diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2018-09-18 18:02:48 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2018-09-18 23:13:09 +0100 |
commit | 8008accd32d189afed4107a54466130dc1c331e2 (patch) | |
tree | fd2124e9302d30baecf350eb8c694e9620b5c6b9 /test/confs | |
parent | 5fd28bb83f80141b9f7671ed9ae3e1a4263134e3 (diff) |
Testsuite: track newer GnuTLS behaviour
We have lost one log line, for a ciphers-negotiation failure on an early
host in a list from routing. We still get something indicative if the
last one fails, so I'm going to let this pass.
Test 2025 will fail on earlier GnuTLS library versions as a result.
NONE no longer works as documented, in priority string for GnuTLS.
Diffstat (limited to 'test/confs')
-rw-r--r-- | test/confs/2024 | 2 | ||||
-rw-r--r-- | test/confs/2025 | 8 | ||||
-rw-r--r-- | test/confs/5821 | 4 |
3 files changed, 8 insertions, 6 deletions
diff --git a/test/confs/2024 b/test/confs/2024 index 64502d56b..ea3b28206 100644 --- a/test/confs/2024 +++ b/test/confs/2024 @@ -22,4 +22,6 @@ tls_verify_hosts = HOSTIPV4 #tls_verify_certificates = TVC tls_verify_certificates = CERT +# so we can decode in wireshark +tls_require_ciphers = NORMAL:-KX-ALL:+RSA # End diff --git a/test/confs/2025 b/test/confs/2025 index feaa815a1..fdf1e0405 100644 --- a/test/confs/2025 +++ b/test/confs/2025 @@ -17,8 +17,7 @@ queue_run_in_order tls_advertise_hosts = * -tls_require_ciphers = ${if eq{$sender_host_address}{HOSTIPV4}\ - {NONE}{SECURE256}} +tls_require_ciphers = NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA256 # Set certificate only if server @@ -45,9 +44,10 @@ send_to_server: driver = smtp allow_localhost hosts = HOSTIPV4 : 127.0.0.1 - hosts_require_tls = HOSTIPV4 port = PORT_D - + hosts_require_tls = HOSTIPV4 + tls_require_ciphers = NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA\ + ${if eq{$host}{HOSTIPV4} {384} {256} } # ----- Retry ----- diff --git a/test/confs/5821 b/test/confs/5821 index 9b73181a9..86ddbdedd 100644 --- a/test/confs/5821 +++ b/test/confs/5821 @@ -23,7 +23,7 @@ tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail} tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail} # Permit two specific ciphers -tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL +tls_require_ciphers = NORMAL:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM # ----- Routers ----- begin routers @@ -52,7 +52,7 @@ send_to_server: tls_verify_certificates = CDIR2/ca_chain.pem # Some commonly-available cipher, we hope - tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL + tls_require_ciphers = NORMAL:-CIPHER-ALL:+AES-128-CBC dane_require_tls_ciphers = OPT # ----- Retry ----- |