1 # TLS server: mandatory, optional, and revoked certificates
3 munge gnutls_unexpected
4 exim -DSERVER=server -bd -oX PORT_D
6 ### No certificate, certificate required
7 client-gnutls HOSTIPV4 PORT_D
21 ### No certificate, certificate optional at TLS time, required by ACL
22 client-gnutls 127.0.0.1 PORT_D
35 mail from:<userx@test.ex>
37 rcpt to:<userx@test.ex>
42 ### Good certificate, certificate required
43 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
54 mail from:<userx@test.ex>
56 rcpt to:<userx@test.ex>
61 ### Good certificate, certificate optional at TLS time, checked by ACL
62 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
73 mail from:<userx@test.ex>
75 rcpt to:<userx@test.ex>
80 ### Bad certificate, certificate required
81 # Actually this test does not have the client presenting a cert at all, as it filters what it has
82 # by the options offered by the server first. So it's not a good testcase.
83 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
97 ### Bad certificate, certificate optional at TLS time, reject at ACL time
98 # (situation as above)
99 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
110 mail from:<userx@test.ex>
112 rcpt to:<userx@test.ex>
122 exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
124 ### Otherwise good but revoked certificate, certificate required
125 # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
126 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
138 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
139 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
150 mail from:<userx@test.ex>
152 rcpt to:<userx@test.ex>
157 ### Good certificate, certificate required - but nonmatching CRL also present
158 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
169 mail from:<userx@test.ex>
171 rcpt to:<userx@test.ex>