Age | Commit message (Collapse) | Author |
|
|
|
|
|
that went in with dual-tls.
|
|
|
|
|
|
Also fixed bug where a predata acl was required for cutthrough.
|
|
|
|
|
|
|
|
|
|
|
|
Fixes the output of 'ls' command to a standard format (test 345).
|
|
|
|
This reverts commit 8dedb69a41c30fd82ab6e084fe567f7ee7aaa562.
Kills testcase 0137.
|
|
|
|
Pull in <features.h> on Linux.
Switch readconf log from D_all (bug) to D_tls (though D_any would have
worked).
Modified runtest to handle clamped DH bits and
tls_validate_require_cipher added debug logging.
|
|
|
|
|
|
|
|
I omitted log/2025 pending further investigation.
|
|
test-host installations.
|
|
New cert1 and cert2 but I'd only updated the GnuTLS tests.
This fixes OpenSSL ones too.
The SHELL vs /bin/sh one also fixed, finally realised that
the test output just hadn't been updated to match the munging.
|
|
|
|
A couple more cert1/2 strings updated, plus some disambiguating rhubarb.
|
|
Some tests had not been updated for the new cert because they were missing an X= log-line.
Updated those tests now.
|
|
Decided "unknown (reason)" in tls_peerdn was wrong, stripped that, added
replacement guard.
Moved cipherbuf construction to where it makes more sense, where peerdn
is extracted, so that setting the exim vars gets back closer to just
some pointer switching.
Fix missing failure check after handshake in client.
Fix tls.c tls_ungetc() and friends by pointing watermark vars at state
content.
Regenerated test-suite D-H params so we don't have too small values,
which was causing connection rejections.
Test-suite output where new test cert info is logged (there will be a
couple more, when I fix a lingering problem with tls_peerdn being unset
in client log-lines).
Give test-suite client command some --help.
|
|
|
|
Fix test-suite certs to not use MD5.
Document that we do not support MD5 certs any longer.
Make test-suite generate probably-correct gnutls-params filename for us.
|
|
Normalise TLSv1.2 to TLSv1.
Normalise AES256-GCM-SHA384 to AES256-SHA.
Make some test configs accept AES256-GCM-SHA384 in "encrypted =" ACLs.
Have test suite print final test id during abort, make it easier to track down.
|
|
GnuTLS code re-done, using cut&paste for preservation where appropriate.
Stop using deprecated APIs. Stop hard-coding lists of ciphers.
Use gnutls_priority_init() instead.
Turns tls_require_ciphers into a string in the GnuTLS case, not just
OpenSSL case.
Deprecate three gnutls_require_* options; now ignored but not errors.
(No warnings yet).
Added TLS SNI support.
Made the channel binding integration theoretically actually work. I had
it guarded by an #ifdef but the value used was an enum instead. Oops.
Fixed.
New code much more amenable to future work permitting TLS in callouts.
DH param sizes now chosen by GnuTLS maintainers, we use "normal"; that's
suddenly a lot more bits, so the saved filename was changed too.
(GNUTLS_SEC_PARAM_NORMAL).
DH param setup only done for servers now, since clients don't need/use
it.
GnuTLS a lot more robust to library negotiation using stuff we don't
support, error-ing out quickly for other authentication systems (PGP,
etc).
Renamed pseudo_random_number() to vaguely_random_number() which makes
the nature clearer.
GnuTLS now provides a vaguely_random_number() implementation, to match
OpenSSL.
Pull in <inttypes.h> to make the recent arithmetic changes compile on
MacOS.
Nuke test 2011 which related to the gnutls_require_* options now
non-functional.
|
|
|
|
|
|
|
|
|
|
|
|
Was not sending trailing dot.
Added test case to catch this.
fixes bug 1246.
|
|
|
|
|
|
Also add Retry command to more runtest testcase-fail possibilities.
|
|
|
|
Some discussion at http://bugs.exim.org/show_bug.cgi?id=817
Refer readers to Dan Bernstein's analysis of the issues.
Consensus seen from maintainers is that DJB is right on this point.
|
|
rule.
Fixes case 1003 for me (having a trailing ::).
|
|
Having looked further at the ratelimit code, the new output looks reasonable. The obscure
values of "19" derive from testing "per-byte", being the size of the test message.
|
|
|
|
Move to a table-driven approach for the parsing of "verify =".
|
|
The subtest does a readsocket (with 1s timeout) into a server
which closes immediately. The expected output in the testcase was null, the output
actually seen was the error-return expansion, which seems more correct.
Accepting the actual output.
|
|
|
|
|
|
bug 1224.
|
|
fixes bug 1226
Further investigation from Jeremy Harris showed the previous fix
left trailing whitespace on output which previously ended after
the permission bits (eg, test 0240).
This works better for me.
|