test/scripts/2000-GnuTLS/2014

   1 # TLS server: mandatory, optional, and revoked certificates
   2 gnutls
   3 munge gnutls_unexpected
   4 exim -DSERVER=server -bd -oX PORT_D
   5 ****
   6 ### No certificate, certificate required
   7 client-gnutls HOSTIPV4 PORT_D
   8 ??? 220
   9 ehlo rhu1.barb
  10 ??? 250-
  11 ??? 250-
  12 ??? 250-
  13 ??? 250-
  14 ??? 250-
  15 ??? 250
  16 starttls
  17 ??? 220
  18 nop
  19 ????554
  20 ****
  21 ### No certificate, certificate optional at TLS time, required by ACL
  22 client-gnutls 127.0.0.1 PORT_D
  23 ??? 220
  24 ehlo rhu2.barb
  25 ??? 250-
  26 ??? 250-
  27 ??? 250-
  28 ??? 250-
  29 ??? 250-
  30 ??? 250
  31 starttls
  32 ??? 220
  33 helo rhu2tls.barb
  34 ??? 250
  35 mail from:<userx@test.ex>
  36 ??? 250
  37 rcpt to:<userx@test.ex>
  38 ??? 550
  39 quit
  40 ??? 221
  41 ****
  42 ### Good certificate, certificate required
  43 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
  44 ??? 220
  45 ehlo rhu3.barb
  46 ??? 250-
  47 ??? 250-
  48 ??? 250-
  49 ??? 250-
  50 ??? 250-
  51 ??? 250
  52 starttls
  53 ??? 220
  54 helo test
  55 ??? 250
  56 mail from:<userx@test.ex>
  57 ??? 250
  58 rcpt to:<userx@test.ex>
  59 ??? 250
  60 quit
  61 ??? 221
  62 ****
  63 ### Good certificate, certificate optional at TLS time, checked by ACL
  64 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
  65 ??? 220
  66 ehlo rhu4.barb
  67 ??? 250-
  68 ??? 250-
  69 ??? 250-
  70 ??? 250-
  71 ??? 250-
  72 ??? 250
  73 starttls
  74 ??? 220
  75 helo test
  76 ??? 250
  77 mail from:<userx@test.ex>
  78 ??? 250
  79 rcpt to:<userx@test.ex>
  80 ??? 250
  81 quit
  82 ??? 221
  83 ****
  84 ### Bad certificate, certificate required
  85 # Actually this test does not have the client presenting a cert at all, as it filters what it has
  86 # by the options offered by the server first.  So it's not a good testcase.
  87 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
  88 ??? 220
  89 ehlo rhu5.barb
  90 ??? 250-
  91 ??? 250-
  92 ??? 250-
  93 ??? 250-
  94 ??? 250-
  95 ??? 250
  96 starttls
  97 ??? 220
  98 nop
  99 ????554
 100 ****
 101 ### Bad certificate, certificate optional at TLS time, reject at ACL time
 102 # (situation as above)
 103 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
 104 ??? 220
 105 ehlo rhu6.barb
 106 ??? 250-
 107 ??? 250-
 108 ??? 250-
 109 ??? 250-
 110 ??? 250-
 111 ??? 250
 112 starttls
 113 ??? 220
 114 helo test
 115 ??? 250
 116 mail from:<userx@test.ex>
 117 ??? 250
 118 rcpt to:<userx@test.ex>
 119 ??? 550
 120 quit
 121 ??? 221
 122 ****
 123 killdaemon
 124 #
 125 #
 126 #
 127 #
 128 exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
 129 ****
 130 ### Otherwise good but revoked certificate, certificate required
 131 # The trace for this test appears in the mainlog
 132 # - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough
 133 # then it says that + "Failed to start TLS".  But if it's later, it says "Succeeded in starting TLS"
 134 # and only another command from the client elicits anything from the server (eg "554 Security failure").
 135 # How can we test this?
 136 # An option on client to be quiet about tls problems.
 137 #
 138 # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
 139 client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
 140 ??? 220
 141 ehlo rhu7.barb
 142 ??? 250-
 143 ??? 250-
 144 ??? 250-
 145 ??? 250-
 146 ??? 250-
 147 ??? 250
 148 STARTTLS
 149 ??? 220
 150 NOP
 151 ??? 554 Security failure
 152 QUIT
 153 220
 154 ****
 155 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
 156 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
 157 ??? 220
 158 ehlo rhu8.barb
 159 ??? 250-
 160 ??? 250-
 161 ??? 250-
 162 ??? 250-
 163 ??? 250-
 164 ??? 250
 165 starttls
 166 ??? 220
 167 helo test
 168 ??? 250
 169 mail from:<userx@test.ex>
 170 ??? 250
 171 rcpt to:<userx@test.ex>
 172 ??? 550
 173 quit
 174 ??? 221
 175 ****
 176 ### Good certificate, certificate required - but nonmatching CRL also present
 177 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
 178 ??? 220
 179 ehlo rhu9.barb
 180 ??? 250-
 181 ??? 250-
 182 ??? 250-
 183 ??? 250-
 184 ??? 250-
 185 ??? 250
 186 starttls
 187 ??? 220
 188 helo test
 189 ??? 250
 190 mail from:<userx@test.ex>
 191 ??? 250
 192 rcpt to:<userx@test.ex>
 193 ??? 250
 194 quit
 195 ??? 221
 196 ****
 197 killdaemon