summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/doc-docbook/spec.xfpt21
-rw-r--r--doc/doc-txt/ChangeLog3
-rw-r--r--src/src/deliver.c21
-rw-r--r--src/src/tls-gnu.c19
-rw-r--r--src/src/verify.c4
l---------test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.01
l---------test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.01
-rwxr-xr-xtest/aux-fixed/exim-ca/genall12
-rw-r--r--test/confs/203273
-rw-r--r--test/confs/213274
-rw-r--r--test/log/213220
-rw-r--r--test/mail/2132.CALLER36
-rw-r--r--test/scripts/2000-GnuTLS/203295
-rw-r--r--test/scripts/2100-OpenSSL/213291
-rw-r--r--test/stderr/213210
-rw-r--r--test/stdout/2132205
-rw-r--r--test/stdout/34501
-rw-r--r--test/stdout/34542
18 files changed, 664 insertions, 25 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 9cfc06ca5..e3df0854e 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16484,9 +16484,11 @@ See &%tls_verify_hosts%& below.
The value of this option is expanded, and must then be the absolute path to
a file containing permitted certificates for clients that
match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you
-are using OpenSSL, you can set &%tls_verify_certificates%& to the name of a
-directory containing certificate files. This does not work with GnuTLS; the
-option must be set to the name of a single file if you are using GnuTLS.
+are using either GnuTLS version 3.3.6 (or later) or OpenSSL,
+you can set &%tls_verify_certificates%& to the name of a
+directory containing certificate files.
+For earlier versions of GnuTLS
+the option must be set to the name of a single file.
These certificates should be for the certificate authorities trusted, rather
than the public cert of individual clients. With both OpenSSL and GnuTLS, if
@@ -23432,10 +23434,14 @@ certificate verification succeeds.
.vindex "&$host_address$&"
The value of this option must be the absolute path to a file containing
permitted server certificates, for use when setting up an encrypted connection.
-Alternatively, if you are using OpenSSL, you can set
+Alternatively,
+if you are using either GnuTLS version 3.3.6 (or later) or OpenSSL,
+you can set
&%tls_verify_certificates%& to the name of a directory containing certificate
-files. This does not work with GnuTLS; the option must be set to the name of a
-single file if you are using GnuTLS. The values of &$host$& and
+files.
+For earlier versions of GnuTLS the option must be set to the name of a
+single file.
+The values of &$host$& and
&$host_address$& are set to the name and address of the server during the
expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS.
@@ -25917,7 +25923,8 @@ There are some differences in usage when using GnuTLS instead of OpenSSL:
.ilist
The &%tls_verify_certificates%& option must contain the name of a file, not the
-name of a directory (for OpenSSL it can be either).
+name of a directory for GnuTLS versions before 3.3.6
+(for later versions, or OpenSSL, it can be either).
.next
The default value for &%tls_dhparam%& differs for historical reasons.
.next
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 0b03894b2..8b3dfe8c7 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -48,6 +48,9 @@ JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed
size buffer was used, resulting in syntax errors when an expansion
exceeded it.
+JH/07 Add support for directories of certificates when compiled with a GnuTLS
+ version 3.3.6 or later.
