diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-09-26 19:28:53 +0100 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-09-26 19:34:09 +0100 |
| commit | e326959e5e455e1b46124b023e0b202e4892e501 (patch) | |
| tree | 94df809ddf19d7eb97ec9eca348836510f832b86 /test/confs/5655 | |
| parent | 6219e0ec4a59a06b84eaabb6b3ae5d9e8f166672 (diff) | |
GnuTLS: full-chain OCSP stapling. Bug 1466
Diffstat (limited to 'test/confs/5655')
| -rw-r--r-- | test/confs/5655 | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/test/confs/5655 b/test/confs/5655 new file mode 100644 index 000000000..0f6fe1b98 --- /dev/null +++ b/test/confs/5655 @@ -0,0 +1,106 @@ +# Exim test configuration 5655 +# OCSP stapling, server, multiple chain-element OCSP + +.include DIR/aux-var/tls_conf_prefix + +primary_hostname = server1.example.com + +# ----- Main settings ----- + +acl_smtp_connect = accept logwrite = ${env {SSLKEYLOGFILE}} +acl_smtp_mail = check_mail +acl_smtp_rcpt = check_recipient + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +CADIR = DIR/aux-fixed/exim-ca +DRSA = CADIR/example.com +DECDSA = CADIR/example_ec.com + +tls_certificate = DRSA/server1.example.com/fullchain.pem \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.pem +tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key + +.ifndef CONTROL +tls_ocsp_file = PEM DIR/tmp/ocsp/triple.ocsp.pem \ + : DER DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp +.else +tls_ocsp_file = PEM DIR/tmp/ocsp/double_r.ocsp.pem \ + : DER DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp +.endif + + +.ifdef _HAVE_GNUTLS +tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} {NORMAL:!VERS-ALL:+VERS-TLS1.2} {}} +.endif + +# ------ ACL ------ + +begin acl + +check_mail: + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +check_recipient: + accept + + +# ----- Routers ----- + +begin routers + +client: + driver = manualroute + condition = ${if !eq {SERVER}{server}} + route_list = * 127.0.0.1 + self = send + transport = remote_delivery + errors_to = "" + +srvr: + driver = accept + retry_use_local_part + transport = local_delivery + + +# ----- Transports ----- + +begin transports + +remote_delivery: + driver = smtp + port = PORT_D + hosts_require_tls = * +.ifdef _HAVE_GNUTLS + + tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} \ + {NONE:\ + ${if eq {OPT}{rsa} \ + {+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA} \ + {+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL}}\ + :+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509} \ + {}} + tls_verify_certificates = CADIR/\ + ${if eq {OPT}{rsa} \ + {example.com/server1.example.com} \ + {example_ec.com/server1.example_ec.com}}\ + /ca_chain.pem +.endif + hosts_require_ocsp = * + tls_verify_cert_hostnames = : + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# End |