TLS: Deprecate RFC 5114 DH params. Bug 1895

author: Jeremy Harris <jgh146exb@wizmail.org> 2021-12-27 15:15:42 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2021-12-30 13:50:33 +0000
commit: ea98874e2a6a5aee2d512f3246f7d3c19c2ec63d (patch)
tree: da83f088e3eb0c6afd9a68c04d633bf95a2bd2b5 /test
parent: ef8a2428cfe2ba86715e8dc1f966f9532ff5d190 (diff)
13 files changed, 180 insertions, 80 deletions
diff --git a/test/confs/2049 b/test/confs/2049
new file mode 100644
index 000000000..4b6bf9b39
--- /dev/null
+++ b/test/confs/2049
@@ -0,0 +1,54 @@
+# Exim test configuration 2049
+
+SERVER =
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+tls_advertise_hosts = *
+tls_certificate = DIR/aux-fixed/cert1
+tls_dhparam = ${if eq {SERVER}{server}{DATA}fail}
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if eq {SERVER}{server}{no}{yes}}
+  retry_use_local_part
+  transport = send_to_server
+
+server:
+  driver = accept
+  retry_use_local_part
+  transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  create_file = DIR/test-mail
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+send_to_server:
+  driver = smtp
+  allow_localhost
+  hosts = 127.0.0.1
+  port = PORT_D
+  hosts_try_fastopen =	:
+  tls_verify_certificates =	DIR/aux-fixed/cert1
+  tls_verify_cert_hostnames =	:
+
+# End
diff --git a/test/log/2049 b/test/log/2049
new file mode 100644
index 000000000..90674743e
--- /dev/null
+++ b/test/log/2049
@@ -0,0 +1,39 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userw@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbD-0005vi-00 => usera@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 => userb@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userw <userw@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => userz <userz@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike24' used
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 => usera <usera@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 => userb <userb@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
diff --git a/test/log/2149 b/test/log/2149
index 4b7e651b0..ea1c7e454 100644
--- a/test/log/2149
+++ b/test/log/2149
@@ -10,6 +10,12 @@
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbD-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 => usera@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbH-0005vi-00 => userb@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbI-0005vi-00"
+1999-03-02 09:44:33 10HmbH-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
@@ -29,3 +35,14 @@
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 => userz <userz@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike24' used
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 => usera <usera@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
+1999-03-02 09:44:33 TLS error (D-H param setting 'ike22'): error:xxxxxxxx:SSL routines::dh key too small
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbH-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbI-0005vi-00 => userb <userb@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbI-0005vi-00 Completed
diff --git a/test/mail/2149.userw b/test/mail/2149.userw
deleted file mode 100644
index 5e571319d..000000000
--- a/test/mail/2149.userw
+++ /dev/null
@@ -1,20 +0,0 @@
-From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
-Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx)
-	(Exim x.yz)
-	(envelope-from <CALLER@myhost.test.ex>)
-	id 10HmaY-0005vi-00
-	for userw@test.ex;
-	Tue, 2 Mar 1999 09:44:33 +0000
-Received: from CALLER by myhost.test.ex with local (Exim x.yz)
-	(envelope-from <CALLER@myhost.test.ex>)
-	id 10HmaX-0005vi-00
-	for userw@test.ex;
-	Tue, 2 Mar 1999 09:44:33 +0000
-Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
-From: CALLER_NAME <CALLER@myhost.test.ex>
-Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn=
-
-Test message
-
diff --git a/test/mail/2149.userx b/test/mail/2149.userx
deleted file mode 100644
index fa117a23e..000000000
--- a/test/mail/2149.userx
+++ /dev/null
@@ -1,20 +0,0 @@
-From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
-Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx)
-	(Exim x.yz)
-	(envelope-from <CALLER@myhost.test.ex>)
-	id 10HmbA-0005vi-00
-	for userx@test.ex;
-	Tue, 2 Mar 1999 09:44:33 +0000
-Received: from CALLER by myhost.test.ex with local (Exim x.yz)
-	(envelope-from <CALLER@myhost.test.ex>)
-	id 10HmaZ-0005vi-00
-	for userx@test.ex;
-	Tue, 2 Mar 1999 09:44:33 +0000
-Message-Id: <E10HmaZ-0005vi-00@myhost.test.ex>
-From: CALLER_NAME <CALLER@myhost.test.ex>
-Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn=
-
-Test message
-
diff --git a/test/mail/2149.usery b/test/mail/2149.usery
deleted file mode 100644
index 1cf700b26..000000000