+
Exim version 4.84
-----------------
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 2ee69d37e..c6339c62f 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -2988,16 +2988,15 @@ while (!done)
to get all available data from pipe. unfinished has to be true
as well. */
if (remaining < required)
+ {
if (unfinished)
continue;
- else
- {
- msg = string_sprintf("failed to read pipe from transport process "
- "%d for transport %s: required size=%d > remaining size=%d and unfinished=false",
- pid, addr->transport->driver_name, required, remaining);
- done = TRUE;
- break;
- }
+ msg = string_sprintf("failed to read pipe from transport process "
+ "%d for transport %s: required size=%d > remaining size=%d and unfinished=false",
+ pid, addr->transport->driver_name, required, remaining);
+ done = TRUE;
+ break;
+ }
/* step behind the header */
ptr += PIPE_HEADER_SIZE;
@@ -3703,7 +3702,7 @@ if (size > 99999)
/* two write() calls would increase the complexity of reading from pipe */
/* convert size to human readable string prepended by id and subid */
-header_length = snprintf(writebuffer, PIPE_HEADER_SIZE+1, "%c%c%05d", id, subid, size);
+header_length = snprintf(CS writebuffer, PIPE_HEADER_SIZE+1, "%c%c%05d", id, subid, size);
if (header_length != PIPE_HEADER_SIZE)
{
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "header snprintf failed\n");
@@ -4342,9 +4341,9 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++)
#ifndef DISABLE_PRDR
if (addr->flags & af_prdr_used)
rmt_dlv_checked_write(fd, 'P', '0', NULL, 0);
- #endif
+#endif
- #ifdef EXPERIMENTAL_DSN
+#ifdef EXPERIMENTAL_DSN
memcpy(big_buffer, &addr->dsn_aware, sizeof(addr->dsn_aware));
rmt_dlv_checked_write(fd, 'D', '0', big_buffer, sizeof(addr->dsn_aware));
DEBUG(D_deliver) debug_printf("DSN write: addr->dsn_aware = %d\n", addr->dsn_aware);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 3043e3abc..14cdd12d4 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -51,6 +51,11 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
# warning "GnuTLS library version too old; TPDA tls:cert event unsupported"
# undef EXPERIMENTAL_TPDA
#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030306
+# define SUPPORT_CA_DIR
+#else
+# undef SUPPORT_CA_DIR
+#endif
#ifndef DISABLE_OCSP
# include <gnutls/ocsp.h>
@@ -884,6 +889,7 @@ if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
return DEFER;
}
+#ifndef SUPPORT_CA_DIR
/* The test suite passes in /dev/null; we could check for that path explicitly,
but who knows if someone has some weird FIFO which always dumps some certs, or
other weirdness. The thing we really want to check is that it's not a
@@ -899,6 +905,7 @@ if (S_ISDIR(statbuf.st_mode))
state->exp_tls_verify_certificates);
return DEFER;
}
+#endif
DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
state->exp_tls_verify_certificates, statbuf.st_size);
@@ -910,8 +917,18 @@ if (statbuf.st_size == 0)
return OK;
}
-cert_count = gnutls_certificate_set_x509_trust_file(state->x509_cred,
+cert_count =
+
+#ifdef SUPPORT_CA_DIR
+ (statbuf.st_mode & S_IFMT) == S_IFDIR
+ ?
+ gnutls_certificate_set_x509_trust_dir(state->x509_cred,
+ CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
+ :
+#endif
+ gnutls_certificate_set_x509_trust_file(state->x509_cred,
CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+
if (cert_count < 0)
{
rc = cert_count;
diff --git a/src/src/verify.c b/src/src/verify.c
index c25e6e257..29d7b1328 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -1044,9 +1044,7 @@ else
cutthrough_addr = *addr; /* Save the address_item for later logging */
cutthrough_addr.next = NULL;
cutthrough_addr.host_used = store_get(sizeof(host_item));
- cutthrough_addr.host_used->name = host->name;
- cutthrough_addr.host_used->address = host->address;
- cutthrough_addr.host_used->port = port;
+ *(cutthrough_addr.host_used) = *host;
if (addr->parent)
*(cutthrough_addr.parent = store_get(sizeof(address_item)))= *addr->parent;
ctblock.buffer = ctbuffer;
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0
new file mode 120000
index 000000000..0bc47166d
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0
@@ -0,0 +1 @@
+../../CA/CA.pem \ No newline at end of file
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0
new file mode 120000
index 000000000..890dffc23
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0
@@ -0,0 +1 @@
+../../CA/Signer.pem \ No newline at end of file
diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall
index 0e3feb25e..64e5a85b4 100755
--- a/test/aux-fixed/exim-ca/genall
+++ b/test/aux-fixed/exim-ca/genall
@@ -112,6 +112,18 @@ do
openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
done
+# Finally, a single certificate-directory
+cd example.com/server1.example.com
+mkdir -f certdir
+cd certdir
+f=../../CA/CA.pem
+h=`openssl x509 -hash -noout -in $f`
+ln -s $f $h.0
+f=../../CA/Signer.pem
+h=`openssl x509 -hash -noout -in $f`
+ln -s $f $h.0
+cd ../..
