authorJeremy Harris <jgh146exb@wizmail.org>2019-08-27 17:24:23 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2019-09-20 14:30:21 +0100
commite54893330b92ed765b6872a1c47ba61d5e20ff7c (patch)
treea775954bf2c04f4d3662761c4cf8ae69f4586c6a /test
parent5c03403d88afcde2bb3f543296b0fca6f05c9f2c (diff)
GnuTLS: Move to more-modern stapling API
Diffstat (limited to 'test')
-rw-r--r--test/confs/565115
-rw-r--r--test/confs/565384
-rw-r--r--test/confs/573013
-rw-r--r--test/log/56506
-rw-r--r--test/log/56524
-rw-r--r--test/log/56539
-rw-r--r--test/log/589032
-rw-r--r--test/scripts/5650-OCSP-GnuTLS/56506
-rw-r--r--test/scripts/5650-OCSP-GnuTLS/56522
-rw-r--r--test/scripts/5650-OCSP-GnuTLS/565323
-rw-r--r--test/stdout/565014
11 files changed, 171 insertions, 37 deletions
diff --git a/test/confs/5651 b/test/confs/5651
index 5803c3ce9..01fa45524 100644
--- a/test/confs/5651
+++ b/test/confs/5651
@@ -3,10 +3,21 @@
SERVER =
-.include DIR/aux-var/tls_conf_prefix
-
+exim_path = EXIM_PATH
+keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$
+host_lookup_order = bydns
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+chunking_advertise_hosts =
primary_hostname = server1.example.com
+.ifdef _HAVE_DMARC
+dmarc_tld_file =
+.endif
+
+
# ----- Main settings -----
domainlist local_domains = test.ex : *.test.ex
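Review bot: The settings inlined in place of `.include DIR/aux-var/tls_conf_prefix` carry no comment saying why this test can no longer use the shared prefix, and the same block is repeated in the test/confs/5730 hunk. The line that matters most is `keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$`, which by its name lets a switch that turns off OCSP validity checking reach the daemon. It deserves a comment such as `# pass the harness switch that disables the OCSP validity-period check through to the daemon; test-only`. A hand copy of the prefix will presumably drift from the shared file, so later changes to tls_conf_prefix would not reach these two configs. A one-line note on what was deliberately left out of the copy would help the next maintainer.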
diff --git a/test/confs/5653 b/test/confs/5653
new file mode 100644
index 000000000..5b29f5b68
--- /dev/null
+++ b/test/confs/5653
@@ -0,0 +1,84 @@
+# Exim test configuration 5652
+# OCSP stapling, server, multiple certs
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = server1.example.com
+
+# ----- Main settings -----
+
+acl_smtp_mail = check_mail
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+CADIR = DIR/aux-fixed/exim-ca
+DRSA = CADIR/example.com
+DECDSA = CADIR/example_ec.com
+
+tls_certificate = DRSA/server1.example.com/server1.example.com.pem \
+ : DECDSA/server1.example_ec.com/server1.example_ec.com.pem
+tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \
+ : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key
+tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \
+ : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
+
+
+tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0
+
+# ------ ACL ------
+
+begin acl
+
+check_mail:
+ accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+ (${listextract {${eval:$tls_in_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+
+check_recipient:
+ accept
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = manualroute
+ condition = ${if !eq {SERVER}{server}}
+ route_list = * 127.0.0.1
+ self = send
+ transport = remote_delivery
+ errors_to = ""
+
+srvr:
+ driver = accept
+ retry_use_local_part
+ transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+remote_delivery:
+ driver = smtp
+ port = PORT_D
+ hosts_require_tls = *
+ tls_require_ciphers = OPT
+ hosts_require_ocsp = *
+ tls_verify_certificates = CERT
+ tls_verify_cert_hostnames = :
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+# End
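Review bot: The header of this new file still reads `# Exim test configuration 5652` with the description `# OCSP stapling, server, multiple certs`, although the file is test/confs/5653 and its script is titled "multiple chain-element OCSP". I would change the two lines to `# Exim test configuration 5653` and `# OCSP stapling, server, multiple chain-element OCSP`. The `tls_ocsp_file` list names one `.ocsp.good.resp` per leaf certificate, so it is not visible from the config what makes this a chain-element test; a short comment on what those response files contain would settle that. The client transport also sets `tls_verify_cert_hostnames = :`, which is worth a comment saying that hostname checking is switched off on purpose for the loopback test.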
diff --git a/test/confs/5730 b/test/confs/5730
index 625decec7..2b32008d4 100644
--- a/test/confs/5730
+++ b/test/confs/5730
@@ -3,9 +3,20 @@
SERVER =
-.include DIR/aux-var/tls_conf_prefix
+exim_path = EXIM_PATH
+keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$
+host_lookup_order = bydns
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+chunking_advertise_hosts =
primary_hostname = server1.example.com
+
+.ifdef _HAVE_DMARC
+dmarc_tld_file =
+.endif
# ----- Main settings -----
diff --git a/test/log/5650 b/test/log/5650
index 75428e24f..7f46ba122 100644
--- a/test/log/5650
+++ b/test/log/5650
@@ -6,12 +6,12 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
-1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone)
+1999-03-02 09:44:33 acl_mail: ocsp in status: 1 (notresp)
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
-1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_certificate_set_ocsp_status_request_file2): The session or certificate has expired.
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
-1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_certificate_set_ocsp_status_request_file2): The session or certificate has expired.
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
diff --git a/test/log/5652 b/test/log/5652
index 48034447f..cf31aa340 100644
--- a/test/log/5652
+++ b/test/log/5652
@@ -9,8 +9,8 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone)
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone)
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
diff --git a/test/log/5653 b/test/log/5653
new file mode 100644
index 000000000..82d2e7aeb
--- /dev/null
+++ b/test/log/5653
@@ -0,0 +1,9 @@
+1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
diff --git a/test/log/5890 b/test/log/5890
index 324e5a4a7..5ffb9ccf7 100644
--- a/test/log/5890
+++ b/test/log/5890
@@ -180,7 +180,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 2
+1999-03-02 09:44:33 ocsp 4
1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for getticket@test.ex
@@ -191,7 +191,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 0
+1999-03-02 09:44:33 ocsp 1
1999-03-02 09:44:33 cipher TLS1.x:ke--AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for resume@test.ex xyz@test.ex
@@ -203,7 +203,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 2
+1999-03-02 09:44:33 ocsp 4
1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
@@ -214,7 +214,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 0
+1999-03-02 09:44:33 ocsp 1
1999-03-02 09:44:33 cipher TLS1.x:ke--AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbC-0005vi-00@myhost.test.ex for renewal@test.ex
@@ -225,7 +225,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 0
+1999-03-02 09:44:33 ocsp 1
1999-03-02 09:44:33 cipher TLS1.x:ke--AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbE-0005vi-00@myhost.test.ex for postrenewal@test.ex
@@ -236,7 +236,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 2
+1999-03-02 09:44:33 ocsp 4
1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbG-0005vi-00@myhost.test.ex for timeout@test.ex
@@ -247,7 +247,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 2
+1999-03-02 09:44:33 ocsp 4
1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbI-0005vi-00@myhost.test.ex for notreq@test.ex
@@ -258,7 +258,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 2
+1999-03-02 09:44:33 ocsp 4
1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbK-0005vi-00@myhost.test.ex for noverify_getticket@test.ex
@@ -269,7 +269,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 0
+1999-03-02 09:44:33 ocsp 1
1999-03-02 09:44:33 cipher TLS1.x:ke--AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbN-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for noverify_resume@test.ex
@@ -281,7 +281,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 2
+1999-03-02 09:44:33 ocsp 1
1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbP-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbO-0005vi-00@myhost.test.ex for getticket@test.ex
@@ -292,7 +292,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 0
+1999-03-02 09:44:33 ocsp 1
1999-03-02 09:44:33 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbR-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for resume@test.ex xyz@test.ex
@@ -304,7 +304,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 2
+1999-03-02 09:44:33 ocsp 1
1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for abcd@test.ex
@@ -315,7 +315,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 0
+1999-03-02 09:44:33 ocsp 1
1999-03-02 09:44:33 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbU-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbT-0005vi-00@myhost.test.ex for renewal@test.ex
@@ -326,7 +326,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 0
+1999-03-02 09:44:33 ocsp 1
1999-03-02 09:44:33 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbW-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbV-0005vi-00@myhost.test.ex for postrenewal@test.ex
@@ -337,7 +337,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 2
+1999-03-02 09:44:33 ocsp 1
1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmbY-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbX-0005vi-00@myhost.test.ex for timeout@test.ex
@@ -348,7 +348,7 @@
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
1999-03-02 09:44:33 peer dn
-1999-03-02 09:44:33 ocsp 2
+1999-03-02 09:44:33 ocsp 1
1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
1999-03-02 09:44:33 bits 256
1999-03-02 09:44:33 10HmcA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for notreq@test.ex
diff --git a/test/scripts/5650-OCSP-GnuTLS/5650 b/test/scripts/5650-OCSP-GnuTLS/5650
index 78c0afd61..99aaa0b7a 100644
--- a/test/scripts/5650-OCSP-GnuTLS/5650
+++ b/test/scripts/5650-OCSP-GnuTLS/5650
@@ -38,8 +38,6 @@ exim -z '2: Server does not staple an outdated response'
exim -bd -oX PORT_D -DSERVER=server \
-DOPTION=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
****
-# XXX test sequence might not be quite right; this is for a server refusal
-# and we're expecting a client refusal.
client-gnutls -ocsp aux-fixed/exim-ca/expired1.example.com/CA.pem HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
??? 220
ehlo rhu.barb
@@ -50,7 +48,7 @@ ehlo rhu.barb
??? 250-
??? 250
starttls
-??? 220
+??? 454
****
killdaemon
#
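Review bot: The expected reply to `starttls` becomes `??? 454` here and in the next hunk, but nothing in the script says why the server refuses, because the explanatory comment above `client-gnutls` was removed rather than replaced. Going by the updated test/log/5650, the server fails in `gnutls_certificate_set_ocsp_status_request_file2` with an expired response and then declines STARTTLS altogether, while the case title still reads "Server does not staple an outdated response". I would add above the `client-gnutls` line something like `# the dated OCSP response fails to load, so the server answers STARTTLS with 454`. Since a stale staple file now makes TLS unavailable instead of only dropping the staple, a case showing what a client that does not request OCSP receives would be worth adding. The client scripts start outside these hunks.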
@@ -76,7 +74,7 @@ ehlo rhu.barb
??? 250-
??? 250
starttls
-??? 220
+??? 454
****
killdaemon
#
diff --git a/test/scripts/5650-OCSP-GnuTLS/5652 b/test/scripts/5650-OCSP-GnuTLS/5652
index 4a33ea862..9130f65e6 100644
--- a/test/scripts/5650-OCSP-GnuTLS/5652
+++ b/test/scripts/5650-OCSP-GnuTLS/5652
@@ -1,4 +1,4 @@
-# OCSP stapling, server, multiple certs
+# OCSP stapling, server, multiple leaf certs
#
#
#
diff --git a/test/scripts/5650-OCSP-GnuTLS/5653 b/test/scripts/5650-OCSP-GnuTLS/5653
new file mode 100644
index 000000000..55cea8b31
--- /dev/null
+++ b/test/scripts/5650-OCSP-GnuTLS/5653
@@ -0,0 +1,23 @@
+# OCSP stapling, server, multiple chain-element OCSP
+#
+#
+#
+exim -z '1: Server sends good staple on request, to client requiring RSA auth'
+****
+#
+exim -d+all -bd -oX PORT_D -DSERVER=server
+****
+exim -odf \
+ -DOPT=NONE:+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 \
+ -DCERT=DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+ rsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+#
+#
+#
+#
+no_msglog_check
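Review bot: The daemon is started with `exim -d+all -bd -oX PORT_D -DSERVER=server`, which looks like a debugging leftover: the daemon start visible in script 5650 on this page uses plain `exim -bd`, and the diffstat adds no expected stderr file for 5653. Unless the debug output is compared somewhere, I would reduce it to `exim -bd -oX PORT_D -DSERVER=server`. The script also has a single case on the RSA path although its title says "multiple chain-element OCSP", and the expected log only records the server-side `ocsp in status: 4 (verified)`. A comment stating which file supplies the chain-element responses, and what on the client side proves they were checked, would make clear what the test asserts.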
diff --git a/test/stdout/5650 b/test/stdout/5650
index 7b5628c6a..8a72c0f6f 100644
--- a/test/stdout/5650
+++ b/test/stdout/5650
@@ -49,10 +49,9 @@ Key file = aux-fixed/cert2
??? 250
<<< 250 HELP
>>> starttls
-??? 220
-<<< 220 TLS go ahead
-Attempting to start TLS
-Bad certificate
+??? 454
+<<< 454 TLS currently unavailable
+Abandoning TLS start attempt
End of script
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
Certificate file = aux-fixed/cert2
@@ -73,10 +72,9 @@ Key file = aux-fixed/cert2
??? 250
<<< 250 HELP
>>> starttls
-??? 220
-<<< 220 TLS go ahead
-Attempting to start TLS
-Bad certificate
+??? 454
+<<< 454 TLS currently unavailable
+Abandoning TLS start attempt
End of script
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
Certificate file = aux-fixed/cert2