summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2014-11-22 19:16:19 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2015-01-12 18:58:33 +0000
commit01a4a5c5cbaa40ca618d3e233991ce183b551477 (patch)
treebbef9f6e942157f611d0db4d70dbbeabca9e0337 /test
parentad07e9add2a9959a2cc07c996452fcfc10ccab9f (diff)
Move certificate name checking to mainline, default enabled
This is an exim client checking a server certificate.
Diffstat (limited to 'test')
-rw-r--r--test/confs/201256
-rw-r--r--test/confs/211256
-rw-r--r--test/confs/56014
-rw-r--r--test/confs/56084
-rw-r--r--test/confs/56514
-rw-r--r--test/confs/56584
-rw-r--r--test/confs/57501
-rw-r--r--test/confs/57601
-rw-r--r--test/confs/58401
-rw-r--r--test/log/201222
-rw-r--r--test/log/211222
-rw-r--r--test/log/58402
-rw-r--r--test/scripts/2000-GnuTLS/20126
-rw-r--r--test/scripts/2100-OpenSSL/21126
-rw-r--r--test/scripts/5840-DANE-OpenSSL/58402
-rw-r--r--test/stderr/54101
16 files changed, 127 insertions, 65 deletions
diff --git a/test/confs/2012 b/test/confs/2012
index 97dc25e75..6bc5487ff 100644
--- a/test/confs/2012
+++ b/test/confs/2012
@@ -104,6 +104,7 @@ send_to_server_failcert:
tls_privatekey = CERT2
tls_verify_certificates = CA2
+ tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
send_to_server_retry:
@@ -117,6 +118,7 @@ send_to_server_retry:
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+ tls_verify_cert_hostnames =
# this will fail to verify the cert but continue unverified though crypted
send_to_server_crypt:
@@ -130,6 +132,7 @@ send_to_server_crypt:
tls_verify_certificates = CA2
tls_try_verify_hosts = *
+ tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
send_to_server_req_fail:
@@ -142,31 +145,32 @@ send_to_server_req_fail:
tls_verify_certificates = CA2
tls_verify_hosts = *
-
-# # this will fail to verify the cert name and fallback to unencrypted
-# send_to_server_req_failname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = server1.example.net : server1.example.org
-# tls_verify_hosts = *
-#
-# # this will pass the cert verify including name check
-# send_to_server_req_passname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = noway.example.com : server1.example.com
-# tls_verify_hosts = *
+ tls_verify_cert_hostnames =
+
+ # this will fail to verify the cert name and fallback to unencrypted
+ send_to_server_req_failname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_hosts = *
+
+ # this will pass the cert verify including name check
+ send_to_server_req_passname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_hosts = *
# End
diff --git a/test/confs/2112 b/test/confs/2112
index 4751e6015..2c81e0cf3 100644
--- a/test/confs/2112
+++ b/test/confs/2112
@@ -104,6 +104,7 @@ send_to_server_failcert:
tls_privatekey = CERT2
tls_verify_certificates = CA2
+ tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
send_to_server_retry:
@@ -117,6 +118,7 @@ send_to_server_retry:
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+ tls_verify_cert_hostnames =
# this will fail to verify the cert but continue unverified though crypted
send_to_server_crypt:
@@ -130,6 +132,7 @@ send_to_server_crypt:
tls_verify_certificates = CA2
tls_try_verify_hosts = *
+ tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
send_to_server_req_fail:
@@ -142,31 +145,32 @@ send_to_server_req_fail:
tls_verify_certificates = CA2
tls_verify_hosts = *
-
-# # this will fail to verify the cert name and fallback to unencrypted
-# send_to_server_req_failname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = server1.example.net : server1.example.org
-# tls_verify_hosts = *
-#
-# # this will pass the cert verify including name check
-# send_to_server_req_passname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = noway.example.com : server1.example.com
-# tls_verify_hosts = *
+ tls_verify_cert_hostnames =
+
+ # this will fail to verify the cert name and fallback to unencrypted
+ send_to_server_req_failname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_hosts = *
+
+ # this will pass the cert verify including name check
+ send_to_server_req_passname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_hosts = *
# End
diff --git a/test/confs/5601 b/test/confs/5601
index 3e97fcbea..1a7320300 100644
--- a/test/confs/5601
+++ b/test/confs/5601
@@ -90,6 +90,7 @@ send_to_server1:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_request_ocsp = :
headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -102,6 +103,7 @@ send_to_server2:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
# note no ocsp mention here
headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -115,6 +117,7 @@ send_to_server3:
port = PORT_D
helo_data = helo.data.changed
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -128,6 +131,7 @@ send_to_server4:
port = PORT_D
helo_data = helo.data.changed
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
diff --git a/test/confs/5608 b/test/confs/5608
index da0f6707f..6061a1343 100644
--- a/test/confs/5608
+++ b/test/confs/5608
@@ -98,6 +98,7 @@ send_to_server1:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_request_ocsp = :
headers_add = X-TLS-out: ocsp status $tls_out_ocsp
@@ -110,6 +111,7 @@ send_to_server2:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
# note no ocsp mention here
headers_add = X-TLS-out: ocsp status $tls_out_ocsp
@@ -123,6 +125,7 @@ send_to_server3:
