From 887291d23b561d0bb8cf43db80c191810e2d8ce3 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 18 Apr 2014 14:21:59 +0100 Subject: Fix logging of nomail When built with TLS support, non-TLS connections not resulting in mail transfer were crashing while building a log line. Fix by not returning a non-extensible string from the routine added in 67d81c1. --- test/log/0547 | 1 + 1 file changed, 1 insertion(+) (limited to 'test') diff --git a/test/log/0547 b/test/log/0547 index 6a5b233e0..3b86d2bd5 100644 --- a/test/log/0547 +++ b/test/log/0547 @@ -1,4 +1,5 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=0s 1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=0s C=QUIT 1999-03-02 09:44:33 H=(x.y.z) [127.0.0.1] rejected VRFY a@b.c 1999-03-02 09:44:33 no MAIL in SMTP connection from (x.y.z) [127.0.0.1] D=0s C=EHLO,VRFY,QUIT -- cgit v1.2.3 From 35aba663e3f1eab672a8b2082a83194bf3b7a058 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 20 Apr 2014 16:44:52 +0100 Subject: Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455 The split of these variables into _in and _out sets introduced by d9b231 in 4.82 was incomplete, leaving the deprecated legacy variables nonfunctional during a transport and associated client authenticator. Fix by repointing the legacy set to the outbound connection set at transport startup (and do not clear out the inbound set at this time, either). --- doc/doc-txt/ChangeLog | 3 +++ src/src/functions.h | 3 ++- src/src/tls.c | 12 ++++++++++++ src/src/transports/smtp.c | 13 ++++++------- src/src/verify.c | 17 ++--------------- test/confs/3465 | 4 ++++ 6 files changed, 29 insertions(+), 23 deletions(-) (limited to 'test') diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index e41dc3e02..56ff713cb 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog 
@@ -82,6 +82,9 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly is a combined value of both the record presence and the result of the analysis.
+JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455.
+
+
 Exim version 4.82
 -----------------
diff --git a/src/src/functions.h b/src/src/functions.h
index 0bd3d7267..be71345a1 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -45,7 +45,7 @@ extern void tls_version_report(FILE *); #ifndef USE_GNUTLS
 extern BOOL tls_openssl_options_parse(uschar *, long *);
 #endif
-#endif
+#endif /*SUPPORT_TLS*/
 /* Everything else... */
@@ -374,6 +374,7 @@ extern int strncmpic(const uschar *, const uschar *, int); extern uschar *strstric(uschar *, uschar *, BOOL);
 extern uschar *tod_stamp(int);
+extern void tls_modify_variables(tls_support *);
 extern BOOL transport_check_waiting(uschar *, uschar *, int, uschar *, BOOL *);
 extern void transport_init(void);
diff --git a/src/src/tls.c b/src/src/tls.c
index 0625c48b8..972785284 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -181,4 +181,16 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm; #endif /* SUPPORT_TLS */
+void
+tls_modify_variables(tls_support * dest_tsp)
+{
+modify_variable(US"tls_bits", &dest_tsp->bits);
+modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
+modify_variable(US"tls_cipher", &dest_tsp->cipher);
+modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni", &dest_tsp->sni);
+#endif
+}
+
 /* End of tls.c */
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 16e5c022f..0aa95a448 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
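Review bot: The new prototype `extern void tls_modify_variables(tls_support *);` is slotted between tod_stamp and transport_check_waiting, which breaks the alphabetical order the surrounding declarations follow (tls sorts before tod). It is also a tls_-prefixed declaration placed outside the SUPPORT_TLS block that the @@ -45 hunk closes with `#endif /*SUPPORT_TLS*/`, which looks deliberate because tls.c defines the function after its own `#endif /* SUPPORT_TLS */`. A one-line comment above it, `/* present with or without SUPPORT_TLS: repoints the legacy $tls_* variables */`, would stop the next reader from moving it into the guarded block and breaking the unconditional callers in smtp.c and verify.c.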
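Review bot: tls_modify_variables is added without the header comment Exim puts above functions, and its contract is the non-obvious part: it rebinds the legacy `$tls_bits`, `$tls_certificate_verified`, `$tls_cipher`, `$tls_peerdn` (and, in non-GnuTLS TLS builds, `$tls_sni`) expansion variables to the fields of whichever tls_support struct is passed, and nothing in it restores them, so a caller that is not in a throwaway subprocess must call it again with &tls_in. I would state that above the definition, e.g. `/* Point the legacy (unqualified) $tls_* expansion variables at the given TLS state (tls_in or tls_out). Persistent: the caller must point them back. */`. The definition sits after `#endif /* SUPPORT_TLS */` and so is compiled in non-TLS builds too; the comment should say so, since the unconditional calls added in smtp.c and verify.c depend on it.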
@@ -1213,13 +1213,6 @@ outblock.authenticating = FALSE; /* Reset the parameters of a TLS session. */
-tls_in.bits = 0;
-tls_in.cipher = NULL; /* for back-compatible behaviour */
-tls_in.peerdn = NULL;
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-tls_in.sni = NULL;
-#endif
-
 tls_out.bits = 0;
 tls_out.cipher = NULL; /* the one we may use for this transport */
 tls_out.peerdn = NULL;
@@ -1227,6 +1220,12 @@ tls_out.peerdn = NULL; tls_out.sni = NULL;
 #endif
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of the transport. Don't bother resetting
+afterward as we're in a subprocess. */
+
+tls_modify_variables(&tls_out);
+
 #ifndef SUPPORT_TLS
 if (smtps)
 {
diff --git a/src/src/verify.c b/src/src/verify.c
index 8cc67f1b1..690bb8f01 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -1576,13 +1576,7 @@ if (address[0] == 0) return OK; they're used in the context of a transport used by verification. Reset them at exit from this routine. */
-modify_variable(US"tls_bits", &tls_out.bits);
-modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified);
-modify_variable(US"tls_cipher", &tls_out.cipher);
-modify_variable(US"tls_peerdn", &tls_out.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni", &tls_out.sni);
-#endif
+tls_modify_variables(&tls_out);
 /* Save a copy of the sender address for re-instating if we change it to <> while verifying a sender address (a nice bit of self-reference there). */
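Review bot: The new comment asserts `afterward as we're in a subprocess`, but nothing in the hunk enforces that, and tls_modify_variables leaves the legacy `$tls_*` variables aliased to tls_out for the rest of the process; if this code is ever reached in the parent (I cannot see the caller, and the enclosing function starts and ends outside the hunk), later inbound-side expansions and log lines would silently report the outbound cipher and peer DN. I would make the dependency explicit: `/* NOTE: persists for the life of this process; a caller that is not a delivery subprocess must restore with tls_modify_variables(&tls_in). */`. Dropping the tls_in reset matches the commit message, but the surviving comment `/* Reset the parameters of a TLS session. */` now describes only tls_out and could say so.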
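Review bot: This hunk and the `out:` hunk in the next chunk of this patch form a flip/restore pair around the whole routine, so the restore only runs on paths that reach `out:`; any early `return` between this flip and the label (the `if (address[0] == 0) return OK;` in the hunk header is before the flip, but the rest of the body is outside both hunks) would leave `$tls_cipher` etc. aliased to tls_out in the calling process, which for verification is not a throwaway subprocess. Worth a comment on the flip line, `/* undone at out: below -- do not return early between here and there */`, and a check of the body for returns after this point. The enclosing function starts and ends outside both hunks.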
@@ -2041,14 +2035,7 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++) the -bv or -bt case). */
 out:
-
-modify_variable(US"tls_bits", &tls_in.bits);
-modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified);
-modify_variable(US"tls_cipher", &tls_in.cipher);
-modify_variable(US"tls_peerdn", &tls_in.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni", &tls_in.sni);
-#endif
+tls_modify_variables(&tls_in);
 return yield;
 }
diff --git a/test/confs/3465 b/test/confs/3465
index 161fff526..83592a678 100644
--- a/test/confs/3465
+++ b/test/confs/3465
@@ -70,5 +70,9 @@ t1: hosts_require_auth = *
 allow_localhost
+ # These can be made visible by adding "-d-all+deliver+transport+tls" to the script 1st queuerun
+ headers_add = X-tls-cipher: <$tls_cipher>
+ headers_add = X-tls-out-cipher: <$tls_out_cipher>
+
 # End
-- cgit v1.2.3
From 62b56dbfa456b107f09154ba014c98129a28ba3b Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sun, 20 Apr 2014 20:53:32 +0100
Subject: Update testsuite for gnuTLS 3.1.23
---
test/log/2025 | 2 +-
test/log/2029 | 2 +-
test/log/3454 | 2 +-
test/runtest | 16 ++++++++++++++--
4 files changed, 17 insertions(+), 5 deletions(-)
(limited to 'test')
diff --git a/test/log/2025 b/test/log/2025
index aa2745cfc..fafc68d5b 100644
--- a/test/log/2025
+++ b/test/log/2025
@@ -1,6 +1,6 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (gnutls_handshake): A TLS packet with unexpected length was received. +1999-03-02 09:44:33 10HmaX-0005vi-00 a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/log/2029 b/test/log/2029 index fc79930b2..e4510feb1 100644 --- a/test/log/2029 +++ b/test/log/2029 @@ -1,3 +1,3 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection from [127.0.0.1] (recv): A TLS packet with unexpected length was received. +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated. 1999-03-02 09:44:33 10HmaX-0005vi-00 SMTP connection lost after final dot H=[127.0.0.1] P=smtps diff --git a/test/log/3454 b/test/log/3454 index cb4757977..e6e0cb963 100644 --- a/test/log/3454 +++ b/test/log/3454 
@@ -1,5 +1,5 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): A TLS packet with unexpected length was received. +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated. 1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. 1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=0s X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C=EHLO,STARTTLS,AUTH 1999-03-02 09:44:33 no MAIL in SMTP connection from (foobar) [127.0.0.1] D=0s A=plain:userx X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C=EHLO,STARTTLS,EHLO,AUTH,QUIT diff --git a/test/runtest b/test/runtest index 443d7fcf4..fb23242e3 100755 --- a/test/runtest +++ b/test/runtest @@ -512,6 +512,8 @@ RESET_AFTER_EXTRA_LINE_READ: s/\bDHE-RSA-AES256-SHA\b/AES256-SHA/g; # GnuTLS have seen: + # TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 + # TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 # TLS1.2:RSA_AES_256_CBC_SHA1:256 (canonical) # TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 # 
@@ -520,12 +522,22 @@ RESET_AFTER_EXTRA_LINE_READ: # X=TLS1.1:RSA_AES_256_CBC_SHA1:256
 # X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256
 # and as stand-alone cipher:
+ # ECDHE-RSA-AES256-SHA
 # DHE-RSA-AES256-SHA256
 # DHE-RSA-AES256-SHA
 # picking latter as canonical simply because regex easier that way.
 s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA_AES_256_CBC_SHA1:256/g;
- s/TLS1.[012]:(DHE_)?RSA_AES_256_CBC_SHA(1|256):256/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g;
- s/\bDHE-RSA-AES256-SHA256\b/DHE-RSA-AES256-SHA/g;
+ s/TLS1.[012]:((EC)?DHE_)?RSA_AES_(256|128)_(CBC|GCM)_SHA(1|256|384):(256|128)/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g;
+ s/\b(ECDHE-RSA-AES256-SHA|DHE-RSA-AES256-SHA256)\b/AES256-SHA/g;
+
+ # GnuTLS library error message changes
+ s/No certificate was found/The peer did not send any certificate/g;
+#(dodgy test?) s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g;
+ s/\(gnutls_priority_set\): No or insufficient priorities were set/\(gnutls_handshake\): Could not negotiate a supported cipher suite/g;
+
+ # (replace old with new, hoping that old only happens in one situation)
+ s/TLS error on connection to ip4.ip4.ip4.ip4 \[ip4.ip4.ip4.ip4\] \(gnutls_handshake\): A TLS packet with unexpected length was received./a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed/g;
+ s/TLS error on connection from [127.0.0.1] (recv): A TLS packet with unexpected length was received./TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated./g;
 # ======== Caller's login, uid, gid, home, gecos ========
-- cgit v1.2.3
From 09b164928211a9e8d4c9fb2c498f68f0b17ca042 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sun, 20 Apr 2014 21:50:48 +0100
Subject: Restore testsuite operation under gnuTLS 2.8.5
---
test/log/2027 | 2 +-
test/runtest | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'test')
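Review bot: The widened canonicalisation `s/TLS1.[012]:((EC)?DHE_)?RSA_AES_(256|128)_(CBC|GCM)_SHA(1|256|384):(256|128)/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g;` now folds AES-128 and AES-256, CBC and GCM, and ECDHE/DHE/plain RSA onto one expected string, so a test meant to prove that a particular suite or key exchange was negotiated can no longer detect a fallback to a weaker one; if that is accepted, a comment saying the suite is deliberately not asserted would save the next person from relying on it. The final substitution is also not a literal match: `[127.0.0.1]` is a character class and `(recv)` a capture group, so it cannot match the log text it targets (the following commit on this page escapes them). The commented-out `#(dodgy test?)` line is dead code carrying an open question and should be resolved or removed.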
diff --git a/test/log/2027 b/test/log/2027 index 547303822..a54d4a5a9 100644 --- a/test/log/2027 +++ b/test/log/2027 @@ -3,7 +3,7 @@ 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C="250 OK id=10HmaZ-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (gnutls_handshake): A TLS packet with unexpected length was received. +1999-03-02 09:44:33 10HmaY-0005vi-00 a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed diff --git a/test/runtest b/test/runtest index fb23242e3..89fd1f73e 100755 --- a/test/runtest +++ b/test/runtest 
@@ -536,8 +536,8 @@ RESET_AFTER_EXTRA_LINE_READ: s/\(gnutls_priority_set\): No or insufficient priorities were set/\(gnutls_handshake\): Could not negotiate a supported cipher suite/g;
 # (replace old with new, hoping that old only happens in one situation)
- s/TLS error on connection to ip4.ip4.ip4.ip4 \[ip4.ip4.ip4.ip4\] \(gnutls_handshake\): A TLS packet with unexpected length was received./a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed/g;
- s/TLS error on connection from [127.0.0.1] (recv): A TLS packet with unexpected length was received./TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated./g;
+ s/TLS error on connection to \d{1,3}(.\d{1,3}){3} \[\d{1,3}(.\d{1,3}){3}\] \(gnutls_handshake\): A TLS packet with unexpected length was received./a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed/g;
+ s/TLS error on connection from \[127.0.0.1\] \(recv\): A TLS packet with unexpected length was received./TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated./g;
 # ======== Caller's login, uid, gid, home, gecos ========
-- cgit v1.2.3
From 9f1ec64247097ad2c1600bbf0124f619b3e445b7 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sun, 20 Apr 2014 23:28:34 +0100
Subject: Make testcase more robust vs. timing variations by restricting operations and logging to fewer items of interest
---
test/confs/2026 | 9 +++++++--
test/log/2026 | 15 ++++-----------
test/scripts/2000-GnuTLS/2026 | 1 +
3 files changed, 12 insertions(+), 13 deletions(-)
(limited to 'test')
diff --git a/test/confs/2026 b/test/confs/2026
index 4185e0b79..d70c5a2db 100644
--- a/test/confs/2026
+++ b/test/confs/2026
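Review bot: In the rewritten first substitution the octet separator is an unescaped `.`, so `\d{1,3}(.\d{1,3}){3}` accepts any character between octets rather than only a dot; `\d{1,3}(\.\d{1,3}){3} \[\d{1,3}(\.\d{1,3}){3}\]` is the intended pattern, and the trailing `received.` should likewise be `received\.`. This is harmless because the rewrite is only applied to test output, but the escaping fix this very commit makes to the second substitution shows how quietly these patterns stop matching. The replacement still writes a fixed `ip4.ip4.ip4.ip4`, which presumably relies on this running before the IP-munging pass; a comment stating that ordering assumption would help.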
@@ -5,7 +5,11 @@ host_lookup_order = bydns primary_hostname = myhost.test.ex rfc1413_query_timeout = 0s spool_directory = DIR/spool +.ifdef SERVER log_file_path = DIR/spool/log/%slog +.else +log_file_path = DIR/spool/log/%D-%slog +.endif gecos_pattern = "" gecos_name = CALLER_NAME @@ -14,6 +18,7 @@ gecos_name = CALLER_NAME acl_smtp_rcpt = check_rcpt log_selector = +tls_peerdn + tls_advertise_hosts = HOSTIPV4 tls_certificate = DIR/aux-fixed/cert1 tls_privatekey = DIR/aux-fixed/cert1 @@ -25,12 +30,12 @@ begin acl check_rcpt: accept local_parts = userx + control = queue_only defer local_parts = usery hosts = 127.0.0.1 - accept - + accept control = queue_only # ----- Routers ----- diff --git a/test/log/2026 b/test/log/2026 index 8c8ab7af0..f01644496 100644 --- a/test/log/2026 +++ b/test/log/2026 
@@ -1,13 +1,6 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] F= temporarily rejected RCPT -1999-03-02 09:44:33 10HmaX-0005vi-00 SMTP error from remote mail server after RCPT TO:: host 127.0.0.1 [127.0.0.1]: 451 Temporary local problem - please try later -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmaY-0005vi-00 => userx R=r0 T=t2 -1999-03-02 09:44:33 10HmaY-0005vi-00 Completed -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@myhost.test.ex R=r1 T=t1 H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 => usery@myhost.test.ex R=r1 T=t1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaZ-0005vi-00 => usery R=r0 T=t2 -1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaX-0005vi-00 no immediate delivery: queued by ACL +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaZ-0005vi-00 no immediate delivery: queued by ACL 
diff --git a/test/scripts/2000-GnuTLS/2026 b/test/scripts/2000-GnuTLS/2026 index 18361c62f..e94d7c5d0 100644 --- a/test/scripts/2000-GnuTLS/2026 +++ b/test/scripts/2000-GnuTLS/2026 @@ -7,3 +7,4 @@ exim -odi userx usery # Wait to allow delivery to finish before killing the daemon sleep 1 killdaemon +no_msglog_check -- cgit v1.2.3 From 0a92f87f7d62bb4f83fef5b8b10513cdd923fc2e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 21 Apr 2014 16:34:01 +0100 Subject: Fix testcase "server missing/empty certificate file" GnuTLS early versions (pre 3.0.0 ?) fail to send a reasonable client-cert request when tls_verify_certificates is an empty file. Since the test is for missing *server* certs (tls_certificate) avoid this by pointing to a real (if non-verifying) cert in tls_verify_certificates. --- src/src/tls-gnu.c | 14 ++++++-------- test/confs/2024 | 3 ++- test/log/2024 | 2 +- test/stdout/2024 | 2 +- 4 files changed, 10 insertions(+), 11 deletions(-) (limited to 'test') diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 7c3625216..cbd44d6f2 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c 
@@ -1228,25 +1228,23 @@ unsigned int verify; *error = NULL;
-rc = peer_status(state);
-if (rc != OK)
+if ((rc = peer_status(state)) != OK)
 {
 verify = GNUTLS_CERT_INVALID;
- *error = "not supplied";
+ *error = "certificate not supplied";
 }
 else
- {
 rc = gnutls_certificate_verify_peers2(state->session, &verify);
- }
 /* Handle the result of verification. INVALID seems to be set as well as REVOKED, but leave the test for both. */
-if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
+if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
 {
 state->peer_cert_verified = FALSE;
- if (*error == NULL)
- *error = ((verify & GNUTLS_CERT_REVOKED) != 0) ? "revoked" : "invalid";
+ if (!*error)
+ *error = verify & GNUTLS_CERT_REVOKED
+ ? "certificate revoked" : "certificate invalid";
 DEBUG(D_tls) debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
diff --git a/test/confs/2024 b/test/confs/2024
index a677c4c86..c59e975de 100644
--- a/test/confs/2024
+++ b/test/confs/2024
@@ -24,6 +24,7 @@ tls_certificate = CERT tls_privatekey = CERT tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = TVC
+#tls_verify_certificates = TVC
+tls_verify_certificates = CERT
 # End
diff --git a/test/log/2024 b/test/log/2024
index c45da6e89..117382b5a 100644
--- a/test/log/2024
+++ b/test/log/2024
@@ -1,4 +1,4 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file.
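Review bot: When gnutls_certificate_verify_peers2() fails (rc < 0) the new condition short-circuits before looking at verify, but the error-text selection `*error = verify & GNUTLS_CERT_REVOKED ? "certificate revoked" : "certificate invalid";` then reads verify, which the hunk header shows declared uninitialised (`unsigned int verify;`) and which, as far as I can tell from here, is only written by GnuTLS on success; the logged reason is therefore arbitrary on that path, a weakness the commit inherits rather than introduces. One line closes it: `else if ((rc = gnutls_certificate_verify_peers2(state->session, &verify)) < 0) verify = GNUTLS_CERT_INVALID;`. Note also that the user-visible reasons change from `invalid`/`revoked`/`not supplied` to `certificate invalid` etc., so anything that parses the `certificate verification failed (...)` log line needs the same update the test logs get here. The enclosing function starts and ends outside the hunk.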
diff --git a/test/stdout/2024 b/test/stdout/2024 index 2e30f7dd6..ecedd4193 100644 --- a/test/stdout/2024 +++ b/test/stdout/2024 @@ -20,7 +20,7 @@ Key file = aux-fixed/cert2 ??? 220 <<< 220 TLS go ahead Attempting to start TLS -Failed to start TLS +Succeeded in starting TLS End of script Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected Certificate file = aux-fixed/cert2 -- cgit v1.2.3 From b689ba95f8df67b96a098fc1710577dded2e01ae Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 21 Apr 2014 16:50:46 +0100 Subject: Updated GnuTLS error messages --- test/log/2000 | 2 +- test/log/2001 | 4 ++-- test/log/2012 | 6 +++--- test/log/2014 | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) (limited to 'test') diff --git a/test/log/2000 b/test/log/2000 index 6c690bf9e..6685d5944 100644 --- a/test/log/2000 +++ b/test/log/2000 @@ -1,6 +1,6 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): invalid +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls) 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed diff --git a/test/log/2001 b/test/log/2001 index a6a3ea8b4..da5a78a93 100644 --- a/test/log/2001 +++ b/test/log/2001 
@@ -1,10 +1,10 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): invalid +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session 1999-03-02 09:44:33 End queue run: pid=pppp -qf 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): invalid +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session 1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/log/2012 b/test/log/2012 index 1474a0bb2..dbb3273af 100644 --- a/test/log/2012 +++ b/test/log/2012 
@@ -3,17 +3,17 @@ 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): invalid +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37): failure while setting up TLS session 1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): invalid +1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): invalid +1999-03-02 09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 
[ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) 1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00" 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed diff --git a/test/log/2014 b/test/log/2014 index 7ed753049..39531ddc3 100644 --- a/test/log/2014 +++ b/test/log/2014 
@@ -1,8 +1,8 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 TLS error on connection from (rhu1.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate. 1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F= rejected RCPT : certificate not verified: peerdn= -1999-03-02 09:44:33 TLS error on connection from (rhu5.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): invalid +1999-03-02 09:44:33 TLS error on connection from (rhu5.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from (rhu7.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): revoked +1999-03-02 09:44:33 TLS error on connection from (rhu7.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate revoked 1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock -- cgit v1.2.3