane_require_tls_ciphers SMTP Transport option; if unset, + tls_require_ciphers is used as before. + Exim version 4.90 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 58f3f2054..4bf04ec8d 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -14,6 +14,7 @@ Version 4.91 2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and OpenSSL versions are moved to mainline support from Experimental. + New SMTP transport option "dane_require_tls_ciphers". 3. Feature macros for the compiled-in set of malware scanner interfaces. diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 1fe72be6b..dfb0219cb 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -149,12 +149,13 @@ current_directory string unset transports daemon_smtp_ports string unset main 1.75 pluralised in 4.21 daemon_startup_retries int 9 main 4.52 daemon_startup_sleep time 30s main 4.52 +dane_require_tls_ciphers string* unset smtp 4.91 data string unset redirect 4.00 data_timeout time 5m smtp debug_print string* unset authenticators 4.00 unset routers 4.00 unset transports 2.00 -debug_store boolean false main 4.90 +debug_store boolean false main 4.90 delay_after_cutoff boolean true smtp delay_warning time list 24h main delay_warning_condition string* + main 1.73 @@ -300,10 +301,12 @@ hosts_override boolean false smtp hosts_randomize boolean false manualroute 4.00 false smtp 3.14 hosts_require_auth host list unset smtp 4.00 +hosts_require_dane host list unset smtp 4.91 (4.85 experimental) hosts_require_ocsp host list unset smtp 4.82 if experimental_ocsp hosts_require_tls host list unset smtp 3.20 hosts_treat_as_local domain list unset main 1.95 hosts_try_auth host list unset smtp 4.00 +hosts_try_dane host list unset smtp 4.91 (4.85 experimental) hosts_try_fastopen host list unset smtp 4.88 hosts_try_prdr host list unset smtp 4.82 if experimental_prdr ibase_servers string unset main 4.23 diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index eed8c06dc..d73188277 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -1681,7 +1681,7 @@ else 1, 0)) || (rc = dane_verify_crt_raw(s, certlist, lsize, gnutls_certificate_type_get(state->session), - r, 0, + r, 0, # ifdef GNUTLS_BROKEN_DANE_VALIDATION usage == (1 << DANESSL_USAGE_DANE_EE) ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0, @@ -2260,6 +2260,7 @@ smtp_transport_options_block *ob = (smtp_transport_options_block *)tb->options_block; int rc; exim_gnutls_state_st * state = NULL; +uschar *cipher_list = NULL; #ifndef DISABLE_OCSP BOOL require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK; @@ -2269,9 +2270,24 @@ BOOL request_ocsp = require_ocsp ? TRUE DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd); +#ifdef SUPPORT_DANE +if (tlsa_dnsa && ob->dane_require_tls_ciphers) + { + /* not using expand_check_tlsvar because not yet in state */ + if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers", + &cipher_list, errstr)) + return DEFER; + cipher_list = cipher_list && *cipher_list + ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers; + } +#endif + +if (!cipher_list) + cipher_list = ob->tls_require_ciphers; + if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey, ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl, - ob->tls_require_ciphers, &state, errstr)) != OK) + cipher_list, &state, errstr)) != OK) return rc; { diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 969a99d99..c142bd059 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -904,7 +904,7 @@ We do not free the stack since it could be needed a second time for SNI handling. Separately we might try to replace using OCSP_basic_verify() - which seems to not -be a public interface into the OpenSSL library (there's no manual entry) - +be a public interface into the OpenSSL library (there's no manual entry) - But what with? We also use OCSP_basic_verify in the client stapling callback. And there we NEED it; we must verify that status... unless the library does it for us anyway? */ @@ -2300,8 +2300,23 @@ if (rc != OK) return rc; tls_out.certificate_verified = FALSE; client_verify_callback_called = FALSE; -if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers", - &expciphers, errstr)) +expciphers = NULL; +#ifdef SUPPORT_DANE +if (tlsa_dnsa) + { + /* We fall back to tls_require_ciphers if unset, empty or forced failure, but + other failures should be treated as problems. */ + if (ob->dane_require_tls_ciphers && + !