X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/dc9c8f8b52cbf2e8424f5e98f63d29aa7fb81fe7..673c6ec69065abb65e22783128b1d84a1ed79441:/test/scripts/2000-GnuTLS/2014 diff --git a/test/scripts/2000-GnuTLS/2014 b/test/scripts/2000-GnuTLS/2014 index 1e12b4ef5..5fdb361ce 100644 --- a/test/scripts/2000-GnuTLS/2014 +++ b/test/scripts/2000-GnuTLS/2014 @@ -12,9 +12,12 @@ ehlo rhu1.barb ??? 250- ??? 250- ??? 250- +??? 250- ??? 250 starttls ??? 220 +nop +????554 **** ### No certificate, certificate optional at TLS time, required by ACL client-gnutls 127.0.0.1 PORT_D @@ -25,6 +28,7 @@ ehlo rhu2.barb ??? 250- ??? 250- ??? 250- +??? 250- ??? 250 starttls ??? 220 @@ -46,9 +50,12 @@ ehlo rhu3.barb ??? 250- ??? 250- ??? 250- +??? 250- ??? 250 starttls ??? 220 +helo test +??? 250 mail from: ??? 250 rcpt to: @@ -65,9 +72,12 @@ ehlo rhu4.barb ??? 250- ??? 250- ??? 250- +??? 250- ??? 250 starttls ??? 220 +helo test +??? 250 mail from: ??? 250 rcpt to: @@ -86,9 +96,12 @@ ehlo rhu5.barb ??? 250- ??? 250- ??? 250- +??? 250- ??? 250 starttls ??? 220 +nop +????554 **** ### Bad certificate, certificate optional at TLS time, reject at ACL time # (situation as above) @@ -100,9 +113,12 @@ ehlo rhu6.barb ??? 250- ??? 250- ??? 250- +??? 250- ??? 250 starttls ??? 220 +helo test +??? 250 mail from: ??? 250 rcpt to: @@ -118,8 +134,15 @@ killdaemon exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D **** ### Otherwise good but revoked certificate, certificate required +# The trace for this test appears in the mainlog +# - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough +# then it says that + "Failed to start TLS". But if it's later, it says "Succeeded in starting TLS" +# and only another command from the client elicits anything from the server (eg "554 Security failure"). +# How can we test this? +# An option on client to be quiet about tls problems. +# # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL -client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key +client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key ??? 220 ehlo rhu7.barb ??? 250- @@ -127,9 +150,14 @@ ehlo rhu7.barb ??? 250- ??? 250- ??? 250- +??? 250- ??? 250 -starttls +STARTTLS ??? 220 +NOP +??? 554 Security failure +QUIT +220 **** ### Revoked certificate, certificate optional at TLS time, reject at ACL time client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key @@ -140,9 +168,12 @@ ehlo rhu8.barb ??? 250- ??? 250- ??? 250- +??? 250- ??? 250 starttls ??? 220 +helo test +??? 250 mail from: ??? 250 rcpt to: @@ -153,7 +184,8 @@ quit ### Good certificate, certificate required - but nonmatching CRL also present client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 -ehlo rhu.barb +ehlo rhu9.barb +??? 250- ??? 250- ??? 250- ??? 250- @@ -162,6 +194,8 @@ ehlo rhu.barb ??? 250 starttls ??? 220 +helo test +??? 250 mail from: ??? 250 rcpt to: