diff options
Diffstat (limited to 'test')
| -rw-r--r-- | test/aux-fixed/exim-ca/example.com/CA/CA.ocsp.signernocert.good.resp.pem | 31 | ||||
| -rw-r--r-- | test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.good.resp.pem | 31 | ||||
| -rw-r--r-- | test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.revoked.resp.pem | 33 | ||||
| -rw-r--r-- | test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt | 1 | ||||
| -rw-r--r-- | test/aux-fixed/exim-ca/example.com/CA/index.valid.txt | 2 | ||||
| -rwxr-xr-x | test/aux-fixed/exim-ca/genall | 60 | ||||
| -rw-r--r-- | test/aux-var-src/tls_conf_prefix | 2 | ||||
| -rw-r--r-- | test/confs/5655 (renamed from test/confs/5653) | 38 | ||||
| -rw-r--r-- | test/log/5653 | 9 | ||||
| -rw-r--r-- | test/log/5655 | 27 | ||||
| -rw-r--r-- | test/scripts/5655-OCSP-GnuTLS-1.3/5655 | 59 | ||||
| -rw-r--r-- | test/scripts/5655-OCSP-GnuTLS-1.3/REQUIRES | 4 |
12 files changed, 276 insertions, 21 deletions
diff --git a/test/aux-fixed/exim-ca/example.com/CA/CA.ocsp.signernocert.good.resp.pem b/test/aux-fixed/exim-ca/example.com/CA/CA.ocsp.signernocert.good.resp.pem new file mode 100644 index 000000000..6b5d6217e --- /dev/null +++ b/test/aux-fixed/exim-ca/example.com/CA/CA.ocsp.signernocert.good.resp.pem @@ -0,0 +1,31 @@ +OCSP Response Information: + Response Status: Successful + Response Type: Basic OCSP Response + Version: 1 + Responder ID: CN=clica CA rsa,O=example.com + Produced At: Thu Sep 26 12:14:05 UTC 2019 + Responses: + Certificate ID: + Hash Algorithm: SHA256 + Issuer Name Hash: bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109 + Issuer Key Hash: 208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12 + Serial Number: 41 + Certificate Status: good + This Update: Thu Sep 26 12:14:05 UTC 2019 + Next Update: Tue Sep 25 12:14:05 UTC 2029 + Extensions: + Signature Algorithm: RSA-SHA256 + +-----BEGIN OCSP RESPONSE----- +MIIB+goBAKCCAfMwggHvBgkrBgEFBQcwAQEEggHgMIIB3DCBxaEvMC0xFDASBgNV +BAoTC2V4YW1wbGUuY29tMRUwEwYDVQQDEwxjbGljYSBDQSByc2EYDzIwMTkwOTI2 +MTIxNDA1WjCBgDB+MFYwDQYJYIZIAWUDBAIBBQAEIL+nJ1pWbv1L4t+C29nRKQ1H +AYb2/yrNjBZlnzQqtWEJBCAgj50ox8C8kUFE36jAvj1bO/zrtiLIqNwn6GX8BsoO +EgIBQYAAGA8yMDE5MDkyNjEyMTQwNVqgERgPMjAyOTA5MjUxMjE0MDVaMA0GCSqG +SIb3DQEBCwUAA4IBAQAIVtY+mV3cbK0Z/itrRAJKrQGjWz4nUKK2t84KN/K/NxJd +oDvgN9sp4qp8P0RDE/fwqDLTNp35/7vHPaSB5Bi+L6U2aUwz46LJsX0/q6DuprE+ +e6Z8rOrfycACBY18h8X3foCJwP3/Igon1B7ERbJHYKut77eXJh8EEpxQDxYaDdoj +d0aFylyMjNH5Cm1nSkksC0islm5sk+ggEZjOnvM6y6ZzlPHl1nyI6TOWrTSoqm69 +mK2Gf9V59oHJPSM3OaVWL5OoUIZ57RrtDdxs3H3HO8QNPCSJY80Dk2uwpZICzYP3 +ko2KEu5rKChZ74PB59D6wAuUTEYdzF08s9waWL1m +-----END OCSP RESPONSE----- diff --git a/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.good.resp.pem b/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.good.resp.pem new file mode 100644 index 000000000..5a44d61af --- /dev/null +++ b/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.good.resp.pem @@ -0,0 +1,31 @@ +OCSP Response Information: + Response Status: Successful + Response Type: Basic OCSP Response + Version: 1 + Responder ID: CN=clica CA rsa,O=example.com + Produced At: Wed Sep 25 16:52:00 UTC 2019 + Responses: + Certificate ID: + Hash Algorithm: SHA256 + Issuer Name Hash: bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109 + Issuer Key Hash: 208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12 + Serial Number: 42 + Certificate Status: good + This Update: Wed Sep 25 16:52:00 UTC 2019 + Next Update: Mon Sep 24 16:52:00 UTC 2029 + Extensions: + Signature Algorithm: RSA-SHA256 + +-----BEGIN OCSP RESPONSE----- +MIIB+goBAKCCAfMwggHvBgkrBgEFBQcwAQEEggHgMIIB3DCBxaEvMC0xFDASBgNV +BAoTC2V4YW1wbGUuY29tMRUwEwYDVQQDEwxjbGljYSBDQSByc2EYDzIwMTkwOTI1 +MTY1MjAwWjCBgDB+MFYwDQYJYIZIAWUDBAIBBQAEIL+nJ1pWbv1L4t+C29nRKQ1H +AYb2/yrNjBZlnzQqtWEJBCAgj50ox8C8kUFE36jAvj1bO/zrtiLIqNwn6GX8BsoO +EgIBQoAAGA8yMDE5MDkyNTE2NTIwMFqgERgPMjAyOTA5MjQxNjUyMDBaMA0GCSqG +SIb3DQEBCwUAA4IBAQAD/6WpB4+oK4S81aIp48J0CPqqPkd2tMBaAHZQ+0FG2A9c +8VPPjWfVhTYikeILbVukABNpcP5G3bWOiTrYK0bp2f+Wf3NQyiP+VXj0pGmnX4lI +Jwwg0ZvejHddoU192DTYu+fjj80YVOv09VHoehLsnsYPe16nW+2Ul2eDJ5IQv1qo +5PUjRqc1X8W0ixAR34zXnkO+tDbpkGtUo/WcGt0zVxmoqXwvWsEG65PN/OYS2rEu +q5TkTweFZllPdNfRJAXHBlZf1ndA9XpTzp4U/RGlWHP4Mp92BH9Ry50admEvObCe +ayhmuSWTc/8mrunDn+qidRFYccHtDTeoAy2XRnGA +-----END OCSP RESPONSE----- diff --git a/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.revoked.resp.pem b/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.revoked.resp.pem new file mode 100644 index 000000000..dfbed044e --- /dev/null +++ b/test/aux-fixed/exim-ca/example.com/CA/Signer.ocsp.signernocert.revoked.resp.pem @@ -0,0 +1,33 @@ +OCSP Response Information: + Response Status: Successful + Response Type: Basic OCSP Response + Version: 1 + Responder ID: CN=clica CA rsa,O=example.com + Produced At: Thu Sep 26 07:51:09 UTC 2019 + Responses: + Certificate ID: + Hash Algorithm: SHA256 + Issuer Name Hash: bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109 + Issuer Key Hash: 208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12 + Serial Number: 42 + Certificate Status: revoked + Revocation time: Mon Feb 01 14:27:09 UTC 2010 + This Update: Thu Sep 26 07:51:09 UTC 2019 + Next Update: Tue Sep 25 07:51:09 UTC 2029 + Extensions: + Signature Algorithm: RSA-SHA256 + +-----BEGIN OCSP RESPONSE----- +MIICEQoBAKCCAgowggIGBgkrBgEFBQcwAQEEggH3MIIB8zCB3KEvMC0xFDASBgNV +BAoTC2V4YW1wbGUuY29tMRUwEwYDVQQDEwxjbGljYSBDQSByc2EYDzIwMTkwOTI2 +MDc1MTA5WjCBlzCBlDBWMA0GCWCGSAFlAwQCAQUABCC/pydaVm79S+LfgtvZ0SkN +RwGG9v8qzYwWZZ80KrVhCQQgII+dKMfAvJFBRN+owL49Wzv867YiyKjcJ+hl/AbK +DhICAUKhFhgPMjAxMDAyMDExNDI3MDlaoAMKAQQYDzIwMTkwOTI2MDc1MTA5WqAR +GA8yMDI5MDkyNTA3NTEwOVowDQYJKoZIhvcNAQELBQADggEBABxA6J6zKoEXgmgG +/I1hZc08x4T8WibqkGhS/1hcq66STgqYY1m3GmaOHQiwHhxsZzAUfOp1wChNgRCI +x2pFp5rsQCZPvSL244SaTRqSK6eFONnic+s7nND3b/DZuelx3Zq1y/vrg+WaNxxt +HWC1sRk2c/jAMqdHbH5obXzWB88qN8dh9Xwi8VXYCFlKjlURa6q6z5b5jhPI1BDW +oLK66ZIzSxryPGu/70EWUAAMub5NAMhGi0Vf1eoIl87PMKQRaGTkwgKe3KgqU+o9 +Oa15HFRL0iFaVBxdYEQyy/MW6iSA+1KiyqSpWEZxCvisKjUTVopx/BiVb9sEpvwE +yRNnGe8= +-----END OCSP RESPONSE----- diff --git a/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt b/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt index d69d74d0c..4670f59f0 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt +++ b/test/aux-fixed/exim-ca/example.com/CA/index.revoked.txt @@ -4,3 +4,4 @@ R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.com R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.com R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.com R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.com +R 130110200751Z 100201142709Z,superseded 42 unknown CN=clica Signing Cert rsa diff --git a/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt b/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt index 126acf7e4..61dc8ac70 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt +++ b/test/aux-fixed/exim-ca/example.com/CA/index.valid.txt @@ -4,3 +4,5 @@ V 130110200751Z 67 unknown CN=expired1.example.com V 130110200751Z c9 unknown CN=server2.example.com V 130110200751Z ca unknown CN=revoked2.example.com V 130110200751Z cb unknown CN=expired2.example.com +V 130110200751Z 42 unknown CN=clica Signing Cert rsa +V 130110200751Z 41 unknown CN=clica