Support optional server certificate name checking. Bug 1479

Enable EXPERIMENTAL_CERTNAMES to include.
author: Jeremy Harris <jgh146exb@wizmail.org> 2014-05-20 21:25:10 +0100
committer: Jeremy Harris <jgh146exb@wizmail.org> 2014-05-20 21:25:10 +0100
commit: e51c7be22dfccad376659a1a46cee93c9979bbf7 (patch)
tree: 3a6facf5bd5b51f1b3e21c62736ae04bc7504099 /test
parent: 2e6afa4f11972312d3dbb9bb1d4f4bf585a3cdd2 (diff)
12 files changed, 570 insertions, 31 deletions
diff --git a/test/confs/2012 b/test/confs/2012
index 263034435..97dc25e75 100644
--- a/test/confs/2012
+++ b/test/confs/2012
@@ -12,6 +12,16 @@ log_file_path = DIR/spool/log/SERVER%slog
 gecos_pattern = ""
 gecos_name = CALLER_NAME
 
+FX = DIR/aux-fixed
+S1 = FX/exim-ca/example.com/server1.example.com
+
+CA1 =   S1/ca_chain.pem 
+CERT1 = S1/server1.example.com.pem
+KEY1 =  S1/server1.example.com.unlocked.key
+CA2 =   FX/cert2
+CERT2 = FX/cert2
+KEY2 =  FX/cert2
+
 # ----- Main settings -----
 
 acl_smtp_rcpt = accept
@@ -25,11 +35,11 @@ tls_advertise_hosts = *
 
 # Set certificate only if server
 
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
 
 tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
+tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
 
 
 # ----- Routers -----
@@ -66,6 +76,18 @@ client_q:
   retry_use_local_part
   transport = send_to_server_req_fail
 
+client_r:
+  driver = accept
+  local_parts = userr
+  retry_use_local_part
+  transport = send_to_server_req_failname
+
+client_s:
+  driver = accept
+  local_parts = users
+  retry_use_local_part
+  transport = send_to_server_req_passname
+
 
 # ----- Transports -----
 
@@ -78,8 +100,10 @@ send_to_server_failcert:
   hosts = HOSTIPV4
   hosts_require_tls = HOSTIPV4
   port = PORT_D
-  tls_certificate = DIR/aux-fixed/cert2
-  tls_verify_certificates = DIR/aux-fixed/cert2
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
 
 # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
 send_to_server_retry:
@@ -88,19 +112,23 @@ send_to_server_retry:
   hosts = HOSTIPV4 : 127.0.0.1
   hosts_require_tls = HOSTIPV4
   port = PORT_D
-  tls_certificate = DIR/aux-fixed/cert2
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
   tls_verify_certificates = \
-	${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}}
+    ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
 
-# this will fail to verify the cert at HOSTIPV4 but continue unverified though crypted
+# this will fail to verify the cert but continue unverified though crypted
 send_to_server_crypt:
   driver = smtp
   allow_localhost
   hosts = HOSTIPV4
   hosts_require_tls = HOSTIPV4
   port = PORT_D
-  tls_certificate = DIR/aux-fixed/cert2
-  tls_verify_certificates = DIR/aux-fixed/cert2
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
   tls_try_verify_hosts = *
 
 # this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
@@ -109,8 +137,36 @@ send_to_server_req_fail:
   allow_localhost
   hosts = HOSTIPV4
   port = PORT_D
-  tls_certificate = DIR/aux-fixed/cert2
-  tls_verify_certificates = DIR/aux-fixed/cert2
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
   tls_verify_hosts = *
 
