From fc243e944ec00b59b75f41d07494116f925d58b4 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sat, 16 Feb 2019 12:59:23 +0000
Subject: GnuTLS: Fix client detection of server reject of client cert under TLS1.3
---
 test/confs/2027 | 8 +++++---
 test/confs/5652 | 1 +
 test/confs/5821 | 2 +-
 test/log/2027 | 2 +-
 test/runtest | 16 +++++++++++++++-
 test/scripts/2000-GnuTLS/2027 | 2 ++
 6 files changed, 25 insertions(+), 6 deletions(-)
(limited to 'test')
diff --git a/test/confs/2027 b/test/confs/2027
index cc47218fb..c1b93a2ce 100644
--- a/test/confs/2027
+++ b/test/confs/2027
@@ -47,9 +47,11 @@ local_delivery:
 user = CALLER
 send_to_server:
- driver = smtp
+ driver = smtp
 allow_localhost
- hosts = ${if eq{$local_part}{userx}{127.0.0.1}{HOSTIPV4}}
- port = PORT_D
+ hosts = ${if eq{$local_part}{userx}{127.0.0.1}{HOSTIPV4}}
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_cert_hostnames = :
 # End
diff --git a/test/confs/5652 b/test/confs/5652
index 13c8d8617..28d3a95bb 100644
--- a/test/confs/5652
+++ b/test/confs/5652
@@ -29,6 +29,7 @@ tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \
 : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
+tls_require_ciphers = NORMAL:!VERS-TLS1.3
 # ------ ACL ------
diff --git a/test/confs/5821 b/test/confs/5821
index 86ddbdedd..8a2d6459e 100644
--- a/test/confs/5821
+++ b/test/confs/5821
@@ -23,7 +23,7 @@ tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
 tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
 # Permit two specific ciphers
-tls_require_ciphers = NORMAL:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM
+tls_require_ciphers = NORMAL:-VERS-TLS1.3:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM
 # ----- Routers -----
 begin routers
diff --git a/test/log/2027 b/test/log/2027
index 0bdd86a57..499351cd0 100644
--- a/test/log/2027
+++ b/test/log/2027
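Review bot: `tls_verify_cert_hostnames = :` on send_to_server is an empty host list, which switches hostname checking off for every host this transport reaches, so the `CV=yes` the test now expects certifies only that the server's chain verifies against `DIR/aux-fixed/cert1`, not that the certificate name matches 127.0.0.1 or HOSTIPV4. That is presumably intended, since the test is about the client noticing the server's rejection of the client certificate rather than about server identity, but nothing in the conf says so and a later reader may "fix" it. A one-line comment above the two new options would pin the intent, e.g. `# verify the server chain only; name checking is off because the test cert is not issued for these addresses` — the second half to be confirmed against what cert1 actually carries. The transport definition is complete within the hunk.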
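Review bot: The TLS 1.3 exclusion is spelled two different ways in consecutive hunks, `!VERS-TLS1.3` in confs/5652 and `-VERS-TLS1.3` in confs/5821; GnuTLS priority strings treat `!` and `-` as the same removal operator, so the difference is only noise, and using `-VERS-TLS1.3` in both keeps the confs consistent and greppable. Neither conf records why the version is pinned: 5821's existing comment `# Permit two specific ciphers` only holds because RSA key exchange and the CBC/Camellia suites it names do not exist under TLS 1.3, while 5652 (an OCSP-stapling conf, judging from the `tls_ocsp_file` context) adds a bare `tls_require_ciphers` line with no comment at all and its reason is not visible from the hunk. A comment such as `# stay on TLS1.2: the expected output below depends on pre-1.3 cipher/kx behaviour` above each new line would document the dependency. Both hunks are complete.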
@@ -1,7 +1,7 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session: (gnutls_handshake): A TLS fatal alert has been received.: delivering unencrypted to H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
diff --git a/test/runtest b/test/runtest
index 77b701c0b..7aaf1032d 100755
--- a/test/runtest
+++ b/test/runtest
@@ -553,7 +553,7 @@ RESET_AFTER_EXTRA_LINE_READ:
 # (discarding kex, cipher, mac). For TLS 1.3 there is no kex
 # element (and no _WITH); insert a spurious "RSA".
- s/^\s+by .+ with .+ \K tls TLS_.*?([^_]+)_WITH.+$/(TLS1.x:ke-\1-AES256-SHAnnn:xxx)/;
+ s/^\s+by .+ with .+ \K tls TLS_.*?([^_]+)_WITH.+$/(TLS1.x:ke-$1-AES256-SHAnnn:xxx)/;
 s/^\s+by .+ with .+ \K tls TLS_.+$/(TLS1.x:ke-RSA-AES256-SHAnnn:xxx)/;
 # Test machines might have various different TLS library versions supporting
@@ -1263,6 +1263,20 @@ RESET_AFTER_EXTRA_LINE_READ:
 s/(DKIM: validation error: )error:[0-9A-F]{8}:rsa routines:(?:(?i)int_rsa_verify|CRYPTO_internal):(?:bad signature|algorithm mismatch)$/$1Public key signature verification has failed./;
 s/ARC: AMS signing: privkey PEM-block import: error:\K[0-9A-F]{8}:(PEM routines):get_name:(no start line)/0906D06C:$1:PEM_read_bio:$2/;
+ # gnutls version variances
+ if (/TLS error on connection \(recv\): .* Decode error/)
+ {
+ my $prev = $_;
+ $_ = ;
+ if (/error on first read/)
+ {
+ s/TLS session: \Kerror on first read:/(gnutls_handshake): A TLS fatal alert has been received.:/;
+ goto RESET_AFTER_EXTRA_LINE_READ;
+ }
+ else
+ { $_ = $prev; }
+ }
+
 # DKIM timestamps
 if ( /(DKIM: d=.*) t=([0-9]*) x=([0-9]*) / )
 {
diff --git a/test/scripts/2000-GnuTLS/2027 b/test/scripts/2000-GnuTLS/2027
index 0d94ac4cd..3e071b665 100644
--- a/test/scripts/2000-GnuTLS/2027
+++ b/test/scripts/2000-GnuTLS/2027
@@ -3,9 +3,11 @@ gnutls
 munge gnutls_handshake
 exim -DSERVER=server -bd -oX PORT_D
 ****
+# will send to 127.0.0.1 and the server requests a client-cert
 exim userx@test.ex
 Test message
 ****
+# will send to HOSTIPV4 and the server requests&requires
 exim usery@test.ex
 Test message
 ****
--
cgit v1.2.3
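Review bot: When the look-ahead line read into `$_` after `my $prev = $_;` does not match `/error on first read/`, the `else { $_ = $prev; }` branch restores the current line but the line just consumed is neither written out nor re-munged, so one line of input silently disappears from the munged output whenever a `Decode error` line is followed by anything else (the read appears as `$_ = ;` on this page, presumably `<IN>` lost to markup stripping). The matching path is fine, because `goto RESET_AFTER_EXTRA_LINE_READ` makes the rewritten line the current one and dropping the `Decode error` line is presumably the point of the normalisation, but the non-matching path needs a push-back rather than a discard: `else { $pending = $_; $_ = $prev; }` with the loop's read site taking `$pending` first when it is defined. The read site, the enclosing munge loop and the `RESET_AFTER_EXTRA_LINE_READ` label all lie outside this hunk, so that half of the change is not visible here.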