Docs: CVE note
[exim.git] / test / scripts / 2000-GnuTLS / 2014
# TLS server: mandatory, optional, and revoked certificates
gnutls
munge gnutls_unexpected
exim -DSERVER=server -bd -oX PORT_D
****
### No certificate, certificate required
client-gnutls HOSTIPV4 PORT_D
??? 220
ehlo rhu1.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
nop
????554
****
### No certificate, certificate optional at TLS time, required by ACL
client-gnutls 127.0.0.1 PORT_D
??? 220
ehlo rhu2.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo rhu2tls.barb
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu3.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Good certificate, certificate optional at TLS time, checked by ACL
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu4.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Bad certificate, certificate required
# Actually this test does not have the client presenting a cert at all, as it filters what it has
# by the options offered by the server first.  So it's not a good testcase.
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu5.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
nop
????554
****
### Bad certificate, certificate optional at TLS time, reject at ACL time
# (situation as above)
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu6.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
killdaemon
#
#
#
#
exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
****
### Otherwise good but revoked certificate, certificate required
# The trace for this test appears in the mainlog
# - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough
# then it says that + "Failed to start TLS".  But if it's later, it says "Succeeded in starting TLS"
# and only another command from the client elicits anything from the server (eg "554 Security failure").
# How can we test this?
# An option on client to be quiet about tls problems.
#
# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu7.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
STARTTLS
??? 220
NOP
??? 554 Security failure
QUIT
220
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu8.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required - but nonmatching CRL also present
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu9.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
killdaemon
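The script above relies on two expectation forms that matter for the TLS-failure cases: `??? 554` is a mandatory reply, while `????554` (in the "Bad certificate, certificate required" block) is tolerated whether or not it arrives, which is how the script copes with the TLS-alert timing race described in the revoked-certificate comments. The following is an added example, not Exim's own harness (the real one is test/src/client.c and runtest, which may differ in details): it parses a block in this notation under the assumed semantics just stated, then replays the expectations against three constructed server transcripts. The transcripts, the `Step`/`Block` types and `check_transcript` are all hypothetical constructions for this illustration. The useful property is the third case: a server that silently accepts an untrusted client certificate and answers the NOP with 250 is reported as a mismatch rather than passing through the optional expectation.

```python
"""Parser and matcher for the Exim test-suite client script notation (added
example, not Exim's own code). Assumed semantics, read from the script:
  '****'       ends a block; the block's first line is the command to run, the
               remaining lines are fed to that client one by one
  '# ...'      comment (also covers the '### section' lines)
  '??? 250-'   expect a server line that starts with '250-'
  '????554'    optional expectation: consume a matching line if it arrives,
               otherwise carry on without failing
  other lines  commands the client sends to the server
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Step:
    kind: str          # "send" or "expect"
    text: str
    optional: bool = False


@dataclass
class Block:
    command: str
    steps: List[Step] = field(default_factory=list)


def parse_script(script: str) -> List[Block]:
    """Split a client script into blocks and classify every line."""
    blocks: List[Block] = []
    current: Optional[Block] = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "****":
            if current is not None:
                blocks.append(current)
            current = None
            continue
        if current is None:
            current = Block(command=line)            # first line names the command
        elif line.startswith("????"):
            current.steps.append(Step("expect", line[4:].strip(), optional=True))
        elif line.startswith("???"):
            current.steps.append(Step("expect", line[3:].strip()))
        else:
            current.steps.append(Step("send", line))
    if current is not None:
        blocks.append(current)
    return blocks


def check_transcript(block: Block, server_lines: List[str]) -> List[str]:
    """Replay a block's expectations against the lines a server sent, in order.

    Returns a list of mismatches; an empty list means the exchange matched.
    Unconsumed server output is reported too, so a reply that slips past an
    optional expectation cannot make a failing server look compliant.
    """
    problems: List[str] = []
    pos = 0
    for step in block.steps:
        if step.kind == "send":
            continue                                 # nothing to check on our own output
        actual = server_lines[pos] if pos < len(server_lines) else None
        if actual is not None and actual.startswith(step.text):
            pos += 1                                 # matched: consume the line
        elif step.optional:
            continue                                 # absent optional reply is fine
        else:
            problems.append(f"expected {step.text!r}, got {actual!r}")
            if actual is not None:
                pos += 1
    if pos < len(server_lines):
        problems.append(f"unexpected server output: {server_lines[pos:]!r}")
    return problems


# Constructed copy of the "Bad certificate, certificate required" block above.
BAD_CERT_BLOCK = """\
### Bad certificate, certificate required
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu5.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
nop
????554
****
"""

# Constructed server transcripts (not captured from a real Exim).
GREETING = ["220 test.ex ESMTP", "250-test.ex Hello rhu5.barb", "250-SIZE 52428800",
            "250-8BITMIME", "250-PIPELINING", "250-STARTTLS", "250 HELP", "220 TLS go ahead"]
TRANSCRIPTS: Dict[str, List[str]] = {
    "alert_late": GREETING + ["554 Security failure"],   # NOP elicits the rejection
    "alert_early": GREETING,                             # server closed, no 554 seen
    "not_enforced": GREETING + ["250 OK"],               # untrusted cert accepted
    "tls_refused": GREETING[:7] + ["454 TLS not available"],
}


def run_demo() -> Dict[str, List[str]]:
    """Check every constructed transcript against the parsed block."""
    block = parse_script(BAD_CERT_BLOCK)[0]
    return {name: check_transcript(block, lines) for name, lines in TRANSCRIPTS.items()}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "OK" if not problems else problems)
```

Only `not_enforced` and `tls_refused` produce mismatches; the two timing variants of the alert both pass, which is exactly the tolerance the `????` form buys in the script.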