CA rsa diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall index a5e51e3e5..9904cfa6f 100755 --- a/test/aux-fixed/exim-ca/genall +++ b/test/aux-fixed/exim-ca/genall @@ -26,6 +26,14 @@ do rm -fr "$idir" # create CA cert + templates + # -D dir to work in + # -p passwd for cert + # -B keysize in bits + # -I create CA cert + # -N org name + # -F create sub-signing cert + # -C CRL + # -O create OCSP responder cert clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/ # create server certs @@ -67,8 +75,15 @@ do #### + # so, for full-chain OCSP we sill want an OCSP resp for the Signer cert and also (?) one for the + # CA cert itself. The existing bits below only create for the leaf certs, next layer down. + # + # First test will be just adding OCSP for the Signer cert. Presumably we could use the CA cert + # to sign that. + # create OCSP reqs & resps CADIR=$idir/CA + #give ourselves an OSCP key to work with pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key @@ -77,12 +92,17 @@ do pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key + # ditto for CA + # - the "-n names" here appear to be hardcoded in clica + pk12util -o $CADIR/CA.p12 -n 'Certificate Authority rsa' -d $CADIR -K password -W password + openssl pkcs12 -in $CADIR/CA.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/CA.key + # create some index files for the ocsp responder to work with -# tab-sep +# tab-sep, and fields can be empty # 0: Revoked/Expired/Valid letter # 1: Expiry date (ASN1_UTCTIME) # 2: Revocation date -# 3: Serial no. (unique) +# 3: Serial no. (unique, in hex) # 4: file # 5: DN, index @@ -93,6 +113,8 @@ V 130110200751Z 67 unknown CN=expired1.$iname V 130110200751Z c9 unknown CN=server2.$iname V 130110200751Z ca unknown CN=revoked2.$iname V 130110200751Z cb unknown CN=expired2.$iname +V 130110200751Z 42 unknown CN=clica Signing Cert rsa +V 130110200751Z 41 unknown CN=clica CA rsa EOF cat >$CADIR/index.revoked.txt <<EOF R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.$iname @@ -101,9 +123,10 @@ R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.$iname R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.$iname R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.$iname R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.$iname +R 130110200751Z 100201142709Z,superseded 42 unknown CN=clica Signing Cert rsa EOF - # Now create all the ocsp requests and responses + # Now create all the ocsp requests and responses for the leaf certs IVALID="-index $CADIR/index.valid.txt" IREVOKED="-index $CADIR/index.revoked.txt" @@ -116,6 +139,8 @@ EOF openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req REQIN="-reqin $SPFX.ocsp.req" + # These ones get used by the "traditional" testcases. OCSP resp signed by a cert which is + # signed by the signer of the leaf-cert being attested to. OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify" openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.dated.resp @@ -126,11 +151,40 @@ EOF openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signer.dated.resp openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.revoked.resp + # These ones get used by the "LetsEncrypt mode" testcases. OCSP resp is signed directly by the + # signer of the leaf-cert being attested to. OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify" openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.good.resp openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signernocert.dated.resp openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp done + + # convert one good leaf-resp to PEM + $server=server1 + RESP=$idir/$server.