author | Jeremy Harris <jgh146exb@wizmail.org> | 2020-10-03 20:59:15 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2020-10-04 00:14:30 +0100 |
commit | 6a9cf7f890226aa085842cd3d94b13e78ea31637 (patch) | |
tree | a342beb35a47209193ca7506b7a76d087dba1aa7 /test | |
parent | dcc5e2cbb4a253eea54c12320e54fb5d85d64e5f (diff) |
TLS: preload configuration items
Diffstat (limited to 'test')
-rw-r--r-- | test/confs/1102 | 27 | ||||
-rw-r--r-- | test/confs/1103 | 43 | ||||
-rw-r--r-- | test/confs/2025 | 7 | ||||
-rw-r--r-- | test/confs/2100 | 8 | ||||
-rw-r--r-- | test/confs/2113 | 1 | ||||
-rw-r--r-- | test/confs/4060 | 6 | ||||
-rw-r--r-- | test/log/1103 | 9 | ||||
-rwxr-xr-x | test/runtest | 26 | ||||
-rw-r--r-- | test/scripts/1100-Basic-TLS/1101 | 3 | ||||
-rw-r--r-- | test/scripts/1100-Basic-TLS/1102 | 51 | ||||
-rw-r--r-- | test/scripts/1100-Basic-TLS/1103 | 21 |
11 files changed, 190 insertions, 12 deletions
diff --git a/test/confs/1102 b/test/confs/1102
new file mode 100644
index 000000000..2bab6e804
--- /dev/null
+++ b/test/confs/1102
@@ -0,0 +1,27 @@
+# Exim test configuration 1102
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+tls_advertise_hosts = *
+
+tls_certificate = DIR/tmp/certs/servercert
+tls_privatekey = DIR/tmp/certs/serverkey
+#tls_verify_certificates = DIR/aux-fixed/cert2
+tls_verify_certificates = system,cache
+
+queue_only
+log_selector = +millisec
+
+# --- ACL ---
+
+acl_smtp_rcpt = acl_check_rcpt
+
+begin acl
+acl_check_rcpt:
+ accept logwrite = server cert: CN=${certextract{subject,CN}{$tls_in_ourcert}}
+
+# End
diff --git a/test/confs/1103 b/test/confs/1103
new file mode 100644
index 000000000..b937ee99c
--- /dev/null
+++ b/test/confs/1103
@@ -0,0 +1,43 @@
+# Exim test configuration 1103
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+tls_advertise_hosts = *
+
+tls_certificate = DIR/tmp/certs/servercert
+tls_privatekey = DIR/tmp/certs/serverkey
+tls_try_verify_hosts = *
+tls_verify_certificates = DIR/aux-fixed/cert2
+#tls_verify_certificates = system,cache
+
+queue_only
+log_selector = +millisec
+
+# --- ACL ---
+
+acl_smtp_rcpt = accept
+
+# ----
+
+begin routers
+
+all:
+ driver = accept
+ transport = smtp
+
+begin transports
+
+smtp:
+ driver = smtp
+ hosts = 127.0.0.1
+ allow_localhost
+ port = PORT_D
+ tls_certificate = DIR/aux-fixed/cert2
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
+
+# End
diff --git a/test/confs/2025 b/test/confs/2025
index 8c08abebe..5ddeb7573 100644
--- a/test/confs/2025
+++ b/test/confs/2025
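Review bot: In test/confs/1102, `tls_verify_certificates = system,cache` is set with no `tls_verify_hosts` or `tls_try_verify_hosts` in the main section, so the server never requests a client certificate and the system bundle is loaded but never used to verify anything (compare 1103 in this same diff, which sets `tls_try_verify_hosts = *`). If the point is only to exercise the CA-bundle preload/cache path, the config should say so, e.g. `# system bundle is loaded only to exercise creds preloading; no client-cert verification is requested`. Otherwise add `tls_try_verify_hosts = *` so a CV= result actually appears in the log and the bundle is observably used.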
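Review bot: The smtp transport in test/confs/1103 sets `tls_verify_cert_hostnames = :`, which disables hostname checking on the client side, so any certificate chaining to cert1 is accepted for 127.0.0.1 whatever its subject names; this is presumably needed because the fixture cert does not name the loopback address, but the file gives no reason. A one-line comment would keep a later reader from copying the setting into a non-test config, e.g. `# cert1 does not name 127.0.0.1: skip name checking; chain verification against cert1 still applies`. It would also help to note that the `tls_try_verify_hosts = *` in the main section is the server-side option (client-cert verification) and is unrelated to the transport's verification settings.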
@@ -16,13 +16,8 @@ queue_only queue_run_in_order tls_advertise_hosts = * - tls_require_ciphers = NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA256 - -# Set certificate only if server - -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_certificate = DIR/aux-fixed/cert1 # ----- Routers ----- diff --git a/test/confs/2100 b/test/confs/2100 index 827d93811..63a2f255a 100644 --- a/test/confs/2100 +++ b/test/confs/2100 @@ -22,11 +22,13 @@ tls_advertise_hosts = * # Set certificate only if server -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +#tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_certificate = DIR/aux-fixed/cert1 +#tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} tls_verify_hosts = * -tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} +#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} +tls_verify_certificates = DIR/aux-fixed/cert2 # ----- Routers ----- diff --git a/test/confs/2113 b/test/confs/2113 index fc2c72215..b992747e2 100644 --- a/test/confs/2113 +++ b/test/confs/2113 @@ -66,7 +66,6 @@ send_to_server: port = PORT_D hosts_try_fastopen = : hosts_noproxy_tls = PEX - tls_try_verify_hosts = : tls_verify_certificates = DIR/aux-fixed/cert1 tls_verify_cert_hostnames = : diff --git a/test/confs/4060 b/test/confs/4060 index f3aa84d66..b6e071202 100644 --- a/test/confs/4060 +++ b/test/confs/4060 @@ -21,7 +21,11 @@ gecos_name = CALLER_NAME dns_cname_loops = 9 chunking_advertise_hosts = OPT tls_advertise_hosts = * -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_certificate = DIR/aux-fixed/cert1 + +.ifdef _HAVE_TLS_CA_CACHE +tls_verify_certificates = system,cache +.endif .ifdef _HAVE_DMARC dmarc_tld_file = 
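Review bot: In test/confs/2100 the old `${if eq {SERVER}{server}{...}fail}` lines are retained as comments beside their replacements, leaving three lines of dead configuration, and `tls_privatekey` now exists only as a comment, so the key is taken from the combined cert1 file. Either delete the commented-out lines or replace them with a single comment stating why the conditional expansion was dropped, e.g. `# set unconditionally: credentials are preloaded at daemon start, so a fail-expansion cannot be used here`; that reason is inferred from the commit title rather than stated in the hunk, so confirm it before writing it down.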
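Review bot: test/confs/2113 removes `tls_try_verify_hosts = :` from the send_to_server transport with no replacement, which, if this is the smtp transport option, changes the client from never attempting verification to the transport's default behaviour against `tls_verify_certificates = DIR/aux-fixed/cert1`; no expected-log change for 2113 appears in this diff, so either the CV= result was already the same or the log does not record it. A short comment on the transport, such as `# verification is attempted by default; cert1 is the peer's issuer`, or a sentence in the commit message would make the intended behaviour change explicit. The enclosing transport definition starts outside the hunk.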
diff --git a/test/log/1103 b/test/log/1103
new file mode 100644
index 000000000..28d97d389
--- /dev/null
+++ b/test/log/1103
@@ -0,0 +1,9 @@
+2017-07-30 18:51:05.712 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+
+******** SERVER ********
+2017-07-30 18:51:05.712 exim x.yz daemon started: pid=pppp, -q7s, listening for SMTP on port PORT_D
+2017-07-30 18:51:05.712 Start queue run: pid=pppp
+2017-07-30 18:51:05.712 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+2017-07-30 18:51:05.712 10HmaX-0005vi-00 => test@example.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00"
+2017-07-30 18:51:05.712 10HmaX-0005vi-00 Completed
+2017-07-30 18:51:05.712 End queue run: pid=pppp
diff --git a/test/runtest b/test/runtest
index 4972aedd8..f61b016f9 100755
--- a/test/runtest
+++ b/test/runtest
@@ -1067,6 +1067,24 @@ RESET_AFTER_EXTRA_LINE_READ: # this is timing-dependent next if /^OpenSSL: creating STEK$/; + # only OpenSSL speaks of these + next if /^TLS: preloading DH params for server/; + next if /^Diffie-Hellman initialized from default/; + next if /^TLS: preloading ECDH curve for server/; + next if /^ECDH OpenSSL [\d.+]+ temp key parameter settings: default selection$/; + next if /^watch dir '\/etc\/pki\/tls'$/; + + # only GnuTLS speaks of these + next if /^GnuTLS global init required$/; + next if /^TLS: basic cred init, server/; + next if /^TLS: preloading cipher list for server: NULL$/; + s/^GnuTLS using default session cipher\/priority "NORMAL"$/TLS: not preloading cipher list for server/; + next if /^GnuTLS<2>: added \d+ protocols, \d+ ciphersuites, \d+ sig algos and \d+ groups into priority list$/; + + # there happen in different orders for OpenSSL/GnuTLS/noTLS + next if /^TLS: not preloading (CA bundle|cipher list) for server$/; + next if /^TLS: not preloading server certs$/; + # drop lookups next if /^Lookups \(built-in\):/; next if /^Loading lookup modules from/; @@ -1275,6 +1293,14 @@ RESET_AFTER_EXTRA_LINE_READ: next if /^date:\w+,\{SP\}/; next if /^DKIM \[[^[]+\] (Header hash|b) computed:/; + # Timing variable over runs. Collapse repeated memssages. + if (/notify triggered queue run/) + { + my $line = $_; + while (/notify triggered queue run/) { $_ = <IN>; } + $_ = $line . $_; + } + # Not all platforms support TCP Fast Open, and the compile omits the check if (s/\S+ in hosts_try_fastopen\? (no \(option unset\)|no \(end of list\)|yes \(matched "\*"\))\n$//) { diff --git a/test/scripts/1100-Basic-TLS/1101 b/test/scripts/1100-Basic-TLS/1101 index 0bcefa9fd..41407e80b 100644 --- a/test/scripts/1100-Basic-TLS/1101 +++ b/test/scripts/1100-Basic-TLS/1101 
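Review bot: The added collapse loop `while (/notify triggered queue run/) { $_ = <IN>; }` does not stop at end of file: once `<IN>` returns undef the match is evaluated on undef and the following `$_ = $line . $_;` concatenates undef, both of which warn under `use warnings` (the pragma itself is outside the hunk, so this is inferred). Test for `defined` in the loop and guard the join: `while (defined($_) && /notify triggered queue run/) { $_ = <IN>; }` followed by `$_ = $line . (defined $_ ? $_ : '');`. Separately, `next if /^watch dir '\/etc\/pki\/tls'$/;` filters one hard-coded CA directory, so on a host whose bundle lives elsewhere (e.g. /etc/ssl/certs) the debug line survives and the comparison fails; matching the prefix only, `next if /^watch dir '/;`, keeps the filter distribution-independent. The comments `there happen in different orders` and `Collapse repeated memssages` should read `these happen` and `messages`.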
@@ -1,4 +1,5 @@
-# TLS server: uncork in pipelining mode, fixed in bd95ffc2ba87fbd3c752df17bc8fd9c01586d45a
+# TLS server: uncork in pipelining mode
+# fixed in bd95ffc2ba87fbd3c752df17bc8fd9c01586d45a
 exim -DSERVER=server -bd -oX PORT_D:PORT_S
 ****
 client-anytls 127.0.0.1 PORT_D
diff --git a/test/scripts/1100-Basic-TLS/1102 b/test/scripts/1100-Basic-TLS/1102
new file mode 100644
index 000000000..862d26a6e
--- /dev/null
+++ b/test/scripts/1100-Basic-TLS/1102
@@ -0,0 +1,51 @@
+# TLS server: creds caching
+#
+#
+mkdir -p DIR/tmp/certs
+cp DIR/aux-fixed/cert1 DIR/tmp/certs/servercert
+cp DIR/aux-fixed/cert1 DIR/tmp/certs/serverkey
+#
+#exim -d-all+tls+receive+timestamp -DSERVER=server -bd -oX PORT_D
+exim -DSERVER=server -bd -oX PORT_D
+****
+client-anytls 127.0.0.1 PORT_D
+??? 220
+EHLO rhu.barb
+????250
+STARTTLS
+??? 220
+EHLO rhu.barb
+????250
+MAIL FROM:<>
+RCPT TO:test@example.com
+??? 250
+??? 250
+QUIT
+??? 221
+****
+sleep 1
+# Now overwrite the cert. key?
+cp DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/tmp/certs/servercert
+cp DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key DIR/tmp/certs/serverkey
+# The watch mech waits 5 sec after the last trigger, so give that time to expire the send another message
+sleep 7
+client-anytls 127.0.0.1 PORT_D
+??? 220
+EHLO rhu.barb
+????250
+STARTTLS
+??? 220
+EHLO rhu.barb
+????250
+MAIL FROM:<>
+RCPT TO:test@example.com
+??? 250
+??? 250
+QUIT
+??? 221
+****
+#
+killdaemon
+#
+sudo rm -fr DIR/tmp
+no_msglog_check
diff --git a/test/scripts/1100-Basic-TLS/1103 b/test/scripts/1100-Basic-TLS/1103
new file mode 100644
index 000000000..de97e32ef
--- /dev/null
+++ b/test/scripts/1100-Basic-TLS/1103
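Review bot: The comment `# Now overwrite the cert. key?` in test/scripts/1100-Basic-TLS/1102 is an unresolved question committed into the script, while the two `cp` lines beneath it replace both the certificate and the key; and `expire the send another message` should read `expire, then send another message`. Because cert and key are swapped in two separate steps there is a window in which servercert and serverkey do not match, and the test only avoids observing it because the watcher's 5-second settle (described in the next comment) defers the reload until both copies are done; that dependency deserves to be spelled out, e.g. `# Replace cert and key together: the reload is deferred 5s after the last change, so the mismatch window is never observed`. `sudo rm -fr DIR/tmp` at the end also deletes anything else placed under DIR/tmp, so targeting `DIR/tmp/certs` would be narrower if that directory is shared (other users of DIR/tmp are not visible in this diff).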
@@ -0,0 +1,21 @@
+# TLS client: creds caching
+#
+#
+mkdir -p DIR/tmp/certs
+cp DIR/aux-fixed/cert1 DIR/tmp/certs/servercert
+cp DIR/aux-fixed/cert1 DIR/tmp/certs/serverkey
+#
+# load up one message in the queue
+exim test@example.com
+****
+#
+# start the daemon, with a queue-run interval
+# this will send the queued message and the receive will re-queue it
+#exim -d-all+tls+receive+timestamp -DSERVER=server -bd -q7s -oX PORT_D
+exim -DSERVER=server -bd -q7s -oX PORT_D
+****
+sleep 1
+killdaemon
+#
+sudo rm -fr DIR/tmp
+no_msglog_check |
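Review bot: test/scripts/1100-Basic-TLS/1103 starts the daemon with `-q7s`, waits only `sleep 1` and then runs `killdaemon`, so the TLS delivery and the re-receive that test/log/1103 expects must both complete inside that second; on a slow or instrumented run the daemon is killed mid-delivery and the log comparison fails. Either lengthen the wait or, better, wait for a completion signal from the harness rather than a fixed sleep (which wait primitives the harness offers is not visible in this diff). The comment `the receive will re-queue it` should also mention that this relies on `queue_only` in the 1103 configuration.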