--- a/test/mail/2149.usery
+++ /dev/null
@@ -1,20 +0,0 @@
-From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
-Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx)
-	(Exim x.yz)
-	(envelope-from <CALLER@myhost.test.ex>)
-	id 10HmbC-0005vi-00
-	for usery@test.ex;
-	Tue, 2 Mar 1999 09:44:33 +0000
-Received: from CALLER by myhost.test.ex with local (Exim x.yz)
-	(envelope-from <CALLER@myhost.test.ex>)
-	id 10HmbB-0005vi-00
-	for usery@test.ex;
-	Tue, 2 Mar 1999 09:44:33 +0000
-Message-Id: <E10HmbB-0005vi-00@myhost.test.ex>
-From: CALLER_NAME <CALLER@myhost.test.ex>
-Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn=
-
-Test message
-
diff --git a/test/mail/2149.userz b/test/mail/2149.userz
deleted file mode 100644
index a09b0f05d..000000000
--- a/test/mail/2149.userz
+++ /dev/null
@@ -1,20 +0,0 @@
-From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
-Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-	by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx)
-	(Exim x.yz)
-	(envelope-from <CALLER@myhost.test.ex>)
-	id 10HmbE-0005vi-00
-	for userz@test.ex;
-	Tue, 2 Mar 1999 09:44:33 +0000
-Received: from CALLER by myhost.test.ex with local (Exim x.yz)
-	(envelope-from <CALLER@myhost.test.ex>)
-	id 10HmbD-0005vi-00
-	for userz@test.ex;
-	Tue, 2 Mar 1999 09:44:33 +0000
-Message-Id: <E10HmbD-0005vi-00@myhost.test.ex>
-From: CALLER_NAME <CALLER@myhost.test.ex>
-Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn=
-
-Test message
-
diff --git a/test/paniclog/2049 b/test/paniclog/2049
new file mode 100644
index 000000000..e08849638
--- /dev/null
+++ b/test/paniclog/2049
@@ -0,0 +1,3 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
diff --git a/test/paniclog/2149 b/test/paniclog/2149
index 2221cd458..dff86ef7c 100644
--- a/test/paniclog/2149
+++ b/test/paniclog/2149
@@ -1,3 +1,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 TLS error (D-H param setting 'TESTSUITE/aux-fixed/dh512'): error:xxxxxxxx:SSL routines::dh key too small
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
+1999-03-02 09:44:33 TLS error (D-H param setting 'ike22'): error:xxxxxxxx:SSL routines::dh key too small
diff --git a/test/scripts/2000-GnuTLS/2049 b/test/scripts/2000-GnuTLS/2049
new file mode 100644
index 000000000..e66d952ab
--- /dev/null
+++ b/test/scripts/2000-GnuTLS/2049
@@ -0,0 +1,43 @@
+# TLS: DH ciphers for GnuTLS
+#
+# DH param from file
+exim -DSERVER=server -DDATA=DIR/aux-fixed/dh2048 -bd -oX PORT_D
+****
+exim -odf userw@test.ex
+Test message
+****
+killdaemon
+#
+# Too-big DH param (vs. tls_dh_max_bits), from file
+exim -DSERVER=server -DDATA=DIR/aux-fixed/dh3072 -bd -oX PORT_D
+****
+exim -odf userx@test.ex
+Test message
+****
+killdaemon
+#
+#
+# Named DH-param
+exim -DSERVER=server -DDATA=ffdhe2048 -bd -oX PORT_D
+****
+exim -odf userz@test.ex
+Test message
+****
+killdaemon
+#
+# Named DH-param, logged deprecation
+exim -DSERVER=server -DDATA=ike24 -bd -oX PORT_D
+****
+exim -odf usera@test.ex
+Test message
+****
+killdaemon
+#
+# Named DH-param, panic-logged deprecation
+exim -DSERVER=server -DDATA=ike22 -bd -oX PORT_D
+****
+exim -odf userb@test.ex
+Test message
+****
+killdaemon
+no_message_check
diff --git a/test/scripts/2100-OpenSSL/2149 b/test/scripts/2100-OpenSSL/2149
index 4435fca19..b8ff65560 100644
--- a/test/scripts/2100-OpenSSL/2149
+++ b/test/scripts/2100-OpenSSL/2149
@@ -31,3 +31,20 @@ exim -odf userz@test.ex
 Test message
 ****
 killdaemon
+#
+# Named DH-param, logged deprecation
+exim -DSERVER=server -DDATA=ike24 -bd -oX PORT_D
+****
+exim -odf usera@test.ex
+Test message
+****
+killdaemon
+#
+# Named DH-param, panic-logged deprecation
+exim -DSERVER=server -DDATA=ike22 -bd -oX PORT_D
+****
+exim -odf userb@test.ex
+Test message
+****
+killdaemon
+no_message_check
diff --git a/test/stderr/2049 b/test/stderr/2049
new file mode 100644
index 000000000..e08849638
--- /dev/null
+++ b/test/stderr/2049
@@ -0,0 +1,3 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
diff --git a/test/stderr/2149 b/test/stderr/2149
index 2221cd458..dff86ef7c 100644
--- a/test/stderr/2149
+++ b/test/stderr/2149
@@ -1,3 +1,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 TLS error (D-H param setting 'TESTSUITE/aux-fixed/dh512'): error:xxxxxxxx:SSL routines::dh key too small
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
+1999-03-02 09:44:33 TLS error (D-H param setting 'ike22'): error:xxxxxxxx:SSL routines::dh key too small
author	Jeremy Harris <jgh146exb@wizmail.org>	2021-12-27 15:15:42 +0000
committer	Jeremy Harris <jgh146exb@wizmail.org>	2021-12-30 13:50:33 +0000
commit	ea98874e2a6a5aee2d512f3246f7d3c19c2ec63d (patch)
tree	da83f088e3eb0c6afd9a68c04d633bf95a2bd2b5 /test
parent	ef8a2428cfe2ba86715e8dc1f966f9532ff5d190 (diff)