X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/5b4569757c6dc749c250f065705f65c938bffb2e..refs/heads/master:/test/scripts/2000-GnuTLS/2014
diff --git a/test/scripts/2000-GnuTLS/2014 b/test/scripts/2000-GnuTLS/2014
index 3e6710b59..5fdb361ce 100644
--- a/test/scripts/2000-GnuTLS/2014
+++ b/test/scripts/2000-GnuTLS/2014
@@ -1,11 +1,13 @@ # TLS server: mandatory, optional, and revoked certificates gnutls +munge gnutls_unexpected exim -DSERVER=server -bd -oX PORT_D **** -# No certificate, certificate required +### No certificate, certificate required client-gnutls HOSTIPV4 PORT_D ??? 220 -ehlo rhu.barb +ehlo rhu1.barb +??? 250- ??? 250- ??? 250- ??? 250-
@@ -14,11 +16,14 @@ ehlo rhu.barb ??? 250 starttls ??? 220 +nop +????554 **** -# No certificate, certificate optional at TLS time, required by ACL +### No certificate, certificate optional at TLS time, required by ACL client-gnutls 127.0.0.1 PORT_D ??? 220 -ehlo rhu.barb +ehlo rhu2.barb +??? 250- ??? 250- ??? 250- ??? 250-
@@ -27,7 +32,7 @@ ehlo rhu.barb ??? 250 starttls ??? 220 -helo rhu.barb +helo rhu2tls.barb ??? 250 mail from: ??? 250
@@ -36,10 +41,11 @@ rcpt to: quit ??? 221 **** -# Good certificate, certificate required -client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2 +### Good certificate, certificate required +client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 -ehlo rhu.barb +ehlo rhu3.barb +??? 250- ??? 250- ??? 250- ??? 250-
@@ -48,6 +54,8 @@ ehlo rhu.barb ??? 250 starttls ??? 220 +helo test +??? 250 mail from: ??? 250 rcpt to:
@@ -55,10 +63,11 @@ rcpt to: quit ??? 221 **** -# Good certificate, certificate optional at TLS time, checked by ACL -client-gnutls 127.0.0.1 PORT_D aux-fixed/cert2 aux-fixed/cert2 +### Good certificate, certificate optional at TLS time, checked by ACL +client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 -ehlo rhu.barb +ehlo rhu4.barb +??? 250- ??? 250- ??? 250- ??? 250-
@@ -67,6 +76,8 @@ ehlo rhu.barb ??? 250 starttls ??? 220 +helo test +??? 250 mail from: ??? 250 rcpt to:
@@ -74,10 +85,13 @@ rcpt to: quit ??? 221 **** -# Bad certificate, certificate required -client-gnutls HOSTIPV4 PORT_D aux-fixed/cert1 aux-fixed/cert1 +### Bad certificate, certificate required +# Actually this test does not have the client presenting a cert at all, as it filters what it has +# by the options offered by the server first. So it's not a good testcase. +client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key ??? 220 -ehlo rhu.barb +ehlo rhu5.barb +??? 250- ??? 250- ??? 250- ??? 250-
@@ -86,11 +100,15 @@ ehlo rhu.barb ??? 250 starttls ??? 220 +nop +????554 **** -# Bad certificate, certificate optional at TLS time, reject at ACL time -client-gnutls 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1 +### Bad certificate, certificate optional at TLS time, reject at ACL time +# (situation as above) +client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key ??? 220 -ehlo rhu.barb +ehlo rhu6.barb +??? 250- ??? 250- ??? 250- ??? 250-
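Review bot: The "Bad certificate, certificate required" case at `@@ -74,10 +85,13 @@` now carries a comment saying the client never presents the example.net certificate, so by the script's own account nothing here shows the server rejecting a certificate from an untrusted issuer. The next case ("situation as above") has the same gap. The `nop` / `????554` expectation that closes the required-certificate case is the same one used for the "No certificate, certificate required" case earlier in the file, so a pass cannot tell the two situations apart. I would make the headings say so, e.g. `### Bad certificate, certificate required (NOT EXERCISED: client sends no cert, see comment)`, and track a follow-up case in which the untrusted chain actually reaches the server's verification. Both cases start or end outside the hunks they appear in.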
@@ -99,34 +117,53 @@ ehlo rhu.barb ??? 250 starttls ??? 220 +helo test +??? 250 mail from: ??? 250 rcpt to: -??? 550- ??? 550 quit ??? 221 **** killdaemon -exim -DCRL=DIR/aux-fixed/crl.pem -DSERVER=server -bd -oX PORT_D +# +# +# +# +exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D **** -# Good but revoked certificate, certificate required -client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2 +### Otherwise good but revoked certificate, certificate required +# The trace for this test appears in the mainlog +# - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough +# then it says that + "Failed to start TLS". But if it's later, it says "Succeeded in starting TLS" +# and only another command from the client elicits anything from the server (eg "554 Security failure"). +# How can we test this? +# An option on client to be quiet about tls problems. +# +# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL +client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key ??? 220 -ehlo rhu.barb +ehlo rhu7.barb +??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 -starttls +STARTTLS ??? 220 +NOP +??? 554 Security failure +QUIT +220 **** -# Revoked certificate, certificate optional at TLS time, reject at ACL time -client-gnutls 127.0.0.1 PORT_D aux-fixed/cert1 aux-fixed/cert1 +### Revoked certificate, certificate optional at TLS time, reject at ACL time +client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key ??? 220 -ehlo rhu.barb +ehlo rhu8.barb +??? 250- ??? 250- ??? 250- ??? 250- 
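Review bot: The comment block above the `client-gnutls -tls-quiet` line in the revoked-certificate case still reads as working notes: it ends on the open question "How can we test this?" and contains a line starting `+ "Failed to start TLS"` that looks like a wrapped fragment. The code below it already settles the question, since `-tls-quiet` silences the timing-dependent client output and `??? 554 Security failure` after `NOP` is the actual assertion. I would replace the notes with the conclusion, e.g. `# Client stdout is timing-dependent (the TLS alert may arrive before or after the handshake is reported), so -tls-quiet is used; rejection is asserted by the 554 below and by the mainlog.` Separately, the line after `QUIT` is a bare `220` with no `???` prefix, unlike every other expected response in the script. If it is meant as an expectation it probably needs the prefix, though the page rendering may have dropped characters.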
@@ -135,12 +172,35 @@ ehlo rhu.barb ??? 250 starttls ??? 220 +helo test +??? 250 mail from: ??? 250 rcpt to: -??? 550- ??? 550 quit ??? 221 **** +### Good certificate, certificate required - but nonmatching CRL also present +client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key +??? 220 +ehlo rhu9.barb +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +starttls +??? 220 +helo test +??? 250 +mail from: +??? 250 +rcpt to: +??? 250 +quit +??? 221 +**** killdaemon
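Review bot: The heading of the new final case, `### Good certificate, certificate required - but nonmatching CRL also present`, does not say in what sense the CRL fails to match. From the visible lines the daemon is still the one started with `-DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem`, and the client chain is also under `example.com`. This therefore looks like "CRL from the same tree that does not list this certificate" rather than "CRL from an unrelated issuer". Those are different verification paths and only one is covered here. I would state it in the comment, e.g. `### Good certificate, cert required; CRL loaded but does not list this cert (expect accept)`, and consider a companion case with a CRL from a different issuer if that is not tested elsewhere.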