DANE - testcase for fail under GnuTLS with TA-mode to a selfsigned server cert
authorJeremy Harris <jgh146exb@wizmail.org>
Sat, 8 Sep 2018 18:31:49 +0000 (19:31 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Sun, 9 Sep 2018 14:45:27 +0000 (15:45 +0100)
16 files changed:
src/src/lookups/dnsdb.c
src/src/tls-gnu.c
src/src/transports/smtp.c
test/aux-fixed/cert.HOWTO [new file with mode: 0644]
test/aux-fixed/cert.config [new file with mode: 0644]
test/aux-fixed/cert1
test/confs/5822 [new file with mode: 0644]
test/confs/5842 [new file with mode: 0644]
test/dnszones-src/db.test.ex
test/log/5822 [new file with mode: 0644]
test/log/5842 [new file with mode: 0644]
test/scripts/5820-DANE-GnuTLS/5822 [new file with mode: 0644]
test/scripts/5840-DANE-OpenSSL/5842 [new file with mode: 0644]
test/stderr/5842 [new file with mode: 0644]
test/stdout/5822 [new file with mode: 0644]
test/stdout/5842 [new file with mode: 0644]

index a8633826135d1212cdf12ab3489cfbca6e6099ab..e75bd1eddb8d6079bb0a0159598ee49346a411a4 100644 (file)
@@ -150,7 +150,7 @@ store as possible later, so we preallocate the result here */
 
 gstring * yield = string_get(256);
 
 
 gstring * yield = string_get(256);
 
-dns_record *rr;
+dns_record * rr;
 dns_answer dnsa;
 dns_scan dnss;
 
 dns_answer dnsa;
 dns_scan dnss;
 
@@ -421,7 +421,7 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
       else if (type == T_TLSA)
         {
         uint8_t usage, selector, matching_type;
       else if (type == T_TLSA)
         {
         uint8_t usage, selector, matching_type;
-        uint16_t i, payload_length;
+        uint16_t payload_length;
         uschar s[MAX_TLSA_EXPANDED_SIZE];
        uschar * sp = s;
         uschar * p = US rr->data;
         uschar s[MAX_TLSA_EXPANDED_SIZE];
        uschar * sp = s;
         uschar * p = US rr->data;
@@ -434,10 +434,8 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
         sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
                selector, *outsep2, matching_type, *outsep2);
         /* Now append the cert/identifier, one hex char at a time */
         sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
                selector, *outsep2, matching_type, *outsep2);
         /* Now append the cert/identifier, one hex char at a time */
-        for (i=0;
-             i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
-             i++)
-          sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
+       while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+          sp += sprintf(CS sp, "%02x", *p++);
 
         yield = string_cat(yield, s);
         }
 
         yield = string_cat(yield, s);
         }
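Review bot: The rewritten `while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))` loop still truncates silently when the RDATA does not fit the fixed `s` buffer, so an over-long (or malformed) TLSA record is returned as a shortened hex string that looks like a valid but non-matching association instead of an error; the size of `MAX_TLSA_EXPANDED_SIZE` is not visible here, so this may be unreachable for well-formed records. Dropping the `(unsigned char)` cast is only safe because `p` is `uschar *`, which deserves a one-line comment since `%02x` on a plain signed byte would print sign-extended values. I would at least mark the limitation: `/* payload is silently truncated to fit s; a truncated hash can never match */` above the loop. The enclosing function starts and ends outside this hunk.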
index dfe09200b57f07ba7fb0be38c443b6f522bd9ee3..c5ecf88f9bfc151ef7adc6540d63120d22a45249 100644 (file)
@@ -1775,7 +1775,8 @@ goodcert:
 
 #ifdef SUPPORT_DANE
 tlsa_prob:
 
 #ifdef SUPPORT_DANE
 tlsa_prob:
-  *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc));
+  *errstr = string_sprintf("TLSA record problem: %s",
+    rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
 #endif
 
 badcert:
 #endif
 
 badcert:
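Review bot: Replacing `dane_strerror(rc)` with the fixed string "none usable" for `DANE_E_REQUESTED_DATA_NOT_AVAILABLE` drops the library's own diagnostic, so an operator reading `TLSA record problem: none usable` in the main log cannot tell whether no record matched, a selector/matching-type was unsupported, or (per the commit title) GnuTLS refused a self-signed trust anchor. Keeping the library text costs nothing: `*errstr = string_sprintf("TLSA record problem: %s%s", rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable: " : "", dane_strerror(rc));`. Note that `tlsa_prob:` is a goto target inside a function that starts outside the hunk, so any earlier path that sets `rc` reaches this message too.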
index 076375158c1caa8630f781a13ac4f1303473fc92..703ee563a735761eda3fbcc304acc17ef7201194 100644 (file)
@@ -1247,7 +1247,29 @@ switch (rc)
     return DEFER; /* just defer this TLS'd conn */
 
   case DNS_SUCCEED:
     return DEFER; /* just defer this TLS'd conn */
 
   case DNS_SUCCEED:
-    if (sec) return OK;
+    if (sec)
+      {
+      DEBUG(D_transport)
+       {
+       dns_scan dnss;
+       dns_record * rr;
+       for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+            rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_TLSA)
+         {
+         uint16_t payload_length = rr->size - 3;
+         uschar s[MAX_TLSA_EXPANDED_SIZE], * sp = s, * p = US rr->data;
+
+         sp += sprintf(CS sp, "%d ", *p++); /* usage */
+         sp += sprintf(CS sp, "%d ", *p++); /* selector */
+         sp += sprintf(CS sp, "%d ", *p++); /* matchtype */
+         while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+           sp += sprintf(CS sp, "%02x", *p++);
+
+         debug_printf(" %s\n", s);
+         }
+       }
+      return OK;
+      }
     log_write(0, LOG_MAIN,
       "DANE error: TLSA lookup for %s not DNSSEC", host->name);
     /*FALLTRHOUGH*/
     log_write(0, LOG_MAIN,
       "DANE error: TLSA lookup for %s not DNSSEC", host->name);
     /*FALLTRHOUGH*/
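Review bot: `uint16_t payload_length = rr->size - 3;` in the new debug block is not guarded against `rr->size < 3`; unless `dns_next_rr` already rejects short RDATA (not visible here), a truncated TLSA record wraps `payload_length` to almost 65535 and the three unconditional `sprintf(CS sp, "%d ", *p++)` calls plus the `while` read past `rr->data` until the `s` bound stops them — an out-of-bounds read of resolver-supplied data, even if only under `DEBUG(D_transport)`. Tightening the filter on the `for` line is a one-token change: `rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_TLSA && rr->size >= 3)`. The hex-dump itself duplicates the loop just changed in dnsdb.c; a small shared helper would keep the two from drifting. The enclosing `switch` and function start outside this hunk.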
diff --git a/test/aux-fixed/cert.HOWTO b/test/aux-fixed/cert.HOWTO
new file mode 100644 (file)
index 0000000..dab2915
--- /dev/null
@@ -0,0 +1,4 @@
+openssl req -x509 -config cert.config -newkey rsa:2048 -keyout key.pem -out cert.pem -days 7000
+cat key.pem cert.pem > cert1
+# or cert2, as needed.  Mind the day count above does not blow the Y2038 barrier.
+rm cert.pem key.pem
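Review bot: The recipe does not mention that regenerating the key invalidates every TLSA record derived from it: the `2 0 1`, `2 1 1` and `3 1 1` hashes for the dane256* names in `test/dnszones-src/db.test.ex` are bound to this exact certificate and SubjectPublicKeyInfo, so following these four lines without updating them breaks the DANE tests with no hint why. Add a line such as `# after regenerating, recompute the TLSA hashes in dnszones-src/db.test.ex (recipes are in the comments there)`. It is also worth pinning the signature digest with `-sha256`, since older OpenSSL releases defaulted to SHA-1 and the resulting certificate may then be rejected by the TLS libraries under test; `-days 7000` from a 2018 start lands in 2037, consistent with the Y2038 remark.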
diff --git a/test/aux-fixed/cert.config b/test/aux-fixed/cert.config
new file mode 100644 (file)
index 0000000..36be59f
--- /dev/null
@@ -0,0 +1,17 @@
+prompt=no
+encrypt_key=no
+default_bits=2048
+distinguished_name=fixed_dn
+x509_extensions=fixed_ex
+
+[ fixed_dn ]
+C=UK
+O=The Exim Maintainers
+OU=Test Suite
+CN=Phil Pennock
+
+[ fixed_ex ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=critical,CA:TRUE, pathlen:0
+subjectAltName=DNS:test.ex, DNS:*.test.ex
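Review bot: `basicConstraints=critical,CA:TRUE, pathlen:0` marks a self-signed end-entity certificate as a CA and nothing in the file says why; presumably it is so the same certificate can serve as the DANE-TA (usage 2) trust anchor in the new dnszone records, but a reader will otherwise take it for a mistake. A comment above the `[ fixed_ex ]` section such as `# CA:TRUE so this self-signed cert can be used as a usage-2 (DANE-TA) trust anchor as well as the server cert` would settle that. Note also that `encrypt_key=no` means the private key is committed in clear in `aux-fixed/cert1`, which is fine for a test fixture but worth stating so nobody reuses this config for a real key.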
index 1323e39c93e7a6d4d24028edd4a21fa1682d17f9..b939fb9dfc89ab519850770bcc56cdb172def1b5 100644 (file)
@@ -1,51 +1,50 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0dyUFZ7037DgtRfGoR0bVqUvCetxdZa42E3sLyZLviWRcKbY
-XyYD1M44zClRq6vGwQGLI0Hea4jlJdIftyr3SmuaerJt2frPVAKcHHAHJ7rOjkUT
-Kp+XHGjsinQg9Up6nz2Qo6Xdg0oPm8YRaMgIa1Qc75cWqzTn3++B5qaW2RtffYf7
-8c1OA958BHWyWlcZJNuJHYLR3CdqJb7ojtfcuCq3cWRRxJhyd/j1T51D+Xw6nGbe
-QovD2+oQ/TBTUuo3Zc2YCRE+PWIQMZakdbD335HjvVj1PAu6oBKQRdccactigkR9
-tBlBIxH0q1Uh1fOd+dgLSoccCK2HlnM/GOzcfwIDAQABAoIBAB71b1MRNAabzUpp
-y3+RD6tkit/nv8EdDv+53xHFkH7og+AefOTscrw9/9r+bXHp0VQ/qgr1eJ5cf5Fo
-wgz/ZaOw5AUdtV7mxRcbm3QGgse1oysRvZYYHO6v+9Ug9Iu7BQPgzSmXGmp3zn2o
-ZoESoUtUCUC/BTUUhPBgIMWp5a75OkaOS3fO3kSaGHPiqX1IbD8T6b7+ViR2qIwU
-LjwFNTBRjorL25VXCsfChGih5TUgR9jIJcGzN6QykCHV7D29AfkRuVrKMRLEM3VD
-3E0ObQfVRoXFEZR3fccJqU6E1Mg9BXbl+I9rwv3GUJXS7fXnmHKRhjzD1Dbo5Afv
-jnSPL+ECgYEA9hepWibJe8N3fSCb7Eqqi/Q8ufCQqnDSCrnY6WJpRIA79DKU7OFm
-3dct5pqXPUlaYC6TDQ8G0LAQL1knsuFejvV8v0y0mZspRbOg94EDTuQWp4oCIqWr
-MEYbiRVHXIg5OjylVAQLM1y9IF+n3aXQAUfcStFtiiM49vRJs9StcdsCgYEA2k+B
-lXN3UjZvwkDeZcjfCH1n0Rxrt0kZ7UbqEPZSz/77m9XIjWv32lpTDLecRdcR8KSx
-OKH24WSQXd7DTWn+DitfSwGJjiduU2c0p4eePzfK7Yeo0bMNVixvjUZt+w9ijkWH
-4CUVgo9TfuxdaTyYlmONk9JVLMeOwR8MdagVWy0CgYEAlpVn9Vgile7HoPNhNbeC
-oFz1A7oma4TZoeKSzkx/qYDmLsj8w+4w6bIPzjnuLXxDJvOY27bELtJtNOvTFOw+
-1i91BAHFyPBe0t3Vs11oTs/W5PHX2KeTFtjvZHR21DIvAmm1qLFIwUcQG00tBL2/
-h+kW7Vk1M//VjZdxue57q10CgYEAufZT+gzbrYp1dNFxIN8VLdQ1ZSmCkCSTE03/
-AOfy7v7TMZHQPrej77pVWFXnpo5n18dSt10wQhs55txlHUKWiVdk2y26EP+BuUYG
-0lZx9IQANooCwm51g9xiQcOm19/pIiwUbFjqk8anZ0zM3WIi0KiI50yaBYUQE23x
-XSAK4RkCgYBsPJiK2BGPvFNBJo6368SVgB1H2Bu9GPUpORdirbFuy/VanSEaAGIK
-vWjIOvEKnJd9NX430drAdD7hcx52fxdCsn97LSBi73Weqov4zNDadsLvTWhxlh+D
-b1SITBDYjxdm9oqv4Uj10l3Ft4/X0MN2aJ4+W3/cFTGL9pNlv21Daw==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDbSr1VPY2sW/7a
+g4GiBfBYXbO9NroHTBJqi831QwPsN5F2Tyx/dQ0vByiOP8nxSmIkQ/eZM6IS3jl0
+8H8jqamyipfSghrQC3QSgtRl6wp8TEfJpwxdDyKAV1zP+TiIEqWYJLc1tmRwQ72J
+0gXID7ME7TNDvek4Oo9BJJ2mtn0K9oY4Z6pvv5O+uljUxTryYbBtMtgMD5ZvL12b
+FiNkRhgx3XX+9vpWw5o6vKdKUbKwT7KhwvUSC1eKOFMBZthUpxxH+RbYyNET1qJU
+u4UrbNI1Wdwm+Cg7JkEdU1NcJbTP8CVR8Z1U7FkbhAD5HNHaTyVWO20MVYjXU/4B
+3bVHWhhNAgMBAAECggEAJY9KmIP/dQsYvqKRnIe539jExV7PRBqyeM9TSnPdAyON
+ZZ8v9vC8flaSirLASvS7lIyTpwjh9KtdWfsrO5d+ulbkpCimoQWlLtp7uK0mUZ3b
+Gd3jzzidZzAPdIuyNBRFiqaXPrrrvxLLLwTq+pY9ylU6V5r6jCfzi2vTGM/e4PaB
+Yo0YkQG9vFveCbGwG+v66ZIq8lH4CxjAfNOVXte+dKFdk6PnUSBMAq4B3n7eFjye
+5nMl9fwFHVtZyBZI59i/1hSLzCjE1j0BrvTlL8BftU5SdF5sYdi/9yvUPjiRnvHT
+ZPQPBH/hVzE52+VcRoWZ7vNjVaBzf/W5XkJsUc35/QKBgQDs/mSpWbiJxhGVRxuf
+DiBxDAw1x+BVHd0bWe8Wp850ooBOI0TQ+wwcegySBaDpATBI1ML/plv7cWJ1+0fi
+8AdG9VSDascH0OE8Y+OnHI2WDCJjRzwKPYvD+4LuQcrF6GDCdIrbitRfwdGGF7He
+gsRS7GFqXawijDkCYolutqgUjwKBgQDs4Otrf2KieW6q12a+3MuSONPhiuLHDUuE
+hCfX7hdSRSI4O6F9vZwkt7l9UluGW5E8cASIimfKoVfJj2m3sv6T33CacB1zQlLW
+TtZb414kJ0ExbdfgxcVSvLIk+H4DSBa17iF+v8mdjbpkgT0m11QTmpqgHQamwdo0
+qUEySQgLYwKBgQDj0cjCY1VaW+UbMzgCNnpJMeOq73FfYU3jtRh5FucIiA3/Dzhg
+DHUgCtN6q557XoEkAiNRzoItvFmCQQRhy4uzUrLjggnCIbHjc8KsKm6RBykndpro
+3TE2PNkoYGakyTX6uD2jvllZk9/un2iFFf/UFxeuQE3xCArlmAO1QjFhUQKBgQCb
+waVrEN71gK1xLqPDuoEtC6resik9w5M1doSQamDxWr4Ohb9BY+0JA7m3GvFNnmYY
+fHuuoHtw9Lg5s9BK1yqoZxKuqivjPugjPMGcuBuN4DXw345EoSaHqcXlo3OQitVM
+GWHy6v8SV0AJmCVypcIGBfHIeG2INw1Y9TYGb5kXiwKBgCDqpa46uROTxQW4CU12
+TuEPeGkojRqNf/f1OzTULwO71rKxZ7Hl2LWCkygX7Nn2XogrHhBTNEoAmDzxuC6g
+hGIoBak7P/GOcaiT2GFzsCgGjRIB8REOLywnl+KkLQI2FjOCztNtBdXwaCZo4/wa
+O1GQXNSW4Ktbr4eq/l+loftA
+-----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIID8DCCAtigAwIBAgIJALYf3pBgPTGPMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
-BAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEGA1UECxMK
-VGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrMB4XDTEyMDUxNzE0NDYw
-M1oXDTMxMDUxMzE0NDYwM1owWDELMAkGA1UEBhMCVUsxHTAbBgNVBAoTFFRoZSBF
-eGltIE1haW50YWluZXJzMRMwEQYDVQQLEwpUZXN0IFN1aXRlMRUwEwYDVQQDEwxQ
-aGlsIFBlbm5vY2swggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDR3JQV
-nvTfsOC1F8ahHRtWpS8J63F1lrjYTewvJku+JZFwpthfJgPUzjjMKVGrq8bBAYsj
-Qd5riOUl0h+3KvdKa5p6sm3Z+s9UApwccAcnus6ORRMqn5ccaOyKdCD1SnqfPZCj
-pd2DSg+bxhFoyAhrVBzvlxarNOff74HmppbZG199h/vxzU4D3nwEdbJaVxkk24kd
-gtHcJ2olvuiO19y4KrdxZFHEmHJ3+PVPnUP5fDqcZt5Ci8Pb6hD9MFNS6jdlzZgJ
-ET49YhAxlqR1sPffkeO9WPU8C7qgEpBF1xxpy2KCRH20GUEjEfSrVSHV85352AtK
-hxwIrYeWcz8Y7Nx/AgMBAAGjgbwwgbkwHQYDVR0OBBYEFDZtAgvs96t7shvAZbPt
-YIzxz06fMIGJBgNVHSMEgYEwf4AUNm0CC+z3q3uyG8Bls+1gjPHPTp+hXKRaMFgx
-CzAJBgNVBAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEG
-A1UECxMKVGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrggkAth/ekGA9
-MY8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEANtHbMYqw3Ln07gif
-F11TyWuUzfZ1HAdj5x+ec/ZhOrMbXJwNnQnZzdESoiqk0C1fqNsog1ur9pzYxBJo
-92OpxkTxvBr2Wi2igfUPbMXWttKu5OFTU00Y8Lp6JEJjtw1zAQB1ka+/5xGYAPfC
-lL/a4RQygNb2e+Q+fOwWz8YZZ2hsidtc7UbH96Eu4489PipD8GXH0T2SY4VEtwUT
-g6uUJjZpznusPhc/uoq5vZVP9AU1EiU+KE55bRuP0QGKIGK3K5WfodKYvF76lhsG
-gLuqb/jVqZsQKcDSj0BGnlimvgEnydeXSYYIUJichEK7dTSjsAn40hUO2dFRMYTx
-W45BdA==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 -----END CERTIFICATE-----
 -----END CERTIFICATE-----
diff --git a/test/confs/5822 b/test/confs/5822
new file mode 100644 (file)
index 0000000..80a8ef4
--- /dev/null
@@ -0,0 +1,67 @@
+# Exim test configuration 5822
+# DANE/GnuTLS
+
+SERVER=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
+
+queue_run_in_order
+
+tls_advertise_hosts = *
+# needed to force generation
+tls_dhparam = historic
+
+tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = dnslookup
+  condition = ${if eq {SERVER}{}}
+  dnssec_request_domains = *
+  self = send
+  transport = send_to_server
+  errors_to = ""
+
+server:
+  driver = redirect
+  condition = ${if !eq {SERVER}{}}
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+  driver = smtp
+  allow_localhost
+  port = PORT_D
+
+  hosts_try_dane =     *
+  hosts_require_dane = HOSTIPV4
+  tls_verify_cert_hostnames = :
+  tls_try_verify_hosts = thishost.test.ex
+#  tls_verify_certificates = CDIR2/ca_chain.pem
+
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
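Review bot: `tls_verify_cert_hostnames = :` disables server-name checking for every host, so the `2 0 1` and `2 1 1` deliveries exercise DANE-TA without the name matching that RFC 7672 requires for usage 2 (only usage 3, DANE-EE, is exempt); the certificate's SAN covers `*.test.ex` anyway, so the setting is probably just there to sidestep the test-suite host names, but the config does not say. A comment would stop this being copied into a production transport: `# name checks off for the test; DANE-TA (usage 2) normally also requires the server name to match`. Separately, `# needed to force generation` above `tls_dhparam = historic` does not say what is generated or why the legacy built-in group is needed.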
diff --git a/test/confs/5842 b/test/confs/5842
new file mode 100644 (file)
index 0000000..be45e84
--- /dev/null
@@ -0,0 +1,64 @@
+# Exim test configuration 5822
+# DANE/OpenSSL
+
+SERVER=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
+
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = dnslookup
+  condition = ${if eq {SERVER}{}}
+  dnssec_request_domains = *
+  self = send
+  transport = send_to_server
+  errors_to = ""
+
+server:
+  driver = redirect
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+  driver = smtp
+  allow_localhost
+  port = PORT_D
+
+  hosts_try_dane =     *
+  hosts_require_dane = HOSTIPV4
+  tls_verify_cert_hostnames = :
+  tls_try_verify_hosts = thishost.test.ex
+#  tls_verify_certificates = CDIR2/ca_chain.pem
+
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
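Review bot: The `server` router is missing the `condition = ${if !eq {SERVER}{}}` guard that the otherwise identical GnuTLS config 5822 has, so on the client side any message the `client` router declines (for instance a DNS fixture problem) is silently routed to `:blackhole:` instead of producing a visible routing failure, which can turn a broken test into a pass. Add `condition = ${if !eq {SERVER}{}}` under `driver = redirect`, as in 5822. The header comment also still reads `# Exim test configuration 5822`; it should say 5842.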
index 492ee5df849d537e1649a5acf8c843ef2d3386d9..0efd1a28bcd059b0032efb4ec1098f79ad9efc3a 100644 (file)
@@ -470,6 +470,25 @@ DNSSEC dane256tak            A      HOSTIPV4
 DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 73e279c0f5f5a9ee9851bbbc39023603d7b266acfd0764419c3b07cc380b79f9
 
 
 DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 73e279c0f5f5a9ee9851bbbc39023603d7b266acfd0764419c3b07cc380b79f9
 
 
+; full MX, both TA & EE modes, cert is selfsigned
+; for testing an issue in the gnutls impl
+;
+; tas:
+; openssl x509 -in aux-fixed/cert1 -fingerprint -sha256 -noout \
+; | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
+;
+DNSSEC mxdane256tas           MX  1  dane256tas
+DNSSEC dane256tas             A      HOSTIPV4
+DNSSEC _1225._tcp.dane256tas  TLSA 2 0 1 34d3624101b954d667c1a5ac18078b196cd17fbd61e23df73249c1afab747124
+DNSSEC mxdane256task          MX  1  dane256task
+DNSSEC dane256task            A      HOSTIPV4
+DNSSEC _1225._tcp.dane256task TLSA 2 1 1 c1241d8cc61401079437240467a47e21db921d3398883cd9bb038cc461d7beab
+DNSSEC mxdane256ees           MX  1  dane256ees
+DNSSEC dane256ees             A      HOSTIPV4
+DNSSEC _1225._tcp.dane256ees  TLSA 3 1 1 c1241d8cc61401079437240467a47e21db921d3398883cd9bb038cc461d7beab
+
+
+
 ; A multiple-return MX where all TLSA lookups defer
 DNSSEC mxdanelazy           MX  1   danelazy
 DNSSEC                      MX  2   danelazy2
 ; A multiple-return MX where all TLSA lookups defer
 DNSSEC mxdanelazy           MX  1   danelazy
 DNSSEC                      MX  2   danelazy2
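Review bot: The comment documents only how the `2 0 1` digest was produced (SHA-256 over the whole certificate); the `2 1 1` and `3 1 1` records use selector 1, the SubjectPublicKeyInfo, and nothing here says how `c1241d8c…` is regenerated when `aux-fixed/cert1` is replaced. Add next to the existing recipe: `; spki (selector 1): openssl x509 -in aux-fixed/cert1 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`. All three records describe the same self-signed certificate, so presumably the intent is to test one key both as trust anchor (usage 2) and as end entity (usage 3); saying so in the comment would help the next person.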
diff --git a/test/log/5822 b/test/log/5822
new file mode 100644 (file)
index 0000000..43b032b
--- /dev/null
@@ -0,0 +1,20 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256tas.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 DANE attempt failed; TLS connection to dane256tas.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaX-0005vi-00 !!SHOULD_WORK!! CALLER@mxdane256tas.test.ex R=client T=send_to_server defer (-37) H=dane256tas.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256task.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 DANE attempt failed; TLS connection to dane256task.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaY-0005vi-00 !!SHOULD_WORK!! CALLER@mxdane256task.test.ex R=client T=send_to_server defer (-37) H=dane256task.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@mxdane256ees.test.ex R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@mxdane256ees.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/5842 b/test/log/5842
new file mode 100644 (file)
index 0000000..1146cba
--- /dev/null
@@ -0,0 +1,24 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256tas.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@mxdane256tas.test.ex R=client T=send_to_server H=dane256tas.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256task.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@mxdane256task.test.ex R=client T=send_to_server H=dane256task.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ees.test.ex R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@mxdane256tas.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@mxdane256tas.test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@mxdane256task.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@mxdane256task.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@mxdane256ees.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
diff --git a/test/scripts/5820-DANE-GnuTLS/5822 b/test/scripts/5820-DANE-GnuTLS/5822
new file mode 100644 (file)
index 0000000..9e565ab
--- /dev/null
@@ -0,0 +1,19 @@
+# DANE server: selfsigned cert
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+### TLSA (2 0 1)
+exim -odf CALLER@mxdane256tas.test.ex
+Testing
+****
+### TLSA (2 1 1)
+exim -odf CALLER@mxdane256task.test.ex
+Testing
+****
+### TLSA (3 1 1)
+exim -odf CALLER@mxdane256ees.test.ex
+Testing
+****
+killdaemon
+# 
+no_msglog_check
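Review bot: The header `# DANE server: selfsigned cert` does not say that the two TA-mode deliveries are expected to defer under GnuTLS, even though the expected log records them with `!!SHOULD_WORK!!`; when GnuTLS starts accepting the self-signed trust anchor this test will fail and whoever looks at it has to reconstruct the intent from the log fixture. Add a comment such as `# Under GnuTLS the 2 0 1 and 2 1 1 (TA-mode) cases currently defer; log/5822 marks them !!SHOULD_WORK!!. When they start succeeding, update the expected log.`.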
diff --git a/test/scripts/5840-DANE-OpenSSL/5842 b/test/scripts/5840-DANE-OpenSSL/5842
new file mode 100644 (file)
index 0000000..da9e4e3
--- /dev/null
@@ -0,0 +1,19 @@
+# DANE server: selfsigned and TA-mode
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+### TLSA (2 0 1)
+exim -odf CALLER@mxdane256tas.test.ex
+Testing
+****
+### TLSA (2 1 1)
+exim -odf CALLER@mxdane256task.test.ex
+Testing
+****
+### TLSA (3 1 1)
+exim -odf CALLER@mxdane256ees.test.ex
+Testing
+****
+killdaemon
+# 
+no_msglog_check
diff --git a/test/stderr/5842 b/test/stderr/5842
new file mode 100644 (file)
index 0000000..ed5eb4f
--- /dev/null
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
diff --git a/test/stdout/5822 b/test/stdout/5822
new file mode 100644 (file)
index 0000000..ed5eb4f
--- /dev/null
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
diff --git a/test/stdout/5842 b/test/stdout/5842
new file mode 100644 (file)
index 0000000..ed5eb4f
--- /dev/null
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)