From e51c7be22dfccad376659a1a46cee93c9979bbf7 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 20 May 2014 21:25:10 +0100 Subject: Support optional server certificate name checking. Bug 1479 Enable EXPERIMENTAL_CERTNAMES to include. --- test/confs/2012 | 80 +++++++++++-- test/confs/2112 | 78 ++++++++++-- test/confs/5440 | 172 +++++++++++++++++++++++++++ test/confs/5450 | 172 +++++++++++++++++++++++++++ test/log/2012 | 4 +- test/log/2112 | 14 ++- test/log/5440 | 17 +++ test/log/5450 | 28 +++++ test/scripts/5440-certnames-GnuTLS/5440 | 14 +++ test/scripts/5440-certnames-GnuTLS/REQUIRES | 3 + test/scripts/5450-certnames-OpenSSL/5450 | 16 +++ test/scripts/5450-certnames-OpenSSL/REQUIRES | 3 + 12 files changed, 570 insertions(+), 31 deletions(-) create mode 100644 test/confs/5440 create mode 100644 test/confs/5450 create mode 100644 test/log/5440 create mode 100644 test/log/5450 create mode 100644 test/scripts/5440-certnames-GnuTLS/5440 create mode 100644 test/scripts/5440-certnames-GnuTLS/REQUIRES create mode 100644 test/scripts/5450-certnames-OpenSSL/5450 create mode 100644 test/scripts/5450-certnames-OpenSSL/REQUIRES (limited to 'test') diff --git a/test/confs/2012 b/test/confs/2012 index 263034435..97dc25e75 100644 --- a/test/confs/2012 +++ b/test/confs/2012 @@ -12,6 +12,16 @@ log_file_path = DIR/spool/log/SERVER%slog gecos_pattern = "" gecos_name = CALLER_NAME +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 + # ----- Main settings ----- acl_smtp_rcpt = accept 
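Review bot: `KEY2` is defined in this macro block, but every transport in the later hunks writes `tls_privatekey = CERT2`, and the main-section `tls_verify_certificates` uses `{CERT2}` although `CA2` exists for that role. All three macros expand to `FX/cert2`, so behaviour is unchanged today, but the names stop documenting which file plays which role as soon as the fixture is split into separate files. I would write `tls_privatekey = KEY2` in the transports and `{CA2}` in the main verify setting. The same macro block and the same usages are repeated in test/confs/2112, 5440 and 5450.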
@@ -25,11 +35,11 @@ tls_advertise_hosts = * # Set certificate only if server -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} tls_verify_hosts = * -tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} # ----- Routers ----- @@ -66,6 +76,18 @@ client_q: retry_use_local_part transport = send_to_server_req_fail +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: + driver = accept + local_parts = users + retry_use_local_part + transport = send_to_server_req_passname + # ----- Transports ----- @@ -78,8 +100,10 @@ send_to_server_failcert: hosts = HOSTIPV4 hosts_require_tls = HOSTIPV4 port = PORT_D - tls_certificate = DIR/aux-fixed/cert2 - tls_verify_certificates = DIR/aux-fixed/cert2 + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok send_to_server_retry: 
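Review bot: The `client_r` and `client_s` routers added in the `@@ -66,6 +76,18 @@` hunk name the transports `send_to_server_req_failname` and `send_to_server_req_passname`, but the last hunk of this file adds those transports only as commented-out text, so both routers refer to transports that do not exist. The diffstat shows no script change for test 2012, so nothing appears to send mail to `userr` or `users` through this configuration. I would either comment the routers out to match (`# client_r:` and so on) or drop both the routers and the commented transports here, leaving the name-check cases to 5440/5450 where they are live. test/confs/2112 carries the identical pair. Whether Exim rejects the dangling transport name when reading the configuration or only when an address reaches the router is not visible from the patch.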
@@ -88,19 +112,23 @@ send_to_server_retry: hosts = HOSTIPV4 : 127.0.0.1 hosts_require_tls = HOSTIPV4 port = PORT_D - tls_certificate = DIR/aux-fixed/cert2 + tls_certificate = CERT2 + tls_privatekey = CERT2 + tls_verify_certificates = \ - ${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}} + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} -# this will fail to verify the cert at HOSTIPV4 but continue unverified though crypted +# this will fail to verify the cert but continue unverified though crypted send_to_server_crypt: driver = smtp allow_localhost hosts = HOSTIPV4 hosts_require_tls = HOSTIPV4 port = PORT_D - tls_certificate = DIR/aux-fixed/cert2 - tls_verify_certificates = DIR/aux-fixed/cert2 + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 tls_try_verify_hosts = * # this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted @@ -109,8 +137,36 @@ send_to_server_req_fail: allow_localhost hosts = HOSTIPV4 port = PORT_D - tls_certificate = DIR/aux-fixed/cert2 - tls_verify_certificates = DIR/aux-fixed/cert2 + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 tls_verify_hosts = * +# # this will fail to verify the cert name and fallback to unencrypted +# send_to_server_req_failname: +# driver = smtp +# allow_localhost +# hosts = HOSTIPV4 +# port = PORT_D +# tls_certificate = CERT2 +# tls_privatekey = CERT2 +# +# tls_verify_certificates = CA1 +# tls_verify_cert_hostnames = server1.example.net : server1.example.org +# tls_verify_hosts = * +# +# # this will pass the cert verify including name check +# send_to_server_req_passname: +# driver = smtp +# allow_localhost +# hosts = HOSTIPV4 +# port = PORT_D +# tls_certificate = CERT2 +# tls_privatekey = CERT2 +# +# tls_verify_certificates = CA1 +# tls_verify_cert_hostnames = noway.example.com : server1.example.com +# tls_verify_hosts = * + # End diff --git a/test/confs/2112 b/test/confs/2112 index deb02944d..4751e6015 100644 
--- a/test/confs/2112 +++ b/test/confs/2112 @@ -12,6 +12,16 @@ log_file_path = DIR/spool/log/SERVER%slog gecos_pattern = "" gecos_name = CALLER_NAME +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 + # ----- Main settings ----- acl_smtp_rcpt = accept @@ -25,11 +35,11 @@ tls_advertise_hosts = * # Set certificate only if server -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} tls_verify_hosts = * -tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} # ----- Routers ----- @@ -66,6 +76,18 @@ client_q: retry_use_local_part transport = send_to_server_req_fail +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: + driver = accept + local_parts = users + retry_use_local_part + transport = send_to_server_req_passname + # ----- Transports ----- @@ -78,8 +100,10 @@ send_to_server_failcert: hosts = HOSTIPV4 hosts_require_tls = HOSTIPV4 port = PORT_D - tls_certificate = DIR/aux-fixed/cert2 - tls_verify_certificates = DIR/aux-fixed/cert2 + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok send_to_server_retry: 
@@ -88,9 +112,11 @@ send_to_server_retry: hosts = HOSTIPV4 : 127.0.0.1 hosts_require_tls = HOSTIPV4 port = PORT_D - tls_certificate = DIR/aux-fixed/cert2 + tls_certificate = CERT2 + tls_privatekey = CERT2 + tls_verify_certificates = \ - ${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}} + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} # this will fail to verify the cert but continue unverified though crypted send_to_server_crypt: @@ -99,8 +125,10 @@ send_to_server_crypt: hosts = HOSTIPV4 hosts_require_tls = HOSTIPV4 port = PORT_D - tls_certificate = DIR/aux-fixed/cert2 - tls_verify_certificates = DIR/aux-fixed/cert2 + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 tls_try_verify_hosts = * # this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted @@ -109,8 +137,36 @@ send_to_server_req_fail: allow_localhost hosts = HOSTIPV4 port = PORT_D - tls_certificate = DIR/aux-fixed/cert2 - tls_verify_certificates = DIR/aux-fixed/cert2 + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 tls_verify_hosts = * +# # this will fail to verify the cert name and fallback to unencrypted +# send_to_server_req_failname: +# driver = smtp +# allow_localhost +# hosts = HOSTIPV4 +# port = PORT_D +# tls_certificate = CERT2 +# tls_privatekey = CERT2 +# +# tls_verify_certificates = CA1 +# tls_verify_cert_hostnames = server1.example.net : server1.example.org +# tls_verify_hosts = * +# +# # this will pass the cert verify including name check +# send_to_server_req_passname: +# driver = smtp +# allow_localhost +# hosts = HOSTIPV4 +# port = PORT_D +# tls_certificate = CERT2 +# tls_privatekey = CERT2 +# +# tls_verify_certificates = CA1 +# tls_verify_cert_hostnames = noway.example.com : server1.example.com +# tls_verify_hosts = * + # End diff --git a/test/confs/5440 b/test/confs/5440 new file mode 100644 index 000000000..955641246 --- /dev/null +++ b/test/confs/5440 
@@ -0,0 +1,172 @@ +# Exim test configuration 2012 +# TLS client: verify certificate from server - fails + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn+tls_certificate_verified + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} + +tls_verify_hosts = * +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} + + +# ----- Routers ----- + +begin routers + +server_dump: + driver = redirect + condition = ${if eq {SERVER}{server}{yes}{no}} + data = :blackhole: + +client_x: + driver = accept + local_parts = userx + retry_use_local_part + transport = send_to_server_failcert + errors_to = "" + +client_y: + driver = accept + local_parts = usery + retry_use_local_part + transport = send_to_server_retry + +client_z: + driver = accept + local_parts = userz + retry_use_local_part + transport = send_to_server_crypt + +client_q: + driver = accept + local_parts = userq + retry_use_local_part + transport = send_to_server_req_fail + +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: + driver = accept + local_parts = users + retry_use_local_part + transport = send_to_server_req_passname + + +# ----- Transports ----- + +begin transports + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement +send_to_server_failcert: + 
driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok +send_to_server_retry: + driver = smtp + allow_localhost + hosts = HOSTIPV4 : 127.0.0.1 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = \ + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + +# this will fail to verify the cert but continue unverified though crypted +send_to_server_crypt: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_try_verify_hosts = * + +# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted +send_to_server_req_fail: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_verify_hosts = * + +# this will fail to verify the cert name and fallback to unencrypted +send_to_server_req_failname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = server1.example.net : server1.example.org + tls_verify_hosts = * + +# this will pass the cert verify including name check +send_to_server_req_passname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = noway.example.com : server1.example.com + tls_verify_hosts = * + +# End diff --git a/test/confs/5450 b/test/confs/5450 new file mode 100644 index 000000000..398871c64 --- /dev/null +++ b/test/confs/5450 
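Review bot: The header of this new file still reads `# Exim test configuration 2012` with the subtitle `TLS client: verify certificate from server - fails`, carried over from the configuration it was cloned from. It should read `# Exim test configuration 5440` and describe the name check, for example `# TLS client: verify server certificate name (GnuTLS)`. test/confs/5450 has the same leftover (`2112`). Both new scripts also open with the `- fails` comment, although each includes a `users` delivery that is expected to pass.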
@@ -0,0 +1,172 @@ +# Exim test configuration 2112 +# TLS client: verify certificate from server - fails + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn+tls_certificate_verified + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} + +tls_verify_hosts = * +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} + + +# ----- Routers ----- + +begin routers + +server_dump: + driver = redirect + condition = ${if eq {SERVER}{server}{yes}{no}} + data = :blackhole: + +client_x: + driver = accept + local_parts = userx + retry_use_local_part + transport = send_to_server_failcert + errors_to = "" + +client_y: + driver = accept + local_parts = usery + retry_use_local_part + transport = send_to_server_retry + +client_z: + driver = accept + local_parts = userz + retry_use_local_part + transport = send_to_server_crypt + +client_q: + driver = accept + local_parts = userq + retry_use_local_part + transport = send_to_server_req_fail + +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: + driver = accept + local_parts = users + retry_use_local_part + transport = send_to_server_req_passname + + +# ----- Transports ----- + +begin transports + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement +send_to_server_failcert: + 
driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok +send_to_server_retry: + driver = smtp + allow_localhost + hosts = HOSTIPV4 : 127.0.0.1 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = \ + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + +# this will fail to verify the cert but continue unverified though crypted +send_to_server_crypt: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_try_verify_hosts = * + +# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted +send_to_server_req_fail: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_verify_hosts = * + +# this will fail to verify the cert name and fallback to unencrypted +send_to_server_req_failname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = server1.example.net : server1.example.org + tls_verify_hosts = * + +# this will pass the cert verify including name check +send_to_server_req_passname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = noway.example.com : server1.example.com + tls_verify_hosts = * + +# End diff --git a/test/log/2012 b/test/log/2012 index dbb3273af..bcb1e6fd8 100644 --- a/test/log/2012 +++ b/test/log/2012 
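Review bot: Both name-check transports set `tls_verify_hosts = *` without `hosts_require_tls`, so the only mismatch outcome under test is the one the comment describes: falling back to an unencrypted delivery. The case that matters most to an operator enabling `tls_verify_cert_hostnames` is the strict one, where a name mismatch on a host listed in `hosts_require_tls` must defer the message rather than send it in clear. I would add a third router and transport for that, identical to `send_to_server_req_failname` plus `hosts_require_tls = HOSTIPV4`, with the expected log showing a defer and no `=>` line. The same gap is in test/confs/5440.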
@@ -9,9 +9,9 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid -1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed -1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) diff --git a/test/log/2112 b/test/log/2112 index 3f77e65ea..ea09dd9a9 100644 --- a/test/log/2112 +++ b/test/log/2112 
@@ -3,20 +3,22 @@ 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> 1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37): failure while setting up TLS session 1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> -1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed -1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=self signed certificate 
cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock -1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com +1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=certificate not trusted cert=/CN=server1.example.com +1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=server1.example.com +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) 1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00" diff --git a/test/log/5440 b/test/log/5440 new file mode 100644 index 000000000..4d600ebc6 --- /dev/null +++ b/test/log/5440 
@@ -0,0 +1,17 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
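Review bot: The expected GnuTLS log records the name mismatch for `userr` only as `(certificate verification failed)` with no reason after it, whereas the OpenSSL log in test/log/5450 says `certificate name mismatch` and the chain failures in test/log/2012 end in `: certificate invalid`. Pinning this output means a name mismatch cannot be told apart from any other verification failure in the mainlog of a GnuTLS build. If the GnuTLS code, which is outside this test-only view, can name the cause, the expected line should carry it. This file also has no `userq` delivery, unlike 5450, so the chain-failure baseline with the new certificates is exercised only for OpenSSL.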
diff --git a/test/log/5450 b/test/log/5450 new file mode 100644 index 000000000..2a8aec4e7 --- /dev/null +++ b/test/log/5450 
@@ -0,0 +1,28 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com" + +1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 
09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex diff --git a/test/scripts/5440-certnames-GnuTLS/5440 b/test/scripts/5440-certnames-GnuTLS/5440 new file mode 100644 index 000000000..fea9551c0 --- /dev/null +++ b/test/scripts/5440-certnames-GnuTLS/5440 @@ -0,0 +1,14 @@ +# TLS client: verify certificate from server - fails +gnutls +exim -DSERVER=server -bd -oX PORT_D +**** +exim userr@test.ex +Testing +**** +exim users@test.ex +Testing +**** +exim -qf +**** +killdaemon +no_msglog_check diff --git a/test/scripts/5440-certnames-GnuTLS/REQUIRES b/test/scripts/5440-certnames-GnuTLS/REQUIRES new file mode 100644 index 000000000..5a5fac1f1 --- /dev/null +++ b/test/scripts/5440-certnames-GnuTLS/REQUIRES @@ -0,0 +1,3 @@ +support GnuTLS +support Experimental_Certnames +running IPv4 diff --git a/test/scripts/5450-certnames-OpenSSL/5450 b/test/scripts/5450-certnames-OpenSSL/5450 new file mode 100644 index 000000000..c94d1a5b2 --- /dev/null +++ b/test/scripts/5450-certnames-OpenSSL/5450 
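Review bot: The expected log has an empty line directly after `SSL verify error: certificate name mismatch: "/CN=server1.example.com"`, and the hunk's count of 28 added lines confirms it is part of the file. That most likely means the log call for the mismatch ends its format string with a newline, though this is an inference because the code is outside this test-only view. A blank line in the mainlog breaks line-oriented log processing, so I would fix the message in the source and drop the blank line here rather than record it as expected output. The mismatch line also omits the `depth=` and `error=` fields that the other `SSL verify error` lines carry.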
@@ -0,0 +1,16 @@ +# TLS client: verify certificate from server - fails +exim -DSERVER=server -bd -oX PORT_D +**** +exim userq@test.ex +Testing +**** +exim userr@test.ex +Testing +**** +exim users@test.ex +Testing +**** +exim -qf +**** +killdaemon +no_msglog_check diff --git a/test/scripts/5450-certnames-OpenSSL/REQUIRES b/test/scripts/5450-certnames-OpenSSL/REQUIRES new file mode 100644 index 000000000..663b390a9 --- /dev/null +++ b/test/scripts/5450-certnames-OpenSSL/REQUIRES @@ -0,0 +1,3 @@ +support OpenSSL +support Experimental_Certnames +running IPv4 -- cgit v1.2.3