+# # this will fail to verify the cert name and fallback to unencrypted
+# send_to_server_req_failname:
+#   driver = smtp
+#   allow_localhost
+#   hosts = HOSTIPV4
+#   port = PORT_D
+#   tls_certificate = CERT2
+#   tls_privatekey = CERT2
+# 
+#   tls_verify_certificates = CA1
+#   tls_verify_cert_hostnames = server1.example.net : server1.example.org
+#   tls_verify_hosts = *
+# 
+# # this will pass the cert verify including name check
+# send_to_server_req_passname:
+#   driver = smtp
+#   allow_localhost
+#   hosts = HOSTIPV4
+#   port = PORT_D
+#   tls_certificate = CERT2
+#   tls_privatekey = CERT2
+# 
+#   tls_verify_certificates = CA1
+#   tls_verify_cert_hostnames = noway.example.com : server1.example.com
+#   tls_verify_hosts = *
+
 # End
diff --git a/test/confs/2112 b/test/confs/2112
index deb02944d..4751e6015 100644
--- a/test/confs/2112
+++ b/test/confs/2112
@@ -12,6 +12,16 @@ log_file_path = DIR/spool/log/SERVER%slog
 gecos_pattern = ""
 gecos_name = CALLER_NAME
 
+FX = DIR/aux-fixed
+S1 = FX/exim-ca/example.com/server1.example.com
+
+CA1 =   S1/ca_chain.pem 
+CERT1 = S1/server1.example.com.pem
+KEY1 =  S1/server1.example.com.unlocked.key
+CA2 =   FX/cert2
+CERT2 = FX/cert2
+KEY2 =  FX/cert2
+
 # ----- Main settings -----
 
 acl_smtp_rcpt = accept
@@ -25,11 +35,11 @@ tls_advertise_hosts = *
 
 # Set certificate only if server
 
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
 
 tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
+tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
 
 
 # ----- Routers -----
@@ -66,6 +76,18 @@ client_q:
   retry_use_local_part
   transport = send_to_server_req_fail
 
+client_r:
+  driver = accept
+  local_parts = userr
+  retry_use_local_part
+  transport = send_to_server_req_failname
+
+client_s:
+  driver = accept
+  local_parts = users
+  retry_use_local_part
+  transport = send_to_server_req_passname
+
 
 # ----- Transports -----
 
@@ -78,8 +100,10 @@ send_to_server_failcert:
   hosts = HOSTIPV4
   hosts_require_tls = HOSTIPV4
   port = PORT_D
-  tls_certificate = DIR/aux-fixed/cert2
-  tls_verify_certificates = DIR/aux-fixed/cert2
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
 
 # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
 send_to_server_retry:
@@ -88,9 +112,11 @@ send_to_server_retry:
   hosts = HOSTIPV4 : 127.0.0.1
   hosts_require_tls = HOSTIPV4
   port = PORT_D
-  tls_certificate = DIR/aux-fixed/cert2
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
   tls_verify_certificates = \
-    ${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}}
+    ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
 
 # this will fail to verify the cert but continue unverified though crypted
 send_to_server_crypt:
@@ -99,8 +125,10 @@ send_to_server_crypt:
   hosts = HOSTIPV4
   hosts_require_tls = HOSTIPV4
   port = PORT_D
-  tls_certificate = DIR/aux-fixed/cert2
-  tls_verify_certificates = DIR/aux-fixed/cert2
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
   tls_try_verify_hosts = *
 
 # this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
@@ -109,8 +137,36 @@ send_to_server_req_fail:
   allow_localhost
   hosts = HOSTIPV4
   port = PORT_D
-  tls_certificate = DIR/aux-fixed/cert2
-  tls_verify_certificates = DIR/aux-fixed/cert2
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
   tls_verify_hosts = *
 