port = PORT_D
helo_data = helo.data.changed
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
headers_add = X-TLS-out: ocsp status $tls_out_ocsp
@@ -136,6 +139,7 @@ send_to_server4:
port = PORT_D
helo_data = helo.data.changed
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
diff --git a/test/confs/5651 b/test/confs/5651
index 6b70d33b2..19f16d03d 100644
--- a/test/confs/5651
+++ b/test/confs/5651
@@ -88,6 +88,7 @@ send_to_server1:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_request_ocsp = :
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -100,6 +101,7 @@ send_to_server2:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
# note no ocsp mention here
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -114,6 +116,7 @@ send_to_server3:
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -128,6 +131,7 @@ send_to_server4:
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
diff --git a/test/confs/5658 b/test/confs/5658
index 7ab2de68f..de486e083 100644
--- a/test/confs/5658
+++ b/test/confs/5658
@@ -95,6 +95,7 @@ send_to_server1:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_request_ocsp = :
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -108,6 +109,7 @@ send_to_server2:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
# note no ocsp mention here
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -123,6 +125,7 @@ send_to_server3:
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -138,6 +141,7 @@ send_to_server4:
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
diff --git a/test/confs/5750 b/test/confs/5750
index 364f73a90..d1e2e7ce0 100644
--- a/test/confs/5750
+++ b/test/confs/5750
@@ -104,6 +104,7 @@ send_to_server:
${if eq {$local_part}{good}\
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
+ tls_verify_cert_hostnames =
event_action = ${acl {logger} {$event_name} {$domain} }
diff --git a/test/confs/5760 b/test/confs/5760
index 60f386ba4..80dde3e15 100644
--- a/test/confs/5760
+++ b/test/confs/5760
@@ -104,6 +104,7 @@ send_to_server:
${if eq {$local_part}{good}\
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
+ tls_verify_cert_hostnames =
event_action = ${acl {logger} {$event_name} {$domain} }
diff --git a/test/confs/5840 b/test/confs/5840
index 2c72b64c3..5c0f6a51d 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -68,6 +68,7 @@ send_to_server:
hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
{= {0}{$tls_out_tlsa_usage}} } \
{*}{}}
+ tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
tls_try_verify_hosts = thishost.test.ex
tls_verify_certificates = CDIR2/ca_chain.pem
diff --git a/test/log/2012 b/test/log/2012
index 48c75d2b8..efb293303 100644
--- a/test/log/2012
+++ b/test/log/2012
@@ -2,6 +2,8 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid
1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: failure while setting up TLS session
@@ -9,14 +11,20 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbA-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid
1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
@@ -25,8 +33,10 @@
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex
diff --git a/test/log/2112 b/test/log/2112
index 45a0458d7..02d1d315c 100644
--- a/test/log/2112
+++ b/test/log/2112
@@ -2,6 +2,8 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
@@ -11,18 +13,24 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=certificate not trusted cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmbA-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
@@ -31,8 +39,10 @@
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex
diff --git a/test/log/5840 b/test/log/5840
index 7507c5cba..a842abc2e 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -14,6 +14,8 @@
1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmbD-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbD-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbE-0005vi-00"
1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/scripts/2000-GnuTLS/2012 b/test/scripts/2000-GnuTLS/2012
index 3b25ba206..76a6d50ea 100644
--- a/test/scripts/2000-GnuTLS/2012
+++ b/test/scripts/2000-GnuTLS/2012
@@ -14,6 +14,12 @@ Testing
exim userq@test.ex
Testing
****
+exim userr@test.ex
+Testing
+****
+exim users@test.ex
+Testing
+****
exim -qf
****
killdaemon
diff --git a/test/scripts/2100-OpenSSL/2112 b/test/scripts/2100-OpenSSL/2112
index 98ea4cb17..c500751d5 100644
--- a/test/scripts/2100-OpenSSL/2112
+++ b/test/scripts/2100-OpenSSL/2112
@@ -13,6 +13,12 @@ Testing
exim userq@test.ex
Testing
****
+exim userr@test.ex
+Testing
+****
+exim users@test.ex
+Testing
+****
exim -qf
****
killdaemon
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index eef14c2fe..c0133eae3 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -43,7 +43,7 @@ exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
exim -odq CALLER@thishost.test.ex
Testing
****
-exim -qf
+exim -DOPT=no_certname -qf
****
killdaemon
#
diff --git a/test/stderr/5410 b/test/stderr/5410
index 09685491d..943681e13 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -83,6 +83,7 @@ expanding: ${if eq {$address_data}{userz}{*}{:}}
SMTP<< 220 TLS go ahead
127.0.0.1 in hosts_require_ocsp? no (option unset)
127.0.0.1 in hosts_request_ocsp? yes (matched "*")
+127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*")
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800