Testsuite: harden for TLS1.3 under GnuTLS
[exim.git] / test / scripts / 2000-GnuTLS / 2014
1 # TLS server: mandatory, optional, and revoked certificates
2 gnutls
3 munge gnutls_unexpected
4 exim -DSERVER=server -bd -oX PORT_D
5 ****
6 ### No certificate, certificate required
7 client-gnutls HOSTIPV4 PORT_D
8 ??? 220
9 ehlo rhu1.barb
10 ??? 250-
11 ??? 250-
12 ??? 250-
13 ??? 250-
14 ??? 250-
15 ??? 250
16 starttls
17 ??? 220
18 nop
19 ????554
20 ****
21 ### No certificate, certificate optional at TLS time, required by ACL
22 client-gnutls 127.0.0.1 PORT_D
23 ??? 220
24 ehlo rhu2.barb
25 ??? 250-
26 ??? 250-
27 ??? 250-
28 ??? 250-
29 ??? 250-
30 ??? 250
31 starttls
32 ??? 220
33 helo rhu2tls.barb
34 ??? 250
35 mail from:<userx@test.ex>
36 ??? 250
37 rcpt to:<userx@test.ex>
38 ??? 550
39 quit
40 ??? 221
41 ****
42 ### Good certificate, certificate required
43 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
44 ??? 220
45 ehlo rhu3.barb
46 ??? 250-
47 ??? 250-
48 ??? 250-
49 ??? 250-
50 ??? 250-
51 ??? 250
52 starttls
53 ??? 220
54 mail from:<userx@test.ex>
55 ??? 250
56 rcpt to:<userx@test.ex>
57 ??? 250
58 quit
59 ??? 221
60 ****
61 ### Good certificate, certificate optional at TLS time, checked by ACL
62 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
63 ??? 220
64 ehlo rhu4.barb
65 ??? 250-
66 ??? 250-
67 ??? 250-
68 ??? 250-
69 ??? 250-
70 ??? 250
71 starttls
72 ??? 220
73 mail from:<userx@test.ex>
74 ??? 250
75 rcpt to:<userx@test.ex>
76 ??? 250
77 quit
78 ??? 221
79 ****
80 ### Bad certificate, certificate required
81 # Actually this test does not have the client presenting a cert at all, as it filters what it has
82 # by the options offered by the server first.  So it's not a good testcase.
83 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
84 ??? 220
85 ehlo rhu5.barb
86 ??? 250-
87 ??? 250-
88 ??? 250-
89 ??? 250-
90 ??? 250-
91 ??? 250
92 starttls
93 ??? 220
94 nop
95 ????554
96 ****
97 ### Bad certificate, certificate optional at TLS time, reject at ACL time
98 # (situation as above)
99 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
100 ??? 220
101 ehlo rhu6.barb
102 ??? 250-
103 ??? 250-
104 ??? 250-
105 ??? 250-
106 ??? 250-
107 ??? 250
108 starttls
109 ??? 220
110 mail from:<userx@test.ex>
111 ??? 250
112 rcpt to:<userx@test.ex>
113 ??? 550
114 quit
115 ??? 221
116 ****
117 killdaemon
118 #
119 #
120 #
121 #
122 exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
123 ****
124 ### Otherwise good but revoked certificate, certificate required
125 # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
126 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
127 ??? 220
128 ehlo rhu7.barb
129 ??? 250-
130 ??? 250-
131 ??? 250-
132 ??? 250-
133 ??? 250-
134 ??? 250
135 starttls
136 ??? 220
137 mail from:<userx@test.ex>
138 ??? 554
139 ****
140 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
141 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
142 ??? 220
143 ehlo rhu8.barb
144 ??? 250-
145 ??? 250-
146 ??? 250-
147 ??? 250-
148 ??? 250-
149 ??? 250
150 starttls
151 ??? 220
152 mail from:<userx@test.ex>
153 ??? 250
154 rcpt to:<userx@test.ex>
155 ??? 550
156 quit
157 ??? 221
158 ****
159 ### Good certificate, certificate required - but nonmatching CRL also present
160 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
161 ??? 220
162 ehlo rhu9.barb
163 ??? 250-
164 ??? 250-
165 ??? 250-
166 ??? 250-
167 ??? 250-
168 ??? 250
169 starttls
170 ??? 220
171 mail from:<userx@test.ex>
172 ??? 250
173 rcpt to:<userx@test.ex>
174 ??? 250
175 quit
176 ??? 221
177 ****
178 killdaemon