authorJeremy Harris <jgh146exb@wizmail.org>2019-09-29 14:16:36 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2019-09-29 14:58:02 +0100
commit5b2fd993eadb7b476e5ef14028c7db09fda6c3ae (patch)
tree20a5788a0b121ef8118a01740c2eac7261d8c170 /test
parentd896cef5f6f3ff1b7509fd832a4ee66403a7c57f (diff)
OpenSSL: support OCSP stapling on multi-cert servers
Diffstat (limited to 'test')
-rw-r--r--test/aux-fixed/exim-ca/example_ec.com/CA/index.valid.txt2
-rw-r--r--test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.ocsp.good.respbin942 -> 942 bytes
-rwxr-xr-xtest/aux-fixed/exim-ca/genall2
l---------test/confs/56021
-rw-r--r--test/confs/565223
-rw-r--r--test/scripts/5600-OCSP-OpenSSL/560231
-rw-r--r--test/scripts/5650-OCSP-GnuTLS/565212
7 files changed, 57 insertions, 14 deletions
diff --git a/test/aux-fixed/exim-ca/example_ec.com/CA/index.valid.txt b/test/aux-fixed/exim-ca/example_ec.com/CA/index.valid.txt
index 4dc4d2d63..1ae59f7a8 100644
--- a/test/aux-fixed/exim-ca/example_ec.com/CA/index.valid.txt
+++ b/test/aux-fixed/exim-ca/example_ec.com/CA/index.valid.txt
@@ -1 +1 @@
-V 130110200751Z 65 unknown CN=server1.example_ec.com
+V 130110200751Z 835 unknown CN=server1.example_ec.com
diff --git a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
index d129311d1..10e994150 100644
--- a/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
+++ b/test/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
Binary files differ
diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall
index 9904cfa6f..8efda889f 100755
--- a/test/aux-fixed/exim-ca/genall
+++ b/test/aux-fixed/exim-ca/genall
@@ -263,7 +263,7 @@ do
# 5: DN, index
cat >$CADIR/index.valid.txt <<EOF
-V 130110200751Z 65 unknown CN=server1.$iname
+V 130110200751Z 835 unknown CN=server1.$iname
EOF
# Now create all the ocsp requests and responses
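Review bot: The serial `835` in the heredoc is a bare literal that presumably has to agree with the serial of the server1 certificate issued elsewhere in `genall`, which this hunk does not show. The heredoc is written for every `$iname` in the loop, yet the commit updates only the `example_ec.com/CA/index.valid.txt` fixture, so it is worth confirming that the other CA trees' committed index files still match what `genall` would now produce. A comment above the heredoc, for example `# serial must equal server1's certificate serial; regenerate the OCSP responses if it changes`, would make the dependency explicit. The enclosing `do` loop starts and ends outside the hunk.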
diff --git a/test/confs/5602 b/test/confs/5602
new file mode 120000
index 000000000..4602aa558
--- /dev/null
+++ b/test/confs/5602
@@ -0,0 +1 @@
+5652
\ No newline at end of file
diff --git a/test/confs/5652 b/test/confs/5652
index 5b29f5b68..da6e5197a 100644
--- a/test/confs/5652
+++ b/test/confs/5652
@@ -1,5 +1,5 @@
# Exim test configuration 5652
-# OCSP stapling, server, multiple certs
+# OCSP stapling, server, multiple leaf-certs
.include DIR/aux-var/tls_conf_prefix
@@ -29,7 +29,12 @@ tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \
: DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
+.ifdef _HAVE_GNUTLS
tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0
+.endif
+.ifdef _OPT_OPENSSL_NO_TLSV1_3_X
+openssl_options = +no_tlsv1_3
+.endif
# ------ ACL ------
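Review bot: The new `.ifdef` blocks around `tls_require_ciphers` and `openssl_options = +no_tlsv1_3` carry no comment saying why TLS 1.3 is kept out of this test. With the GnuTLS priority string limited to `+VERS-TLS1.2:+VERS-TLS1.0` and OpenSSL given `+no_tlsv1_3` whenever `_OPT_OPENSSL_NO_TLSV1_3_X` is defined, the multi-cert stapling added by this commit appears to be exercised only on TLS 1.2 and below. I would add a line such as `# TLS 1.3 excluded: this test covers the pre-1.3 stapling path only` above the blocks, or state the actual reason if it is different.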
@@ -70,9 +75,21 @@ remote_delivery:
driver = smtp
port = PORT_D
hosts_require_tls = *
- tls_require_ciphers = OPT
+.ifdef _HAVE_GNUTLS
+ tls_require_ciphers = NONE:\
+ ${if eq {SELECTOR}{auth_ecdsa} \
+ {+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL:} \
+ {+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:}}\
+ +CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509
+.endif
+.ifdef _HAVE_OPENSSL
+ tls_require_ciphers = ${if eq {SELECTOR}{auth_ecdsa} {ECDSA:RSA:!COMPLEMENTOFDEFAULT} {RSA}}
+.endif
hosts_require_ocsp = *
- tls_verify_certificates = CERT
+ tls_verify_certificates = CADIR/\
+ ${if eq {SELECTOR}{auth_ecdsa} \
+ {example_ec.com/server1.example_ec.com/ca_chain.pem}\
+ {example.com/server1.example.com/ca_chain.pem}}
tls_verify_cert_hostnames = :
local_delivery:
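Review bot: Both `${if eq {SELECTOR}{auth_ecdsa} ...}` expansions in `remote_delivery` fall through to the RSA values for anything other than the exact string `auth_ecdsa`, including a mistyped or missing `-DSELECTOR`, so a broken invocation of case 2 would quietly run as an RSA test. In the OpenSSL branch the ECDSA list is `ECDSA:RSA:!COMPLEMENTOFDEFAULT`, which still admits RSA suites; it appears to be the EC-only `ca_chain.pem` in `tls_verify_certificates` that actually pins the ECDSA leaf. A comment above the block would record this, e.g. `# SELECTOR comes from -DSELECTOR=auth_rsa|auth_ecdsa in the test script; any other value selects the RSA settings`. The transport definition starts outside the hunk.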
diff --git a/test/scripts/5600-OCSP-OpenSSL/5602 b/test/scripts/5600-OCSP-OpenSSL/5602
new file mode 100644
index 000000000..07fda294c
--- /dev/null
+++ b/test/scripts/5600-OCSP-OpenSSL/5602
@@ -0,0 +1,31 @@
+# OCSP stapling, server, multiple leaf-certs
+#
+#
+#
+exim -z '1: Server sends good staple on request, to client requiring RSA auth'
+****
+#
+exim -bd -oX PORT_D -DSERVER=server
+****
+exim -odf -DSELECTOR=auth_rsa rsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+#
+#
+#
+#
+exim -z '2: Server sends good staple on request, to client preferring ECDSA auth'
+****
+#
+exim -bd -oX PORT_D -DSERVER=server
+****
+exim -odf -DSELECTOR=auth_ecdsa ecdsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+no_msglog_check
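Review bot: This new file has the same blob id as `test/scripts/5650-OCSP-GnuTLS/5652` after the change (`07fda294c` in both index lines), so the OpenSSL and GnuTLS scripts are now byte-identical copies. The matching config was added as a symlink (`test/confs/5602` pointing at `5652`), while the script is a regular file and can drift from its twin. If the test harness accepts symlinked scripts, linking it the same way would keep the two in step; otherwise a header comment such as `# Keep in sync with 5650-OCSP-GnuTLS/5652` would do.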
diff --git a/test/scripts/5650-OCSP-GnuTLS/5652 b/test/scripts/5650-OCSP-GnuTLS/5652
index 9130f65e6..07fda294c 100644
--- a/test/scripts/5650-OCSP-GnuTLS/5652
+++ b/test/scripts/5650-OCSP-GnuTLS/5652
@@ -1,4 +1,4 @@
-# OCSP stapling, server, multiple leaf certs
+# OCSP stapling, server, multiple leaf-certs
#
#
#
@@ -7,10 +7,7 @@ exim -z '1: Server sends good staple on request, to client requiring RSA auth'
#
exim -bd -oX PORT_D -DSERVER=server
****
-exim -odf \
- -DOPT=NONE:+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 \
- -DCERT=DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
- rsa.auth@test.ex
+exim -odf -DSELECTOR=auth_rsa rsa.auth@test.ex
Subject: test
.
@@ -25,10 +22,7 @@ exim -z '2: Server sends good staple on request, to client preferring ECDSA auth
#
exim -bd -oX PORT_D -DSERVER=server
****
-exim -odf \
- -DOPT=NONE:+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 \
- -DCERT=DIR/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/ca_chain.pem \
- ecdsa.auth@test.ex
+exim -odf -DSELECTOR=auth_ecdsa ecdsa.auth@test.ex
Subject: test
.