From 9d1c15ef45fcc8809349378922de20ae9a774c75 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 2 May 2014 18:50:34 +0100 Subject: Certificate variables and field-extractor expansions. Bug 1358 --- test/confs/2002 | 24 +++++++-- test/confs/2102 | 24 +++++++-- test/confs/5750 | 95 +++++++++++++++++++++++++++++++++ test/confs/5760 | 95 +++++++++++++++++++++++++++++++++ test/log/2002 | 18 ++++++- test/log/2102 | 19 ++++++- test/log/5750 | 46 ++++++++++++++++ test/log/5760 | 47 ++++++++++++++++ test/mail/2002.CALLER | 2 +- test/mail/2102.CALLER | 2 +- test/scripts/2000-GnuTLS/2002 | 4 +- test/scripts/2100-OpenSSL/2102 | 4 +- test/scripts/5750-GnuTLS-TPDA/5750 | 13 +++++ test/scripts/5750-GnuTLS-TPDA/REQUIRES | 2 + test/scripts/5760-OpenSSL-TPDA/5760 | 13 +++++ test/scripts/5760-OpenSSL-TPDA/REQUIRES | 2 + test/stdout/2002 | 4 +- test/stdout/2102 | 4 +- 18 files changed, 398 insertions(+), 20 deletions(-) create mode 100644 test/confs/5750 create mode 100644 test/confs/5760 create mode 100644 test/log/5750 create mode 100644 test/log/5760 create mode 100644 test/scripts/5750-GnuTLS-TPDA/5750 create mode 100644 test/scripts/5750-GnuTLS-TPDA/REQUIRES create mode 100644 test/scripts/5760-OpenSSL-TPDA/5760 create mode 100644 test/scripts/5760-OpenSSL-TPDA/REQUIRES (limited to 'test') diff --git a/test/confs/2002 b/test/confs/2002 index e8358da25..b4d0348ca 100644 --- a/test/confs/2002 +++ b/test/confs/2002 @@ -20,11 +20,11 @@ queue_run_in_order tls_advertise_hosts = 127.0.0.1 : HOSTIPV4 -tls_certificate = DIR/aux-fixed/cert1 -tls_privatekey = DIR/aux-fixed/cert1 +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key tls_verify_hosts = HOSTIPV4 -tls_verify_certificates = DIR/aux-fixed/cert2 +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem # ------ ACL ------ 
@@ -41,7 +41,23 @@ check_recipient: DHE_RSA_AES_256_CBC_SHA1 : \ DHE_RSA_3DES_EDE_CBC_SHA : \ RSA_AES_256_CBC_SHA1 - accept + warn logwrite = ${if def:tls_in_ourcert \ + {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \ + {We did not present a cert}} + accept condition = ${if !def:tls_in_peercert} + logwrite = Peer did not present a cert + accept logwrite = Peer cert: + logwrite = ver ${certextract {version}{$tls_in_peercert}} + logwrite = SR <${certextract {serial_number}{$tls_in_peercert}}> + logwrite = SN <${certextract {subject} {$tls_in_peercert}}> + logwrite = IN <${certextract {issuer} {$tls_in_peercert}}> + logwrite = NB <${certextract {notbefore} {$tls_in_peercert}}> + logwrite = NA <${certextract {notafter} {$tls_in_peercert}}> + logwrite = SA <${certextract {signature_algorithm}{$tls_in_peercert}}> + logwrite = SG <${certextract {signature} {$tls_in_peercert}}> + logwrite = ${certextract {subject_altname}{$tls_in_peercert} {SAN <$value>}{(no SAN)}} +# logwrite = ${certextract {ocsp_uri} {$tls_in_peercert} {OCU <$value>}{(no OCU)}} + logwrite = ${certextract {crl_uri} {$tls_in_peercert} {CRU <$value>}{(no CRU)}} # ----- Routers ----- diff --git a/test/confs/2102 b/test/confs/2102 index 7f5771c0e..5332801dc 100644 --- a/test/confs/2102 +++ b/test/confs/2102 @@ -20,11 +20,11 @@ queue_run_in_order tls_advertise_hosts = 127.0.0.1 : HOSTIPV4 -tls_certificate = DIR/aux-fixed/cert1 -tls_privatekey = DIR/aux-fixed/cert1 +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key tls_verify_hosts = HOSTIPV4 -tls_verify_certificates = DIR/aux-fixed/cert2 +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem # ------ ACL ------ 
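Review bot: The `ocsp_uri` extraction in the new ACL block is left commented out (`# logwrite = ${certextract {ocsp_uri} ...`) with no reason given, while the OpenSSL twin in test/confs/2102 runs the same line live, so the two configs quietly differ in what they cover. A one-line reason above it would stop the next reader from simply uncommenting it, e.g. `# ocsp_uri not exercised under GnuTLS here; 2102 runs it under OpenSSL - TODO confirm GnuTLS extractor support`. The enclosing `check_recipient` ACL starts outside the hunk.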
@@ -42,7 +42,23 @@ check_recipient: DHE-RSA-AES256-GCM-SHA384 : \ DHE_RSA_AES_256_CBC_SHA1 : \ DHE_RSA_3DES_EDE_CBC_SHA - accept + warn logwrite = ${if def:tls_in_ourcert \ + {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \ + {We did not present a cert}} + accept condition = ${if !def:tls_in_peercert} + logwrite = Peer did not present a cert + accept logwrite = Peer cert: + logwrite = ver ${certextract {version}{$tls_in_peercert}} + logwrite = SR <${certextract {serial_number}{$tls_in_peercert}}> + logwrite = SN <${certextract {subject} {$tls_in_peercert}}> + logwrite = IN <${certextract {issuer} {$tls_in_peercert}}> + logwrite = NB <${certextract {notbefore} {$tls_in_peercert}}> + logwrite = NA <${certextract {notafter} {$tls_in_peercert}}> + logwrite = SA <${certextract {signature_algorithm}{$tls_in_peercert}}> + logwrite = SG <${certextract {signature} {$tls_in_peercert}}> + logwrite = ${certextract {subject_altname}{$tls_in_peercert} {SAN <$value>}{(no SAN)}} + logwrite = ${certextract {ocsp_uri} {$tls_in_peercert} {OCU <$value>}{(no OCU)}} + logwrite = ${certextract {crl_uri} {$tls_in_peercert} {CRU <$value>}{(no CRU)}} # ----- Routers ----- diff --git a/test/confs/5750 b/test/confs/5750 new file mode 100644 index 000000000..a4762bd19 --- /dev/null +++ b/test/confs/5750 
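Review bot: The `version` extractor pinned here is backend-dependent: the expected log for this config (test/log/2102) records `ver 2` for the same server2.example.com certificate that the GnuTLS run (test/log/2002) records as `ver 3`, i.e. OpenSSL's zero-based X.509 version field versus the nominal version under GnuTLS, and the `signature` field likewise comes back in two different textual forms (compare the `SG` lines of both logs). The tests fix both values without flagging the divergence, so an operator comparing `${certextract{version}...}` against 3 gets different results depending on the build. Normalising belongs in the extractor rather than in this test, but until then a comment line above the `logwrite = ver ...` line would warn readers: `# NB: version is zero-based under OpenSSL (2 == X.509v3) but nominal under GnuTLS (3)`. The enclosing `check_recipient` ACL starts outside the hunk.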
@@ -0,0 +1,95 @@ +# Exim test configuration 5750 (dup of 5760) +# $tls_out_peercert - GnuTLS + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key + +tls_verify_hosts = * +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem + +# + +begin acl +logger: + warn logwrite = $acl_arg1 $tpda_delivery_local_part + warn logwrite = ${if !def:tls_out_ourcert \ + {NO CLENT CERT presented} \ + {Our cert SN: ${certextract{subject}{$tls_out_ourcert}}}} + accept condition = ${if !def:tls_out_peercert} + logwrite = No Peer cert + accept logwrite = Peer cert: + logwrite = ver <${certextract {version} {$tls_out_peercert}}> + logwrite = SN <${certextract {subject} {$tls_out_peercert}}> + logwrite = IN <${certextract {issuer} {$tls_out_peercert}}> + logwrite = NB <${certextract {notbefore} {$tls_out_peercert}}> + logwrite = NA <${certextract {notafter} {$tls_out_peercert}}> + logwrite = SA <${certextract {signature_algorithm}{$tls_out_peercert}}> + logwrite = SG <${certextract {signature} {$tls_out_peercert}}> + logwrite = ${certextract {subject_altname}{$tls_out_peercert}{SAN <$value>}{(no SAN)}} + logwrite = ${certextract {ocsp_uri} {$tls_out_peercert} {OCU <$value>}{(no OCU)}} + logwrite = ${certextract {crl_uri} {$tls_out_peercert} {CRU <$value>}{(no CRU)}} + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport 
= send_to_server + + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + + tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem + tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key + + tls_verify_certificates = DIR/aux-fixed/exim-ca/\ + ${if eq {$local_part}{good}\ +{example.com/server1.example.com/ca_chain.pem}\ +{example.net/server1.example.net/ca_chain.pem}} + + tpda_delivery_action = ${acl {logger} {delivery} {$domain} } + tpda_host_defer_action = ${acl {logger} {deferral} {$domain} } + +# ----- Retry ----- + + +begin retry + +* * F,5d,10s + + +# End diff --git a/test/confs/5760 b/test/confs/5760 new file mode 100644 index 000000000..0e11ab0d3 --- /dev/null +++ b/test/confs/5760 
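Review bot: In the `logger` ACL, `$tls_out_peercert` is dumped on the deferral path with nothing indicating that the certificate failed verification: test/log/5750 shows `certificate verification failed` followed by `deferral bad` and a full `Peer cert:` dump, and the OpenSSL twin (test/log/5760) dumps a different certificate at that point (signature `89:fd:fb...` versus the `56:3a:a4...` of the good run), which looks like the chain element that failed rather than the leaf, worth confirming. A defined `$tls_out_peercert` is therefore not evidence of a verified peer and its content after a failure is backend-dependent, so any production ACL copying this pattern must gate on the verification state (e.g. `$tls_out_certificate_verified`) rather than on `def:`. Suggest a comment above the `accept condition = ${if !def:tls_out_peercert}` line: `# NB: peercert is set even when verification failed (deferral path); a defined value is not a verified identity`. The same applies to test/confs/5760.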
@@ -0,0 +1,95 @@ +# Exim test configuration 5760 (dup of 5750) +# $tls_out_peercert - OpenSSL + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key + +tls_verify_hosts = * +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem + +# + +begin acl +logger: + warn logwrite = $acl_arg1 $tpda_delivery_local_part + warn logwrite = ${if !def:tls_out_ourcert \ + {NO CLENT CERT presented} \ + {Our cert SN: ${certextract{subject}{$tls_out_ourcert}}}} + accept condition = ${if !def:tls_out_peercert} + logwrite = No Peer cert + accept logwrite = Peer cert: + logwrite = ver <${certextract {version} {$tls_out_peercert}}> + logwrite = SN <${certextract {subject} {$tls_out_peercert}}> + logwrite = IN <${certextract {issuer} {$tls_out_peercert}}> + logwrite = NB <${certextract {notbefore} {$tls_out_peercert}}> + logwrite = NA <${certextract {notafter} {$tls_out_peercert}}> + logwrite = SA <${certextract {signature_algorithm}{$tls_out_peercert}}> + logwrite = SG <${certextract {signature} {$tls_out_peercert}}> + logwrite = ${certextract {subject_altname}{$tls_out_peercert}{SAN <$value>}{(no SAN)}} + logwrite = ${certextract {ocsp_uri} {$tls_out_peercert} {OCU <$value>}{(no OCU)}} + logwrite = ${certextract {crl_uri} {$tls_out_peercert} {CRU <$value>}{(no CRU)}} + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + 
transport = send_to_server + + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + + tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem + tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key + + tls_verify_certificates = DIR/aux-fixed/exim-ca/\ + ${if eq {$local_part}{good}\ +{example.com/server1.example.com/ca_chain.pem}\ +{example.net/server1.example.net/ca_chain.pem}} + + tpda_delivery_action = ${acl {logger} {delivery} {$domain} } + tpda_host_defer_action = ${acl {logger} {deferral} {$domain} } + +# ----- Retry ----- + + +begin retry + +* * F,5d,10s + + +# End diff --git a/test/log/2002 b/test/log/2002 index 774495514..e2777b459 100644 --- a/test/log/2002 +++ b/test/log/2002 
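Review bot: The message text `NO CLENT CERT presented` in the `logger` ACL is misspelled (`CLIENT`), and because test/log/5750 and test/log/5760 were captured from it the typo is now pinned in four places; correcting it means changing the string in both confs and both expected logs together. The same block also relies on the transport falling back to cleartext after the verify failure (`TLS session failure: delivering unencrypted` in both logs) so that the `bad` message reaches the delivery action; that is presumably intended, but it is not obvious from the config, so a comment on the `send_to_server` transport would help: `# no hosts_require_tls on purpose: after the verify failure the retry goes in clear, so "bad" exercises both the deferral and the delivery action`. The same applies to test/confs/5750.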
@@ -1,8 +1,24 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN:
+1999-03-02 09:44:33 Peer did not present a cert
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss
+1999-03-02 09:44:33 Our cert SN:
+1999-03-02 09:44:33 Peer did not present a cert
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss
+1999-03-02 09:44:33 Our cert SN:
+1999-03-02 09:44:33 Peer cert:
+1999-03-02 09:44:33 ver 3
+1999-03-02 09:44:33 SR
+1999-03-02 09:44:33 SN
+1999-03-02 09:44:33 IN
+1999-03-02 09:44:33 NB
+1999-03-02 09:44:33 NA
+1999-03-02 09:44:33 SA
+1999-03-02 09:44:33 SG <6c 37 41 26 4d 5d f4 b5 31 10 67 ca fb 64 b6 22 98 62 f7 1e 95 7b 6c e6 74 47 21 f4 5e 89 36 3e b9 9c 8a c5 52 bb c4 af 12 93 26 3b d7 3d e0 56 71 1e 1d 21 20 02 ed f0 4e d5 5e 45 42 fd 3c 38 41 54 83 86 0b 3b bf c5 47 39 ff 15 ea 93 dc fd c7 3d 18 58 59 ca dd 2a d8 b9 f9 2f b9 76 93 f4 ae e3 91 56 80 2f 8c 04 2f ad 57 ef d2 51 19 f4 b4 ef 32 9c ac 3a 7c 0d b8 39 db b1 e3 30 73 1a>
+1999-03-02 09:44:33 SAN
+1999-03-02 09:44:33 CRU
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server2.example.com" S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER R=abc T=local_delivery
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
diff --git a/test/log/2102 b/test/log/2102
index da4ee49d7..6e0713f41 100644
--- a/test/log/2102
+++ b/test/log/2102
@@ -1,9 +1,26 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN:
+1999-03-02 09:44:33 Peer did not present a cert
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
+1999-03-02 09:44:33 Our cert SN:
+1999-03-02 09:44:33 Peer did not present a cert
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <>
 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss
+1999-03-02 09:44:33 Our cert SN:
+1999-03-02 09:44:33 Peer cert:
+1999-03-02 09:44:33 ver 2
+1999-03-02 09:44:33 SR
+1999-03-02 09:44:33 SN
+1999-03-02 09:44:33 IN
+1999-03-02 09:44:33 NB
+1999-03-02 09:44:33 NA
+1999-03-02 09:44:33 SA
+1999-03-02 09:44:33 SG < Signature Algorithm: sha1WithRSAEncryption\n 6c:37:41:26:4d:5d:f4:b5:31:10:67:ca:fb:64:b6:22:98:62:\n f7:1e:95:7b:6c:e6:74:47:21:f4:5e:89:36:3e:b9:9c:8a:c5:\n 52:bb:c4:af:12:93:26:3b:d7:3d:e0:56:71:1e:1d:21:20:02:\n ed:f0:4e:d5:5e:45:42:fd:3c:38:41:54:83:86:0b:3b:bf:c5:\n 47:39:ff:15:ea:93:dc:fd:c7:3d:18:58:59:ca:dd:2a:d8:b9:\n f9:2f:b9:76:93:f4:ae:e3:91:56:80:2f:8c:04:2f:ad:57:ef:\n d2:51:19:f4:b4:ef:32:9c:ac:3a:7c:0d:b8:39:db:b1:e3:30:\n 73:1a\n>
+1999-03-02 09:44:33 SAN
+1999-03-02 09:44:33 OCU
+1999-03-02 09:44:33 CRU
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/CN=server2.example.com" S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER R=abc T=local_delivery
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
diff --git a/test/log/5750 b/test/log/5750
new file mode 100644
index 000000000..8c98b5b95
--- /dev/null
+++ b/test/log/5750
@@ -0,0 +1,46 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid +1999-03-02 09:44:33 10HmaX-0005vi-00 deferral bad +1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented +1999-03-02 09:44:33 10HmaX-0005vi-00 Peer cert: +1999-03-02 09:44:33 10HmaX-0005vi-00 ver <3> +1999-03-02 09:44:33 10HmaX-0005vi-00 SN +1999-03-02 09:44:33 10HmaX-0005vi-00 IN +1999-03-02 09:44:33 10HmaX-0005vi-00 NB +1999-03-02 09:44:33 10HmaX-0005vi-00 NA +1999-03-02 09:44:33 10HmaX-0005vi-00 SA +1999-03-02 09:44:33 10HmaX-0005vi-00 SG <56 3a a4 3c cb eb b8 27 c2 90 08 74 13 88 dc 48 c6 b5 2c e5 26 be 5b 91 d4 67 e7 3c 49 12 d7 47 30 df 98 db 58 ed 18 a8 7d 4b db 97 48 f5 5c 7f 70 b9 37 63 33 f1 24 62 72 92 60 f5 6e da b6 bc 73 c8 c2 dc d6 95 9a bd 16 16 a2 ef 0a f1 d7 41 68 f6 ad 98 5a d0 ff d9 1b 51 9f 59 ce 2f 3d 84 d0 ee e8 2b eb 9b 32 1a 0e 02 3e cc 30 89 44 09 2a 75 81 46 a7 b6 ed 7d 41 eb 5a 63 fa 9c 58 ef> +1999-03-02 09:44:33 10HmaX-0005vi-00 SAN +1999-03-02 09:44:33 10HmaX-0005vi-00 OCU +1999-03-02 09:44:33 10HmaX-0005vi-00 CRU +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 delivery bad +1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented +1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" 
C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 delivery good +1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com +1999-03-02 09:44:33 10HmaY-0005vi-00 Peer cert: +1999-03-02 09:44:33 10HmaY-0005vi-00 ver <3> +1999-03-02 09:44:33 10HmaY-0005vi-00 SN +1999-03-02 09:44:33 10HmaY-0005vi-00 IN +1999-03-02 09:44:33 10HmaY-0005vi-00 NB +1999-03-02 09:44:33 10HmaY-0005vi-00 NA +1999-03-02 09:44:33 10HmaY-0005vi-00 SA +1999-03-02 09:44:33 10HmaY-0005vi-00 SG <56 3a a4 3c cb eb b8 27 c2 90 08 74 13 88 dc 48 c6 b5 2c e5 26 be 5b 91 d4 67 e7 3c 49 12 d7 47 30 df 98 db 58 ed 18 a8 7d 4b db 97 48 f5 5c 7f 70 b9 37 63 33 f1 24 62 72 92 60 f5 6e da b6 bc 73 c8 c2 dc d6 95 9a bd 16 16 a2 ef 0a f1 d7 41 68 f6 ad 98 5a d0 ff d9 1b 51 9f 59 ce 2f 3d 84 d0 ee e8 2b eb 9b 32 1a 0e 02 3e cc 30 89 44 09 2a 75 81 46 a7 b6 ed 7d 41 eb 5a 63 fa 9c 58 ef> +1999-03-02 09:44:33 10HmaY-0005vi-00 SAN +1999-03-02 09:44:33 10HmaY-0005vi-00 OCU +1999-03-02 09:44:33 10HmaY-0005vi-00 CRU +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): A TLS fatal alert has been received.: Certificate is bad +1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server2.example.com" S=sss id=E10HmaY-0005vi-00@myhost.test.ex diff --git a/test/log/5760 b/test/log/5760 new file mode 100644 index 000000000..0b74e243d --- /dev/null 
+++ b/test/log/5760 
@@ -0,0 +1,47 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.com/CN=clica CA +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmaX-0005vi-00 deferral bad +1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented +1999-03-02 09:44:33 10HmaX-0005vi-00 Peer cert: +1999-03-02 09:44:33 10HmaX-0005vi-00 ver <2> +1999-03-02 09:44:33 10HmaX-0005vi-00 SN +1999-03-02 09:44:33 10HmaX-0005vi-00 IN +1999-03-02 09:44:33 10HmaX-0005vi-00 NB +1999-03-02 09:44:33 10HmaX-0005vi-00 NA +1999-03-02 09:44:33 10HmaX-0005vi-00 SA +1999-03-02 09:44:33 10HmaX-0005vi-00 SG < Signature Algorithm: sha1WithRSAEncryption\n 89:fd:fb:cb:b2:42:d6:aa:f2:c0:44:a2:14:e5:ab:22:50:41:\n e6:64:e7:1c:5a:20:b6:0f:fe:b0:88:c5:cf:b3:e5:f8:0e:87:\n eb:ac:07:d6:9d:6a:20:f6:dd:13:ee:b8:3f:cf:d9:cd:d4:a8:\n 72:50:5a:a2:14:4e:ee:3a:78:e2:a7:f4:ae:d7:ee:77:48:1f:\n 75:a7:68:2f:ee:e2:7c:ac:2f:e4:88:02:e8:3b:db:f9:35:04:\n 05:46:35:0b:f2:35:03:21:b6:1e:82:7d:94:e0:63:4b:60:71:\n 2d:19:45:21:f2:85:b4:c3:d0:77:a2:24:32:36:f3:50:68:38:\n 98:e6\n> +1999-03-02 09:44:33 10HmaX-0005vi-00 (no SAN) +1999-03-02 09:44:33 10HmaX-0005vi-00 (no OCU) +1999-03-02 09:44:33 10HmaX-0005vi-00 (no CRU) +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 delivery bad +1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented +1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert +1999-03-02 
09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 delivery good +1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com +1999-03-02 09:44:33 10HmaY-0005vi-00 Peer cert: +1999-03-02 09:44:33 10HmaY-0005vi-00 ver <2> +1999-03-02 09:44:33 10HmaY-0005vi-00 SN +1999-03-02 09:44:33 10HmaY-0005vi-00 IN +1999-03-02 09:44:33 10HmaY-0005vi-00 NB +1999-03-02 09:44:33 10HmaY-0005vi-00 NA +1999-03-02 09:44:33 10HmaY-0005vi-00 SA +1999-03-02 09:44:33 10HmaY-0005vi-00 SG < Signature Algorithm: sha1WithRSAEncryption\n 56:3a:a4:3c:cb:eb:b8:27:c2:90:08:74:13:88:dc:48:c6:b5:\n 2c:e5:26:be:5b:91:d4:67:e7:3c:49:12:d7:47:30:df:98:db:\n 58:ed:18:a8:7d:4b:db:97:48:f5:5c:7f:70:b9:37:63:33:f1:\n 24:62:72:92:60:f5:6e:da:b6:bc:73:c8:c2:dc:d6:95:9a:bd:\n 16:16:a2:ef:0a:f1:d7:41:68:f6:ad:98:5a:d0:ff:d9:1b:51:\n 9f:59:ce:2f:3d:84:d0:ee:e8:2b:eb:9b:32:1a:0e:02:3e:cc:\n 30:89:44:09:2a:75:81:46:a7:b6:ed:7d:41:eb:5a:63:fa:9c:\n 58:ef\n> +1999-03-02 09:44:33 10HmaY-0005vi-00 SAN +1999-03-02 09:44:33 10HmaY-0005vi-00 OCU +1999-03-02 09:44:33 10HmaY-0005vi-00 CRU +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) 
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 DN="/CN=server2.example.com" S=sss id=E10HmaY-0005vi-00@myhost.test.ex diff --git a/test/mail/2002.CALLER b/test/mail/2002.CALLER index a4e0dd526..23b5f61a5 100644 --- a/test/mail/2002.CALLER +++ b/test/mail/2002.CALLER @@ -30,7 +30,7 @@ Received: from [ip4.ip4.ip4.ip4] id 10HmaZ-0005vi-00 for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 tls-certificate-verified: 1 -TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock +TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=CN=server2.example.com This is a test encrypted message from a verified host. diff --git a/test/mail/2102.CALLER b/test/mail/2102.CALLER index e4be6a342..42c189f78 100644 --- a/test/mail/2102.CALLER +++ b/test/mail/2102.CALLER @@ -30,7 +30,7 @@ Received: from [ip4.ip4.ip4.ip4] id 10HmaZ-0005vi-00 for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 tls-certificate-verified: 1 -TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/CN=server2.example.com This is a test encrypted message from a verified host. diff --git a/test/scripts/2000-GnuTLS/2002 b/test/scripts/2000-GnuTLS/2002 index 06a7b31d0..49f841e56 100644 --- a/test/scripts/2000-GnuTLS/2002 +++ b/test/scripts/2000-GnuTLS/2002 @@ -1,4 +1,4 @@ -# TLS server: general +# TLS server: general ops and certificate extractions gnutls exim -DSERVER=server -bd -oX PORT_D **** 
@@ -60,7 +60,7 @@ ehlo rhu.barb
 starttls
 ??? 220
 ****
-client-gnutls HOSTIPV4 PORT_D DIR/aux-fixed/cert2 DIR/aux-fixed/cert2
+client-gnutls HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
 ??? 220
 ehlo rhu.barb
 ??? 250-
diff --git a/test/scripts/2100-OpenSSL/2102 b/test/scripts/2100-OpenSSL/2102
index 2e7dca0a6..cbb9ce393 100644
--- a/test/scripts/2100-OpenSSL/2102
+++ b/test/scripts/2100-OpenSSL/2102
@@ -1,4 +1,4 @@
-# TLS server: general
+# TLS server: general ops and certificate extractions
 exim -DSERVER=server -bd -oX PORT_D
 ****
 client-ssl 127.0.0.1 PORT_D
@@ -59,7 +59,7 @@ ehlo rhu.barb
 starttls
 ??? 220
 ****
-client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/cert2 DIR/aux-fixed/cert2
+client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
 ??? 220
 ehlo rhu.barb
 ??? 250-
diff --git a/test/scripts/5750-GnuTLS-TPDA/5750 b/test/scripts/5750-GnuTLS-TPDA/5750
new file mode 100644
index 000000000..903c79525
--- /dev/null
+++ b/test/scripts/5750-GnuTLS-TPDA/5750
@@ -0,0 +1,13 @@
+# TLS client: GnuTLS $tls_out_peercert
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim bad@test.ex
+Testing
+****
+exim good@test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5750-GnuTLS-TPDA/REQUIRES b/test/scripts/5750-GnuTLS-TPDA/REQUIRES
new file mode 100644
index 000000000..af1eb46f7
--- /dev/null
+++ b/test/scripts/5750-GnuTLS-TPDA/REQUIRES
@@ -0,0 +1,2 @@
+support Experimental_TPDA
+support GnuTLS
diff --git a/test/scripts/5760-OpenSSL-TPDA/5760 b/test/scripts/5760-OpenSSL-TPDA/5760
new file mode 100644
index 000000000..8fa8bd04b
--- /dev/null
+++ b/test/scripts/5760-OpenSSL-TPDA/5760
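Review bot: The header comment of the new test/scripts/5750-GnuTLS-TPDA/5750 script, `# TLS client: GnuTLS $tls_out_peercert`, names only one variable, whereas its OpenSSL counterpart test/scripts/5760-OpenSSL-TPDA/5760 is titled `# TLS client: OpenSSL certificates and extractions`. The two scripts are otherwise identical and both exercise `certextract` on `$tls_out_ourcert` as well as `$tls_out_peercert`, so the titles should be parallel, e.g. `# TLS client: GnuTLS certificates and extractions`. Keeping them parallel makes it obvious that the pair is meant to be compared.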
@@ -0,0 +1,13 @@
+# TLS client: OpenSSL certificates and extractions
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim bad@test.ex
+Testing
+****
+exim good@test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5760-OpenSSL-TPDA/REQUIRES b/test/scripts/5760-OpenSSL-TPDA/REQUIRES
new file mode 100644
index 000000000..5b4892059
--- /dev/null
+++ b/test/scripts/5760-OpenSSL-TPDA/REQUIRES
@@ -0,0 +1,2 @@
+support Experimental_TPDA
+support OpenSSL
diff --git a/test/stdout/2002 b/test/stdout/2002
index a248be7c0..ec3c1f954 100644
--- a/test/stdout/2002
+++ b/test/stdout/2002
@@ -97,8 +97,8 @@ Attempting to start TLS
 Failed to start TLS
 End of script
 Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
-Certificate file = TESTSUITE/aux-fixed/cert2
-Key file = TESTSUITE/aux-fixed/cert2
+Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
 ??? 220
 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
 >>> ehlo rhu.barb
diff --git a/test/stdout/2102 b/test/stdout/2102
index 23c39cdf4..77ae109b2 100644
--- a/test/stdout/2102
+++ b/test/stdout/2102
@@ -145,8 +145,8 @@ pppp:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s
 Failed to start TLS
 End of script
 Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
-Certificate file = TESTSUITE/aux-fixed/cert2
-Key file = TESTSUITE/aux-fixed/cert2
+Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
 ??? 220
 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
 >>> ehlo rhu.barb
-- cgit v1.2.3