# treat the standard algorithms the same.
# So far, have seen:
# TLSv1:AES256-SHA:256
+ # TLSv1.1:AES256-SHA:256
# TLSv1.2:AES256-GCM-SHA384:256
# TLSv1.2:DHE-RSA-AES256-SHA:256
# TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
# Mail headers (...), log-lines X=..., client-ssl output ...
# (and \b doesn't match between ' ' and '(' )
- s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.2:/$1TLSv1:/xg;
+ s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[12]:/$1TLSv1:/xg;
s/\bAES256-GCM-SHA384\b/AES256-SHA/g;
s/\bDHE-RSA-AES256-SHA\b/AES256-SHA/g;
# GnuTLS have seen:
+ # TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256
+ # TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128
# TLS1.2:RSA_AES_256_CBC_SHA1:256 (canonical)
# TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
#
# X=TLS1.1:RSA_AES_256_CBC_SHA1:256
# X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256
# and as stand-alone cipher:
+ # ECDHE-RSA-AES256-SHA
# DHE-RSA-AES256-SHA256
# DHE-RSA-AES256-SHA
# picking latter as canonical simply because regex easier that way.
s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA_AES_256_CBC_SHA1:256/g;
- s/TLS1.[012]:(DHE_)?RSA_AES_256_CBC_SHA(1|256):256/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g;
- s/\bDHE-RSA-AES256-SHA256\b/DHE-RSA-AES256-SHA/g;
+ s/TLS1.[012]:((EC)?DHE_)?RSA_AES_(256|128)_(CBC|GCM)_SHA(1|256|384):(256|128)/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g;
+ s/\b(ECDHE-RSA-AES256-SHA|DHE-RSA-AES256-SHA256)\b/AES256-SHA/g;
+
+ # GnuTLS library error message changes
+ s/No certificate was found/The peer did not send any certificate/g;
+#(dodgy test?) s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g;
+ s/\(gnutls_priority_set\): No or insufficient priorities were set/\(gnutls_handshake\): Could not negotiate a supported cipher suite/g;
+
+ # (this new one is a generic channel-read error, but the testsuite
+ # only hits it in one place)
+ s/TLS error on connection to \d{1,3}(.\d{1,3}){3} \[\d{1,3}(.\d{1,3}){3}\] \(gnutls_handshake\): Error in the pull function\./a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed/g;
+
+ # (replace old with new, hoping that old only happens in one situation)
+ s/TLS error on connection to \d{1,3}(.\d{1,3}){3} \[\d{1,3}(.\d{1,3}){3}\] \(gnutls_handshake\): A TLS packet with unexpected length was received./a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed/g;
+ s/TLS error on connection from \[127.0.0.1\] \(recv\): A TLS packet with unexpected length was received./TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated./g;
+
+ # signature algorithm names
+ s/RSA-SHA1/RSA-SHA/;
# ======== Caller's login, uid, gid, home, gecos ========
# other output is fragile; perhaps the debug output should be revised instead.
s%(?<!sqlite)(?<!lsearch\*@)(?<!lsearch\*)(?<!lsearch)[0-?]TESTSUITE/aux-fixed/%0TESTSUITE/aux-fixed/%g;
+ # ==========================================================
+ # MIME boundaries in RFC3461 DSN messages
+ s/\d{8,10}-eximdsn-\d{8,10}/NNNNNNNNNN-eximdsn-MMMMMMMMMM/;
+
# ==========================================================
# Some munging is specific to the specific file types
@saved = ();
}
+ # Skip hosts_require_dane checks when the options
+ # are unset, because dane ain't always there.
+
+ next if /in\shosts_require_dane\?\sno\s\(option\sunset\)/x;
+
# Skip some lines that Exim puts out at the start of debugging output
# because they will be different in different binaries.
'gnutls_handshake' =>
{ 'mainlog' => 's/\(gnutls_handshake\): Error in the push function/\(gnutls_handshake\): A TLS packet with unexpected length was received/', },
+ 'tpda' =>
+ { 'stdout' => '/tpda_delivery_action =/', },
+
};