diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2013-03-24 21:49:12 +0000 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2013-03-25 22:42:48 +0000 |
| commit | f5d786885721c374cc22a1f1311ca01408a496fd (patch) | |
| tree | 528ec5ecb56fc077445855d16014bc9a9c86d967 /test/confs/5600 | |
| parent | 26e72755c101f59e24735e9ca9a320d5f1ebc2b7 (diff) | |
OCSP-stapling enhancement and testing.
Server:
Honor environment variable as well as running_in_test_harness in permitting bogus staplings
Update server tests
Add "-ocsp" option to client-ssl.
Server side: add verification of stapled status.
First cut server-mode ocsp testing.
Fix some uninitialized ocsp-related data.
Client (new):
Verify stapling using only the chain that verified the server cert, not any acceptable chain.
Add check for multiple responses in a stapling, which is not handled
Refuse verification on expired and revoking staplings.
Handle OCSP client refusal on lack of stapling from server.
More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
Add transport hosts_require_ocsp option.
Log stapling responses.
Start on tests for client-side.
Testing support:
Add CRL generation code and documentation update
Initial CA & certificate set for testing.
BUGFIX:
Once a single OCSP response has been extracted the validation
routine return code is no longer about the structure, but the actual
returned OCSP status.
Diffstat (limited to 'test/confs/5600')
| -rw-r--r-- | test/confs/5600 | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/test/confs/5600 b/test/confs/5600 new file mode 100644 index 000000000..8b26ee7fa --- /dev/null +++ b/test/confs/5600 @@ -0,0 +1,66 @@ +# Exim test configuration 5600 +# OCSP stapling, server + +CRL= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = server1.example.com +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = check_recipient + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key + +tls_verify_hosts = HOSTIPV4 +tls_try_verify_hosts = * +tls_verify_certificates = DIR/aux-fixed/cert2 +tls_crl = CRL +tls_ocsp_file = OCSP + + +# ------ ACL ------ + +begin acl + +check_recipient: + deny message = certificate not verified: peerdn=$tls_peerdn + ! verify = certificate + accept + + +# ----- Routers ----- + +begin routers + +abc: + driver = accept + retry_use_local_part + transport = local_delivery + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# End |