From 12ee8cf9db5b6c81b0e492c64f305d7ba1cf4dc2 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 8 Aug 2014 20:45:24 +0100 Subject: Testsuite basics. Not actually excercising DANE yet, this will take additions in the fakedns and probably changes in certificates. --- test/confs/5800 | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ test/confs/5850 | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 146 insertions(+) create mode 100644 test/confs/5800 create mode 100644 test/confs/5850 (limited to 'test/confs') diff --git a/test/confs/5800 b/test/confs/5800 new file mode 100644 index 000000000..f1bd09d1c --- /dev/null +++ b/test/confs/5800 
@@ -0,0 +1,74 @@ +# Exim test configuration 5800 +# DANE + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * +# needed to force generation +tls_dhparam = historic + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} + +#tls_verify_hosts = * +#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = send_to_server + +server: + driver = redirect + data = :blackhole: + + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D +# tls_certificate = DIR/aux-fixed/cert2 +# tls_privatekey = DIR/aux-fixed/cert2 +# tls_verify_certificates = DIR/aux-fixed/cert2 + + +# ----- Retry ----- + + +begin retry + +* * F,5d,10s + + +# End diff --git a/test/confs/5850 b/test/confs/5850 new file mode 100644 index 000000000..ac967fcb8 --- /dev/null +++ b/test/confs/5850 
@@ -0,0 +1,72 @@ +# Exim test configuration 5850 +# DANE + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} + +#tls_verify_hosts = * +#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = send_to_server + +server: + driver = redirect + data = :blackhole: + + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D +# tls_certificate = DIR/aux-fixed/cert2 +# tls_privatekey = DIR/aux-fixed/cert2 +# tls_verify_certificates = DIR/aux-fixed/cert2 + + +# ----- Retry ----- + + +begin retry + +* * F,5d,10s + + +# End -- cgit v1.2.3 From 7a31d6431bfe3bce4da48ac8774e3b0e3c038fc7 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 8 Aug 2014 21:37:22 +0100 Subject: Test development --- doc/doc-txt/experimental-spec.txt | 7 +++---- src/src/tls-openssl.c | 19 ++++++------------- src/src/transports/smtp.c | 30 +++++++++++++++++++++++------- src/src/transports/smtp.h | 1 + src/src/verify.c | 22 +++++++++++++++++----- test/confs/5850 | 3 +++ test/scripts/5850-DANE-OpenSSL/5850 | 2 +- 7 files changed, 54 insertions(+), 30 deletions(-) (limited to 'test/confs') diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 333307b74..6eeb5092c 100644 --- a/doc/doc-txt/experimental-spec.txt 
+++ b/doc/doc-txt/experimental-spec.txt @@ -1224,10 +1224,9 @@ for fast revocation of certificates (which would otherwise be limited by the DNS TTL on the TLSA records). -For client-side DANE there is a new smtp transport option, -hosts_try_dane. It does the obvious thing. -[ may add a hosts_require_dane, too? ] -[ should it be domain-based rather than host-based? ] +For client-side DANE there are two new smtp transport options, +hosts_try_dane and hosts_require_dane. They do the obvious thing. +[ should they be domain-based rather than host-based? ] DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records. diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 201636db0..0bd23ac63 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1618,15 +1618,8 @@ BOOL dane_required; #endif #ifdef EXPERIMENTAL_DANE -/*XXX TBD: test for transport options, and for TLSA records */ -/*dane = TRUE;*/ - -# ifdef notyet dane_required = verify_check_this_host(&ob->hosts_require_dane, NULL, host->name, host->address, NULL) == OK; -# else -dane_required = FALSE; -#endif if (host->dnssec == DS_YES) { @@ -1637,11 +1630,10 @@ if (host->dnssec == DS_YES) { /* move this out to host.c given the similarity to dns_lookup() ? */ uschar buffer[300]; - int prefix_length; /* why do we want this? */ uschar * fullname = buffer; /* TLSA lookup string */ - (void)sprintf(CS buffer, "_%d._tcp.%n%.256s", host->port, &prefix_length, + (void)sprintf(CS buffer, "_%d._tcp.%.256s", host->port, host->name); switch (rc = dns_lookup(&tlsa_dnsa, buffer, T_TLSA, &fullname)) @@ -1653,7 +1645,7 @@ if (host->dnssec == DS_YES) case DNS_FAIL: if (dane_required) { - /* log that TLSA lookup failed */ + log_write(0, LOG_MAIN, "DANE error: TLSA lookup failed"); return FAIL; } break; 
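Review bot: The rewritten `sprintf` into `buffer` still carries no explicit bound; it is safe only because `%.256s` caps the name and `_%d._tcp.` is at most 18 characters, which together fit the 300-byte array, but that arithmetic lives in the reader's head rather than in the code. Stating the bound with `(void)snprintf(CS buffer, sizeof(buffer), "_%d._tcp.%.256s", host->port, host->name);` keeps the line correct if the format or the array size is changed later. The enclosing function starts and ends outside this hunk.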
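Review bot: The `log_write` added in the DNS_FAIL branch says only "DANE error: TLSA lookup failed", so the main log will not show which peer or which TLSA name the failure concerns, which is exactly what an operator needs when a `hosts_require_dane` delivery is refused. The query name is in `buffer`, declared a few lines above (the switch appears to sit inside that block), so `log_write(0, LOG_MAIN, "DANE error: TLSA lookup failed for %s", buffer);` costs nothing; the two `log_write` calls added in the next two hunks of this file have the same gap and could carry `host->name`. The enclosing function starts and ends outside this hunk.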
@@ -1661,7 +1653,7 @@ if (host->dnssec == DS_YES) case DNS_SUCCEED: if (!dns_is_secure(&tlsa_dnsa)) { - /*log it - tlsa should never be non-dnssec */ + log_write(0, LOG_MAIN, "DANE error: TLSA lookup not DNSSEC"); return DEFER; } dane = TRUE; @@ -1669,9 +1661,10 @@ if (host->dnssec == DS_YES) } } } -else if (dane_required && !dane) +else if (dane_required) { - /* log that dnssec pre-req failed. Hmm - what? */ + /* Hmm - what lookup, precisely? */ + log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC"); return FAIL; } diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 2e3a6ced4..9abc69d51 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -109,6 +109,10 @@ optionlist smtp_transport_options[] = { { "hosts_require_auth", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_auth) }, #ifdef SUPPORT_TLS +# ifdef EXPERIMENTAL_DANE + { "hosts_require_dane", opt_stringptr, + (void *)offsetof(smtp_transport_options_block, hosts_require_dane) }, +# endif # ifndef DISABLE_OCSP { "hosts_require_ocsp", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_ocsp) }, @@ -118,7 +122,7 @@ optionlist smtp_transport_options[] = { #endif { "hosts_try_auth", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_try_auth) }, -#ifdef EXPERIMENTAL_DANE +#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE) { "hosts_try_dane", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_try_dane) }, #endif @@ -206,6 +210,7 @@ smtp_transport_options_block smtp_transport_option_defaults = { NULL, /* hosts_require_auth */ #ifdef EXPERIMENTAL_DANE NULL, /* hosts_try_dane */ + NULL, /* hosts_require_dane */ #endif #ifndef DISABLE_PRDR NULL, /* hosts_try_prdr */ 
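Review bot: In the DNS_SUCCEED branch an unsigned TLSA answer returns DEFER regardless of `dane_required`, while the DNS_FAIL branch just above fails only when DANE is required; for a host that is merely trying DANE the delivery is therefore retried instead of taking the non-DANE path, and `dane` is never set. If a non-DNSSEC TLSA RRset is deliberately a hard stop even in try mode (defensible, since an unsigned answer under a zone that was just proven signed is itself suspicious), a short comment saying so would stop the next reader from "fixing" it; if not, the branch should mirror DNS_FAIL with `if (dane_required) return DEFER; break;` after the log. The `/* Hmm - what lookup, precisely? */` left in the `else if (dane_required)` hunk can be answered once the host.c changes later in this series land: `host->dnssec` is set from the MX and address lookups, so the message could read "DANE error: MX/A lookup not DNSSEC". The enclosing function starts and ends outside these hunks.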
@@ -1571,8 +1576,13 @@ if (tls_out.active >= 0) /* If the host is required to use a secure channel, ensure that we have one. */ -else if (verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name, - host->address, NULL) == OK) +else if ( verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name, + host->address, NULL) == OK +#ifdef EXPERIMENTAL_DANE + || verify_check_this_host(&(ob->hosts_require_dane), NULL, host->name, + host->address, NULL) == OK +#endif + ) { save_errno = ERRNO_TLSREQUIRED; message = string_sprintf("a TLS session is required for %s [%s], but %s", @@ -3268,10 +3278,16 @@ for (cutoff_retry = 0; expired && happens inside smtp_deliver().] */ #ifdef SUPPORT_TLS - if (rc == DEFER && first_addr->basic_errno == ERRNO_TLSFAILURE && - ob->tls_tempfail_tryclear && - verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name, - host->address, NULL) != OK) + if ( rc == DEFER + && first_addr->basic_errno == ERRNO_TLSFAILURE + && ob->tls_tempfail_tryclear + && verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name, + host->address, NULL) != OK +#ifdef EXPERIMENTAL_DANE + && verify_check_this_host(&(ob->hosts_require_dane), NULL, host->name, + host->address, NULL) != OK +#endif + ) { log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted " "to %s [%s] (not in hosts_require_tls)", host->name, host->address); diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index 018f9cfef..d968a4d54 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h @@ -23,6 +23,7 @@ typedef struct { uschar *hosts_require_auth; #ifdef EXPERIMENTAL_DANE uschar *hosts_try_dane; + uschar *hosts_require_dane; #endif #ifndef DISABLE_PRDR uschar *hosts_try_prdr; diff --git a/src/src/verify.c b/src/src/verify.c index b1b9f29a4..c2ee47892 100644 --- a/src/src/verify.c +++ b/src/src/verify.c 
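Review bot: The tryclear fallback in the second smtp.c hunk is now also skipped for hosts in `hosts_require_dane`, but the log line that follows still reads `"to %s [%s] (not in hosts_require_tls)"`, so an operator seeing an unencrypted delivery is told the wrong condition; `"to %s [%s] (not in hosts_require_tls or hosts_require_dane)"` keeps it accurate, and the matching message in the first verify.c hunk that follows has the same problem. More importantly, the new condition consults only the require-list: a host reached via `hosts_try_dane` whose TLSA record was found and used would still be delivered in clear after a TLS failure, which is the downgrade DANE exists to prevent; if the TLSA-found state (the `dane` flag set in tls-openssl.c) is reachable here, it should also veto the fallback — worth confirming against the DANE model intended for this transport. The `string_sprintf` in the first smtp.c hunk ("a TLS session is required for %s [%s], but %s") is likewise reached via `hosts_require_dane` now, so whatever the trailing `%s` expands to should not assert `hosts_require_tls` alone. Each of these conditions sits in a function that starts and ends outside the hunk.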
@@ -644,9 +644,16 @@ else if the options permit it for this host. */ if (rc != OK) { - if (rc == DEFER && ob->tls_tempfail_tryclear && !smtps && - verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name, - host->address, NULL) != OK) + if ( rc == DEFER + && ob->tls_tempfail_tryclear + && !smtps + && verify_check_this_host(&(ob->hosts_require_tls), NULL, + host->name, host->address, NULL) != OK +#ifdef EXPERIMENTAL_DANE + && verify_check_this_host(&(ob->hosts_require_dane), NULL, + host->name, host->address, NULL) != OK +#endif + ) { (void)close(inblock.sock); log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted " @@ -676,8 +683,13 @@ else /* If the host is required to use a secure channel, ensure that we have one. */ if (tls_out.active < 0) - if (verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name, - host->address, NULL) == OK) + if ( verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name, + host->address, NULL) == OK +#ifdef EXPERIMENTAL_DANE + || verify_check_this_host(&(ob->hosts_require_dane), NULL, host->name, + host->address, NULL) == OK +#endif + ) { /*save_errno = ERRNO_TLSREQUIRED;*/ log_write(0, LOG_MAIN, "a TLS session is required for %s [%s], but %s", diff --git a/test/confs/5850 b/test/confs/5850 index ac967fcb8..53cb78ae1 100644 --- a/test/confs/5850 +++ b/test/confs/5850 @@ -60,6 +60,9 @@ send_to_server: # tls_privatekey = DIR/aux-fixed/cert2 # tls_verify_certificates = DIR/aux-fixed/cert2 +# hosts_try_dane = * + hosts_require_dane = * + # ----- Retry ----- diff --git a/test/scripts/5850-DANE-OpenSSL/5850 b/test/scripts/5850-DANE-OpenSSL/5850 index 419930e11..0776fb6b4 100644 --- a/test/scripts/5850-DANE-OpenSSL/5850 +++ b/test/scripts/5850-DANE-OpenSSL/5850 @@ -5,7 +5,7 @@ exim -DSERVER=server -bd -oX PORT_D exim CALLER@test.ex Testing **** -exim -qf +exim -d+all -qf **** killdaemon exim -DSERVER=server -DNOTDAEMON -qf -- cgit v1.2.3 
From cf2b569e3a2f8956b7045191e96bc5edfd366c78 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 10 Aug 2014 11:49:49 +0100 Subject: On a host lookup name->MX->A->ip sequence, require both stages to be dnssec before declaring the lookup was secure. --- src/src/host.c | 51 ++++++++++++++++++++++++++++++++++----------------- src/src/tls-openssl.c | 1 + test/confs/5850 | 8 +++++--- 3 files changed, 40 insertions(+), 20 deletions(-) (limited to 'test/confs') diff --git a/src/src/host.c b/src/src/host.c index 00524f416..2eef0ba70 100644 --- a/src/src/host.c +++ b/src/src/host.c @@ -2207,7 +2207,7 @@ Returns: HOST_FIND_FAILED couldn't find A record static int set_address_from_dns(host_item *host, host_item **lastptr, uschar *ignore_target_hosts, BOOL allow_ip, uschar **fully_qualified_name, - BOOL dnssec_requested, BOOL dnssec_require) + BOOL dnssec_request, BOOL dnssec_require) { dns_record *rr; host_item *thishostlast = NULL; /* Indicates not yet filled in anything */ @@ -2268,7 +2268,7 @@ for (; i >= 0; i--) dns_scan dnss; int rc = dns_lookup(&dnsa, host->name, type, fully_qualified_name); - lookup_dnssec_authenticated = !dnssec_requested ? NULL + lookup_dnssec_authenticated = !dnssec_request ? NULL : dns_is_secure(&dnsa) ? US"yes" : US"no"; /* We want to return HOST_FIND_AGAIN if one of the A, A6, or AAAA lookups 
@@ -2292,11 +2292,31 @@ for (; i >= 0; i--) if (rc != DNS_NOMATCH && rc != DNS_NODATA) v6_find_again = TRUE; continue; } - if (dnssec_require && !dns_is_secure(&dnsa)) + + if (dnssec_request) { - log_write(L_host_lookup_failed, LOG_MAIN, "dnssec fail on %s for %.256s", + if (dns_is_secure(&dnsa)) + { + DEBUG(D_host_lookup) debug_printf("%s A DNSSEC\n", host->name); + if (host->dnssec == DS_UNK) /* set in host_find_bydns() */ + host->dnssec = DS_YES; + } + else + { + if (dnssec_require) + { + log_write(L_host_lookup_failed, LOG_MAIN, + "dnssec fail on %s for %.256s", i>1 ? "A6" : i>0 ? "AAAA" : "A", host->name); - continue; + continue; + } + if (host->dnssec == DS_YES) /* set in host_find_bydns() */ + { + DEBUG(D_host_lookup) debug_printf("%s A cancel DNSSEC\n", host->name); + host->dnssec = DS_NO; + lookup_dnssec_authenticated = US"no"; + } + } } /* Lookup succeeded: fill in the given host item with the first non-ignored @@ -2562,9 +2582,14 @@ if (rc != DNS_SUCCEED && (whichrrs & HOST_FIND_BY_MX) != 0) if (dnssec_request) { if (dns_is_secure(&dnsa)) - { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; } + { + DEBUG(D_host_lookup) debug_printf("%s MX DNSSEC\n", host->name); + dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; + } else - { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; } + { + dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; + } } switch (rc) @@ -2578,7 +2603,7 @@ if (rc != DNS_SUCCEED && (whichrrs & HOST_FIND_BY_MX) != 0) log_write(L_host_lookup_failed, LOG_MAIN, "dnssec fail on MX for %.256s", host->name); rc = DNS_FAIL; - /*FALLTRHOUGH*/ + /*FALLTHROUGH*/ case DNS_FAIL: case DNS_AGAIN: 
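Review bot: In the new `dnssec_request` block, an unauthenticated address lookup that is not required to be secure only downgrades `host->dnssec` when it was already DS_YES; when the MX stage left it DS_UNK (as the no-MX path now does) it stays DS_UNK, so a consumer such as the `host->dnssec == DS_YES` test in tls-openssl.c cannot tell "lookup was unsigned" from "never checked", and a later signed A answer following an unsigned AAAA answer still promotes the host to DS_YES, which runs against this commit's both-stages rule. Moving the assignment out of the inner `if` — keep the DEBUG line inside, then unconditionally `host->dnssec = DS_NO; lookup_dnssec_authenticated = US"no";` — records the negative result and makes a mixed AAAA/A outcome resolve to DS_NO; please confirm no caller relies on DS_UNK surviving here. Either way a one-line comment on why DS_UNK is promoted only to DS_YES, never to DS_NO, would help. `set_address_from_dns` starts and ends outside this hunk.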
@@ -2609,19 +2634,11 @@ if (rc != DNS_SUCCEED) last = host; /* End of local chainlet */ host->mx = MX_NONE; host->port = PORT_NONE; - dnssec = DS_UNK; + host->dnssec = DS_UNK; lookup_dnssec_authenticated = NULL; rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE, fully_qualified_name, dnssec_request, dnssec_require); - if (dnssec_request) - { - if (dns_is_secure(&dnsa)) - { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; } - else - { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; } - } - /* If one or more address records have been found, check that none of them are local. Since we know the host items all have their IP addresses inserted, host_scan_for_local_hosts() can only return HOST_FOUND or diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 0bd23ac63..eb74605da 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1664,6 +1664,7 @@ if (host->dnssec == DS_YES) else if (dane_required) { /* Hmm - what lookup, precisely? */ + /*XXX a shame we only find this after making tcp & smtp connection */ log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC"); return FAIL; } diff --git a/test/confs/5850 b/test/confs/5850 index 53cb78ae1..0b132e29e 100644 --- a/test/confs/5850 +++ b/test/confs/5850 @@ -37,9 +37,11 @@ tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} begin routers client: - driver = accept + driver = dnslookup condition = ${if eq {SERVER}{server}{no}{yes}} - retry_use_local_part +# retry_use_local_part + dnssec_request_domains = * + self = send transport = send_to_server server: @@ -54,7 +56,7 @@ begin transports send_to_server: driver = smtp allow_localhost - hosts = 127.0.0.1 +# hosts = 127.0.0.1 port = PORT_D # tls_certificate = DIR/aux-fixed/cert2 # tls_privatekey = DIR/aux-fixed/cert2 -- cgit v1.2.3 From 401a89359e1fcff59218ae2a05a5e9f3a603d915 Mon Sep 17 00:00:00 2001 
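Review bot: With the post-call block removed, the local `dnssec` is no longer assigned anywhere on this no-MX path — the old code set it to DS_UNK here and then to DS_YES/DS_NO — while the MX path in the previous hunk still writes it; if `dnssec` is read further down, for example when the value is propagated to the host items or the return is built, it now carries whatever it held before this point. If it is only meaningful on the MX path now, initialising it at its declaration or adding `dnssec = host->dnssec;` after the `set_address_from_dns` call keeps the two paths symmetric; `host_find_bydns` starts and ends outside this hunk, so I cannot see which applies. The added `/*XXX a shame we only find this after making tcp & smtp connection */` in tls-openssl.c is a fair note: now that `host->dnssec` is populated during routing, a DANE-required host whose lookups were not authenticated could be refused in the transport before any connection is made.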
From: Jeremy Harris Date: Sun, 10 Aug 2014 15:00:27 +0100 Subject: Verifiable conn with DANE-EE(3) / SPKI(1) / SHA2-512(2) --- DANE-draft-notes | 11 +++++++++++ doc/doc-txt/experimental-spec.txt | 17 +++++++++++++++-- src/src/dane-openssl.c | 4 ++-- src/src/tls-openssl.c | 4 ++-- test/confs/5850 | 10 +--------- test/dnszones-src/db.test.ex | 2 +- test/log/5850 | 11 +++++------ test/scripts/5850-DANE-OpenSSL/5850 | 3 ++- 8 files changed, 39 insertions(+), 23 deletions(-) create mode 100644 DANE-draft-notes (limited to 'test/confs') diff --git a/DANE-draft-notes b/DANE-draft-notes new file mode 100644 index 000000000..21b3992cc --- /dev/null +++ b/DANE-draft-notes @@ -0,0 +1,11 @@ + +draft 11 + +3.1.2 - Para 4 (records with Sel Full(0) are discouraged) +==> There's a matching type Full but not such a Selector type. + Should this be "Cert(0), or Matching Type Full(0)" ? + Suspect the latter. + +3.1.2 Needs a para added regarding certificate date verification, + to contrast with the requirement to NOT check for + DANE-EE defined in 3.1.1 diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 6eeb5092c..f1414287d 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1181,7 +1181,10 @@ means not having to pay a CA for certificates. DANE requires a server operator to do three things: 1) run DNSSEC. This provides assurance to clients that DNS lookups they do for the server have not -been tampered with. +been tampered with. The domain MX record applying +to this server, its A record, its TLSA record and +any associated CNAME records must all be covered by +DNSSEC. 2) add TLSA DNS records. These say what the server certificate for a TLS connection should be. 3) offer a server certificate, or certificate chain, 
@@ -1214,7 +1217,17 @@ servers, each having a TLSA query-domain CNAME record, all of which point to a single TLSA record. The TLSA record should have a Selector field of SPKI(1) -and a Matching Type fiels of SHA2-512(2). +and a Matching Type field of SHA2-512(2). + +At the time of writing, https://www.huque.com/bin/gen_tlsa +is useful for quickly generating TLSA records; and commands like + + openssl x509 -in -pubkey -noout /dev/null \ + | openssl sha512 \ + | awk '{print $2}' + +are workable for 4th-field hashes. For use with the DANE_TA model, server certificates must have a correct name (SubjectName or SubjectAltName). diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c index 4f90caa4a..aab32cabd 100644 --- a/src/src/dane-openssl.c +++ b/src/src/dane-openssl.c @@ -859,7 +859,7 @@ X509 *cert = ctx->cert; /* XXX: accessor? */ int matched = 0; int chain_length = sk_X509_num(ctx->chain); -DEBUG(D_tls) debug_printf("Dane library verify_chain fn called\n"); +DEBUG(D_tls) debug_printf("Dane verify_chain\n"); issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER]; leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF]; @@ -952,7 +952,7 @@ int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb; int matched; X509 *cert = ctx->cert; /* XXX: accessor? */ -DEBUG(D_tls) debug_printf("Dane library verify_cert fn called\n"); +DEBUG(D_tls) debug_printf("Dane verify_cert\n"); if(ssl_idx < 0) ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 70ac63f16..001403494 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1796,8 +1796,8 @@ if (dane) { default: /* log bad */ return FAIL; case 0: mdname = NULL; break; - case 1: mdname = "SHA2-256"; break; - case 2: mdname = "SHA2-512"; break; + case 1: mdname = "sha256"; break; + case 2: mdname = "sha512"; break; } switch (DANESSL_add_tlsa(client_ssl, diff --git a/test/confs/5850 b/test/confs/5850 index 0b132e29e..cd4ccc59f 100644 --- a/test/confs/5850 
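Review bot: The digest names are now OpenSSL's canonical `sha256`/`sha512`, but the `default:` arm directly above still carries the `/* log bad */` placeholder and returns FAIL silently, so a TLSA record with an unrecognised matching type fails the delivery with nothing in the main log to explain it. Log the offending value before returning, e.g. `log_write(0, LOG_MAIN, "DANE error: unsupported TLSA matching type %d", <matching-type variable>);` — the variable the `switch` tests sits above the hunk, so I cannot name it. The enclosing `if (dane)` block and its function start and end outside this hunk.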
+++ b/test/confs/5850 @@ -26,10 +26,7 @@ tls_advertise_hosts = * # Set certificate only if server tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} - -#tls_verify_hosts = * -#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} +#tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} # ----- Routers ----- @@ -39,7 +36,6 @@ begin routers client: driver = dnslookup condition = ${if eq {SERVER}{server}{no}{yes}} -# retry_use_local_part dnssec_request_domains = * self = send transport = send_to_server @@ -56,11 +52,7 @@ begin transports send_to_server: driver = smtp allow_localhost -# hosts = 127.0.0.1 port = PORT_D -# tls_certificate = DIR/aux-fixed/cert2 -# tls_privatekey = DIR/aux-fixed/cert2 -# tls_verify_certificates = DIR/aux-fixed/cert2 # hosts_try_dane = * hosts_require_dane = * diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex index bd334918b..fed44daf9 100644 --- a/test/dnszones-src/db.test.ex +++ b/test/dnszones-src/db.test.ex @@ -82,7 +82,7 @@ v6 AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c032 DNSSEC eximtesthost A HOSTIPV4 alias-eximtesthost CNAME eximtesthost.test.ex. -DNSSEC _1225._tcp.eximtesthost TLSA 3 1 2 f000baaa +DNSSEC _1225._tcp.eximtesthost TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d ; A bad CNAME diff --git a/test/log/5850 b/test/log/5850 index e8b37bb61..aad1ade98 100644 --- a/test/log/5850 +++ b/test/log/5850 
@@ -1,14 +1,13 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to eximtesthost.test.ex [ip4.ip4.ip4.ip4] (tlsa load): error:8006C067:DANE library:func(108):Bad TLSA record digest -1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@mxplain.test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@mxplain.test.ex R=client T=send_to_server H=eximtesthost.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> -1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@myhost.test.ex 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/scripts/5850-DANE-OpenSSL/5850 b/test/scripts/5850-DANE-OpenSSL/5850 index 963bf4f4e..449a75bf6 100644 --- a/test/scripts/5850-DANE-OpenSSL/5850 +++ b/test/scripts/5850-DANE-OpenSSL/5850 
@@ -2,10 +2,11 @@ # exim -DSERVER=server -bd -oX PORT_D **** +# TLSA (3 1 2) exim CALLER@mxplain.test.ex Testing **** -exim -d+all -qf +exim -qf **** killdaemon exim -DSERVER=server -DNOTDAEMON -qf -- cgit v1.2.3 From e5cccda9bbf169ea7dc97fa3859735523dd4cec0 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 10 Aug 2014 16:57:15 +0100 Subject: Capture the knowlege that verification succeeded --- src/src/dane-openssl.c | 7 +++---- src/src/tls-openssl.c | 27 +++++++++++++++++++++++++-- test/confs/5850 | 2 +- test/log/5850 | 12 ++++++------ 4 files changed, 35 insertions(+), 13 deletions(-) (limited to 'test/confs') diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c index aab32cabd..2430d475f 100644 --- a/src/src/dane-openssl.c +++ b/src/src/dane-openssl.c @@ -859,7 +859,7 @@ X509 *cert = ctx->cert; /* XXX: accessor? */ int matched = 0; int chain_length = sk_X509_num(ctx->chain); -DEBUG(D_tls) debug_printf("Dane verify_chain\n"); +DEBUG(D_tls) debug_printf("Dane verify-chain\n"); issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER]; leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF]; @@ -952,7 +952,7 @@ int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb; int matched; X509 *cert = ctx->cert; /* XXX: accessor? */ -DEBUG(D_tls) debug_printf("Dane verify_cert\n"); +DEBUG(D_tls) debug_printf("Dane verify-cert\n"); if(ssl_idx < 0) ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); @@ -1084,7 +1084,7 @@ DANESSL_cleanup(SSL *ssl) ssl_dane *dane; int u; -DEBUG(D_tls) debug_printf("Dane library cleanup fn called\n"); +DEBUG(D_tls) debug_printf("Dane lib-cleanup\n"); if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx))) return; @@ -1106,7 +1106,6 @@ if(dane->roots) if(dane->chain) sk_X509_pop_free(dane->chain, X509_free); OPENSSL_free(dane); -DEBUG(D_tls) debug_printf("Dane library cleanup fn return\n"); } static dane_host_list diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 001403494..e37b1add5 100644 --- a/src/src/tls-openssl.c 
+++ b/src/src/tls-openssl.c @@ -361,7 +361,7 @@ else return 0; /* reject */ } # endif -#endif +#endif /*EXPERIMENTAL_CERTNAMES*/ DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n", *calledp ? "" : " authenticated", txt); @@ -385,6 +385,28 @@ return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, } +#ifdef EXPERIMENTAL_DANE +/* This gets called *by* the dane library verify callback, which interposes +itself. +*/ +static int +verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx) +{ +X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx); +static uschar txt[256]; + +X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt)); + +DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt); +tls_out.peerdn = txt; +tls_out.peercert = X509_dup(cert); + +if (state == 1) + tls_out.certificate_verified = TRUE; +return 1; +} +#endif + /************************************************* * Information callback * @@ -999,7 +1021,6 @@ return i; #endif /*!DISABLE_OCSP*/ - /************************************************* * Initialize for TLS * *************************************************/ @@ -1713,6 +1734,8 @@ if (expciphers != NULL) #ifdef EXPERIMENTAL_DANE if (dane) { + SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane); + if (!DANESSL_library_init()) return tls_error(US"library init", host, NULL); if (DANESSL_CTX_init(client_ctx) <= 0) diff --git a/test/confs/5850 b/test/confs/5850 index cd4ccc59f..b2c7cb7eb 100644 --- a/test/confs/5850 +++ b/test/confs/5850 @@ -16,7 +16,7 @@ gecos_name = CALLER_NAME acl_smtp_rcpt = accept -log_selector = +tls_peerdn +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified queue_only queue_run_in_order diff --git a/test/log/5850 b/test/log/5850 index 568396d01..7266ec26a 100644 --- a/test/log/5850 +++ b/test/log/5850 
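Review bot: `verify_callback_client_dane` overwrites `tls_out.peercert` with a fresh `X509_dup(cert)` on every invocation and never releases the previous value, and it records whichever certificate `X509_STORE_CTX_get_current_cert` returns without looking at the chain depth, so if the DANE library invokes it once per chain element the recorded peerdn/peercert can end up being an issuer rather than the leaf and the earlier duplicates leak. Guarding the assignments with `X509_STORE_CTX_get_error_depth(x509ctx) == 0` and freeing any existing `tls_out.peercert` first addresses both, assuming peercert is not released elsewhere per connection — worth confirming against the non-DANE `verify_callback`, which is outside the hunk. The callback also unconditionally returns 1, so with `SSL_VERIFY_PEER` set in the later hunk, rejecting a bad chain rests entirely on the DANE library's interposed verifier; a comment stating that would help the next reader. The function is fully contained in this hunk.
```c
static int
verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
{
X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
static uschar txt[256];

X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt);

/* Only the end-entity certificate (depth 0) is the peer; the DANE
library may present issuer certificates through this callback too.
Returning 1 never rejects: acceptance is decided by the library's
interposed verifier. */
if (X509_STORE_CTX_get_error_depth(x509ctx) == 0)
  {
  tls_out.peerdn = txt;
  if (tls_out.peercert) X509_free(tls_out.peercert);  /* drop any earlier copy */
  tls_out.peercert = X509_dup(cert);
  if (state == 1)
    tls_out.certificate_verified = TRUE;
  }
return 1;
}
```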
@@ -1,16 +1,16 @@ -1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbA-0005vi-00 <= 
CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -- cgit v1.2.3 From 82525c6fc2b2c12202b93250c2774bf50baae300 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 10 Aug 2014 19:06:47 +0100 Subject: Add (2 0 1) test --- .../example.com/server1.example.com/fullchain.pem | 58 ++++++++++++++++++++++ test/aux-fixed/exim-ca/genall | 10 ++++ test/confs/5850 | 17 +++++-- test/dnszones-src/db.test.ex | 5 ++ test/log/5850 | 11 ++++ test/scripts/5850-DANE-OpenSSL/5850 | 17 ++++++- 6 files changed, 113 insertions(+), 5 deletions(-) create mode 100644 test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem (limited to 'test/confs') diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem new file mode 100644 index 000000000..27ee5ef4f --- /dev/null +++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/fullchain.pem 
@@ -0,0 +1,58 @@ +Bag Attributes + friendlyName: server1.example.com + localKeyID: 39 11 FB 30 22 36 42 DA FC D7 A2 8A 0C 60 83 2F 66 A7 B8 4E +subject=/CN=server1.example.com +issuer=/O=example.com/CN=clica Signing Cert +-----BEGIN CERTIFICATE----- +MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy +MzQwNVoXDTM4MDEwMTEyMzQwNVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl +LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyAGT263/ZlxGjPEi2BQj +DMa/86TF+zVzMfozEZNOLiX6Sov54fW5I0nXCm0CjACOelLa2Eos/vqffxu0w5hM +A8slRHrt0Gak7dJjwgKK/5NAQDrA+WnyJx/62u25299oCKk+egulCC0D3XczA89N +cLuz8iKvYnWT+rdnbFdAPdcCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMGUGA1Ud +EQReMFyCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLmNvbYIiYWx0ZXJu +YXRlbmFtZTIuc2VydmVyMS5leGFtcGxlLmNvbYITc2VydmVyMS5leGFtcGxlLmNv +bTANBgkqhkiG9w0BAQUFAAOBgQBWOqQ8y+u4J8KQCHQTiNxIxrUs5Sa+W5HUZ+c8 +SRLXRzDfmNtY7RiofUvbl0j1XH9wuTdjM/EkYnKSYPVu2ra8c8jC3NaVmr0WFqLv +CvHXQWj2rZha0P/ZG1GfWc4vPYTQ7ugr65syGg4CPswwiUQJKnWBRqe27X1B61pj ++pxY7w== +-----END CERTIFICATE----- +Bag Attributes + friendlyName: Signing Cert +subject=/O=example.com/CN=clica Signing Cert +issuer=/O=example.com/CN=clica CA +-----BEGIN CERTIFICATE----- +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw 
+Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= +-----END CERTIFICATE----- +Bag Attributes + friendlyName: Certificate Authority +subject=/O=example.com/CN=clica CA +issuer=/O=example.com/CN=clica CA +-----BEGIN CERTIFICATE----- +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw +MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh +tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX +Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02 +H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl +qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46 +eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z +RSHyhbTD0HeiJDI281BoOJjm +-----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall index d1901fe7e..0e3feb25e 100755 --- a/test/aux-fixed/exim-ca/genall +++ b/test/aux-fixed/exim-ca/genall @@ -17,6 +17,16 @@ do clica -D example.$tld -p password -s 201 -S server2.example.$tld clica -D example.$tld -p password -s 202 -S revoked2.example.$tld clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1 + + + # openssl seems to generate a file (ca_chain.pam) in an order it + # cannot then use (the key applies to the first cert in the file?). + # Generate a shuffled one. + cd example.$tld/server1.example.$tld + openssl pkcs12 -in server1.example.com.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys + cat server1.example.com.pem cacerts.pem > fullchain.pem + rm cacerts.pem + cd ../.. done # and loop again 
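Review bot: The new lines in the genall hunk hard-code `.com` in `server1.example.com.p12` and `server1.example.com.pem` while the `cd example.$tld/server1.example.$tld` just above them and the surrounding `clica` calls use `$tld`, so if the loop (its `for` is outside the hunk) ever iterates another TLD the `openssl pkcs12` input will not exist and `fullchain.pem` is assembled from a missing file. The `cd` is also unchecked: on failure the `openssl`, `cat` and `rm` run in the parent directory and the trailing `cd ../..` then leaves the loop two levels too high for the next iteration. I would write `cd example.$tld/server1.example.$tld || exit 1`, `openssl pkcs12 -in server1.example.$tld.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys` and `cat server1.example.$tld.pem cacerts.pem > fullchain.pem`. The comment's `ca_chain.pam` presumably means `ca_chain.pem`, and it would help to say that the output is the order DANE-TA needs (server cert first, trust-anchor CA last).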
diff --git a/test/confs/5850 b/test/confs/5850
index b2c7cb7eb..c381ef616 100644
--- a/test/confs/5850
+++ b/test/confs/5850
@@ -24,9 +24,20 @@ queue_run_in_order
 tls_advertise_hosts = *
 # Set certificate only if server
+CDIR1 = DIR/aux-fixed
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-#tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = ${if eq {SERVER}{server} \
+ {${if eq {DETAILS}{ta} \
+ {CDIR2/fullchain.pem}\
+ {CDIR1/cert1}}}\
+ fail}
+
+tls_privatekey = ${if eq {SERVER}{server} \
+ {${if eq {DETAILS}{ta} \
+ {CDIR2/server1.example.com.unlocked.key}\
+ {CDIR1/cert1}}}\
+ fail}
 # ----- Routers -----
@@ -35,7 +46,7 @@ begin routers
 client:
 driver = dnslookup
- condition = ${if eq {SERVER}{server}{no}{yes}}
+ condition = ${if eq {SERVER}{}}
 dnssec_request_domains = *
 self = send
 transport = send_to_server
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 5cc61fd8a..4ec367cc9 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -394,4 +394,9 @@ DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb5904
 DNSSEC dane256ee A HOSTIPV4
 DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3
+; full MX, sha256, TA-mode
+DNSSEC mxdane256ta MX 1 dane256ta.
+DNSSEC dane256ta A HOSTIPV4
+DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4
+
 ; End
diff --git a/test/log/5850 b/test/log/5850
index 498137321..62dc13f02 100644
--- a/test/log/5850
+++ b/test/log/5850
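Review bot: The `ta` branch of `tls_certificate` in the first confs/5850 hunk switches the server to `CDIR2/fullchain.pem` with no comment on why a full chain (server cert, signing cert and root CA, as the new fullchain.pem holds) is required there. The `2 0 1` TLSA record added in db.test.ex names the trust-anchor certificate itself, so the server has to send that CA certificate in its handshake chain or DANE-TA verification has nothing to match against; a `cert1`-style single certificate would fail in that mode with no hint why. I would put above `CDIR1`: `# TA mode (TLSA usage 2) needs the trust-anchor CA cert sent in the chain, hence fullchain.pem; EE mode can use the bare cert1`. In the second hunk `condition = ${if eq {SERVER}{}}` leans on the bare `${if}` form yielding true/false; a one-line comment that the client router is active only when SERVER is unset would help the next reader.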
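Review bot: The `2 0 1` record for `_1225._tcp.dane256ta` in the db.test.ex hunk pins a SHA-256 digest without saying which certificate it covers or how it was produced; presumably it is the DER of the clica CA that the TA-mode server sends via fullchain.pem, in which case rerunning `genall` regenerates that CA and silently stales the digest, and the test would then fail with a bare DANE verification error rather than anything pointing here. A comment on the record such as `; 2 0 1 = usage DANE-TA, selector full cert, sha256 of the DER clica CA in exim-ca/example.com -- refresh after rerunning genall` would save the next person the hunt.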
@@ -6,6 +6,11 @@ 1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ta.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ta.test.ex R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 @@ -17,3 +22,9 @@ 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/scripts/5850-DANE-OpenSSL/5850 b/test/scripts/5850-DANE-OpenSSL/5850 index a021dee6e..814b4b0e8 100644 --- a/test/scripts/5850-DANE-OpenSSL/5850 +++ b/test/scripts/5850-DANE-OpenSSL/5850 
@@ -1,6 +1,6 @@ # DANE client: general # -exim -DSERVER=server -bd -oX PORT_D +exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D **** # TLSA (3 1 1) exim CALLER@dane256ee.test.ex @@ -13,5 +13,18 @@ Testing exim -qf **** killdaemon -exim -DSERVER=server -DNOTDAEMON -qf +exim -DSERVER=server -DDETAILS=ee -DNOTDAEMON -qf +**** +# +# +exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D +**** +# TLSA (2 0 1) +exim CALLER@mxdane256ta.test.ex +Testing +**** +exim -qf +**** +killdaemon +exim -DSERVER=server -DDETAILS=ta -DNOTDAEMON -qf **** -- cgit v1.2.3 From f652fa8083925080b92b02897f1ee872ff2d3bba Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 14 Aug 2014 20:28:02 +0100 Subject: Add testcase for TLSA record access --- test/confs/5890 | 10 ++++++++++ test/scripts/5890-DANE/5890 | 12 ++++++++++++ test/scripts/5890-DANE/REQUIRES | 2 ++ test/stdout/5890 | 4 ++++ 4 files changed, 28 insertions(+) create mode 100644 test/confs/5890 create mode 100644 test/scripts/5890-DANE/5890 create mode 100644 test/scripts/5890-DANE/REQUIRES create mode 100644 test/stdout/5890 (limited to 'test/confs') diff --git a/test/confs/5890 b/test/confs/5890 new file mode 100644 index 000000000..bd0b77df2 --- /dev/null +++ b/test/confs/5890 @@ -0,0 +1,10 @@ +# Exim test configuration 5890 +# DANE common + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +spool_directory = DIR/spool + +# ----- Main settings ----- + diff --git a/test/scripts/5890-DANE/5890 b/test/scripts/5890-DANE/5890 new file mode 100644 index 000000000..fd7b6d6d3 --- /dev/null +++ b/test/scripts/5890-DANE/5890 @@ -0,0 +1,12 @@ +# Expansion test for DANE. +# +# Some systems seem to use 1-byte fields for the leading +# 3 fields in a TLSA record, others 2-bytes. +# We need the result to match the string in dnszones-src/db.test.ex + +exim -be + +dnslookup tpda: ${lookup dnsdb {tlsa=_1225._tcp.dane512ee.test.ex} \ + {$value}{none}} + +**** 
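Review bot: The expected output for the scripts/5890-DANE/5890 hunk (test/stdout/5890 in this commit, and its renamed copy test/stdout/5800 in the later "Shuffle test order" commit) pins `3 1 2` followed by 128 hex digits — a full SHA-512 — plus a trailing `000000`, which looks like exactly the three-byte field-width discrepancy this script's own comment describes. If that is a platform artefact of how the dnsdb tlsa lookup renders the record, the test only passes on one class of system and the comment's "we need the result to match the string in dnszones-src/db.test.ex" is not what the fixture checks; if it is not, the comment is misleading. Either the dnsdb formatter should be fixed so the rendering equals the zone text, or the comment should say `# NOTE: the trailing zero bytes in stdout are the field-width artefact described above, not part of the digest`. The label `tpda:` has nothing to do with TPDA; `tlsa:`, as the rename in the later commit uses, reads better.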
diff --git a/test/scripts/5890-DANE/REQUIRES b/test/scripts/5890-DANE/REQUIRES new file mode 100644 index 000000000..2314a3236 --- /dev/null +++ b/test/scripts/5890-DANE/REQUIRES @@ -0,0 +1,2 @@ +support Experimental_DANE +running IPv4 diff --git a/test/stdout/5890 b/test/stdout/5890 new file mode 100644 index 000000000..815d95942 --- /dev/null +++ b/test/stdout/5890 @@ -0,0 +1,4 @@ +> +> dnslookup tpda: 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d000000 +> +> -- cgit v1.2.3 From 360c049264151071203aee2f957472321ff0dc41 Mon Sep 17 00:00:00 2001 
From: Jeremy Harris Date: Thu, 14 Aug 2014 20:47:31 +0100 Subject: Shuffle test order --- test/confs/5800 | 68 +--------------------------- test/confs/5820 | 74 ++++++++++++++++++++++++++++++ test/confs/5840 | 80 +++++++++++++++++++++++++++++++++ test/confs/5850 | 80 --------------------------------- test/confs/5890 | 10 ----- test/log/5840 | 30 +++++++++++++ test/log/5850 | 30 ------------- test/scripts/5800-DANE-GnuTLS/5800 | 14 ------ test/scripts/5800-DANE-GnuTLS/REQUIRES | 3 -- test/scripts/5800-DANE/5800 | 12 +++++ test/scripts/5800-DANE/REQUIRES | 2 + test/scripts/5820-DANE-GnuTLS/5820 | 14 ++++++ test/scripts/5820-DANE-GnuTLS/REQUIRES | 3 ++ test/scripts/5840-DANE-OpenSSL/5840 | 30 +++++++++++++ test/scripts/5840-DANE-OpenSSL/REQUIRES | 3 ++ test/scripts/5850-DANE-OpenSSL/5850 | 30 ------------- test/scripts/5850-DANE-OpenSSL/REQUIRES | 3 -- test/scripts/5890-DANE/5890 | 12 ----- test/scripts/5890-DANE/REQUIRES | 2 - test/stdout/5800 | 4 ++ test/stdout/5890 | 4 -- 21 files changed, 254 insertions(+), 254 deletions(-) create mode 100644 test/confs/5820 create mode 100644 test/confs/5840 delete mode 100644 test/confs/5850 delete mode 100644 test/confs/5890 create mode 100644 test/log/5840 delete mode 100644 test/log/5850 delete mode 100644 test/scripts/5800-DANE-GnuTLS/5800 delete mode 100644 test/scripts/5800-DANE-GnuTLS/REQUIRES create mode 100644 test/scripts/5800-DANE/5800 create mode 100644 test/scripts/5800-DANE/REQUIRES create mode 100644 test/scripts/5820-DANE-GnuTLS/5820 create mode 100644 test/scripts/5820-DANE-GnuTLS/REQUIRES create mode 100644 test/scripts/5840-DANE-OpenSSL/5840 create mode 100644 test/scripts/5840-DANE-OpenSSL/REQUIRES delete mode 100644 test/scripts/5850-DANE-OpenSSL/5850 delete mode 100644 test/scripts/5850-DANE-OpenSSL/REQUIRES delete mode 100644 test/scripts/5890-DANE/5890 delete mode 100644 test/scripts/5890-DANE/REQUIRES create mode 100644 test/stdout/5800 delete mode 100644 test/stdout/5890 (limited to 'test/confs') 
diff --git a/test/confs/5800 b/test/confs/5800 index f1bd09d1c..bd0b77df2 100644 --- a/test/confs/5800 +++ b/test/confs/5800 @@ -1,74 +1,10 @@ -# Exim test configuration 5800 -# DANE - -SERVER= +# Exim test configuration 5890 +# DANE common exim_path = EXIM_PATH host_lookup_order = bydns primary_hostname = myhost.test.ex -rfc1413_query_timeout = 0s spool_directory = DIR/spool -log_file_path = DIR/spool/log/SERVER%slog -gecos_pattern = "" -gecos_name = CALLER_NAME # ----- Main settings ----- -acl_smtp_rcpt = accept - -log_selector = +tls_peerdn - -queue_only -queue_run_in_order - -tls_advertise_hosts = * -# needed to force generation -tls_dhparam = historic - -# Set certificate only if server - -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} - -#tls_verify_hosts = * -#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} - - -# ----- Routers ----- - -begin routers - -client: - driver = accept - condition = ${if eq {SERVER}{server}{no}{yes}} - retry_use_local_part - transport = send_to_server - -server: - driver = redirect - data = :blackhole: - - -# ----- Transports ----- - -begin transports - -send_to_server: - driver = smtp - allow_localhost - hosts = 127.0.0.1 - port = PORT_D -# tls_certificate = DIR/aux-fixed/cert2 -# tls_privatekey = DIR/aux-fixed/cert2 -# tls_verify_certificates = DIR/aux-fixed/cert2 - - -# ----- Retry ----- - - -begin retry - -* * F,5d,10s - - -# End diff --git a/test/confs/5820 b/test/confs/5820 new file mode 100644 index 000000000..f1bd09d1c --- /dev/null +++ b/test/confs/5820 
@@ -0,0 +1,74 @@ +# Exim test configuration 5800 +# DANE + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * +# needed to force generation +tls_dhparam = historic + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} + +#tls_verify_hosts = * +#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = send_to_server + +server: + driver = redirect + data = :blackhole: + + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D +# tls_certificate = DIR/aux-fixed/cert2 +# tls_privatekey = DIR/aux-fixed/cert2 +# tls_verify_certificates = DIR/aux-fixed/cert2 + + +# ----- Retry ----- + + +begin retry + +* * F,5d,10s + + +# End diff --git a/test/confs/5840 b/test/confs/5840 new file mode 100644 index 000000000..c381ef616 --- /dev/null +++ b/test/confs/5840 
@@ -0,0 +1,80 @@ +# Exim test configuration 5850 +# DANE + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +# Set certificate only if server +CDIR1 = DIR/aux-fixed +CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com + +tls_certificate = ${if eq {SERVER}{server} \ + {${if eq {DETAILS}{ta} \ + {CDIR2/fullchain.pem}\ + {CDIR1/cert1}}}\ + fail} + +tls_privatekey = ${if eq {SERVER}{server} \ + {${if eq {DETAILS}{ta} \ + {CDIR2/server1.example.com.unlocked.key}\ + {CDIR1/cert1}}}\ + fail} + + +# ----- Routers ----- + +begin routers + +client: + driver = dnslookup + condition = ${if eq {SERVER}{}} + dnssec_request_domains = * + self = send + transport = send_to_server + +server: + driver = redirect + data = :blackhole: + + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + allow_localhost + port = PORT_D + +# hosts_try_dane = * + hosts_require_dane = * + + +# ----- Retry ----- + + +begin retry + +* * F,5d,10s + + +# End diff --git a/test/confs/5850 b/test/confs/5850 deleted file mode 100644 index c381ef616..000000000 --- a/test/confs/5850 +++ /dev/null 
@@ -1,80 +0,0 @@ -# Exim test configuration 5850 -# DANE - -SERVER= - -exim_path = EXIM_PATH -host_lookup_order = bydns -primary_hostname = myhost.test.ex -rfc1413_query_timeout = 0s -spool_directory = DIR/spool -log_file_path = DIR/spool/log/SERVER%slog -gecos_pattern = "" -gecos_name = CALLER_NAME - -# ----- Main settings ----- - -acl_smtp_rcpt = accept - -log_selector = +received_recipients +tls_peerdn +tls_certificate_verified - -queue_only -queue_run_in_order - -tls_advertise_hosts = * - -# Set certificate only if server -CDIR1 = DIR/aux-fixed -CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com - -tls_certificate = ${if eq {SERVER}{server} \ - {${if eq {DETAILS}{ta} \ - {CDIR2/fullchain.pem}\ - {CDIR1/cert1}}}\ - fail} - -tls_privatekey = ${if eq {SERVER}{server} \ - {${if eq {DETAILS}{ta} \ - {CDIR2/server1.example.com.unlocked.key}\ - {CDIR1/cert1}}}\ - fail} - - -# ----- Routers ----- - -begin routers - -client: - driver = dnslookup - condition = ${if eq {SERVER}{}} - dnssec_request_domains = * - self = send - transport = send_to_server - -server: - driver = redirect - data = :blackhole: - - -# ----- Transports ----- - -begin transports - -send_to_server: - driver = smtp - allow_localhost - port = PORT_D - -# hosts_try_dane = * - hosts_require_dane = * - - -# ----- Retry ----- - - -begin retry - -* * F,5d,10s - - -# End diff --git a/test/confs/5890 b/test/confs/5890 deleted file mode 100644 index bd0b77df2..000000000 --- a/test/confs/5890 +++ /dev/null @@ -1,10 +0,0 @@ -# Exim test configuration 5890 -# DANE common - -exim_path = EXIM_PATH -host_lookup_order = bydns -primary_hostname = myhost.test.ex -spool_directory = DIR/spool - -# ----- Main settings ----- - diff --git a/test/log/5840 b/test/log/5840 new file mode 100644 index 000000000..62dc13f02 --- /dev/null +++ b/test/log/5840 
@@ -0,0 +1,30 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ta.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ta.test.ex R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss 
id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/log/5850 b/test/log/5850 deleted file mode 100644 index 62dc13f02..000000000 --- a/test/log/5850 +++ /dev/null 
@@ -1,30 +0,0 @@ -1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex -1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" -1999-03-02 09:44:33 10HmaY-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ta.test.ex -1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ta.test.ex R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" -1999-03-02 09:44:33 10HmbB-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -qf - -******** SERVER ******** -1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss 
id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex -1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmbA-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -qf -1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex -1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmbC-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/scripts/5800-DANE-GnuTLS/5800 b/test/scripts/5800-DANE-GnuTLS/5800 deleted file mode 100644 index 07ad7406d..000000000 --- a/test/scripts/5800-DANE-GnuTLS/5800 +++ /dev/null @@ -1,14 +0,0 @@ -# DANE client: general -# -gnutls -# -exim -DSERVER=server -bd -oX PORT_D -**** -exim CALLER@test.ex -Testing -**** -exim -qf -**** -killdaemon -exim -DSERVER=server -DNOTDAEMON -qf -**** diff --git a/test/scripts/5800-DANE-GnuTLS/REQUIRES b/test/scripts/5800-DANE-GnuTLS/REQUIRES deleted file mode 100644 index 4234c92f8..000000000 --- a/test/scripts/5800-DANE-GnuTLS/REQUIRES +++ /dev/null @@ -1,3 +0,0 @@ -support Experimental_DANE -support GnuTLS -running IPv4 diff --git a/test/scripts/5800-DANE/5800 b/test/scripts/5800-DANE/5800 new file mode 100644 index 000000000..98a70c115 --- /dev/null +++ b/test/scripts/5800-DANE/5800 
@@ -0,0 +1,12 @@ +# Expansion test for DANE. +# +# Some systems seem to use 1-byte fields for the leading +# 3 fields in a TLSA record, others 2-bytes. +# We need the result to match the string in dnszones-src/db.test.ex + +exim -be + +dnslookup tlsa: ${lookup dnsdb {tlsa=_1225._tcp.dane512ee.test.ex} \ + {$value}{none}} + +**** diff --git a/test/scripts/5800-DANE/REQUIRES b/test/scripts/5800-DANE/REQUIRES new file mode 100644 index 000000000..2314a3236 --- /dev/null +++ b/test/scripts/5800-DANE/REQUIRES @@ -0,0 +1,2 @@ +support Experimental_DANE +running IPv4 diff --git a/test/scripts/5820-DANE-GnuTLS/5820 b/test/scripts/5820-DANE-GnuTLS/5820 new file mode 100644 index 000000000..07ad7406d --- /dev/null +++ b/test/scripts/5820-DANE-GnuTLS/5820 @@ -0,0 +1,14 @@ +# DANE client: general +# +gnutls +# +exim -DSERVER=server -bd -oX PORT_D +**** +exim CALLER@test.ex +Testing +**** +exim -qf +**** +killdaemon +exim -DSERVER=server -DNOTDAEMON -qf +**** diff --git a/test/scripts/5820-DANE-GnuTLS/REQUIRES b/test/scripts/5820-DANE-GnuTLS/REQUIRES new file mode 100644 index 000000000..4234c92f8 --- /dev/null +++ b/test/scripts/5820-DANE-GnuTLS/REQUIRES @@ -0,0 +1,3 @@ +support Experimental_DANE +support GnuTLS +running IPv4 diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840 new file mode 100644 index 000000000..814b4b0e8 --- /dev/null +++ b/test/scripts/5840-DANE-OpenSSL/5840 @@ -0,0 +1,30 @@ +# DANE client: general +# +exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D +**** +# TLSA (3 1 1) +exim CALLER@dane256ee.test.ex +Testing +**** +# TLSA (3 1 2) +exim CALLER@mxdane512ee.test.ex +Testing +**** +exim -qf +**** +killdaemon +exim -DSERVER=server -DDETAILS=ee -DNOTDAEMON -qf +**** +# +# +exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D +**** +# TLSA (2 0 1) +exim CALLER@mxdane256ta.test.ex +Testing +**** +exim -qf +**** +killdaemon +exim -DSERVER=server -DDETAILS=ta -DNOTDAEMON -qf +**** 
diff --git a/test/scripts/5840-DANE-OpenSSL/REQUIRES b/test/scripts/5840-DANE-OpenSSL/REQUIRES new file mode 100644 index 000000000..59cb7dc91 --- /dev/null +++ b/test/scripts/5840-DANE-OpenSSL/REQUIRES @@ -0,0 +1,3 @@ +support Experimental_DANE +support OpenSSL +running IPv4 diff --git a/test/scripts/5850-DANE-OpenSSL/5850 b/test/scripts/5850-DANE-OpenSSL/5850 deleted file mode 100644 index 814b4b0e8..000000000 --- a/test/scripts/5850-DANE-OpenSSL/5850 +++ /dev/null @@ -1,30 +0,0 @@ -# DANE client: general -# -exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D -**** -# TLSA (3 1 1) -exim CALLER@dane256ee.test.ex -Testing -**** -# TLSA (3 1 2) -exim CALLER@mxdane512ee.test.ex -Testing -**** -exim -qf -**** -killdaemon -exim -DSERVER=server -DDETAILS=ee -DNOTDAEMON -qf -**** -# -# -exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D -**** -# TLSA (2 0 1) -exim CALLER@mxdane256ta.test.ex -Testing -**** -exim -qf -**** -killdaemon -exim -DSERVER=server -DDETAILS=ta -DNOTDAEMON -qf -**** diff --git a/test/scripts/5850-DANE-OpenSSL/REQUIRES b/test/scripts/5850-DANE-OpenSSL/REQUIRES deleted file mode 100644 index 59cb7dc91..000000000 --- a/test/scripts/5850-DANE-OpenSSL/REQUIRES +++ /dev/null @@ -1,3 +0,0 @@ -support Experimental_DANE -support OpenSSL -running IPv4 diff --git a/test/scripts/5890-DANE/5890 b/test/scripts/5890-DANE/5890 deleted file mode 100644 index fd7b6d6d3..000000000 --- a/test/scripts/5890-DANE/5890 +++ /dev/null @@ -1,12 +0,0 @@ -# Expansion test for DANE. -# -# Some systems seem to use 1-byte fields for the leading -# 3 fields in a TLSA record, others 2-bytes. -# We need the result to match the string in dnszones-src/db.test.ex - -exim -be - -dnslookup tpda: ${lookup dnsdb {tlsa=_1225._tcp.dane512ee.test.ex} \ - {$value}{none}} - -**** diff --git a/test/scripts/5890-DANE/REQUIRES b/test/scripts/5890-DANE/REQUIRES deleted file mode 100644 index 2314a3236..000000000 --- a/test/scripts/5890-DANE/REQUIRES +++ /dev/null 
@@ -1,2 +0,0 @@ -support Experimental_DANE -running IPv4 diff --git a/test/stdout/5800 b/test/stdout/5800 new file mode 100644 index 000000000..bcbbd88e0 --- /dev/null +++ b/test/stdout/5800 @@ -0,0 +1,4 @@ +> +> dnslookup tlsa: 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d000000 +> +> diff --git a/test/stdout/5890 b/test/stdout/5890 deleted file mode 100644 index 815d95942..000000000 --- a/test/stdout/5890 +++ /dev/null @@ -1,4 +0,0 @@ -> -> dnslookup tpda: 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d000000 -> -> -- cgit v1.2.3 From 594706ea2e56fe8c972eab772bd3e58c7a0c89ab Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 17 Aug 2014 00:41:17 +0100 Subject: Add observability variables and provision for avoiding OCSP conflicts --- doc/doc-txt/experimental-spec.txt | 25 ++++++++++++++++++++++++- src/src/expand.c | 6 ++++++ src/src/globals.c | 2 ++ src/src/globals.h | 1 + src/src/tls-openssl.c | 32 +++++++++++++++++++++++++------- test/confs/5840 | 3 +++ 6 files changed, 61 insertions(+), 8 deletions(-) (limited to 'test/confs') diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index b1b89e007..c060a6c5a 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt 
@@ -1235,7 +1235,25 @@ must have a correct name (SubjectName or SubjectAltName). The use of OCSP-stapling should be considered, allowing for fast revocation of certificates (which would otherwise be limited by the DNS TTL on the TLSA records). However, -this is likely to only be usable with DANE_TA. +this is likely to only be usable with DANE_TA. NOTE: the +default is to request OCSP for all hosts; the certificate +chain in DANE_EE usage will be insufficient to validate +the OCSP proof and verification will fail. Either disable +OCSP completely or use the (new) variable $tls_out_tlsa_usage +like so: + + hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \ + {= {0}{$tls_out_tlsa_usage}} } \ + {*}{}} +The variable is a bitfield with numbered bits set for TLSA +record usage codes. The zero above means DANE was not in use, +the four means that only DANE_TA usage TLSA records were +found. If the definition of hosts_require_ocsp or +hosts_request_ocsp includes the string "tls_out_tlsa_usage", +they are re-expanded in time to control the OCSP request. + +[ All a bit complicated. Should we make that definition +the default? Should we override the user's definition? ] For client-side DANE there are two new smtp transport options, @@ -1260,6 +1278,11 @@ and dnssec_require_domains is ignored. If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane". +There is a new variable $tls_out_dane which will have "yes" if +verification succeeded using DANE and "no" otherwise (only useful +in combination with EXPERIMENTAL_TPDA), and a new variable +$tls_out_tlsa_usage (detailed above). + -------------------------------------------------------------- End of file diff --git a/src/src/expand.c b/src/src/expand.c index e5af63d89..ba2c6f7cd 100644 --- a/src/src/expand.c +++ b/src/src/expand.c 
@@ -684,6 +684,9 @@ static var_entry var_table[] = { { "tls_out_bits", vtype_int, &tls_out.bits }, { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified }, { "tls_out_cipher", vtype_stringptr, &tls_out.cipher }, +#ifdef EXPERIMENTAL_DANE + { "tls_out_dane", vtype_bool, &tls_out.dane_verified }, +#endif { "tls_out_ocsp", vtype_int, &tls_out.ocsp }, { "tls_out_ourcert", vtype_cert, &tls_out.ourcert }, { "tls_out_peercert", vtype_cert, &tls_out.peercert }, @@ -691,6 +694,9 @@ static var_entry var_table[] = { #if defined(SUPPORT_TLS) { "tls_out_sni", vtype_stringptr, &tls_out.sni }, #endif +#ifdef EXPERIMENTAL_DANE + { "tls_out_tlsa_usage", vtype_int, &tls_out.tlsa_usage }, +#endif { "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */ #if defined(SUPPORT_TLS) diff --git a/src/src/globals.c b/src/src/globals.c index d09903d65..409c324e9 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -105,6 +105,7 @@ tls_support tls_in = { FALSE,/* tls_certificate_verified */ #ifdef EXPERIMENTAL_DANE FALSE,/* dane_verified */ + 0, /* tlsa_usage */ #endif NULL, /* tls_cipher */ FALSE,/* tls_on_connect */ @@ -121,6 +122,7 @@ tls_support tls_out = { FALSE,/* tls_certificate_verified */ #ifdef EXPERIMENTAL_DANE FALSE,/* dane_verified */ + 0, /* tlsa_usage */ #endif NULL, /* tls_cipher */ FALSE,/* tls_on_connect */ diff --git a/src/src/globals.h b/src/src/globals.h index 654114848..1adda6411 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -84,6 +84,7 @@ typedef struct { BOOL certificate_verified; /* Client certificate verified */ #ifdef EXPERIMENTAL_DANE BOOL dane_verified; /* ... via DANE */ + int tlsa_usage; /* TLSA record(s) usage */ #endif uschar *cipher; /* Cipher used */ BOOL on_connect; /* For older MTAs that don't STARTTLS */ diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 144be6f63..57b0808fb 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c 
@@ -1693,6 +1693,8 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); return tls_error(US"tlsa load", host, NULL); case 1: break; } + + tls_out.tlsa_usage |= 1<hosts_require_dane, NULL, host->name, host->address, NULL) == OK; @@ -1764,7 +1767,6 @@ else if (dane_required) log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC"); return FAIL; } - #endif #ifndef DISABLE_OCSP @@ -1855,9 +1857,31 @@ if (ob->tls_sni) } } +#ifdef EXPERIMENTAL_DANE +if (dane) + if ((rc = dane_tlsa_load(client_ssl, host, &tlsa_dnsa)) != OK) + return rc; +#endif + #ifndef DISABLE_OCSP /* Request certificate status at connection-time. If the server does OCSP stapling we will get the callback (set in tls_init()) */ +if (request_ocsp) + { + const uschar * s; + if ( (s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage") + || (s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage") + ) + { /* Re-eval now $tls_out_tlsa_usage is populated. If + this means we avoid the OCSP request, we wasted the setup + cost in tls_init(). */ + require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, + NULL, host->name, host->address, NULL) == OK; + request_ocsp = require_ocsp ? TRUE + : verify_check_this_host(&ob->hosts_request_ocsp, + NULL, host->name, host->address, NULL) == OK; + } + } if (request_ocsp) { SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp); @@ -1866,12 +1890,6 @@ if (request_ocsp) } #endif -#ifdef EXPERIMENTAL_DANE -if (dane) - if ((rc = dane_tlsa_load(client_ssl, host, &tlsa_dnsa)) != OK) - return rc; -#endif - /* There doesn't seem to be a built-in timeout on connection. */ diff --git a/test/confs/5840 b/test/confs/5840 index c381ef616..4359b9a59 100644 --- a/test/confs/5840 +++ b/test/confs/5840 @@ -67,6 +67,9 @@ send_to_server: # hosts_try_dane = * hosts_require_dane = * + hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \ + {= {0}{$tls_out_tlsa_usage}} } \ + {*}{}} # ----- Retry ----- -- cgit v1.2.3 
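Review bot: The added `tls_out.tlsa_usage |= 1<<...` takes its shift count from a field of a TLSA record fetched over DNS (the line is partly garbled in this rendering, but it appears to be the record's usage byte), and if `dane_tlsa_load` does not already discard records whose usage is not 2 or 3 before reaching this point — that filtering, if any, is above the hunk — a usage value of 31 or more makes the shift on an `int` undefined behaviour. The safe form is to `continue` on any usage other than 2 or 3 before the `switch`, so only known bits ever reach the bitfield. I also don't see `tls_out.tlsa_usage` being cleared at the start of a connection anywhere in this series; if it isn't, bits from an earlier delivery in the same process carry over, and a DANE-TA-only host could be seen as usage 12, which the documented `hosts_request_ocsp` expression treats as "do not request OCSP". The enclosing loop and function start above the hunk.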
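Review bot: The re-expansion of `hosts_require_ocsp`/`hosts_request_ocsp` in the `#ifndef DISABLE_OCSP` block only runs inside `if (request_ocsp)`, so an operator whose expression is false when `$tls_out_tlsa_usage` is 0 (its value at `tls_init()` time) never gets OCSP requested even when the re-expansion would say yes; the documented expression happens to be true at 0, but that is a property of that one example. Since the gate is a substring search for `tls_out_tlsa_usage` in the raw option text, a reference hidden behind a macro or a `${lookup ...}` is not detected either. Re-expanding unconditionally whenever DANE is in use (`if (dane)`) costs one expansion and closes both gaps; at minimum, parenthesise the `&&`/`||` mix — `if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage")) || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage")) )` — so `-Wparentheses` stays quiet and the intent is explicit. The enclosing function starts above the hunk.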
From e8e86723959ffd4ab6d6b320538ec0e86f828798 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 17 Aug 2014 18:26:08 +0100 Subject: Unbreak utf8clean testcase. Broken by my compile quitening; the issue was a variable declared local in a loop body and used for carrying data from one iteration to the next. I'd blindly added an initialiser, destroying the data. However, I *think* that compilers might be at liberty to not use the same location for separate iterations; if so the code was broken (and only worked by chance). Fix by moving the declaration outside the loop. --- src/src/expand.c | 10 ++++------ test/confs/0600 | 3 ++- 2 files changed, 6 insertions(+), 7 deletions(-) (limited to 'test/confs') diff --git a/src/src/expand.c b/src/src/expand.c index ba2c6f7cd..b0e76ba27 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -6376,16 +6376,14 @@ while (*s != 0) { int seq_len = 0, index = 0; int bytes_left = 0; + long codepoint = -1; uschar seq_buff[4]; /* accumulate utf-8 here */ while (*sub != 0) { - int complete; - long codepoint = 0; - uschar c; + int complete = 0; + uschar c = *sub++; - complete = 0; - c = *sub++; if (bytes_left) { if ((c & 0xc0) != 0x80) @@ -6400,7 +6398,7 @@ while (*s != 0) if (--bytes_left == 0) /* codepoint complete */ { if(codepoint > 0x10FFFF) /* is it too large? */ - complete = -1; /* error */ + complete = -1; /* error (RFC3629 limit) */ else { /* finished; output utf-8 sequence */ yield = string_cat(yield, &size, &ptr, seq_buff, seq_len); diff --git a/test/confs/0600 b/test/confs/0600 index 0347e4c60..61a9c0801 100644 --- a/test/confs/0600 +++ b/test/confs/0600 @@ -1,4 +1,5 @@ -# Exim test configuration 0005 +# Exim test configuration 0600 +# utf8clean:string exim_path = EXIM_PATH host_lookup_order = bydns -- cgit v1.2.3 From 83b2729321db62e758a300e372b2dd74e527d004 Mon Sep 17 00:00:00 2001 
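Review bot: The completed-sequence check in the second hunk only enforces the upper bound, yet its new comment says `RFC3629 limit`; RFC 3629 also excludes the UTF-16 surrogate range U+D800–U+DFFF and every overlong form, and for a sanitiser named utf8clean letting those through means downstream consumers still receive ill-formed UTF-8. The surrogate range is a one-line addition: `if (codepoint > 0x10FFFF || (codepoint >= 0xD800 && codepoint <= 0xDFFF)) /* surrogates and >U+10FFFF are not RFC 3629 */`. Overlong 3- and 4-byte forms need a comparison against the sequence's minimum value (`0x800` for `seq_len == 3`, `0x10000` for 4); whether the lead-byte handling already rejects them cannot be seen here because it is outside the hunk. Hoisting `codepoint` above the inner loop is the right fix for the state carried between iterations, but it then relies on the lead-byte code assigning rather than OR-ing into it when a new sequence starts — that code, and the enclosing function, are outside the hunk, so please confirm.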
From: Jeremy Harris Date: Wed, 20 Aug 2014 20:34:17 +0100 Subject: Merge branch dane-tpda into dane Conflicts: doc/doc-txt/experimental-spec.txt src/src/deliver.c src/src/functions.h src/src/smtp_out.c src/src/tls-openssl.c src/src/transports/smtp.c src/src/verify.c --- src/src/deliver.c | 6 ++ src/src/tls-openssl.c | 26 ++++++++ src/src/verify.c | 8 ++- test/confs/5860 | 88 ++++++++++++++++++++++++++++ test/log/5860 | 40 +++++++++++++ test/scripts/5860-DANE-OpenSSL-TPDA/5860 | 30 ++++++++++ test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES | 4 ++ 7 files changed, 200 insertions(+), 2 deletions(-) create mode 100644 test/confs/5860 create mode 100644 test/log/5860 create mode 100644 test/scripts/5860-DANE-OpenSSL-TPDA/5860 create mode 100644 test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES (limited to 'test/confs') diff --git a/src/src/deliver.c b/src/src/deliver.c index d00af9c11..676de556d 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -1134,6 +1134,9 @@ if (result == OK) tls_out.cipher = addr->cipher; tls_out.peerdn = addr->peerdn; tls_out.ocsp = addr->ocsp; +# ifdef EXPERIMENTAL_DANE + tls_out.dane_verified = testflag(addr, af_dane_verified); +# endif #endif delivery_log(LOG_MAIN, addr, logchar, NULL); @@ -1152,6 +1155,9 @@ if (result == OK) tls_out.cipher = NULL; tls_out.peerdn = NULL; tls_out.ocsp = OCSP_NOT_REQ; +# ifdef EXPERIMENTAL_DANE + tls_out.dane_verified = FALSE; +# endif #endif } diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 735ebff06..2e95a467a 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -437,6 +437,9 @@ verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx) { X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx); static uschar txt[256]; +#ifdef EXPERIMENTAL_TPDA +int depth = X509_STORE_CTX_get_error_depth(x509ctx); +#endif X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt)); 
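Review bot: The two deliver.c hunks copy and reset `tls_out.dane_verified` around `delivery_log()` but leave `tls_out.tlsa_usage` untouched, and I don't see it reset elsewhere in this series; since `$tls_out_tlsa_usage` is exposed as an expansion variable alongside `$tls_out_dane`, anything consulting it from the same place (a logging ACL or event action) would read whatever the last TLS setup left there, possibly for a different host. If the value is meant to be observable at delivery-log time it needs to travel on the address like `af_dane_verified` and be restored in the first hunk; otherwise clearing it in the second hunk, `tls_out.tlsa_usage = 0;` next to `tls_out.dane_verified = FALSE;`, at least avoids reporting a stale value. The enclosing `if (result == OK)` block starts above the hunks.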
@@ -444,6 +447,25 @@ DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt); tls_out.peerdn = txt; tls_out.peercert = X509_dup(cert); +#ifdef EXPERIMENTAL_TPDA + if (client_static_cbinfo->event_action) + { + if (tpda_raise_event(client_static_cbinfo->event_action, + US"tls:cert", string_sprintf("%d", depth)) == DEFER) + { + log_write(0, LOG_MAIN, "DANE verify denied by event-action: " + "depth=%d cert=%s", depth, txt); + tls_out.certificate_verified = FALSE; + return 0; /* reject */ + } + if (depth != 0) + { + X509_free(tls_out.peercert); + tls_out.peercert = NULL; + } + } +#endif + if (state == 1) tls_out.dane_verified = tls_out.certificate_verified = TRUE; @@ -1958,6 +1980,10 @@ if (request_ocsp) client_static_cbinfo->event_action = tb->tpda_event_action; #endif +#ifdef EXPERIMENTAL_TPDA +client_static_cbinfo->event_action = tb->tpda_event_action; +#endif + /* There doesn't seem to be a built-in timeout on connection. */ DEBUG(D_tls) debug_printf("Calling SSL_connect\n"); diff --git a/src/src/verify.c b/src/src/verify.c index edd9ad17d..d2ecb9cde 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -660,7 +660,7 @@ else /* TLS negotiation failed; give an error. Try in clear on a new connection, if the options permit it for this host. */ if (rc != OK) - { + { if ( rc == DEFER && ob->tls_tempfail_tryclear && !smtps @@ -672,7 +672,11 @@ else #endif ) { - (void)close(inblock.sock); + (void)close(inblock.sock); +#ifdef EXPERIMENTAL_TPDA + (void) tpda_raise_event(addr->transport->tpda_event_action, + US"tcp:close", NULL); +#endif log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted " "to %s [%s] (not in hosts_require_tls)", host->name, host->address); suppress_tls = TRUE; diff --git a/test/confs/5860 b/test/confs/5860 new file mode 100644 index 000000000..7dc4b0952 --- /dev/null +++ b/test/confs/5860 
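Review bot: The `X509_free(tls_out.peercert)` added under `if (depth != 0)` sits inside the `if (client_static_cbinfo->event_action)` block, so when no event action is configured every invocation of this callback still overwrites `tls_out.peercert` with a fresh `X509_dup(cert)` (the context line just above the added block) without releasing the previous copy, leaking one certificate per non-leaf depth — the expected log for test 5860 shows five invocations for a three-certificate chain. On the DEFER path the rejected certificate is likewise left in `tls_out.peercert` after the callback returns 0. Releasing the previous copy before duplicating — `X509_free(tls_out.peercert); tls_out.peercert = X509_dup(cert);` — and moving the `depth != 0` release out of the event-action conditional covers both cases. `verify_callback_client_dane` begins above the hunk and its `state == 1` handling continues below it.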
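Review bot: The `#ifdef EXPERIMENTAL_TPDA` block added in the `@@ -1958` hunk assigns `client_static_cbinfo->event_action = tb->tpda_event_action;` a second time — the identical statement is the context line immediately above it, under an `#ifdef` whose opening is outside the hunk. This looks like a leftover from resolving the merge conflict in tls-openssl.c that the commit message lists; one of the two copies should go, and since the earlier one is already inside a conditional block, dropping the newly added one is the safe choice. It is harmless at runtime but will mislead the next person reading or bisecting the TPDA path.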
@@ -0,0 +1,88 @@ +# Exim test configuration 5850 +# DANE + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +# Set certificate only if server +CDIR1 = DIR/aux-fixed +CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com + +tls_certificate = ${if eq {SERVER}{server} \ + {${if eq {DETAILS}{ta} \ + {CDIR2/fullchain.pem}\ + {CDIR1/cert1}}}\ + fail} + +tls_privatekey = ${if eq {SERVER}{server} \ + {${if eq {DETAILS}{ta} \ + {CDIR2/server1.example.com.unlocked.key}\ + {CDIR1/cert1}}}\ + fail} + + +begin acl + +logger: + accept condition = ${if eq {tls} {${listextract{1}{$tpda_event}}}} + logwrite = $tpda_event depth = $tpda_data \ + <${certextract {subject} {$tls_out_peercert}}> +# message = noooo + + accept condition = ${if eq {msg} {${listextract{1}{$tpda_event}}}} + logwrite = $tpda_event dane=$tls_out_dane + accept + +# ----- Routers ----- + +begin routers + +client: + driver = dnslookup + condition = ${if eq {SERVER}{}} + dnssec_request_domains = * + self = send + transport = send_to_server + +server: + driver = redirect + data = :blackhole: + + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + allow_localhost + port = PORT_D + +# hosts_try_dane = * + hosts_require_dane = * + hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \ + {= {0}{$tls_out_tlsa_usage}} } \ + {*}{}} + + tpda_event_action = ${acl {logger}} + +# End diff --git a/test/log/5860 b/test/log/5860 new file mode 100644 index 000000000..7c1bf6657 --- /dev/null +++ b/test/log/5860 
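Review bot: The header comment of the new file reads `# Exim test configuration 5850` while the file is `test/confs/5860`; the number is what readers use to match a config to its script and expected log, so it should be `# Exim test configuration 5860`. A second line naming what distinguishes this case from the other DANE configs, e.g. `# DANE client with TPDA events`, would also help since the bare `# DANE` line does not.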
@@ -0,0 +1,40 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 tls:cert depth = 0 +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery dane=yes +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth = 0 +1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery dane=yes +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ta.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 +1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 +1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 +1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 1 +1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 +1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ta.test.ex R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 msg:delivery dane=yes +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 
End queue run: pid=pppp -qf + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/scripts/5860-DANE-OpenSSL-TPDA/5860 b/test/scripts/5860-DANE-OpenSSL-TPDA/5860 new file mode 100644 index 000000000..94bc4d2b8 --- /dev/null +++ b/test/scripts/5860-DANE-OpenSSL-TPDA/5860 
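Review bot: The expected log records `tls:cert` at depths 2, 0, 2, 1, 0 for the DANE-TA delivery (`10HmbB`), i.e. the verify callback, and hence the event action, fires twice for the leaf and the trust anchor; nothing in the test explains why, and an operator whose event action returns DEFER or counts events will see the same duplication. If this is inherent to how OpenSSL drives the DANE verification callback it deserves a comment in the test script saying so; otherwise it suggests the callback is running for more than one verification pass. I cannot tell which from the log alone.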
@@ -0,0 +1,30 @@ +# DANE client: TPDA +# +exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D +**** +# TLSA (3 1 1) +exim CALLER@dane256ee.test.ex +Testing +**** +# TLSA (3 1 2) +exim CALLER@mxdane512ee.test.ex +Testing +**** +exim -qf +**** +killdaemon +exim -DSERVER=server -DDETAILS=ee -DNOTDAEMON -qf +**** +# +# +exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D +**** +# TLSA (2 0 1) +exim CALLER@mxdane256ta.test.ex +Testing +**** +exim -qf +**** +killdaemon +exim -DSERVER=server -DDETAILS=ta -DNOTDAEMON -qf +**** diff --git a/test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES b/test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES new file mode 100644 index 000000000..7e51b4fa7 --- /dev/null +++ b/test/scripts/5860-DANE-OpenSSL-TPDA/REQUIRES @@ -0,0 +1,4 @@ +support Experimental_DANE +support Experimental_TPDA +support OpenSSL +running IPv4 -- cgit v1.2.3