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers", + &expciphers, errstr)) + return FAIL; + if (expciphers && *expciphers == '\0') + expciphers = NULL; + } +#endif +if (!expciphers && + !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers", + &expciphers, errstr)) return FAIL; /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 23083f5d8..2dfb5b73a 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -38,6 +38,10 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, connect_timeout) }, { "connection_max_messages", opt_int | opt_public, (void *)offsetof(transport_instance, connection_max_messages) }, +# ifdef SUPPORT_DANE + { "dane_require_tls_ciphers", opt_stringptr, + (void *)offsetof(smtp_transport_options_block, dane_require_tls_ciphers) }, +# endif { "data_timeout", opt_time, (void *)offsetof(smtp_transport_options_block, data_timeout) }, { "delay_after_cutoff", opt_bool, @@ -225,6 +229,7 @@ smtp_transport_options_block smtp_transport_option_defaults = { #ifdef SUPPORT_DANE .hosts_try_dane = NULL, .hosts_require_dane = NULL, + .dane_require_tls_ciphers = NULL, #endif .hosts_try_fastopen = NULL, #ifndef DISABLE_PRDR diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index 749c6f778..7727c0c6d 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h @@ -32,6 +32,7 @@ typedef struct { #ifdef SUPPORT_DANE uschar *hosts_try_dane; uschar *hosts_require_dane; + uschar *dane_require_tls_ciphers; #endif uschar *hosts_try_fastopen; #ifndef DISABLE_PRDR diff --git a/test/confs/5821 b/test/confs/5821 new file mode 100644 index 000000000..9b73181a9 --- /dev/null +++ b/test/confs/5821 @@ -0,0 +1,62 @@ +# Exim test configuration 5821 +# DANE/OpenSSL - ciphers option + +SERVER= +OPT= + +.include DIR/aux-var/tls_conf_prefix + +primary_hostname = myhost.test.ex + +# ----- Main settings ----- + +acl_smtp_rcpt = accept logwrite = "rcpt ACL" + +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified + +tls_advertise_hosts = * + +# Set certificate only if server +CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com + +tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail} +tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail} + +# Permit two specific ciphers +tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL + +# ----- Routers ----- +begin routers + +client: + driver = dnslookup + condition = ${if eq {SERVER}{}} + ignore_target_hosts = <; 0::0/0 + dnssec_request_domains = * + self = send + transport = send_to_server + errors_to = "" + +server: + driver = redirect + data = :blackhole: + +# ----- Transports ----- +begin transports + +send_to_server: + driver = smtp + allow_localhost + port = PORT_D + hosts_try_dane = * + tls_verify_certificates = CDIR2/ca_chain.pem + + # Some commonly-available cipher, we hope + tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL + dane_require_tls_ciphers = OPT + +# ----- Retry ----- +begin retry +* * F,5d,10s + +# End diff --git a/test/confs/5841 b/test/confs/5841 new file mode 100644 index 000000000..57d692826 --- /dev/null +++ b/test/confs/5841 @@ -0,0 +1,62 @@ +# Exim test configuration 5841 +# DANE/OpenSSL - ciphers option + +SERVER= +OPT= + +.include DIR/aux-var/tls_conf_prefix + +primary_hostname = myhost.test.ex + +# ----- Main settings ----- + +acl_smtp_rcpt = accept logwrite = "rcpt ACL" + +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified + +tls_advertise_hosts = * + +# Set certificate only if server +CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com + +tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail} +tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail} + +# Permit two specific ciphers +tls_require_ciphers = ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-GCM-SHA384 + +# ----- Routers ----- +begin routers + +client: + driver = dnslookup + condition = ${if eq {SERVER}{}} + ignore_target_hosts = <; 0::0/0 + dnssec_request_domains = * + self = send + transport = send_to_server + errors_to = "" + +server: + driver = redirect + data = :blackhole: + +# ----- Transports ----- +begin transports + +send_to_server: + driver = smtp + allow_localhost + port = PORT_D + hosts_try_dane = * + tls_verify_certificates = CDIR2/ca_chain.pem + + # Some commonly-available cipher, we hope + tls_require_ciphers = ECDHE-RSA-AES256-GCM-SHA384 + dane_require_tls_ciphers = OPT + +# ----- Retry ----- +begin retry +* * F,5d,10s + +# End