author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-09-26 19:28:53 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-09-26 19:34:09 +0100 |
commit | e326959e5e455e1b46124b023e0b202e4892e501 (patch) | |
tree | 94df809ddf19d7eb97ec9eca348836510f832b86 /test/confs | |
parent | 6219e0ec4a59a06b84eaabb6b3ae5d9e8f166672 (diff) |
GnuTLS: full-chain OCSP stapling. Bug 1466
Diffstat (limited to 'test/confs')
-rw-r--r-- | test/confs/5655 (renamed from test/confs/5653) | 38 |
1 files changed, 30 insertions, 8 deletions
diff --git a/test/confs/5653 b/test/confs/5655 index 5b29f5b68..0f6fe1b98 100644 --- a/test/confs/5653 +++ b/test/confs/5655 @@ -1,5 +1,5 @@ -# Exim test configuration 5652 -# OCSP stapling, server, multiple certs +# Exim test configuration 5655 +# OCSP stapling, server, multiple chain-element OCSP .include DIR/aux-var/tls_conf_prefix @@ -7,6 +7,7 @@ primary_hostname = server1.example.com # ----- Main settings ----- +acl_smtp_connect = accept logwrite = ${env {SSLKEYLOGFILE}} acl_smtp_mail = check_mail acl_smtp_rcpt = check_recipient @@ -21,15 +22,23 @@ CADIR = DIR/aux-fixed/exim-ca DRSA = CADIR/example.com DECDSA = CADIR/example_ec.com -tls_certificate = DRSA/server1.example.com/server1.example.com.pem \ +tls_certificate = DRSA/server1.example.com/fullchain.pem \ : DECDSA/server1.example_ec.com/server1.example_ec.com.pem tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \ : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key -tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \ - : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp +.ifndef CONTROL +tls_ocsp_file = PEM DIR/tmp/ocsp/triple.ocsp.pem \ + : DER DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp +.else +tls_ocsp_file = PEM DIR/tmp/ocsp/double_r.ocsp.pem \ + : DER DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp +.endif -tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0 + +.ifdef _HAVE_GNUTLS +tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} {NORMAL:!VERS-ALL:+VERS-TLS1.2} {}} +.endif # ------ ACL ------ 
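Review bot: The added `acl_smtp_connect = accept logwrite = ${env {SSLKEYLOGFILE}}` in the main settings has no comment saying why the connect ACL writes an environment variable to the log. As written it records, for each accepted connection, whatever SSLKEYLOGFILE holds in the daemon's environment. That is presumably a harness aid for confirming that TLS key logging is switched on for packet-capture debugging. A key-log file holds session secrets, so the line should be marked as test-only so it is not carried into a real configuration, for example with `# test aid: log the TLS key-log path taken from the environment; not for production configs` directly above it.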
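Review bot: The `.ifndef CONTROL` / `.else` pair around `tls_ocsp_file` switches the RSA proof between `DIR/tmp/ocsp/triple.ocsp.pem` and `DIR/tmp/ocsp/double_r.ocsp.pem`, but nothing says what each file contains or what creates it. The names suggest a three-response set and a two-response set with a revoked element, but that is a guess from this hunk alone. A comment above the conditional would fix that, e.g. `# CONTROL unset: staple triple.ocsp.pem (<contents>); CONTROL set: staple double_r.ocsp.pem (<contents>); both built under DIR/tmp/ocsp by the test script`, with the placeholders filled in by the author. It is also worth stating in the header comment that only the RSA leg moved to `fullchain.pem` with a PEM multi-response file. The ECDSA leg still pairs the leaf certificate with a single DER response, so full-chain stapling appears to be exercised for RSA only.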
@@ -70,9 +79,22 @@ remote_delivery: driver = smtp port = PORT_D hosts_require_tls = * - tls_require_ciphers = OPT +.ifdef _HAVE_GNUTLS + + tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} \ + {NONE:\ + ${if eq {OPT}{rsa} \ + {+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA} \ + {+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL}}\ + :+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509} \ + {}} + tls_verify_certificates = CADIR/\ + ${if eq {OPT}{rsa} \ + {example.com/server1.example.com} \ + {example_ec.com/server1.example_ec.com}}\ + /ca_chain.pem +.endif hosts_require_ocsp = * - tls_verify_certificates = CERT tls_verify_cert_hostnames = : local_delivery: |
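Review bot: In the remote_delivery transport, `tls_verify_certificates` now sits inside the new `.ifdef _HAVE_GNUTLS` block, while `hosts_require_tls = *`, `hosts_require_ocsp = *` and `tls_verify_cert_hostnames = :` stay outside it. If this file is ever read by a build that does not define `_HAVE_GNUTLS`, the transport gets no explicit trust anchor and falls back to the option's default instead of the test CA chain; the removed `tls_verify_certificates = CERT` was unconditional. I would move `.endif` up to directly after the `tls_require_ciphers` expansion so that only the GnuTLS priority string is conditional. If the test is GnuTLS-only by design, say so with `# GnuTLS-only test: priority string and CA chain are both selected from OPT`. Also note that any `OPT` value other than `rsa`, including an unset or misspelled one, silently selects the ECDSA priority string and CA path. The transport's header line is outside the hunk.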