+# # this will fail to verify the cert name and fallback to unencrypted
+# send_to_server_req_failname:
+#   driver = smtp
+#   allow_localhost
+#   hosts = HOSTIPV4
+#   port = PORT_D
+#   tls_certificate = CERT2
+#   tls_privatekey = CERT2
+# 
+#   tls_verify_certificates = CA1
+#   tls_verify_cert_hostnames = server1.example.net : server1.example.org
+#   tls_verify_hosts = *
+# 
+# # this will pass the cert verify including name check
+# send_to_server_req_passname:
+#   driver = smtp
+#   allow_localhost
+#   hosts = HOSTIPV4
+#   port = PORT_D
+#   tls_certificate = CERT2
+#   tls_privatekey = CERT2
+# 
+#   tls_verify_certificates = CA1
+#   tls_verify_cert_hostnames = noway.example.com : server1.example.com
+#   tls_verify_hosts = *
+
 # End
diff --git a/test/confs/5440 b/test/confs/5440
new file mode 100644
index 000000000..955641246
--- /dev/null
+++ b/test/confs/5440
@@ -0,0 +1,172 @@
+# Exim test configuration 2012
+# TLS client: verify certificate from server - fails
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+FX = DIR/aux-fixed
+S1 = FX/exim-ca/example.com/server1.example.com
+
+CA1 =   S1/ca_chain.pem 
+CERT1 = S1/server1.example.com.pem
+KEY1 =  S1/server1.example.com.unlocked.key
+CA2 =   FX/cert2
+CERT2 = FX/cert2
+KEY2 =  FX/cert2
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector =  +tls_peerdn+tls_certificate_verified
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
+
+tls_verify_hosts = *
+tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
+
+
+# ----- Routers -----
+
+begin routers
+
+server_dump:
+  driver = redirect
+  condition = ${if eq {SERVER}{server}{yes}{no}}
+  data = :blackhole:
+
+client_x:
+  driver = accept
+  local_parts = userx
+  retry_use_local_part
+  transport = send_to_server_failcert
+  errors_to = ""
+
+client_y:
+  driver = accept
+  local_parts = usery
+  retry_use_local_part
+  transport = send_to_server_retry
+
+client_z:
+  driver = accept
+  local_parts = userz
+  retry_use_local_part
+  transport = send_to_server_crypt
+
+client_q:
+  driver = accept
+  local_parts = userq
+  retry_use_local_part
+  transport = send_to_server_req_fail
+
+client_r:
+  driver = accept
+  local_parts = userr
+  retry_use_local_part
+  transport = send_to_server_req_failname
+
+client_s:
+  driver = accept
+  local_parts = users
+  retry_use_local_part
+  transport = send_to_server_req_passname
+
+
+# ----- Transports -----
+
+begin transports
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
+send_to_server_failcert:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
+send_to_server_retry:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4 : 127.0.0.1
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = \
+    ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+
+# this will fail to verify the cert but continue unverified though crypted
+send_to_server_crypt:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+  tls_try_verify_hosts = *
+
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+send_to_server_req_fail:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+  tls_verify_hosts = *
+
+# this will fail to verify the cert name and fallback to unencrypted
+send_to_server_req_failname:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA1
+  tls_verify_cert_hostnames = server1.example.net : server1.example.org
+  tls_verify_hosts = *
+
+# this will pass the cert verify including name check
+send_to_server_req_passname:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA1
+  tls_verify_cert_hostnames = noway.example.com : server1.example.com
+  tls_verify_hosts = *
+
+# End
diff --git a/test/confs/5450 b/test/confs/5450
new file mode 100644
index 000000000..398871c64
--- /dev/null
+++ b/test/confs/5450
@@ -0,0 +1,172 @@
+# Exim test configuration 2112
+# TLS client: verify certificate from server - fails
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+FX = DIR/aux-fixed
+S1 = FX/exim-ca/example.com/server1.example.com
+
+CA1 =   S1/ca_chain.pem 
+CERT1 = S1/server1.example.com.pem
+KEY1 =  S1/server1.example.com.unlocked.key
+CA2 =   FX/cert2
+CERT2 = FX/cert2
+KEY2 =  FX/cert2
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector =  +tls_peerdn+tls_certificate_verified
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
+
+tls_verify_hosts = *
+tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
+
+
+# ----- Routers -----
+
+begin routers
+
+server_dump:
+  driver = redirect
+  condition = ${if eq {SERVER}{server}{yes}{no}}
+  data = :blackhole:
+
+client_x:
+  driver = accept
+  local_parts = userx
+  retry_use_local_part
+  transport = send_to_server_failcert
+  errors_to = ""
+
+client_y:
+  driver = accept
+  local_parts = usery
+  retry_use_local_part
