TLS: when tls_certificates unset, generate a selfsigned cert

15 files changed, 221 insertions, 155 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ddb0001a5..ba32403d6 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16843,8 +16843,8 @@ of the STARTTLS command to set up an encrypted session is advertised in
 response to EHLO only to those client hosts that match this option. See
 chapter &<<CHAPTLS>>& for details of Exim's support for TLS.
 Note that the default value requires that a certificate be supplied
-using the &%tls_certificate%& option.  If no certificate is available then
-the &%tls_advertise_hosts%& option should be set empty.
+using the &%tls_certificate%& option.  If TLS support for incoming connections
+is not required the &%tls_advertise_hosts%& option should be set empty.
 
 
 .option tls_certificate main string&!! unset
@@ -16865,6 +16865,11 @@ if the OpenSSL build supports TLS extensions and the TLS client sends the
 Server Name Indication extension, then this option and others documented in
 &<<SECTtlssni>>& will be re-expanded.
 
+.new
+If this option is unset or empty a fresh self-signed certificate will be
+generated for every connection.
+.wen
+
 .option tls_crl main string&!! unset
 .cindex "TLS" "server certificate revocation list"
 .cindex "certificate" "revocation list for server"
@@ -26958,10 +26963,17 @@ with the error
 If a STARTTLS command is issued within an existing TLS session, it is
 rejected with a 554 error code.
 
-To enable TLS operations on a server, you must set &%tls_advertise_hosts%& to
-match some hosts. You can, of course, set it to * to match all hosts.
-However, this is not all you need to do. TLS sessions to a server won't work
-without some further configuration at the server end.
+To enable TLS operations on a server, the &%tls_advertise_hosts%& option
+must be set to match some hosts. The default is * which matches all hosts.
+
+.new
+If this is all you do, TLS encryption will be enabled but not authentication -
+meaning that the peer has no assurance it is actually you he is talking to.
+You gain protection from a passive sniffer listening on the wire but not
+from someone able to intercept the communication.
+.wen
+
+Further protection requires some further configuration at the server end.
 
 It is rumoured that all existing clients that support TLS/SSL use RSA
 encryption. To make this work you need to set, in the server,
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 43009011f..272176cc8 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -23,6 +23,9 @@ JH/03 Upgrade security requirements imposed for hosts_try_dane: previously
 JH/04 Bug 1810: make continued-use of an open smtp transport connection
       non-noisy when a race steals the message being considered.
 
+JH/05 If main configuration option tls_certificate is unset, generate a
+      selfsigned certificate for inbound TLS connections.
+
 
 Exim version 4.87
 -----------------
diff --git a/src/src/readconf.c b/src/src/readconf.c
index ba4cb668b..375f01a1a 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -2963,8 +2963,8 @@ if (  !tls_advertise_hosts
    )
   return TRUE;
 else if (!nowarn && !tls_certificate)
-  log_write(0, LOG_MAIN|LOG_PANIC,
-    "Warning: No server certificate defined; TLS connections will fail.\n"
+  log_write(0, LOG_MAIN,
+    "Warning: No server certificate defined; will use a selfsigned one.\n"
     " Suggested action: either install a certificate or change tls_advertise_hosts option");
 
 oldsignal = signal(SIGCHLD, SIG_DFL);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 316906517..522bb9026 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -709,6 +709,70 @@ return OK;
 
 
 
+/* Create and install a selfsigned certificate, for use in server mode */
+
+static int
+tls_install_selfsign(exim_gnutls_state_st * state)
+{
+gnutls_x509_crt_t cert = NULL;
+time_t now;
+gnutls_x509_privkey_t pkey = NULL;
+const uschar * where;
+int rc;
+
+where = US"initialising pkey";
+if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
+
+where = US"initialising cert";
+if ((rc = gnutls_x509_crt_init(&cert))) goto err;
+
+where = US"generating pkey";
+if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
+	    gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
+	    0)))			/* _to_pk_bits() Since: 2.12.0 */
+  goto err;
+
+where = US"configuring cert";
+now = 0;
+if (  (rc = gnutls_x509_crt_set_version(cert, 3))
+   || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
+   || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
+   || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
+   || (rc = gnutls_x509_crt_set_key(cert, pkey))
+
+   || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+	      GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
+   || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+	      GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
+   || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+	      GNUTLS_OID_X520_COMMON_NAME, 0,
+	      smtp_active_hostname, Ustrlen(smtp_active_hostname)))
+   )
+  goto err;
+
+where = US"signing cert";
+if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
+
+where = US"installing selfsign cert";
+					/* Since: 2.4.0 */
+if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
+  goto err;
+
+rc = OK;
+
+out:
+  if (cert) gnutls_x509_crt_deinit(cert);
+  if (pkey) gnutls_x509_privkey_deinit(pkey);
+  return rc;
+
+err:
+  rc = tls_error(where, gnutls_strerror(rc), NULL);
+  goto out;
+}
+
+
+
+
 /*************************************************
 *       Variables re-expanded post-SNI           *
 *************************************************/
@@ -741,7 +805,6 @@ int cert_count;
 
