Handle TLSv1.2 in test suite.

Normalise TLSv1.2 to TLSv1.
Normalise AES256-GCM-SHA384 to AES256-SHA.
Make some test configs accept AES256-GCM-SHA384 in "encrypted =" ACLs.

Have test suite print final test id during abort, make it easier to track down.

diff --git a/test/confs/2002 b/test/confs/2002
index 22dc68ee87fe398f8ad0e76c8229a198cdd21c31..e8358da258d8fed19fc2718b5397c21e3cf6cfa3 100644 (file)
--- a/test/confs/2002
+++ b/test/confs/2002
@@ -35,6 +35,7 @@ check_recipient:
   accept  hosts = :
   deny    hosts = HOSTIPV4
          !encrypted = AES256-SHA : \
+                      AES256-GCM-SHA384 : \
                       IDEA-CBC-MD5 : \
                       DES-CBC3-SHA : \
                       DHE_RSA_AES_256_CBC_SHA1 : \

diff --git a/test/confs/2019 b/test/confs/2019
index 993c8e0935b0d3c8b4d41581e1b56a8d5347f362..8e63c05ae2b30cde9bc928d6303b88dda4ac256a 100644 (file)
--- a/test/confs/2019
+++ b/test/confs/2019
@@ -35,6 +35,7 @@ check_recipient:
   accept  hosts = :
   deny    hosts = HOSTIPV4
          !encrypted = AES256-SHA:\
+                      AES256-GCM-SHA384:\
                       IDEA-CBC-MD5:\
                       DES-CBC3-SHA:\
                       DHE_RSA_AES_256_CBC_SHA1:\

diff --git a/test/confs/2102 b/test/confs/2102
index 3caab6f7c2ae17fe53933dd60bdff6d1d604b8b4..83180721a4564d18a8fa7919dfbc8d38b1f80dde 100644 (file)
--- a/test/confs/2102
+++ b/test/confs/2102
@@ -35,6 +35,7 @@ check_recipient:
   accept  hosts = :
   deny    hosts = HOSTIPV4
          !encrypted = AES256-SHA : \
+                      AES256-GCM-SHA384 : \
                       IDEA-CBC-MD5 : \
                       DES-CBC3-SHA : \
                       DHE_RSA_AES_256_CBC_SHA1 : \

diff --git a/test/confs/2119 b/test/confs/2119
index b64ebf7c68fb40a9927729e0188fe34e2b3029a7..c5182a14e6d67513a140844d8d3baae62cf46e8e 100644 (file)
--- a/test/confs/2119
+++ b/test/confs/2119
@@ -35,6 +35,7 @@ check_recipient:
   accept  hosts = :
   deny    hosts = HOSTIPV4
          !encrypted = AES256-SHA:\
+                      AES256-GCM-SHA384:\
                       IDEA-CBC-MD5:\
                       DES-CBC3-SHA:\
                       DHE_RSA_AES_256_CBC_SHA1:\

diff --git a/test/runtest b/test/runtest
index 5f77e625652785b7beea3f5717c25a44ca14af39..51658b878b70a4c6349249c57ec2d66b7a0520f7 100755 (executable)
--- a/test/runtest
+++ b/test/runtest
@@ -181,6 +181,8 @@ system("sudo /bin/rm -rf ./spool test-* ./dnszones/*")
   if ($rc == 0 && !$save_output);
 
 system("sudo /bin/rm -rf ./eximdir/*");
+
+print "\nYou were in test $test at the end there.\n\n" if defined $test;
 exit $rc if ($rc >= 0);
 die "** runtest error: $_[1]\n";
 }
@@ -468,6 +470,23 @@ RESET_AFTER_EXTRA_LINE_READ:
     \d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d/Exim statistics from <time> to <time>/x;
 
 
+  # ======== TLS certificate algorithms ========
+  # Test machines might have various different TLS library versions supporting
+  # different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we
+  # treat the standard algorithms the same.
+  # So far, have seen:
+  #   TLSv1:AES256-SHA:256
+  #   TLSv1.2:AES256-GCM-SHA384:256
+  # We also need to handle the ciphersuite without the TLS part present, for
+  # client-ssl's output.  We also see some older forced ciphersuites, but
+  # negotiating TLS 1.2 instead of 1.0.
+  # Mail headers (...), log-lines X=..., client-ssl output ...
+  # (and \b doesn't match between ' ' and '(' )
+
+  s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.2:/$1TLSv1:/xg;
+  s/\bAES256-GCM-SHA384\b/AES256-SHA/g;
+
+
   # ======== Caller's login, uid, gid, home, gecos ========
 
   s/\Q$parm_caller_home\E/CALLER_HOME/g;   # NOTE: these must be done