Fix TLS SNI, and add regression test cases
authorJeremy Harris <jgh146exb@wizmail.org>
Sun, 13 Jul 2014 11:18:09 +0000 (12:18 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Sun, 13 Jul 2014 11:18:09 +0000 (12:18 +0100)
15 files changed:
doc/doc-txt/ChangeLog
src/src/tls-gnu.c
src/src/tls-openssl.c
test/confs/2030 [new file with mode: 0644]
test/confs/2031 [new file with mode: 0644]
test/confs/2130 [new file with mode: 0644]
test/confs/2131 [new file with mode: 0644]
test/log/2030 [new file with mode: 0644]
test/log/2031 [new file with mode: 0644]
test/log/2130 [new file with mode: 0644]
test/log/2131 [new file with mode: 0644]
test/scripts/2000-GnuTLS/2030 [new file with mode: 0644]
test/scripts/2000-GnuTLS/2031 [new file with mode: 0644]
test/scripts/2100-OpenSSL/2130 [new file with mode: 0644]
test/scripts/2100-OpenSSL/2131 [new file with mode: 0644]

index 83a06633103cca54acba6dca99389dc9efca4ff6..ac8fce5f9581729bb0b866d1287d6e8d6fba747f 100644 (file)
@@ -142,6 +142,8 @@ TL/14 Enhance documentation of ${run expansion and how it parses the
       commandline after expansion, particularly in the case when an
       unquoted variable expansion results in an empty value.
 
       commandline after expansion, particularly in the case when an
       unquoted variable expansion results in an empty value.
 
+JH/27 The TLS SNI feature was broken in 4.82.  Fix it.
+
 
 Exim version 4.82
 -----------------
 
 Exim version 4.82
 -----------------
index 5bdb21e6ee3447d6b9dc8198aa688bc1acbd3b12..266ab8909d1ce65263375c9632c43e1e4e9709e5 100644 (file)
@@ -108,7 +108,6 @@ typedef struct exim_gnutls_state {
 
   uschar *exp_tls_certificate;
   uschar *exp_tls_privatekey;
 
   uschar *exp_tls_certificate;
   uschar *exp_tls_privatekey;
-  uschar *exp_tls_sni;
   uschar *exp_tls_verify_certificates;
   uschar *exp_tls_crl;
   uschar *exp_tls_require_ciphers;
   uschar *exp_tls_verify_certificates;
   uschar *exp_tls_crl;
   uschar *exp_tls_require_ciphers;
@@ -1086,15 +1085,15 @@ if (rc != OK) return rc;
 /* set SNI in client, only */
 if (host)
   {
 /* set SNI in client, only */
 if (host)
   {
-  if (!expand_check(state->tlsp->sni, US"tls_out_sni", &state->exp_tls_sni))
+  if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni))
     return DEFER;
     return DEFER;
-  if (state->exp_tls_sni && *state->exp_tls_sni)
+  if (state->tlsp->sni && *state->tlsp->sni)
     {
     DEBUG(D_tls)
     {
     DEBUG(D_tls)
-      debug_printf("Setting TLS client SNI to \"%s\"\n", state->exp_tls_sni);
-    sz = Ustrlen(state->exp_tls_sni);
+      debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
+    sz = Ustrlen(state->tlsp->sni);
     rc = gnutls_server_name_set(state->session,
     rc = gnutls_server_name_set(state->session,
-        GNUTLS_NAME_DNS, state->exp_tls_sni, sz);
+        GNUTLS_NAME_DNS, state->tlsp->sni, sz);
     exim_gnutls_err_check(US"gnutls_server_name_set");
     }
   }
     exim_gnutls_err_check(US"gnutls_server_name_set");
     }
   }
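Review bot: `expand_check(sni, US"tls_out_sni", &state->tlsp->sni)` on L62 now writes the expanded string straight into the connection-visible `tlsp->sni`, which is what makes `$tls_out_sni` and the SNI= log item report the value actually sent, but nothing in the hunk records that intent or why the separate `exp_tls_sni` member was dropped; a one-line comment would save the next reader from re-deriving it: `/* Keep the expanded value in tlsp->sni so $tls_out_sni and logging show what was sent */`. Whether `expand_check` leaves its output untouched on failure is not visible here; if it can leave a partial value behind, the DEFER return on L63 would let a deferred connection log a stale `$tls_out_sni`, so that contract is worth confirming. The malformed-name case is covered, since `exim_gnutls_err_check` on L79 turns a rejected `gnutls_server_name_set` into a failed connection rather than a silently sent name. The enclosing function starts and ends outside the hunk.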
index 9609d62526682e3647e5476e1393bb8de3d6f7db..18994eaa93d053894eddc5c9bd0668deeed910b2 100644 (file)
@@ -436,14 +436,11 @@ const char *pem;
 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
   return FALSE;
 
 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
   return FALSE;
 
-if (dhexpanded == NULL || *dhexpanded == '\0')
-  {
+if (!dhexpanded || !*dhexpanded)
   bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
   bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
-  }
 else if (dhexpanded[0] == '/')
   {
 else if (dhexpanded[0] == '/')
   {
-  bio = BIO_new_file(CS dhexpanded, "r");
-  if (bio == NULL)
+  if (!(bio = BIO_new_file(CS dhexpanded, "r")))
     {
     tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
           host, US strerror(errno));
     {
     tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
           host, US strerror(errno));
@@ -458,8 +455,7 @@ else
     return TRUE;
     }
 
     return TRUE;
     }
 
-  pem = std_dh_prime_named(dhexpanded);
-  if (!pem)
+  if (!(pem = std_dh_prime_named(dhexpanded)))
     {
     tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
         host, US strerror(errno));
     {
     tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
         host, US strerror(errno));
@@ -468,8 +464,7 @@ else
   bio = BIO_new_mem_buf(CS pem, -1);
   }
 
   bio = BIO_new_mem_buf(CS pem, -1);
   }
 
-dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
-if (dh == NULL)
+if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
   {
   BIO_free(bio);
   tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
   {
   BIO_free(bio);
   tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
@@ -770,8 +765,7 @@ if (!reexpand_tls_files_for_sni)
 not confident that memcpy wouldn't break some internal reference counting.
 Especially since there's a references struct member, which would be off. */
 
 not confident that memcpy wouldn't break some internal reference counting.
 Especially since there's a references struct member, which would be off. */
 
-server_sni = SSL_CTX_new(SSLv23_server_method());
-if (!server_sni)
+if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
   {
   ERR_error_string(ERR_get_error(), ssl_errstring);
   DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
   {
   ERR_error_string(ERR_get_error(), ssl_errstring);
   DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
@@ -805,8 +799,8 @@ OCSP information. */
 rc = tls_expand_session_files(server_sni, cbinfo);
 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
 
 rc = tls_expand_session_files(server_sni, cbinfo);
 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
 
-rc = init_dh(server_sni, cbinfo->dhparam, NULL);
-if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
+if (!init_dh(server_sni, cbinfo->dhparam, NULL))
+  return SSL_TLSEXT_ERR_NOACK;
 
 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
 SSL_set_SSL_CTX(s, server_sni);
 
 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
 SSL_set_SSL_CTX(s, server_sni);
@@ -1052,6 +1046,7 @@ else
   cbinfo->u_ocsp.client.verify_store = NULL;
 #endif
 cbinfo->dhparam = dhparam;
   cbinfo->u_ocsp.client.verify_store = NULL;
 #endif
 cbinfo->dhparam = dhparam;
+cbinfo->server_cipher_list = NULL;
 cbinfo->host = host;
 
 SSL_load_error_strings();          /* basic set up */
 cbinfo->host = host;
 
 SSL_load_error_strings();          /* basic set up */
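Review bot: The new `if (!init_dh(server_sni, cbinfo->dhparam, NULL)) return SSL_TLSEXT_ERR_NOACK;` on L169-170 is the substantive fix (init_dh returns TRUE/FALSE, L88 and L113, so the old `rc != OK` test misread success as failure), but it returns without releasing the SSL_CTX created on L153, and the `tls_expand_session_files` failure path on L165 has the same shape. If `server_sni` is not freed elsewhere (its declaration is outside the hunk), every SNI-bearing handshake that trips a failing expansion leaks a context, and a remote client can repeat that at will; releasing it on both early returns, `SSL_CTX_free(server_sni); server_sni = NULL;`, closes that. Separately, the restyled init_dh hunk still hands `bio` to `PEM_read_bio_DHparams` on L137 without checking the `BIO_new_mem_buf` results on L96 and L129 for NULL, so a guard there would make the failure mode an error report rather than a null dereference. The enclosing callback starts and ends outside the hunk.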
diff --git a/test/confs/2030 b/test/confs/2030
new file mode 100644 (file)
index 0000000..4ad1463
--- /dev/null
@@ -0,0 +1,79 @@
+# Exim test configuration 2030
+# SNI
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = acl_log_sni
+log_selector = +tls_peerdn +tls_sni
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+
+
+# ------ ACL ------
+
+begin acl
+
+acl_log_sni:
+  accept
+        logwrite = SNI <$tls_in_sni>
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if !eq {SERVER}{server}}
+  transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+
+server:
+  driver = redirect
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server1:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = fred
+
+send_to_server2:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/confs/2031 b/test/confs/2031
new file mode 100644 (file)
index 0000000..a52b21e
--- /dev/null
@@ -0,0 +1,92 @@
+# Exim test configuration 2030
+# SNI
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = acl_log_sni
+log_selector = +tls_peerdn +tls_sni
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server} \
+       {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
+           {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
+           {cert1} \
+                       }\
+       }fail}
+
+tls_privatekey = ${if eq {SERVER}{server} \
+       {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
+           {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+           {cert1} \
+                       }\
+       }fail}
+
+
+# ------ ACL ------
+
+begin acl
+
+acl_log_sni:
+  accept
+        logwrite = SNI <$tls_in_sni>
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if !eq {SERVER}{server}}
+  transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+
+server:
+  driver = redirect
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server1:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = fred
+
+send_to_server2:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = bill
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
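Review bot: The header on L280 reads `# Exim test configuration 2030` but this file is test 2031, and test/confs/2131 has the same copy-paste slip (its L461 header says 2130); they should read `# Exim test configuration 2031` and `# Exim test configuration 2131`. The two files also diverge beyond the SNI-selected certificate: 2131 sets `hosts_require_tls = *` on both transports while 2031 does not, so a TLS failure on the GnuTLS side could fall back to a clear-text delivery instead of failing outright; adding `hosts_require_tls = *` to send_to_server1 and send_to_server2 here keeps the two variants in step. Since `$tls_in_sni` is client-supplied, the `tls_certificate` and `tls_privatekey` expansions are right to match it with `eq` rather than splice it into the path, and a comment saying so, `# $tls_in_sni is client-supplied: match it, never interpolate it into a file path`, would keep that pattern intact when this config is copied as an example.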
diff --git a/test/confs/2130 b/test/confs/2130
new file mode 100644 (file)
index 0000000..4143fc8
--- /dev/null
@@ -0,0 +1,79 @@
+# Exim test configuration 2130
+# SNI
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = acl_log_sni
+log_selector = +tls_peerdn +tls_sni
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+
+
+# ------ ACL ------
+
+begin acl
+
+acl_log_sni:
+  accept
+        logwrite = SNI <$tls_in_sni>
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if !eq {SERVER}{server}}
+  transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+
+server:
+  driver = redirect
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server1:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = fred
+
+send_to_server2:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/confs/2131 b/test/confs/2131
new file mode 100644 (file)
index 0000000..c52ceed
--- /dev/null
@@ -0,0 +1,94 @@
+# Exim test configuration 2130
+# SNI
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = acl_log_sni
+log_selector = +tls_peerdn +tls_sni
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server} \
+       {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
+           {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
+           {cert1} \
+                       }\
+       }fail}
+
+tls_privatekey = ${if eq {SERVER}{server} \
+       {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
+           {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+           {cert1} \
+                       }\
+       }fail}
+
+
+# ------ ACL ------
+
+begin acl
+
+acl_log_sni:
+  accept
+        logwrite = SNI <$tls_in_sni>
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if !eq {SERVER}{server}}
+  transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+
+server:
+  driver = redirect
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server1:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = fred
+  hosts_require_tls = *
+
+send_to_server2:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = bill
+  hosts_require_tls = *
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/log/2030 b/test/log/2030
new file mode 100644 (file)
index 0000000..820b84f
--- /dev/null
@@ -0,0 +1,10 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 SNI <fred>
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/2031 b/test/log/2031
new file mode 100644 (file)
index 0000000..6d6b4f7
--- /dev/null
@@ -0,0 +1,17 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 SNI <fred>
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 SNI <bill>
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 SNI="bill" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/2130 b/test/log/2130
new file mode 100644 (file)
index 0000000..5b5b568
--- /dev/null
@@ -0,0 +1,10 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 SNI <fred>
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/2131 b/test/log/2131
new file mode 100644 (file)
index 0000000..1fbd246
--- /dev/null
@@ -0,0 +1,17 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 SNI <fred>
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 SNI <bill>
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 SNI="bill" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/scripts/2000-GnuTLS/2030 b/test/scripts/2000-GnuTLS/2030
new file mode 100644 (file)
index 0000000..ef7a8de
--- /dev/null
@@ -0,0 +1,10 @@
+# TLS: SNI
+gnutls
+exim -DSERVER=server -bd -oX PORT_D
+****
+# Basic: is SNI set on tpt seen by server
+exim CALLER@test.ex
+Test message.
+****
+millisleep 500
+killdaemon
diff --git a/test/scripts/2000-GnuTLS/2031 b/test/scripts/2000-GnuTLS/2031
new file mode 100644 (file)
index 0000000..65b5290
--- /dev/null
@@ -0,0 +1,19 @@
+# TLS server: SNI used to select certificate
+gnutls
+exim -DSERVER=server -bd -oX PORT_D
+****
+# Extended: certificate choice is unchanged by received SNI
+exim CALLER@test.ex
+Test message.
+****
+millisleep 500
+#
+#
+# Extended: server uses SNI to choose certificate
+exim abcd@test.ex
+Test message.
+****
+millisleep 500
+#
+#
+killdaemon
diff --git a/test/scripts/2100-OpenSSL/2130 b/test/scripts/2100-OpenSSL/2130
new file mode 100644 (file)
index 0000000..43695f6
--- /dev/null
@@ -0,0 +1,10 @@
+# TLS: SNI
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+# Basic: is SNI set on tpt seen by server
+exim CALLER@test.ex
+Test message.
+****
+millisleep 500
+killdaemon
diff --git a/test/scripts/2100-OpenSSL/2131 b/test/scripts/2100-OpenSSL/2131
new file mode 100644 (file)
index 0000000..74d3dbb
--- /dev/null
@@ -0,0 +1,19 @@
+# TLS server: SNI used to select certificate
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+# Extended: certificate choice is unchanged by received SNI
+exim CALLER@test.ex
+Test message.
+****
+millisleep 500
+#
+#
+# Extended: server uses SNI to change certificate
+exim abcd@test.ex
+Test message.
+****
+millisleep 500
+#
+#
+killdaemon