From e326959e5e455e1b46124b023e0b202e4892e501 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 26 Sep 2019 19:28:53 +0100 Subject: GnuTLS: full-chain OCSP stapling. Bug 1466 --- test/confs/5653 | 84 -------------------------------------------- test/confs/5655 | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+), 84 deletions(-) delete mode 100644 test/confs/5653 create mode 100644 test/confs/5655 (limited to 'test/confs')
diff --git a/test/confs/5653 b/test/confs/5653
deleted file mode 100644
index 5b29f5b68..000000000
--- a/test/confs/5653
+++ /dev/null
@@ -1,84 +0,0 @@
-# Exim test configuration 5652
-# OCSP stapling, server, multiple certs
-
-.include DIR/aux-var/tls_conf_prefix
-
-primary_hostname = server1.example.com
-
-# ----- Main settings -----
-
-acl_smtp_mail = check_mail
-acl_smtp_rcpt = check_recipient
-
-log_selector = +tls_peerdn
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-
-CADIR = DIR/aux-fixed/exim-ca
-DRSA = CADIR/example.com
-DECDSA = CADIR/example_ec.com
-
-tls_certificate = DRSA/server1.example.com/server1.example.com.pem \
- : DECDSA/server1.example_ec.com/server1.example_ec.com.pem
-tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \
- : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key
-tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \
- : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
-
-
-tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0
-
-# ------ ACL ------
-
-begin acl
-
-check_mail:
- accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
- (${listextract {${eval:$tls_in_ocsp+1}} \
- {notreq:notresp:vfynotdone:failed:verified}})
-
-check_recipient:
- accept
-
-
-# ----- Routers -----
-
-begin routers
-
-client:
- driver = manualroute
- condition = ${if !eq {SERVER}{server}}
- route_list = * 127.0.0.1
- self = send
- transport = remote_delivery
- errors_to = ""
-
-srvr:
- driver = accept
- retry_use_local_part
- transport = local_delivery
-
-
-# ----- Transports -----
-
-begin transports
-
-remote_delivery:
- driver = smtp
- port = PORT_D
- hosts_require_tls = *
- tls_require_ciphers = OPT
- hosts_require_ocsp = *
- tls_verify_certificates = CERT
- tls_verify_cert_hostnames = :
-
-local_delivery:
- driver = appendfile
- file = DIR/test-mail/$local_part
- headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
- user = CALLER
-
-# End
diff --git a/test/confs/5655 b/test/confs/5655
new file mode 100644
index 000000000..0f6fe1b98
--- /dev/null
+++ b/test/confs/5655 
@@ -0,0 +1,106 @@
+# Exim test configuration 5655
+# OCSP stapling, server, multiple chain-element OCSP
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = server1.example.com
+
+# ----- Main settings -----
+
+acl_smtp_connect = accept logwrite = ${env {SSLKEYLOGFILE}}
+acl_smtp_mail = check_mail
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+CADIR = DIR/aux-fixed/exim-ca
+DRSA = CADIR/example.com
+DECDSA = CADIR/example_ec.com
+
+tls_certificate = DRSA/server1.example.com/fullchain.pem \
+ : DECDSA/server1.example_ec.com/server1.example_ec.com.pem
+tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \
+ : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key
+
+.ifndef CONTROL
+tls_ocsp_file = PEM DIR/tmp/ocsp/triple.ocsp.pem \
+ : DER DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
+.else
+tls_ocsp_file = PEM DIR/tmp/ocsp/double_r.ocsp.pem \
+ : DER DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
+.endif
+
+
+.ifdef _HAVE_GNUTLS
+tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} {NORMAL:!VERS-ALL:+VERS-TLS1.2} {}}
+.endif
+
+# ------ ACL ------
+
+begin acl
+
+check_mail:
+ accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+ (${listextract {${eval:$tls_in_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+
+check_recipient:
+ accept
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = manualroute
+ condition = ${if !eq {SERVER}{server}}
+ route_list = * 127.0.0.1
+ self = send
+ transport = remote_delivery
+ errors_to = ""
+
+srvr:
+ driver = accept
+ retry_use_local_part
+ transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+remote_delivery:
+ driver = smtp
+ port = PORT_D
+ hosts_require_tls = *
+.ifdef _HAVE_GNUTLS
+
+ tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} \
+ {NONE:\
+ ${if eq {OPT}{rsa} \
+ {+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA} \
+ {+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL}}\
+ :+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509} \
+ {}}
+ tls_verify_certificates = CADIR/\
+ ${if eq {OPT}{rsa} \
+ {example.com/server1.example.com} \
+ {example_ec.com/server1.example_ec.com}}\
+ /ca_chain.pem
+.endif
+ hosts_require_ocsp = *
+ tls_verify_cert_hostnames = :
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+# End
-- cgit v1.2.3
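Review bot: In the `remote_delivery` transport, `tls_verify_certificates` is now set only inside `.ifdef _HAVE_GNUTLS`, while `hosts_require_ocsp = *` stays unconditional below the `.endif`. On a build where that macro is not defined the client would still require a stapled response but would have no test CA chain configured, so verification would presumably fall back to the default trust anchors rather than the chain this test is meant to exercise. If the file is only ever run on GnuTLS builds the guard is harmless, and a comment such as `# GnuTLS-only test: client cipher list and CA chain are set under _HAVE_GNUTLS` above the `.ifdef` would say so; otherwise move the `tls_verify_certificates` setting below `.endif`. The macros `CONTROL`, `LIMIT` and `OPT` are also used without a line saying what each one selects (for example that `CONTROL` swaps `triple.ocsp.pem` for `double_r.ocsp.pem`).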