# TLS server: mandatory, optional, and revoked certificates gnutls munge gnutls_unexpected exim -DSERVER=server -bd -oX PORT_D **** ### No certificate, certificate required client-gnutls HOSTIPV4 PORT_D ??? 220 ehlo rhu1.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 nop ????554 **** ### No certificate, certificate optional at TLS time, required by ACL client-gnutls 127.0.0.1 PORT_D ??? 220 ehlo rhu2.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo rhu2tls.barb ??? 250 mail from: ??? 250 rcpt to: ??? 550 quit ??? 221 **** ### Good certificate, certificate required client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 ehlo rhu3.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo test ??? 250 mail from: ??? 250 rcpt to: ??? 250 quit ??? 221 **** ### Good certificate, certificate optional at TLS time, checked by ACL client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 ehlo rhu4.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo test ??? 250 mail from: ??? 250 rcpt to: ??? 250 quit ??? 221 **** ### Bad certificate, certificate required # Actually this test does not have the client presenting a cert at all, as it filters what it has # by the options offered by the server first. So it's not a good testcase. client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key ??? 220 ehlo rhu5.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 nop ????554 **** ### Bad certificate, certificate optional at TLS time, reject at ACL time # (situation as above) client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key ??? 220 ehlo rhu6.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo test ??? 250 mail from: ??? 250 rcpt to: ??? 550 quit ??? 221 **** killdaemon # # # # exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D **** ### Otherwise good but revoked certificate, certificate required # The trace for this test appears in the mainlog # - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough # then it says that + "Failed to start TLS". But if it's later, it says "Succeeded in starting TLS" # and only another command from the client elicits anything from the server (eg "554 Security failure"). # How can we test this? # An option on client to be quiet about tls problems. # # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key ??? 220 ehlo rhu7.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 STARTTLS ??? 220 NOP ??? 554 Security failure QUIT 220 **** ### Revoked certificate, certificate optional at TLS time, reject at ACL time client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key ??? 220 ehlo rhu8.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo test ??? 250 mail from: ??? 250 rcpt to: ??? 550 quit ??? 221 **** ### Good certificate, certificate required - but nonmatching CRL also present client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 ehlo rhu9.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo test ??? 250 mail from: ??? 250 rcpt to: ??? 250 quit ??? 221 **** killdaemon