$iname/$server.$iname.ocsp.signernocert.good.resp + ocsptool -S $RESP -j > $RESP.pem + + # Then, ocsp request and responses for the signer cert + REQ=$CADIR/Signer.ocsp.req + RESP=$CADIR/Signer.ocsp.signernocert.good.resp + openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/Signer.pem -no_nonce -reqout $REQ + openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \ + -ndays 3652 -reqin $REQ -respout $RESP + ocsptool -S $RESP -j > $RESP.pem + + RESP=$CADIR/Signer.ocsp.signernocert.revoked.resp + openssl ocsp $IREVOKED -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \ + -ndays 3652 -reqin $REQ -respout $RESP + ocsptool -S $RESP -j > $RESP.pem + + # Then, ocsp request and response for the CA cert + REQ=$CADIR/CA.ocsp.req + RESP=$CADIR/CA.ocsp.signernocert.good.resp + openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/CA.pem -no_nonce -reqout $REQ + openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \ + -ndays 3652 -reqin $REQ -respout $RESP + ocsptool -S $RESP -j > $RESP.pem + #### done diff --git a/test/aux-var-src/tls_conf_prefix b/test/aux-var-src/tls_conf_prefix index 1c464f63e..ad9501ed0 100644 --- a/test/aux-var-src/tls_conf_prefix +++ b/test/aux-var-src/tls_conf_prefix @@ -1,4 +1,4 @@ -keep_environment = PATH:SSLKEYLOGFILE +keep_environment = PATH:SSLKEYLOGFILE:EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK exim_path = EXIM_PATH host_lookup_order = bydns spool_directory = DIR/spool diff --git a/test/confs/5653 b/test/confs/5655 index 5b29f5b68..0f6fe1b98 100644 --- a/test/confs/5653 +++ b/test/confs/5655 @@ -1,5 +1,5 @@ -# Exim test configuration 5652 -# OCSP stapling, server, multiple certs +# Exim test configuration 5655 +# OCSP stapling, server, multiple chain-element OCSP .include DIR/aux-var/tls_conf_prefix @@ -7,6 +7,7 @@ primary_hostname = server1.example.com # ----- Main settings ----- +acl_smtp_connect = accept logwrite = ${env {SSLKEYLOGFILE}} acl_smtp_mail = check_mail acl_smtp_rcpt = check_recipient @@ -21,15 +22,23 @@ CADIR = DIR/aux-fixed/exim-ca DRSA = CADIR/example.com DECDSA = CADIR/example_ec.com -tls_certificate = DRSA/server1.example.com/server1.example.com.pem \ +tls_certificate = DRSA/server1.example.com/fullchain.pem \ : DECDSA/server1.example_ec.com/server1.example_ec.com.pem tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \ : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key -tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \ - : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp +.ifndef CONTROL +tls_ocsp_file = PEM DIR/tmp/ocsp/triple.ocsp.pem \ + : DER DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp +.else +tls_ocsp_file = PEM DIR/tmp/ocsp/double_r.ocsp.pem \ + : DER DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp +.endif -tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0 + +.ifdef _HAVE_GNUTLS +tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} {NORMAL:!VERS-ALL:+VERS-TLS1.2} {}} +.endif # ------ ACL ------ @@ -70,9 +79,22 @@ remote_delivery: driver = smtp port = PORT_D hosts_require_tls = * - tls_require_ciphers = OPT +.ifdef _HAVE_GNUTLS + + tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} \ + {NONE:\ + ${if eq {OPT}{rsa} \ + {+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA} \ + {+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL}}\ + :+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509} \ + {}} + tls_verify_certificates = CADIR/\ + ${if eq {OPT}{rsa} \ + {example.com/server1.example.com} \ + {example_ec.com/server1.example_ec.com}}\ + /ca_chain.pem +.endif hosts_require_ocsp = * - tls_verify_certificates = CERT tls_verify_cert_hostnames = : local_delivery: diff --git a/test/log/5653 b/test/log/5653 deleted file mode 100644 index 82d2e7aeb..000000000 --- a/test/log/5653 +++ /dev/null @@ -1,9 +0,0 @@ -1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth -1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 Completed - -******** SERVER ******** -1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified) -1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com diff --git a/test/log/5655 b/test/log/5655 new file mode 100644 index 000000000..4cb16c24c --- /dev/null +++ b/test/log/5655 @@ -0,0 +1,27 @@ +1999-03-02 09:44:33 1: TLS1.2 Server sends good leaf-staple on request, to client requiring RSA auth +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 2: TLS1.3 Server sends good 3-element staple on request, to client requiring RSA auth +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 3: TLS1.3 Server sends bad nonleaf staple, client detects it +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 == rsa.auth@test.ex R=client T=remote_delivery defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate status check failed) +1999-03-02 09:44:33 10HmbB-0005vi-00 ** rsa.auth@test.ex: retry timeout exceeded +1999-03-02 09:44:33 10HmbB-0005vi-00 rsa.auth@test.ex: error ignored +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 +1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified) +1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 +1999-03-02 09:44:33 acl_mail: ocsp in status: 1 (notresp) +1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 +1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): The TLS connection was non-properly terminated. diff --git a/test/scripts/5655-OCSP-GnuTLS-1.3/5655 b/test/scripts/5655-OCSP-GnuTLS-1.3/5655 new file mode 100644 index 000000000..25ebdfd6b --- /dev/null +++ b/test/scripts/5655-OCSP-GnuTLS-1.3/5655 @@ -0,0 +1,59 @@ +# OCSP stapling, server, multiple chain-element OCSP +# +# +# +mkdir -p DIR/tmp/ocsp +sudo chown -R EXIMUSER:EXIMGROUP tmp +sudo chmod -R a+rwx DIR/tmp/ocsp +perl +chdir 'aux-fixed/exim-ca/example.com'; +system 'cat server1.example.com/server1.example.com.ocsp.signernocert.good.resp.pem CA/Signer.ocsp.signernocert.good.resp.pem CA/CA.ocsp.signernocert.good.resp.pem > DIR/tmp/ocsp/triple.ocsp.pem'; +system 'cat server1.example.com/server1.example.com.ocsp.signernocert.good.resp.pem CA/Signer.ocsp.signernocert.revoked.resp.pem > DIR/tmp/ocsp/double_r.ocsp.pem'; +**** +# +# +exim -z '1: TLS1.2 Server sends good leaf-staple on request, to client requiring RSA auth' +**** +# +exim -bd -oX PORT_D -DSERVER=server -DLIMIT=TLS1.2 +**** +# +exim -odf -DOPT=rsa -DLIMIT=TLS1.2 rsa.auth@test.ex +Subject: test + +. +**** +killdaemon +# +# +exim -z '2: TLS1.3 Server sends good 3-element staple on request, to client requiring RSA auth' +**** +# +exim -bd -oX PORT_D -DSERVER=server -DLIMIT=TLS1.3 +**** +exim -odf -DOPT=rsa rsa.auth@test.ex +Subject: test + +. +**** +killdaemon +# +# +# +exim -z '3: TLS1.3 Server sends bad nonleaf staple, client detects it' +**** +# +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server -DLIMIT=TLS1.3 -DCONTROL=bad +**** +exim -odf -DOPT=rsa rsa.auth@test.ex +Subject: test + +. +**** +killdaemon +# +# +# +# +sudo rm -fr tmp/ +no_msglog_check diff --git a/test/scripts/5655-OCSP-GnuTLS-1.3/REQUIRES b/test/scripts/5655-OCSP-GnuTLS-1.3/REQUIRES new file mode 100644 index 000000000..ab5a9721d --- /dev/null +++ b/test/scripts/5655-OCSP-GnuTLS-1.3/REQUIRES @@ -0,0 +1,4 @@ +support GnuTLS +support OCSP +running IPv4 +feature _HAVE_TLS1_3 |