+
find example.* -type d -print0 | xargs -0 chmod 755
find example.* -type f -print0 | xargs -0 chmod 644
diff --git a/test/confs/2032 b/test/confs/2032
new file mode 100644
index 000000000..5a6099378
--- /dev/null
+++ b/test/confs/2032
@@ -0,0 +1,73 @@
+# Exim test configuration 2032 (close copy of 2002)
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
+
+tls_verify_hosts = HOSTIPV4
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/certdir
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept hosts = :
+ deny hosts = HOSTIPV4
+ !encrypted = AES256-SHA : \
+ AES256-GCM-SHA384 : \
+ IDEA-CBC-MD5 : \
+ DES-CBC3-SHA : \
+ DHE_RSA_AES_256_CBC_SHA1 : \
+ DHE_RSA_3DES_EDE_CBC_SHA : \
+ RSA_AES_256_CBC_SHA1
+ warn logwrite = ${if def:tls_in_ourcert \
+ {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
+ {We did not present a cert}}
+ accept condition = ${if !def:tls_in_peercert}
+ logwrite = Peer did not present a cert
+ accept logwrite = SN <${certextract {subject} {$tls_in_peercert}}>
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+ driver = accept
+ retry_use_local_part
+ transport = local_delivery
+ headers_add = tls-certificate-verified: $tls_certificate_verified
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+# End
diff --git a/test/confs/2132 b/test/confs/2132
new file mode 100644
index 000000000..069249322
--- /dev/null
+++ b/test/confs/2132
@@ -0,0 +1,74 @@
+# Exim test configuration 2132 (close copy of 2102)
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
+
+tls_verify_hosts = HOSTIPV4
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/certdir
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept hosts = :
+ deny hosts = HOSTIPV4
+ !encrypted = AES256-SHA : \
+ AES256-GCM-SHA384 : \
+ IDEA-CBC-MD5 : \
+ DES-CBC3-SHA : \
+ DHE-RSA-AES256-SHA : \
+ DHE-RSA-AES256-GCM-SHA384 : \
+ DHE_RSA_AES_256_CBC_SHA1 : \
+ DHE_RSA_3DES_EDE_CBC_SHA
+ warn logwrite = ${if def:tls_in_ourcert \
+ {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
+ {We did not present a cert}}
+ accept condition = ${if !def:tls_in_peercert}
+ logwrite = Peer did not present a cert
+ accept logwrite = SN <${certextract {subject} {$tls_in_peercert}}>
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+ driver = accept
+ retry_use_local_part
+ transport = local_delivery
+ headers_add = tls-certificate-verified: $tls_certificate_verified
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+# End
diff --git a/test/log/2132 b/test/log/2132
new file mode 100644
index 000000000..34633871f
--- /dev/null
+++ b/test/log/2132
@@ -0,0 +1,20 @@
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
+1999-03-02 09:44:33 SN <CN=server1.example.com>
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/mail/2132.CALLER b/test/mail/2132.CALLER
new file mode 100644
index 000000000..21b5e2c66
--- /dev/null
+++ b/test/mail/2132.CALLER
@@ -0,0 +1,36 @@
+From CALLER@test.ex Tue Mar 02 09:44:33 1999
+Received: from [127.0.0.1]
+ by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+ (Exim x.yz)
+ (envelope-from <CALLER@test.ex>)
+ id 10HmaX-0005vi-00
+ for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 0
+TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+
+This is a test encrypted message.
+
+From "name with spaces"@test.ex Tue Mar 02 09:44:33 1999
+Received: from [127.0.0.1]
+ by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+ (Exim x.yz)
+ (envelope-from <"name with spaces"@test.ex>)
+ id 10HmaY-0005vi-00
+ for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 0
+TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+
+This is a test encrypted message.
+
+From CALLER@test.ex Tue Mar 02 09:44:33 1999
+Received: from [ip4.ip4.ip4.ip4]
+ by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+ (Exim x.yz)
+ (envelope-from <CALLER@test.ex>)
+ id 10HmaZ-0005vi-00
+ for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 1
+TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/CN=server1.example.com
+
+This is a test encrypted message from a verified host.
+
diff --git a/test/scripts/2000-GnuTLS/2032 b/test/scripts/2000-GnuTLS/2032
new file mode 100644
index 000000000..88c0e8ac9
--- /dev/null
+++ b/test/scripts/2000-GnuTLS/2032
@@ -0,0 +1,95 @@
+# TLS server: server ca cert from directory
+# - tests all disabled until GnuTLS 3.3.6 (or later) is in common use
+# - or we get a library-version dependency mechanism in the testsuite
+#
+#gnutls
+#exim -DSERVER=server -bd -oX PORT_D
+#****
+#client-gnutls 127.0.0.1 PORT_D
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#mail from:<CALLER@test.ex>
+#??? 250
+#rcpt to:<CALLER@test.ex>
+#??? 250
+#DATA
+#??? 3
+#This is a test encrypted message.
+#.
