author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-10-17 21:45:32 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-10-17 21:45:32 +0100 |
commit | 86ede124f0ce622b4f73e05504abc11fece021e3 (patch) | |
tree | 1ec851a5ca9a6ec6986bbe1aeb1f5f00a7933b09 /test/confs/5655 | |
parent | 6f47da8d2d526953e8e6403f448d1598c9140df1 (diff) |
OpenSSL: full-chain OCSP stapling. Bug 1466
Diffstat (limited to 'test/confs/5655')
-rw-r--r-- | test/confs/5655 | 35 |
1 files changed, 16 insertions, 19 deletions
diff --git a/test/confs/5655 b/test/confs/5655
index 0f6fe1b98..6fbd7c12a 100644
--- a/test/confs/5655
+++ b/test/confs/5655
@@ -1,5 +1,5 @@
 # Exim test configuration 5655
-# OCSP stapling, server, multiple chain-element OCSP
+# OCSP stapling, server, multiple chain-element OCSP. Both GnuTLS and OpenSSL.
 .include DIR/aux-var/tls_conf_prefix
@@ -7,7 +7,6 @@ primary_hostname = server1.example.com
 # ----- Main settings -----
-acl_smtp_connect = accept logwrite = ${env {SSLKEYLOGFILE}}
 acl_smtp_mail = check_mail
 acl_smtp_rcpt = check_recipient
@@ -22,23 +21,24 @@ CADIR = DIR/aux-fixed/exim-ca
 DRSA = CADIR/example.com
 DECDSA = CADIR/example_ec.com
-tls_certificate = DRSA/server1.example.com/fullchain.pem \
- : DECDSA/server1.example_ec.com/server1.example_ec.com.pem
-tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \
- : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key
+tls_certificate = DRSA/server1.example.com/fullchain.pem
+tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key
 .ifndef CONTROL
-tls_ocsp_file = PEM DIR/tmp/ocsp/triple.ocsp.pem \
- : DER DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
+tls_ocsp_file = PEM DRSA/server1.example.com/fullchain.ocsp.resp.pem
 .else
-tls_ocsp_file = PEM DIR/tmp/ocsp/double_r.ocsp.pem \
- : DER DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
+tls_ocsp_file = PEM DIR/tmp/ocsp/double_r.ocsp.pem
 .endif
 .ifdef _HAVE_GNUTLS
 tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} {NORMAL:!VERS-ALL:+VERS-TLS1.2} {}}
 .endif
+.ifdef _HAVE_OPENSSL
+.ifdef LIMIT
+openssl_options = ${if eq {LIMIT}{TLS1.2} {+no_tlsv1_3} {}}
+.endif
+.endif
 # ------ ACL ------
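Review bot: In the third hunk (`@@ -22,23 +21,24 @@`) the new `openssl_options` line is wrapped in an `.ifdef LIMIT` guard while the GnuTLS `tls_require_ciphers` line just above evaluates `${if eq {LIMIT}{TLS1.2} …}` unguarded, and nothing records why the two differ. If an empty `openssl_options` replaces the documented default option set rather than leaving it in place, the guard is what keeps a run with LIMIT unset from silently dropping those defaults, so the asymmetry is deliberate and should be stated before someone "tidies" it away. I would add `# keep the .ifdef LIMIT: with LIMIT unset this would expand to an empty openssl_options, which does not mean "use the defaults"` above the inner `.ifdef` (wording to be confirmed against the option's semantics). The `.ifndef CONTROL` / `.else` pair would likewise benefit from a one-line comment naming what the generated `DIR/tmp/ocsp/double_r.ocsp.pem` case exercises versus the canned `fullchain.ocsp.resp.pem`, since the file names alone do not say.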
@@ -79,21 +79,18 @@ remote_delivery:
 driver = smtp
 port = PORT_D
 hosts_require_tls = *
-.ifdef _HAVE_GNUTLS
+.ifdef _HAVE_GNUTLS
 tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} \
 {NONE:\
- ${if eq {OPT}{rsa} \
- {+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA} \
- {+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL}}\
+ +SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA\
 :+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509} \
 {}}
- tls_verify_certificates = CADIR/\
- ${if eq {OPT}{rsa} \
- {example.com/server1.example.com} \
- {example_ec.com/server1.example_ec.com}}\
- /ca_chain.pem
 .endif
+.ifdef _HAVE_OPENSSL
+ tls_require_ciphers = RSA
+.endif
+ tls_verify_certificates = CADIR/example.com/server1.example.com/ca_chain.pem
 hosts_require_ocsp = *
 tls_verify_cert_hostnames = :
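Review bot: The new `tls_require_ciphers = RSA` in the `.ifdef _HAVE_OPENSSL` branch carries no explanation, and a reader coming from the GnuTLS priority string above may not know that, as I read OpenSSL's cipher-string syntax, the `RSA` keyword selects suites using RSA key exchange or RSA authentication, so ECDHE-RSA and DHE-RSA suites are still admitted and the two branches describe the same set. A comment such as `# OpenSSL cipher-string keyword: RSA kx or RSA auth; counterpart of the GnuTLS list above` would keep them visibly in step. The `.ifdef _HAVE_GNUTLS` line is removed and re-added with no visible difference, which looks like a trailing-whitespace edit; if so it is harmless but adds noise to the hunk. The remote_delivery transport definition starts before this hunk.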