summaryrefslogtreecommitdiff
path: root/test/confs
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2013-03-24 21:49:12 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2013-03-25 22:42:48 +0000
commitf5d786885721c374cc22a1f1311ca01408a496fd (patch)
tree528ec5ecb56fc077445855d16014bc9a9c86d967 /test/confs
parent26e72755c101f59e24735e9ca9a320d5f1ebc2b7 (diff)
OCSP-stapling enhancement and testing.
Server: Honor environment variable as well as running_in_test_harness in permitting bogus staplings Update server tests Add "-ocsp" option to client-ssl. Server side: add verification of stapled status. First cut server-mode ocsp testing. Fix some uninitialized ocsp-related data. Client (new): Verify stapling using only the chain that verified the server cert, not any acceptable chain. Add check for multiple responses in a stapling, which is not handled Refuse verification on expired and revoking staplings. Handle OCSP client refusal on lack of stapling from server. More fixing in client OCSP: use the server cert signing chain to verify the OCSP info. Add transport hosts_require_ocsp option. Log stapling responses. Start on tests for client-side. Testing support: Add CRL generation code and documentation update Initial CA & certificate set for testing. BUGFIX: Once a single OCSP response has been extracted the validation routine return code is no longer about the structure, but the actual returned OCSP status.
Diffstat (limited to 'test/confs')
-rw-r--r--test/confs/560066
-rw-r--r--test/confs/5601121
2 files changed, 187 insertions, 0 deletions
diff --git a/test/confs/5600 b/test/confs/5600
new file mode 100644
index 000000000..8b26ee7fa
--- /dev/null
+++ b/test/confs/5600
@@ -0,0 +1,66 @@
+# Exim test configuration 5600
+# OCSP stapling, server
+
+CRL=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+
+tls_verify_hosts = HOSTIPV4
+tls_try_verify_hosts = *
+tls_verify_certificates = DIR/aux-fixed/cert2
+tls_crl = CRL
+tls_ocsp_file = OCSP
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ deny message = certificate not verified: peerdn=$tls_peerdn
+ ! verify = certificate
+ accept
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+ driver = accept
+ retry_use_local_part
+ transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+# End
diff --git a/test/confs/5601 b/test/confs/5601
new file mode 100644
index 000000000..5172ff279
--- /dev/null
+++ b/test/confs/5601
@@ -0,0 +1,121 @@
+# Exim test configuration 5601
+# OCSP stapling, client
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = check_recipient
+log_selector = +tls_peerdn
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
+fail\
+}
+
+#{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\
+
+tls_privatekey = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
+fail}
+
+tls_ocsp_file = OCSP
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept domains = +local_domains
+ deny message = relay not permitted
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = accept
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ retry_use_local_part
+ transport = send_to_server${if eq{$local_part}{nostaple}{1} \
+ {${if eq{$local_part}{smtps} {3}{2}}} \
+ }
+
+server:
+ driver = redirect
+ data = :blackhole:
+ #retry_use_local_part
+ #transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+send_to_server1:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp here
+
+send_to_server2:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+
+send_to_server3:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ protocol = smtps
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,1s
+
+
+# End