+#??? 250
+#quit
+#??? 221
+#****
+#client-gnutls 127.0.0.1 PORT_D
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#mail from:<"name with spaces"@test.ex>
+#??? 250
+#rcpt to:<CALLER@test.ex>
+#??? 250
+#DATA
+#??? 3
+#This is a test encrypted message.
+#.
+#??? 250
+#quit
+#??? 221
+#****
+#client-gnutls HOSTIPV4 PORT_D
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#****
+#client-gnutls HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#mail from:<CALLER@test.ex>
+#??? 250
+#rcpt to:<CALLER@test.ex>
+#??? 250
+#DATA
+#??? 3
+#This is a test encrypted message from a verified host.
+#.
+#??? 250
+#quit
+#??? 221
+#****
+#killdaemon
+#exim -qf
+#****
+#exim -bh 10.0.0.1
+#starttls
+#quit
+#****
diff --git a/test/scripts/2100-OpenSSL/2132 b/test/scripts/2100-OpenSSL/2132
new file mode 100644
index 000000000..620a63f57
--- /dev/null
+++ b/test/scripts/2100-OpenSSL/2132
@@ -0,0 +1,91 @@
+# TLS server: server ca cert from directory
+exim -DSERVER=server -bd -oX PORT_D
+****
+client-ssl 127.0.0.1 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<CALLER@test.ex>
+??? 250
+rcpt to:<CALLER@test.ex>
+??? 250
+DATA
+??? 3
+This is a test encrypted message.
+.
+??? 250
+quit
+??? 221
+****
+client-ssl 127.0.0.1 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<"name with spaces"@test.ex>
+??? 250
+rcpt to:<CALLER@test.ex>
+??? 250
+DATA
+??? 3
+This is a test encrypted message.
+.
+??? 250
+quit
+??? 221
+****
+client-ssl HOSTIPV4 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+****
+client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<CALLER@test.ex>
+??? 250
+rcpt to:<CALLER@test.ex>
+??? 250
+DATA
+??? 3
+This is a test encrypted message from a verified host.
+.
+??? 250
+quit
+??? 221
+****
+killdaemon
+exim -qf
+****
+exim -bh 10.0.0.1
+starttls
+quit
+****
diff --git a/test/stderr/2132 b/test/stderr/2132
new file mode 100644
index 000000000..59f338294
--- /dev/null
+++ b/test/stderr/2132
@@ -0,0 +1,10 @@
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+
+******** SERVER ********
diff --git a/test/stdout/2132 b/test/stdout/2132
new file mode 100644
index 000000000..a9724e170
--- /dev/null
+++ b/test/stdout/2132
@@ -0,0 +1,205 @@
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaX-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<"name with spaces"@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaY-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read server session ticket A
+pppp:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:dddd:SSL alert number 40
+Failed to start TLS
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message from a verified host.
+>>> .
+??? 250
+<<< 250 OK id=10HmaZ-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+
+**** SMTP testing session as if from host 10.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+503 STARTTLS command used when not advertised
+221 myhost.test.ex closing connection
diff --git a/test/stdout/3450 b/test/stdout/3450
index 24b1f8bf9..bbb4db1c2 100644
--- a/test/stdout/3450
+++ b/test/stdout/3450
@@ -52,7 +52,6 @@ SSL info: before/connect initialization
SSL info: before/connect initialization
SSL info: SSLv3 read server hello A
SSL info: SSLv3 read server certificate A
-SSL info: SSLv3 read server key exchange A
SSL info: SSLv3 read server done A
SSL info: SSLv3 write client key exchange A
SSL info: SSLv3 write change cipher spec A
diff --git a/test/stdout/3454 b/test/stdout/3454
index 5cdb2a760..d60485e6c 100644
--- a/test/stdout/3454
+++ b/test/stdout/3454
@@ -24,7 +24,6 @@ SSL info: before/connect initialization
SSL info: before/connect initialization
SSL info: SSLv3 read server hello A
SSL info: SSLv3 read server certificate A
-SSL info: SSLv3 read server key exchange A
SSL info: SSLv3 read server done A
SSL info: SSLv3 write client key exchange A
SSL info: SSLv3 write change cipher spec A
@@ -65,7 +64,6 @@ SSL info: before/connect initialization
SSL info: before/connect initialization
SSL info: SSLv3 read server hello A
SSL info: SSLv3 read server certificate A
-SSL info: SSLv3 read server key exchange A
SSL info: SSLv3 read server done A
SSL info: SSLv3 write client key exchange A
SSL info: SSLv3 write change cipher spec A