author | Jeremy Harris <jgh146exb@wizmail.org> | 2022-11-22 22:32:59 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2022-11-23 00:06:42 +0000 |
commit | 415c5379af11bf8777af1a082a336ad7c5369525 (patch) | |
tree | 6e83a790e09a20e172276887d9060cba05d2dc8f /test/confs | |
parent | 6242a0bdfb6bacb2fc52e335ca550b62f2f39020 (diff) |
OpenSSL: OCSP under DANE
Diffstat (limited to 'test/confs')
-rw-r--r-- | test/confs/5840 | 13 | ||||
-rw-r--r-- | test/confs/5847 | 150 |
2 files changed, 154 insertions, 9 deletions
diff --git a/test/confs/5840 b/test/confs/5840 index 1b3b122b3..1e6406eaa 100644 --- a/test/confs/5840 +++ b/test/confs/5840 @@ -23,28 +23,23 @@ queue_run_in_order tls_advertise_hosts = * -# Set certificate only if server CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com .ifdef CERT tls_certificate = CERT .else -tls_certificate = ${if eq {SERVER}{server} \ - {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ +tls_certificate = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ {CDIR2/fullchain.pem}\ - {CDIR1/fullchain.pem}}}\ - fail} + {CDIR1/fullchain.pem}} .endif .ifdef ALLOW tls_privatekey = ALLOW .else -tls_privatekey = ${if eq {SERVER}{server} \ - {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ +tls_privatekey = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ {CDIR2/server1.example.com.unlocked.key}\ - {CDIR1/server1.example.net.unlocked.key}}}\ - fail} + {CDIR1/server1.example.net.unlocked.key}} .endif # ----- Routers ----- diff --git a/test/confs/5847 b/test/confs/5847 new file mode 100644 index 000000000..9f3277cb0 --- /dev/null +++ b/test/confs/5847 
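Review bot: Dropping the `${if eq {SERVER}{server} … fail}` wrapper also drops the only comment explaining this block (`# Set certificate only if server`), so the new `tls_certificate`/`tls_privatekey` expansions no longer say why a certificate and key are now loaded whichever role the process runs in. A one-line replacement such as `# Cert/key selected by DETAILS; now set for both SERVER roles (main-section tls_* options are used by the server side)` would keep that intent readable, and the wording about the client side should be checked against the spec since I cannot confirm from the hunk whether the client process ever reads these. The removed `fail` branch also means an unexpected SERVER value no longer surfaces as an expansion failure; that is presumably intentional but is worth stating in the same comment. The 5840 hunk is shown collapsed on one line here, so context-line boundaries are inferred.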
@@ -0,0 +1,150 @@ +# Exim test configuration 5847 +# OCSP stapling under DANE, client + +SERVER = + +exim_path = EXIM_PATH +keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$ +host_lookup_order = bydns +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME +chunking_advertise_hosts = +primary_hostname = server1.example.com + +.ifdef _HAVE_DMARC +dmarc_tld_file = +.endif + + +# ----- Main settings ----- + +domainlist local_domains = test.ex : *.test.ex + +.ifndef OPT +acl_smtp_rcpt = check_recipient +.else +acl_smtp_rcpt = accept verify = recipient/callout +.endif +acl_smtp_data = check_data + +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified +tls_sni +remote_max_parallel = 1 +queue_run_in_order + +tls_advertise_hosts = * + +CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net +CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com + +.ifdef CERT +tls_certificate = CERT +.else +tls_certificate = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ + {CDIR2/fullchain.pem}\ + {CDIR1/fullchain.pem}} +.endif + +.ifdef ALLOW +tls_privatekey = ALLOW +.else +tls_privatekey = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ + {CDIR2/server1.example.com.unlocked.key}\ + {CDIR1/server1.example.net.unlocked.key}} +.endif + +tls_ocsp_file = RETURN + + +# ------ ACL ------ + +begin acl + +check_recipient: + accept domains = +local_domains + deny message = relay not permitted + +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept + +# ----- Routers ----- + +begin routers + +client: + driver = dnslookup + condition = ${if eq {SERVER}{server}{no}{yes}} + dnssec_request_domains = * + self = send + retry_use_local_part + transport = send_to_server${if eq{$local_part}{norequest}{1} \ + {${if eq{$local_part}{norequire} {2} \ + {3} \ + }}} + errors_to = "" + +server: + driver = 
redirect + data = :blackhole: + + +# ----- Transports ----- + +begin transports + + # nostaple +send_to_server1: + driver = smtp + allow_localhost + port = PORT_D + hosts_try_fastopen = : + tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}} + tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} + hosts_try_dane = * + hosts_require_tls = * + hosts_request_ocsp = : + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}}) + + # norequire +send_to_server2: + driver = smtp + allow_localhost + port = PORT_D + hosts_try_fastopen = : + tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}} + tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} + hosts_try_dane = * + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}}) + +# default +send_to_server3: + driver = smtp + allow_localhost + port = PORT_D + hosts_try_fastopen = : + helo_data = helo.data.changed + tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}} + tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} + hosts_try_dane = * + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}}) + + +# ----- Retry ----- + + +begin retry + +* * F,5d,1s + + +# End |
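Review bot: All three transports in this new file use `hosts_try_dane = *` rather than `hosts_require_dane = *`, so if the TLSA lookup fails or is unsigned the client silently falls back to plain TLS in which `tls_verify_certificates` is empty for every DETAILS value other than `ca`, and the `X-TLS-out` header would then report an OCSP status for an unverified non-DANE session although the file header says "OCSP stapling under DANE". Unless a test variant deliberately exercises that fallback, `hosts_require_dane = *` on the transports (or checking the `tls_certificate_verified` log item, already selected, for a DANE result) would make a DANE-less run fail loudly rather than pass for the wrong reason. The `keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$` line would also benefit from a comment such as `# test-harness only: allows the OCSP response validity window to be ignored so fixture responses need not be fresh`; I am inferring its purpose from the name, so confirm against the harness before wording it.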