Testsuite: move CRL testcases away from using SHA1-signed certs

author: Jeremy Harris <jgh146exb@wizmail.org> 2017-12-18 15:38:54 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2017-12-18 16:23:07 +0000
commit: dc9c8f8b52cbf2e8424f5e98f63d29aa7fb81fe7 (patch)
tree: a76e6042d7fb65130815dd36ddae949fcf7a0a97 /test/scripts/2000-GnuTLS
parent: 242583694aff4f43c3dbf7581b1100a68b3e0c11 (diff)
1 files changed, 42 insertions, 17 deletions
diff --git a/test/scripts/2000-GnuTLS/2014 b/test/scripts/2000-GnuTLS/2014
index c5a01494a..1e12b4ef5 100644
--- a/test/scripts/2000-GnuTLS/2014
+++ b/test/scripts/2000-GnuTLS/2014
@@ -3,7 +3,7 @@ gnutls
 munge gnutls_unexpected
 exim -DSERVER=server -bd -oX PORT_D
 ****
-# No certificate, certificate required
+### No certificate, certificate required
 client-gnutls HOSTIPV4 PORT_D
 ??? 220
 ehlo rhu1.barb
@@ -16,7 +16,7 @@ ehlo rhu1.barb
 starttls
 ??? 220
 ****
-# No certificate, certificate optional at TLS time, required by ACL
+### No certificate, certificate optional at TLS time, required by ACL
 client-gnutls 127.0.0.1 PORT_D
 ??? 220
 ehlo rhu2.barb
@@ -37,8 +37,8 @@ rcpt to:<userx@test.ex>
 quit
 ??? 221
 ****
-# Good certificate, certificate required
-client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Good certificate, certificate required
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
 ??? 220
 ehlo rhu3.barb
 ??? 250-
@@ -56,8 +56,8 @@ rcpt to:<userx@test.ex>
 quit
 ??? 221
 ****
-# Good certificate, certificate optional at TLS time, checked by ACL
-client-gnutls 127.0.0.1 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Good certificate, certificate optional at TLS time, checked by ACL
+client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
 ??? 220
 ehlo rhu4.barb
 ??? 250-
@@ -75,8 +75,10 @@ rcpt to:<userx@test.ex>
 quit
 ??? 221
 ****
-# Bad certificate, certificate required
-client-gnutls HOSTIPV4 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Bad certificate, certificate required
+# Actually this test does not have the client presenting a cert at all, as it filters what it has
+# by the options offered by the server first.  So it's not a good testcase.
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
 ??? 220
 ehlo rhu5.barb
 ??? 250-
@@ -88,8 +90,9 @@ ehlo rhu5.barb
 starttls
 ??? 220
 ****
-# Bad certificate, certificate optional at TLS time, reject at ACL time
-client-gnutls 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Bad certificate, certificate optional at TLS time, reject at ACL time
+# (situation as above)
+client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
 ??? 220
 ehlo rhu6.barb
 ??? 250-
@@ -103,16 +106,20 @@ starttls
 mail from:<userx@test.ex>
 ??? 250
 rcpt to:<userx@test.ex>
-??? 550-
 ??? 550
 quit
 ??? 221
 ****
 killdaemon
-exim -DCRL=DIR/aux-fixed/crl.pem -DSERVER=server -bd -oX PORT_D
+#
+#
+#
+#
+exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
 ****
-# Good but revoked certificate, certificate required
-client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+### Otherwise good but revoked certificate, certificate required
+# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
 ??? 220
 ehlo rhu7.barb
 ??? 250-
@@ -124,8 +131,8 @@ ehlo rhu7.barb
 starttls
 ??? 220
 ****
-# Revoked certificate, certificate optional at TLS time, reject at ACL time
-client-gnutls 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1
+### Revoked certificate, certificate optional at TLS time, reject at ACL time
+client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
 ??? 220
 ehlo rhu8.barb
 ??? 250-
@@ -139,9 +146,27 @@ starttls
 mail from:<userx@test.ex>
 ??? 250
 rcpt to:<userx@test.ex>
-??? 550-
 ??? 550
 quit
 ??? 221
 ****
+### Good certificate, certificate required - but nonmatching CRL also present
+client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<userx@test.ex>
+??? 250
+rcpt to:<userx@test.ex>
+??? 250
+quit
+??? 221
+****
 killdaemon
author	Jeremy Harris <jgh146exb@wizmail.org>	2017-12-18 15:38:54 +0000
committer	Jeremy Harris <jgh146exb@wizmail.org>	2017-12-18 16:23:07 +0000
commit	dc9c8f8b52cbf2e8424f5e98f63d29aa7fb81fe7 (patch)
tree	a76e6042d7fb65130815dd36ddae949fcf7a0a97 /test/scripts/2000-GnuTLS
parent	242583694aff4f43c3dbf7581b1100a68b3e0c11 (diff)