summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2014-11-06 21:22:18 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2014-11-06 21:22:18 +0000
commita320fabd09f43c02c869c90a5a5a70a49dd77f89 (patch)
tree341ccb129d815e0c2daa6c0b8531fc0d4756eb7d /test
parent09c17790eec23907b93df1ec7cee746b28dfc836 (diff)
EXPERIMENTAL_CERTNAMES: Hostlist for cert name checks should match host
connected-to, not be list of acceptable names. The name checked is the host name.
Diffstat (limited to 'test')
-rw-r--r--test/confs/544017
-rw-r--r--test/confs/545017
-rw-r--r--test/log/54408
-rw-r--r--test/log/545014
-rw-r--r--test/scripts/5440-certnames-GnuTLS/54404
-rw-r--r--test/scripts/5450-certnames-OpenSSL/54505
6 files changed, 38 insertions, 27 deletions
diff --git a/test/confs/5440 b/test/confs/5440
index 03d9916fb..01ba52532 100644
--- a/test/confs/5440
+++ b/test/confs/5440
@@ -1,5 +1,5 @@
# Exim test configuration 5440
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
SERVER=
@@ -131,11 +131,12 @@ send_to_server_crypt:
tls_verify_certificates = CA2
tls_try_verify_hosts = *
-# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
+# Fail due to lack of correct CA
send_to_server_req_fail:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
@@ -144,29 +145,31 @@ send_to_server_req_fail:
tls_verify_hosts = *
# this will fail to verify the cert name and fallback to unencrypted
+# fail because the cert is "server1.example.com" and the test system is something else
send_to_server_req_failname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
- tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *
# this will pass the cert verify including name check
+# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
send_to_server_req_passname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = server1.example.com
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
- tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *
# End
diff --git a/test/confs/5450 b/test/confs/5450
index e737cf36d..dd42a3fb1 100644
--- a/test/confs/5450
+++ b/test/confs/5450
@@ -1,5 +1,5 @@
# Exim test configuration 5450
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
SERVER=
@@ -131,11 +131,12 @@ send_to_server_crypt:
tls_verify_certificates = CA2
tls_try_verify_hosts = *
-# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
+# Fail due to lack of correct CA
send_to_server_req_fail:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
@@ -144,29 +145,31 @@ send_to_server_req_fail:
tls_verify_hosts = *
# this will fail to verify the cert name and fallback to unencrypted
+# fail because the cert is "server1.example.com" and the test system is something else
send_to_server_req_failname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
- tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *
# this will pass the cert verify including name check
+# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
send_to_server_req_passname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = server1.example.com
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
- tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *
# End
diff --git a/test/log/5440 b/test/log/5440
index b90e6edb3..f084e82a9 100644
--- a/test/log/5440
+++ b/test/log/5440
@@ -1,11 +1,11 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed)
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/log/5450 b/test/log/5450
index 243215335..d56307a19 100644
--- a/test/log/5450
+++ b/test/log/5450
@@ -3,17 +3,17 @@
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com"
-1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/scripts/5440-certnames-GnuTLS/5440 b/test/scripts/5440-certnames-GnuTLS/5440
index fea9551c0..2a61eb1d0 100644
--- a/test/scripts/5440-certnames-GnuTLS/5440
+++ b/test/scripts/5440-certnames-GnuTLS/5440
@@ -1,10 +1,12 @@
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
gnutls
exim -DSERVER=server -bd -oX PORT_D
****
+# this will fail to verify the cert name and fallback to unencrypted
exim userr@test.ex
Testing
****
+# this will pass the cert verify including name check
exim users@test.ex
Testing
****
diff --git a/test/scripts/5450-certnames-OpenSSL/5450 b/test/scripts/5450-certnames-OpenSSL/5450
index c94d1a5b2..5359096b1 100644
--- a/test/scripts/5450-certnames-OpenSSL/5450
+++ b/test/scripts/5450-certnames-OpenSSL/5450
@@ -1,12 +1,15 @@
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
exim -DSERVER=server -bd -oX PORT_D
****
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
exim userq@test.ex
Testing
****
+# this will fail to verify the cert name and fallback to unencrypted
exim userr@test.ex
Testing
****
+# this will pass the cert verify including name check
exim users@test.ex
Testing
****