diff --git a/test/log/5821 b/test/log/5821 new file mode 100644 index 000000000..39af675fe --- /dev/null +++ b/test/log/5821 @@ -0,0 +1,31 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex +1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.2:RSA_CAMELLIA_256_GCM_SHA384:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.2:RSA_CAMELLIA_256_GCM_SHA384:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server +1999-03-02 09:44:33 10HmbE-0005vi-00 Completed diff --git a/test/log/5841 b/test/log/5841 new file mode 100644 index 000000000..863107c2e --- /dev/null +++ b/test/log/5841 @@ -0,0 +1,31 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex +1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ECDHE-RSA-CAMELLIA256-SHA384:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ECDHE-RSA-CAMELLIA256-SHA384:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server +1999-03-02 09:44:33 10HmbE-0005vi-00 Completed diff --git a/test/scripts/5820-DANE-GnuTLS/5821 b/test/scripts/5820-DANE-GnuTLS/5821 new file mode 100644 index 000000000..f4ea30564 --- /dev/null +++ b/test/scripts/5820-DANE-GnuTLS/5821 @@ -0,0 +1,30 @@ +# DANE client: ciphers option +# +gnutls +exim -DSERVER=server -bd -oX PORT_D +**** + +### Baseline, dane unused +exim -odf CALLER@localhost.test.ex +Testing +**** +### Baseline, dane used +exim -odf CALLER@dane256ee.test.ex +Testing +**** +# +# +### Dane cipher specified, dane unused +# Since dane unused, should get the same cipher as the baseline +exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@localhost.test.ex +Testing +**** +### Dane cipher specified, dane used +# Should get the cipher specified here +exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@dane256ee.test.ex +Testing +**** +# +# +killdaemon +no_msglog_check diff --git a/test/scripts/5840-DANE-OpenSSL/5841 b/test/scripts/5840-DANE-OpenSSL/5841 new file mode 100644 index 000000000..52fac186a --- /dev/null +++ b/test/scripts/5840-DANE-OpenSSL/5841 @@ -0,0 +1,29 @@ +# DANE client: ciphers option +# +exim -DSERVER=server -bd -oX PORT_D +**** + +### Baseline, dane unused +exim -odf CALLER@localhost.test.ex +Testing +**** +### Baseline, dane used +exim -odf CALLER@dane256ee.test.ex +Testing +**** +# +# +### Dane cipher specified, dane unused +# Since dane unused, should get the same cipher as the baseline +exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@localhost.test.ex +Testing +**** +### Dane cipher specified, dane used +# Should get the cipher specified here +exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@dane256ee.test.ex +Testing +**** +# +# +killdaemon +no_msglog_check diff --git a/test/stderr/5821 b/test/stderr/5821 new file mode 100644 index 000000000..3f9e5f261 --- /dev/null +++ b/test/stderr/5821 @@ -0,0 +1,10 @@ +### Baseline, dane unused +### Baseline, dane used +### Dane cipher specified, dane unused +### Dane cipher specified, dane used + +******** SERVER ******** +### Baseline, dane unused +### Baseline, dane used +### Dane cipher specified, dane unused +### Dane cipher specified, dane used diff --git a/test/stderr/5841 b/test/stderr/5841 new file mode 100644 index 000000000..3f9e5f261 --- /dev/null +++ b/test/stderr/5841 @@ -0,0 +1,10 @@ +### Baseline, dane unused +### Baseline, dane used +### Dane cipher specified, dane unused +### Dane cipher specified, dane used + +******** SERVER ******** +### Baseline, dane unused +### Baseline, dane used +### Dane cipher specified, dane unused +### Dane cipher specified, dane used diff --git a/test/stdout/5821 b/test/stdout/5821 new file mode 100644 index 000000000..3f9e5f261 --- /dev/null +++ b/test/stdout/5821 @@ -0,0 +1,10 @@ +### Baseline, dane unused +### Baseline, dane used +### Dane cipher specified, dane unused +### Dane cipher specified, dane used + +******** SERVER ******** +### Baseline, dane unused +### Baseline, dane used +### Dane cipher specified, dane unused +### Dane cipher specified, dane used diff --git a/test/stdout/5841 b/test/stdout/5841 new file mode 100644 index 000000000..3f9e5f261 --- /dev/null +++ b/test/stdout/5841 @@ -0,0 +1,10 @@ +### Baseline, dane unused +### Baseline, dane used +### Dane cipher specified, dane unused +### Dane cipher specified, dane used + +******** SERVER ******** +### Baseline, dane unused +### Baseline, dane used +### Dane cipher specified, dane unused +### Dane cipher specified, dane used |