 /* We check for tls_sni *before* expansion. */
 if (!host)	/* server */
-  {
   if (!state->received_sni)
     {
     if (state->tls_certificate &&
@@ -762,7 +825,6 @@ if (!host)	/* server */
     saved_tls_verify_certificates = state->exp_tls_verify_certificates;
     saved_tls_crl = state->exp_tls_crl;
     }
-  }
 
 rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
 exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials");
@@ -779,14 +841,13 @@ if (!expand_check_tlsvar(tls_certificate))
 
 /* certificate is mandatory in server, optional in client */
 
-if ((state->exp_tls_certificate == NULL) ||
-    (*state->exp_tls_certificate == '\0'))
-  {
+if (  !state->exp_tls_certificate
+   || !*state->exp_tls_certificate
+   )
   if (!host)
-    return tls_error(US"no TLS server certificate is specified", NULL, NULL);
+    return tls_install_selfsign(state);
   else
     DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
-  }
 
 if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
   return DEFER;
@@ -806,9 +867,9 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
       state->exp_tls_certificate, state->exp_tls_privatekey);
 
   if (state->received_sni)
-    {
-    if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) &&
-        (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0))
+    if (  Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
+       && Ustrcmp(state->exp_tls_privatekey,  saved_tls_privatekey)  == 0
+       )
       {
       DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
       }
@@ -816,7 +877,6 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
       {
       DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n");
       }
-    }
 
   rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
       CS state->exp_tls_certificate, CS state->exp_tls_privatekey,
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 6036bce52..c24eb4544 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -214,7 +214,7 @@ Returns:    OK/DEFER/FAIL
 */
 
 static int
-tls_error(uschar * prefix, const host_item * host, uschar *  msg)
+tls_error(uschar * prefix, const host_item * host, uschar * msg)
 {
 if (!msg)
   {
@@ -273,8 +273,7 @@ if (  !BN_set_word(bn, (unsigned long)RSA_F4)
    || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
    )
 #else
-rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
-if (rsa_key == NULL)
+if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
 #endif
 
   {
@@ -915,6 +914,73 @@ return;
 
 
 
+/* Create and install a selfsigned certificate, for use in server mode */
+
+static int
+tls_install_selfsign(SSL_CTX * sctx)
+{
+X509 * x509 = NULL;
+EVP_PKEY * pkey;
+RSA * rsa;
+X509_NAME * name;
+uschar * where;
+
+where = US"allocating pkey";
+if (!(pkey = EVP_PKEY_new()))
+  goto err;
+
+where = US"allocating cert";
+if (!(x509 = X509_new()))
+  goto err;
+
+where = US"generating pkey";
+		/* deprecated, use RSA_generate_key_ex() */
+if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)))
+  goto err;
+
+where = US"assiging pkey";
+if (!EVP_PKEY_assign_RSA(pkey, rsa))
+  goto err;
+
+X509_set_version(x509, 2);				/* N+1 - version 3 */
+ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
+X509_gmtime_adj(X509_get_notBefore(x509), 0);
+X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60);	/* 1 hour */
+X509_set_pubkey(x509, pkey);
+
+name = X509_get_subject_name(x509);
+X509_NAME_add_entry_by_txt(name, "C",
+			  MBSTRING_ASC, "UK", -1, -1, 0);
+X509_NAME_add_entry_by_txt(name, "O",
+			  MBSTRING_ASC, "Exim Developers", -1, -1, 0);
+X509_NAME_add_entry_by_txt(name, "CN",
+			  MBSTRING_ASC, CS smtp_active_hostname, -1, -1, 0);
+X509_set_issuer_name(x509, name);
+
+where = US"signing cert";
+if (!X509_sign(x509, pkey, EVP_md5()))
+  goto err;
+
+where = US"installing selfsign cert";
+if (!SSL_CTX_use_certificate(sctx, x509))
+  goto err;
+
+where = US"installing selfsign key";
+if (!SSL_CTX_use_PrivateKey(sctx, pkey))
+  goto err;
+
+return OK;
+
+err:
+  (void) tls_error(where, NULL, NULL);
+  if (x509) X509_free(x509);
+  if (pkey) EVP_PKEY_free(pkey);
+  return DEFER;
+}
+
+
+
+
 /*************************************************
 *        Expand key and cert file specs          *
 *************************************************/
@@ -935,41 +1001,49 @@ tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
 {
 uschar *expanded;
 
