TLS: Fix handling for server cert/key file SNI re-expansion forced-fail
authorJeremy Harris <jgh146exb@wizmail.org>
Sun, 11 Dec 2022 15:14:54 +0000 (15:14 +0000)
committerJeremy Harris <jgh146exb@wizmail.org>
Sun, 11 Dec 2022 16:54:54 +0000 (16:54 +0000)
doc/doc-docbook/spec.xfpt
src/src/tls-gnu.c
src/src/tls-openssl.c
test/confs/2031
test/confs/2131
test/log/2031
test/log/2131
test/paniclog/2131 [new file with mode: 0644]
test/scripts/2000-GnuTLS/2031
test/scripts/2100-OpenSSL/2131
test/stderr/2131 [new file with mode: 0644]

index 75a53786dd339ee6280dbe34a4263c493c5784e1..cd9259612c67302f2ce0bdc731cfd9bc4bdeda17 100644 (file)
@@ -11763,8 +11763,8 @@ Case and collation order are defined per the system C locale.
 SRS decode.  See SECT &<<SECTSRS>>& for details.
 
 
-.vitem &*inlist&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&&
-       &*inlisti&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
+.vitem &*inlist&~{*&<&'subject'&>&*}{*&<&'list'&>&*}*& &&&
+       &*inlisti&~{*&<&'subject'&>&*}{*&<&'list'&>&*}*&
 .cindex "string" "comparison"
 .cindex "list" "iterative conditions"
 Both strings are expanded; the second string is treated as a list of simple
index 69387a3a7eb7ba383de5461f97297b890d8d0101..f8cc344061be0c9d910316f7d4fa298c1900d8bd 100644 (file)
@@ -398,7 +398,8 @@ tls_error_gnu(exim_gnutls_state_st * state, const uschar *prefix, int err,
 {
 return tls_error(prefix,
   state && err == GNUTLS_E_FATAL_ALERT_RECEIVED
-  ? US gnutls_alert_get_name(gnutls_alert_get(state->session))
+  ? string_sprintf("rxd alert: %s",
+                 US gnutls_alert_get_name(gnutls_alert_get(state->session)))
   : US gnutls_strerror(err),
   state ? state->host : NULL,
   errstr);
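Review bot: The new `string_sprintf("rxd alert: %s", ...)` at L36-37 can be handed a NULL string, because gnutls_alert_get_name() is documented to return NULL for an alert number it does not know, and that number comes straight from the remote peer. Unless string_sprintf() already substitutes a placeholder for a NULL `%s` argument (not visible from here), a hostile or buggy peer could make the error path itself fail; guard it with `const uschar * an = US gnutls_alert_get_name(gnutls_alert_get(state->session));` and `? string_sprintf("rxd alert: %s", an ? an : US"(unknown alert)")`. The enclosing tls_error_gnu() starts before the hunk.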
@@ -1293,7 +1294,7 @@ while (cfile = string_nextinlist(&clist, &csep, NULL, 0))
 
   if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
     return tls_error(US"cert/key setup: out of keys", NULL, NULL, errstr);
-  else if ((rc = tls_add_certfile(state, NULL, cfile, kfile, errstr)) > 0)
+  else if ((rc = tls_add_certfile(state, NULL, cfile, kfile, errstr)) != OK)
     return rc;
   else
     {
@@ -1810,8 +1811,13 @@ D-H generation. */
 
 if (!state->lib_state.conn_certs)
   {
-  if (!Expand_check_tlsvar(tls_certificate, errstr))
+  if (  !Expand_check_tlsvar(tls_certificate, errstr)
+     || f.expand_string_forcedfail)
+    {
+    if (f.expand_string_forcedfail)
+      *errstr = US"expansion of tls_certificate failed";
     return DEFER;
+    }
 
   /* certificate is mandatory in server, optional in client */
 
@@ -1823,8 +1829,14 @@ if (!state->lib_state.conn_certs)
     else
       DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
 
-  if (state->tls_privatekey && !Expand_check_tlsvar(tls_privatekey, errstr))
+  if (  state->tls_privatekey && !Expand_check_tlsvar(tls_privatekey, errstr)
+     || f.expand_string_forcedfail
+     )
+    {
+    if (f.expand_string_forcedfail)
+      *errstr = US"expansion of tls_privatekey failed";
     return DEFER;
+    }
 
   /* tls_privatekey is optional, defaulting to same file as certificate */
 
@@ -1866,7 +1878,11 @@ if (!state->lib_state.conn_certs)
                              tls_ocsp_file,
 #endif
                              errstr)
-       )  ) return rc;
+       )  )
+      {
+      DEBUG(D_tls) debug_printf("load-cert: '%s'\n", *errstr);
+      return rc;
+      }
     }
   }
 else
@@ -2710,11 +2726,12 @@ if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)
   {
   /* If the setup of certs/etc failed before handshake, TLS would not have
   been offered.  The best we can do now is abort. */
-  return GNUTLS_E_APPLICATION_ERROR_MIN;
+  DEBUG(D_tls) debug_printf("expansion for SNI-dependent session files failed\n");
+  return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
   }
 
 rc = tls_set_remaining_x509(state, &dummy_errstr);
-if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
+if (rc != OK) return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
 
 return 0;
 }
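Review bot: On the GnuTLS side a failure to load the SNI-selected cert/key is reported only under DEBUG(D_tls) at L99 and the reason held in dummy_errstr is dropped, whereas the OpenSSL counterpart in this same commit writes it to the main and panic logs; the updated 2031 log at L434-439 shows the consequence, six bare "The requested data were not available" lines with no hint of which file or expansion was at fault. Consider mirroring the OpenSSL path with `log_write(0, LOG_MAIN|LOG_PANIC, "%s", dummy_errstr);` before each `return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;`, and renaming dummy_errstr once it is actually consumed. The enclosing callback starts before the hunk.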
index db77a127454c707798465839314b7bb0a66e075f..3b060cc9c695561637b7a439891df80034399ccb 100644 (file)
@@ -1553,8 +1553,13 @@ else
      )  )
     reexpand_tls_files_for_sni = TRUE;
 
-  if (!expand_check(state->certificate, US"tls_certificate", &expanded, errstr))
+  if (  !expand_check(state->certificate, US"tls_certificate", &expanded, errstr)
+     || f.expand_string_forcedfail)
+    {
+    if (f.expand_string_forcedfail)
+      *errstr = US"expansion of tls_certificate failed";
     return DEFER;
+    }
 
   if (expanded)
     if (state->is_server)
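Review bot: The `|| f.expand_string_forcedfail` at L116 only makes sense if expand_check() returns TRUE with a NULL result on a forced-fail, which is not shown in this hunk; a short comment would make the guard self-explanatory, e.g. `/* expand_check() reports a forced-fail as success with expanded == NULL; a server needs a certificate, so treat that as a hard failure */`. Note that the message assigned at L119 reads as a generic expansion failure although it is only set for the forced-fail case, so an operator cannot tell the two apart from the log; the distinction may be worth encoding in the text. The enclosing function starts before the hunk.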
@@ -1622,9 +1627,14 @@ else
       if ((err = tls_add_certfile(sctx, state, expanded, errstr)))
        return err;
 
-  if (  state->privatekey
-     && !expand_check(state->privatekey, US"tls_privatekey", &expanded, errstr))
+  if (     state->privatekey
+        && !expand_check(state->privatekey, US"tls_privatekey", &expanded, errstr)
+     || f.expand_string_forcedfail)
+    {
+    if (f.expand_string_forcedfail)
+      *errstr = US"expansion of tls_privatekey failed";
     return DEFER;
+    }
 
   /* If expansion was forced to fail, key_expanded will be NULL. If the result
   of the expansion is an empty string, ignore it also, and assume the private
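Review bot: The comment at L140-141 ("If expansion was forced to fail, key_expanded will be NULL") now describes a state the code can no longer reach, because the guard added just above returns DEFER on f.expand_string_forcedfail; trim it to the remaining case, e.g. `/* If the result of the expansion is an empty string, ignore it and assume the private key is in the same file as the certificate */`. The guard itself mixes `&&` and `||` at L131-133 without parentheses, so the flag is tested even when state->privatekey is NULL and nothing was expanded on this line; `if (state->privatekey && (!expand_check(state->privatekey, US"tls_privatekey", &expanded, errstr) || f.expand_string_forcedfail))` says what is meant. The enclosing function starts before the hunk and the comment continues after it.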
@@ -2201,13 +2211,13 @@ per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
 
 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
 static int
-tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
+tls_servername_cb(SSL * s, int * ad ARG_UNUSED, void * arg)
 {
-const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
-exim_openssl_state_st *state = (exim_openssl_state_st *) arg;
+const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+exim_openssl_state_st * state = (exim_openssl_state_st *) arg;
 int rc;
 int old_pool = store_pool;
-uschar * dummy_errstr;
+uschar * errstr;
 
 if (!servername)
   return SSL_TLSEXT_ERR_OK;
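Review bot: `errstr` at L156 is declared without an initializer but is now passed to log_write() at the `bad:` label later in this callback; if any callee on a failure path (lib_ctx_new, init_dh, init_ecdh, setup_certs, tls_expand_session_files) returns failure without storing through its errstr argument, the log call reads an indeterminate pointer, which is undefined behaviour on a path a remote peer can reach by sending an SNI. Initialise it, `uschar * errstr = NULL;`, and either audit every callee or make the log line cope with NULL. The function continues past the hunk.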
@@ -2227,7 +2237,7 @@ if (!reexpand_tls_files_for_sni)
 not confident that memcpy wouldn't break some internal reference counting.
 Especially since there's a references struct member, which would be off. */
 
-if (lib_ctx_new(&server_sni, NULL, &dummy_errstr) != OK)
+if (lib_ctx_new(&server_sni, NULL, &errstr) != OK)
   goto bad;
 
 /* Not sure how many of these are actually needed, since SSL object
@@ -2247,8 +2257,8 @@ already exists.  Might even need this selfsame callback, for reneg? */
   SSL_CTX_set_tlsext_servername_arg(server_sni, state);
  }
 
-if (  !init_dh(server_sni, state->dhparam, &dummy_errstr)
-   || !init_ecdh(server_sni, &dummy_errstr)
+if (  !init_dh(server_sni, state->dhparam, &errstr)
+   || !init_ecdh(server_sni, &errstr)
    )
   goto bad;
 
@@ -2267,7 +2277,7 @@ if (state->u_ocsp.server.file)
   {
   uschar * v_certs = tls_verify_certificates;
   if ((rc = setup_certs(server_sni, &v_certs, tls_crl, NULL,
-                       &dummy_errstr)) != OK)
+                       &errstr)) != OK)
     goto bad;
 
   if (v_certs && *v_certs)
@@ -2276,14 +2286,16 @@ if (state->u_ocsp.server.file)
 
 /* do this after setup_certs, because this can require the certs for verifying
 OCSP information. */
-if ((rc = tls_expand_session_files(server_sni, state, &dummy_errstr)) != OK)
+if ((rc = tls_expand_session_files(server_sni, state, &errstr)) != OK)
   goto bad;
 
 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
 SSL_set_SSL_CTX(s, server_sni);
 return SSL_TLSEXT_ERR_OK;
 
-bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
+bad:
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s", errstr);
+  return SSL_TLSEXT_ERR_ALERT_FATAL;
 }
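Review bot: The new log line at L203 carries neither the peer address nor the SNI that drove the re-expansion, so the entries it produces (see the 2131 paniclog added by this commit) cannot be tied to a connection; since the peer chooses the SNI, a configuration whose expansion can fail for some names also lets an unauthenticated client add a LOG_PANIC line per connection. Include the connection context, e.g. `log_write(0, LOG_MAIN|LOG_PANIC, "TLS SNI \"%s\": %s", servername, errstr);`, escaping the SNI with the tree's usual printable-string helper before logging it, and make sure errstr cannot be NULL here (its declaration earlier in this function has no initializer). Whether server_sni needs freeing on the `bad:` path depends on lib_ctx_new(), which is outside the hunk. The function starts before the hunk.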
 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
 
index af27b2ffd6840696f581b6c4389a17d4eaa47329..62577a61ac0e9a6cf9366486b14ac7cba1b243ec 100644 (file)
@@ -1,4 +1,4 @@
-# Exim test configuration 2030
+# Exim test configuration 2031
 # SNI
 
 SERVER =
@@ -17,21 +17,33 @@ remote_max_parallel = 1
 
 tls_advertise_hosts = *
 
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server} \
-       {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
-           {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
+tls_certificate = DIR/aux-fixed/${if inlist {$tls_in_sni}{ : normal : badkey : noneistkeyfile : expansionfailkey} \
            {cert1} \
-                       }\
-       }fail}
-
-tls_privatekey = ${if eq {SERVER}{server} \
-       {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
-           {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+           {${if eq {$tls_in_sni}{alternate} \
+             {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
+             {${if eq {$tls_in_sni}{badcert} \
+               {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+               {${if eq {$tls_in_sni}{nonexistcertfile} \
+                 {nonexistent_file} \
+                 fail \
+               } } \
+             } } \
+           } } \
+                       }
+
+tls_privatekey = DIR/aux-fixed/${if inlist {$tls_in_sni}{ : normal : badcert : nonexistcertfile : expansionfailedcert} \
            {cert1} \
-                       }\
-       }fail}
+           {${if eq {$tls_in_sni}{alternate} \
+             {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+             {${if eq {$tls_in_sni}{badkey} \
+               {cert2} \
+               {${if eq {$tls_in_sni}{noneistkeyfile} \
+                 {nonexist_file} \
+                 fail \
+               } } \
+             } } \
+           } } \
+                       }
 
 
 # ------ ACL ------
@@ -49,7 +61,7 @@ begin routers
 client:
   driver = accept
   condition = ${if !eq {SERVER}{server}}
-  transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+  transport = send_to_server
 
 server:
   driver = redirect
@@ -60,22 +72,14 @@ server:
 
 begin transports
 
-send_to_server1:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTIPV4
-  port = PORT_D
-  hosts_try_fastopen = :
-  tls_sni = fred
-
-send_to_server2:
-  driver = smtp
+send_to_server:
+  driver =             smtp
   allow_localhost
-  hosts = HOSTIPV4
-  port = PORT_D
+  hosts =              HOSTIPV4
+  port =               PORT_D
   hosts_try_fastopen = :
-  tls_sni = bill
-
+  hosts_require_tls =  *
+  tls_sni =            ${local_part}
 
 # ----- Retry -----
 
index e4d4ae55118960fc8421d78b3aa69da92a50f303..a9924ab5b0546185b011824c7c9d87b02f940312 100644 (file)
@@ -17,13 +17,34 @@ remote_max_parallel = 1
 
 tls_advertise_hosts = *
 
-tls_certificate = DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
-           {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
-           {cert1} }
+tls_certificate = DIR/aux-fixed/${if inlist {$tls_in_sni}{ : normal : badkey : noneistkeyfile : expansionfailkey} \
+           {cert1} \
+           {${if eq {$tls_in_sni}{alternate} \
+             {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
+             {${if eq {$tls_in_sni}{badcert} \
+               {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+               {${if eq {$tls_in_sni}{nonexistcertfile} \
+                 {nonexistent_file} \
+                 fail \
+               } } \
+             } } \
+           } } \
+                       }
+
+tls_privatekey = DIR/aux-fixed/${if inlist {$tls_in_sni}{ : normal : badcert : nonexistcertfile : expansionfailedcert} \
+           {cert1} \
+           {${if eq {$tls_in_sni}{alternate} \
+             {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+             {${if eq {$tls_in_sni}{badkey} \
+               {cert2} \
+               {${if eq {$tls_in_sni}{noneistkeyfile} \
+                 {nonexist_file} \
+                 fail \
+               } } \
+             } } \
+           } } \
+                       }
 
-tls_privatekey = DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
-           {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
-           {cert1} }
 
 # ------ ACL ------
 
@@ -40,7 +61,7 @@ begin routers
 client:
   driver = accept
   condition = ${if !eq {SERVER}{server}}
-  transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+  transport = send_to_server_${if inlist {$local_part}{normal} {1}{2}}
 
 server:
   driver = redirect
@@ -51,29 +72,28 @@ server:
 
 begin transports
 
-send_to_server1:
-  driver = smtp
+send_to_server_1:
+  driver =             smtp
   allow_localhost
-  hosts = HOSTIPV4
-  port = PORT_D
+  hosts =              HOSTIPV4
+  port =               PORT_D
   hosts_try_fastopen = :
-  tls_sni = fred
-  hosts_require_tls = *
+  hosts_require_tls =  *
+  tls_sni =            ${local_part}
   tls_verify_certificates = DIR/aux-fixed/cert1
   tls_verify_cert_hostnames = :
 
-send_to_server2:
-  driver = smtp
+send_to_server_2:
+  driver =             smtp
   allow_localhost
-  hosts = HOSTIPV4
-  port = PORT_D
+  hosts =              HOSTIPV4
+  port =               PORT_D
   hosts_try_fastopen = :
-  tls_sni = bill
-  hosts_require_tls = *
+  hosts_require_tls =  *
+  tls_sni =            ${local_part}
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
   tls_verify_cert_hostnames = :
 
-
 # ----- Retry -----
 
 
index 2173cd8fd7ae7ed70be39a0425b2c1b87c7b43dc..387ff411053f90335eb9aec92dcd441e4fd31d62 100644 (file)
@@ -1,17 +1,35 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for normal@test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => normal@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for abcd@test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for alternate@test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => alternate@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for badkey@test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 == badkey@test.ex R=client T=send_to_server defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (gnutls_handshake): rxd alert: Internal error
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for noneistkeyfile@test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 == noneistkeyfile@test.ex R=client T=send_to_server defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (gnutls_handshake): rxd alert: Internal error
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for expansionfailkey@test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 == expansionfailkey@test.ex R=client T=send_to_server defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (gnutls_handshake): rxd alert: Internal error
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for badcert@test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 == badcert@test.ex R=client T=send_to_server defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (gnutls_handshake): rxd alert: Internal error
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for nonexistcertfile@test.ex
+1999-03-02 09:44:33 10HmbF-0005vi-00 == nonexistcertfile@test.ex R=client T=send_to_server defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (gnutls_handshake): rxd alert: Internal error
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for expansionfailedcert@test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 == expansionfailedcert@test.ex R=client T=send_to_server defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (gnutls_handshake): rxd alert: Internal error
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex
-1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 SNI <normal>
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=normal S=sss id=E10HmaX-0005vi-00@myhost.test.ex for normal@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <normal@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 SNI <bill>
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=bill S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@test.ex> R=server
+1999-03-02 09:44:33 SNI <alternate>
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=alternate S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for alternate@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <alternate@test.ex> R=server
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): The requested data were not available.
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): The requested data were not available.
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): The requested data were not available.
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): The requested data were not available.
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): The requested data were not available.
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): The requested data were not available.
index 4bd677d97d47c133f8d99019eb3502e0469a3e38..96c4fe980b3fb57635ff97a8f45b16ad7d43ae27 100644 (file)
@@ -1,17 +1,41 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for normal@test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => normal@test.ex R=client T=send_to_server_1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for abcd@test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for alternate@test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => alternate@test.ex R=client T=send_to_server_2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for badkey@test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 == badkey@test.ex R=client T=send_to_server_2 defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for noneistkeyfile@test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 == noneistkeyfile@test.ex R=client T=send_to_server_2 defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for expansionfailkey@test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 == expansionfailkey@test.ex R=client T=send_to_server_2 defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for badcert@test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 == badcert@test.ex R=client T=send_to_server_2 defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for nonexistcertfile@test.ex
+1999-03-02 09:44:33 10HmbF-0005vi-00 == nonexistcertfile@test.ex R=client T=send_to_server_2 defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for expansionfailedcert@test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 == expansionfailedcert@test.ex R=client T=send_to_server_2 defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex
-1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 SNI <normal>
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=normal S=sss id=E10HmaX-0005vi-00@myhost.test.ex for normal@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <normal@test.ex> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 SNI <bill>
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=bill S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@test.ex> R=server
+1999-03-02 09:44:33 SNI <alternate>
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=alternate S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for alternate@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <alternate@test.ex> R=server
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 (SSL_CTX_use_PrivateKey_file file=TESTSUITE/aux-fixed/cert2): error:05800074:x509 certificate routines::key values mismatch
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 (SSL_CTX_use_PrivateKey_file file=TESTSUITE/aux-fixed/nonexist_file): error:80000002:system library::No such file or directory
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 expansion of tls_privatekey failed
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 (SSL_CTX_use_certificate_chain_file file=TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key): error:0480006C:PEM routines::no start line
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 (SSL_CTX_use_certificate_chain_file file=TESTSUITE/aux-fixed/nonexistent_file): error:80000002:system library::No such file or directory
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 expansion of tls_certificate failed
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
diff --git a/test/paniclog/2131 b/test/paniclog/2131
new file mode 100644 (file)
index 0000000..22ed532
--- /dev/null
@@ -0,0 +1,8 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 (SSL_CTX_use_PrivateKey_file file=TESTSUITE/aux-fixed/cert2): error:05800074:x509 certificate routines::key values mismatch
+1999-03-02 09:44:33 (SSL_CTX_use_PrivateKey_file file=TESTSUITE/aux-fixed/nonexist_file): error:80000002:system library::No such file or directory
+1999-03-02 09:44:33 expansion of tls_privatekey failed
+1999-03-02 09:44:33 (SSL_CTX_use_certificate_chain_file file=TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key): error:0480006C:PEM routines::no start line
+1999-03-02 09:44:33 (SSL_CTX_use_certificate_chain_file file=TESTSUITE/aux-fixed/nonexistent_file): error:80000002:system library::No such file or directory
+1999-03-02 09:44:33 expansion of tls_certificate failed
index d302738fd81b662119e46c31e2d384c3b71ea52e..fdf17f705331bbb3c9c8bc052d48efeecf26e7e8 100644 (file)
@@ -1,19 +1,56 @@
 # TLS server: SNI used to select certificate
+#
+# The interesting output is the DN of server logged by the client
 gnutls
 exim -DSERVER=server -bd -oX PORT_D
 ****
-# Extended: certificate choice is unchanged by received SNI
-exim CALLER@test.ex
+# certificate choice is unchanged by a received SNI
+exim -odf normal@test.ex
 Test message.
 ****
-sleep 1
 #
 #
-# Extended: server uses SNI to choose certificate
-exim abcd@test.ex
-Test message.
+# server uses SNI to choose certificate
+exim -odf alternate@test.ex
+****
+#
+# server picks a key file with bad content
+exim -odf badkey@test.ex
+****
+sudo rm DIR/spool/db/retry
+#
+# server picks a non-existing filenam for key
+exim -odf noneistkeyfile@test.ex
 ****
-sleep 1
+sudo rm DIR/spool/db/retry
+#
+#
+# server gets an expansion-fail for the keyfile
+exim -odf expansionfailkey@test.ex
+****
+sudo rm DIR/spool/db/retry
+#
+#
+#
+#
+# server picks a cert file with bad content
+exim -odf badcert@test.ex
+****
+sudo rm DIR/spool/db/retry
+#
+# server picks a non-existing filenam for cert
+exim -odf nonexistcertfile@test.ex
+****
+sudo rm DIR/spool/db/retry
+#
+#
+# server picks a non-existing filenam for cert
+exim -odf expansionfailedcert@test.ex
+****
+sudo rm DIR/spool/db/retry
+#
+#
 #
 #
 killdaemon
+no_msglog_check
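Review bot: The comment at L561 says "server picks a non-existing filenam for cert" but the command under it exercises expansionfailedcert@test.ex, i.e. the forced-fail expansion case; the 2131 copy of this script has the right text, `# server gets an expansion-fail for the certfile`. "filenam" at L535 and L555 is a typo for "filename". These are script comments only and do not affect what the test runs.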
index c1029bb8fb055ad988e349c58daa36bc4c571d41..9a08853085f1c9d10d65e717454a1376c8c5b226 100644 (file)
@@ -1,20 +1,54 @@
 # TLS server: SNI used to select certificate
 #
+# The interesting output is the DN of server logged by the client
 exim -DSERVER=server -bd -oX PORT_D
 ****
-# Extended: certificate choice is unchanged by received SNI
-exim CALLER@test.ex
+# certificate choice is unchanged by a received SNI
+exim -odf normal@test.ex
 Test message.
 ****
-sleep 2
 #
 #
-# Extended: server uses SNI to change certificate
-exim abcd@test.ex
-Test message.
+# server uses SNI to choose certificate
+exim -odf alternate@test.ex
+****
+#
+# server picks a key file with bad content
+exim -odf badkey@test.ex
+****
+sudo rm DIR/spool/db/retry
+#
+# server picks a non-existing filenam for key
+exim -odf noneistkeyfile@test.ex
 ****
-millisleep 500
+sudo rm DIR/spool/db/retry
+#
+#
+# server gets an expansion-fail for the keyfile
+exim -odf expansionfailkey@test.ex
+****
+sudo rm DIR/spool/db/retry
+#
+#
+#
+#
+# server picks a cert file with bad content
+exim -odf badcert@test.ex
+****
+sudo rm DIR/spool/db/retry
+#
+# server picks a non-existing filenam for cert
+exim -odf nonexistcertfile@test.ex
+****
+sudo rm DIR/spool/db/retry
+#
+# server gets an expansion-fail for the certfile
+exim -odf expansionfailedcert@test.ex
+****
+sudo rm DIR/spool/db/retry
+#
+#
 #
 #
 killdaemon
-sleep 2
+no_msglog_check
diff --git a/test/stderr/2131 b/test/stderr/2131
new file mode 100644 (file)
index 0000000..22ed532
--- /dev/null
@@ -0,0 +1,8 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 (SSL_CTX_use_PrivateKey_file file=TESTSUITE/aux-fixed/cert2): error:05800074:x509 certificate routines::key values mismatch
+1999-03-02 09:44:33 (SSL_CTX_use_PrivateKey_file file=TESTSUITE/aux-fixed/nonexist_file): error:80000002:system library::No such file or directory
+1999-03-02 09:44:33 expansion of tls_privatekey failed
+1999-03-02 09:44:33 (SSL_CTX_use_certificate_chain_file file=TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key): error:0480006C:PEM routines::no start line
+1999-03-02 09:44:33 (SSL_CTX_use_certificate_chain_file file=TESTSUITE/aux-fixed/nonexistent_file): error:80000002:system library::No such file or directory
+1999-03-02 09:44:33 expansion of tls_certificate failed