From 281e72e46c44d316d47ed309dcb0d781a909a181 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 3 Dec 2014 21:09:54 +0000 Subject: Testsuite: add more DANE testcases --- test/confs/5840 | 13 +++++++------ test/log/5840 | 25 ++++++++++++++++++++----- test/scripts/5840-DANE-OpenSSL/5840 | 31 +++++++++++++++++++++++++------ 3 files changed, 52 insertions(+), 17 deletions(-) diff --git a/test/confs/5840 b/test/confs/5840 index 68a47e998..2c72b64c3 100644 --- a/test/confs/5840 +++ b/test/confs/5840 @@ -18,7 +18,6 @@ acl_smtp_rcpt = accept log_selector = +received_recipients +tls_peerdn +tls_certificate_verified -queue_only queue_run_in_order tls_advertise_hosts = * @@ -28,18 +27,17 @@ CDIR1 = DIR/aux-fixed CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com tls_certificate = ${if eq {SERVER}{server} \ - {${if eq {DETAILS}{ta} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}}} \ {CDIR2/fullchain.pem}\ {CDIR1/cert1}}}\ fail} tls_privatekey = ${if eq {SERVER}{server} \ - {${if eq {DETAILS}{ta} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}}} \ {CDIR2/server1.example.com.unlocked.key}\ {CDIR1/cert1}}}\ fail} - # ----- Routers ----- begin routers @@ -65,11 +63,14 @@ send_to_server: allow_localhost port = PORT_D -# hosts_try_dane = * - hosts_require_dane = * + hosts_try_dane = * + hosts_require_dane = !thishost.test.ex hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \ {= {0}{$tls_out_tlsa_usage}} } \ {*}{}} + tls_try_verify_hosts = thishost.test.ex + tls_verify_certificates = CDIR2/ca_chain.pem + # ----- Retry ----- diff --git a/test/log/5840 b/test/log/5840 index 62dc13f02..7507c5cba 100644 --- a/test/log/5840 +++ b/test/log/5840 @@ -11,20 +11,35 @@ 1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ta.test.ex R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbD-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbF-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00" +1999-03-02 09:44:33 10HmbF-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex -1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -qf 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex -1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbE-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex +1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbG-0005vi-00 Completed diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840 index 814b4b0e8..eef14c2fe 100644 --- a/test/scripts/5840-DANE-OpenSSL/5840 +++ b/test/scripts/5840-DANE-OpenSSL/5840 @@ -3,28 +3,47 @@ exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D **** # TLSA (3 1 1) -exim CALLER@dane256ee.test.ex +exim -odq CALLER@dane256ee.test.ex Testing **** # TLSA (3 1 2) -exim CALLER@mxdane512ee.test.ex +exim -odq CALLER@mxdane512ee.test.ex Testing **** exim -qf **** killdaemon -exim -DSERVER=server -DDETAILS=ee -DNOTDAEMON -qf -**** # # exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D **** # TLSA (2 0 1) -exim CALLER@mxdane256ta.test.ex +exim -odq CALLER@mxdane256ta.test.ex Testing **** exim -qf **** killdaemon -exim -DSERVER=server -DDETAILS=ta -DNOTDAEMON -qf +# +# A server with a nonverifying cert and no TLSA +# Check we get a non-CV but TLS connection, with try_dane but no require_dane +exim -DSERVER=server -DDETAILS=no -bd -oX PORT_D +**** +exim -odq CALLER@thishost.test.ex +Testing **** +exim -qf +**** +killdaemon +# +# A server with a verifying cert and no TLSA +# Check we get a CV and TLS connection, with try_dane but no require_dane +exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D +**** +exim -odq CALLER@thishost.test.ex +Testing +**** +exim -qf +**** +killdaemon +# -- cgit v1.2.3