author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-08-27 17:24:23 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-09-20 14:30:21 +0100 |
commit | e54893330b92ed765b6872a1c47ba61d5e20ff7c (patch) | |
tree | a775954bf2c04f4d3662761c4cf8ae69f4586c6a /test/confs | |
parent | 5c03403d88afcde2bb3f543296b0fca6f05c9f2c (diff) |
GnuTLS: Move to more-modern stapling API
Diffstat (limited to 'test/confs')
-rw-r--r-- | test/confs/5651 | 15 | ||||
-rw-r--r-- | test/confs/5653 | 84 | ||||
-rw-r--r-- | test/confs/5730 | 13 |
3 files changed, 109 insertions, 3 deletions
diff --git a/test/confs/5651 b/test/confs/5651 index 5803c3ce9..01fa45524 100644 --- a/test/confs/5651 +++ b/test/confs/5651 @@ -3,10 +3,21 @@ SERVER = -.include DIR/aux-var/tls_conf_prefix - +exim_path = EXIM_PATH +keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$ +host_lookup_order = bydns +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME +chunking_advertise_hosts = primary_hostname = server1.example.com +.ifdef _HAVE_DMARC +dmarc_tld_file = +.endif + + # ----- Main settings ----- domainlist local_domains = test.ex : *.test.ex diff --git a/test/confs/5653 b/test/confs/5653 new file mode 100644 index 000000000..5b29f5b68 --- /dev/null +++ b/test/confs/5653 
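Review bot: The eight settings that replace `.include DIR/aux-var/tls_conf_prefix` in test/confs/5651 are pasted again verbatim in the test/confs/5730 hunk, and neither copy says why the shared prefix is no longer included. A comment above `exim_path` would record that, e.g. `# tls_conf_prefix inlined here: <reason the shared prefix cannot be used>`. The `keep_environment` line also needs a word: going by the variable's name it passes an override through to Exim that turns off OCSP validity checking, so a comment like `# test harness only: lets the OCSP validity-check override reach the daemon` would stop it being copied into a real configuration. The `[O]` character class in that pattern looks deliberate but is unexplained.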
@@ -0,0 +1,84 @@ +# Exim test configuration 5652 +# OCSP stapling, server, multiple certs + +.include DIR/aux-var/tls_conf_prefix + +primary_hostname = server1.example.com + +# ----- Main settings ----- + +acl_smtp_mail = check_mail +acl_smtp_rcpt = check_recipient + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +CADIR = DIR/aux-fixed/exim-ca +DRSA = CADIR/example.com +DECDSA = CADIR/example_ec.com + +tls_certificate = DRSA/server1.example.com/server1.example.com.pem \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.pem +tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key +tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp + + +tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0 + +# ------ ACL ------ + +begin acl + +check_mail: + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +check_recipient: + accept + + +# ----- Routers ----- + +begin routers + +client: + driver = manualroute + condition = ${if !eq {SERVER}{server}} + route_list = * 127.0.0.1 + self = send + transport = remote_delivery + errors_to = "" + +srvr: + driver = accept + retry_use_local_part + transport = local_delivery + + +# ----- Transports ----- + +begin transports + +remote_delivery: + driver = smtp + port = PORT_D + hosts_require_tls = * + tls_require_ciphers = OPT + hosts_require_ocsp = * + tls_verify_certificates = CERT + tls_verify_cert_hostnames = : + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# End diff --git a/test/confs/5730 b/test/confs/5730 index 625decec7..2b32008d4 100644 --- a/test/confs/5730 +++ b/test/confs/5730 
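Review bot: The header comment of the new test/confs/5653 reads `# Exim test configuration 5652`, which does not match the file name and should be `# Exim test configuration 5653`. The `remote_delivery` transport sets `tls_verify_cert_hostnames = :` while `hosts_require_ocsp = *` is on, and the main section re-enables `+VERS-TLS1.0`; both are reasonable for a fixture that routes to 127.0.0.1 but neither is explained. A comment such as `# hostname verification deliberately off: the client connects by IP address` above the first, and a word on why TLS 1.0 stays enabled, would make the intent clear to anyone borrowing from this file. `SERVER`, `OPT` and `CERT` are used but not defined here, so presumably they come from the command line or the included prefix; listing the expected macros in the header would help.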
@@ -3,9 +3,20 @@ SERVER = -.include DIR/aux-var/tls_conf_prefix +exim_path = EXIM_PATH +keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$ +host_lookup_order = bydns +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME +chunking_advertise_hosts = primary_hostname = server1.example.com + +.ifdef _HAVE_DMARC +dmarc_tld_file = +.endif # ----- Main settings ----- |