authorJeremy Harris <jgh146exb@wizmail.org>2021-05-28 17:33:13 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2021-06-03 23:44:12 +0100
commit8af4fd7e0f697d9585f013b9664f88d32131b5df (patch)
treea8cd800e375a0ca72798db4b8e2af192ce32cb93 /test/confs
parentef77ddc9239a2a96442b7708c825235823d6c9ce (diff)
Testsuite: use higher-spec certs, for more-recent GnuTLS versions which deprecate weaker ones
Needed for GnuTLS 3.6.15 (on Fedora 33)
Diffstat (limited to 'test/confs')
-rw-r--r--test/confs/11104
-rw-r--r--test/confs/11518
-rw-r--r--test/confs/20007
-rw-r--r--test/confs/20015
-rw-r--r--test/confs/201219
-rw-r--r--test/confs/203319
-rw-r--r--test/confs/370015
-rw-r--r--test/confs/372013
8 files changed, 29 insertions, 61 deletions
diff --git a/test/confs/1110 b/test/confs/1110
index b22360fe3..30d1c3a2d 100644
--- a/test/confs/1110
+++ b/test/confs/1110
@@ -1,4 +1,4 @@
-# Exim test configuration 2019
+# Exim test configuration 1110
.include DIR/aux-var/tls_conf_prefix
@@ -17,7 +17,7 @@ tls_certificate = DIR/aux-fixed/cert1
tls_privatekey = DIR/aux-fixed/cert1
tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = DIR/aux-fixed/cert2
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
# ------ ACL ------
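Review bot: Pointing `tls_verify_certificates` at `ca_chain.pem` changes what this server will accept from `tls_verify_hosts` clients. The old value trusted a single certificate file (`cert2`), whereas a CA chain will presumably validate any client certificate issued under the example.org test CA. Test scripts using this configuration that expect a non-matching client certificate to be refused should be re-checked against the wider trust set. A comment above the line, such as `# trusts the whole example.org test CA, not a single certificate`, would record the intent. The same substitution is made in the main sections of 1151, 2000, 3700 and 3720.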
diff --git a/test/confs/1151 b/test/confs/1151
index 4729c9222..b041a9c8a 100644
--- a/test/confs/1151
+++ b/test/confs/1151
@@ -11,8 +11,8 @@ tls_advertise_hosts = *
tls_certificate = DIR/tmp/certs/servercert
tls_privatekey = DIR/tmp/certs/serverkey
tls_try_verify_hosts = *
-tls_verify_certificates = DIR/aux-fixed/cert2
-#tls_verify_certificates = system,cache
+
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
queue_only
log_selector = +millisec
@@ -37,7 +37,9 @@ smtp:
allow_localhost
port = PORT_D
hosts_try_fastopen = :
- tls_certificate = DIR/aux-fixed/cert2
+ tls_certificate = DIR/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
+ tls_privatekey = DIR/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
+
tls_verify_certificates = DIR/aux-fixed/cert1
tls_verify_cert_hostnames = :
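Review bot: The transport's `tls_verify_certificates = DIR/aux-fixed/cert1` context line still points at the old certificate file, although the client certificate beside it moves to the exim-ca tree, so this transport keeps depending on a file the commit is moving away from. The server in this file presents `DIR/tmp/certs/servercert` (first hunk), so cert1 does not look like the matching trust anchor in any case. If verification is meant to be a no-op here, say so with a comment such as `# placeholder trust file; the server cert comes from DIR/tmp/certs`. The second hunk of 2000 has the same leftover with `DIR/aux-fixed/cert2`. The transport body starts and ends outside the hunk, so other options may already cover this.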
diff --git a/test/confs/2000 b/test/confs/2000
index 11104b09d..c81c80d59 100644
--- a/test/confs/2000
+++ b/test/confs/2000
@@ -25,7 +25,7 @@ tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
# ----- Routers -----
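Review bot: The new `tls_verify_certificates` line drops the `${if eq {SERVER}{server}{…}fail}` wrapper that the `tls_certificate` and `tls_privatekey` lines directly above it still use, so the three options no longer share one condition. If the option should stay unset when SERVER is not `server`, keep the wrapper: `tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem}fail}`. If the unconditional form is deliberate, a comment such as `# unconditional: only consulted for inbound connections` (to be confirmed) would explain the difference.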
@@ -49,8 +49,9 @@ send_to_server:
hosts = 127.0.0.1
port = PORT_D
hosts_try_fastopen = :
- tls_certificate = DIR/aux-fixed/cert2
- tls_privatekey = DIR/aux-fixed/cert2
+ tls_certificate = DIR/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
+ tls_privatekey = DIR/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
+
tls_verify_certificates = DIR/aux-fixed/cert2
tls_try_verify_hosts =
diff --git a/test/confs/2001 b/test/confs/2001
index d6525cae5..f8358cbd4 100644
--- a/test/confs/2001
+++ b/test/confs/2001
@@ -23,9 +23,6 @@ tls_advertise_hosts = *
tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
-
# so we can decode in wireshark
tls_require_ciphers = NORMAL:-KX-ALL:+RSA
@@ -52,8 +49,6 @@ send_to_server:
hosts_try_fastopen = :
OPTION
port = PORT_D
- tls_certificate = DIR/aux-fixed/cert2
- tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
tls_try_verify_hosts =
diff --git a/test/confs/2012 b/test/confs/2012
index c0ed029c5..8de185b64 100644
--- a/test/confs/2012
+++ b/test/confs/2012
@@ -33,9 +33,6 @@ tls_advertise_hosts = *
tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
-tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
-
# ----- Routers -----
@@ -108,8 +105,6 @@ send_to_server_failcert:
port = PORT_D
hosts_try_fastopen = :
hosts_require_tls = HOSTIPV4
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_try_verify_hosts =
@@ -123,8 +118,6 @@ send_to_server_retry:
port = PORT_D
hosts_try_fastopen = :
hosts_require_tls = HOSTIPV4
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
@@ -139,8 +132,6 @@ send_to_server_crypt:
port = PORT_D
hosts_try_fastopen = :
hosts_require_tls = HOSTIPV4
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_try_verify_hosts = *
@@ -153,8 +144,6 @@ send_to_server_req_fail:
hosts = HOSTIPV4
port = PORT_D
hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_verify_hosts = *
@@ -167,8 +156,6 @@ send_to_server_req_fail:
hosts = serverbadname.example.com
port = PORT_D
hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = HOSTIPV4
@@ -181,8 +168,6 @@ send_to_server_req_fail:
hosts = server1.example.com
port = PORT_D
hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = HOSTIPV4
@@ -195,8 +180,6 @@ send_to_server_req_fail:
hosts = serverchain1.example.com
port = PORT_D
hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = HOSTIPV4
@@ -209,8 +192,6 @@ send_to_server_req_fail:
hosts = alternatename.server1.example.com
port = PORT_D
hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = HOSTIPV4
diff --git a/test/confs/2033 b/test/confs/2033
index 8fa51d0e9..44ebbc594 100644
--- a/test/confs/2033
+++ b/test/confs/2033
@@ -1,4 +1,4 @@
-# Exim test configuration 1162
+# Exim test configuration 2033
# TLS client: verify certificate from server - name-fails
SERVER=
@@ -35,9 +35,6 @@ tls_advertise_hosts = *
tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
-tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
-
# ----- Routers -----
@@ -103,8 +100,6 @@ send_to_server_failcert:
port = PORT_D
hosts_try_fastopen = :
hosts_require_tls = HOSTIPV4
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA2
@@ -116,8 +111,6 @@ send_to_server_retry:
port = PORT_D
hosts_try_fastopen = :
hosts_require_tls = HOSTIPV4
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
@@ -130,8 +123,6 @@ send_to_server_crypt:
port = PORT_D
hosts_try_fastopen = :
hosts_require_tls = HOSTIPV4
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_try_verify_hosts = *
@@ -144,8 +135,6 @@ send_to_server_req_fail:
hosts = HOSTNAME
port = PORT_D
hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_verify_hosts = *
@@ -158,8 +147,6 @@ send_to_server_req_failname:
hosts = HOSTNAME
port = PORT_D
hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = *
@@ -173,8 +160,6 @@ send_to_server_req_passname:
hosts = server1.example.com
port = PORT_D
hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = *
@@ -188,8 +173,6 @@ send_to_server_req_failcarryon:
hosts = HOSTNAME
port = PORT_D
hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = *
diff --git a/test/confs/3700 b/test/confs/3700
index 599f3e50d..598bc7f1a 100644
--- a/test/confs/3700
+++ b/test/confs/3700
@@ -20,10 +20,11 @@ trusted_users = CALLER
tls_on_connect_ports = PORT_S
tls_advertise_hosts = *
-tls_certificate = DIR/aux-fixed/cert1
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
tls_verify_hosts = *
-tls_verify_certificates = DIR/aux-fixed/cert2
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
# ----- ACL -----
@@ -78,8 +79,9 @@ t1:
port = PORT_D
hosts_try_fastopen = :
allow_localhost
- tls_certificate = DIR/aux-fixed/cert2
- tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_certificate = DIR/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
+ tls_privatekey = DIR/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_cert_hostnames = :
t2:
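Review bot: `tls_verify_cert_hostnames = :` stays on transport t1 after this change. The client now checks the server's chain against the example.com test CA but still appears to skip the name check, even though the server certificate now carries a real name (server1.example.com). If the test connects by address and the name cannot match, note that beside the option, e.g. `# name check off: connection is by address, cert names server1.example.com`. Transport t2 in the next hunk and t1 in 3720 have the same shape. The transport bodies begin outside the hunks, so the `hosts` setting is not visible here.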
@@ -89,8 +91,9 @@ t2:
hosts_try_fastopen = :
protocol = smtps
allow_localhost
- tls_certificate = DIR/aux-fixed/cert2
- tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_certificate = DIR/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
+ tls_privatekey = DIR/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_cert_hostnames = :
file:
diff --git a/test/confs/3720 b/test/confs/3720
index 74faec2cf..e82c57f03 100644
--- a/test/confs/3720
+++ b/test/confs/3720
@@ -19,10 +19,11 @@ queue_run_in_order
trusted_users = CALLER
tls_advertise_hosts = *
-tls_certificate = DIR/aux-fixed/cert1
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
tls_verify_hosts = *
-tls_verify_certificates = DIR/aux-fixed/cert2
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem
# ----- ACL -----
@@ -54,7 +55,7 @@ ext_ccert_cn:
server_set_id = $auth1
server_debug_print = +++TLS \$auth1="$auth1"
- client_send = "Phil Pennock"
+ client_send = "server2.example.org"
# ----- Routers -----
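Review bot: The `client_send` string in `ext_ccert_cn` now appears to be tied to the subject name of the client certificate selected by transport t1 later in this file, and nothing on the line says so. A comment such as `# must equal the CN of the client certificate used by transport t1` would keep the two in step when the fixture certificates are next regenerated. The authenticator's server-side condition starts outside the hunk, so the exact comparison is not visible here.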
@@ -81,8 +82,10 @@ t1:
port = PORT_D
hosts_try_fastopen = :
allow_localhost
- tls_certificate = DIR/aux-fixed/cert2
- tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_certificate = DIR/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem
+ tls_privatekey = DIR/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key
+
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_cert_hostnames = :
hosts_try_auth = *