author | Jeremy Harris <jgh146exb@wizmail.org> | 2020-09-26 15:35:58 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2020-09-26 15:52:44 +0100 |
commit | 4cfb21b860882e76c3d3147b01708b347d0f9a0d (patch) | |
tree | 50973ae96ddfa46926054ceb3871807c7a89d940 /test/confs | |
parent | fdf263214d6536aba14944283ffc131597870a46 (diff) |
OpenSSL: Fix client-side tls_verify_cert_hostnames behaviour
Diffstat (limited to 'test/confs')
-rw-r--r-- | test/confs/2113 | 7 | ||||
-rw-r--r-- | test/confs/2117 | 9 | ||||
-rw-r--r-- | test/confs/2125 | 9 | ||||
-rw-r--r-- | test/confs/2126 | 5 | ||||
-rw-r--r-- | test/confs/2127 | 6 | ||||
-rw-r--r-- | test/confs/2130 | 11 | ||||
-rw-r--r-- | test/confs/2131 | 23 | ||||
-rw-r--r-- | test/confs/2138 | 17 | ||||
-rw-r--r-- | test/confs/2149 | 6 | ||||
-rw-r--r-- | test/confs/3461 | 9 | ||||
-rw-r--r-- | test/confs/3462 | 9 | ||||
-rw-r--r-- | test/confs/3465 | 9 | ||||
-rw-r--r-- | test/confs/4221 | 6 | ||||
-rw-r--r-- | test/confs/5410 | 5 |
14 files changed, 53 insertions, 78 deletions
diff --git a/test/confs/2113 b/test/confs/2113
index e5fc5393d..fc2c72215 100644
--- a/test/confs/2113
+++ b/test/confs/2113
@@ -20,10 +20,7 @@ smtp_accept_max_nonmail = 0
 tls_advertise_hosts = *
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = DIR/aux-fixed/cert1
 # ----- Routers -----
@@ -70,5 +67,7 @@ send_to_server:
 hosts_try_fastopen = :
 hosts_noproxy_tls = PEX
 tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 # End
diff --git a/test/confs/2117 b/test/confs/2117
index f05eedb0a..16429f1a4 100644
--- a/test/confs/2117
+++ b/test/confs/2117
@@ -16,11 +16,7 @@ queue_only
 queue_run_in_order
 tls_advertise_hosts = *
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = DIR/aux-fixed/cert1
 # ----- Routers -----
@@ -55,7 +51,8 @@ send_to_server:
 hosts = 127.0.0.1
 port = PORT_D
 hosts_try_fastopen = :
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 hosts_nopass_tls = *
diff --git a/test/confs/2125 b/test/confs/2125
index 3591c8653..91b5283b2 100644
--- a/test/confs/2125
+++ b/test/confs/2125
@@ -19,11 +19,7 @@ tls_advertise_hosts = *
 tls_require_ciphers = ${if eq{$sender_host_address}{HOSTIPV4}\
 {AES256}{AES128}}
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = DIR/aux-fixed/cert1
 .ifdef _OPT_OPENSSL_NO_TLSV1_3_X
 openssl_options = +no_tlsv1_3
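Review bot: In the 2113 send_to_server hunk the line `tls_try_verify_hosts = :` is kept as context while the two new verify options are added below it, whereas 2117 and 2125 remove that line in the same commit; if an empty tls_try_verify_hosts together with an unset tls_verify_hosts means no verification is attempted (that is my reading of the option semantics, confirm against the docs), then the added `tls_verify_certificates`/`tls_verify_cert_hostnames` lines in 2113 have no effect and the conf does not test what the others do. The consistent change would be to drop that context line as the other confs do, i.e. replace `tls_try_verify_hosts = :` with nothing and keep the two added lines. All three hunks also set `tls_verify_cert_hostnames = :`, which disables name checking for every peer, presumably because the peer is 127.0.0.1 and cert1 is not issued for that address; a one-line comment such as `# peer is 127.0.0.1 and cert1 is not issued for it: verify the chain only` would stop the pattern being copied into production configs.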
@@ -52,7 +48,8 @@ send_to_server:
 hosts_require_tls = HOSTIPV4
 tls_require_ciphers = AES128-SHA
 hosts_try_fastopen = :
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 # ----- Retry -----
diff --git a/test/confs/2126 b/test/confs/2126
index cb448134f..d98681be2 100644
--- a/test/confs/2126
+++ b/test/confs/2126
@@ -13,8 +13,6 @@ log_selector = +tls_peerdn
 tls_advertise_hosts = HOSTIPV4
 tls_certificate = DIR/aux-fixed/cert1
-tls_privatekey = DIR/aux-fixed/cert1
-
 # ----- ACLs -----
@@ -53,7 +51,8 @@ t1:
 port = PORT_D
 hosts_try_fastopen = :
 allow_localhost
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 t2:
 driver = appendfile
diff --git a/test/confs/2127 b/test/confs/2127
index 148eb7ef0..05dd10f64 100644
--- a/test/confs/2127
+++ b/test/confs/2127
@@ -14,8 +14,7 @@ queue_only
 queue_run_in_order
 tls_advertise_hosts = *
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = DIR/aux-fixed/cert1
 tls_try_verify_hosts = 127.0.0.1
 tls_verify_hosts = HOSTIPV4
 tls_verify_certificates = DIR/aux-fixed/cert1
@@ -56,6 +55,7 @@ send_to_server:
 hosts = ${if eq{$local_part}{userx}{127.0.0.1}{HOSTIPV4}}
 port = PORT_D
 hosts_try_fastopen = :
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 # End
diff --git a/test/confs/2130 b/test/confs/2130
index 4afded1cf..0559bba53 100644
--- a/test/confs/2130
+++ b/test/confs/2130
@@ -16,10 +16,7 @@ log_selector = +tls_peerdn +tls_sni
 remote_max_parallel = 1
 tls_advertise_hosts = *
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = DIR/aux-fixed/cert1
 # ------ ACL ------
@@ -55,7 +52,8 @@ send_to_server1:
 port = PORT_D
 hosts_try_fastopen = :
 tls_sni = fred
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 send_to_server2:
 driver = smtp
@@ -63,7 +61,8 @@ send_to_server2:
 hosts = HOSTIPV4
 port = PORT_D
 hosts_try_fastopen = :
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 # ----- Retry -----
diff --git a/test/confs/2131 b/test/confs/2131
index 243fc092c..e4d4ae551 100644
--- a/test/confs/2131
+++ b/test/confs/2131
@@ -17,22 +17,13 @@ remote_max_parallel = 1
 tls_advertise_hosts = *
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server} \
- {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
+tls_certificate = DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
 {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
- {cert1} \
- }\
- }fail}
+ {cert1} }
-tls_privatekey = ${if eq {SERVER}{server} \
- {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
+tls_privatekey = DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
 {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
- {cert1} \
- }\
- }fail}
-
+ {cert1} }
 # ------ ACL ------
@@ -68,7 +59,8 @@ send_to_server1:
 hosts_try_fastopen = :
 tls_sni = fred
 hosts_require_tls = *
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 send_to_server2:
 driver = smtp
@@ -78,7 +70,8 @@ send_to_server2:
 hosts_try_fastopen = :
 tls_sni = bill
 hosts_require_tls = *
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+ tls_verify_cert_hostnames = :
 # ----- Retry -----
diff --git a/test/confs/2138 b/test/confs/2138
index aedeacf2f..c255373b5 100644
--- a/test/confs/2138
+++ b/test/confs/2138
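Review bot: The 2131 send_to_server2 hunk is the one conf in this diffstat that verifies against a real CA chain for a named server (SNI `bill`, server1.example.com), yet it still sets `tls_verify_cert_hostnames = :`, so the hostname-matching behaviour the commit title says it fixes is not exercised by any conf shown here (other parts of the commit, outside test/confs, may cover it). Because the transport addresses the peer as `hosts = HOSTIPV4` rather than by name, enabling the check here would presumably fail against a certificate issued for server1.example.com, so the positive case needs a transport whose host is named server1.example.com with `tls_verify_cert_hostnames = *`, and ideally a sibling with a non-matching name expected to fail verification, so a regression in the fixed code path fails a test rather than passing silently. With the try/verify split left at defaults in these transports, `hosts_require_tls = *` alone does not make a verification failure fatal, so the intent of each transport (must verify vs. may verify) would be clearer with an explicit `tls_verify_hosts` line where the test expects a verified session.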
@@ -19,11 +19,7 @@ remote_max_parallel = 1
 smtp_accept_max_nonmail = 0
 tls_advertise_hosts = *
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = DIR/aux-fixed/cert1
 # ----- Routers -----
@@ -55,12 +51,13 @@ local_delivery:
 user = CALLER
 send_to_server:
- driver = smtp
+ driver = smtp
 allow_localhost
- port = PORT_D
+ port = PORT_D
 hosts_try_fastopen = :
- hosts_noproxy_tls = :
- tls_try_verify_hosts = :
- max_rcpt = 1
+ hosts_noproxy_tls = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
+ max_rcpt = 1
 # End
diff --git a/test/confs/2149 b/test/confs/2149
index 41e71486f..9fa4fbf5a 100644
--- a/test/confs/2149
+++ b/test/confs/2149
@@ -14,8 +14,7 @@ queue_only
 queue_run_in_order
 tls_advertise_hosts = *
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = DIR/aux-fixed/cert1
 tls_dhparam = ${if eq {SERVER}{server}{DIR/aux-fixed/dh1}fail}
@@ -51,6 +50,7 @@ send_to_server:
 hosts = 127.0.0.1
 port = PORT_D
 hosts_try_fastopen = :
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 # End
diff --git a/test/confs/3461 b/test/confs/3461
index f865057fd..159a55376 100644
--- a/test/confs/3461
+++ b/test/confs/3461
@@ -19,11 +19,7 @@ queue_run_in_order
 smtp_accept_max_nonmail = 0
 tls_advertise_hosts = *
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate =DIR/aux-fixed/cert1
 # ----- Authenticators -----
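Review bot: The added line in the 3461 hunk reads `tls_certificate =DIR/aux-fixed/cert1` with no space after `=`; Exim tolerates it, but every other conf in this commit writes `tls_certificate = DIR/aux-fixed/cert1`, so it should match. In the 2138 send_to_server hunk, `driver = smtp`, `port = PORT_D`, `hosts_noproxy_tls = :` and `max_rcpt = 1` appear as remove/add pairs with identical visible text, which looks like a whitespace reindent (the collapsed rendering hides which); folding that into a behaviour-fixing commit obscures the real change, which is dropping `tls_try_verify_hosts = :` and adding the two verify lines, and would be easier to review as a separate whitespace-only commit. The 2149 hunk keeps `tls_dhparam = ${if eq {SERVER}{server}{DIR/aux-fixed/dh1}fail}` while the SERVER-conditional was removed from tls_certificate on the line above; if the conditional is no longer needed for the certificate it is probably not needed for the DH parameters either, so consider `tls_dhparam = DIR/aux-fixed/dh1` for consistency unless the `fail` on the client side is deliberate.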
@@ -73,6 +69,7 @@ send_to_server:
 hosts_try_fastopen = :
 hosts_try_auth = *
 hosts_noproxy_tls = PEX
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 # End
diff --git a/test/confs/3462 b/test/confs/3462
index 6c3aaee8d..75385a029 100644
--- a/test/confs/3462
+++ b/test/confs/3462
@@ -16,11 +16,7 @@ queue_only
 queue_run_in_order
 tls_advertise_hosts = *
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = DIR/aux-fixed/cert1
 # ----- Authenticators -----
@@ -70,7 +66,8 @@ send_to_server:
 port = PORT_D
 hosts_try_fastopen = :
 hosts_try_auth = *
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 # ----- Retry -----
diff --git a/test/confs/3465 b/test/confs/3465
index 0d97a3a7f..2ff6a5172 100644
--- a/test/confs/3465
+++ b/test/confs/3465
@@ -18,8 +18,6 @@ queue_only = true
 tls_advertise_hosts = *
 tls_certificate = DIR/aux-fixed/cert1
-tls_privatekey = DIR/aux-fixed/cert1
-
 # ----- Authenticators -----
@@ -61,11 +59,12 @@ t1:
 driver = smtp
 hosts = 127.0.0.1
 port = PORT_D
+ allow_localhost
 hosts_try_fastopen = :
- hosts_avoid_tls = HOSTS_AVOID_TLS
- tls_try_verify_hosts = :
+ hosts_avoid_tls = HOSTS_AVOID_TLS
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 hosts_require_auth = *
- allow_localhost
 # These can be made visible by adding "-d-all+deliver+transport+tls" to the script 1st queuerun
 headers_add = X-tls-cipher: <$tls_cipher>
diff --git a/test/confs/4221 b/test/confs/4221
index 61205cde3..07feb488b 100644
--- a/test/confs/4221
+++ b/test/confs/4221
@@ -21,9 +21,8 @@ queue_only
 queue_run_in_order
 .endif
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
 tls_advertise_hosts = *
+tls_certificate = DIR/aux-fixed/cert1
 smtputf8_advertise_hosts = OPTION
@@ -117,7 +116,8 @@ rmt_smtp:
 driver = smtp
 hosts_try_fastopen = :
 hosts_require_tls = *
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 utf8_downconvert = 0
 # End
diff --git a/test/confs/5410 b/test/confs/5410
index e00234363..c56b4624d 100644
--- a/test/confs/5410
+++ b/test/confs/5410
@@ -8,7 +8,7 @@ primary_hostname = myhost.test.ex
 log_selector = +smtp_confirmation
 tls_advertise_hosts = *
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = DIR/aux-fixed/cert1
 domainlist local_domains = test.ex : *.test.ex
@@ -50,7 +50,8 @@ smtp:
 hosts_try_fastopen = :
 hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
 hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}}
- tls_try_verify_hosts = :
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 # End