my($date1,$date2,$date3,$expired) = ($1,$2,$3,$4);
$expired = '' if !defined $expired;
- # Round the time-difference up to nearest even value
- my($increment) = ((date_seconds($date3) - date_seconds($date2) + 1) >> 1) << 1;
+ # Make time-difference minimum 2, and rounded up to even value
+ my($increment) = date_seconds($date3) - date_seconds($date2) + 1;
+ $increment = 2 if ($increment == 0);
+ $increment = ($increment >> 1) << 1;
# We used to use globally unique replacement values, but timing
# differences make this impossible. Just show the increment on the
s/(TLS error on connection from .* \(SSL_\w+\): error:)(.*)/$1 <<detail omitted>>/;
next if /SSL verify error: depth=0 error=certificate not trusted/;
+ # OpenSSL 3.2.1
# OpenSSL 3.0.0
- s/TLS error \(D-H param setting .* error:\K.*dh key too small/xxxxxxxx:SSL routines::dh key too small/;
+ s/TLS\ error\ \(D-H\ param\ setting\ .*\ error:\K
+ .*
+ (?:dh\ key\ too\ small|unknown\ security\ bits)
+ /xxxxxxxx:SSL routines::dh key too small/x;
# OpenSSL 1.1.1
s/error:\K0B080074:x509 certificate routines:X509_check_private_key(?=:key values mismatch$)/05800074:x509 certificate routines:/;
# Hints DB use of lockfiles is provider-dependent
s/Failed to open \K(?:hintsdb|database lock) file (.*\/spool\/db\/[^. ]*)(?:.lockfile)?(?: for reading)?(?=: No such file or directory$)/hintsdb $1/;
-
# openssl version variances
# Error lines on stdout from SSL contain process id values and file names.
# They also contain a source file name and line number, which may vary from
next if /SSL verify error: depth=0 error=certificate not trusted/;
s/SSL3_READ_BYTES/ssl3_read_bytes/i;
s/CONNECT_CR_FINISHED/ssl3_read_bytes/i;
- s/^[[:xdigit:]]+:error:[[:xdigit:]]+(?:E[[:xdigit:]]+)?(:SSL routines:ssl3_read_bytes:[^:]+:).*(:SSL alert number \d\d)$/pppp:error:dddddddd$1\[...\]$2/;
+ s/^[[:xdigit:]]+:error:[[:xdigit:]]+(?:E[[:xdigit:]]+)?
+ (:SSL\ routines:ssl3_read_bytes:)
+ ssl(?:v3|\/tls)
+ ([^:]+:)
+ .*
+ (:SSL\ alert\ number\ \d\d)$
+ /pppp:error:dddddddd$1sslv3$2\[...\]$3/x;
s/^error:\K[^:]*:(SSL routines:ssl3_read_bytes:(tls|ssl)v\d+ alert)/dddddddd:$1/;
s/^error:\K[[:xdigit:]]+:SSL routines::(tlsv13 alert certificate required)$/dddddddd:SSL routines:ssl3_read_bytes:$1/;
- s/^error:\K[[:xdigit:]]+:SSL routines::((tlsv1|sslv3) alert (unknown ca|certificate revoked))$/dddddddd:SSL routines:ssl3_read_bytes:$1/;
+ s/^error:\K
+ [[:xdigit:]]+:SSL\ routines::
+ ((?:tlsv1|sslv3)\ alert\ (?:unknown\ ca|certificate\ revoked))$
+ /dddddddd:SSL routines:ssl3_read_bytes:$1/x;
+ s/^error:\K
+ [[:xdigit:]]+:SSL\ routines::
+ ssl\/tls\ (alert\ (?:unknown\ ca|certificate\ revoked))$
+ /dddddddd:SSL routines:ssl3_read_bytes:sslv3 $1/x;
# gnutls version variances
next if /^Error in the pull function./;
next if /in\s(?:tls_advertise_hosts\?|hosts_require_tls\?)
\sno\s\((option\sunset|end\sof\slist)\)/x;
+ # non-TLS builds cannot have DANE
+
+ next if /lack of DNSSEC traceability precludes DANE$/;
+
# Skip auxiliary group lists because they will vary.
next if /auxiliary group list:/;
git://git.exim.org / exim.git / blobdiff