hosts_require_helo
[exim.git] / test / scripts / 2000-GnuTLS / 2014
# TLS server: mandatory, optional, and revoked certificates
gnutls
munge gnutls_unexpected
exim -DSERVER=server -bd -oX PORT_D
****
### No certificate, certificate required
client-gnutls HOSTIPV4 PORT_D
??? 220
ehlo rhu1.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
nop
????554
****
### No certificate, certificate optional at TLS time, required by ACL
client-gnutls 127.0.0.1 PORT_D
??? 220
ehlo rhu2.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo rhu2tls.barb
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu3.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Good certificate, certificate optional at TLS time, checked by ACL
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu4.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Bad certificate, certificate required
# Actually this test does not have the client presenting a cert at all, as it filters what it has
# by the options offered by the server first.  So it's not a good testcase.
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu5.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
nop
????554
****
### Bad certificate, certificate optional at TLS time, reject at ACL time
# (situation as above)
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu6.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
killdaemon
#
#
#
#
exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
****
### Otherwise good but revoked certificate, certificate required
# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu7.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 554
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu8.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required - but nonmatching CRL also present
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu9.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
killdaemon