-if (cbinfo->certificate == NULL)
-  return OK;
-
-if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
-    Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
-    Ustrstr(cbinfo->certificate, US"tls_out_sni")
-   )
-  reexpand_tls_files_for_sni = TRUE;
-
-if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
-  return DEFER;
-
-if (expanded != NULL)
+if (!cbinfo->certificate)
   {
-  DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
-  if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
-    return tls_error(string_sprintf(
-      "SSL_CTX_use_certificate_chain_file file=%s", expanded),
-        cbinfo->host, NULL);
+  if (cbinfo->host)			/* client */
+    return OK;
+  					/* server */
+  if (tls_install_selfsign(sctx) != OK)
+    return DEFER;
   }
+else
+  {
+  if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
+      Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
+      Ustrstr(cbinfo->certificate, US"tls_out_sni")
+     )
+    reexpand_tls_files_for_sni = TRUE;
 
-if (cbinfo->privatekey != NULL &&
-    !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
-  return DEFER;
+  if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
+    return DEFER;
 
-/* If expansion was forced to fail, key_expanded will be NULL. If the result
-of the expansion is an empty string, ignore it also, and assume the private
-key is in the same file as the certificate. */
+  if (expanded != NULL)
+    {
+    DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
+    if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
+      return tls_error(string_sprintf(
+	"SSL_CTX_use_certificate_chain_file file=%s", expanded),
+	  cbinfo->host, NULL);
+    }
 
-if (expanded && *expanded)
-  {
-  DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
-  if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
-    return tls_error(string_sprintf(
-      "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
+  if (cbinfo->privatekey != NULL &&
+      !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
+    return DEFER;
+
+  /* If expansion was forced to fail, key_expanded will be NULL. If the result
+  of the expansion is an empty string, ignore it also, and assume the private
+  key is in the same file as the certificate. */
+
+  if (expanded && *expanded)
+    {
+    DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
+    if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
+      return tls_error(string_sprintf(
+	"SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
+    }
   }
 
 #ifndef DISABLE_OCSP
@@ -1429,8 +1503,8 @@ if (  !init_dh(*ctxp, dhparam, host)
 
 /* Set up certificate and key (and perhaps OCSP info) */
 
-rc = tls_expand_session_files(*ctxp, cbinfo);
-if (rc != OK) return rc;
+if ((rc = tls_expand_session_files(*ctxp, cbinfo)) != OK)
+  return rc;
 
 /* If we need to handle SNI, do so */
 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
diff --git a/test/confs/2020 b/test/confs/2020
index 241d88335..5ec250ecd 100644..120000
--- a/test/confs/2020
+++ b/test/confs/2020
@@ -1,52 +1 @@
-# Exim test configuration 2020
-
-SERVER=
-
-exim_path = EXIM_PATH
-keep_environment =
-host_lookup_order = bydns
-log_file_path = DIR/spool/log/SERVER%slog
-gecos_pattern = ""
-gecos_name = CALLER_NAME
-primary_hostname = myhost.test.ex
-spool_directory = DIR/spool
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-
-log_selector = +tls_peerdn
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-
-
-# ----- Routers -----
-
-begin routers
-
-abc:
-  driver = accept
-  transport = t1
-
-
-# ----- Transports -----
-
-begin transports
-
-t1:
-  driver = smtp
-  hosts = 127.0.0.1
-  allow_localhost
-  port = PORT_D
-
-
-# ----- Retry -----
-
-begin retry
-
-* * F,1d,1d
-
-# End
+2120
\ No newline at end of file
diff --git a/test/confs/2120 b/test/confs/2120
index e3a0ba1af..75b8dfa7f 100644
--- a/test/confs/2120
+++ b/test/confs/2120
@@ -8,7 +8,7 @@ host_lookup_order = bydns
 log_file_path = DIR/spool/log/SERVER%slog
 gecos_pattern = ""
 gecos_name = CALLER_NAME
-primary_hostname = myhost.test.ex
+primary_hostname = thishost.test.ex
 spool_directory = DIR/spool
 
