diff options
-rw-r--r-- | test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem | 58 | ||||
-rwxr-xr-x | test/aux-fixed/exim-ca/genall | 10 | ||||
-rw-r--r-- | test/confs/5850 | 17 | ||||
-rw-r--r-- | test/dnszones-src/db.test.ex | 5 | ||||
-rw-r--r-- | test/log/5850 | 11 | ||||
-rw-r--r-- | test/scripts/5850-DANE-OpenSSL/5850 | 17 |
6 files changed, 113 insertions, 5 deletions
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem new file mode 100644 index 000000000..27ee5ef4f --- /dev/null +++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem @@ -0,0 +1,58 @@ +Bag Attributes + friendlyName: server1.example.com + localKeyID: 39 11 FB 30 22 36 42 DA FC D7 A2 8A 0C 60 83 2F 66 A7 B8 4E +subject=/CN=server1.example.com +issuer=/O=example.com/CN=clica Signing Cert +-----BEGIN CERTIFICATE----- +MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy +MzQwNVoXDTM4MDEwMTEyMzQwNVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl +LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyAGT263/ZlxGjPEi2BQj +DMa/86TF+zVzMfozEZNOLiX6Sov54fW5I0nXCm0CjACOelLa2Eos/vqffxu0w5hM +A8slRHrt0Gak7dJjwgKK/5NAQDrA+WnyJx/62u25299oCKk+egulCC0D3XczA89N +cLuz8iKvYnWT+rdnbFdAPdcCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMGUGA1Ud +EQReMFyCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLmNvbYIiYWx0ZXJu +YXRlbmFtZTIuc2VydmVyMS5leGFtcGxlLmNvbYITc2VydmVyMS5leGFtcGxlLmNv +bTANBgkqhkiG9w0BAQUFAAOBgQBWOqQ8y+u4J8KQCHQTiNxIxrUs5Sa+W5HUZ+c8 +SRLXRzDfmNtY7RiofUvbl0j1XH9wuTdjM/EkYnKSYPVu2ra8c8jC3NaVmr0WFqLv +CvHXQWj2rZha0P/ZG1GfWc4vPYTQ7ugr65syGg4CPswwiUQJKnWBRqe27X1B61pj ++pxY7w== +-----END CERTIFICATE----- +Bag Attributes + friendlyName: Signing Cert +subject=/O=example.com/CN=clica Signing Cert +issuer=/O=example.com/CN=clica CA +-----BEGIN CERTIFICATE----- +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= +-----END CERTIFICATE----- +Bag Attributes + friendlyName: Certificate Authority +subject=/O=example.com/CN=clica CA +issuer=/O=example.com/CN=clica CA +-----BEGIN CERTIFICATE----- +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw +MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh +tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX +Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02 +H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl +qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46 +eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z +RSHyhbTD0HeiJDI281BoOJjm +-----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall index d1901fe7e..0e3feb25e 100755 --- a/test/aux-fixed/exim-ca/genall +++ b/test/aux-fixed/exim-ca/genall @@ -17,6 +17,16 @@ do clica -D example.$tld -p password -s 201 -S server2.example.$tld clica -D example.$tld -p password -s 202 -S revoked2.example.$tld clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1 + + + # openssl seems to generate a file (ca_chain.pam) in an order it + # cannot then use (the key applies to the first cert in the file?). + # Generate a shuffled one. + cd example.$tld/server1.example.$tld + openssl pkcs12 -in server1.example.com.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys + cat server1.example.com.pem cacerts.pem > fullchain.pem + rm cacerts.pem + cd ../.. done # and loop again diff --git a/test/confs/5850 b/test/confs/5850 index b2c7cb7eb..c381ef616 100644 --- a/test/confs/5850 +++ b/test/confs/5850 @@ -24,9 +24,20 @@ queue_run_in_order tls_advertise_hosts = * # Set certificate only if server +CDIR1 = DIR/aux-fixed +CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -#tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_certificate = ${if eq {SERVER}{server} \ + {${if eq {DETAILS}{ta} \ + {CDIR2/fullchain.pem}\ + {CDIR1/cert1}}}\ + fail} + +tls_privatekey = ${if eq {SERVER}{server} \ + {${if eq {DETAILS}{ta} \ + {CDIR2/server1.example.com.unlocked.key}\ + {CDIR1/cert1}}}\ + fail} # ----- Routers ----- @@ -35,7 +46,7 @@ begin routers client: driver = dnslookup - condition = ${if eq {SERVER}{server}{no}{yes}} + condition = ${if eq {SERVER}{}} dnssec_request_domains = * self = send transport = send_to_server diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex index 5cc61fd8a..4ec367cc9 100644 --- a/test/dnszones-src/db.test.ex +++ b/test/dnszones-src/db.test.ex @@ -394,4 +394,9 @@ DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb5904 DNSSEC dane256ee A HOSTIPV4 DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3 +; full MX, sha256, TA-mode +DNSSEC mxdane256ta MX 1 dane256ta. +DNSSEC dane256ta A HOSTIPV4 +DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4 + ; End diff --git a/test/log/5850 b/test/log/5850 index 498137321..62dc13f02 100644 --- a/test/log/5850 +++ b/test/log/5850 @@ -6,6 +6,11 @@ 1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ta.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ta.test.ex R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 @@ -17,3 +22,9 @@ 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@mxdane512ee.test.ex> R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@mxdane256ta.test.ex> R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/scripts/5850-DANE-OpenSSL/5850 b/test/scripts/5850-DANE-OpenSSL/5850 index a021dee6e..814b4b0e8 100644 --- a/test/scripts/5850-DANE-OpenSSL/5850 +++ b/test/scripts/5850-DANE-OpenSSL/5850 @@ -1,6 +1,6 @@ # DANE client: general # -exim -DSERVER=server -bd -oX PORT_D +exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D **** # TLSA (3 1 1) exim CALLER@dane256ee.test.ex @@ -13,5 +13,18 @@ Testing exim -qf **** killdaemon -exim -DSERVER=server -DNOTDAEMON -qf +exim -DSERVER=server -DDETAILS=ee -DNOTDAEMON -qf +**** +# +# +exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D +**** +# TLSA (2 0 1) +exim CALLER@mxdane256ta.test.ex +Testing +**** +exim -qf +**** +killdaemon +exim -DSERVER=server -DDETAILS=ta -DNOTDAEMON -qf **** |