-rw-r--r--src/src/lookups/dnsdb.c10
-rw-r--r--src/src/tls-gnu.c3
-rw-r--r--src/src/transports/smtp.c24
-rw-r--r--test/aux-fixed/cert.HOWTO4
-rw-r--r--test/aux-fixed/cert.config17
-rw-r--r--test/aux-fixed/cert197
-rw-r--r--test/confs/582267
-rw-r--r--test/confs/584264
-rw-r--r--test/dnszones-src/db.test.ex19
-rw-r--r--test/log/582220
-rw-r--r--test/log/584224
-rw-r--r--test/scripts/5820-DANE-GnuTLS/582219
-rw-r--r--test/scripts/5840-DANE-OpenSSL/584219
-rw-r--r--test/stderr/58428
-rw-r--r--test/stdout/58228
-rw-r--r--test/stdout/58428
16 files changed, 354 insertions, 57 deletions
diff --git a/src/src/lookups/dnsdb.c b/src/src/lookups/dnsdb.c
index a86338261..e75bd1edd 100644
--- a/src/src/lookups/dnsdb.c
+++ b/src/src/lookups/dnsdb.c
@@ -150,7 +150,7 @@ store as possible later, so we preallocate the result here */
gstring * yield = string_get(256);
-dns_record *rr;
+dns_record * rr;
dns_answer dnsa;
dns_scan dnss;
@@ -421,7 +421,7 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
else if (type == T_TLSA)
{
uint8_t usage, selector, matching_type;
- uint16_t i, payload_length;
+ uint16_t payload_length;
uschar s[MAX_TLSA_EXPANDED_SIZE];
uschar * sp = s;
uschar * p = US rr->data;
@@ -434,10 +434,8 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
selector, *outsep2, matching_type, *outsep2);
/* Now append the cert/identifier, one hex char at a time */
- for (i=0;
- i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
- i++)
- sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
+ while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+ sp += sprintf(CS sp, "%02x", *p++);
yield = string_cat(yield, s);
}
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index dfe09200b..c5ecf88f9 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1775,7 +1775,8 @@ goodcert:
#ifdef SUPPORT_DANE
tlsa_prob:
- *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc));
+ *errstr = string_sprintf("TLSA record problem: %s",
+ rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
#endif
badcert:
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 076375158..703ee563a 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1247,7 +1247,29 @@ switch (rc)
return DEFER; /* just defer this TLS'd conn */
case DNS_SUCCEED:
- if (sec) return OK;
+ if (sec)
+ {
+ DEBUG(D_transport)
+ {
+ dns_scan dnss;
+ dns_record * rr;
+ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+ rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_TLSA)
+ {
+ uint16_t payload_length = rr->size - 3;
+ uschar s[MAX_TLSA_EXPANDED_SIZE], * sp = s, * p = US rr->data;
+
+ sp += sprintf(CS sp, "%d ", *p++); /* usage */
+ sp += sprintf(CS sp, "%d ", *p++); /* selector */
+ sp += sprintf(CS sp, "%d ", *p++); /* matchtype */
+ while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+ sp += sprintf(CS sp, "%02x", *p++);
+
+ debug_printf(" %s\n", s);
+ }
+ }
+ return OK;
+ }
log_write(0, LOG_MAIN,
"DANE error: TLSA lookup for %s not DNSSEC", host->name);
/*FALLTRHOUGH*/
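Review bot: The new debug dump at `uint16_t payload_length = rr->size - 3;` has no length check: a TLSA RR whose rdata is shorter than 3 bytes (malformed, but still something the resolver can return) wraps `payload_length` to about 65533, and the three `*p++` header reads plus the hex loop then walk past `rr->data` up to the `MAX_TLSA_EXPANDED_SIZE` bound. Guarding the record selection, `if (rr->type == T_TLSA && rr->size >= 3)`, closes that and only drops debug output for a record DANE could not use anyway (assuming `rr->size` is the rdlength, which is how it is used here). The formatting is also a second copy of the loop in lookups/dnsdb.c's T_TLSA arm; a small shared helper that renders one TLSA RR into a fixed buffer would keep the two in step. The enclosing `switch (rc)` and its function start and end outside this hunk.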
diff --git a/test/aux-fixed/cert.HOWTO b/test/aux-fixed/cert.HOWTO
new file mode 100644
index 000000000..dab291548
--- /dev/null
+++ b/test/aux-fixed/cert.HOWTO
@@ -0,0 +1,4 @@
+openssl req -x509 -config cert.config -newkey rsa:2048 -keyout key.pem -out cert.pem -days 7000
+cat key.pem cert.pem > cert1
+# or cert2, as needed. Mind the day count above does not blow the Y2038 barrier.
+rm cert.pem key.pem
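Review bot: The recipe does not say that regenerating cert1 invalidates the DANE fixtures: the TLSA records added to test/dnszones-src/db.test.ex pin the SHA-256 of this exact certificate (`2 0 1`) and of its SubjectPublicKeyInfo (`2 1 1`, `3 1 1`), so anyone following these four lines silently breaks tests 5822 and 5842. Add a step after the `cat`, e.g. `# then recompute the TLSA hashes in test/dnszones-src/db.test.ex (see the 'tas:' comment there)`. Also `key.pem` is written unencrypted (`encrypt_key=no` in cert.config), which is fine for a test fixture but worth stating in the HOWTO so nobody reuses the recipe for a real key.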
diff --git a/test/aux-fixed/cert.config b/test/aux-fixed/cert.config
new file mode 100644
index 000000000..36be59f60
--- /dev/null
+++ b/test/aux-fixed/cert.config
@@ -0,0 +1,17 @@
+prompt=no
+encrypt_key=no
+default_bits=2048
+distinguished_name=fixed_dn
+x509_extensions=fixed_ex
+
+[ fixed_dn ]
+C=UK
+O=The Exim Maintainers
+OU=Test Suite
+CN=Phil Pennock
+
+[ fixed_ex ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=critical,CA:TRUE, pathlen:0
+subjectAltName=DNS:test.ex, DNS:*.test.ex
diff --git a/test/aux-fixed/cert1 b/test/aux-fixed/cert1
index 1323e39c9..b939fb9df 100644
--- a/test/aux-fixed/cert1
+++ b/test/aux-fixed/cert1
@@ -1,51 +1,50 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0dyUFZ7037DgtRfGoR0bVqUvCetxdZa42E3sLyZLviWRcKbY
-XyYD1M44zClRq6vGwQGLI0Hea4jlJdIftyr3SmuaerJt2frPVAKcHHAHJ7rOjkUT
-Kp+XHGjsinQg9Up6nz2Qo6Xdg0oPm8YRaMgIa1Qc75cWqzTn3++B5qaW2RtffYf7
-8c1OA958BHWyWlcZJNuJHYLR3CdqJb7ojtfcuCq3cWRRxJhyd/j1T51D+Xw6nGbe
-QovD2+oQ/TBTUuo3Zc2YCRE+PWIQMZakdbD335HjvVj1PAu6oBKQRdccactigkR9
-tBlBIxH0q1Uh1fOd+dgLSoccCK2HlnM/GOzcfwIDAQABAoIBAB71b1MRNAabzUpp
-y3+RD6tkit/nv8EdDv+53xHFkH7og+AefOTscrw9/9r+bXHp0VQ/qgr1eJ5cf5Fo
-wgz/ZaOw5AUdtV7mxRcbm3QGgse1oysRvZYYHO6v+9Ug9Iu7BQPgzSmXGmp3zn2o
-ZoESoUtUCUC/BTUUhPBgIMWp5a75OkaOS3fO3kSaGHPiqX1IbD8T6b7+ViR2qIwU
-LjwFNTBRjorL25VXCsfChGih5TUgR9jIJcGzN6QykCHV7D29AfkRuVrKMRLEM3VD
-3E0ObQfVRoXFEZR3fccJqU6E1Mg9BXbl+I9rwv3GUJXS7fXnmHKRhjzD1Dbo5Afv
-jnSPL+ECgYEA9hepWibJe8N3fSCb7Eqqi/Q8ufCQqnDSCrnY6WJpRIA79DKU7OFm
-3dct5pqXPUlaYC6TDQ8G0LAQL1knsuFejvV8v0y0mZspRbOg94EDTuQWp4oCIqWr
-MEYbiRVHXIg5OjylVAQLM1y9IF+n3aXQAUfcStFtiiM49vRJs9StcdsCgYEA2k+B
-lXN3UjZvwkDeZcjfCH1n0Rxrt0kZ7UbqEPZSz/77m9XIjWv32lpTDLecRdcR8KSx
-OKH24WSQXd7DTWn+DitfSwGJjiduU2c0p4eePzfK7Yeo0bMNVixvjUZt+w9ijkWH
-4CUVgo9TfuxdaTyYlmONk9JVLMeOwR8MdagVWy0CgYEAlpVn9Vgile7HoPNhNbeC
-oFz1A7oma4TZoeKSzkx/qYDmLsj8w+4w6bIPzjnuLXxDJvOY27bELtJtNOvTFOw+
-1i91BAHFyPBe0t3Vs11oTs/W5PHX2KeTFtjvZHR21DIvAmm1qLFIwUcQG00tBL2/
-h+kW7Vk1M//VjZdxue57q10CgYEAufZT+gzbrYp1dNFxIN8VLdQ1ZSmCkCSTE03/
-AOfy7v7TMZHQPrej77pVWFXnpo5n18dSt10wQhs55txlHUKWiVdk2y26EP+BuUYG
-0lZx9IQANooCwm51g9xiQcOm19/pIiwUbFjqk8anZ0zM3WIi0KiI50yaBYUQE23x
-XSAK4RkCgYBsPJiK2BGPvFNBJo6368SVgB1H2Bu9GPUpORdirbFuy/VanSEaAGIK
-vWjIOvEKnJd9NX430drAdD7hcx52fxdCsn97LSBi73Weqov4zNDadsLvTWhxlh+D
-b1SITBDYjxdm9oqv4Uj10l3Ft4/X0MN2aJ4+W3/cFTGL9pNlv21Daw==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDbSr1VPY2sW/7a
+g4GiBfBYXbO9NroHTBJqi831QwPsN5F2Tyx/dQ0vByiOP8nxSmIkQ/eZM6IS3jl0
+8H8jqamyipfSghrQC3QSgtRl6wp8TEfJpwxdDyKAV1zP+TiIEqWYJLc1tmRwQ72J
+0gXID7ME7TNDvek4Oo9BJJ2mtn0K9oY4Z6pvv5O+uljUxTryYbBtMtgMD5ZvL12b
+FiNkRhgx3XX+9vpWw5o6vKdKUbKwT7KhwvUSC1eKOFMBZthUpxxH+RbYyNET1qJU
+u4UrbNI1Wdwm+Cg7JkEdU1NcJbTP8CVR8Z1U7FkbhAD5HNHaTyVWO20MVYjXU/4B
+3bVHWhhNAgMBAAECggEAJY9KmIP/dQsYvqKRnIe539jExV7PRBqyeM9TSnPdAyON
+ZZ8v9vC8flaSirLASvS7lIyTpwjh9KtdWfsrO5d+ulbkpCimoQWlLtp7uK0mUZ3b
+Gd3jzzidZzAPdIuyNBRFiqaXPrrrvxLLLwTq+pY9ylU6V5r6jCfzi2vTGM/e4PaB
+Yo0YkQG9vFveCbGwG+v66ZIq8lH4CxjAfNOVXte+dKFdk6PnUSBMAq4B3n7eFjye
+5nMl9fwFHVtZyBZI59i/1hSLzCjE1j0BrvTlL8BftU5SdF5sYdi/9yvUPjiRnvHT
+ZPQPBH/hVzE52+VcRoWZ7vNjVaBzf/W5XkJsUc35/QKBgQDs/mSpWbiJxhGVRxuf
+DiBxDAw1x+BVHd0bWe8Wp850ooBOI0TQ+wwcegySBaDpATBI1ML/plv7cWJ1+0fi
+8AdG9VSDascH0OE8Y+OnHI2WDCJjRzwKPYvD+4LuQcrF6GDCdIrbitRfwdGGF7He
+gsRS7GFqXawijDkCYolutqgUjwKBgQDs4Otrf2KieW6q12a+3MuSONPhiuLHDUuE
+hCfX7hdSRSI4O6F9vZwkt7l9UluGW5E8cASIimfKoVfJj2m3sv6T33CacB1zQlLW
+TtZb414kJ0ExbdfgxcVSvLIk+H4DSBa17iF+v8mdjbpkgT0m11QTmpqgHQamwdo0
+qUEySQgLYwKBgQDj0cjCY1VaW+UbMzgCNnpJMeOq73FfYU3jtRh5FucIiA3/Dzhg
+DHUgCtN6q557XoEkAiNRzoItvFmCQQRhy4uzUrLjggnCIbHjc8KsKm6RBykndpro
+3TE2PNkoYGakyTX6uD2jvllZk9/un2iFFf/UFxeuQE3xCArlmAO1QjFhUQKBgQCb
+waVrEN71gK1xLqPDuoEtC6resik9w5M1doSQamDxWr4Ohb9BY+0JA7m3GvFNnmYY
+fHuuoHtw9Lg5s9BK1yqoZxKuqivjPugjPMGcuBuN4DXw345EoSaHqcXlo3OQitVM
+GWHy6v8SV0AJmCVypcIGBfHIeG2INw1Y9TYGb5kXiwKBgCDqpa46uROTxQW4CU12
+TuEPeGkojRqNf/f1OzTULwO71rKxZ7Hl2LWCkygX7Nn2XogrHhBTNEoAmDzxuC6g
+hGIoBak7P/GOcaiT2GFzsCgGjRIB8REOLywnl+KkLQI2FjOCztNtBdXwaCZo4/wa
+O1GQXNSW4Ktbr4eq/l+loftA
+-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIID8DCCAtigAwIBAgIJALYf3pBgPTGPMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
-BAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEGA1UECxMK
-VGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrMB4XDTEyMDUxNzE0NDYw
-M1oXDTMxMDUxMzE0NDYwM1owWDELMAkGA1UEBhMCVUsxHTAbBgNVBAoTFFRoZSBF
-eGltIE1haW50YWluZXJzMRMwEQYDVQQLEwpUZXN0IFN1aXRlMRUwEwYDVQQDEwxQ
-aGlsIFBlbm5vY2swggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDR3JQV
-nvTfsOC1F8ahHRtWpS8J63F1lrjYTewvJku+JZFwpthfJgPUzjjMKVGrq8bBAYsj
-Qd5riOUl0h+3KvdKa5p6sm3Z+s9UApwccAcnus6ORRMqn5ccaOyKdCD1SnqfPZCj
-pd2DSg+bxhFoyAhrVBzvlxarNOff74HmppbZG199h/vxzU4D3nwEdbJaVxkk24kd
-gtHcJ2olvuiO19y4KrdxZFHEmHJ3+PVPnUP5fDqcZt5Ci8Pb6hD9MFNS6jdlzZgJ
-ET49YhAxlqR1sPffkeO9WPU8C7qgEpBF1xxpy2KCRH20GUEjEfSrVSHV85352AtK
-hxwIrYeWcz8Y7Nx/AgMBAAGjgbwwgbkwHQYDVR0OBBYEFDZtAgvs96t7shvAZbPt
-YIzxz06fMIGJBgNVHSMEgYEwf4AUNm0CC+z3q3uyG8Bls+1gjPHPTp+hXKRaMFgx
-CzAJBgNVBAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEG
-A1UECxMKVGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrggkAth/ekGA9
-MY8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEANtHbMYqw3Ln07gif
-F11TyWuUzfZ1HAdj5x+ec/ZhOrMbXJwNnQnZzdESoiqk0C1fqNsog1ur9pzYxBJo
-92OpxkTxvBr2Wi2igfUPbMXWttKu5OFTU00Y8Lp6JEJjtw1zAQB1ka+/5xGYAPfC
-lL/a4RQygNb2e+Q+fOwWz8YZZ2hsidtc7UbH96Eu4489PipD8GXH0T2SY4VEtwUT
-g6uUJjZpznusPhc/uoq5vZVP9AU1EiU+KE55bRuP0QGKIGK3K5WfodKYvF76lhsG
-gLuqb/jVqZsQKcDSj0BGnlimvgEnydeXSYYIUJichEK7dTSjsAn40hUO2dFRMYTx
-W45BdA==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-----END CERTIFICATE-----
diff --git a/test/confs/5822 b/test/confs/5822
new file mode 100644
index 000000000..80a8ef43b
--- /dev/null
+++ b/test/confs/5822
@@ -0,0 +1,67 @@
+# Exim test configuration 5822
+# DANE/GnuTLS
+
+SERVER=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
+
+queue_run_in_order
+
+tls_advertise_hosts = *
+# needed to force generation
+tls_dhparam = historic
+
+tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = dnslookup
+ condition = ${if eq {SERVER}{}}
+ dnssec_request_domains = *
+ self = send
+ transport = send_to_server
+ errors_to = ""
+
+server:
+ driver = redirect
+ condition = ${if !eq {SERVER}{}}
+ data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+
+ hosts_try_dane = *
+ hosts_require_dane = HOSTIPV4
+ tls_verify_cert_hostnames = :
+ tls_try_verify_hosts = thishost.test.ex
+# tls_verify_certificates = CDIR2/ca_chain.pem
+
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
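Review bot: `tls_verify_cert_hostnames = :` switches hostname checking off for every host, yet cert1 is issued with `DNS:*.test.ex` (cert.config), so the `dane256*.test.ex` targets would match anyway; without a comment it is unclear whether this is a deliberate narrowing of the test to the DANE digest path or a leftover. If deliberate, say so next to the setting, e.g. `# name checks off: cert1 has DNS:*.test.ex, this test exercises only the TLSA match`; if not, drop the line so the test also covers the SAN check a real DANE-TA delivery performs. The same setting is repeated in confs/5842 and deserves the same comment there.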
diff --git a/test/confs/5842 b/test/confs/5842
new file mode 100644
index 000000000..be45e847c
--- /dev/null
+++ b/test/confs/5842
@@ -0,0 +1,64 @@
+# Exim test configuration 5822
+# DANE/OpenSSL
+
+SERVER=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
+
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = dnslookup
+ condition = ${if eq {SERVER}{}}
+ dnssec_request_domains = *
+ self = send
+ transport = send_to_server
+ errors_to = ""
+
+server:
+ driver = redirect
+ data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+
+ hosts_try_dane = *
+ hosts_require_dane = HOSTIPV4
+ tls_verify_cert_hostnames = :
+ tls_try_verify_hosts = thishost.test.ex
+# tls_verify_certificates = CDIR2/ca_chain.pem
+
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
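Review bot: The header comment says `# Exim test configuration 5822` but this file is 5842; change it to `# Exim test configuration 5842`. More importantly the `server:` router here lacks the `condition = ${if !eq {SERVER}{}}` that its twin in confs/5822 carries, so on the client side (SERVER empty) any address the `client` dnslookup router declines falls through to `:blackhole:` and is discarded instead of surfacing as a routing failure, which would turn a broken DANE lookup into a silent false pass. Adding the same condition keeps the two configurations parallel.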
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 492ee5df8..0efd1a28b 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -470,6 +470,25 @@ DNSSEC dane256tak A HOSTIPV4
DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 73e279c0f5f5a9ee9851bbbc39023603d7b266acfd0764419c3b07cc380b79f9
+; full MX, both TA & EE modes, cert is selfsigned
+; for testing an issue in the gnutls impl
+;
+; tas:
+; openssl x509 -in aux-fixed/cert1 -fingerprint -sha256 -noout \
+; | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
+;
+DNSSEC mxdane256tas MX 1 dane256tas
+DNSSEC dane256tas A HOSTIPV4
+DNSSEC _1225._tcp.dane256tas TLSA 2 0 1 34d3624101b954d667c1a5ac18078b196cd17fbd61e23df73249c1afab747124
+DNSSEC mxdane256task MX 1 dane256task
+DNSSEC dane256task A HOSTIPV4
+DNSSEC _1225._tcp.dane256task TLSA 2 1 1 c1241d8cc61401079437240467a47e21db921d3398883cd9bb038cc461d7beab
+DNSSEC mxdane256ees MX 1 dane256ees
+DNSSEC dane256ees A HOSTIPV4
+DNSSEC _1225._tcp.dane256ees TLSA 3 1 1 c1241d8cc61401079437240467a47e21db921d3398883cd9bb038cc461d7beab
+
+
+
; A multiple-return MX where all TLSA lookups defer
DNSSEC mxdanelazy MX 1 danelazy
DNSSEC MX 2 danelazy2
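Review bot: The `tas:` comment documents how the `2 0 1` digest (full certificate) was produced, but the value shared by `_1225._tcp.dane256task` (`2 1 1`) and `_1225._tcp.dane256ees` (`3 1 1`) is the SubjectPublicKeyInfo hash and its derivation is not recorded, so the next person to regenerate cert1 cannot reproduce it. Add alongside the existing recipe: `; spki (2 1 1 and 3 1 1 share it only because the selfsigned cert is both TA and EE):` followed by `; openssl x509 -in aux-fixed/cert1 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`. Spelling out that the two records coincide by construction also stops someone "fixing" the duplicate.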
diff --git a/test/log/5822 b/test/log/5822
new file mode 100644
index 000000000..43b032b13
--- /dev/null
+++ b/test/log/5822
@@ -0,0 +1,20 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256tas.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 DANE attempt failed; TLS connection to dane256tas.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaX-0005vi-00 !!SHOULD_WORK!! CALLER@mxdane256tas.test.ex R=client T=send_to_server defer (-37) H=dane256tas.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256task.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 DANE attempt failed; TLS connection to dane256task.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaY-0005vi-00 !!SHOULD_WORK!! CALLER@mxdane256task.test.ex R=client T=send_to_server defer (-37) H=dane256task.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@mxdane256ees.test.ex R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@mxdane256ees.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/5842 b/test/log/5842
new file mode 100644
index 000000000..1146cba34
--- /dev/null
+++ b/test/log/5842
@@ -0,0 +1,24 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256tas.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@mxdane256tas.test.ex R=client T=send_to_server H=dane256tas.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256task.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@mxdane256task.test.ex R=client T=send_to_server H=dane256task.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ees.test.ex R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@mxdane256tas.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@mxdane256tas.test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@mxdane256task.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@mxdane256task.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@mxdane256ees.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
diff --git a/test/scripts/5820-DANE-GnuTLS/5822 b/test/scripts/5820-DANE-GnuTLS/5822
new file mode 100644
index 000000000..9e565ab49
--- /dev/null
+++ b/test/scripts/5820-DANE-GnuTLS/5822
@@ -0,0 +1,19 @@
+# DANE server: selfsigned cert
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+### TLSA (2 0 1)
+exim -odf CALLER@mxdane256tas.test.ex
+Testing
+****
+### TLSA (2 1 1)
+exim -odf CALLER@mxdane256task.test.ex
+Testing
+****
+### TLSA (3 1 1)
+exim -odf CALLER@mxdane256ees.test.ex
+Testing
+****
+killdaemon
+#
+no_msglog_check
diff --git a/test/scripts/5840-DANE-OpenSSL/5842 b/test/scripts/5840-DANE-OpenSSL/5842
new file mode 100644
index 000000000..da9e4e3c7
--- /dev/null
+++ b/test/scripts/5840-DANE-OpenSSL/5842
@@ -0,0 +1,19 @@
+# DANE server: selfsigned and TA-mode
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+### TLSA (2 0 1)
+exim -odf CALLER@mxdane256tas.test.ex
+Testing
+****
+### TLSA (2 1 1)
+exim -odf CALLER@mxdane256task.test.ex
+Testing
+****
+### TLSA (3 1 1)
+exim -odf CALLER@mxdane256ees.test.ex
+Testing
+****
+killdaemon
+#
+no_msglog_check
diff --git a/test/stderr/5842 b/test/stderr/5842
new file mode 100644
index 000000000..ed5eb4f58
--- /dev/null
+++ b/test/stderr/5842
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
diff --git a/test/stdout/5822 b/test/stdout/5822
new file mode 100644
index 000000000..ed5eb4f58
--- /dev/null
+++ b/test/stdout/5822
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
diff --git a/test/stdout/5842 b/test/stdout/5842
new file mode 100644
index 000000000..ed5eb4f58
--- /dev/null
+++ b/test/stdout/5842
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)