 # ----- Main settings -----
@@ -38,7 +38,7 @@ begin transports
 
 t1:
   driver = smtp
-  hosts = 127.0.0.1
+  hosts = thishost.test.ex
   allow_localhost
   port = PORT_D
 
diff --git a/test/log/2020 b/test/log/2020
index 25a01dfb3..2e4a0944b 100644
--- a/test/log/2020
+++ b/test/log/2020
@@ -1,16 +1,15 @@
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
+1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one.
  Suggested action: either install a certificate or change tls_advertise_hosts option
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@thishost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one.
  Suggested action: either install a certificate or change tls_advertise_hosts option
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@myhost.test.ex R=abc T=t1 H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@thishost.test.ex R=abc T=t1 H=thishost.test.ex [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=Exim Developers,CN=thishost.test.ex" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
+1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one.
  Suggested action: either install a certificate or change tls_advertise_hosts option
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (no TLS server certificate is specified)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@thishost.test.ex H=localhost (thishost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@thishost.test.ex
diff --git a/test/log/2120 b/test/log/2120
index 10e2316c0..c70f7d401 100644
--- a/test/log/2120
+++ b/test/log/2120
@@ -1,19 +1,16 @@
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
+1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one.
  Suggested action: either install a certificate or change tls_advertise_hosts option
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@thishost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one.
  Suggested action: either install a certificate or change tls_advertise_hosts option
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@myhost.test.ex R=abc T=t1 H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=Exim Developers/CN=thishost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@thishost.test.ex R=abc T=t1 H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=Exim Developers/CN=thishost.test.ex" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
+1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one.
  Suggested action: either install a certificate or change tls_advertise_hosts option
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@thishost.test.ex H=localhost (thishost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@thishost.test.ex
diff --git a/test/paniclog/2020 b/test/paniclog/2020
deleted file mode 100644
index e16a6800b..000000000
--- a/test/paniclog/2020
+++ /dev/null
@@ -1,8 +0,0 @@
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option
-
-******** SERVER ********
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option
diff --git a/test/paniclog/2120 b/test/paniclog/2120
deleted file mode 100644
index e16a6800b..000000000
--- a/test/paniclog/2120
+++ /dev/null
@@ -1,8 +0,0 @@
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option
-
-******** SERVER ********
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option
diff --git a/test/scripts/2000-GnuTLS/2020 b/test/scripts/2000-GnuTLS/2020
index bd00740bf..3203ab4ea 100644
--- a/test/scripts/2000-GnuTLS/2020
+++ b/test/scripts/2000-GnuTLS/2020
@@ -1,4 +1,4 @@
-# TLS server: no certificate defined, client sends in clear
+# TLS server: no certificate defined, autogen selfsign used
 gnutls
 exim -DSERVER=server -bd -oX PORT_D
 ****
diff --git a/test/scripts/2100-OpenSSL/2120 b/test/scripts/2100-OpenSSL/2120
index 7e0aa1e0e..53cd81333 100644
--- a/test/scripts/2100-OpenSSL/2120
+++ b/test/scripts/2100-OpenSSL/2120
@@ -1,4 +1,4 @@
-# TLS server: no certificate defined, client sends in clear
+# TLS server: no certificate defined, autogen selfsign used
 exim -DSERVER=server -bd -oX PORT_D
 ****
 exim userx
diff --git a/test/stderr/2020 b/test/stderr/2020
index e16a6800b..045fadc9b 100644
--- a/test/stderr/2020
+++ b/test/stderr/2020
@@ -1,8 +1,2 @@
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option
 
 ******** SERVER ********
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option
diff --git a/test/stderr/2120 b/test/stderr/2120
index e16a6800b..045fadc9b 100644
--- a/test/stderr/2120
+++ b/test/stderr/2120
@@ -1,8 +1,2 @@
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option
 
 ******** SERVER ********
-1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail.
- Suggested action: either install a certificate or change tls_advertise_hosts option