Call notquite ACL for synprot-error limit. Bug 3092
[exim.git] / test / scripts / 2000-GnuTLS / 2014
1 # TLS server: mandatory, optional, and revoked certificates
2 gnutls
3 munge gnutls_unexpected
4 exim -DSERVER=server -bd -oX PORT_D
5 ****
6 ### No certificate, certificate required
7 client-gnutls HOSTIPV4 PORT_D
8 ??? 220
9 ehlo rhu1.barb
10 ??? 250-
11 ??? 250-
12 ??? 250-
13 ??? 250-
14 ??? 250-
15 ??? 250-
16 ??? 250
17 starttls
18 ??? 220
19 nop
20 ????554
21 ****
22 ### No certificate, certificate optional at TLS time, required by ACL
23 client-gnutls 127.0.0.1 PORT_D
24 ??? 220
25 ehlo rhu2.barb
26 ??? 250-
27 ??? 250-
28 ??? 250-
29 ??? 250-
30 ??? 250-
31 ??? 250-
32 ??? 250
33 starttls
34 ??? 220
35 helo rhu2tls.barb
36 ??? 250
37 mail from:<userx@test.ex>
38 ??? 250
39 rcpt to:<userx@test.ex>
40 ??? 550
41 quit
42 ??? 221
43 ****
44 ### Good certificate, certificate required
45 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
46 ??? 220
47 ehlo rhu3.barb
48 ??? 250-
49 ??? 250-
50 ??? 250-
51 ??? 250-
52 ??? 250-
53 ??? 250-
54 ??? 250
55 starttls
56 ??? 220
57 helo test
58 ??? 250
59 mail from:<userx@test.ex>
60 ??? 250
61 rcpt to:<userx@test.ex>
62 ??? 250
63 quit
64 ??? 221
65 ****
66 ### Good certificate, certificate optional at TLS time, checked by ACL
67 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
68 ??? 220
69 ehlo rhu4.barb
70 ??? 250-
71 ??? 250-
72 ??? 250-
73 ??? 250-
74 ??? 250-
75 ??? 250-
76 ??? 250
77 starttls
78 ??? 220
79 helo test
80 ??? 250
81 mail from:<userx@test.ex>
82 ??? 250
83 rcpt to:<userx@test.ex>
84 ??? 250
85 quit
86 ??? 221
87 ****
88 ### Bad certificate, certificate required
89 # Actually this test does not have the client presenting a cert at all, as it filters what it has
90 # by the options offered by the server first.  So it's not a good testcase.
91 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
92 ??? 220
93 ehlo rhu5.barb
94 ??? 250-
95 ??? 250-
96 ??? 250-
97 ??? 250-
98 ??? 250-
99 ??? 250-
100 ??? 250
101 starttls
102 ??? 220
103 nop
104 ????554
105 ****
106 ### Bad certificate, certificate optional at TLS time, reject at ACL time
107 # (situation as above)
108 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
109 ??? 220
110 ehlo rhu6.barb
111 ??? 250-
112 ??? 250-
113 ??? 250-
114 ??? 250-
115 ??? 250-
116 ??? 250-
117 ??? 250
118 starttls
119 ??? 220
120 helo test
121 ??? 250
122 mail from:<userx@test.ex>
123 ??? 250
124 rcpt to:<userx@test.ex>
125 ??? 550
126 quit
127 ??? 221
128 ****
129 killdaemon
130 #
131 #
132 #
133 #
134 exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
135 ****
136 ### Otherwise good but revoked certificate, certificate required
137 # The trace for this test appears in the mainlog
138 # - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough
139 # then it says that + "Failed to start TLS".  But if it's later, it says "Succeeded in starting TLS"
140 # and only another command from the client elicits anything from the server (eg "554 Security failure").
141 # How can we test this?
142 # An option on client to be quiet about tls problems.
143 #
144 # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
145 client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
146 ??? 220
147 ehlo rhu7.barb
148 ??? 250-
149 ??? 250-
150 ??? 250-
151 ??? 250-
152 ??? 250-
153 ??? 250-
154 ??? 250
155 STARTTLS
156 ??? 220
157 NOP
158 ??? 554 Security failure
159 QUIT
160 220
161 ****
162 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
163 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
164 ??? 220
165 ehlo rhu8.barb
166 ??? 250-
167 ??? 250-
168 ??? 250-
169 ??? 250-
170 ??? 250-
171 ??? 250-
172 ??? 250
173 starttls
174 ??? 220
175 helo test
176 ??? 250
177 mail from:<userx@test.ex>
178 ??? 250
179 rcpt to:<userx@test.ex>
180 ??? 550
181 quit
182 ??? 221
183 ****
184 ### Good certificate, certificate required - but nonmatching CRL also present
185 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
186 ??? 220
187 ehlo rhu9.barb
188 ??? 250-
189 ??? 250-
190 ??? 250-
191 ??? 250-
192 ??? 250-
193 ??? 250-
194 ??? 250
195 starttls
196 ??? 220
197 helo test
198 ??? 250
199 mail from:<userx@test.ex>
200 ??? 250
201 rcpt to:<userx@test.ex>
202 ??? 250
203 quit
204 ??? 221
205 ****
206 killdaemon