From 01a4a5c5cbaa40ca618d3e233991ce183b551477 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sat, 22 Nov 2014 19:16:19 +0000
Subject: Move certificate name checking to mainline, default enabled
This is an exim client checking a server certificate.
---
 test/confs/2012 | 56 ++++++++++++++++++++++++++++++--------------------------
 test/confs/2112 | 56 ++++++++++++++++++++++++++++++--------------------------
 test/confs/5601 | 4 ++++
 test/confs/5608 | 4 ++++
 test/confs/5651 | 4 ++++
 test/confs/5658 | 4 ++++
 test/confs/5750 | 1 +
 test/confs/5760 | 1 +
 test/confs/5840 | 1 +
 9 files changed, 79 insertions(+), 52 deletions(-)
(limited to 'test/confs')
diff --git a/test/confs/2012 b/test/confs/2012
index 97dc25e75..6bc5487ff 100644
--- a/test/confs/2012
+++ b/test/confs/2012
@@ -104,6 +104,7 @@ send_to_server_failcert:
 tls_privatekey = CERT2
 tls_verify_certificates = CA2
+ tls_verify_cert_hostnames =
 # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
 send_to_server_retry:
@@ -117,6 +118,7 @@ send_to_server_retry:
 tls_verify_certificates = \
 ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+ tls_verify_cert_hostnames =
 # this will fail to verify the cert but continue unverified though crypted
 send_to_server_crypt:
@@ -130,6 +132,7 @@ send_to_server_crypt:
 tls_verify_certificates = CA2
 tls_try_verify_hosts = *
+ tls_verify_cert_hostnames =
 # this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
 send_to_server_req_fail:
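Review bot: The bare `tls_verify_cert_hostnames =` added to `send_to_server_failcert` switches this transport out of the server-name check that the commit subject says is now on by default, but nothing in the conf says so; the same uncommented line is added in the `send_to_server_retry`, `send_to_server_crypt` and `send_to_server_req_fail` hunks of 2012, in the matching hunks of 2112, and in every transport touched in 5601, 5608, 5651, 5658, 5750 and 5760. Presumably these transports are meant to exercise chain verification against CA1/CA2 or CA.pem without a name match against HOSTIPV4, but a reader sees only an empty option next to `tls_verify_certificates`. A one-line comment at the first occurrence in each file would record the intent, e.g. `# empty list: opt out of the default-on server-name check; chain verification via tls_verify_certificates still applies`. The remaining lines of each transport sit outside the hunk.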
@@ -142,31 +145,32 @@ send_to_server_req_fail:
 tls_verify_certificates = CA2
 tls_verify_hosts = *
-
-# # this will fail to verify the cert name and fallback to unencrypted
-# send_to_server_req_failname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = server1.example.net : server1.example.org
-# tls_verify_hosts = *
-#
-# # this will pass the cert verify including name check
-# send_to_server_req_passname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = noway.example.com : server1.example.com
-# tls_verify_hosts = *
+ tls_verify_cert_hostnames =
+
+ # this will fail to verify the cert name and fallback to unencrypted
+ send_to_server_req_failname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_hosts = *
+
+ # this will pass the cert verify including name check
+ send_to_server_req_passname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_hosts = *
 # End
diff --git a/test/confs/2112 b/test/confs/2112
index 4751e6015..2c81e0cf3 100644
--- a/test/confs/2112
+++ b/test/confs/2112
@@ -104,6 +104,7 @@ send_to_server_failcert:
 tls_privatekey = CERT2
 tls_verify_certificates = CA2
+ tls_verify_cert_hostnames =
 # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
 send_to_server_retry:
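Review bot: The re-enabled `send_to_server_req_passname` transport lists `noway.example.com : server1.example.com` with no note on why a name that cannot match is placed first; given the transport comment says the name check passes, the first entry reads as a deliberate non-match meant to show that one matching entry in the list is sufficient, but that is a guess the conf should not leave to the reader. The same uncommented list is re-enabled in the 2112 copy of this hunk. Suggest a comment above the option, e.g. `# noway.example.com is a deliberate non-match; server1.example.com is the name expected on the server cert`, and correspondingly in `send_to_server_req_failname` something like `# neither name is expected to match the server cert`, if that is indeed the intent.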
@@ -117,6 +118,7 @@ send_to_server_retry:
 tls_verify_certificates = \
 ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+ tls_verify_cert_hostnames =
 # this will fail to verify the cert but continue unverified though crypted
 send_to_server_crypt:
@@ -130,6 +132,7 @@ send_to_server_crypt:
 tls_verify_certificates = CA2
 tls_try_verify_hosts = *
+ tls_verify_cert_hostnames =
 # this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
 send_to_server_req_fail:
@@ -142,31 +145,32 @@ send_to_server_req_fail:
 tls_verify_certificates = CA2
 tls_verify_hosts = *
-
-# # this will fail to verify the cert name and fallback to unencrypted
-# send_to_server_req_failname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = server1.example.net : server1.example.org
-# tls_verify_hosts = *
-#
-# # this will pass the cert verify including name check
-# send_to_server_req_passname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = noway.example.com : server1.example.com
-# tls_verify_hosts = *
+ tls_verify_cert_hostnames =
+
+ # this will fail to verify the cert name and fallback to unencrypted
+ send_to_server_req_failname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_hosts = *
+
+ # this will pass the cert verify including name check
+ send_to_server_req_passname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_hosts = *
 # End
diff --git a/test/confs/5601 b/test/confs/5601
index 3e97fcbea..1a7320300 100644
--- a/test/confs/5601
+++ b/test/confs/5601
@@ -90,6 +90,7 @@ send_to_server1:
 hosts = HOSTIPV4
 port = PORT_D
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 hosts_request_ocsp = :
 headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -102,6 +103,7 @@ send_to_server2:
 hosts = HOSTIPV4
 port = PORT_D
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 # note no ocsp mention here
 headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -115,6 +117,7 @@ send_to_server3:
 port = PORT_D
 helo_data = helo.data.changed
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 hosts_require_ocsp = *
 headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -128,6 +131,7 @@ send_to_server4:
 port = PORT_D
 helo_data = helo.data.changed
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 protocol = smtps
 hosts_require_tls = *
 hosts_require_ocsp = *
diff --git a/test/confs/5608 b/test/confs/5608
index da0f6707f..6061a1343 100644
--- a/test/confs/5608
+++ b/test/confs/5608
@@ -98,6 +98,7 @@ send_to_server1:
 hosts = HOSTIPV4
 port = PORT_D
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 hosts_request_ocsp = :
 headers_add = X-TLS-out: ocsp status $tls_out_ocsp
@@ -110,6 +111,7 @@ send_to_server2:
 hosts = HOSTIPV4
 port = PORT_D
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 # note no ocsp mention here
 headers_add = X-TLS-out: ocsp status $tls_out_ocsp
@@ -123,6 +125,7 @@ send_to_server3:
 port = PORT_D
 helo_data = helo.data.changed
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 hosts_require_ocsp = *
 headers_add = X-TLS-out: ocsp status $tls_out_ocsp
@@ -136,6 +139,7 @@ send_to_server4:
 port = PORT_D
 helo_data = helo.data.changed
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 protocol = smtps
 hosts_require_tls = *
 hosts_require_ocsp = *
diff --git a/test/confs/5651 b/test/confs/5651
index 6b70d33b2..19f16d03d 100644
--- a/test/confs/5651
+++ b/test/confs/5651
@@ -88,6 +88,7 @@ send_to_server1:
 hosts = HOSTIPV4
 port = PORT_D
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 hosts_request_ocsp = :
 headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -100,6 +101,7 @@ send_to_server2:
 hosts = HOSTIPV4
 port = PORT_D
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 # note no ocsp mention here
 headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -114,6 +116,7 @@ send_to_server3:
 helo_data = helo.data.changed
 #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 hosts_require_ocsp = *
 headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -128,6 +131,7 @@ send_to_server4:
 helo_data = helo.data.changed
 #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 protocol = smtps
 hosts_require_tls = *
 hosts_require_ocsp = *
diff --git a/test/confs/5658 b/test/confs/5658
index 7ab2de68f..de486e083 100644
--- a/test/confs/5658
+++ b/test/confs/5658
@@ -95,6 +95,7 @@ send_to_server1:
 hosts = HOSTIPV4
 port = PORT_D
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 hosts_request_ocsp = :
 headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -108,6 +109,7 @@ send_to_server2:
 hosts = HOSTIPV4
 port = PORT_D
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 # note no ocsp mention here
 headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -123,6 +125,7 @@ send_to_server3:
 helo_data = helo.data.changed
 #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 hosts_require_tls = *
 hosts_require_ocsp = *
 headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -138,6 +141,7 @@ send_to_server4:
 helo_data = helo.data.changed
 #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
 protocol = smtps
 hosts_require_tls = *
 hosts_require_ocsp = *
diff --git a/test/confs/5750 b/test/confs/5750
index 364f73a90..d1e2e7ce0 100644
--- a/test/confs/5750
+++ b/test/confs/5750
@@ -104,6 +104,7 @@ send_to_server:
 ${if eq {$local_part}{good}\
 {example.com/server1.example.com/ca_chain.pem}\
 {example.net/server1.example.net/ca_chain.pem}}
+ tls_verify_cert_hostnames =
 event_action = ${acl {logger} {$event_name} {$domain} }
diff --git a/test/confs/5760 b/test/confs/5760
index 60f386ba4..80dde3e15 100644
--- a/test/confs/5760
+++ b/test/confs/5760
@@ -104,6 +104,7 @@ send_to_server:
 ${if eq {$local_part}{good}\
 {example.com/server1.example.com/ca_chain.pem}\
 {example.net/server1.example.net/ca_chain.pem}}
+ tls_verify_cert_hostnames =
 event_action = ${acl {logger} {$event_name} {$domain} }
diff --git a/test/confs/5840 b/test/confs/5840
index 2c72b64c3..5c0f6a51d 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -68,6 +68,7 @@ send_to_server:
 hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
 {= {0}{$tls_out_tlsa_usage}} } \
 {*}{}}
+ tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
 tls_try_verify_hosts = thishost.test.ex
 tls_verify_certificates = CDIR2/ca_chain.pem
-- 
cgit v1.2.3
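Review bot: The added `tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}` makes the name check depend on the OPT macro, but nothing in the hunk says which test runs set `no_certname` or what the two branches are meant to prove; this is the only conf in the commit where the option is not simply emptied, so the switch deserves a comment. Suggest `# OPT=no_certname: no server-name check; any other OPT: check the name for every host` directly above the option. Note also that the option is immediately followed by `tls_try_verify_hosts = thishost.test.ex`, so, as I read the try-verify semantics, a name mismatch in the checked branch would be reported rather than fatal for that host; the comment could say which outcome the test expects in the log. The start of the `send_to_server` transport lies outside the hunk.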