+  transport = send_to_server_retry
+
+client_z:
+  driver = accept
+  local_parts = userz
+  retry_use_local_part
+  transport = send_to_server_crypt
+
+client_q:
+  driver = accept
+  local_parts = userq
+  retry_use_local_part
+  transport = send_to_server_req_fail
+
+client_r:
+  driver = accept
+  local_parts = userr
+  retry_use_local_part
+  transport = send_to_server_req_failname
+
+client_s:
+  driver = accept
+  local_parts = users
+  retry_use_local_part
+  transport = send_to_server_req_passname
+
+
+# ----- Transports -----
+
+begin transports
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
+send_to_server_failcert:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
+send_to_server_retry:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4 : 127.0.0.1
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = \
+    ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+
+# this will fail to verify the cert but continue unverified though crypted
+send_to_server_crypt:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+  tls_try_verify_hosts = *
+
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+send_to_server_req_fail:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+  tls_verify_hosts = *
+
+# this will fail to verify the cert name and fallback to unencrypted
+send_to_server_req_failname:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA1
+  tls_verify_cert_hostnames = server1.example.net : server1.example.org
+  tls_verify_hosts = *
+
+# this will pass the cert verify including name check
+send_to_server_req_passname:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA1
+  tls_verify_cert_hostnames = noway.example.com : server1.example.com
+  tls_verify_hosts = *
+
+# End
diff --git a/test/log/2012 b/test/log/2012
index dbb3273af..bcb1e6fd8 100644
--- a/test/log/2012
+++ b/test/log/2012
@@ -9,9 +9,9 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
diff --git a/test/log/2112 b/test/log/2112
index 3f77e65ea..ea09dd9a9 100644
--- a/test/log/2112
+++ b/test/log/2112
@@ -3,20 +3,22 @@
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37): failure while setting up TLS session
 1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded
 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
+1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=certificate not trusted cert=/CN=server1.example.com
+1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=server1.example.com
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
 1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00"
diff --git a/test/log/5440 b/test/log/5440
new file mode 100644
index 000000000..4d600ebc6
--- /dev/null
+++ b/test/log/5440
@@ -0,0 +1,17 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
diff --git a/test/log/5450 b/test/log/5450
new file mode 100644
index 000000000..2a8aec4e7
--- /dev/null
+++ b/test/log/5450
@@ -0,0 +1,28 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com"
+
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
diff --git a/test/scripts/5440-certnames-GnuTLS/5440 b/test/scripts/5440-certnames-GnuTLS/5440
new file mode 100644
index 000000000..fea9551c0
--- /dev/null
+++ b/test/scripts/5440-certnames-GnuTLS/5440
@@ -0,0 +1,14 @@
+# TLS client: verify certificate from server - fails
+gnutls
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim userr@test.ex
+Testing
+****
+exim users@test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5440-certnames-GnuTLS/REQUIRES b/test/scripts/5440-certnames-GnuTLS/REQUIRES
new file mode 100644
index 000000000..5a5fac1f1
--- /dev/null
+++ b/test/scripts/5440-certnames-GnuTLS/REQUIRES
@@ -0,0 +1,3 @@
+support GnuTLS
+support Experimental_Certnames
+running IPv4
diff --git a/test/scripts/5450-certnames-OpenSSL/5450 b/test/scripts/5450-certnames-OpenSSL/5450
new file mode 100644
index 000000000..c94d1a5b2
--- /dev/null
+++ b/test/scripts/5450-certnames-OpenSSL/5450
@@ -0,0 +1,16 @@
+# TLS client: verify certificate from server - fails
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim userq@test.ex
+Testing
+****
+exim userr@test.ex
+Testing
+****
+exim users@test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5450-certnames-OpenSSL/REQUIRES b/test/scripts/5450-certnames-OpenSSL/REQUIRES
new file mode 100644
index 000000000..663b390a9
--- /dev/null
+++ b/test/scripts/5450-certnames-OpenSSL/REQUIRES
@@ -0,0 +1,3 @@
+support OpenSSL
+support Experimental_Certnames
+running IPv4
author	Jeremy Harris <jgh146exb@wizmail.org>	2014-05-20 21:25:10 +0100
committer	Jeremy Harris <jgh146exb@wizmail.org>	2014-05-20 21:25:10 +0100
commit	e51c7be22dfccad376659a1a46cee93c9979bbf7 (patch)
tree	3a6facf5bd5b51f1b3e21c62736ae04bc7504099 /test
parent	2e6afa4f11972312d3dbb9bb1d4f4bf585a3cdd2 (diff)