test/scripts/2000-GnuTLS/2014

   1 # TLS server: mandatory, optional, and revoked certificates
   2 gnutls
   3 munge gnutls_unexpected
   4 exim -DSERVER=server -bd -oX PORT_D
   5 ****
   6 ### No certificate, certificate required
   7 client-gnutls HOSTIPV4 PORT_D
   8 ??? 220
   9 ehlo rhu1.barb
  10 ??? 250-
  11 ??? 250-
  12 ??? 250-
  13 ??? 250-
  14 ??? 250-
  15 ??? 250-
  16 ??? 250
  17 starttls
  18 ??? 220
  19 nop
  20 ????554
  21 ****
  22 ### No certificate, certificate optional at TLS time, required by ACL
  23 client-gnutls 127.0.0.1 PORT_D
  24 ??? 220
  25 ehlo rhu2.barb
  26 ??? 250-
  27 ??? 250-
  28 ??? 250-
  29 ??? 250-
  30 ??? 250-
  31 ??? 250-
  32 ??? 250
  33 starttls
  34 ??? 220
  35 helo rhu2tls.barb
  36 ??? 250
  37 mail from:<userx@test.ex>
  38 ??? 250
  39 rcpt to:<userx@test.ex>
  40 ??? 550
  41 quit
  42 ??? 221
  43 ****
  44 ### Good certificate, certificate required
  45 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
  46 ??? 220
  47 ehlo rhu3.barb
  48 ??? 250-
  49 ??? 250-
  50 ??? 250-
  51 ??? 250-
  52 ??? 250-
  53 ??? 250-
  54 ??? 250
  55 starttls
  56 ??? 220
  57 helo test
  58 ??? 250
  59 mail from:<userx@test.ex>
  60 ??? 250
  61 rcpt to:<userx@test.ex>
  62 ??? 250
  63 quit
  64 ??? 221
  65 ****
  66 ### Good certificate, certificate optional at TLS time, checked by ACL
  67 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
  68 ??? 220
  69 ehlo rhu4.barb
  70 ??? 250-
  71 ??? 250-
  72 ??? 250-
  73 ??? 250-
  74 ??? 250-
  75 ??? 250-
  76 ??? 250
  77 starttls
  78 ??? 220
  79 helo test
  80 ??? 250
  81 mail from:<userx@test.ex>
  82 ??? 250
  83 rcpt to:<userx@test.ex>
  84 ??? 250
  85 quit
  86 ??? 221
  87 ****
  88 ### Bad certificate, certificate required
  89 # Actually this test does not have the client presenting a cert at all, as it filters what it has
  90 # by the options offered by the server first.  So it's not a good testcase.
  91 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
  92 ??? 220
  93 ehlo rhu5.barb
  94 ??? 250-
  95 ??? 250-
  96 ??? 250-
  97 ??? 250-
  98 ??? 250-
  99 ??? 250-
 100 ??? 250
 101 starttls
 102 ??? 220
 103 nop
 104 ????554
 105 ****
 106 ### Bad certificate, certificate optional at TLS time, reject at ACL time
 107 # (situation as above)
 108 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
 109 ??? 220
 110 ehlo rhu6.barb
 111 ??? 250-
 112 ??? 250-
 113 ??? 250-
 114 ??? 250-
 115 ??? 250-
 116 ??? 250-
 117 ??? 250
 118 starttls
 119 ??? 220
 120 helo test
 121 ??? 250
 122 mail from:<userx@test.ex>
 123 ??? 250
 124 rcpt to:<userx@test.ex>
 125 ??? 550
 126 quit
 127 ??? 221
 128 ****
 129 killdaemon
 130 #
 131 #
 132 #
 133 #
 134 exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
 135 ****
 136 ### Otherwise good but revoked certificate, certificate required
 137 # The trace for this test appears in the mainlog
 138 # - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough
 139 # then it says that + "Failed to start TLS".  But if it's later, it says "Succeeded in starting TLS"
 140 # and only another command from the client elicits anything from the server (eg "554 Security failure").
 141 # How can we test this?
 142 # An option on client to be quiet about tls problems.
 143 #
 144 # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
 145 client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
 146 ??? 220
 147 ehlo rhu7.barb
 148 ??? 250-
 149 ??? 250-
 150 ??? 250-
 151 ??? 250-
 152 ??? 250-
 153 ??? 250-
 154 ??? 250
 155 STARTTLS
 156 ??? 220
 157 NOP
 158 ??? 554 Security failure
 159 QUIT
 160 220
 161 ****
 162 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
 163 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
 164 ??? 220
 165 ehlo rhu8.barb
 166 ??? 250-
 167 ??? 250-
 168 ??? 250-
 169 ??? 250-
 170 ??? 250-
 171 ??? 250-
 172 ??? 250
 173 starttls
 174 ??? 220
 175 helo test
 176 ??? 250
 177 mail from:<userx@test.ex>
 178 ??? 250
 179 rcpt to:<userx@test.ex>
 180 ??? 550
 181 quit
 182 ??? 221
 183 ****
 184 ### Good certificate, certificate required - but nonmatching CRL also present
 185 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
 186 ??? 220
 187 ehlo rhu9.barb
 188 ??? 250-
 189 ??? 250-
 190 ??? 250-
 191 ??? 250-
 192 ??? 250-
 193 ??? 250-
 194 ??? 250
 195 starttls
 196 ??? 220
 197 helo test
 198 ??? 250
 199 mail from:<userx@test.ex>
 200 ??? 250
 201 rcpt to:<userx@test.ex>
 202 ??? 250
 203 quit
 204 ??? 221
 205 ****
 206 killdaemon