filter*.xml
filter.ps
filter.pdf
+filter-txt.html
+filter.txt
local_params
+exim.8
. Copyright year. Update this (only) when changing content.
.macro copyyear
-2010
+2014
.endmacro
. ===========================================================================
.set I " "
.macro copyyear
-2013
+2014
.endmacro
. /////////////////////////////////////////////////////////////////////////////
A trust path from Nigel's key to Phil's can be observed at
&url(https://www.security.spodhuis.org/exim-trustpath).
-.new
Releases have also been authorized to be performed by Todd Lyons who signs with
key &'0xC4F4F94804D29EBA'&. A direct trust path exists between previous RE Phil
Pennock and Todd Lyons through a common associate.
-.wen
The signatures for the tar bundles are in:
.display
.endblockquote
.next
-.new
.cindex "opendmarc" "acknowledgment"
The DMARC implementation uses the OpenDMARC library which is Copyrighted by
The Trusted Domain Project. Portions of Exim source which use OpenDMARC
derived code are indicated in the respective source files. The full OpenDMARC
license is provided in the LICENSE.opendmarc file contained in the distributed
source code.
-.wen
.next
Many people have contributed code fragments, some large, some small, that were
&%verify_recipient%&, which independently control the use of the router for
sender and recipient verification. You can set these options directly if
you want a router to be used for only one type of verification.
-.new "Note that cutthrough delivery is classed as a recipient verification for this purpose."
+Note that cutthrough delivery is classed as a recipient verification for this purpose.
.next
If the &%address_test%& option is set false, the router is skipped when Exim is
run with the &%-bt%& option to test an address routing. This can be helpful
.next
Routers can be designated for use only when verifying an address, as
opposed to routing it for delivery. The &%verify_only%& option controls this.
-.new "Again, cutthrough delivery counts as a verification."
+Again, cutthrough delivery counts as a verification.
.next
Individual routers can be explicitly skipped when running the routers to
check an address given in the SMTP EXPN command (see the &%expn%& option).
This option is an alias for &%-bV%& and causes version information to be
displayed.
-.new
.vitem &%-Ac%& &&&
&%-Am%&
.oindex "&%-Ac%&"
.oindex "&%-Am%&"
These options are used by Sendmail for selecting configuration files and are
ignored by Exim.
-.wen
.vitem &%-B%&<&'type'&>
.oindex "&%-B%&"
if this is required. If the &%bi_command%& option is not set, calling Exim with
&%-bi%& is a no-op.
-.new
. // Keep :help first, then the rest in alphabetical order
.vitem &%-bI:help%&
.oindex "&%-bI:help%&"
&`SIEVE`& capability response line. As the precise list may depend upon
compile-time build options, which this option will adapt to, this is the only
way to guarantee a correct response.
-.wen
.vitem &%-bm%&
.oindex "&%-bm%&"
If a list of configuration files was supplied, the value that is output here
is the name of the file that was actually used.
-.new
.cindex "options" "hiding name of"
If the &%-n%& flag is given, then for most modes of &%-bP%& operation the
name will not be output.
-.wen
.cindex "daemon" "process id (pid)"
.cindex "pid (process id)" "of daemon"
.vitem &%-G%&
.oindex "&%-G%&"
.cindex "submission fixups, suppressing (command-line)"
-.new
This option is equivalent to an ACL applying:
.code
control = suppress_local_fixups
As this affects audit information, the caller must be a trusted user to use
this option.
-.wen
.vitem &%-h%&&~<&'number'&>
.oindex "&%-h%&"
no documentation for this option in Solaris 2.4 Sendmail, but the &'mailx'&
command in Solaris 2.4 uses it. See also &%-ti%&.
-.new
.vitem &%-L%&&~<&'tag'&>
.oindex "&%-L%&"
.cindex "syslog" "process name; set with flag"
effect, so early configuration file errors will not honour this flag.
The tag should not be longer than 32 characters.
-.wen
.vitem &%-M%&&~<&'message&~id'&>&~<&'message&~id'&>&~...
.oindex "&%-M%&"
the message, and applies to any subsequent delivery attempts that may happen
for that message.
-.new
.vitem &%-n%&
.oindex "&%-n%&"
This option is interpreted by Sendmail to mean &"no aliasing"&.
For normal modes of operation, it is ignored by Exim.
When combined with &%-bP%& it suppresses the name of an option from being output.
-.wen
.vitem &%-O%&&~<&'data'&>
.oindex "&%-O%&"
using the same syntax as for &%-oMa%&. The interface address is placed in
&$received_ip_address$& and the port number, if present, in &$received_port$&.
+.vitem &%-oMm%&&~<&'message&~reference'&>
+.oindex "&%-oMm%&"
+.cindex "message reference" "message reference, specifying for local message"
+See &%-oMa%& above for general remarks about the &%-oM%& options. The &%-oMm%&
+option sets the message reference, e.g. message-id, and is logged during
+delivery. This is useful when some kind of audit trail is required to tie
+messages together. The format of the message reference is checked and will
+abort if the format is invalid. The option will only be accepted if exim is
+running in trusted mode, not as any regular user.
+
+The best example of a message reference is when Exim sends a bounce message.
+The message reference is the message-id of the original message for which Exim
+is sending the bounce.
+
.vitem &%-oMr%&&~<&'protocol&~name'&>
.oindex "&%-oMr%&"
.cindex "protocol, specifying for local message"
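Review bot: the added -oMm text says the format of the message reference is checked and that Exim aborts when it is invalid, but it never says what format is accepted, so a caller cannot tell what will pass. Suggest describing the accepted form next to that sentence (the text itself gives message-id as the example). Also, the added .cindex line repeats "message reference" in both the primary and secondary key, and "exim" is lower-case where the rest of the text uses "Exim".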
It sets &%-x%& when calling the MTA from its &%mail%& command. Exim ignores
this option.
-.new
.vitem &%-X%&&~<&'logfile'&>
.oindex "&%-X%&"
This option is interpreted by Sendmail to cause debug information to be sent
to the named file. It is ignored by Exim.
-.wen
.endlist
.ecindex IIDclo1
The next two lines are concerned with &'ident'& callbacks, as defined by RFC
1413 (hence their names):
.code
-rfc1413_hosts = *
-rfc1413_query_timeout = 5s
+rfc1413_query_hosts = *
+rfc1413_query_timeout = 0s
+.endd
+These settings cause Exim to avoid ident callbacks for all incoming SMTP calls.
+Few hosts offer RFC1413 service these days; calls have to be
+terminated by a timeout and this needlessly delays the startup
+of an incoming SMTP connection.
+If you have hosts for which you trust RFC1413 and need this
+information, you can change this.
+
+This line enables an efficiency SMTP option. It is negociated by clients
+and not expected to cause problems but can be disabled if needed.
+.code
+prdr_enable = true
.endd
-These settings cause Exim to make ident callbacks for all incoming SMTP calls.
-You can limit the hosts to which these calls are made, or change the timeout
-that is used. If you set the timeout to zero, all ident calls are disabled.
-Although they are cheap and can provide useful information for tracing problem
-messages, some hosts and firewalls have problems with ident calls. This can
-result in a timeout instead of an immediate refused connection, leading to
-delays on starting up an incoming SMTP session.
When Exim receives messages over SMTP connections, it expects all addresses to
be fully qualified with a domain, as required by the SMTP definition. However,
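Review bot: in the .code block the first setting changes name from rfc1413_hosts to rfc1413_query_hosts, yet the new prose only explains the timeout change to 0s. If the option itself was not renamed, the example no longer shows a valid setting, so please check it against the option's own entry. In the added PRDR paragraph, "negociated" should be "negotiated", and "an efficiency SMTP option" would be clearer if it named PRDR, since the line it introduces is prdr_enable.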
.code
remote_smtp:
driver = smtp
+ hosts_try_prdr = *
.endd
-This transport is used for delivering messages over SMTP connections. All its
-options are defaulted. The list of remote hosts comes from the router.
+This transport is used for delivering messages over SMTP connections.
+The list of remote hosts comes from the router.
+The &%hosts_try_prdr%& option enables an efficiency SMTP option.
+It is negotiated between client and server
+and not expected to cause problems but can be disabled if needed.
+All other options are defaulted.
.code
local_delivery:
driver = appendfile
&`fail`& keyword causes a &'forced expansion failure'& &-- see section
&<<SECTforexpfai>>& for an explanation of what this means.
-The supported DNS record types are A, CNAME, MX, NS, PTR, SPF, SRV, and TXT,
+The supported DNS record types are A, CNAME, MX, NS, PTR, SPF, SRV, TLSA and TXT,
and, when Exim is compiled with IPv6 support, AAAA (and A6 if that is also
configured). If no type is given, TXT is assumed. When the type is PTR,
the data can be an IP address, written as normal; inversion and the addition of
The authorization code can be &"Y"& for yes, &"N"& for no, &"X"& for explicit
authorization required but absent, or &"?"& for unknown.
-.new
.cindex "A+" "in &(dnsdb)& lookup"
The pseudo-type A+ performs an A6 lookup (if configured) followed by an AAAA
and then an A lookup. All results are returned; defer processing
.code
${lookup dnsdb {>; a+=$sender_helo_name}}
.endd
-.wen
.section "Multiple dnsdb lookups" "SECID67"
in the same way that multiple DNS records for a single item are handled. A
different separator can be specified, as described above.
+Modifiers for &(dnsdb)& lookups are givien by optional keywords,
+each followed by a comma,
+that may appear before the record type.
+
The &(dnsdb)& lookup fails only if all the DNS lookups fail. If there is a
temporary DNS error for any of them, the behaviour is controlled by
-an optional keyword followed by a comma that may appear before the record
-type. The possible keywords are &"defer_strict"&, &"defer_never"&, and
-&"defer_lax"&. With &"strict"& behaviour, any temporary DNS error causes the
+a defer-option modifier.
+The possible keywords are
+&"defer_strict"&, &"defer_never"&, and &"defer_lax"&.
+With &"strict"& behaviour, any temporary DNS error causes the
whole lookup to defer. With &"never"& behaviour, a temporary DNS error is
ignored, and the behaviour is as if the DNS lookup failed to find anything.
With &"lax"& behaviour, all the queries are attempted, but a temporary DNS
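Review bot: "givien" in the first added line should be "given". The reworded sentences also still gloss the keywords as "strict", "never" and "lax"; now that a second modifier family uses the same three words, writing defer_strict, defer_never and defer_lax in full in those sentences would avoid confusion with the dnssec_ keywords.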
Thus, in the default case, as long as at least one of the DNS lookups
yields some data, the lookup succeeds.
+.new
+.cindex "DNSSEC" "dns lookup"
+Use of &(DNSSEC)& is controlled by a dnssec modifier.
+The possible keywords are
+&"dnssec_strict"&, &"dnssec_lax"&, and &"dnssec_never"&.
+With &"strict"& or &"lax"& DNSSEC information is requested
+with the lookup.
+With &"strict"& a response from the DNS resolver that
+is not labelled as authenticated data
+is treated as equivalent to a temporary DNS error.
+The default is &"never"&.
+
+See also the &$lookup_dnssec_authenticated$& variable.
+.wen
+
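Review bot: the dnssec modifier text says what dnssec_strict does with an answer that is not labelled as authenticated data, but not what dnssec_lax does with one. Suggest stating the lax outcome explicitly (presumably the data is returned and only $lookup_dnssec_authenticated records the difference), because a reader choosing between the two needs to know that lax alone does not reject unauthenticated answers. It is also worth repeating next to the keyword list that the default is "never", so no DNSSEC information is requested unless a modifier is given.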
LDAP connections, rather than the SSL-on-connect &`ldaps`&.
See the &%ldap_start_tls%& option.
+.new
+Starting with Exim 4.83, the initialization of LDAP with TLS is more tightly
+controlled. Every part of the TLS configuration can be configured by settings in
+&_exim.conf_&. Depending on the version of the client libraries installed on
+your system, some of the initialization may have required setting options in
+&_/etc/ldap.conf_& or &_~/.ldaprc_& to get TLS working with self-signed
+certificates. This revealed a nuance where the current UID that exim was
+running as could affect which config files it read. With Exim 4.83, these
+methods become optional, only taking effect if not specifically set in
+&_exim.conf_&.
+.wen
+
.section "LDAP quoting" "SECID68"
.cindex "LDAP" "quoting"
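Review bot: "these methods become optional" has no clear antecedent; from the preceding sentences it appears to mean the settings in /etc/ldap.conf or ~/.ldaprc. Suggest saying that directly and naming the exim.conf options that now take precedence, since the point of the paragraph is that the files consulted used to depend on the UID Exim was running as.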
&`USER `& set the DN, for authenticating the LDAP bind
&`PASS `& set the password, likewise
&`REFERRALS `& set the referrals parameter
+.new
+&`SERVERS `& set alternate server list for this query only
+.wen
&`SIZE `& set the limit for the number of entries returned
&`TIME `& set the maximum waiting time for a query
.endd
The TIME parameter (also a number of seconds) is passed to the server to
set a server-side limit on the time taken to complete a search.
+.new
+The SERVERS parameter allows you to specify an alternate list of ldap servers
+to use for an individual lookup. The global ldap_servers option provides a
+default list of ldap servers, and a single lookup can specify a single ldap
+server to use. But when you need to do a lookup with a list of servers that is
+different than the default list (maybe different order, maybe a completely
+different set of servers), the SERVERS parameter allows you to specify this
+alternate list.
+.wen
Here is an example of an LDAP query in an Exim lookup that uses some of these
values. This is a single line, folded to fit on the page:
list.
.new
-To explain the host/ip processing logic a different way for the same ACL:
+.section "Mixing wildcarded host names and addresses in host lists" &&&
+ "SECTmixwilhos"
+.cindex "host list" "mixing names and addresses in"
+
+This section explains the host/ip processing logic with the same concepts
+as the previous section, but specifically addresses what happens when a
+wildcarded hostname is one of the items in the hostlist.
.ilist
If you have name lookups or wildcarded host names and
.wen
-
.section "Temporary DNS errors when looking up host information" &&&
"SECTtemdnserr"
.cindex "host" "lookup failures, temporary"
-.section "Mixing wildcarded host names and addresses in host lists" &&&
- "SECTmixwilhos"
-.cindex "host list" "mixing names and addresses in"
-If you have name lookups or wildcarded host names and IP addresses in the same
-host list, you should normally put the IP addresses first. For example, in an
-ACL you could have:
-.code
-accept hosts = 10.9.8.7 : *.friend.example
-.endd
-The reason for this lies in the left-to-right way that Exim processes lists.
-It can test IP addresses without doing any DNS lookups, but when it reaches an
-item that requires a host name, it fails if it cannot find a host name to
-compare with the pattern. If the above list is given in the opposite order, the
-&%accept%& statement fails for a host whose name cannot be found, even if its
-IP address is 10.9.8.7.
-
-If you really do want to do the name check first, and still recognize the IP
-address, you can rewrite the ACL like this:
-.code
-accept hosts = *.friend.example
-accept hosts = 10.9.8.7
-.endd
-If the first &%accept%& fails, Exim goes on to try the second one. See chapter
-&<<CHAPACL>>& for details of ACLs.
-
-
-
.section "Address lists" "SECTaddresslist"
expansion item below.
-.new
.vitem "&*${acl{*&<&'name'&>&*}{*&<&'arg'&>&*}...}*&"
.cindex "expansion" "calling an acl"
.cindex "&%acl%&" "call from expansion"
If no message is set and the ACL returns accept or deny
the expansion result is an empty string.
If the ACL returns defer the result is a forced-fail. Otherwise the expansion fails.
-.wen
+.new
+.vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&&
+ {*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting cerificate fields"
+.cindex "&%certextract%&" "certificate fields"
+.cindex "certificate" "extracting fields"
+The <&'certificate'&> must be a variable of type certificate.
+The field name is expanded and used to retrive the relevant field from
+the certificate. Supported fields are:
+.display
+&`version `&
+&`serial_number `&
+&`subject `& RFC4514 DN
+&`issuer `& RFC4514 DN
+&`notbefore `& time
+&`notafter `& time
+&`sig_algorithm `&
+&`signature `&
+&`subj_altname `& tagged list
+&`ocsp_uri `& list
+&`crl_uri `& list
+.endd
+If the field is found,
+<&'string2'&> is expanded, and replaces the whole item;
+otherwise <&'string3'&> is used. During the expansion of <&'string2'&> the
+variable &$value$& contains the value that has been extracted. Afterwards, it
+is restored to any previous value it might have had.
+
+If {<&'string3'&>} is omitted, the item is replaced by an empty string if the
+key is not found. If {<&'string2'&>} is also omitted, the value that was
+extracted is used.
+
+Some field names take optional modifiers, appended and separated by commas.
+
+The field selectors marked as "RFC4514" above
+output a Distinguished Name string which is
+not quite
+parseable by Exim as a comma-separated tagged list
+(the exceptions being elements containin commas).
+RDN elements of a single type may be selected by
+a modifier of the type label; if so the expansion
+result is a list (newline-separated by default).
+The separator may be changed by another modifer of
+a right angle-bracket followed immediately by the new separator.
+Recognised RDN type labels include "CN", "O", "OU" and "DC".
+
+The field selectors marked as "time" above
+may output a number of seconds since epoch
+if the modifier "int" is used.
+
+The field selectors marked as "list" above return a list,
+newline-separated by default,
+(embedded separator characters in elements are doubled).
+The separator may be changed by a modifier of
+a right angle-bracket followed immediately by the new separator.
+
+The field selectors marked as "tagged" above
+prefix each list element with a type string and an equals sign.
+Elements of only one type may be selected by a modifier
+which is one of "dns", "uri" or "mail";
+if so the elenment tags are omitted.
+
+If not otherwise noted field values are presented in human-readable form.
+.wen
+
.vitem "&*${dlfunc{*&<&'file'&>&*}{*&<&'function'&>&*}{*&<&'arg'&>&*}&&&
{*&<&'arg'&>&*}...}*&"
.cindex &%dlfunc%&
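Review bot: several typos in the added certextract text: "cerificate" in the first .cindex line (which will misfile the index entry), "retrive", "containin", "modifer" and "elenment". The fallback paragraph says "if the key is not found" where the rest of the item speaks of a field; "field" would be consistent. The description introduces modifiers (RDN type labels, "int", the separator change, "dns"/"uri"/"mail") but shows no example of the syntax; one short example with a modifier would remove the guesswork.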
&%strlen%&, which gives the length of a string.
+.vitem "&*${listextract{*&<&'number'&>&*}&&&
+ {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting list elements by number"
+.cindex "&%listextract%&" "extract list elements by number"
+.cindex "list" "extracting elements by number"
+The <&'number'&> argument must consist entirely of decimal digits,
+apart from an optional leading minus,
+and leading and trailing white space (which is ignored).
+
+After expansion, <&'string1'&> is interpreted as a list, colon-separated by
+default, but the separator can be changed in the usual way.
+
+The first field of the list is numbered one.
+If the number is negative, the fields are
+counted from the end of the list, with the rightmost one numbered -1.
+The numbered element of the list is extracted and placed in &$value$&,
+then <&'string2'&> is expanded as the result.
+
+If the modulus of the
+number is zero or greater than the number of fields in the string,
+the result is the expansion of <&'string3'&>.
+
+For example:
+.code
+${listextract{2}{x:42:99}}
+.endd
+yields &"42"&, and
+.code
+${listextract{-3}{<, x,42,99,& Mailer,,/bin/bash}{result: $value}}
+.endd
+yields &"result: 99"&.
+
+If {<&'string3'&>} is omitted, an empty string is used for string3.
+If {<&'string2'&>} is also omitted, the value that was
+extracted is used.
+You can use &`fail`& instead of {<&'string3'&>} as in a string extract.
+
+
.vitem "&*${lookup{*&<&'key'&>&*}&~*&<&'search&~type'&>&*&~&&&
{*&<&'file'&>&*}&~{*&<&'string1'&>&*}&~{*&<&'string2'&>&*}}*&"
This is the first of one of two different types of lookup item, which are both
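Review bot: the stated result of the second example looks wrong. The text says negative numbers count from the right with the last element numbered -1. In the comma-separated list x,42,99,& Mailer,,/bin/bash the doubled comma is a literal comma inside one element, so the elements are x, 42, 99 and "& Mailer,/bin/bash", and -3 selects 42. Even if the doubled comma were read as an empty element, -3 would select "& Mailer", so either "result: 99" or the index needs correcting.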
command does not succeed. If both strings are omitted, the result is contents
of the standard output/error on success, and nothing on failure.
-.new
.vindex "&$run_in_acl$&"
The standard output/error of the command is put in the variable &$value$&.
In this ACL example, the output of a command is logged for the admin to
.code
${run{/bin/bash -c "/usr/bin/id >/tmp/id"}{yes}{yes}}
.endd
-.wen
.vindex "&$runrc$&"
The return code from the command is put in the variable &$runrc$&, and this
address. See the &*filter*&, &*map*&, and &*reduce*& items for ways of
processing lists.
-.new
To clarify "list of addresses in RFC 2822 format" mentioned above, Exim follows
a strict interpretation of header line formatting. Exim parses the bare,
unquoted portion of an email address and if it finds a comma, treats it as an
# exim -be '${addresses:From: "Last, First" <user@example.com>}'
user@example.com
.endd
-.wen
.vitem &*${base62:*&<&'digits'&>&*}*&
.cindex "&%base62%& expansion item"
-.new
.vitem &*${hexquote:*&<&'string'&>&*}*&
.cindex "quoting" "hex-encoded unprintable characters"
.cindex "&%hexquote%& expansion item"
escape form. Byte values between 33 (!) and 126 (~) inclusive are left
as is, and other byte values are converted to &`\xNN`&, for example a
byte value 127 is converted to &`\x7f`&.
-.wen
.vitem &*${lc:*&<&'string'&>&*}*&
when &%length%& is used as an operator.
-.new
.vitem &*${listcount:*&<&'string'&>&*}*&
.cindex "expansion" "list item count"
.cindex "list" "item count"
and selects address-, domain-, host- or localpart- lists to search among respectively.
Otherwise all types are searched in an undefined order and the first
matching list is returned.
-.wen
.vitem &*${local_part:*&<&'string'&>&*}*&
.vitem &*${md5:*&<&'string'&>&*}*&
.cindex "MD5 hash"
.cindex "expansion" "MD5 hash"
+.cindex "certificate fingerprint"
.cindex "&%md5%& expansion item"
The &%md5%& operator computes the MD5 hash value of the string, and returns it
as a 32-digit hexadecimal number, in which any letters are in lower case.
.vitem &*${sha1:*&<&'string'&>&*}*&
.cindex "SHA-1 hash"
.cindex "expansion" "SHA-1 hashing"
+.cindex "certificate fingerprint"
.cindex "&%sha2%& expansion item"
The &%sha1%& operator computes the SHA-1 hash value of the string, and returns
it as a 40-digit hexadecimal number, in which any letters are in upper case.
+.vitem &*${sha256:*&<&'certificate'&>&*}*&
+.cindex "SHA-256 hash"
+.cindex "certificate fingerprint"
+.cindex "expansion" "SHA-256 hashing"
+.cindex "&%sha256%& expansion item"
+The &%sha256%& operator computes the SHA-256 hash fingerprint of the
+certificate,
+and returns
+it as a 64-digit hexadecimal number, in which any letters are in upper case.
+Only arguments which are a single variable of certificate type are supported.
+
+
.vitem &*${stat:*&<&'string'&>&*}*&
.cindex "expansion" "statting a file"
.cindex "file" "extracting characteristics"
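Review bot: the md5 and sha1 items gain a "certificate fingerprint" index entry, but their descriptions still speak only of hashing "the string", so the index points at text that never mentions certificates. Suggest adding a sentence to each on certificate-variable arguments, as the new sha256 item has. The case difference is also worth calling out in one place: md5 is documented as returning lower-case hex while sha1 and sha256 return upper case, which matters to anyone comparing fingerprints across operators.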
.cindex "expansion" "case forcing"
.cindex "&%uc%& expansion item"
This forces the letters in the string into upper-case.
+
+.vitem &*${utf8clean:*&<&'string'&>&*}*&
+.cindex "correction of invalid utf-8 sequences in strings"
+.cindex "utf-8" "utf-8 sequences"
+.cindex "incorrect utf-8"
+.cindex "expansion" "utf-8 forcing"
+.cindex "&%utf8clean%& expansion item"
+This replaces any invalid utf-8 sequence in the string by the character &`?`&.
.endlist
10M, not if 10M is larger than &$message_size$&.
-.new
.vitem &*acl&~{{*&<&'name'&>&*}{*&<&'arg1'&>&*}&&&
{*&<&'arg2'&>&*}...}*&
.cindex "expansion" "calling an acl"
the result of the expansion, otherwise it is empty.
If the ACL returns accept the condition is true; if deny, false.
If the ACL returns defer the result is a forced-fail.
-.wen
.vitem &*bool&~{*&<&'string'&>&*}*&
.cindex "expansion" "boolean parsing"
.cindex "&%bool%& expansion condition"
This condition turns a string holding a true or false representation into
a boolean state. It parses &"true"&, &"false"&, &"yes"& and &"no"&
-(case-insensitively); also positive integer numbers map to true if non-zero,
+(case-insensitively); also integer numbers map to true if non-zero,
false if zero.
An empty string is treated as false.
Leading and trailing whitespace is ignored;
The value of &$item$& is saved and restored while &*forany*& or &*forall*& is
being processed, to enable these expansion items to be nested.
-.new "To scan a named list, expand it with the &*listnamed*& operator."
+To scan a named list, expand it with the &*listnamed*& operator.
.vitem &*ge&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&&
process. However, a trusted user can override this by means of the &%-oMai%&
command line option.
-.new
.vitem &$authenticated_fail_id$&
.cindex "authentication" "fail" "id"
.vindex "&$authenticated_fail_id$&"
A message to a local recipient could still be accepted without requiring
authentication, which means this variable could also be visible in all of
the ACL's as well.
-.wen
.vitem &$authenticated_sender$&
be terminated by colon or white space, because it may contain a wide variety of
characters. Note also that braces must &'not'& be used.
-.new
.vitem &$headers_added$&
.vindex "&$headers_added$&"
Within an ACL this variable contains the headers added so far by
the ACL modifier add_header (section &<<SECTaddheadacl>>&).
The headers are a newline-separated list.
-.wen
.vitem &$home$&
.vindex "&$home$&"
the space value is -1. See also the &%check_log_space%& option.
+.new
+.vitem &$lookup_dnssec_authenticated$&
+.vindex "&$lookup_dnssec_authenticated$&"
+This variable is set after a DNS lookup done by
+a dnsdb lookup expansion, dnslookup router or smtp transport.
+It will be empty if &(DNSSEC)& was not requested,
+&"no"& if the result was not labelled as authenticated data
+and &"yes"& if it was.
+.wen
+
.vitem &$mailstore_basename$&
.vindex "&$mailstore_basename$&"
This variable is set only when doing deliveries in &"mailstore"& format in the
.vindex "&$return_size_limit$&"
This is an obsolete name for &$bounce_return_size_limit$&.
-.new
.vitem &$router_name$&
.cindex "router" "name"
.cindex "name" "of router"
.vindex "&$router_name$&"
During the running of a router this variable contains its name.
-.wen
.vitem &$runrc$&
.cindex "return code" "from &%run%& expansion"
received. It is empty if there was no successful authentication. See also
&$authenticated_id$&.
-.new
.vitem &$sender_host_dnssec$&
.vindex "&$sender_host_dnssec$&"
If &$sender_host_name$& has been populated (by reference, &%hosts_lookup%& or
It is likely that you will need to coerce DNSSEC support on in the resolver
library, by setting:
.code
-dns_use_dnssec = 1
+dns_dnssec_ok = 1
.endd
Exim does not perform DNSSEC validation itself, instead leaving that to a
If you have changed &%host_lookup_order%& so that &`bydns`& is not the first
mechanism in the list, then this variable will be false.
-.wen
.vitem &$sender_host_name$&
command, which can be found in the separate document entitled &'Exim's
interfaces to mail filtering'&.
-.new
.vitem &$tls_in_bits$&
.vindex "&$tls_in_bits$&"
Contains an approximation of the TLS cipher's bit-strength
this depends upon the TLS implementation used.
If TLS has not been negotiated, the value will be 0.
+.new
+.vitem &$tls_in_ourcert$&
+.vindex "&$tls_in_ourcert$&"
+This variable refers to the certificate presented to the peer of an
+inbound connection when the message was received.
+It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
+.new
+.vitem &$tls_in_peercert$&
+.vindex "&$tls_in_peercert$&"
+This variable refers to the certificate presented by the peer of an
+inbound connection when the message was received.
+It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
+.new
+.vitem &$tls_out_ourcert$&
+.vindex "&$tls_out_ourcert$&"
+This variable refers to the certificate presented to the peer of an
+outbound connection. It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
+.new
+.vitem &$tls_out_peercert$&
+.vindex "&$tls_out_peercert$&"
+This variable refers to the certificate presented by the peer of an
+outbound connection. It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
.vitem &$tls_in_certificate_verified$&
.vindex "&$tls_in_certificate_verified$&"
This variable is set to &"1"& if a TLS certificate was verified when the
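Review bot: all four new variables ($tls_in_ourcert, $tls_in_peercert, $tls_out_ourcert, $tls_out_peercert) list "&%certextract%& expansion item, &%md5%& or &%sha1%& operator, or a &%def%& condition" as their only uses, omitting the sha256 operator that this same patch adds specifically for certificate variables. Suggest adding &%sha256%& to each list.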
During outbound
SMTP deliveries, this variable reflects the value of the &%tls_sni%& option on
the transport.
-.wen
.vitem &$tod_bsdinbox$&
.vindex "&$tod_bsdinbox$&"
This variable contains the UTC date and time in &"Zulu"& format, as specified
by ISO 8601, for example: 20030221154023Z.
-.new
.vitem &$transport_name$&
.cindex "transport" "name"
.cindex "name" "of transport"
.vindex "&$transport_name$&"
During the running of a transport, this variable contains its name.
-.wen
.vitem &$value$&
.vindex "&$value$&"
.row &%acl_smtp_auth%& "ACL for AUTH"
.row &%acl_smtp_connect%& "ACL for connection"
.row &%acl_smtp_data%& "ACL for DATA"
+.row &%acl_smtp_data_prdr%& "ACL for DATA, per-recipient"
.row &%acl_smtp_dkim%& "ACL for DKIM verification"
.row &%acl_smtp_etrn%& "ACL for ETRN"
.row &%acl_smtp_expn%& "ACL for EXPN"
.row &%tls_crl%& "certificate revocation list"
.row &%tls_dh_max_bits%& "clamp D-H bit count suggestion"
.row &%tls_dhparam%& "DH parameters for server"
+.row &%tls_ocsp_file%& "location of server certificate status proof"
.row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports"
.row &%tls_privatekey%& "location of server private key"
.row &%tls_remember_esmtp%& "don't reset after starting TLS"
.row &%ignore_fromline_hosts%& "allow &""From ""& from these hosts"
.row &%ignore_fromline_local%& "allow &""From ""& from local SMTP"
.row &%pipelining_advertise_hosts%& "advertise pipelining to these hosts"
+.row &%prdr_enable%& "advertise PRDR to all hosts"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.endtable
.row &%disable_ipv6%& "do no IPv6 processing"
.row &%dns_again_means_nonexist%& "for broken domains"
.row &%dns_check_names_pattern%& "pre-DNS syntax check"
+.row &%dns_dnssec_ok%& "parameter for resolver"
.row &%dns_ipv4_lookup%& "only v4 lookup for these domains"
.row &%dns_retrans%& "parameter for resolver"
.row &%dns_retry%& "parameter for resolver"
-.row &%dns_use_dnssec%& "parameter for resolver"
.row &%dns_use_edns0%& "parameter for resolver"
.row &%hold_domains%& "hold delivery for these domains"
.row &%local_interfaces%& "for routing checks"
&url(http://cr.yp.to/smtp/8bitmime.html)
.endd
-.new
To log received 8BITMIME status use
.code
log_selector = +8bitmime
.endd
-.wen
.option acl_not_smtp main string&!! unset
.cindex "&ACL;" "for non-SMTP messages"
processed and the message itself has been received, but before the final
acknowledgment is sent. See chapter &<<CHAPACL>>& for further details.
+.option acl_smtp_data_prdr main string&!! unset
+.cindex "DATA" "ACL for"
+.cindex "&ACL;" "PRDR-related"
+.cindex "&ACL;" "per-user data processing"
+This option defines the ACL that,
+if the PRDR feature has been negotiated,
+is run for each recipient after an SMTP DATA command has been
+processed and the message itself has been received, but before the
+acknowledgment is sent. See chapter &<<CHAPACL>>& for further details.
+
.option acl_smtp_etrn main string&!! unset
.cindex "ETRN" "ACL for"
This option defines the ACL that is run when an SMTP ETRN command is
.code
delay_warning = 2h:12h:99d
.endd
+Note that the option is only evaluated at the time a delivery attempt fails,
+which depends on retry and queue-runner configuration.
+Typically retries will be configured more frequently than warning messages.
.option delay_warning_condition main string&!! "see below"
.vindex "&$domain$&"
reversed and looked up in the reverse DNS, as described in more detail in
section &<<SECTverifyCSA>>&.
+
+.option dns_dnssec_ok main integer -1
+.cindex "DNS" "resolver options"
+.cindex "DNS" "DNSSEC"
+If this option is set to a non-negative number then Exim will initialise the
+DNS resolver library to either use or not use DNSSEC, overriding the system
+default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on.
+
+If the resolver library does not support DNSSEC then this option has no effect.
+
+
.option dns_ipv4_lookup main "domain list&!!" unset
.cindex "IPv6" "DNS lookup for AAAA records"
.cindex "DNS" "IPv6 lookup for AAAA records"
See &%dns_retrans%& above.
-.new
-.option dns_use_dnssec main integer -1
-.cindex "DNS" "resolver options"
-.cindex "DNS" "DNSSEC"
-If this option is set to a non-negative number then Exim will initialise the
-DNS resolver library to either use or not use DNSSEC, overriding the system
-default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on.
-
-If the resolver library does not support DNSSEC then this option has no effect.
-.wen
-
-
.option dns_use_edns0 main integer -1
.cindex "DNS" "resolver options"
.cindex "DNS" "EDNS0"
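Review bot: dns_use_dnssec is removed outright here and from the option table, and dns_dnssec_ok is added with identical text, but nothing tells an administrator that the option was renamed or whether the old name is still accepted. Suggest a one-line note under dns_dnssec_ok giving the former name, so a configuration that still sets dns_use_dnssec can be traced to its replacement.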
implementations of TLS.
-.new
option gnutls_allow_auto_pkcs11 main boolean unset
This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with
the p11-kit configuration files in &_/etc/pkcs11/modules/_&.
See
&url(http://www.gnutls.org/manual/gnutls.html#Smart-cards-and-HSMs)
for documentation.
-.wen
.next
&`no_tlsv1_2`&
.next
-.new
&`safari_ecdhe_ecdsa_bug`&
-.wen
.next
&`single_dh_use`&
.next
&`tls_rollback_bug`&
.endlist
-.new
As an aside, the &`safari_ecdhe_ecdsa_bug`& item is a misnomer and affects
all clients connecting using the MacOS SecureTransport TLS facility prior
to MacOS 10.8.4, including email clients. If you see old MacOS clients failing
to negotiate TLS then this option value might help, provided that your OpenSSL
release is new enough to contain this work-around. This may be a situation
where you have to upgrade OpenSSL to get buggy clients working.
-.wen
.option oracle_servers main "string list" unset
not count as protocol errors (see &%smtp_max_synprot_errors%&).
+.option prdr_enable main boolean false
+.cindex "PRDR" "enabling on server"
+This option can be used to enable the Per-Recipient Data Response extension
+to SMTP, defined by Eric Hall.
+If the option is set, PRDR is advertised by Exim when operating as a server.
+If the client requests PRDR, and more than one recipient, for a message
+an additional ACL is called for each recipient after the message content
+is recieved. See section &<<SECTPRDRACL>>&.
+
.option preserve_message_logs main boolean false
.cindex "message logs" "preserving"
If this option is set, message log files are not deleted when messages are
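Review bot: in the prdr_enable description, "If the client requests PRDR, and more than one recipient, for a message" is hard to parse and "recieved" is misspelled. Suggest "If the client requests PRDR for a message with more than one recipient, an additional ACL is called for each recipient after the message content is received", and name the ACL (&%acl_smtp_data_prdr%&) here instead of leaving it to the section reference.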
Some of these will be too small to be accepted by clients.
Some may be too large to be accepted by clients.
-.new
The TLS protocol does not negotiate an acceptable size for this; clients tend
to hard-drop connections if what is offered by the server is unacceptable,
whether too large or too small, and there's no provision for the client to
mail user agents (MUAs). The lower bound comes from Debian installs of Exim4
prior to the 4.80 release, as Debian used to patch Exim to raise the minimum
acceptable bound from 1024 to 2048.
-.wen
+
+
+.option tls_ocsp_file main string&!! unset
+This option
+must if set expand to the absolute path to a file which contains a current
+status proof for the server's certificate, as obtained from the
+Certificate Authority.
.option tls_on_connect_ports main "string list" unset
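Review bot: the tls_ocsp_file entry has no .cindex lines, so the option cannot be found under OCSP or TLS in the index, and "must if set expand to" reads awkwardly. Suggest "If set, this option must expand to the absolute path of a file ..." plus index entries, and a pointer to the OCSP stapling text in the TLS chapter, which is where the DER format requirement is stated.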
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
-.new
A forced expansion failure or setting to an empty string is equivalent to
being unset.
-.wen
.option tls_verify_hosts main "host list&!!" unset
-.option headers_add routers string&!! unset
+.option headers_add routers list&!! unset
.cindex "header lines" "adding"
.cindex "router" "adding header lines"
-This option specifies a string of text that is expanded at routing time, and
-associated with any addresses that are accepted by the router. However, this
+This option specifies a list of text headers, newline-separated,
+that is associated with any addresses that are accepted by the router.
+Each item is separately expanded, at routing time. However, this
option has no effect when an address is just being verified. The way in which
the text is used to add header lines at transport time is described in section
&<<SECTheadersaddrem>>&. New header lines are not actually added until the
&"see"& the added header lines.
The &%headers_add%& option is expanded after &%errors_to%&, but before
-&%headers_remove%& and &%transport%&. If the expanded string is empty, or if
-the expansion is forced to fail, the option has no effect. Other expansion
+&%headers_remove%& and &%transport%&. If an item is empty, or if
+an item expansion is forced to fail, the item has no effect. Other expansion
failures are treated as configuration errors.
-.new
Unlike most options, &%headers_add%& can be specified multiple times
for a router; all listed headers are added.
-.wen
&*Warning 1*&: The &%headers_add%& option cannot be used for a &(redirect)&
router that has the &%one_time%& option set.
-.option headers_remove routers string&!! unset
+.option headers_remove routers list&!! unset
.cindex "header lines" "removing"
.cindex "router" "removing header lines"
-This option specifies a string of text that is expanded at routing time, and
-associated with any addresses that are accepted by the router. However, this
+This option specifies a list of text headers, colon-separated,
+that is associated with any addresses that are accepted by the router.
+Each item is separately expanded, at routing time. However, this
option has no effect when an address is just being verified. The way in which
the text is used to remove header lines at transport time is described in
section &<<SECTheadersaddrem>>&. Header lines are not actually removed until
&"see"& the original header lines.
The &%headers_remove%& option is expanded after &%errors_to%& and
-&%headers_add%&, but before &%transport%&. If the expansion is forced to fail,
-the option has no effect. Other expansion failures are treated as configuration
+&%headers_add%&, but before &%transport%&. If an item expansion is forced to fail,
+the item has no effect. Other expansion failures are treated as configuration
errors.
Unlike most options, &%headers_remove%& can be specified multiple times
.oindex "&%-bv%&"
.cindex "router" "used only when verifying"
If this option is set, the router is used only when verifying an address,
-.new "delivering in cutthrough mode or"
+delivering in cutthrough mode or
testing with the &%-bv%& option, not when actually doing a delivery, testing
with the &%-bt%& option, or running the SMTP EXPN command. It can be further
restricted to verifying only senders or recipients by means of
+.new
+.option dnssec_request_domains dnslookup "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
+.new
+.option dnssec_require_domains dnslookup "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set wil be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
.option mx_domains dnslookup "domain list&!!" unset
.cindex "MX record" "required to exist"
.cindex "SRV record" "required to exist"
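Review bot: the description under dnssec_require_domains opens with "DNS lookups for domains matching &%dnssec_request_domains%&", copied from the option above, so the text never says that the require list is the one that enforces the AD bit. Change the reference to &%dnssec_require_domains%&, correct "wil" to "will", and add the missing comma in "MX A6" (in both options). It should also say whether a domain has to be in both lists or whether require implies request.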
.endd
is interpreted as a pipe with a rather strange command name, and no arguments.
-.new
Note that the above example assumes that the text comes from a lookup source
of some sort, so that the quotes are part of the data. If composing a
redirect router with a &%data%& option directly specifying this command, the
data itself, or avoid using this mechanism and instead create a custom
transport with the &%command%& option set and reference that transport from
an &%accept%& router.
-.wen
.next
.cindex "file" "in redirection list"
option is not working properly, &%debug_print%& could be used to output the
variables it references. A newline is added to the text if it does not end with
one.
-.new
The variables &$transport_name$& and &$router_name$& contain the name of the
transport and the router that called it.
-.wen
.option delivery_date_add transports boolean false
.cindex "&'Delivery-date:'& header line"
&%user%& (see below).
-.option headers_add transports string&!! unset
+.option headers_add transports list&!! unset
.cindex "header lines" "adding in transport"
.cindex "transport" "header lines; adding"
-This option specifies a string of text that is expanded and added to the header
+This option specifies a list of text headers, newline-separated,
+which are (separately) expanded and added to the header
portion of a message as it is transported, as described in section
&<<SECTheadersaddrem>>&. Additional header lines can also be specified by
routers. If the result of the expansion is an empty string, or if the expansion
is forced to fail, no action is taken. Other expansion failures are treated as
errors and cause the delivery to be deferred.
-.new
Unlike most options, &%headers_add%& can be specified multiple times
for a transport; all listed headers are added.
-.wen
.option headers_only transports boolean false
checked, since this option does not automatically suppress them.
-.option headers_remove transports string&!! unset
+.option headers_remove transports list&!! unset
.cindex "header lines" "removing"
.cindex "transport" "header lines; removing"
-This option specifies a string that is expanded into a list of header names;
+This option specifies a list of header names, colon-separated;
these headers are omitted from the message as it is transported, as described
in section &<<SECTheadersaddrem>>&. Header removal can also be specified by
-routers. If the result of the expansion is an empty string, or if the expansion
+routers.
+Each list item is separately expanded.
+If the result of the expansion is an empty string, or if the expansion
is forced to fail, no action is taken. Other expansion failures are treated as
errors and cause the delivery to be deferred.
Unlike most options, &%headers_remove%& can be specified multiple times
-for a router; all listed headers are added.
+for a router; all listed headers are removed.
avoids any problems with spaces or shell metacharacters, and is of use when a
&(pipe)& transport is handling groups of addresses in a batch.
-.new
If &%force_command%& is enabled on the transport, Special handling takes place
for an argument that consists of precisely the text &`$address_pipe`&. It
is handled similarly to &$pipe_addresses$& above. It is expanded and each
the only item in the argument; in fact, if it were then &%force_command%&
should behave as a no-op. Rather, it should be used to adjust the command
run while preserving the argument vector separation.
-.wen
After splitting up into arguments and expansion, the resulting command is run
in a subprocess directly from the transport, &'not'& under a shell. The
frozen in Exim's queue instead.
-.new
.option force_command pipe boolean false
.cindex "force command"
.cindex "&(pipe)& transport", "force command"
Note that &$address_pipe$& is handled specially in &%command%& when
&%force_command%& is set, expanding out to the original argument vector as
separate items, similarly to a Unix shell &`"$@"`& construct.
-.wen
.option ignore_status pipe boolean false
If this option is true, the status returned by the subprocess that is set up to
are in force when any authenticators are run and when the
&%authenticated_sender%& option is expanded.
-.new
These variables are deprecated in favour of &$tls_in_cipher$& et. al.
and will be removed in a future release.
-.wen
.section "Private options for smtp" "SECID146"
.new
+.option dnssec_request_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
+.new
+.option dnssec_require_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set wil be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
.option dscp smtp string&!! unset
.cindex "DCSP" "outbound"
This option causes the DSCP value associated with a socket to be set to one
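Review bot: the smtp transport copy of dnssec_require_domains carries the same wrong reference to &%dnssec_request_domains%& in its first sentence, along with "wil" and "MX A6". Since an administrator relies on this option to reject unauthenticated DNS answers for outbound delivery, the description needs to name the right option and say what a lookup failure means for the message (deferred or bounced).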
that these values will have any effect, not be stripped by networking
equipment, or do much of anything without cooperation with your Network
Engineer and those of all network operators between the source and destination.
-.wen
.option fallback_hosts smtp "string list" unset
Exim will not try to start a TLS session when delivering to any host that
matches this list. See chapter &<<CHAPTLS>>& for details of TLS.
-.new
.option hosts_verify_avoid_tls smtp "host list&!!" *
.cindex "TLS" "avoiding for certain hosts"
Exim will not try to start a TLS session for a verify callout,
or when delivering in cutthrough mode,
to any host that matches this list.
Note that the default is to not use TLS.
-.wen
.option hosts_max_try smtp integer 5
&<<CHAPSMTPAUTH>>& for details of authentication.
+.option hosts_request_ocsp smtp "host list&!!" *
+.cindex "TLS" "requiring for certain servers"
+Exim will request a Certificate Status on a
+TLS session for any host that matches this list.
+&%tls_verify_certificates%& should also be set for the transport.
+
+.option hosts_require_ocsp smtp "host list&!!" unset
+.cindex "TLS" "requiring for certain servers"
+Exim will request, and check for a valid Certificate Status being given, on a
+TLS session for any host that matches this list.
+&%tls_verify_certificates%& should also be set for the transport.
+
.option hosts_require_tls smtp "host list&!!" unset
.cindex "TLS" "requiring for certain servers"
Exim will insist on using a TLS session when delivering to any host that
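Review bot: both hosts_request_ocsp and hosts_require_ocsp are indexed as .cindex "TLS" "requiring for certain servers", which is the entry for hosts_require_tls below, so neither option appears under OCSP. Give them their own index entries. The text should also say what happens for hosts_require_ocsp when no valid status is returned, and what hosts_request_ocsp does under its default of * when &%tls_verify_certificates%& is not set.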
unauthenticated. See also &%hosts_require_auth%&, and chapter
&<<CHAPSMTPAUTH>>& for details of authentication.
+.option hosts_try_prdr smtp "host list&!!" unset
+.cindex "PRDR" "enabling, optional in client"
+This option provides a list of servers to which, provided they announce
+PRDR support, Exim will attempt to negotiate PRDR
+for multi-recipient messages.
+
.option interface smtp "string list&!!" unset
.cindex "bind IP address"
.cindex "IP address" "binding"
be the name of a file that contains a CRL in PEM format.
-.new
.option tls_dh_min_bits smtp integer 1024
.cindex "TLS" "Diffie-Hellman minimum acceptable size"
When establishing a TLS session, if a ciphersuite which uses Diffie-Hellman
will fail.
Only supported when using GnuTLS.
-.wen
.option tls_privatekey smtp string&!! unset
in clear.
+.option tls_try_verify_hosts smtp "host list&!! unset
+.cindex "TLS" "server certificate verification"
+.cindex "certificate" "verification of server"
+This option gives a list of hosts for which, on encrypted connections,
+certificate verification will be tried but need not succeed.
+The &%tls_verify_certificates%& option must also be set.
+Note that unless the host is in this list
+TLS connections will be denied to hosts using self-signed certificates
+when &%tls_verify_certificates%& is set.
+The &$tls_out_certificate_verified$& variable is set when
+certificate verification succeeds.
+
+
.option tls_verify_certificates smtp string&!! unset
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
&$host_address$& are set to the name and address of the server during the
expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS.
+For back-compatability,
+if neither tls_verify_hosts nor tls_try_verify_hosts are set
+and certificate verification fails the TLS connection is closed.
+
+
+.option tls_verify_hosts smtp "host list&!! unset
+.cindex "TLS" "server certificate verification"
+.cindex "certificate" "verification of server"
+This option gives a list of hosts for which. on encrypted connections,
+certificate verification must succeed.
+The &%tls_verify_certificates%& option must also be set.
+If both this option and &%tls_try_verify_hosts%& are unset
+operation is as if this option selected all hosts.
+
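Review bot: the .option lines for tls_try_verify_hosts and tls_verify_hosts are missing the closing quote on the type, "host list&!! unset, where every other entry has "host list&!!" unset. In the tls_verify_hosts text "for which. on encrypted connections" has a full stop where a comma is meant, "back-compatability" is misspelled, and tls_verify_hosts and tls_try_verify_hosts in that sentence lack the &%...%& markup used everywhere else.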
.endd
-.new
.option client_set_id authenticators string&!! unset
When client authentication succeeds, this condition is expanded; the
result is used in the log lines for outbound messasges.
Typically it will be the user name used for authentication.
-.wen
.option driver authenticators string unset
generic &%server_set_id%& option is expanded and saved in &$authenticated_id$&.
For any other result, a temporary error code is returned, with the expanded
string as the error text
-.new ", and the failed id saved in &$authenticated_fail_id$&."
&*Warning*&: If you use a lookup in the expansion to find the user's
password, be sure to make the authentication fail if the user is unknown.
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
- server_set_id = $auth2
+ server_set_id = $auth1
dovecot_ntlm:
driver = dovecot
The &%tls_require_ciphers%& options operate differently, as described in the
sections &<<SECTreqciphssl>>& and &<<SECTreqciphgnu>>&.
.next
-.new
The &%tls_dh_min_bits%& SMTP transport option is only honoured by GnuTLS.
When using OpenSSL, this option is ignored.
(If an API is found to let OpenSSL be configured in this way,
let the Exim Maintainers know and we'll likely use it).
-.wen
.next
Some other recently added features may only be available in one or the other.
This should be documented with the feature. If the documentation does not
contexts is known as TLS_RSA_WITH_3DES_EDE_CBC_SHA. Check the OpenSSL or GnuTLS
documentation for more details.
-.new
For outgoing SMTP deliveries, &$tls_out_cipher$& is used and logged
(again depending on the &%tls_cipher%& log selector).
-.wen
.section "Requesting and verifying client certificates" "SECID183"
.cindex "TLS" "revoked certificates"
.cindex "revocation list"
.cindex "certificate" "revocation list"
+.cindex "OCSP" "stapling"
Certificate issuing authorities issue Certificate Revocation Lists (CRLs) when
certificates are revoked. If you have such a list, you can pass it to an Exim
server using the global option called &%tls_crl%& and to an Exim client using
an identically named option for the &(smtp)& transport. In each case, the value
of the option is expanded and must then be the name of a file that contains a
CRL in PEM format.
+The downside is that clients have to periodically re-download a potentially huge
+file from every certificate authority the know of.
+
+The way with most moving parts at query time is Online Certificate
+Status Protocol (OCSP), where the client verifies the certificate
+against an OCSP server run by the CA. This lets the CA track all
+usage of the certs. It requires running software with access to the
+private key of the CA, to sign the responses to the OCSP queries. OCSP
+is based on HTTP and can be proxied accordingly.
+
+The only widespread OCSP server implementation (known to this writer)
+comes as part of OpenSSL and aborts on an invalid request, such as
+connecting to the port and then disconnecting. This requires
+re-entering the passphrase each time some random client does this.
+
+The third way is OCSP Stapling; in this, the server using a certificate
+issued by the CA periodically requests an OCSP proof of validity from
+the OCSP server, then serves it up inline as part of the TLS
+negotiation. This approach adds no extra round trips, does not let the
+CA track users, scales well with number of certs issued by the CA and is
+resilient to temporary OCSP server failures, as long as the server
+starts retrying to fetch an OCSP proof some time before its current
+proof expires. The downside is that it requires server support.
+
+Unless Exim is built with the support disabled,
+or with GnuTLS earlier than version 3.1.3,
+support for OCSP stapling is included.
+
+There is a global option called &%tls_ocsp_file%&.
+The file specified therein is expected to be in DER format, and contain
+an OCSP proof. Exim will serve it as part of the TLS handshake. This
+option will be re-expanded for SNI, if the &%tls_certificate%& option
+contains &`tls_in_sni`&, as per other TLS options.
+
+Exim does not at this time implement any support for fetching a new OCSP
+proof. The burden is on the administrator to handle this, outside of
+Exim. The file specified should be replaced atomically, so that the
+contents are always valid. Exim will expand the &%tls_ocsp_file%& option
+on each connection, so a new file will be handled transparently on the
+next connection.
+
+When built with OpenSSL Exim will check for a valid next update timestamp
+in the OCSP proof; if not present, or if the proof has expired, it will be
+ignored.
+
+For the client to be able to verify the stapled OCSP the server must
+also supply, in its stapled information, any intermediate
+certificates for the chain leading to the OCSP proof from the signer
+of the server certificate. There may be zero or one such. These
+intermediate certificates should be added to the server OCSP stapling
+file named by &%tls_ocsp_file%&.
+
+Note that the proof only covers the terminal server certificate,
+not any of the chain from CA to it.
+
+.code
+ A helper script "ocsp_fetch.pl" for fetching a proof from a CA
+ OCSP server is supplied. The server URL may be included in the
+ server certificate, if the CA is helpful.
+
+ One failure mode seen was the OCSP Signer cert expiring before the end
+ of validity of the OCSP proof. The checking done by Exim/OpenSSL
+ noted this as invalid overall, but the re-fetch script did not.
+.endd
+
+
.section "Configuring an Exim client to use TLS" "SECID185"
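Review bot: the two paragraphs about ocsp_fetch.pl and the expired OCSP signer certificate are wrapped in .code/.endd although they are prose, so they will be typeset as a literal block. The second one describes a case where Exim/OpenSSL rejects the proof but the re-fetch script does not notice, which is exactly what an administrator needs to read, so it should be ordinary text. Also "the know of" should be "they know of", &`tls_in_sni`& should use the variable markup, and "The third way" follows a list that was never numbered.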
expected server certificates. The client verifies the server's certificate
against this collection, taking into account any revoked certificates that are
in the list defined by &%tls_crl%&.
+Failure to verify fails the TLS connection unless either of the
+&%tls_verify_hosts%& or &%tls_try_verify_hosts%& options are set.
+
+The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict
+certificate verification to the listed servers. Verification either must
+or need not succeed respectively.
+
+The &(smtp)& transport has two OCSP-related options:
+&%hosts_require_ocsp%&; a host-list for which a Certificate Status
+is requested and required for the connection to proceed. The default
+value is empty.
+&%hosts_request_ocsp%&; a host-list for which (additionally)
+a Certificate Status is requested (but not necessarily verified). The default
+value is "*" meaning that requests are made unless configured
+otherwise.
+
+The host(s) should also be in &%hosts_require_tls%&, and
+&%tls_verify_certificates%& configured for the transport,
+for OCSP to be relevant.
If
&%tls_require_ciphers%& is set on the &(smtp)& transport, it must contain a
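Review bot: "Failure to verify fails the TLS connection unless either of the &%tls_verify_hosts%& or &%tls_try_verify_hosts%& options are set" reads as if setting tls_verify_hosts makes a failed verification acceptable, while the option text added by this patch says verification must succeed for those hosts. Reword so that only a match in &%tls_try_verify_hosts%& lets the connection continue. The two OCSP options would read better as a list than as one sentence joined with semicolons.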
.next
.vindex "&%tls_verify_certificates%&"
&%tls_verify_certificates%&
+.next
+.vindex "&%tls_ocsp_file%&"
+&%tls_verify_certificates%&
.endlist
Great care should be taken to deal with matters of case, various injection
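Review bot: the new list item has .vindex "&%tls_ocsp_file%&" but the item text is &%tls_verify_certificates%&, duplicating the entry above it. The item should read &%tls_ocsp_file%&, otherwise the list of options re-expanded for SNI never mentions the OCSP file.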
root certificate along with the rest makes it available for the user to
install if the receiving end is a client MUA that can interact with a user.
+Note that certificates using MD5 are unlikely to work on today's Internet;
+even if your libraries allow loading them for use in Exim when acting as a
+server, increasingly clients will not accept such certificates. The error
+diagnostics in such a case can be frustratingly vague.
+
+
.section "Self-signed certificates" "SECID187"
.cindex "certificate" "self-signed"
You can create a self-signed certificate using the &'req'& command provided
with OpenSSL, like this:
-.new
. ==== Do not shorten the duration here without reading and considering
. ==== the text below. Please leave it at 9999 days.
-.wen
.code
openssl req -x509 -newkey rsa:1024 -keyout file1 -out file2 \
-days 9999 -nodes
prompting for the passphrase. This is not helpful if you are going to use
this certificate and key in an MTA, where prompting is not possible.
-.new
. ==== I expect to still be working 26 years from now. The less technical
. ==== debt I create, in terms of storing up trouble for my later years, the
. ==== happier I will be then. We really have reached the point where we
writing, reducing the duration is the most likely choice, but the inexorable
progression of time takes us steadily towards an era where this will not
be a sensible resolution).
-.wen
A self-signed certificate made in this way is sufficient for testing, and
may be adequate for all your requirements if you are mainly interested in
.cindex "SMTP" "connection, ACL for"
.cindex "non-SMTP messages" "ACLs for"
.cindex "MIME content scanning" "ACL for"
+.cindex "PRDR" "ACL for"
.table2 140pt
.irow &%acl_not_smtp%& "ACL for non-SMTP messages"
.irow &%acl_smtp_auth%& "ACL for AUTH"
.irow &%acl_smtp_connect%& "ACL for start of SMTP connection"
.irow &%acl_smtp_data%& "ACL after DATA is complete"
+.irow &%acl_smtp_data_prdr%& "ACL for each recipient, after DATA is complete"
.irow &%acl_smtp_etrn%& "ACL for ETRN"
.irow &%acl_smtp_expn%& "ACL for EXPN"
.irow &%acl_smtp_helo%& "ACL for HELO or EHLO"
and try again later, but that is their problem, though it does waste some of
your resources.
-.new
-The &%acl_smtp_data%& ACL is run after both the &%acl_smtp_dkim%& and
-the &%acl_smtp_mime%& ACLs.
-.wen
+The &%acl_smtp_data%& ACL is run after
+the &%acl_smtp_data_prdr%&,
+the &%acl_smtp_dkim%&
+and the &%acl_smtp_mime%& ACLs.
.section "The SMTP DKIM ACL" "SECTDKIMACL"
The &%acl_smtp_dkim%& ACL is available only when Exim is compiled with DKIM support
received, and is executed for each DKIM signature found in a message. If not
otherwise specified, the default action is to accept.
-.new
This ACL is evaluated before &%acl_smtp_mime%& and &%acl_smtp_data%&.
For details on the operation of DKIM, see chapter &<<CHAPdkim>>&.
-.wen
.section "The SMTP MIME ACL" "SECID194"
This ACL is evaluated after &%acl_smtp_dkim%& but before &%acl_smtp_data%&.
+.section "The SMTP PRDR ACL" "SECTPRDRACL"
+.oindex "&%prdr_enable%&"
+The &%acl_smtp_data_prdr%& ACL is available only when Exim is compiled
+with PRDR support enabled (which is the default).
+It becomes active only when the PRDR feature is negotiated between
+client and server for a message, and more than one recipient
+has been accepted.
+
+The ACL test specfied by &%acl_smtp_data_prdr%& happens after a message
+has been recieved, and is executed for each recipient of the message.
+The test may accept or deny for inividual recipients.
+The &%acl_smtp_data%& will still be called after this ACL and
+can reject the message overall, even if this ACL has accepted it
+for some or all recipients.
+
+PRDR may be used to support per-user content filtering. Without it
+one must defer any recipient after the first that has a different
+content-filter configuration. With PRDR, the RCPT-time check
+for this can be disabled when the MAIL-time $smtp_command included
+"PRDR". Any required difference in behaviour of the main DATA-time
+ACL should however depend on the PRDR-time ACL having run, as Exim
+will avoid doing so in some situations (eg. single-recipient mails).
+
+See also the &%prdr_enable%& global option
+and the &%hosts_try_prdr%& smtp transport option.
+
+This ACL is evaluated after &%acl_smtp_dkim%& but before &%acl_smtp_data%&.
+If the ACL is not defined, processing completes as if
+the feature was not requested by the client.
+
.section "The QUIT ACL" "SECTQUITACL"
.cindex "QUIT, ACL for"
The ACL for the SMTP QUIT command is anomalous, in that the outcome of the ACL
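Review bot: the PRDR section says this ACL runs "after &%acl_smtp_dkim%& but before &%acl_smtp_data%&", the same wording the MIME ACL section uses, so the order of the PRDR and MIME ACLs relative to each other is left undefined. State it explicitly, since per-recipient content filtering may depend on MIME results. Also fix "specfied", "recieved" and "inividual", and mark up $smtp_command as &$smtp_command$&.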
effect.
-.new
.vitem &*remove_header*&&~=&~<&'text'&>
This modifier specifies one or more header names in a colon-separated list
that are to be removed from an incoming message, assuming, of course, that
the message is ultimately accepted. For details, see section &<<SECTremoveheadacl>>&.
-.wen
.vitem &*set*&&~<&'acl_name'&>&~=&~<&'value'&>
&<<SECTaclvariables>>&).
-.new
.vitem &*udpsend*&&~=&~<&'parameters'&>
This modifier sends a UDP packet, for purposes such as statistics
collection or behaviour monitoring. The parameters are expanded, and
udpsend = <; 2001:dB8::dead:beef ; 1234 ;\
$tod_zulu $sender_host_address
.endd
-.wen
.endlist
is what is wanted for subsequent tests.
-.new
.vitem &*control&~=&~cutthrough_delivery*&
.cindex "&ACL;" "cutthrough routing"
.cindex "cutthrough" "requesting"
from one SMTP connection to another. If a recipient-verify callout connection is
requested in the same ACL it is held open and used for the data, otherwise one is made
after the ACL completes.
-.new "Note that routers are used in verify mode."
+
+Note that routers are used in verify mode,
+and cannot depend on content of received headers.
+Note also that headers cannot be
+modified by any of the post-data ACLs (DATA, MIME and DKIM).
+Headers may be modified by routers (subject to the above) and transports.
+
+Cutthrough delivery is not supported via transport-filters or when DKIM signing
+of outgoing messages is done, because it sends data to the ultimate destination
+before the entire message has been received from the source.
Should the ultimate destination system positively accept or reject the mail,
a corresponding indication is given to the source system and nothing is queued.
Delivery in this mode avoids the generation of a bounce mail to a (possibly faked)
sender when the destination system is doing content-scan based rejection.
-.wen
-.new
.vitem &*control&~=&~debug/*&<&'options'&>
.cindex "&ACL;" "enabling debug logging"
.cindex "debugging" "enabling from an ACL"
control = debug/opts=+expand+acl
control = debug/tag=.$message_exim_id/opts=+expand
.endd
-.wen
.vitem &*control&~=&~dkim_disable_verify*&
the operation and configuration of DKIM, see chapter &<<CHAPdkim>>&.
-.new
.vitem &*control&~=&~dscp/*&<&'value'&>
.cindex "&ACL;" "setting DSCP value"
.cindex "DSCP" "inbound"
that these values will have any effect, not be stripped by networking
equipment, or do much of anything without cooperation with your Network
Engineer and those of all network operators between the source and destination.
-.wen
.vitem &*control&~=&~enforce_sync*& &&&
add_header = X-blacklisted-at: $dnslist_domain
.endd
The &%add_header%& modifier is permitted in the MAIL, RCPT, PREDATA, DATA,
-MIME, and non-SMTP ACLs (in other words, those that are concerned with
+MIME, DKIM, and non-SMTP ACLs (in other words, those that are concerned with
receiving a message). The message must ultimately be accepted for
&%add_header%& to have any significant effect. You can use &%add_header%& with
any ACL verb, including &%deny%& (though this is potentially useful only in a
RCPT ACL).
+Headers will not be added to the message if the modifier is used in
+DATA, MIME or DKIM ACLs for messages delivered by cutthrough routing.
+
Leading and trailing newlines are removed from
the data for the &%add_header%& modifier; if it then
contains one or more newlines that
this, you can use ACL variables, as described in section
&<<SECTaclvariables>>&.
-.new
The list of headers yet to be added is given by the &%$headers_added%& variable.
-.wen
The &%add_header%& modifier acts immediately as it is encountered during the
processing of an ACL. Notice the difference between these two cases:
-.new
.section "Removing header lines in ACLs" "SECTremoveheadacl"
.cindex "header lines" "removing in an ACL"
.cindex "header lines" "position of removed lines"
remove_header = x-route-mail1 : x-route-mail2
.endd
The &%remove_header%& modifier is permitted in the MAIL, RCPT, PREDATA, DATA,
-MIME, and non-SMTP ACLs (in other words, those that are concerned with
+MIME, DKIM, and non-SMTP ACLs (in other words, those that are concerned with
receiving a message). The message must ultimately be accepted for
&%remove_header%& to have any significant effect. You can use &%remove_header%&
with any ACL verb, including &%deny%&, though this is really not useful for
any verb that doesn't result in a delivered message.
+Headers will not be removed to the message if the modifier is used in
+DATA, MIME or DKIM ACLs for messages delivered by cutthrough routing.
+
More than one header can be removed at the same time by using a colon separated
list of header names. The header matching is case insensitive. Wildcards are
not permitted, nor is list expansion performed, so you cannot use hostlists to
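Review bot: "Headers will not be removed to the message" in the remove_header text is carried over from the add_header wording; it should be "removed from the message". Since a rule that strips a header in a DATA, MIME or DKIM ACL has no effect under cutthrough routing, consider pointing to the cutthrough_delivery control from here.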
&*Warning*&: This facility currently applies only to header lines that are
present during ACL processing. It does NOT remove header lines that are added
in a system filter or in a router or transport.
-.wen
condition false. This means that further processing of the &%warn%& verb
ceases, but processing of the ACL continues.
-.new
If the argument is a named ACL, up to nine space-separated optional values
can be appended; they appear within the called ACL in $acl_arg1 to $acl_arg9,
and $acl_narg is set to the count of values.
Previous values of these variables are restored after the call returns.
The name and values are expanded separately.
-.wen
If the nested &%acl%& returns &"drop"& and the outer condition denies access,
the connection is dropped. If it returns &"discard"&, the verb must be
send email. Details of how this works are given in section
&<<SECTverifyCSA>>&.
+.new
+.vitem &*verify&~=&~header_names_ascii*&
+.cindex "&%verify%& ACL condition"
+.cindex "&ACL;" "verifying header names only ASCII"
+.cindex "header lines" "verifying header names only ASCII"
+.cindex "verifying" "header names only ASCII"
+This condition is relevant only in an ACL that is run after a message has been
+received, that is, in an ACL specified by &%acl_smtp_data%& or
+&%acl_not_smtp%&. It checks all header names (not the content) to make sure
+there are no non-ASCII characters, also excluding control characters. The
+allowable characters are decimal ASCII values 33 through 126.
+
+Exim itself will handle headers with non-ASCII characters, but it can cause
+problems for downstream applications, so this option will allow their
+detection and rejection in the DATA ACL's.
+.wen
+
.vitem &*verify&~=&~header_sender/*&<&'options'&>
.cindex "&%verify%& ACL condition"
.cindex "&ACL;" "verifying sender in the header"
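Review bot: the stated range "decimal ASCII values 33 through 126" includes the colon (58), which terminates a header name and so can never be part of one; say that explicitly, otherwise the range reads as if a colon inside a name were acceptable. The first paragraph names both acl_smtp_data and acl_not_smtp while the closing sentence mentions only "the DATA ACL's"; make the two agree and drop the apostrophe.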
dnslists = some.list.example
.endd
+If an explicit key is being used for a DNS lookup and it may be an IPv6
+address you should specify alternate list separators for both the outer
+(DNS list name) list and inner (lookup keys) list:
+.code
+ dnslists = <; dnsbl.example.com/<|$acl_m_addrslist
+.endd
+
.section "Rate limiting incoming messages" "SECTratelimiting"
.cindex "rate limiting" "client sending"
.cindex "limiting client sending rates"
&%hosts%& setting, the transport's hosts are used. If an &(smtp)& transport has
&%hosts_override%& set, its hosts are always used, whether or not the router
supplies a host list.
+Callouts are only supported on &(smtp)& transports.
The port that is used is taken from the transport, if it is specified and is a
remote transport. (For routers that do verification only, no transport need be
LHLO is used instead of HELO if the transport's &%protocol%& option is
set to &"lmtp"&.
-.new
The callout may use EHLO, AUTH and/or STARTTLS given appropriate option
settings.
-.wen
A recipient callout check is similar. By default, it also uses an empty address
for the sender. This default is chosen because most hosts do not make use of
There is an option WITH_OLD_CLAMAV_STREAM in &_src/EDITME_& available, should
you be running a version of ClamAV prior to 0.95.
-.new
The final example shows that multiple TCP targets can be specified. Exim will
randomly use one for each incoming email (i.e. it load balances them). Note
that only TCP targets may be used if specifying a list of scanners; a UNIX
clamd: connection to localhost, port 3310 failed
(Connection refused)
.endd
-.wen
If the option is unset, the default is &_/tmp/clamd_&. Thanks to David Saez for
contributing the code for this scanner.
.endd
You can safely omit this option (the default value is 1).
+.vitem &%sock%&
+.cindex "virus scanners" "simple socket-connected"
+This is a general-purpose way of talking to simple scanner daemons
+running on the local machine.
+There are four options:
+an address (which may be an IP addres and port, or the path of a Unix socket),
+a commandline to send (may include a single %s which will be replaced with
+the path to the mail file to be scanned),
+an RE to trigger on from the returned data,
+an RE to extract malware_name from the returned data.
+For example:
+.code
+av_scanner = sock:127.0.0.1 6001:%s:(SPAM|VIRUS):(.*)\$
+.endd
+Default for the socket specifier is &_/tmp/malware.sock_&.
+Default for the commandline is &_%s\n_&.
+Both regular-expressions are required.
+
.vitem &%sophie%&
.cindex "virus scanners" "Sophos and Sophie"
Sophie is a daemon that uses Sophos' &%libsavi%& library to scan for viruses.
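Review bot: the example command line is a bare "%s" while the stated default is "%s\n", and the text does not say whether Exim appends a newline when the admin supplies the command, so a reader copying the example cannot tell whether the daemon receives a terminated line. State the behaviour or put the "\n" in the example. "IP addres" needs fixing, and because the daemon is handed a spool file path that it must be able to open, it is worth saying that next to "running on the local machine".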
the transport cannot refer to the modified header lines, because such
expansions all occur before the message is actually transported.
-For both routers and transports, the result of expanding a &%headers_add%&
+For both routers and transports, the argument of a &%headers_add%&
option must be in the form of one or more RFC 2822 header lines, separated by
newlines (coded as &"\n"&). For example:
.code
.endd
Exim does not check the syntax of these added header lines.
-.new
Multiple &%headers_add%& options for a single router or transport can be
-specified; the values will be concatenated (with a separating newline
-added) before expansion.
-.wen
+specified; the values will append to a single list of header lines.
+Each header-line is separately expanded.
-The result of expanding &%headers_remove%& must consist of a colon-separated
+The argument of a &%headers_remove%& option must consist of a colon-separated
list of header names. This is confusing, because header names themselves are
often terminated by colons. In this case, the colons are the list separators,
not part of the names. For example:
.endd
Multiple &%headers_remove%& options for a single router or transport can be
-specified; the values will be concatenated (with a separating colon
-added) before expansion.
+specified; the arguments will append to a single header-names list.
+Each item is separately expanded.
-When &%headers_add%& or &%headers_remove%& is specified on a router, its value
-is expanded at routing time, and then associated with all addresses that are
+When &%headers_add%& or &%headers_remove%& is specified on a router,
+items are expanded at routing time,
+and then associated with all addresses that are
accepted by that router, and also with any new addresses that it generates. If
an address passes through several routers as a result of aliasing or
forwarding, the changes are cumulative.
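Review bot: the new headers_remove wording ("Each item is separately expanded") leaves out the consequence recorded in ChangeLog JH/12, that an item with an embedded colon must now have it doubled or the list separator changed. That is a behaviour change for existing configurations, so it belongs in this paragraph, next to the existing explanation that the colons are list separators.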
&`<=`& message arrival
&`=>`& normal message delivery
&`->`& additional address in same delivery
-.new
&`>>`& cutthrough message delivery
-.wen
&`*>`& delivery suppressed by &%-N%&
&`**`& delivery failed; address bounced
&`==`& delivery deferred; temporary problem
last of these is given in parentheses after the final address. The R and T
fields record the router and transport that were used to process the address.
-.new
If SMTP AUTH was used for the delivery there is an additional item A=
followed by the name of the authenticator that was used.
If an authenticated identification was set up by the authenticator's &%client_set_id%&
option, this is logged too, separated by a colon from the authenticator name.
-.wen
If a shadow transport was run after a successful local delivery, the log line
for the successful delivery has an item added on the end, of the form
down a single SMTP connection, an asterisk follows the IP address in the log
lines for the second and subsequent messages.
-.new
.cindex "delivery" "cutthrough; logging"
.cindex "cutthrough" "logging"
When delivery is done in cutthrough mode it is flagged with &`>>`& and the log
line precedes the reception line, since cutthrough waits for a possible
rejection from the destination in case it can reject the sourced item.
-.wen
The generation of a reply message by a filter file gets logged as a
&"delivery"& to the addressee, preceded by &">"&.
&`R `& on &`<=`& lines: reference for local bounce
&` `& on &`=>`& &`**`& and &`==`& lines: router name
&`S `& size of message
+&`SNI `& server name indication from TLS client hello
&`ST `& shadow transport name
&`T `& on &`<=`& lines: message subject (topic)
&` `& on &`=>`& &`**`& and &`==`& lines: transport name
The list of optional log items is in the following table, with the default
selection marked by asterisks:
.display
-.new
&` 8bitmime `& received 8BITMIME status
-.wen
&`*acl_warn_skipped `& skipped &%warn%& statement in ACL
&` address_rewrite `& address rewriting
&` all_parents `& all parents in => lines
&`*sender_verify_fail `& sender verification failures
&`*size_reject `& rejection because too big
&`*skip_delivery `& delivery skipped in a queue run
-.new
&`*smtp_confirmation `& SMTP confirmation on => lines
-.wen
&` smtp_connection `& SMTP connections
&` smtp_incomplete_transaction`& incomplete SMTP transactions
-.new
&` smtp_mailauth `& AUTH argument to MAIL commands
-.wen
&` smtp_no_mail `& session with no MAIL commands
&` smtp_protocol_error `& SMTP protocol errors
&` smtp_syntax_error `& SMTP syntax errors
More details on each of these items follows:
.ilist
-.new
.cindex "8BITMIME"
.cindex "log" "8BITMIME"
&%8bitmime%&: This causes Exim to log any 8BITMIME status of received messages,
that are not 8bit clean. This is added to the &"<="& line, tagged with
&`M8S=`& and a value of &`0`&, &`7`& or &`8`&, corresponding to "not given",
&`7BIT`& and &`8BITMIME`& respectively.
-.wen
.next
.cindex "&%warn%& ACL verb" "log when skipping"
&%acl_warn_skipped%&: When an ACL &%warn%& statement is skipped because one of
.next
.cindex "log" "smtp confirmation"
.cindex "SMTP" "logging confirmation"
-&%smtp_confirmation%&: The response to the final &"."& in the SMTP dialogue for
+.cindex "LMTP" "logging confirmation"
+&%smtp_confirmation%&: The response to the final &"."& in the SMTP or LMTP dialogue for
outgoing messages is added to delivery log lines in the form &`C=`&<&'text'&>.
A number of MTAs (including Exim) return an identifying string in this
response.
setting of 10 for &%smtp_accep_max_nonmail%&, the connection will in any case
have been aborted before 20 non-mail commands are processed.
.next
-.new
&%smtp_mailauth%&: A third subfield with the authenticated sender,
colon-separated, is appended to the A= item for a message arrival or delivery
log line, if an AUTH argument to the SMTP MAIL command (see &<<SECTauthparamail>>&)
was accepted or used.
-.wen
.next
.cindex "log" "SMTP protocol error"
.cindex "SMTP" "logging protocol error"
.code
exim -bpu
.endd
-to obtain a queue listing with undelivered recipients only, and then greps the
-output to select messages that match given criteria. The following selection
-options are available:
+or (in case &*-a*& switch is specified)
+.code
+exim -bp
+.endd
+.new
+The &*-C*& option is used to specify an alternate &_exim.conf_& which might
+contain alternate exim configuration the queue management might be using.
+.wen
+
+to obtain a queue listing, and then greps the output to select messages
+that match given criteria. The following selection options are available:
.vlist
.vitem &*-f*&&~<&'regex'&>
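Review bot: the -C paragraph is inserted between "exim -bp" and "to obtain a queue listing", which splits the sentence describing how exiqgrep invokes Exim; move it after that sentence. This patch gives -a a .vitem entry in the option list but adds none for -C, so -C should get one too, showing the file name argument it takes.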
.vitem &*-R*&
Display messages in reverse order.
+
+.vitem &*-a*&
+Include delivered recipients in queue listing.
.endlist
There is one more option, &%-h%&, which outputs a list of options.
-.new
.section "Running local commands" "SECTsecconslocalcmds"
.cindex "security" "local commands"
.cindex "security" "command injection attacks"
injected in, for SQL injection attacks.
Consider the use of the &%inlisti%& expansion condition instead.
.endlist
-.wen
-.new
.section "Trust in configuration data" "SECTsecconfdata"
.cindex "security" "data sources"
.cindex "security" "regular expressions"
Some lookups might return multiple results, even though normal usage is only
expected to yield one result.
.endlist
-.wen
Exim's DKIM implementation allows to
.olist
Sign outgoing messages: This function is implemented in the SMTP transport.
-It can co-exist with all other Exim features, including transport filters.
+It can co-exist with all other Exim features
+(including transport filters)
+except cutthrough delivery.
.next
Verify signatures in incoming messages: This is implemented by an additional
ACL (acl_smtp_dkim), which can be called several times per message, with
Verification of DKIM signatures in incoming email is implemented via the
&%acl_smtp_dkim%& ACL. By default, this ACL is called once for each
syntactically(!) correct signature in the incoming message.
+A missing ACL definition defaults to accept.
+If any ACL call does not acccept, the message is not accepted.
+If a cutthrough delivery was in progress for the message it is
+summarily dropped (having wasted the transmission effort).
To evaluate the signature in the ACL a large number of expansion variables
containing the signature status and its details are set up during the
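Review bot: "acccept" in the added sentence "If any ACL call does not acccept" has one c too many. The sentence also treats every non-accept outcome alike; say whether a defer from acl_smtp_dkim produces a temporary rejection, since the following sentence drops the cutthrough connection in either case.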
Edit &_src/drtables.c_&, adding conditional code to pull in the private header
and create a table entry as is done for all the other drivers and lookup types.
.next
-.new
Edit &_scripts/lookups-Makefile_& if this is a new lookup; there is a for-loop
near the bottom, ranging the &`name_mod`& variable over a list of all lookups.
Add your &`NEWDRIVER`& to that list.
As long as the dynamic module would be named &_newdriver.so_&, you can use the
simple form that most lookups have.
-.wen
.next
Edit &_Makefile_& in the appropriate sub-directory (&_src/routers_&,
&_src/transports_&, &_src/auths_&, or &_src/lookups_&); add a line for the new
Change log file for Exim from version 4.21
-------------------------------------------
+
+Exim version 4.83
+-----------------
+
+TF/01 Correctly close the server side of TLS when forking for delivery.
+
+ When a message was received over SMTP with TLS, Exim failed to clear up
+ the incoming connection properly after forking off the child process to
+ deliver the message. In some situations the subsequent outgoing
+ delivery connection happened to have the same fd number as the incoming
+ connection previously had. Exim would try to use TLS and fail, logging
+ a "Bad file descriptor" error.
+
+TF/02 Portability fix for building lookup modules on Solaris when the xpg4
+ utilities have not been installed.
+
+JH/01 Fix memory-handling in use of acl as a conditional; avoid free of
+ temporary space as the ACL may create new global variables.
+
+TL/01 LDAP support uses per connection or global context settings, depending
+ upon the detected version of the libraries at build time.
+
+TL/02 Experimental Proxy Protocol support: allows a proxied SMTP connection
+ to extract and use the src ip:port in logging and expansions as if it
+ were a direct connection from the outside internet. PPv2 support was
+ updated based on HAProxy spec change in May 2014.
+
+JH/02 Add ${listextract {number}{list}{success}{fail}}.
+
+TL/03 Bugzilla 1433: Fix DMARC SEGV with specific From header contents.
+ Properly escape header and check for NULL return.
+
+PP/01 Continue incomplete 4.82 PP/19 by fixing docs too: use dns_dnssec_ok
+ not dns_use_dnssec.
+
+JH/03 Bugzilla 1157: support log_selector smtp_confirmation for lmtp.
+
+TL/04 Add verify = header_names_ascii check to reject email with non-ASCII
+ characters in header names, implemented as a verify condition.
+ Contributed by Michael Fischer v. Mollard.
+
+TL/05 Rename SPF condition results err_perm and err_temp to standardized
+ results permerror and temperror. Previous values are deprecated but
+ still accepted. In a future release, err_perm and err_temp will be
+ completely removed, which will be a backward incompatibility if the
+ ACL tests for either of these two old results. Patch contributed by
+ user bes-internal on the mailing list.
+
+JH/04 Add ${utf8clean:} operator. Contributed by Alex Rau.
+
+JH/05 Bugzilla 305: Log incoming-TLS details on rejects, subject to log
+ selectors, in both main and reject logs.
+
+JH/06 Log outbound-TLS and port details, subject to log selectors, for a
+ failed delivery.
+
+JH/07 Add malware type "sock" for talking to simple daemon.
+
+JH/08 Bugzilla 1371: Add tls_{,try_}verify_hosts to smtp transport.
+
+JH/09 Bugzilla 1431: Support (with limitations) headers_add/headers_remove in
+ routers/transports under cutthrough routing.
+
+JH/10 Bugzilla 1005: ACL "condition =" should accept values which are negative
+ numbers. Touch up "bool" conditional to keep the same definition.
+
+TL/06 Remove duplicated language in spec file from 4.82 TL/16.
+
+JH/11 Add dnsdb tlsa lookup. From Todd Lyons.
+
+JH/12 Expand items in router/transport headers_add or headers_remove lists
+ individually rather than the list as a whole. Bug 1452.
+
+ Required for reasonable handling of multiple headers_ options when
+ they may be empty; requires that headers_remove items with embedded
+ colons must have them doubled (or the list-separator changed).
+
+TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
+ view the policy declared in the DMARC record. Currently, $dmarc_status
+ is a combined value of both the record presence and the result of the
+ analysis.
+
+JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455.
+
+JH/14 New options dnssec_request_domains, dnssec_require_domains on the
+ dnslookup router and the smtp transport (applying to the forward
+ lookup).
+
+TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list
+ of ldap servers used for a specific lookup. Patch provided by Heiko
+ Schlichting.
+
+JH/18 New options dnssec_lax, dnssec_strict on dnsdb lookups.
+ New variable $lookup_dnssec_authenticated for observability.
+
+TL/09 Bugzilla 609: Add -C option to exiqgrep, specify which exim.conf to use.
+ Patch submitted by Lars Timman.
+
+JH/19 EXPERIMENTAL_OCSP support under GnuTLS. Bug 1459.
+
+TL/10 Bugzilla 1454: New -oMm option to pass message reference to Exim.
+ Requires trusted mode and valid format message id, aborts otherwise.
+ Patch contributed by Heiko Schlichting.
+
+JH/20 New expansion variables tls_(in,out)_(our,peer)cert, and expansion item
+ certextract with support for various fields. Bug 1358.
+
+JH/21 Observability of OCSP via variables tls_(in,out)_ocsp. Stapling
+ is requested by default, modifiable by smtp transport option
+ hosts_request_ocsp.
+
+JH/22 Expansion operators ${md5:string} and ${sha1::string} can now
+ operate on certificate variables to give certificate fingerprints
+ Also new ${sha256:cert_variable}.
+
+JH/23 The PRDR feature is moved from being Experimental into the mainline.
+
+TL/11 Bug 1119: fix memory allocation in string_printing2(). Patch from
+ Christian Aistleitner.
+
+JH/24 The OCSP stapling feature is moved from Experimental into the mainline.
+
+
Exim version 4.82
-----------------
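Review bot: JH/22 writes "${sha1::string}" with a doubled colon, next to "${md5:string}" and "${sha256:cert_variable}"; that looks like a typo, and the sentence ending "certificate fingerprints" is missing its full stop. The JH entries jump from JH/14 to JH/18, so either JH/15 to JH/17 are missing from this file or the gap needs a word of explanation.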
test from the snapshots or the CVS before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
+Version 4.83
+------------
+
+ 1. If built with the EXPERIMENTAL_PROXY feature enabled, Exim can be
+ configured to expect an initial header from a proxy that will make the
+ actual external source IP:host be used in exim instead of the IP of the
+ proxy that is connecting to it.
+
+ 2. New verify option header_names_ascii, which will check to make sure
+ there are no non-ASCII characters in header names. Exim itself handles
+ those non-ASCII characters, but downstream apps may not, so Exim can
+ detect and reject if those characters are present.
+
+ 3. New expansion operator ${utf8clean:string} to replace malformed UTF8
+ codepoints with valid ones.
+
+ 4. New malware type "sock". Talks over a Unix or TCP socket, sending one
+ command line and matching a regex against the return data for trigger
+ and a second regex to extract malware_name. The mail spoofile name can
+ be included in the command line.
+
+ 5. The smtp transport now supports options "tls_verify_hosts" and
+ "tls_try_verify_hosts". If either is set the certificate verification
+ is split from the encryption operation. The default remains that a failed
+ verification cancels the encryption.
+
+ 6. New SERVERS override of default ldap server list. In the ACLs, an ldap
+ lookup can now set a list of servers to use that is different from the
+ default list.
+
+ 7. New command-line option -C for exiqgrep to specify alternate exim.conf
+ file when searching the queue.
+
+ 8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that.
+
+ 9. Support for DNSSEC on outbound connections.
+
+10. New variables "tls_(in,out)_(our,peer)cert" and expansion item
+ "certextract" to extract fields from them. Hash operators md5 and sha1
+ work over them for generating fingerprints, and a new sha256 operator
+ for them added.
+
+11. PRDR is now supported dy default.
+
+12. OCSP stapling is now supported by default.
+
+13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output
+ Delivery Status Notification messages in MIME format, and negociate
+ DSN features per RFC 3461.
+
+
Version 4.82
------------
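Review bot: item 1 says the "external source IP:host" is used, but ChangeLog TL/02 speaks of the "src ip:port"; change it to IP:port. Typos to fix before release: "spoofile" in item 4, "dy default" in item 11, "negociate" in item 13. Item 5 would be clearer if it said what a failed verification does for a host matched by tls_try_verify_hosts, since "The default remains that a failed verification cancels the encryption" only covers the case where neither option is set.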
dns_check_names_pattern string + main 2.11
dns_csa_search_limit integer 5 main 4.60
dns_csa_use_reverse boolean true main 4.60
+dns_dnssec_ok integer -1 main 4.82
dns_ipv4_lookup boolean false main 3.20
dns_qualify_single boolean true smtp
dns_retrans time 0s main 1.60
dns_retry integer 0 main 1.60
dns_search_parents boolean false smtp
-dns_use_dnssec integer -1 main 4.82
dns_use_edns0 integer -1 main 4.76
domains domain list unset routers 4.00
driver string unset authenticators
-oMai # Supply authenticated id
-oMas # Supply authenticated sender
-oMi # Supply interface address
+-oMm # Supply message reference
-oMr # Supply protocol name
-oMs # Supply host name
-oMt # Supply ident string
liable to incompatible change.
-PRDR support
---------------------------------------------------------------
-
-Per-Recipient Data Reponse is an SMTP extension proposed by Eric Hall
-in a (now-expired) IETF draft from 2007. It's not hit mainstream
-use, but has apparently been implemented in the META1 MTA.
-
-There is mention at http://mail.aegee.org/intern/sendmail.html
-of a patch to sendmail "to make it PRDR capable".
-
- ref: http://www.eric-a-hall.com/specs/draft-hall-prdr-00.txt
-
-If Exim is built with EXPERIMENTAL_PRDR there is a new config
-boolean "prdr_enable" which controls whether PRDR is advertised
-as part of an EHLO response, a new "acl_data_smtp_prdr" ACL
-(called for each recipient, after data arrives but before the
-data ACL), and a new smtp transport option "hosts_try_prdr".
-
-PRDR may be used to support per-user content filtering. Without it
-one must defer any recipient after the first that has a different
-content-filter configuration. With PRDR, the RCPT-time check
-for this can be disabled when the MAIL-time $smtp_command included
-"PRDR". Any required difference in behaviour of the main DATA-time
-ACL should however depend on the PRDR-time ACL having run, as Exim
-will avoid doing so in some situations (eg. single-recipient mails).
-
-
-
-OCSP Stapling support
---------------------------------------------------------------
-
-X.509 PKI certificates expire and can be revoked; to handle this, the
-clients need some way to determine if a particular certificate, from a
-particular Certificate Authority (CA), is still valid. There are three
-main ways to do so.
-
-The simplest way is to serve up a Certificate Revocation List (CRL) with
-an ordinary web-server, regenerating the CRL before it expires. The
-downside is that clients have to periodically re-download a potentially
-huge file from every certificate authority it knows of.
-
-The way with most moving parts at query time is Online Certificate
-Status Protocol (OCSP), where the client verifies the certificate
-against an OCSP server run by the CA. This lets the CA track all
-usage of the certs. This requires running software with access to the
-private key of the CA, to sign the responses to the OCSP queries. OCSP
-is based on HTTP and can be proxied accordingly.
-
-The only widespread OCSP server implementation (known to this writer)
-comes as part of OpenSSL and aborts on an invalid request, such as
-connecting to the port and then disconnecting. This requires
-re-entering the passphrase each time some random client does this.
-
-The third way is OCSP Stapling; in this, the server using a certificate
-issued by the CA periodically requests an OCSP proof of validity from
-the OCSP server, then serves it up inline as part of the TLS
-negotiation. This approach adds no extra round trips, does not let the
-CA track users, scales well with number of certs issued by the CA and is
-resilient to temporary OCSP server failures, as long as the server
-starts retrying to fetch an OCSP proof some time before its current
-proof expires. The downside is that it requires server support.
-
-If Exim is built with EXPERIMENTAL_OCSP and it was built with OpenSSL,
-then it gains a new global option: "tls_ocsp_file".
-
-The file specified therein is expected to be in DER format, and contain
-an OCSP proof. Exim will serve it as part of the TLS handshake. This
-option will be re-expanded for SNI, if the tls_certificate option
-contains $tls_sni, as per other TLS options.
-
-Exim does not at this time implement any support for fetching a new OCSP
-proof. The burden is on the administrator to handle this, outside of
-Exim. The file specified should be replaced atomically, so that the
-contents are always valid. Exim will expand the "tls_ocsp_file" option
-on each connection, so a new file will be handled transparently on the
-next connection.
-
-Exim will check for a valid next update timestamp in the OCSP proof;
-if not present, or if the proof has expired, it will be ignored.
-
-Also, given EXPERIMENTAL_OCSP and OpenSSL, the smtp transport gains
-a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling
-is requested and required for the connection to proceed. The host(s)
-should also be in "hosts_require_tls", and "tls_verify_certificates"
-configured for the transport.
-
-For the client to be able to verify the stapled OCSP the server must
-also supply, in its stapled information, any intermediate
-certificates for the chain leading to the OCSP proof from the signer
-of the server certificate. There may be zero or one such. These
-intermediate certificates should be added to the server OCSP stapling
-file (named by tls_ocsp_file).
-
-At this point in time, we're gathering feedback on use, to determine if
-it's worth adding complexity to the Exim daemon to periodically re-fetch
-OCSP files and somehow handling multiple files.
-
- A helper script "ocsp_fetch.pl" for fetching a proof from a CA
- OCSP server is supplied. The server URL may be included in the
- server certificate, if the CA is helpful.
-
- One fail mode seen was the OCSP Signer cert expiring before the end
- of vailidity of the OCSP proof. The checking done by Exim/OpenSSL
- noted this as invalid overall, but the re-fetch script did not.
-
-
-
-
Brightmail AntiSpam (BMI) suppport
--------------------------------------------------------------
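Review bot: the removed OCSP section carried operational requirements (a DER-format tls_ocsp_file that is replaced atomically, proofs without a valid next-update timestamp being ignored, hosts_require_ocsp hosts also needing hosts_require_tls and tls_verify_certificates) that need a home in the main spec now that JH/23 and JH/24 move PRDR and OCSP stapling into the mainline. None of the documentation hunks in this part of the patch add that text, so check that the spec gains an equivalent description, including the hosts_request_ocsp option named in JH/21.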
This means the queried domain has published
a SPF record, but wants to allow outside
servers to send mail under its domain as well.
- o err_perm This indicates a syntax error in the SPF
- record of the queried domain. This should be
- treated like "none".
- o err_temp This indicates a temporary error during all
+ This should be treated like "none".
+ o permerror This indicates a syntax error in the SPF
+ record of the queried domain. You may deny
+ messages when this occurs. (Changed in 4.83)
+ o temperror This indicates a temporary error during all
processing, including Exim's SPF processing.
You may defer messages when this occurs.
+ (Changed in 4.83)
+ o err_temp Same as permerror, deprecated in 4.83, will be
+ removed in a future release.
+ o err_perm Same as temperror, deprecated in 4.83, will be
+ removed in a future release.
You can prefix each string with an exclamation mark to invert
-is meaning, for example "!fail" will match all results but
+its meaning, for example "!fail" will match all results but
"fail". The string list is evaluated left-to-right, in a
short-circuit fashion. When a string matches the outcome of
the SPF check, the condition succeeds. If none of the listed
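Review bot: the two deprecated aliases are crossed: "err_temp Same as permerror" and "err_perm Same as temperror" should be the other way round, matching ChangeLog TL/05, which pairs err_perm with permerror and err_temp with temperror. As written, an admin migrating an ACL from this text would turn a defer-on-temporary-error rule into one that matches permanent errors. The added line "This should be treated like "none"." now sits under the preceding result's description, while permerror changes from treat-like-none to "You may deny messages"; confirm both are intended.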
$spf_result
This contains the outcome of the SPF check in string form,
- one of pass, fail, softfail, none, neutral, err_perm or
- err_temp.
+ one of pass, fail, softfail, none, neutral, permerror or
+ temperror.
$spf_smtp_comment
This contains a string that can be used in a SMTP response
Of course, you can also use any other lookup method that Exim
supports, including LDAP, Postgres, MySQL, etc, as long as the
-result is a list of colon-separated strings;
+result is a list of colon-separated strings.
Several expansion variables are set before the DATA ACL is
processed, and you can use them in this ACL. The following
o $dmarc_status
This is a one word status indicating what the DMARC library
- thinks of the email.
+ thinks of the email. It is a combination of the results of
+ DMARC record lookup and the SPF/DKIM/DMARC processing results
+ (if a DMARC record was found). The actual policy declared
+ in the DMARC record is in a separate expansion variable.
o $dmarc_status_text
This is a slightly longer, human readable status.
This is the domain which DMARC used to look up the DMARC
policy record.
+ o $dmarc_domain_policy
+ This is the policy declared in the DMARC record. Valid values
+ are "none", "reject" and "quarantine". It is blank when there
+ is any error, including no DMARC record.
+
o $dmarc_ar_header
This is the entire Authentication-Results header which you can
add using an add_header modifier.
warn !domains = +screwed_up_dmarc_records
control = dmarc_enable_forensic
+ warn condition = (lookup if destined to mailing list)
+ set acl_m_mailing_list = 1
+
(DATA ACL)
warn dmarc_status = accept : none : off
!authenticated = *
set $acl_m_quarantine = 1
# Do something in a transport with this flag variable
+ deny condition = ${if eq{$dmarc_domain_policy}{reject}}
+ condition = ${if eq{$acl_m_mailing_list}{1}}
+ message = Messages from $dmarc_used_domain break mailing lists
+
deny dmarc_status = reject
!authenticated = *
message = Message from $domain_used_domain failed sender's DMARC policy, REJECT
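Review bot: the new deny tests acl_m_mailing_list, a per-message variable set by the warn added above, so at DATA time a single mailing-list recipient makes the deny apply to every recipient of the message; say so in a comment, or the example will surprise people who copy it. The added message text uses $dmarc_used_domain while the existing deny below it uses $domain_used_domain; only one of those can be the real variable name, so make them consistent. "(lookup if destined to mailing list)" is a placeholder and should be marked as one.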
set acl_c_spam_host = ${lookup redis{GET...}}
+Proxy Protocol Support
+--------------------------------------------------------------
+
+Exim now has Experimental "Proxy Protocol" support. It was built on
+specifications from:
+http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
+Above URL revised May 2014 to change version 2 spec:
+http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e
+
+The purpose of this function is so that an application load balancer,
+such as HAProxy, can sit in front of several Exim servers and Exim
+will log the IP that is connecting to the proxy server instead of
+the IP of the proxy server when it connects to Exim. It resets the
+$sender_address_host and $sender_address_port to the IP:port of the
+connection to the proxy. It also re-queries the DNS information for
+this new IP address so that the original sender's hostname and IP
+get logged in the Exim logfile. There is no logging if a host passes or
+fails Proxy Protocol negotiation, but it can easily be determined and
+recorded in an ACL (example is below).
+
+1. To compile Exim with Proxy Protocol support, put this in
+Local/Makefile:
+
+EXPERIMENTAL_PROXY=yes
+
+2. Global configuration settings:
+
+proxy_required_hosts = HOSTLIST
+
+The proxy_required_hosts option will require any IP in that hostlist
+to use Proxy Protocol. The specification of Proxy Protocol is very
+strict, and if proxy negotiation fails, Exim will not allow any SMTP
+command other than QUIT. (See end of this section for an example.)
+The option is expanded when used, so it can be a hostlist as well as
+string of IP addresses. Since it is expanded, specifying an alternate
+separator is supported for ease of use with IPv6 addresses.
+
+To log the IP of the proxy in the incoming logline, add:
+ log_selector = +proxy
+
+A default incoming logline (wrapped for appearance) will look like this:
+
+ 2013-11-04 09:25:06 1VdNti-0001OY-1V <= me@example.net
+ H=mail.example.net [1.2.3.4] P=esmtp S=433
+
+With the log selector enabled, an email that was proxied through a
+Proxy Protocol server at 192.168.1.2 will look like this:
+
+ 2013-11-04 09:25:06 1VdNti-0001OY-1V <= me@example.net
+ H=mail.example.net [1.2.3.4] P=esmtp PRX=192.168.1.2 S=433
+
+3. In the ACL's the following expansion variables are available.
+
+proxy_host_address The (internal) src IP of the proxy server
+ making the connection to the Exim server.
+proxy_host_port The (internal) src port the proxy server is
+ using to connect to the Exim server.
+proxy_target_address The dest (public) IP of the remote host to
+ the proxy server.
+proxy_target_port The dest port the remote host is using to
+ connect to the proxy server.
+proxy_session Boolean, yes/no, the connected host is required
+ to use Proxy Protocol.
+
+There is no expansion for a failed proxy session, however you can detect
+it by checking if $proxy_session is true but $proxy_host is empty. As
+an example, in my connect ACL, I have:
+
+ warn condition = ${if and{ {bool{$proxy_session}} \
+ {eq{$proxy_host_address}{}} } }
+ log_message = Failed required proxy protocol negotiation \
+ from $sender_host_name [$sender_host_address]
+
+ warn condition = ${if and{ {bool{$proxy_session}} \
+ {!eq{$proxy_host_address}{}} } }
+ # But don't log health probes from the proxy itself
+ condition = ${if eq{$proxy_host_address}{$sender_host_address} \
+ {false}{true}}
+ log_message = Successfully proxied from $sender_host_name \
+ [$sender_host_address] through proxy protocol \
+ host $proxy_host_address
+
+ # Possibly more clear
+ warn logwrite = Remote Source Address: $sender_host_address:$sender_host_port
+ logwrite = Proxy Target Address: $proxy_target_address:$proxy_target_port
+ logwrite = Proxy Internal Address: $proxy_host_address:$proxy_host_port
+ logwrite = Internal Server Address: $received_ip_address:$received_port
+
+
+4. Recommended ACL additions:
+ - Since the real connections are all coming from your proxy, and the
+ per host connection tracking is done before Proxy Protocol is
+ evaluated, smtp_accept_max_per_host must be set high enough to
+ handle all of the parallel volume you expect per inbound proxy.
+ - With the smtp_accept_max_per_host set so high, you lose the ability
+ to protect your server from massive numbers of inbound connections
+ from one IP. In order to prevent your server from being DOS'd, you
+ need to add a per connection ratelimit to your connect ACL. I
+ suggest something like this:
+
+ # Set max number of connections per host
+ LIMIT = 5
+ # Or do some kind of IP lookup in a flat file or database
+ # LIMIT = ${lookup{$sender_host_address}iplsearch{/etc/exim/proxy_limits}}
+
+ defer message = Too many connections from this IP right now
+ ratelimit = LIMIT / 5s / per_conn / strict
+
+
+5. Runtime issues to be aware of:
+ - The proxy has 3 seconds (hard-coded in the source code) to send the
+ required Proxy Protocol header after it connects. If it does not,
+ the response to any commands will be:
+ "503 Command refused, required Proxy negotiation failed"
+ - If the incoming connection is configured in Exim to be a Proxy
+ Protocol host, but the proxy is not sending the header, the banner
+ does not get sent until the timeout occurs. If the sending host
+ sent any input (before the banner), this causes a standard Exim
+ synchronization error (i.e. trying to pipeline before PIPELINING
+ was advertised).
+ - This is not advised, but is mentioned for completeness if you have
+ a specific internal configuration that you want this: If the Exim
+ server only has an internal IP address and no other machines in your
+ organization will connect to it to try to send email, you may
+ simply set the hostlist to "*", however, this will prevent local
+ mail programs from working because that would require mail from
+ localhost to use Proxy Protocol. Again, not advised!
+
+6. Example of a refused connection because the Proxy Protocol header was
+not sent from a host configured to use Proxy Protocol. In the example,
+the 3 second timeout occurred (when a Proxy Protocol banner should have
+been sent), the banner was displayed to the user, but all commands are
+rejected except for QUIT:
+
+# nc mail.example.net 25
+220-mail.example.net, ESMTP Exim 4.82+proxy, Mon, 04 Nov 2013 10:45:59
+220 -0800 RFC's enforced
+EHLO localhost
+503 Command refused, required Proxy negotiation failed
+QUIT
+221 mail.example.net closing connection
+
+
+DSN Support
+--------------------------------------------------------------
+
+DSN Support tries to add RFC 3461 support to Exim. It adds support for
+*) the additional parameters for MAIL FROM and RCPT TO
+*) RFC complient MIME DSN messages for all of
+ success, failure and delay notifications
+*) dsn_advertise_hosts main option to select which hosts are able
+ to use the extension
+*) dsn_lasthop router switch to end DSN processing
+
+In case of failure reports this means that the last three parts, the message body
+intro, size info and final text, of the defined template are ignored since there is no
+logical place to put them in the MIME message.
+
+All the other changes are made without changing any defaults
+
+Building exim:
+--------------
+
+Define
+EXPERIMENTAL_DSN=YES
+in your Local/Makefile.
+
+Configuration:
+--------------
+All DSNs are sent in MIME format if you built exim with EXPERIMENTAL_DSN=YES
+No option needed to activate it, and no way to turn it off.
+
+Failure and delay DSNs are triggered as usual except a sender used NOTIFY=...
+to prevent them.
+
+Support for Success DSNs is added and activated by NOTIFY=SUCCESS by clients.
+
+Add
+dsn_advertise_hosts = *
+or a more restrictive host_list to announce DSN in EHLO answers
+
+Those hosts can then use NOTIFY,ENVID,RET,ORCPT options.
+
+If a message is relayed to a DSN aware host without changing the envelope
+recipient the options are passed along and no success DSN is generated.
+
+A redirect router will always trigger a success DSN if requested and the DSN
+options are not passed any further.
+
+A success DSN always contains the recipient address as submitted by the
+client as required by RFC. Rewritten addresses are never exposed.
+
+If you used DSN patch up to 1.3 before remove all "dsn_process" switches from
+your routers since you don't need them anymore. There is no way to "gag"
+success DSNs anymore. Announcing DSN means answering as requested.
+
+You can prevent Exim from passing DSN options along to other DSN aware hosts by defining
+dsn_lasthop
+in a router. Exim will then send the success DSN himself if requested as if
+the next hop does not support DSN.
+Adding it to a redirect router makes no difference.
+
+Certificate name checking
+--------------------------------------------------------------
+The X509 certificates used for TLS are supposed be verified
+that they are owned by the expected host. The coding of TLS
+support to date has not made these checks.
+
+If built with EXPERIMENTAL_CERTNAMES defined, code is
+included to do so, and a new smtp transport option
+"tls_verify_cert_hostname" supported which takes a list of
+names for which the checks must be made. The host must
+also be in "tls_verify_hosts".
+
+Both Subject and Subject-Alternate-Name certificate fields
+are supported, as are wildcard certificates (limited to
+a single wildcard being the initial component of a 3-or-more
+component FQDN).
+
+
--------------------------------------------------------------
End of file
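Review bot: the Proxy Protocol text names variables that the rest of the section does not define. Item 3 says a failed session is detected when "$proxy_host is empty", but the variable table and the ACL example directly below use $proxy_host_address, and the introduction refers to $sender_address_host and $sender_address_port while the examples use $sender_host_address and $sender_host_port. Please use one set of names throughout, matching the table. Separately, the "*" hostlist caveat in item 5 only mentions that local mail breaks; since Exim replaces the sender address with whatever the header supplies, it is worth stating that proxy_required_hosts should list only the proxies themselves.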
my @cmd = (
$genpath, '--spec', $spec, '--filter',
$filter, '--latest', $context->{trelease}, '--tmpl',
- $templates, '--docroot', $dir, '--localstatic'
+ $templates, '--docroot', $dir, '--localstatic',
+ (($verbose||$debug) ? '--verbose' : '')
);
print "Executing ", join( ' ', @cmd ), "\n";
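Review bot: when neither $verbose nor $debug is set, the new last element of @cmd is an empty string, so the command list carries an empty trailing argument (and the "Executing" line prints a trailing space). Returning an empty list instead avoids that: (($verbose||$debug) ? '--verbose' : ()).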
--- /dev/null
+#!/bin/sh
+#
+# A really dumb script for making a quick tarball of Exim
+
+set -e
+
+OWD=$(pwd -P)
+
+GWD=$(git rev-parse --git-dir)
+
+TWD=$(mktemp -d -t exim) || exit 1
+echo $TWD
+cd $TWD
+
+git clone $GWD
+
+cd exim/src/src
+../scripts/reversion
+. version.sh
+EXIM=exim-${EXIM_RELEASE_VERSION}${EXIM_VARIANT_VERSION}
+
+cd ../..
+mv src $EXIM
+tar cfz $EXIM.tar.gz $EXIM
+mv $EXIM src
+
+cd $OWD
+mv $TWD/exim/$EXIM.tar.gz .
+rm -rf $EXIM
+echo $EXIM.tar.gz
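Review bot: the cleanup at the end removes the wrong thing. After "cd $OWD" the script runs "rm -rf $EXIM", which deletes a directory of that name in the caller's working directory (one the script never created there), while the temporary clone in $TWD is left behind. It looks like "rm -rf $TWD" was intended. Two smaller points in the same file: "git rev-parse --git-dir" can return a relative path such as ".git", which no longer resolves after "cd $TWD", and every expansion ($TWD, $GWD, $OWD, $EXIM) is unquoted, so a path containing spaces breaks the script, including the rm -rf.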
# appropriate links, and then creating and running the main makefile in that
# directory.
-# Copyright (c) University of Cambridge, 1995 - 2007
+# Copyright (c) University of Cambridge, 1995 - 2014
# See the file NOTICE for conditions of use and distribution.
# IRIX make uses the shell that is in the SHELL variable, which often defaults
cscope.files: FRC
echo "-q" > $@
echo "-p3" >> $@
- find src Local -name "*.[cshyl]" -print \
+ find src Local OS -name "*.[cshyl]" -print \
+ -o -name "os.h*" -print \
-o -name "*akefile*" -print \
-o -name EDITME -print >> $@
+ ls OS/* >> $@
FRC:
transport-filter.pl convert4r3 convert4r4 \
exim_checkaccess \
exim_dbmbuild exim_dumpdb exim_fixdb exim_tidydb exim_lock \
- buildlookups buildrouters buildtransports \
- buildauths buildpdkim exim
+ exim
# Targets for special-purpose configuration header builders
local_scan.o $(EXIM_PERL) $(OBJ_WITH_CONTENT_SCAN) \
$(OBJ_WITH_OLD_DEMIME) $(OBJ_EXPERIMENTAL)
-exim: lookups/lookups.a auths/auths.a pdkim/pdkim.a \
- routers/routers.a transports/transports.a \
+exim: buildlookups buildauths pdkim/pdkim.a \
+ buildrouters buildtransports \
$(OBJ_EXIM) version.o
@echo "$(LNCC) -o exim"
$(FE)$(PURIFY) $(LNCC) -o exim $(LFLAGS) $(OBJ_EXIM) version.o \
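Review bot: the exim target now lists buildlookups, buildauths, buildrouters and buildtransports as prerequisites, and later in this patch those become command-only targets with no file behind them. Make can never consider them up to date, so exim is relinked on every invocation even when nothing changed. If always recursing into the sub-directories is the goal, consider keeping the .a files as the prerequisites of exim and making each archive depend on its build target, and declare the build* names .PHONY so the intent is explicit.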
OBJ_FIXDB = exim_fixdb.o util-os.o util-store.o
-exim_fixdb: $(OBJ_FIXDB) auths/auths.a
+exim_fixdb: $(OBJ_FIXDB) buildauths
@echo "$(LNCC) -o exim_fixdb"
$(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_fixdb $(LFLAGS) $(OBJ_FIXDB) \
auths/auths.a $(LIBS) $(EXTRALIBS) $(DBMLIB)
std-crypto.o: $(HDRS) std-crypto.c
store.o: $(HDRS) store.c
string.o: $(HDRS) string.c
-tls.o: $(HDRS) tls.c tls-gnu.c tls-openssl.c
+tls.o: $(HDRS) tls.c tls-gnu.c tlscert-gnu.c tls-openssl.c tlscert-openssl.c
tod.o: $(HDRS) tod.c
transport.o: $(HDRS) transport.c
tree.o: $(HDRS) tree.c
# When using parallel make, we don't have the dependency to force building
# in the sub-directory unless we force that dependency:
-$(OBJ_LOOKUPS): lookups/lookups.a
+$(OBJ_LOOKUPS): buildlookups
# The exim monitor's private modules - the sources live in a private
# subdirectory. The final binary combines the private modules with some
# The lookups library.
-buildlookups lookups/lookups.a: config.h version.h
+buildlookups:
@cd lookups && $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" CFLAGS="$(CFLAGS)" \
CFLAGS_DYNAMIC="$(CFLAGS_DYNAMIC)" HDRS="../version.h $(PHDRS)" \
FE="$(FE)" RANLIB="$(RANLIB)" RM_COMMAND="$(RM_COMMAND)" \
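Review bot: dropping "config.h version.h" from the buildlookups rule removes the only ordering between header generation and the sub-make, yet the recipe still passes HDRS="../version.h $(PHDRS)" down to it. Under parallel make the lookups build can now start before version.h exists. The pdkim rule in this same patch keeps config.h on pdkim/pdkim.a; the lookups, routers, transports and auths rules should keep their header prerequisites too.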
# The routers library.
-buildrouters routers/routers.a: config.h
+buildrouters:
@cd routers && $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" CFLAGS="$(CFLAGS)" \
FE="$(FE)" RANLIB="$(RANLIB)" RM_COMMAND="$(RM_COMMAND)" HDRS="$(PHDRS)" \
INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)"
# The transports library.
-buildtransports transports/transports.a: config.h
+buildtransports:
@cd transports && $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" CFLAGS="$(CFLAGS)" \
FE="$(FE)" RANLIB="$(RANLIB)" RM_COMMAND="$(RM_COMMAND)" HDRS="$(PHDRS)" \
INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)"
# The library of authorization modules
-buildauths auths/auths.a: config.h
+buildauths:
@cd auths && $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" CFLAGS="$(CFLAGS)" \
FE="$(FE)" RANLIB="$(RANLIB)" RM_COMMAND="$(RM_COMMAND)" HDRS="$(PHDRS)" \
INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)"
# The PDKIM library
-buildpdkim pdkim/pdkim.a: config.h
+buildpdkim: pdkim/pdkim.a
+pdkim/pdkim.a: config.h
@cd pdkim && $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" CFLAGS="$(CFLAGS)" \
FE="$(FE)" RANLIB="$(RANLIB)" RM_COMMAND="$(RM_COMMAND)" HDRS="$(PHDRS)" \
INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)"
ip_address_item *next;
char addr6p[8][5];
unsigned int plen, scope, dad_status, if_idx;
-char devname[20];
+char devname[20+1];
FILE *f;
#endif
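Review bot: "char devname[20+1]" fixes the size with a bare magic number and no comment, and the read that fills the buffer is outside this hunk, so a reader cannot confirm that the field width and the buffer size agree. Please add a short comment saying the extra byte is for the terminating NUL of a 20-character field, or derive both the width and the array size from one named constant so they cannot drift apart again.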
--- /dev/null
+Exim DSN Patch (4.82)
+---------------------
+
+This patch is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This patch is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this patch; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111 USA.
+
+Installation & Usage
+--------------------
+See docs/experimental-spec.txt
+
+Credits
+-------
+
+The original work for the patch was done by Philip Hazel in Exim 3
+
+The extract was taken and re-applied to Exim 4 by the following :-
+Phil Bingham (phil.bingham@cwipapps.net)
+Steve Falla (steve.falla@cwipapps.net)
+Ray Edah (ray.edah@cwipapps.net)
+Andrew Johnson (andrew.johnson@cwippaps.net)
+Adrian Hungate (adrian.hungate@cwipapps.net)
+
+Now Primarily maintained by :-
+Andrew Johnson (andrew.johnson@cwippaps.net)
+
+Updated for 4.82, improved and submitted to
+http://bugs.exim.org/show_bug.cgi?id=118
+by :-
+Wolfgang Breyha (wbreyha@gmx.net)
+
+Contributions
+-------------
+Andrey J. Melnikoff (TEMHOTA) (temnota@kmv.ru)
+
+
+ChangeLog
+---------
+14-Apr-2006 : Changed subject to "Delivery Status Notification"
+
+17-May-2006 : debug_printf in spool-in.c were not wrapped with #ifndef COMPILE_UTILITY
+ thanks to Andrey J. Melnikoff for this information
+
+12-Sep-2006 : Now supports Exim 4.63
+
+12-Sep-2006 : src/EDITME did not include the #define SUPPORT_DSN as stated
+ in the documentation, this has now been corrected
+ thanks to Robert Kehl for this information
+
+28-Jul-2008 : New version for exim 4.69 released.
+
+02-Jul-2010 : New version for exim 4.72 released.
+
+25-Apr-2014 : Version 1.4
+ *) fix ENVID and ORCPT addition in SMTP transport
+ *) p was not moved to the end of the string. new content
+ added afterwards overwrites ENVID and/or ORCPT
+ *) change spool file format to be compatible with the
+ extensible format of exim 4 by prepending new values and
+ setting the extended bitmask accordingly
+ *) use SUPPORT_DSN_LEGACY=yes in Makefile to be able to read
+ the legacy format of older patches until all messages are out of queue.
+ *) change "dsn" boolean toggle to "dsn_advertise_hosts" to
+ be able to select who actually can use the extension
+ *) Add all RFC 3461 MUST fields to delivery-status section
+ *) convert xtext in ENVID
+ *) add all successful rcpts to ONE message instead of sending several messages
+
+26-Apr-2014 : Version 1.5
+ fixes:
+ *) fixed wrong order for ENVID
+ *) fixed wrong Final-Recipient value
+ *) af_ignore_failure is ignored for success reports
+ *) fixed DSN_LEGACY switch
+ improvements:
+ *) added MIME "failure" reports
+ *) bounce_return_message is ignored (required by RFC)
+ *) in case RET= is defined we honor these values
+ otherwise bounce_return_body is honored.
+ *) bounce_return_size_limit is always honored.
+ *) message body intro and final text is ignored
+ *) do not send report if DSN flags say NO
+ *) added MIME "delay" reports
+ *) do not send report if DSN flags say NO
+ *) changed from SUPPORT_DSN to EXPERIMENTAL_DSN
+ *) updated documentation
+
+01-May-2014 : Version 1.6
+ fixes:
+ *) code cleanup
+ *) use text/rfc822-headers were applicable
+ *) fix NOTIFY=FAILURE
+
+ improvements:
+ *) do not truncated MIME messages
+ *) if bounce_return_size_limit is smaller then the actual message
+ only the header is returned
+ *) if bounce_return_body or bounce_return_size_limit prevents Exim
+ from returning the requested (RET=FULL) body this fact is added
+ as X-Exim-DSN-Information Header
+ *) this also means that all of the last three parts of the "failure"
+ template are not used anymore
+
+ *) dsn_process switch removed
+ *) every router "processes" DSN by default
+ *) there is no possibilty to "gag" DSN anymore since this violates RFC
+ *) dsn_lasthop switch added for routers
+ *) if dsn_lasthop is set by a router it is handled as relaying to a
+ non DSN aware relay. success mails are sent if Exim successfully
+ delivers the message.
+ *) redirect routers always "act" as if dsn_lasthop is set
+
+ *) address_item.dsn_aware changed from uschar to int for easier handling.
+
+02-May-2014 : fixes:
+ *) Reporting-MTA: use smtp_active_hostname instead of qualify_domain from
+ original patch.
+
+20-May-2014 : fixes:
+ *) removed support for EXPERIMENTAL_DSN_LEGACY for codebase inclusion
+ *) fixed build of exim_monitor tree
+ *) fixed late declaration of dsn_all_lasthop
+
+-----------------
+
+Support for this patch up to 1.3 (limited though it is) will only be provided through the SourceForge
+project page (http://sourceforge.net/projects/eximdsn/)
+
+From 1.4 onward feel free to ask on the exim-users mailinglist or add comments to
+http://bugs.exim.org/show_bug.cgi?id=118
+
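Review bot: the ChangeLog gives conflicting guidance on legacy spool files. The 1.4 entry tells users to build with SUPPORT_DSN_LEGACY=yes until old messages have left the queue, and the 20-May-2014 entry removes EXPERIMENTAL_DSN_LEGACY support, under a different name and without saying what someone upgrading from an older patch with queued mail should do. A sentence under "Installation & Usage" covering that case would help. Also, the Credits list spells the same domain two ways (cwipapps.net and cwippaps.net).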
BOOL dont_deliver = FALSE;
+#ifdef EXPERIMENTAL_DSN
+int dsn_ret = 0;
+uschar *dsn_envid = NULL;
+#endif
+
#ifdef WITH_CONTENT_SCAN
int fake_response = OK;
#endif
* Exim Monitor *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* This module contains code for scanning the main log,
fi
if [ ".$need_this" != "." ]; then
tls_include=`pkg-config --cflags $pc_value`
+ if [ $? -ne 0 ]; then
+ echo >&2 "*** Missing pkg-config for package $pc_value (for Exim $var build option)"
+ exit 1
+ fi
tls_libs=`pkg-config --libs $pc_value`
echo "TLS_INCLUDE=$tls_include"
echo "TLS_LIBS=$tls_libs"
else
# main binary
cflags=`pkg-config --cflags $pc_value`
+ if [ $? -ne 0 ]; then
+ echo >&2 "*** Missing pkg-config for package $pc_value (for Exim $var build option)"
+ exit 1
+ fi
libs=`pkg-config --libs $pc_value`
if [ "$var" != "${var#LOOKUP_}" ]; then
echo "LOOKUP_INCLUDE += $cflags"
case $PCRE_CONFIG in
yes|YES|y|Y)
cflags=`pcre-config --cflags`
+ if [ $? -ne 0 ]; then
+ echo >&2 "*** Missing pcre-config for regular expression support"
+ exit 1
+ fi
libs=`pcre-config --libs`
if [ ".$cflags" != "." ]; then
echo "INCLUDE += $cflags"
echo "# End of pkg-config fixups"
echo
) >> $mft
+ subexit=$?
+ if [ $subexit -ne 0 ]; then
+ exit $subexit
+ fi
fi
rm -f $mftt
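Review bot: the new "exit $subexit" leaves the script before "rm -f $mftt" runs, and it leaves $mft with whatever the subshell had already appended before the failing pkg-config or pcre-config call. Suggest removing $mftt (and the partial $mft) before exiting, so a failed configure does not leave a half-written makefile for the next run to pick up.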
ln -s ../src/store.c store.c
ln -s ../src/string.c string.c
ln -s ../src/tls.c tls.c
+ln -s ../src/tlscert-gnu.c tlscert-gnu.c
+ln -s ../src/tlscert-openssl.c tlscert-openssl.c
ln -s ../src/tls-gnu.c tls-gnu.c
ln -s ../src/tls-openssl.c tls-openssl.c
ln -s ../src/tod.c tod.c
_XPG=1
export _XPG
+ # We need the _right_ tr, so must do that first; but if a shell which
+ # we're more confident is sane is available, let's try that. Mostly,
+ # the problem is that "local" is not actually in "the" standard, it's
+ # just in every not-insane shell. Though arguably, there are no shells
+ # with POSIX-ish syntax which qualify as "not insane".
+ for b in /bin/dash /bin/bash /usr/local/bin/bash
+ do
+ if [ -x "$b" ]
+ then
+ SHELL="$b"
+ break
+ fi
+ done
+ # if we get a report of a system with zsh but not bash, we can add that
+ # to the list, but be sure to enable sh_word_split in that case.
+
exec "$SHELL" "$0" "$@"
fi
LC_ALL=C
export LC_ALL
+if [ -f "$defs_source" ]
+then
+ :
+ # we are happy
+else
+ echo >&2 "$0: ERROR: MISSING FILE '${defs_source}'"
+ echo >&2 "$0: SHOULD HAVE BEEN CALLED FROM scripts/Configure-Makefile"
+ exit 1
+fi
+
# nb: do not permit leading whitespace for this, as CFLAGS_DYNAMIC is exported
# to the lookups subdir via a line with leading whitespace which otherwise
# matches
local mod_name pkgconf
if [ "${lookup_name%:*}" = "$lookup_name" ]
then
- mod_name=$(echo $lookup_name | tr A-Z a-z)
+ # Square brackets are redundant but benign for POSIX compliant tr,
+ # however Solaris /usr/bin/tr requires them. Sometimes Solaris
+ # gets installed without a complete set of xpg4 tools, sigh.
+ mod_name=$(echo $lookup_name | tr [A-Z] [a-z])
else
mod_name="${lookup_name#*:}"
lookup_name="${lookup_name%:*}"
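Review bot: the bracket expressions passed to tr are unquoted, so the shell treats [A-Z] and [a-z] as glob patterns first. If the build directory contains a file with a single-letter name, the pattern expands to that filename and tr receives the wrong arguments. Quote them: tr '[A-Z]' '[a-z]'. The comment about Solaris is useful and should stay.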
# DISABLE_DKIM=yes
+#------------------------------------------------------------------------------
+# Uncomment the following line to remove Per-Recipient-Data-Response support.
+
+# DISABLE_PRDR=yes
+
+#------------------------------------------------------------------------------
+# Uncomment the following line to remove OCSP stapling support in TLS,
+# from Exim. Note it can only be supported when built with
+# GnuTLS 3.1.3 or later, or OpenSSL
+
+# DISABLE_OCSP=yes
#------------------------------------------------------------------------------
# By default, Exim has support for checking the AD bit in a DNS response, to
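Review bot: OCSP and PRDR move from opt-in to opt-out here, but the DISABLE_OCSP comment only says stapling "can only be supported" with GnuTLS 3.1.3 or later, or OpenSSL. It does not say what a builder with an older GnuTLS has to do now that the feature is on by default. Please state explicitly that such builds must uncomment DISABLE_OCSP=yes.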
# CFLAGS += -I/opt/brightmail/bsdk-6.0/include
# LDFLAGS += -lxml2_single -lbmiclient_single -L/opt/brightmail/bsdk-6.0/lib
-# Uncomment the following line to add OCSP stapling support in TLS, if Exim
-# was built using OpenSSL.
-
-# EXPERIMENTAL_OCSP=yes
-
# Uncomment the following line to add DMARC checking capability, implemented
# using libopendmarc libraries.
# EXPERIMENTAL_DMARC=yes
# CFLAGS += -I/usr/local/include
# LDFLAGS += -lopendmarc
-# Uncomment the following line to add Per-Recipient-Data-Response support.
-# EXPERIMENTAL_PRDR=yes
# Uncomment the following line to support Transport post-delivery actions,
# eg. for logging to a database.
# CFLAGS += -I/usr/local/include
# LDFLAGS += -lhiredis
+# Uncomment the following line to enable Experimental Proxy Protocol
+# EXPERIMENTAL_PROXY=yes
+
+# Uncomment the following line to enable support for checking certiticate
+# ownership
+# EXPERIMENTAL_CERTNAMES=yes
+
+# Uncomment the following line to add DSN support
+# EXPERIMENTAL_DSN=yes
###############################################################################
# THESE ARE THINGS YOU MIGHT WANT TO SPECIFY #
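Review bot: typo in the EXPERIMENTAL_CERTNAMES comment, "certiticate" should be "certificate". The three new options are also much terser than the neighbouring entries; a pointer to docs/experimental-spec.txt for each would tell the builder that, for example, certificate name checking still needs the transport option described there before it does anything.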
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Code for handling Access Control Lists (ACLs) */
(unsigned int)
~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
#endif
(1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
(1<<ACL_WHERE_AUTH)| /* bmi_optin */
(1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
#endif
(1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
#ifdef EXPERIMENTAL_DCC
(unsigned int)
~((1<<ACL_WHERE_DATA)| /* dcc */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP)),
#endif
#ifdef WITH_OLD_DEMIME
(unsigned int)
~((1<<ACL_WHERE_DATA)| /* demime */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP)),
#endif
(unsigned int)
~((1<<ACL_WHERE_RCPT) /* domains */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
|(1<<ACL_WHERE_PRDR)
#endif
),
(unsigned int)
~((1<<ACL_WHERE_RCPT) /* local_parts */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
|(1<<ACL_WHERE_PRDR)
#endif
),
#ifdef WITH_CONTENT_SCAN
(unsigned int)
~((1<<ACL_WHERE_DATA)| /* malware */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP)),
#endif
#ifdef WITH_CONTENT_SCAN
(unsigned int)
~((1<<ACL_WHERE_DATA)| /* regex */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP)|
(1<<ACL_WHERE_MIME)),
#endif
(unsigned int)
~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* remove_header */
(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
#endif
(1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
#ifdef WITH_CONTENT_SCAN
(unsigned int)
~((1<<ACL_WHERE_DATA)| /* spam */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP)),
#endif
#ifndef DISABLE_DKIM
(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_NOTSMTP_START),
#endif
(unsigned int)
~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_MIME)),
(unsigned int)
~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
(1<<ACL_WHERE_PRDR)|
- #endif /* EXPERIMENTAL_PRDR */
+ #endif
(1<<ACL_WHERE_MIME)),
(1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
DNS_LOOKUP_AGAIN:
#endif
+lookup_dnssec_authenticated = NULL;
switch (dns_lookup(&dnsa, target, type, NULL))
{
/* If something bad happened (most commonly DNS_AGAIN), defer. */
*************************************************/
enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
- VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
+ VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
+ VERIFY_HDR_NAMES_ASCII
};
typedef struct {
uschar * name;
{ US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
|(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
FALSE, 6 },
- { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
+ { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 },
+ { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 }
};
*user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
return rc;
+ case VERIFY_HDR_NAMES_ASCII:
+ /* Check that all header names are true 7 bit strings
+ See RFC 5322, 2.2. and RFC 6532, 3. */
+
+ rc = verify_check_header_names_ascii(log_msgptr);
+ if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
+ *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
+ return rc;
+
case VERIFY_NOT_BLIND:
/* Check that no recipient of this message is "blind", that is, every envelope
recipient must be mentioned in either To: or Cc:. */
BAD_VERIFY:
*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
- "\"helo\", \"header_syntax\", \"header_sender\" or "
- "\"reverse_host_lookup\" at start of ACL condition "
+ "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
+ "or \"reverse_host_lookup\" at start of ACL condition "
"\"verify %s\"", arg);
return ERROR;
}
uschar *portend;
host_item *h;
int portnum;
-int host_af;
int len;
int r, s;
+uschar * errstr;
hostname = string_nextinlist(&arg, &sep, NULL, 0);
portstr = string_nextinlist(&arg, &sep, NULL, 0);
HDEBUG(D_acl)
debug_printf("udpsend [%s]:%d %s\n", h->address, portnum, arg);
-host_af = (Ustrchr(h->address, ':') == NULL)? AF_INET:AF_INET6;
-r = s = ip_socket(SOCK_DGRAM, host_af);
-if (r < 0) goto defer;
-r = ip_connect(s, host_af, h->address, portnum, 1);
+r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
+ 1, NULL, &errstr);
if (r < 0) goto defer;
len = Ustrlen(arg);
r = send(s, arg, len, 0);
-if (r < 0) goto defer;
+if (r < 0)
+ {
+ errstr = US strerror(errno);
+ close(s);
+ goto defer;
+ }
+close(s);
if (r < len)
{
*log_msgptr =
return OK;
defer:
-*log_msgptr = string_sprintf("\"udpsend\" failed: %s", strerror(errno));
+*log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
return DEFER;
}
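Review bot: the defer label now formats errstr instead of strerror(errno), but errstr is declared as "uschar * errstr;" with no initialiser. Any path that reaches "goto defer" without passing through ip_connectedsocket or the send failure branch would print an uninitialised pointer. Initialise it at the declaration (to NULL or a generic message) and guard the string_sprintf accordingly.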
if (cb->type == ACLC_MESSAGE)
{
+ HDEBUG(D_acl) debug_printf(" message: %s\n", cb->arg);
user_message = cb->arg;
continue;
}
if (cb->type == ACLC_LOG_MESSAGE)
{
+ HDEBUG(D_acl) debug_printf("l_message: %s\n", cb->arg);
log_message = cb->arg;
continue;
}
/* The true/false parsing here should be kept in sync with that used in
expand.c when dealing with ECOND_BOOL so that we don't have too many
different definitions of what can be a boolean. */
- if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
+ if (*arg == '-'
+ ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
+ : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
rc = (Uatoi(arg) == 0)? FAIL : OK;
else
rc = (strcmpic(arg, US"no") == 0 ||
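Review bot: the negative-number branch accepts a bare "-". With arg equal to "-", Ustrspn(arg+1, ...) and Ustrlen(arg+1) are both 0, so the test passes, Uatoi returns 0 and the condition silently evaluates to false instead of falling through to the yes/no/true/false branch and its error handling. Require at least one digit after the sign. The comment above also asks for this parsing to stay in sync with ECOND_BOOL in expand.c; please confirm the same change is made there.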
disable_callout_flush = TRUE;
break;
- case CONTROL_FAKEDEFER:
case CONTROL_FAKEREJECT:
+ cancel_cutthrough_connection("fakereject");
+ case CONTROL_FAKEDEFER:
fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
if (*p == '/')
{
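Review bot: CONTROL_FAKEREJECT now falls through into CONTROL_FAKEDEFER after calling cancel_cutthrough_connection, and nothing marks that as deliberate. Swapping the case order to make this work is easy to undo by accident; add a /* Fall through */ comment after the cancel call.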
*log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
return ERROR;
}
+ cancel_cutthrough_connection("item frozen");
break;
case CONTROL_QUEUE_ONLY:
queue_only_policy = TRUE;
+ cancel_cutthrough_connection("queueing forced");
break;
case CONTROL_SUBMISSION:
case CONTROL_CUTTHROUGH_DELIVERY:
if (deliver_freeze)
- {
- *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
- return ERROR;
- }
- if (queue_only_policy)
- {
- *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
- return ERROR;
- }
- cutthrough_delivery = TRUE;
- break;
+ *log_msgptr = US"frozen";
+ else if (queue_only_policy)
+ *log_msgptr = US"queue-only";
+ else if (fake_response == FAIL)
+ *log_msgptr = US"fakereject";
+ else
+ {
+ cutthrough_delivery = TRUE;
+ break;
+ }
+ *log_msgptr = string_sprintf("\"control=%s\" on %s item",
+ arg, *log_msgptr);
+ return ERROR;
}
break;
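Review bot: in the CONTROL_CUTTHROUGH_DELIVERY branch, *log_msgptr is used as a scratch variable for the reason ("frozen", "queue-only", "fakereject") and then passed as an argument to the string_sprintf call that overwrites it. It works, but it reads like a bug and the success path exits through a break buried in the final else. A local reason pointer, with the error return taken only when it is non-NULL, would make the control flow obvious.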
ratelimiters_cmd = NULL;
log_reject_target = LOG_MAIN|LOG_REJECT;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
if (where == ACL_WHERE_RCPT || where == ACL_WHERE_PRDR )
#else
if (where == ACL_WHERE_RCPT )
switch (where)
{
case ACL_WHERE_RCPT:
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
case ACL_WHERE_PRDR:
#endif
if( rcpt_count > 1 )
fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
}
+/* vi: aw ai sw=2
+*/
/* End of acl.c */
/*
* Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
+ * Copyright (c) 2006-2014 The Exim Maintainers
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* The default settings for Exim configuration variables. A #define without
#define DELIVER_IN_BUFFER_SIZE 8192
#define DELIVER_OUT_BUFFER_SIZE 8192
#define DISABLE_DKIM
+#define DISABLE_PRDR
+#define DISABLE_OCSP
#define DISABLE_DNSSEC
#define DISABLE_D_OPTION
/* EXPERIMENTAL features */
#define EXPERIMENTAL_BRIGHTMAIL
+#define EXPERIMENTAL_CERTNAMES
#define EXPERIMENTAL_DCC
#define EXPERIMENTAL_DMARC
-#define EXPERIMENTAL_OCSP
-#define EXPERIMENTAL_PRDR
+#define EXPERIMENTAL_DSN
+#define EXPERIMENTAL_PROXY
#define EXPERIMENTAL_REDIS
#define EXPERIMENTAL_SPF
#define EXPERIMENTAL_SRS
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions concerned with running Exim as a daemon */
the data structures if necessary. */
#ifdef SUPPORT_TLS
- tls_close(FALSE, FALSE);
+ tls_close(TRUE, FALSE);
#endif
/* Reset SIGHUP and SIGCHLD in the child in both cases. */
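Review bot: the first argument of tls_close() flips from FALSE to TRUE in the daemon's child path with no comment saying what that flag selects or why this call site needs the other behaviour. A one-line comment above the call stating the intent would make the change reviewable on its own.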
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* The main code for delivering a message. */
static address_item *addr_remote = NULL;
static address_item *addr_route = NULL;
static address_item *addr_succeed = NULL;
+#ifdef EXPERIMENTAL_DSN
+static address_item *addr_dsntmp = NULL;
+static address_item *addr_senddsn = NULL;
+#endif
static FILE *message_log = NULL;
static BOOL update_spool;
+static uschar *
+d_hostlog(uschar * s, int * sizep, int * ptrp, address_item * addr)
+{
+ s = string_append(s, sizep, ptrp, 5, US" H=", addr->host_used->name,
+ US" [", addr->host_used->address, US"]");
+ if ((log_extra_selector & LX_outgoing_port) != 0)
+ s = string_append(s, sizep, ptrp, 2, US":", string_sprintf("%d",
+ addr->host_used->port));
+ return s;
+}
+
+#ifdef SUPPORT_TLS
+static uschar *
+d_tlslog(uschar * s, int * sizep, int * ptrp, address_item * addr)
+{
+ if ((log_extra_selector & LX_tls_cipher) != 0 && addr->cipher != NULL)
+ s = string_append(s, sizep, ptrp, 2, US" X=", addr->cipher);
+ if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
+ addr->cipher != NULL)
+ s = string_append(s, sizep, ptrp, 2, US" CV=",
+ testflag(addr, af_cert_verified)? "yes":"no");
+ if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL)
+ s = string_append(s, sizep, ptrp, 3, US" DN=\"",
+ string_printing(addr->peerdn), US"\"");
+ return s;
+}
+#endif
+
/* If msg is NULL this is a delivery log and logchar is used. Otherwise
-this is a nonstandard call; no two-characher delivery flag is written
+this is a nonstandard call; no two-character delivery flag is written
but sender-host and sender are prefixed and "msg" is inserted in the log line.
Arguments:
tpda_delivery_local_part = NULL;
tpda_delivery_domain = NULL;
tpda_delivery_confirmation = NULL;
+ lookup_dnssec_authenticated = NULL;
#endif
s = reset_point = store_get(size);
else
{
- if (addr->host_used != NULL)
+ if (addr->host_used)
{
- s = string_append(s, &size, &ptr, 5, US" H=", addr->host_used->name,
- US" [", addr->host_used->address, US"]");
- if ((log_extra_selector & LX_outgoing_port) != 0)
- s = string_append(s, &size, &ptr, 2, US":", string_sprintf("%d",
- addr->host_used->port));
+ s = d_hostlog(s, &size, &ptr, addr);
if (continue_sequence > 1)
s = string_cat(s, &size, &ptr, US"*", 1);
tpda_delivery_local_part = addr->local_part;
tpda_delivery_domain = addr->domain;
tpda_delivery_confirmation = addr->message;
+
+ /* DNS lookup status */
+ lookup_dnssec_authenticated = addr->host_used->dnssec==DS_YES ? US"yes"
+ : addr->host_used->dnssec==DS_NO ? US"no"
+ : NULL;
#endif
}
#ifdef SUPPORT_TLS
- if ((log_extra_selector & LX_tls_cipher) != 0 && addr->cipher != NULL)
- s = string_append(s, &size, &ptr, 2, US" X=", addr->cipher);
- if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
- addr->cipher != NULL)
- s = string_append(s, &size, &ptr, 2, US" CV=",
- testflag(addr, af_cert_verified)? "yes":"no");
- if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL)
- s = string_append(s, &size, &ptr, 3, US" DN=\"",
- string_printing(addr->peerdn), US"\"");
+ s = d_tlslog(s, &size, &ptr, addr);
#endif
if (addr->authenticator)
}
}
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
if (addr->flags & af_prdr_used)
s = string_append(s, &size, &ptr, 1, US" PRDR");
#endif
+ }
- if ((log_extra_selector & LX_smtp_confirmation) != 0 &&
- addr->message != NULL)
- {
- int i;
- uschar *p = big_buffer;
- uschar *ss = addr->message;
- *p++ = '\"';
- for (i = 0; i < 100 && ss[i] != 0; i++)
- {
- if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\';
- *p++ = ss[i];
- }
- *p++ = '\"';
- *p = 0;
- s = string_append(s, &size, &ptr, 2, US" C=", big_buffer);
- }
+/* confirmation message (SMTP (host_used) and LMTP (driver_name)) */
+
+if (log_extra_selector & LX_smtp_confirmation &&
+ addr->message &&
+ (addr->host_used || Ustrcmp(addr->transport->driver_name, "lmtp") == 0))
+ {
+ int i;
+ uschar *p = big_buffer;
+ uschar *ss = addr->message;
+ *p++ = '\"';
+ for (i = 0; i < 256 && ss[i] != 0; i++) /* limit logged amount */
+ {
+ if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\'; /* quote \ and " */
+ *p++ = ss[i];
+ }
+ *p++ = '\"';
+ *p = 0;
+ s = string_append(s, &size, &ptr, 2, US" C=", big_buffer);
}
/* Time on queue and actual time taken to deliver */
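Review bot: in the `C=` block the loop copies up to 256 bytes of addr->message, which is text supplied by the remote SMTP or LMTP server, and escapes only `"` and `\`. d_tlslog() in this same patch runs peerdn through string_printing() before logging it; doing the same for ss would keep non-printing bytes from a remote response out of the log line, unless addr->message is already sanitised before this point. Separately, the new condition reads addr->transport->driver_name whenever host_used is NULL, so it relies on addr->transport being non-NULL on every path that reaches this code.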
(void)close(addr->return_file);
}
-/* The sucess case happens only after delivery by a transport. */
+/* The success case happens only after delivery by a transport. */
if (result == OK)
{
DEBUG(D_deliver) debug_printf("%s delivered\n", addr->address);
if (addr->parent == NULL)
- {
deliver_msglog("%s %s: %s%s succeeded\n", now, addr->address,
driver_name, driver_kind);
- }
else
{
deliver_msglog("%s %s <%s>: %s%s succeeded\n", now, addr->address,
child_done(addr, now);
}
+ /* Certificates for logging (via TPDA) */
+ #ifdef SUPPORT_TLS
+ tls_out.ourcert = addr->ourcert;
+ addr->ourcert = NULL;
+ tls_out.peercert = addr->peercert;
+ addr->peercert = NULL;
+
+ tls_out.cipher = addr->cipher;
+ tls_out.peerdn = addr->peerdn;
+ tls_out.ocsp = addr->ocsp;
+ #endif
+
delivery_log(LOG_MAIN, addr, logchar, NULL);
+
+ #ifdef SUPPORT_TLS
+ if (tls_out.ourcert)
+ {
+ tls_free_cert(tls_out.ourcert);
+ tls_out.ourcert = NULL;
+ }
+ if (tls_out.peercert)
+ {
+ tls_free_cert(tls_out.peercert);
+ tls_out.peercert = NULL;
+ }
+ tls_out.cipher = NULL;
+ tls_out.peerdn = NULL;
+ tls_out.ocsp = OCSP_NOT_REQ;
+ #endif
}
if (used_return_path != NULL &&
(log_extra_selector & LX_return_path_on_delivery) != 0)
- {
s = string_append(s, &size, &ptr, 3, US" P=<", used_return_path, US">");
- }
if (addr->router != NULL)
s = string_append(s, &size, &ptr, 2, US" R=", addr->router->name);
s = string_append(s, &size, &ptr, 2, US" T=", addr->transport->name);
if (addr->host_used != NULL)
- s = string_append(s, &size, &ptr, 5, US" H=", addr->host_used->name,
- US" [", addr->host_used->address, US"]");
+ s = d_hostlog(s, &size, &ptr, addr);
+
+ #ifdef SUPPORT_TLS
+ s = d_tlslog(s, &size, &ptr, addr);
+ #endif
if (addr->basic_errno > 0)
s = string_append(s, &size, &ptr, 2, US": ",
#ifdef SUPPORT_TLS
case 'X':
- if (addr == NULL) goto ADDR_MISMATCH; /* Below, in 'A' handler */
- addr->cipher = (*ptr)? string_copy(ptr) : NULL;
- while (*ptr++);
- addr->peerdn = (*ptr)? string_copy(ptr) : NULL;
+ if (addr == NULL) goto ADDR_MISMATCH; /* Below, in 'A' handler */
+ switch (*ptr++)
+ {
+ case '1':
+ addr->cipher = NULL;
+ addr->peerdn = NULL;
+
+ if (*ptr)
+ addr->cipher = string_copy(ptr);
+ while (*ptr++);
+ if (*ptr)
+ addr->peerdn = string_copy(ptr);
+ break;
+
+ case '2':
+ addr->peercert = NULL;
+ if (*ptr)
+ (void) tls_import_cert(ptr, &addr->peercert);
+ break;
+
+ case '3':
+ addr->ourcert = NULL;
+ if (*ptr)
+ (void) tls_import_cert(ptr, &addr->ourcert);
+ break;
+
+ #ifndef DISABLE_OCSP
+ case '4':
+ addr->ocsp = OCSP_NOT_REQ;
+ if (*ptr)
+ addr->ocsp = *ptr - '0';
+ break;
+ #endif
+ }
while (*ptr++);
break;
- #endif
+ #endif /*SUPPORT_TLS*/
case 'C': /* client authenticator information */
switch (*ptr++)
- {
- case '1':
- addr->authenticator = (*ptr)? string_copy(ptr) : NULL;
- break;
- case '2':
- addr->auth_id = (*ptr)? string_copy(ptr) : NULL;
- break;
- case '3':
- addr->auth_sndr = (*ptr)? string_copy(ptr) : NULL;
- break;
- }
+ {
+ case '1':
+ addr->authenticator = (*ptr)? string_copy(ptr) : NULL;
+ break;
+ case '2':
+ addr->auth_id = (*ptr)? string_copy(ptr) : NULL;
+ break;
+ case '3':
+ addr->auth_sndr = (*ptr)? string_copy(ptr) : NULL;
+ break;
+ }
while (*ptr++);
break;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
case 'P':
- addr->flags |= af_prdr_used; break;
+ addr->flags |= af_prdr_used;
+ break;
#endif
+ #ifdef EXPERIMENTAL_DSN
+ case 'D':
+ if (addr == NULL) break;
+ memcpy(&(addr->dsn_aware), ptr, sizeof(addr->dsn_aware));
+ ptr += sizeof(addr->dsn_aware);
+ DEBUG(D_deliver) debug_printf("DSN read: addr->dsn_aware = %d\n", addr->dsn_aware);
+ break;
+ #endif
+
case 'A':
if (addr == NULL)
{
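Review bot: in the new 'D' case, `if (addr == NULL) break;` leaves ptr in front of the sizeof(addr->dsn_aware) payload bytes, whereas the 'X' case above handles the same condition with `goto ADDR_MISMATCH`. Using the same jump here keeps the pipe parser from continuing at raw binary data. In the 'X' case, `addr->ocsp = *ptr - '0'` accepts any byte without a range check and both tls_import_cert() results are cast to void, so a malformed item is silently accepted; a bounds check on the OCSP value and a debug line on import failure would help.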
addr->user_message = (*ptr)? string_copy(ptr) : NULL;
while(*ptr++);
- /* Always two strings for host information, followed by the port number */
+ /* Always two strings for host information, followed by the port number and DNSSEC mark */
if (*ptr != 0)
{
while(*ptr++);
memcpy(&(h->port), ptr, sizeof(h->port));
ptr += sizeof(h->port);
+ h->dnssec = *ptr == '2' ? DS_YES
+ : *ptr == '1' ? DS_NO
+ : DS_UNK;
+ ptr++;
addr->host_used = h;
}
else ptr++;
retry_item *r;
/* The certificate verification status goes into the flags */
-
if (tls_out.certificate_verified) setflag(addr, af_cert_verified);
/* Use an X item only if there's something to send */
-
#ifdef SUPPORT_TLS
- if (addr->cipher != NULL)
+ if (addr->cipher)
{
ptr = big_buffer;
- sprintf(CS ptr, "X%.128s", addr->cipher);
+ sprintf(CS ptr, "X1%.128s", addr->cipher);
while(*ptr++);
- if (addr->peerdn == NULL) *ptr++ = 0; else
+ if (!addr->peerdn)
+ *ptr++ = 0;
+ else
{
sprintf(CS ptr, "%.512s", addr->peerdn);
while(*ptr++);
}
+
rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer);
}
- #endif
+ if (addr->peercert)
+ {
+ ptr = big_buffer;
+ *ptr++ = 'X'; *ptr++ = '2';
+ if (!tls_export_cert(ptr, big_buffer_size-2, addr->peercert))
+ while(*ptr++);
+ else
+ *ptr++ = 0;
+ rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer);
+ }
+ if (addr->ourcert)
+ {
+ ptr = big_buffer;
+ *ptr++ = 'X'; *ptr++ = '3';
+ if (!tls_export_cert(ptr, big_buffer_size-2, addr->ourcert))
+ while(*ptr++);
+ else
+ *ptr++ = 0;
+ rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer);
+ }
+ #ifndef DISABLE_OCSP
+ if (addr->ocsp > OCSP_NOT_REQ)
+ {
+ ptr = big_buffer;
+ sprintf(CS ptr, "X4%c", addr->ocsp + '0');
+ while(*ptr++);
+ rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer);
+ }
+ # endif
+ #endif /*SUPPORT_TLS*/
if (client_authenticator)
{
rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer);
}
- #ifdef EXPERIMENTAL_PRDR
- if (addr->flags & af_prdr_used) rmt_dlv_checked_write(fd, "P", 1);
+ #ifndef DISABLE_PRDR
+ if (addr->flags & af_prdr_used)
+ rmt_dlv_checked_write(fd, "P", 1);
+ #endif
+
+ #ifdef EXPERIMENTAL_DSN
+ big_buffer[0] = 'D';
+ memcpy(big_buffer+1, &addr->dsn_aware, sizeof(addr->dsn_aware));
+ rmt_dlv_checked_write(fd, big_buffer, sizeof(addr->dsn_aware) + 1);
+ DEBUG(D_deliver) debug_printf("DSN write: addr->dsn_aware = %d\n", addr->dsn_aware);
#endif
/* Retry information: for most success cases this will be null. */
while(*ptr++);
memcpy(ptr, &(addr->host_used->port), sizeof(addr->host_used->port));
ptr += sizeof(addr->host_used->port);
+
+ /* DNS lookup status */
+ *ptr++ = addr->host_used->dnssec==DS_YES ? '2'
+ : addr->host_used->dnssec==DS_NO ? '1' : '0';
+
}
rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer);
}
if (r->pno >= 0)
new->onetime_parent = recipients_list[r->pno].address;
+ #ifdef EXPERIMENTAL_DSN
+ /* If DSN support is enabled, set the dsn flags and the original receipt
+ to be passed on to other DSN enabled MTAs */
+ new->dsn_flags = r->dsn_flags & rf_dsnflags;
+ new->dsn_orcpt = r->orcpt;
+ DEBUG(D_deliver) debug_printf("DSN: set orcpt: %s flags: %d\n", new->dsn_orcpt, new->dsn_flags);
+ #endif
+
switch (process_recipients)
{
/* RECIP_DEFER is set when a system filter freezes a message. */
regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
#endif
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
if (regex_PRDR == NULL) regex_PRDR =
regex_must_compile(US"\\n250[\\s\\-]PRDR(\\s|\\n|$)", FALSE, TRUE);
#endif
+ #ifdef EXPERIMENTAL_DSN
+ /* Set the regex to check for DSN support on remote MTA */
+ if (regex_DSN == NULL) regex_DSN =
+ regex_must_compile(US"\\n250[\\s\\-]DSN(\\s|\\n|$)", FALSE, TRUE);
+ #endif
+
/* Now sort the addresses if required, and do the deliveries. The yield of
do_remote_deliveries is FALSE when mua_wrapper is set and all addresses
cannot be delivered in one transaction. */
else if (!dont_deliver) retry_update(&addr_defer, &addr_failed, &addr_succeed);
+#ifdef EXPERIMENTAL_DSN
+/* Send DSN for successful messages */
+addr_dsntmp = addr_succeed;
+addr_senddsn = NULL;
+
+while(addr_dsntmp != NULL)
+ {
+ DEBUG(D_deliver)
+ debug_printf("DSN: processing router : %s\n", addr_dsntmp->router->name);
+
+ DEBUG(D_deliver)
+ debug_printf("DSN: processing successful delivery address: %s\n", addr_dsntmp->address);
+
+ /* af_ignore_error not honored here. it's not an error */
+
+ DEBUG(D_deliver) debug_printf("DSN: Sender_address: %s\n", sender_address);
+ DEBUG(D_deliver) debug_printf("DSN: orcpt: %s flags: %d\n", addr_dsntmp->dsn_orcpt, addr_dsntmp->dsn_flags);
+ DEBUG(D_deliver) debug_printf("DSN: envid: %s ret: %d\n", dsn_envid, dsn_ret);
+ DEBUG(D_deliver) debug_printf("DSN: Final recipient: %s\n", addr_dsntmp->address);
+ DEBUG(D_deliver) debug_printf("DSN: Remote SMTP server supports DSN: %d\n", addr_dsntmp->dsn_aware);
+
+ /* send report if next hop not DSN aware or a router flagged "last DSN hop"
+ and a report was requested */
+ if (((addr_dsntmp->dsn_aware != dsn_support_yes) ||
+ ((addr_dsntmp->dsn_flags & rf_dsnlasthop) != 0))
+ &&
+ (((addr_dsntmp->dsn_flags & rf_dsnflags) != 0) &&
+ ((addr_dsntmp->dsn_flags & rf_notify_success) != 0)))
+ {
+ /* copy and relink address_item and send report with all of them at once later */
+ address_item *addr_next;
+ addr_next = addr_senddsn;
+ addr_senddsn = store_get(sizeof(address_item));
+ memcpy(addr_senddsn, addr_dsntmp, sizeof(address_item));
+ addr_senddsn->next = addr_next;
+ }
+ else
+ {
+ DEBUG(D_deliver) debug_printf("DSN: *** NOT SENDING DSN SUCCESS Message ***\n");
+ }
+
+ addr_dsntmp = addr_dsntmp->next;
+ }
+
+if (addr_senddsn != NULL)
+ {
+ pid_t pid;
+ int fd;
+
+ /* create exim process to send message */
+ pid = child_open_exim(&fd);
+
+ DEBUG(D_deliver) debug_printf("DSN: child_open_exim returns: %d\n", pid);
+
+ if (pid < 0) /* Creation of child failed */
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Process %d (parent %d) failed to "
+ "create child process to send failure message: %s", getpid(),
+ getppid(), strerror(errno));
+
+ DEBUG(D_deliver) debug_printf("DSN: child_open_exim failed\n");
+
+ }
+ else /* Creation of child succeeded */
+ {
+ FILE *f = fdopen(fd, "wb");
+ /* header only as required by RFC. only failure DSN needs to honor RET=FULL */
+ int topt = topt_add_return_path | topt_no_body;
+ uschar boundaryStr[64];
+
+ DEBUG(D_deliver) debug_printf("sending error message to: %s\n", sender_address);
+
+ /* build unique id for MIME boundary */
+ snprintf(boundaryStr, 63, "%d-eximdsn-%d", time(NULL), rand());
+ DEBUG(D_deliver) debug_printf("DSN: MIME boundary: %s\n", boundaryStr);
+
+ if (errors_reply_to != NULL) fprintf(f,"Reply-To: %s\n", errors_reply_to);
+
+ fprintf(f,"Auto-Submitted: auto-generated\n");
+ fprintf(f,"From: Mail Delivery System <Mailer-Daemon@%s>\n", qualify_domain_sender);
+ fprintf(f,"To: %s\n", sender_address);
+ fprintf(f,"Subject: Delivery Status Notification\n");
+ fprintf(f,"Content-Type: multipart/report; report-type=delivery-status; boundary=%s\n", boundaryStr);
+ fprintf(f,"MIME-Version: 1.0\n\n");
+
+ fprintf(f,"--%s\n", boundaryStr);
+ fprintf(f,"Content-type: text/plain; charset=us-ascii\n\n");
+
+ fprintf(f,"This message was created automatically by mail delivery software.\n");
+ fprintf(f," ----- The following addresses had successful delivery notifications -----\n");
+
+ addr_dsntmp = addr_senddsn;
+ while(addr_dsntmp != NULL)
+ {
+ if ((addr_dsntmp->dsn_flags & rf_dsnlasthop) == 1) {
+ fprintf(f,"<%s> (relayed via non DSN router)\n\n", addr_dsntmp->address);
+ }
+ else if (addr_dsntmp->dsn_aware == dsn_support_no) {
+ fprintf(f,"<%s> (relayed to non-DSN-aware mailer)\n\n", addr_dsntmp->address);
+ }
+ else {
+ fprintf(f,"<%s> (relayed via non \"Remote SMTP\" router)\n\n", addr_dsntmp->address);
+ }
+ addr_dsntmp = addr_dsntmp->next;
+ }
+ fprintf(f,"--%s\n", boundaryStr);
+ fprintf(f,"Content-type: message/delivery-status\n\n");
+
+ fprintf(f,"Reporting-MTA: dns; %s\n", smtp_active_hostname);
+ if (dsn_envid != NULL) {
+ /* must be decoded from xtext: see RFC 3461:6.3a */
+ uschar *xdec_envid;
+ if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0)
+ fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid);
+ else
+ fprintf(f,"X-Original-Envelope-ID: error decoding xtext formated ENVID\n");
+ }
+ fprintf(f,"\n");
+
+ addr_dsntmp = addr_senddsn;
+ while(addr_dsntmp != NULL)
+ {
+ if (addr_dsntmp->dsn_orcpt != NULL) {
+ fprintf(f,"Original-Recipient: %s\n", addr_dsntmp->dsn_orcpt);
+ }
+ fprintf(f,"Action: delivered\n");
+ fprintf(f,"Final-Recipient: rfc822;%s\n", addr_dsntmp->address);
+ fprintf(f,"Status: 2.0.0\n");
+ if ((addr_dsntmp->host_used != NULL) && (addr_dsntmp->host_used->name != NULL))
+ fprintf(f,"Remote-MTA: dns; %s\nDiagnostic-Code: smtp; 250 Ok\n", addr_dsntmp->host_used->name);
+ else
+ if ((addr_dsntmp->dsn_flags & rf_dsnlasthop) == 1)
+ fprintf(f,"Diagnostic-Code: X-Exim; relayed via non DSN router\n");
+ else
+ fprintf(f,"Diagnostic-Code: X-Exim; relayed via non SMTP router\n");
+ fprintf(f,"\n");
+ addr_dsntmp = addr_dsntmp->next;
+ }
+
+ fprintf(f,"--%s\n", boundaryStr);
+ fprintf(f,"Content-type: text/rfc822-headers\n\n");
+
+ fflush(f);
+ transport_filter_argv = NULL; /* Just in case */
+ return_path = sender_address; /* In case not previously set */
+
+ /* Write the original email out */
+ transport_write_message(NULL, fileno(f), topt, 0, NULL, NULL, NULL, NULL, NULL, 0);
+ fflush(f);
+
+ fprintf(f,"\n");
+ fprintf(f,"--%s--\n", boundaryStr);
+
+ fflush(f);
+ fclose(f);
+ rc = child_close(pid, 0); /* Waits for child to close, no timeout */
+ }
+ }
+#endif
+
/* If any addresses failed, we must send a message to somebody, unless
af_ignore_error is set, in which case no action is taken. It is possible for
several messages to get sent if there are addresses with different
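Review bot: in the Reporting-MTA section, `auth_xtextdecode(dsn_envid, &xdec_envid) > 0` is followed by `fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid)`, so the decoded xdec_envid is never used and the header carries the still-encoded value, contrary to the RFC 3461 comment just above it; print xdec_envid instead. The two `(addr_dsntmp->dsn_flags & rf_dsnlasthop) == 1` tests only work if rf_dsnlasthop is bit 0, while the selection loop earlier uses `!= 0`; use the same form in all three places. The report is also written with `To: %s` from sender_address on `addr_senddsn != NULL` alone, with no check for an empty sender like the `sender_address[0] != 0` test that guards the delay warning, and the LOG_PANIC_DIE text says "failure message" on what is the success path.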
it from the list, throw away any saved message file, log it, and
mark the recipient done. */
- if (testflag(addr_failed, af_ignore_error))
- {
+ if (testflag(addr_failed, af_ignore_error)
+#ifdef EXPERIMENTAL_DSN
+ || (((addr_failed->dsn_flags & rf_dsnflags) != 0)
+ && ((addr_failed->dsn_flags & rf_notify_failure) != rf_notify_failure))
+#endif
+ )
+ {
addr = addr_failed;
addr_failed = addr->next;
if (addr->return_filename != NULL) Uunlink(addr->return_filename);
moan_write_from(f);
fprintf(f, "To: %s\n", bounce_recipient);
+#ifdef EXPERIMENTAL_DSN
+ /* generate boundary string and output MIME-Headers */
+ uschar boundaryStr[64];
+ snprintf(boundaryStr, 63, "%d-eximdsn-%d", time(NULL), rand());
+ fprintf(f,"Content-Type: multipart/report; report-type=delivery-status; boundary=%s\n", boundaryStr);
+ fprintf(f,"MIME-Version: 1.0\n");
+#endif
+
/* Open a template file if one is provided. Log failure to open, but
carry on - default texts will be used. */
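Review bot: `snprintf(boundaryStr, 63, "%d-eximdsn-%d", time(NULL), rand())` passes a time_t to `%d` and a uschar array where snprintf expects char *. Cast the time value to match the conversion (for example `(int)time(NULL)`, or `%ld` with a long cast), pass `CS boundaryStr`, and use `sizeof(boundaryStr)` instead of the literal 63. In this hunk the declaration also follows an executable statement, which C89 compilers reject; the identical snprintf line appears in the success and delay-warning blocks and needs the same treatment.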
to_sender? ": returning message to sender" : "");
}
+#ifdef EXPERIMENTAL_DSN
+ /* output human readable part as text/plain section */
+ fprintf(f,"--%s\n", boundaryStr);
+ fprintf(f,"Content-type: text/plain; charset=us-ascii\n\n");
+#endif
+
emf_text = next_emf(emf, US"intro");
if (emf_text != NULL) fprintf(f, "%s", CS emf_text); else
{
fprintf(f, "\n");
}
+#ifdef EXPERIMENTAL_DSN
+ /* output machine readable part */
+ fprintf(f,"--%s\n", boundaryStr);
+ fprintf(f,"Content-type: message/delivery-status\n\n");
+
+ fprintf(f,"Reporting-MTA: dns; %s\n", smtp_active_hostname);
+ if (dsn_envid != NULL) {
+ /* must be decoded from xtext: see RFC 3461:6.3a */
+ uschar *xdec_envid;
+ if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0)
+ fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid);
+ else
+ fprintf(f,"X-Original-Envelope-ID: error decoding xtext formated ENVID\n");
+ }
+ fprintf(f,"\n");
+
+ for (addr = handled_addr; addr != NULL; addr = addr->next)
+ {
+ fprintf(f,"Action: failed\n");
+ fprintf(f,"Final-Recipient: rfc822;%s\n", addr->address);
+ fprintf(f,"Status: 5.0.0\n");
+ if ((addr->host_used != NULL) && (addr->host_used->name != NULL))
+ fprintf(f,"Remote-MTA: dns; %s\nDiagnostic-Code: smtp; %d\n", addr->host_used->name, addr->basic_errno);
+ }
+#endif
+
/* Now copy the message, trying to give an intelligible comment if
it is too long for it all to be copied. The limit isn't strictly
applied because of the buffering. There is, however, an option
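Review bot: the per-recipient loop at the end of this block never writes a blank line between addresses, so with more than one failed recipient the Action/Final-Recipient/Status fields run together into a single group; the success report in this patch ends each address with `fprintf(f,"\n")`. The loop also omits the Original-Recipient line that the success and delay blocks emit from dsn_orcpt, and `Diagnostic-Code: smtp; %d` prints addr->basic_errno, which is an error number rather than the remote server's SMTP reply.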
emf_text = next_emf(emf, US"copy");
+#ifndef EXPERIMENTAL_DSN
if (bounce_return_message)
{
int topt = topt_add_return_path;
if (emf_text != NULL) fprintf(f, "%s", CS emf_text);
(void)fclose(emf);
}
+#else
+ /* add message body
+ we ignore the intro text from template and add
+ the text for bounce_return_size_limit at the end.
+
+ bounce_return_message is ignored
+ in case RET= is defined we honor these values
+ otherwise bounce_return_body is honored.
+
+ bounce_return_size_limit is always honored.
+ */
+
+ fprintf(f,"\n--%s\n", boundaryStr);
+
+ uschar *dsnlimitmsg = US"X-Exim-DSN-Information: Due to administrative limits only headers are returned";
+ uschar *dsnnotifyhdr = NULL;
+ int topt = topt_add_return_path;
+ /* RET=HDRS? top priority */
+ if (dsn_ret == dsn_ret_hdrs)
+ topt |= topt_no_body;
+ else
+ /* no full body return at all? */
+ if (!bounce_return_body)
+ {
+ topt |= topt_no_body;
+ /* add header if we overrule RET=FULL */
+ if (dsn_ret == dsn_ret_full)
+ dsnnotifyhdr = dsnlimitmsg;
+ }
+ /* size limited ... return headers only if limit reached */
+ else if (bounce_return_size_limit > 0)
+ {
+ struct stat statbuf;
+ if (fstat(deliver_datafile, &statbuf) == 0 && statbuf.st_size > max)
+ {
+ topt |= topt_no_body;
+ dsnnotifyhdr = dsnlimitmsg;
+ }
+ }
+
+ if (topt & topt_no_body)
+ fprintf(f,"Content-type: text/rfc822-headers\n\n");
+ else
+ fprintf(f,"Content-type: message/rfc822\n\n");
+
+ fflush(f);
+ transport_filter_argv = NULL; /* Just in case */
+ return_path = sender_address; /* In case not previously set */
+ transport_write_message(NULL, fileno(f), topt,
+ 0, dsnnotifyhdr, NULL, NULL, NULL, NULL, 0);
+ fflush(f);
+
+ /* we never add the final text. close the file */
+ if (emf != NULL)
+ (void)fclose(emf);
+
+ fprintf(f,"\n");
+ fprintf(f,"--%s--\n", boundaryStr);
+#endif
/* Close the file, which should send an EOF to the child process
that is receiving the message. Wait for it to finish. */
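Review bot: the comment in the #else branch states "bounce_return_message is ignored", so a build with EXPERIMENTAL_DSN always returns at least the original headers even when the administrator has turned bounce_return_message off, which the #ifndef branch still honours with `if (bounce_return_message)`. Either keep that test around the transport_write_message() call or document the changed meaning of the option alongside the feature. The size test is guarded by `bounce_return_size_limit > 0` but compares st_size with `max`; a short comment tying the two together would help.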
it also defers). */
if (!queue_2stage && delivery_attempted &&
+#ifdef EXPERIMENTAL_DSN
+ (((addr_defer->dsn_flags & rf_dsnflags) == 0) ||
+ (addr_defer->dsn_flags & rf_notify_delay) == rf_notify_delay) &&
+#endif
delay_warning[1] > 0 && sender_address[0] != 0 &&
(delay_warning_condition == NULL ||
expand_check_condition(delay_warning_condition,
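Review bot: the added NOTIFY test reads dsn_flags from addr_defer only, that is, from the head of the deferred list, yet the warning that follows lists every deferred address in its `while (addr_defer != NULL)` loop. If recipients can carry different NOTIFY settings, the first one decides for all; filter per address when building the list, or say in a comment why the head is representative.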
moan_write_from(f);
fprintf(f, "To: %s\n", recipients);
+#ifdef EXPERIMENTAL_DSN
+ /* generated boundary string and output MIME-Headers */
+ uschar boundaryStr[64];
+ snprintf(boundaryStr, 63, "%d-eximdsn-%d", time(NULL), rand());
+ fprintf(f,"Content-Type: multipart/report; report-type=delivery-status; boundary=%s\n", boundaryStr);
+ fprintf(f,"MIME-Version: 1.0\n");
+#endif
+
wmf_text = next_emf(wmf, US"header");
if (wmf_text != NULL)
fprintf(f, "%s\n", wmf_text);
fprintf(f, "Subject: Warning: message %s delayed %s\n\n",
message_id, warnmsg_delay);
+#ifdef EXPERIMENTAL_DSN
+ /* output human readable part as text/plain section */
+ fprintf(f,"--%s\n", boundaryStr);
+ fprintf(f,"Content-type: text/plain; charset=us-ascii\n\n");
+#endif
+
wmf_text = next_emf(wmf, US"intro");
if (wmf_text != NULL) fprintf(f, "%s", CS wmf_text); else
{
/* List the addresses, with error information if allowed */
+#ifdef EXPERIMENTAL_DSN
+ /* store addr_defer for machine readable part */
+ address_item *addr_dsndefer = addr_defer;
+#endif
fprintf(f, "\n");
while (addr_defer != NULL)
{
"and when that happens, the message will be returned to you.\n");
}
+#ifdef EXPERIMENTAL_DSN
+ /* output machine readable part */
+ fprintf(f,"\n--%s\n", boundaryStr);
+ fprintf(f,"Content-type: message/delivery-status\n\n");
+
+ fprintf(f,"Reporting-MTA: dns; %s\n", smtp_active_hostname);
+ if (dsn_envid != NULL) {
+ /* must be decoded from xtext: see RFC 3461:6.3a */
+ uschar *xdec_envid;
+ if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0)
+ fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid);
+ else
+ fprintf(f,"X-Original-Envelope-ID: error decoding xtext formated ENVID\n");
+ }
+ fprintf(f,"\n");
+
+ while (addr_dsndefer != NULL)
+ {
+ if (addr_dsndefer->dsn_orcpt != NULL) {
+ fprintf(f,"Original-Recipient: %s\n", addr_dsndefer->dsn_orcpt);
+ }
+ fprintf(f,"Action: delayed\n");
+ fprintf(f,"Final-Recipient: rfc822;%s\n", addr_dsndefer->address);
+ fprintf(f,"Status: 4.0.0\n");
+ if ((addr_dsndefer->host_used != NULL) && (addr_dsndefer->host_used->name != NULL))
+ fprintf(f,"Remote-MTA: dns; %s\nDiagnostic-Code: smtp; %d\n",
+ addr_dsndefer->host_used->name, addr_dsndefer->basic_errno);
+ addr_dsndefer = addr_dsndefer->next;
+ }
+
+ fprintf(f,"\n--%s\n", boundaryStr);
+ fprintf(f,"Content-type: text/rfc822-headers\n\n");
+
+ fflush(f);
+ /* header only as required by RFC. only failure DSN needs to honor RET=FULL */
+ int topt = topt_add_return_path | topt_no_body;
+ transport_filter_argv = NULL; /* Just in case */
+ return_path = sender_address; /* In case not previously set */
+ /* Write the original email out */
+ transport_write_message(NULL, fileno(f), topt, 0, NULL, NULL, NULL, NULL, NULL, 0);
+ fflush(f);
+
+ fprintf(f,"\n");
+ fprintf(f,"--%s--\n", boundaryStr);
+
+ fflush(f);
+#endif
+
/* Close and wait for child process to complete, without a timeout.
If there's an error, don't update the count. */
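Review bot: the machine-readable part here repeats, nearly verbatim, the Reporting-MTA / Original-Envelope-ID lines and the per-recipient loop already added for the success and failure reports, differing only in the Action and Status strings. A static helper taking the FILE pointer, the address list and those two strings would keep the three reports in sync and give later fixes a single place to land.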
return final_yield;
}
+/* vi: aw ai sw=2
+*/
/* End of deliver.c */
dns_scan dnss;
dns_record *rr;
+ lookup_dnssec_authenticated = NULL;
if (dns_lookup(&dnsa, (uschar *)name, T_TXT, NULL) != DNS_SUCCEED) return PDKIM_FAIL;
/* Search for TXT record */
* Exim - an Internet mail transport agent *
*************************************************/
/* Experimental DMARC support.
- Copyright (c) Todd Lyons <tlyons@exim.org> 2012, 2013
+ Copyright (c) Todd Lyons <tlyons@exim.org> 2012 - 2014
License: GPL */
/* Portions Copyright (c) 2012, 2013, The Trusted Domain Project;
int history_file_status = DMARC_HIST_OK;
uschar *dkim_history_buffer= NULL;
+typedef struct dmarc_exim_p {
+ uschar *name;
+ int value;
+} dmarc_exim_p;
+
+static dmarc_exim_p dmarc_policy_description[] = {
+ { US"", DMARC_RECORD_P_UNSPECIFIED },
+ { US"none", DMARC_RECORD_P_NONE },
+ { US"quarantine", DMARC_RECORD_P_QUARANTINE },
+ { US"reject", DMARC_RECORD_P_REJECT },
+ { NULL, 0 }
+};
/* Accept an error_block struct, initialize if empty, parse to the
* end, and append the two strings passed to it. Used for adding
* variable amounts of value:pair data to the forensic emails. */
int dmarc_process() {
int sr, origin; /* used in SPF section */
int dmarc_spf_result = 0; /* stores spf into dmarc conn ctx */
+ int tmp_ans, c;
pdkim_signature *sig = NULL;
BOOL has_dmarc_record = TRUE;
u_char **ruf; /* forensic report addressees, if called for */
dmarc_abort = TRUE;
else
{
- uschar * errormsg;
- int dummy, domain;
- uschar * p;
- uschar saveend;
-
- parse_allow_group = TRUE;
- p = parse_find_address_end(from_header->text, FALSE);
- saveend = *p; *p = '\0';
- if ((header_from_sender = parse_extract_address(from_header->text, &errormsg,
- &dummy, &dummy, &domain, FALSE)))
- header_from_sender += domain;
- *p = saveend;
-
- /* The opendmarc library extracts the domain from the email address, but
- * only try to store it if it's not empty. Otherwise, skip out of DMARC. */
- if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0))
- dmarc_abort = TRUE;
- libdm_status = dmarc_abort ?
- DMARC_PARSE_OKAY :
- opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender);
- if (libdm_status != DMARC_PARSE_OKAY)
+ uschar * errormsg;
+ int dummy, domain;
+ uschar * p;
+ uschar saveend;
+
+ parse_allow_group = TRUE;
+ p = parse_find_address_end(from_header->text, FALSE);
+ saveend = *p; *p = '\0';
+ if ((header_from_sender = parse_extract_address(from_header->text, &errormsg,
+ &dummy, &dummy, &domain, FALSE)))
+ header_from_sender += domain;
+ *p = saveend;
+
+ /* The opendmarc library extracts the domain from the email address, but
+ * only try to store it if it's not empty. Otherwise, skip out of DMARC. */
+ if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0))
+ dmarc_abort = TRUE;
+ libdm_status = dmarc_abort ?
+ DMARC_PARSE_OKAY :
+ opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender);
+ if (libdm_status != DMARC_PARSE_OKAY)
{
log_write(0, LOG_MAIN|LOG_PANIC,
"failure to store header From: in DMARC: %s, header was '%s'",
( vs == PDKIM_VERIFY_INVALID ) ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL :
DMARC_POLICY_DKIM_OUTCOME_NONE;
libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, (uschar *)sig->domain,
- dkim_result, US"");
+ dkim_result, US"");
DEBUG(D_receive)
debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain);
if (libdm_status != DMARC_PARSE_OKAY)
log_write(0, LOG_MAIN|LOG_PANIC, "failure to store dkim (%s) for DMARC: %s",
- sig->domain, opendmarc_policy_status_to_str(libdm_status));
+ sig->domain, opendmarc_policy_status_to_str(libdm_status));
dkim_ares_result = ( vs == PDKIM_VERIFY_PASS ) ? ARES_RESULT_PASS :
- ( vs == PDKIM_VERIFY_FAIL ) ? ARES_RESULT_FAIL :
- ( vs == PDKIM_VERIFY_NONE ) ? ARES_RESULT_NONE :
- ( vs == PDKIM_VERIFY_INVALID ) ?
+ ( vs == PDKIM_VERIFY_FAIL ) ? ARES_RESULT_FAIL :
+ ( vs == PDKIM_VERIFY_NONE ) ? ARES_RESULT_NONE :
+ ( vs == PDKIM_VERIFY_INVALID ) ?
( ves == PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE ? ARES_RESULT_PERMERROR :
ves == PDKIM_VERIFY_INVALID_BUFFER_SIZE ? ARES_RESULT_PERMERROR :
ves == PDKIM_VERIFY_INVALID_PUBKEY_PARSING ? ARES_RESULT_PERMERROR :
ARES_RESULT_UNKNOWN ) :
ARES_RESULT_UNKNOWN;
dkim_history_buffer = string_sprintf("%sdkim %s %d\n", dkim_history_buffer,
- sig->domain, dkim_ares_result);
+ sig->domain, dkim_ares_result);
sig = sig->next;
}
libdm_status = opendmarc_policy_query_dmarc(dmarc_pctx, US"");
has_dmarc_record = FALSE;
break;
}
+
+ /* Store the policy string in an expandable variable. */
+ libdm_status = opendmarc_policy_fetch_p(dmarc_pctx, &tmp_ans);
+ for (c=0; dmarc_policy_description[c].name != NULL; c++) {
+ if (tmp_ans == dmarc_policy_description[c].value) {
+ dmarc_domain_policy = string_sprintf("%s",dmarc_policy_description[c].name);
+ break;
+ }
+ }
+
/* Can't use exim's string manipulation functions so allocate memory
* for libopendmarc using its max hostname length definition. */
uschar *dmarc_domain = (uschar *)calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar));
libdm_status = opendmarc_policy_fetch_utilized_domain(dmarc_pctx, dmarc_domain,
- DMARC_MAXHOSTNAMELEN-1);
+ DMARC_MAXHOSTNAMELEN-1);
dmarc_used_domain = string_copy(dmarc_domain);
free(dmarc_domain);
if (libdm_status != DMARC_PARSE_OKAY)
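Review bot: the result of `opendmarc_policy_fetch_p(dmarc_pctx, &tmp_ans)` is stored in libdm_status but overwritten by the opendmarc_policy_fetch_utilized_domain() call before anything checks it, and tmp_ans is declared without an initialiser. If the fetch fails, the lookup loop compares an indeterminate value against the table, and when nothing matches, dmarc_domain_policy keeps whatever it held before. Initialise tmp_ans to DMARC_RECORD_P_UNSPECIFIED, check libdm_status before the loop, and set dmarc_domain_policy explicitly on the no-match path.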
if (spf_response != NULL)
history_buffer = string_sprintf("%sspf %d\n", history_buffer, dmarc_spf_ares_result);
- // history_buffer = string_sprintf("%sspf -1\n", history_buffer);
+ /* history_buffer = string_sprintf("%sspf -1\n", history_buffer); */
history_buffer = string_sprintf("%s%s", history_buffer, dkim_history_buffer);
history_buffer = string_sprintf("%spdomain %s\n", history_buffer, dmarc_used_domain);
#endif /* EXPERIMENTAL_SPF */
#endif /* EXPERIMENTAL_DMARC */
-
-// vim:sw=2 expandtab
*************************************************/
/* Experimental DMARC support.
- Copyright (c) Todd Lyons <tlyons@exim.org> 2012, 2013
+ Copyright (c) Todd Lyons <tlyons@exim.org> 2012 - 2014
License: GPL */
/* Portions Copyright (c) 2012, 2013, The Trusted Domain Project;
#define ARES_RESULT_DISCARD 12
#endif /* EXPERIMENTAL_DMARC */
-
-// vim:sw=2 expandtab
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for interfacing with the DNS. */
Arguments:
qualify_single TRUE to set the RES_DEFNAMES option
search_parents TRUE to set the RES_DNSRCH option
+ use_dnssec TRUE to set the RES_USE_DNSSEC option
Returns: nothing
*/
void
-dns_init(BOOL qualify_single, BOOL search_parents)
+dns_init(BOOL qualify_single, BOOL search_parents, BOOL use_dnssec)
{
res_state resp = os_get_dns_resolver_res();
# ifndef RES_USE_EDNS0
# error Have RES_USE_DNSSEC but not RES_USE_EDNS0? Something hinky ...
# endif
+if (use_dnssec)
+ resp->options |= RES_USE_DNSSEC;
if (dns_dnssec_ok >= 0)
{
if (dns_use_edns0 == 0 && dns_dnssec_ok != 0)
DEBUG(D_resolver)
debug_printf("Unable to %sset DNSSEC without resolver support.\n",
dns_dnssec_ok ? "" : "un");
+if (use_dnssec)
+ DEBUG(D_resolver)
+ debug_printf("Unable to set DNSSEC without resolver support.\n");
# endif
#endif /* DISABLE_DNSSEC */
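Review bot: the new "if (use_dnssec) resp->options |= RES_USE_DNSSEC;" sets the flag without the dns_use_edns0 test that the dns_dnssec_ok branch directly below applies, and that branch still runs afterwards. Please state in the function comment which setting wins when the global option and the per-call argument disagree, and either route the per-call case through the same EDNS0 check or say why it is not needed. In the no-resolver-support branch the added debug line duplicates the existing one when both conditions hold.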
case T_SRV: return US"SRV";
case T_NS: return US"NS";
case T_CNAME: return US"CNAME";
+ case T_TLSA: return US"TLSA";
default: return US"?";
}
}
return yield;
}
+/* vi: aw ai sw=2
+*/
/* End of dns.c */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
use strict;
-# Copyright (c) 2007 University of Cambridge.
+# Copyright (c) 2007-2014 University of Cambridge.
# See the file NOTICE for conditions of use and distribution.
# Except when they appear in comments, the following placeholders in this
{ print "$_\n"; }
}
+# Rotated log files are frequently compressed and there are a variety of
+# formats it could be compressed with. Rather than use just one that is
+# detected and hardcoded at Exim compile time, detect and use what the
+# logfile is compressed with on the fly.
+#
+# List of known compression extensions and their associated commands:
+my $compressors = {
+ gz => { cmd => 'zcat', args => '' },
+ bz2 => { cmd => 'bzcat', args => '' },
+ xz => { cmd => 'xzcat', args => '' },
+ lzma => { cmd => 'lzma', args => '-dc' }
+};
+my $csearch = 0;
+
+sub detect_compressor_bin
+ {
+ my $ext = shift();
+ my $c = $compressors->{$ext}->{cmd};
+ $compressors->{$ext}->{bin} = `which $c 2>/dev/null`;
+ chomp($compressors->{$ext}->{bin});
+ }
+
+sub detect_compressor_capable
+ {
+ my $filename = shift();
+ map { &detect_compressor_bin($_) } keys %$compressors
+ if (!$csearch);
+ $csearch = 1;
+ return undef
+ unless (grep {$filename =~ /\.(?:$_)$/} keys %$compressors);
+ # Loop through them, figure out which one it detected,
+ # and build the commandline.
+ my $cmdline = undef;
+ foreach my $ext (keys %$compressors)
+ {
+ if ($filename =~ /\.(?:$ext)$/)
+ {
+ # Just die if compressor not found; if this occurrs in the middle of
+ # two valid files with a lot of matches, error could easily be missed.
+ die("Didn't find $ext decompressor for $filename\n")
+ if ($compressors->{$ext}->{bin} eq '');
+ $cmdline = $compressors->{$ext}->{bin} ." ".
+ $compressors->{$ext}->{args};
+ last;
+ }
+ }
+ return $cmdline;
+ }
# The main program. Extract the pattern and make sure any relevant characters
# are quoted if the -l flag is given. The -t flag gives a time-on-queue value
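Review bot: detect_compressor_bin() takes the decompressor path from "which $c" against the caller's PATH, so the program that log files are later piped through depends on the invoking environment rather than on a build-time setting as ZCAT_COMMAND does. Consider searching a fixed list of directories, or at least document that PATH is trusted here. Smaller points: detect_compressor_capable() matches the extension twice (the grep and then the foreach), which could be one loop that returns undef when nothing matches, and "occurrs" in the comment should be "occurs".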
open(LOG, "ZCAT_COMMAND $filename |") ||
die "Unable to zcat $filename: $!\n";
}
+ elsif (my $cmdline = &detect_compressor_capable($filename))
+ {
+ open(LOG, "$cmdline $filename |") ||
+ die "Unable to decompress $filename: $!\n";
+ }
else
{
open(LOG, "<$filename") || die "Unable to open $filename: $!\n";
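Review bot: open(LOG, "$cmdline $filename |") hands the file name to the shell, so a log path containing spaces or shell metacharacters is split or interpreted instead of being passed through as one argument. The list form of a piped open, open(LOG, '-|', $bin, @args, $filename), avoids the shell altogether; that needs detect_compressor_capable() to return the binary and its arguments as a list rather than a joined string. The existing ZCAT_COMMAND branch above has the same pattern and could be changed at the same time.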
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
if (!running_in_test_harness)
{
debug_printf("tick check: %lu.%06lu %lu.%06lu\n",
- then_tv->tv_sec, then_tv->tv_usec, now_tv.tv_sec, now_tv.tv_usec);
+ then_tv->tv_sec, (long) then_tv->tv_usec,
+ now_tv.tv_sec, (long) now_tv.tv_usec);
debug_printf("waiting %lu.%06lu\n", itval.it_value.tv_sec,
- itval.it_value.tv_usec);
+ (long) itval.it_value.tv_usec);
}
}
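Review bot: the tv_usec arguments are now cast to (long) but the format is still "%lu.%06lu", so the cast and the conversion disagree on signedness, and the tv_sec arguments are left uncast against %lu. Cast all four to (unsigned long), or switch the conversions to %ld, so the varargs types match the format on platforms where time_t or suseconds_t is not a long.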
if (smtp_input)
{
#ifdef SUPPORT_TLS
- tls_close(FALSE, FALSE); /* Shut down the TLS library */
+ tls_close(TRUE, FALSE); /* Shut down the TLS library */
#endif
(void)close(fileno(smtp_in));
(void)close(fileno(smtp_out));
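Review bot: the first argument to tls_close() flips from FALSE to TRUE while the comment still only says "Shut down the TLS library". Please add a word in the comment (or the commit message) on what that argument selects and why this call site needs the other value, since the change is not self-explanatory from the call.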
#ifdef WITH_OLD_DEMIME
fprintf(f, " Old_Demime");
#endif
+#ifndef DISABLE_PRDR
+ fprintf(f, " PRDR");
+#endif
+#ifndef DISABLE_OCSP
+ fprintf(f, " OCSP");
+#endif
#ifdef EXPERIMENTAL_SPF
fprintf(f, " Experimental_SPF");
#endif
#ifdef EXPERIMENTAL_DMARC
fprintf(f, " Experimental_DMARC");
#endif
-#ifdef EXPERIMENTAL_OCSP
- fprintf(f, " Experimental_OCSP");
-#endif
-#ifdef EXPERIMENTAL_PRDR
- fprintf(f, " Experimental_PRDR");
+#ifdef EXPERIMENTAL_PROXY
+ fprintf(f, " Experimental_Proxy");
#endif
#ifdef EXPERIMENTAL_TPDA
fprintf(f, " Experimental_TPDA");
#ifdef EXPERIMENTAL_REDIS
fprintf(f, " Experimental_Redis");
#endif
+#ifdef EXPERIMENTAL_CERTNAMES
+ fprintf(f, " Experimental_Certnames");
+#endif
+#ifdef EXPERIMENTAL_DSN
+ fprintf(f, " Experimental_DSN");
+#endif
fprintf(f, "\n");
fprintf(f, "Lookups (built-in):");
break;
}
+ #ifdef EXPERIMENTAL_DSN
+ /* -MCD: set the smtp_use_dsn flag; this indicates that the host
+ that exim is connected to supports the esmtp extension DSN */
+ else if (strcmp(argrest, "CD") == 0)
+ {
+ smtp_use_dsn = TRUE;
+ break;
+ }
+ #endif
+
/* -MCP: set the smtp_use_pipelining flag; this is useful only when
it preceded -MC (see above) */
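Review bot: the -MCD test uses strcmp(argrest, "CD") where the other option handlers in this file, including the -oM ones touched by this patch, use Ustrcmp(); argrest is a uschar pointer, so the bare strcmp will draw a pointer-signedness warning. Use Ustrcmp here for consistency. The #ifdef and #endif are also indented, unlike the other preprocessor lines in this patch.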
else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
+ /* -oMm: Message reference */
+
+ else if (Ustrcmp(argrest, "Mm") == 0)
+ {
+ if (!mac_ismsgid(argv[i+1]))
+ {
+ fprintf(stderr,"-oMm must be a valid message ID\n");
+ exit(EXIT_FAILURE);
+ }
+ if (!trusted_config)
+ {
+ fprintf(stderr,"-oMm must be called by a trusted user/config\n");
+ exit(EXIT_FAILURE);
+ }
+ message_reference = argv[++i];
+ }
+
/* -oMr: Received protocol */
else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
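Review bot: mac_ismsgid(argv[i+1]) is evaluated without checking that an argument follows, so when -oMm is the last word on the command line the macro is handed the NULL that terminates argv. Check i+1 < argc first and fail with the same "must be a valid message ID" error. It would also read better to test trusted_config before validating the value, so an untrusted caller is rejected on that ground regardless of what was supplied.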
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
#define T_SPF 99
#endif
+/* New TLSA record for DANE */
+#ifndef T_TLSA
+#define T_TLSA 52
+#endif
+#define MAX_TLSA_EXPANDED_SIZE 8192
+
/* It seems that some versions of arpa/nameser.h don't define *any* of the
T_xxx macros, which seem to be non-standard nowadays. Just to be on the safe
side, put in definitions for all the ones that Exim uses. */
#!PERL_COMMAND -w
-# Copyright (c) 2001 University of Cambridge.
+# Copyright (c) 2001-2014 University of Cambridge.
# See the file NOTICE for conditions of use and distribution.
# Perl script to generate statistics from one or more Exim log files.
$base = 62;
};
-getopts('hf:r:y:o:s:zxlibRc',\%opt);
+getopts('hf:r:y:o:s:C:zxlibRca',\%opt);
if ($opt{h}) { &help; exit;}
+if ($opt{a}) { $eargs = '-bp'; }
+if ($opt{C}) { $eargs .= ' -C '.$opt{C}; }
# Read message queue output into hash
&collect();
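Review bot: the value of -C is appended to $eargs as ' -C '.$opt{C} with no quoting. If $eargs is later interpolated into a command string (that code is not in this hunk), a configuration path containing spaces or shell metacharacters will be split or interpreted by the shell. Either quote the value when building the string or keep the extra arguments as a list and run exim without a shell. Also note that -a assigns $eargs outright while -C appends, so the result depends on $eargs having been initialised earlier; worth a comment.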
Exim message queue display utility.
-h This help message.
+ -C Specify which exim.conf to use.
Selection criteria:
-f <regexp> Match sender address sender (field is "< >" wrapped)
-i Message IDs only
-b Brief Format
-R Reverse order
+ -a All recipients (including delivered)
EOF
}
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Recursively called function */
-static uschar *expand_string_internal(uschar *, BOOL, uschar **, BOOL, BOOL);
+static uschar *expand_string_internal(uschar *, BOOL, uschar **, BOOL, BOOL, BOOL *);
#ifdef STAND_ALONE
#ifndef SUPPORT_CRYPTEQ
+#ifndef nelements
+# define nelements(arr) (sizeof(arr) / sizeof(*arr))
+#endif
/*************************************************
* Local statics and tables *
static uschar *item_table[] = {
US"acl",
+ US"certextract",
US"dlfunc",
US"extract",
US"filter",
US"hmac",
US"if",
US"length",
+ US"listextract",
US"lookup",
US"map",
US"nhash",
enum {
EITEM_ACL,
+ EITEM_CERTEXTRACT,
EITEM_DLFUNC,
EITEM_EXTRACT,
EITEM_FILTER,
EITEM_HMAC,
EITEM_IF,
EITEM_LENGTH,
+ EITEM_LISTEXTRACT,
EITEM_LOOKUP,
EITEM_MAP,
EITEM_NHASH,
US"rxquote",
US"s",
US"sha1",
+ US"sha256",
US"stat",
US"str2b64",
US"strlen",
US"substr",
- US"uc" };
+ US"uc",
+ US"utf8clean" };
enum {
EOP_ADDRESS = sizeof(op_table_underscore)/sizeof(uschar *),
EOP_RXQUOTE,
EOP_S,
EOP_SHA1,
+ EOP_SHA256,
EOP_STAT,
EOP_STR2B64,
EOP_STRLEN,
EOP_SUBSTR,
- EOP_UC };
+ EOP_UC,
+ EOP_UTF8CLEAN };
/* Table of condition names, and corresponding switch numbers. The names must
vtype_host_lookup, /* value not used; get host name */
vtype_load_avg, /* value not used; result is int from os_getloadavg */
vtype_pspace, /* partition space; value is T/F for spool/log */
- vtype_pinodes /* partition inodes; value is T/F for spool/log */
+ vtype_pinodes, /* partition inodes; value is T/F for spool/log */
+ vtype_cert /* SSL certificate */
#ifndef DISABLE_DKIM
,vtype_dkim /* Lookup of value in DKIM signature */
#endif
#endif
#ifdef EXPERIMENTAL_DMARC
{ "dmarc_ar_header", vtype_stringptr, &dmarc_ar_header },
+ { "dmarc_domain_policy", vtype_stringptr, &dmarc_domain_policy },
{ "dmarc_status", vtype_stringptr, &dmarc_status },
{ "dmarc_status_text", vtype_stringptr, &dmarc_status_text },
{ "dmarc_used_domain", vtype_stringptr, &dmarc_used_domain },
{ "localhost_number", vtype_int, &host_number },
{ "log_inodes", vtype_pinodes, (void *)FALSE },
{ "log_space", vtype_pspace, (void *)FALSE },
+ { "lookup_dnssec_authenticated",vtype_stringptr,&lookup_dnssec_authenticated},
{ "mailstore_basename", vtype_stringptr, &mailstore_basename },
#ifdef WITH_CONTENT_SCAN
{ "malware_name", vtype_stringptr, &malware_name },
{ "parent_local_part", vtype_stringptr, &deliver_localpart_parent },
{ "pid", vtype_pid, NULL },
{ "primary_hostname", vtype_stringptr, &primary_hostname },
+#ifdef EXPERIMENTAL_PROXY
+ { "proxy_host_address", vtype_stringptr, &proxy_host_address },
+ { "proxy_host_port", vtype_int, &proxy_host_port },
+ { "proxy_session", vtype_bool, &proxy_session },
+ { "proxy_target_address",vtype_stringptr, &proxy_target_address },
+ { "proxy_target_port", vtype_int, &proxy_target_port },
+#endif
{ "prvscheck_address", vtype_stringptr, &prvscheck_address },
{ "prvscheck_keynum", vtype_stringptr, &prvscheck_keynum },
{ "prvscheck_result", vtype_stringptr, &prvscheck_result },
{ "tls_in_bits", vtype_int, &tls_in.bits },
{ "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
{ "tls_in_cipher", vtype_stringptr, &tls_in.cipher },
+ { "tls_in_ocsp", vtype_int, &tls_in.ocsp },
+ { "tls_in_ourcert", vtype_cert, &tls_in.ourcert },
+ { "tls_in_peercert", vtype_cert, &tls_in.peercert },
{ "tls_in_peerdn", vtype_stringptr, &tls_in.peerdn },
#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
{ "tls_in_sni", vtype_stringptr, &tls_in.sni },
{ "tls_out_bits", vtype_int, &tls_out.bits },
{ "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
{ "tls_out_cipher", vtype_stringptr, &tls_out.cipher },
+ { "tls_out_ocsp", vtype_int, &tls_out.ocsp },
+ { "tls_out_ourcert", vtype_cert, &tls_out.ourcert },
+ { "tls_out_peercert", vtype_cert, &tls_out.peercert },
{ "tls_out_peerdn", vtype_stringptr, &tls_out.peerdn },
#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
{ "tls_out_sni", vtype_stringptr, &tls_out.sni },
+static var_entry *
+find_var_ent(uschar * name)
+{
+int first = 0;
+int last = var_table_size;
+
+while (last > first)
+ {
+ int middle = (first + last)/2;
+ int c = Ustrcmp(name, var_table[middle].name);
+
+ if (c > 0) { first = middle + 1; continue; }
+ if (c < 0) { last = middle; continue; }
+ return &var_table[middle];
+ }
+return NULL;
+}
/*************************************************
* Extract numbered subfield from string *
}
+static uschar *
+expand_getlistele(int field, uschar * list)
+{
+uschar * tlist= list;
+int sep= 0;
+uschar dummy;
+
+if(field<0)
+{
+ for(field++; string_nextinlist(&tlist, &sep, &dummy, 1); ) field++;
+ sep= 0;
+}
+if(field==0) return NULL;
+while(--field>0 && (string_nextinlist(&list, &sep, &dummy, 1))) ;
+return string_nextinlist(&list, &sep, NULL, 0);
+}
+
+
+/* Certificate fields, by name. Worry about by-OID later */
+/* Names are chosen to not have common prefixes */
+
+#ifdef SUPPORT_TLS
+typedef struct
+{
+uschar * name;
+int namelen;
+uschar * (*getfn)(void * cert, uschar * mod);
+} certfield;
+static certfield certfields[] =
+{ /* linear search; no special order */
+ { US"version", 7, &tls_cert_version },
+ { US"serial_number", 13, &tls_cert_serial_number },
+ { US"subject", 7, &tls_cert_subject },
+ { US"notbefore", 9, &tls_cert_not_before },
+ { US"notafter", 8, &tls_cert_not_after },
+ { US"issuer", 6, &tls_cert_issuer },
+ { US"signature", 9, &tls_cert_signature },
+ { US"sig_algorithm", 13, &tls_cert_signature_algorithm },
+ { US"subj_altname", 12, &tls_cert_subject_altname },
+ { US"ocsp_uri", 8, &tls_cert_ocsp_uri },
+ { US"crl_uri", 7, &tls_cert_crl_uri },
+};
+
+static uschar *
+expand_getcertele(uschar * field, uschar * certvar)
+{
+var_entry * vp;
+certfield * cp;
+
+if (!(vp = find_var_ent(certvar)))
+ {
+ expand_string_message =
+ string_sprintf("no variable named \"%s\"", certvar);
+ return NULL; /* Unknown variable name */
+ }
+/* NB this stops us passing certs around in variable. Might
+want to do that in future */
+if (vp->type != vtype_cert)
+ {
+ expand_string_message =
+ string_sprintf("\"%s\" is not a certificate", certvar);
+ return NULL; /* Unknown variable name */
+ }
+if (!*(void **)vp->value)
+ return NULL;
+
+if (*field >= '0' && *field <= '9')
+ return tls_cert_ext_by_oid(*(void **)vp->value, field, 0);
+
+for(cp = certfields;
+ cp < certfields + nelements(certfields);
+ cp++)
+ if (Ustrncmp(cp->name, field, cp->namelen) == 0)
+ {
+ uschar * modifier = *(field += cp->namelen) == ','
+ ? ++field : NULL;
+ return (*cp->getfn)( *(void **)vp->value, modifier );
+ }
+
+expand_string_message =
+ string_sprintf("bad field selector \"%s\" for certextract", field);
+return NULL;
+}
+#endif /*SUPPORT_TLS*/
/*************************************************
* Extract a substring from a string *
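Review bot: in expand_getlistele() a negative index that reaches past the start of the list is not rejected. After the counting loop field can still be negative (for example -5 on a two-element list leaves -2), the "if(field==0) return NULL;" test does not catch it, the while loop is skipped, and the first element is returned. Make the test "if(field<=0) return NULL;". In expand_getcertele() the selector is matched with Ustrncmp() on a prefix, so any trailing text that does not start with a comma (for example "subjectfoo") is silently accepted as "subject"; check that the character after the name is either NUL or ','. The hand-counted namelen values would be safer derived from the strings, and the second "Unknown variable name" comment is a copy of the first and does not describe the not-a-certificate case.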
static uschar *
find_variable(uschar *name, BOOL exists_only, BOOL skipping, int *newsize)
{
-int first = 0;
-int last = var_table_size;
+var_entry * vp;
+uschar *s, *domain;
+uschar **ss;
+void * val;
/* Handle ACL variables, whose names are of the form acl_cxxx or acl_mxxx.
Originally, xxx had to be a number in the range 0-9 (later 0-19), but from
/* For all other variables, search the table */
-while (last > first)
- {
- uschar *s, *domain;
- uschar **ss;
- int middle = (first + last)/2;
- int c = Ustrcmp(name, var_table[middle].name);
-
- if (c > 0) { first = middle + 1; continue; }
- if (c < 0) { last = middle; continue; }
+if (!(vp = find_var_ent(name)))
+ return NULL; /* Unknown variable name */
- /* Found an existing variable. If in skipping state, the value isn't needed,
- and we want to avoid processing (such as looking up the host name). */
+/* Found an existing variable. If in skipping state, the value isn't needed,
+and we want to avoid processing (such as looking up the host name). */
- if (skipping) return US"";
+if (skipping)
+ return US"";
- switch (var_table[middle].type)
+val = vp->value;
+switch (vp->type)
+ {
+ case vtype_filter_int:
+ if (!filter_running) return NULL;
+ /* Fall through */
+ /* VVVVVVVVVVVV */
+ case vtype_int:
+ sprintf(CS var_buffer, "%d", *(int *)(val)); /* Integer */
+ return var_buffer;
+
+ case vtype_ino:
+ sprintf(CS var_buffer, "%ld", (long int)(*(ino_t *)(val))); /* Inode */
+ return var_buffer;
+
+ case vtype_gid:
+ sprintf(CS var_buffer, "%ld", (long int)(*(gid_t *)(val))); /* gid */
+ return var_buffer;
+
+ case vtype_uid:
+ sprintf(CS var_buffer, "%ld", (long int)(*(uid_t *)(val))); /* uid */
+ return var_buffer;
+
+ case vtype_bool:
+ sprintf(CS var_buffer, "%s", *(BOOL *)(val) ? "yes" : "no"); /* bool */
+ return var_buffer;
+
+ case vtype_stringptr: /* Pointer to string */
+ s = *((uschar **)(val));
+ return (s == NULL)? US"" : s;
+
+ case vtype_pid:
+ sprintf(CS var_buffer, "%d", (int)getpid()); /* pid */
+ return var_buffer;
+
+ case vtype_load_avg:
+ sprintf(CS var_buffer, "%d", OS_GETLOADAVG()); /* load_average */
+ return var_buffer;
+
+ case vtype_host_lookup: /* Lookup if not done so */
+ if (sender_host_name == NULL && sender_host_address != NULL &&
+ !host_lookup_failed && host_name_lookup() == OK)
+ host_build_sender_fullhost();
+ return (sender_host_name == NULL)? US"" : sender_host_name;
+
+ case vtype_localpart: /* Get local part from address */
+ s = *((uschar **)(val));
+ if (s == NULL) return US"";
+ domain = Ustrrchr(s, '@');
+ if (domain == NULL) return s;
+ if (domain - s > sizeof(var_buffer) - 1)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "local part longer than " SIZE_T_FMT
+ " in string expansion", sizeof(var_buffer));
+ Ustrncpy(var_buffer, s, domain - s);
+ var_buffer[domain - s] = 0;
+ return var_buffer;
+
+ case vtype_domain: /* Get domain from address */
+ s = *((uschar **)(val));
+ if (s == NULL) return US"";
+ domain = Ustrrchr(s, '@');
+ return (domain == NULL)? US"" : domain + 1;
+
+ case vtype_msgheaders:
+ return find_header(NULL, exists_only, newsize, FALSE, NULL);
+
+ case vtype_msgheaders_raw:
+ return find_header(NULL, exists_only, newsize, TRUE, NULL);
+
+ case vtype_msgbody: /* Pointer to msgbody string */
+ case vtype_msgbody_end: /* Ditto, the end of the msg */
+ ss = (uschar **)(val);
+ if (*ss == NULL && deliver_datafile >= 0) /* Read body when needed */
{
- case vtype_filter_int:
- if (!filter_running) return NULL;
- /* Fall through */
- /* VVVVVVVVVVVV */
- case vtype_int:
- sprintf(CS var_buffer, "%d", *(int *)(var_table[middle].value)); /* Integer */
- return var_buffer;
-
- case vtype_ino:
- sprintf(CS var_buffer, "%ld", (long int)(*(ino_t *)(var_table[middle].value))); /* Inode */
- return var_buffer;
-
- case vtype_gid:
- sprintf(CS var_buffer, "%ld", (long int)(*(gid_t *)(var_table[middle].value))); /* gid */
- return var_buffer;
-
- case vtype_uid:
- sprintf(CS var_buffer, "%ld", (long int)(*(uid_t *)(var_table[middle].value))); /* uid */
- return var_buffer;
-
- case vtype_bool:
- sprintf(CS var_buffer, "%s", *(BOOL *)(var_table[middle].value) ? "yes" : "no"); /* bool */
- return var_buffer;
-
- case vtype_stringptr: /* Pointer to string */
- s = *((uschar **)(var_table[middle].value));
- return (s == NULL)? US"" : s;
-
- case vtype_pid:
- sprintf(CS var_buffer, "%d", (int)getpid()); /* pid */
- return var_buffer;
-
- case vtype_load_avg:
- sprintf(CS var_buffer, "%d", OS_GETLOADAVG()); /* load_average */
- return var_buffer;
-
- case vtype_host_lookup: /* Lookup if not done so */
- if (sender_host_name == NULL && sender_host_address != NULL &&
- !host_lookup_failed && host_name_lookup() == OK)
- host_build_sender_fullhost();
- return (sender_host_name == NULL)? US"" : sender_host_name;
-
- case vtype_localpart: /* Get local part from address */
- s = *((uschar **)(var_table[middle].value));
- if (s == NULL) return US"";
- domain = Ustrrchr(s, '@');
- if (domain == NULL) return s;
- if (domain - s > sizeof(var_buffer) - 1)
- log_write(0, LOG_MAIN|LOG_PANIC_DIE, "local part longer than " SIZE_T_FMT
- " in string expansion", sizeof(var_buffer));
- Ustrncpy(var_buffer, s, domain - s);
- var_buffer[domain - s] = 0;
- return var_buffer;
-
- case vtype_domain: /* Get domain from address */
- s = *((uschar **)(var_table[middle].value));
- if (s == NULL) return US"";
- domain = Ustrrchr(s, '@');
- return (domain == NULL)? US"" : domain + 1;
-
- case vtype_msgheaders:
- return find_header(NULL, exists_only, newsize, FALSE, NULL);
-
- case vtype_msgheaders_raw:
- return find_header(NULL, exists_only, newsize, TRUE, NULL);
-
- case vtype_msgbody: /* Pointer to msgbody string */
- case vtype_msgbody_end: /* Ditto, the end of the msg */
- ss = (uschar **)(var_table[middle].value);
- if (*ss == NULL && deliver_datafile >= 0) /* Read body when needed */
+ uschar *body;
+ off_t start_offset = SPOOL_DATA_START_OFFSET;
+ int len = message_body_visible;
+ if (len > message_size) len = message_size;
+ *ss = body = store_malloc(len+1);
+ body[0] = 0;
+ if (vp->type == vtype_msgbody_end)
{
- uschar *body;
- off_t start_offset = SPOOL_DATA_START_OFFSET;
- int len = message_body_visible;
- if (len > message_size) len = message_size;
- *ss = body = store_malloc(len+1);
- body[0] = 0;
- if (var_table[middle].type == vtype_msgbody_end)
- {
- struct stat statbuf;
- if (fstat(deliver_datafile, &statbuf) == 0)
- {
- start_offset = statbuf.st_size - len;
- if (start_offset < SPOOL_DATA_START_OFFSET)
- start_offset = SPOOL_DATA_START_OFFSET;
- }
- }
- lseek(deliver_datafile, start_offset, SEEK_SET);
- len = read(deliver_datafile, body, len);
- if (len > 0)
- {
- body[len] = 0;
- if (message_body_newlines) /* Separate loops for efficiency */
- {
- while (len > 0)
- { if (body[--len] == 0) body[len] = ' '; }
- }
- else
- {
- while (len > 0)
- { if (body[--len] == '\n' || body[len] == 0) body[len] = ' '; }
- }
- }
+ struct stat statbuf;
+ if (fstat(deliver_datafile, &statbuf) == 0)
+ {
+ start_offset = statbuf.st_size - len;
+ if (start_offset < SPOOL_DATA_START_OFFSET)
+ start_offset = SPOOL_DATA_START_OFFSET;
+ }
+ }
+ lseek(deliver_datafile, start_offset, SEEK_SET);
+ len = read(deliver_datafile, body, len);
+ if (len > 0)
+ {
+ body[len] = 0;
+ if (message_body_newlines) /* Separate loops for efficiency */
+ {
+ while (len > 0)
+ { if (body[--len] == 0) body[len] = ' '; }
+ }
+ else
+ {
+ while (len > 0)
+ { if (body[--len] == '\n' || body[len] == 0) body[len] = ' '; }
+ }
}
- return (*ss == NULL)? US"" : *ss;
+ }
+ return (*ss == NULL)? US"" : *ss;
- case vtype_todbsdin: /* BSD inbox time of day */
- return tod_stamp(tod_bsdin);
+ case vtype_todbsdin: /* BSD inbox time of day */
+ return tod_stamp(tod_bsdin);
- case vtype_tode: /* Unix epoch time of day */
- return tod_stamp(tod_epoch);
+ case vtype_tode: /* Unix epoch time of day */
+ return tod_stamp(tod_epoch);
- case vtype_todel: /* Unix epoch/usec time of day */
- return tod_stamp(tod_epoch_l);
+ case vtype_todel: /* Unix epoch/usec time of day */
+ return tod_stamp(tod_epoch_l);
- case vtype_todf: /* Full time of day */
- return tod_stamp(tod_full);
+ case vtype_todf: /* Full time of day */
+ return tod_stamp(tod_full);
- case vtype_todl: /* Log format time of day */
- return tod_stamp(tod_log_bare); /* (without timezone) */
+ case vtype_todl: /* Log format time of day */
+ return tod_stamp(tod_log_bare); /* (without timezone) */
- case vtype_todzone: /* Time zone offset only */
- return tod_stamp(tod_zone);
+ case vtype_todzone: /* Time zone offset only */
+ return tod_stamp(tod_zone);
- case vtype_todzulu: /* Zulu time */
- return tod_stamp(tod_zulu);
+ case vtype_todzulu: /* Zulu time */
+ return tod_stamp(tod_zulu);
- case vtype_todlf: /* Log file datestamp tod */
- return tod_stamp(tod_log_datestamp_daily);
+ case vtype_todlf: /* Log file datestamp tod */
+ return tod_stamp(tod_log_datestamp_daily);
- case vtype_reply: /* Get reply address */
- s = find_header(US"reply-to:", exists_only, newsize, TRUE,
- headers_charset);
- if (s != NULL) while (isspace(*s)) s++;
- if (s == NULL || *s == 0)
- {
- *newsize = 0; /* For the *s==0 case */
- s = find_header(US"from:", exists_only, newsize, TRUE, headers_charset);
- }
- if (s != NULL)
- {
- uschar *t;
- while (isspace(*s)) s++;
- for (t = s; *t != 0; t++) if (*t == '\n') *t = ' ';
- while (t > s && isspace(t[-1])) t--;
- *t = 0;
- }
- return (s == NULL)? US"" : s;
+ case vtype_reply: /* Get reply address */
+ s = find_header(US"reply-to:", exists_only, newsize, TRUE,
+ headers_charset);
+ if (s != NULL) while (isspace(*s)) s++;
+ if (s == NULL || *s == 0)
+ {
+ *newsize = 0; /* For the *s==0 case */
+ s = find_header(US"from:", exists_only, newsize, TRUE, headers_charset);
+ }
+ if (s != NULL)
+ {
+ uschar *t;
+ while (isspace(*s)) s++;
+ for (t = s; *t != 0; t++) if (*t == '\n') *t = ' ';
+ while (t > s && isspace(t[-1])) t--;
+ *t = 0;
+ }
+ return (s == NULL)? US"" : s;
- case vtype_string_func:
- {
- uschar * (*fn)() = var_table[middle].value;
- return fn();
- }
+ case vtype_string_func:
+ {
+ uschar * (*fn)() = val;
+ return fn();
+ }
- case vtype_pspace:
- {
- int inodes;
- sprintf(CS var_buffer, "%d",
- receive_statvfs(var_table[middle].value == (void *)TRUE, &inodes));
- }
- return var_buffer;
+ case vtype_pspace:
+ {
+ int inodes;
+ sprintf(CS var_buffer, "%d",
+ receive_statvfs(val == (void *)TRUE, &inodes));
+ }
+ return var_buffer;
- case vtype_pinodes:
- {
- int inodes;
- (void) receive_statvfs(var_table[middle].value == (void *)TRUE, &inodes);
- sprintf(CS var_buffer, "%d", inodes);
- }
- return var_buffer;
+ case vtype_pinodes:
+ {
+ int inodes;
+ (void) receive_statvfs(val == (void *)TRUE, &inodes);
+ sprintf(CS var_buffer, "%d", inodes);
+ }
+ return var_buffer;
- #ifndef DISABLE_DKIM
- case vtype_dkim:
- return dkim_exim_expand_query((int)(long)var_table[middle].value);
- #endif
+ case vtype_cert:
+ return *(void **)val ? US"<cert>" : US"";
- }
- }
+ #ifndef DISABLE_DKIM
+ case vtype_dkim:
+ return dkim_exim_expand_query((int)(long)val);
+ #endif
-return NULL; /* Unknown variable name */
+ }
}
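Review bot: with the trailing "return NULL;" removed, find_variable() now ends at the closing brace of the switch, so any vp->type value without a case label falls off the end of a function that returns uschar *. Every current case returns, but a type added to the enum later (as vtype_cert is in this patch) would yield an undefined result rather than a failed expansion. Keep a final "return NULL;" after the switch, or add a default case that does so.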
void
modify_variable(uschar *name, void * value)
{
-int first = 0;
-int last = var_table_size;
-
-while (last > first)
- {
- int middle = (first + last)/2;
- int c = Ustrcmp(name, var_table[middle].name);
-
- if (c > 0) { first = middle + 1; continue; }
- if (c < 0) { last = middle; continue; }
-
- /* Found an existing variable; change the item it refers to */
- var_table[middle].value = value;
- return;
- }
+var_entry * vp;
+if ((vp = find_var_ent(name))) vp->value = value;
return; /* Unknown variable name, fail silently */
}
skipping the skipping flag
check_end if TRUE, check for final '}'
name name of item, for error message
+ resetok if not NULL, pointer to flag - write FALSE if unsafe to reset
+ the store.
Returns: 0 OK; string pointer updated
1 curly bracketing error (too few arguments)
static int
read_subs(uschar **sub, int n, int m, uschar **sptr, BOOL skipping,
- BOOL check_end, uschar *name)
+ BOOL check_end, uschar *name, BOOL *resetok)
{
int i;
uschar *s = *sptr;
sub[i] = NULL;
break;
}
- sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE);
+ sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, resetok);
if (sub[i] == NULL) return 3;
if (*s++ != '}') return 1;
while (isspace(*s)) s++;
/*
Arguments:
s points to the start of the condition text
+ resetok points to a BOOL which is written false if it is unsafe to
+ free memory. Certain condition types (acl) may have side-effect
+ allocation which must be preserved.
yield points to a BOOL to hold the result of the condition test;
if NULL, we are just reading through a condition that is
part of an "or" combination to check syntax, or in a state
*/
static uschar *
-eval_condition(uschar *s, BOOL *yield)
+eval_condition(uschar *s, BOOL *resetok, BOOL *yield)
{
BOOL testfor = TRUE;
BOOL tempcond, combined_cond;
while (isspace(*s)) s++;
if (*s != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
- sub[0] = expand_string_internal(s+1, TRUE, &s, yield == NULL, TRUE);
+ sub[0] = expand_string_internal(s+1, TRUE, &s, yield == NULL, TRUE, resetok);
if (sub[0] == NULL) return NULL;
/* {-for-text-editors */
if (*s++ != '}') goto COND_FAILED_CURLY_END;
like the saslauthd condition does, to permit a variable number of args.
See also the expansion-item version EITEM_ACL and the traditional
acl modifier ACLC_ACL.
+ Since the ACL may allocate new global variables, tell our caller to not
+ reclaim memory.
*/
case ECOND_ACL:
if (*s++ != '{') goto COND_FAILED_CURLY_START; /*}*/
switch(read_subs(sub, sizeof(sub)/sizeof(*sub), 1,
- &s, yield == NULL, TRUE, US"acl"))
+ &s, yield == NULL, TRUE, US"acl", resetok))
{
case 1: expand_string_message = US"too few arguments or bracketing "
"error for acl";
case 3: return NULL;
}
+ *resetok = FALSE;
if (yield != NULL) switch(eval_acl(sub, sizeof(sub)/sizeof(*sub), &user_msg))
{
case OK:
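Review bot: "*resetok = FALSE;" in the ECOND_ACL case dereferences resetok unconditionally, while the comments this patch adds to read_subs(), process_yesno() and expand_string_internal() all describe the parameter as "if not NULL, pointer to flag". Either guard the store with "if (resetok)" or change the eval_condition() argument comment to say the pointer must be non-NULL and make sure every caller honours that. The store also happens when yield is NULL and the ACL is not run; that is harmless but could be moved inside the yield test if the intent is to flag only real ACL evaluation.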
/* saslauthd: does Cyrus saslauthd authentication. Four parameters are used:
- ${if saslauthd {{username}{password}{service}{realm}} {yes}[no}}
+ ${if saslauthd {{username}{password}{service}{realm}} {yes}{no}}
However, the last two are optional. That is why the whole set is enclosed
in their own set of braces. */
#else
while (isspace(*s)) s++;
if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
- switch(read_subs(sub, 4, 2, &s, yield == NULL, TRUE, US"saslauthd"))
+ switch(read_subs(sub, 4, 2, &s, yield == NULL, TRUE, US"saslauthd", resetok))
{
case 1: expand_string_message = US"too few arguments or bracketing "
"error for saslauthd";
return NULL;
}
sub[i] = expand_string_internal(s+1, TRUE, &s, yield == NULL,
- honour_dollar);
+ honour_dollar, resetok);
if (sub[i] == NULL) return NULL;
if (*s++ != '}') goto COND_FAILED_CURLY_END;
return NULL;
}
- s = eval_condition(s+1, subcondptr);
- if (s == NULL)
+ if (!(s = eval_condition(s+1, resetok, subcondptr)))
{
expand_string_message = string_sprintf("%s inside \"%s{...}\" condition",
expand_string_message, name);
while (isspace(*s)) s++;
if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
- sub[0] = expand_string_internal(s, TRUE, &s, (yield == NULL), TRUE);
+ sub[0] = expand_string_internal(s, TRUE, &s, (yield == NULL), TRUE, resetok);
if (sub[0] == NULL) return NULL;
/* {-for-text-editors */
if (*s++ != '}') goto COND_FAILED_CURLY_END;
"false" part). This allows us to find the end of the condition, because if
the list it empty, we won't actually evaluate the condition for real. */
- s = eval_condition(sub[1], NULL);
- if (s == NULL)
+ if (!(s = eval_condition(sub[1], resetok, NULL)))
{
expand_string_message = string_sprintf("%s inside \"%s\" condition",
expand_string_message, name);
while ((iterate_item = string_nextinlist(&sub[0], &sep, NULL, 0)) != NULL)
{
DEBUG(D_expand) debug_printf("%s: $item = \"%s\"\n", name, iterate_item);
- if (eval_condition(sub[1], &tempcond) == NULL)
+ if (!eval_condition(sub[1], resetok, &tempcond))
{
expand_string_message = string_sprintf("%s inside \"%s\" condition",
expand_string_message, name);
while (isspace(*s)) s++;
if (*s != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */
ourname = cond_type == ECOND_BOOL_LAX ? US"bool_lax" : US"bool";
- switch(read_subs(sub_arg, 1, 1, &s, yield == NULL, FALSE, ourname))
+ switch(read_subs(sub_arg, 1, 1, &s, yield == NULL, FALSE, ourname, resetok))
{
case 1: expand_string_message = string_sprintf(
"too few arguments or bracketing error for %s",
be no maintenance burden from replicating it. */
if (len == 0)
boolvalue = FALSE;
- else if (Ustrspn(t, "0123456789") == len)
+ else if (*t == '-'
+ ? Ustrspn(t+1, "0123456789") == len-1
+ : Ustrspn(t, "0123456789") == len)
{
boolvalue = (Uatoi(t) == 0) ? FALSE : TRUE;
/* expand_check_condition only does a literal string "0" check */
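Review bot: the new negative-number test accepts a lone "-". For that input len is 1, Ustrspn(t+1, "0123456789") is 0 and equals len-1, so the string is treated as numeric and Uatoi() turns it into 0, giving FALSE instead of reaching the handling for non-numeric text. Require at least one digit after the sign, for example by adding "len > 1 &&" to the '-' arm of the conditional.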
sizeptr points to the output string size
ptrptr points to the output string pointer
type "lookup" or "if" or "extract" or "run", for error message
+ resetok if not NULL, pointer to flag - write FALSE if unsafe to reset
+ the store.
Returns: 0 OK; lookup_value has been reset to save_lookup
1 expansion failed
static int
process_yesno(BOOL skipping, BOOL yes, uschar *save_lookup, uschar **sptr,
- uschar **yieldptr, int *sizeptr, int *ptrptr, uschar *type)
+ uschar **yieldptr, int *sizeptr, int *ptrptr, uschar *type, BOOL *resetok)
{
int rc = 0;
uschar *s = *sptr; /* Local value */
want this string. Set skipping in the call in the fail case (this will always
be the case if we were already skipping). */
-sub1 = expand_string_internal(s, TRUE, &s, !yes, TRUE);
+sub1 = expand_string_internal(s, TRUE, &s, !yes, TRUE, resetok);
if (sub1 == NULL && (yes || !expand_string_forcedfail)) goto FAILED;
expand_string_forcedfail = FALSE;
if (*s++ != '}') goto FAILED_CURLY;
while (isspace(*s)) s++;
if (*s == '{')
{
- sub2 = expand_string_internal(s+1, TRUE, &s, yes || skipping, TRUE);
+ sub2 = expand_string_internal(s+1, TRUE, &s, yes || skipping, TRUE, resetok);
if (sub2 == NULL && (!yes || !expand_string_forcedfail)) goto FAILED;
expand_string_forcedfail = FALSE;
if (*s++ != '}') goto FAILED_CURLY;
There's a problem if a ${dlfunc item has side-effects that cause allocation,
since resetting the store at the end of the expansion will free store that was
allocated by the plugin code as well as the slop after the expanded string. So
-we skip any resets if ${dlfunc has been used. The same applies for ${acl. This
-is an unfortunate consequence of string expansion becoming too powerful.
+we skip any resets if ${dlfunc } has been used. The same applies for ${acl }
+and, given the acl condition, ${if }. This is an unfortunate consequence of
+string expansion becoming too powerful.
Arguments:
string the string to be expanded
to be used (to allow for optimisation)
honour_dollar TRUE if $ is to be expanded,
FALSE if it's just another character
+ resetok_p if not NULL, pointer to flag - write FALSE if unsafe to reset
+ the store.
Returns: NULL if expansion fails:
expand_string_forcedfail is set TRUE if failure was forced
static uschar *
expand_string_internal(uschar *string, BOOL ket_ends, uschar **left,
- BOOL skipping, BOOL honour_dollar)
+ BOOL skipping, BOOL honour_dollar, BOOL *resetok_p)
{
int ptr = 0;
int size = Ustrlen(string)+ 64;
continue;
}
+ /*{*/
/* Anything other than $ is just copied verbatim, unless we are
looking for a terminating } character. */
+ /*{*/
if (ket_ends && *s == '}') break;
if (*s != '$' || !honour_dollar)
names can contain any printing characters except space and colon.
For those that don't like typing this much, "$h_" is a synonym for
"$header_". A non-existent header yields a NULL value; nothing is
- inserted. */
+ inserted. */ /*}*/
if (isalpha((*(++s))))
{
continue;
}
- /* Otherwise, if there's no '{' after $ it's an error. */
+ /* Otherwise, if there's no '{' after $ it's an error. */ /*}*/
- if (*s != '{')
+ if (*s != '{') /*}*/
{
- expand_string_message = US"$ not followed by letter, digit, or {";
+ expand_string_message = US"$ not followed by letter, digit, or {"; /*}*/
goto EXPAND_FAILED;
}
if (isdigit((*(++s))))
{
int n;
- s = read_number(&n, s);
+ s = read_number(&n, s); /*{*/
if (*s++ != '}')
- {
+ { /*{*/
expand_string_message = US"} expected after number";
goto EXPAND_FAILED;
}
if (!isalpha(*s))
{
- expand_string_message = US"letter or digit expected after ${";
+ expand_string_message = US"letter or digit expected after ${"; /*}*/
goto EXPAND_FAILED;
}
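Review bot: the brace-balancing markers added through this part of expand_string_internal (`/*{*/`, `/*}*/`) use a different spelling from the ones already present earlier in the file, `/* {-for-text-editors */` and `/* }-for-text-editors */`, and two `/*{*/` markers are added either side of the "Anything other than $" comment. Pick one spelling so they can all be found with a single search, and say in one place which literal each marker balances; as written a reader cannot tell which quoted brace a given marker belongs to.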
uschar *sub[10]; /* name + arg1-arg9 (which must match number of acl_arg[]) */
uschar *user_msg;
- switch(read_subs(sub, 10, 1, &s, skipping, TRUE, US"acl"))
+ switch(read_subs(sub, 10, 1, &s, skipping, TRUE, US"acl", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
{
case OK:
case FAIL:
+ DEBUG(D_expand)
+ debug_printf("acl expansion yield: %s\n", user_msg);
if (user_msg)
yield = string_cat(yield, &size, &ptr, user_msg, Ustrlen(user_msg));
continue;
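Review bot: the added `debug_printf("acl expansion yield: %s\n", user_msg);` runs before the existing `if (user_msg)` test, so it is reached with user_msg NULL whenever the ACL sets no message. Move the debug line inside the `if (user_msg)` branch or print a placeholder for the NULL case, unless debug_printf is known to accept NULL for %s, in which case note that in a comment.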
save_expand_strings(save_expand_nstring, save_expand_nlength);
while (isspace(*s)) s++;
- next_s = eval_condition(s, skipping? NULL : &cond);
+ next_s = eval_condition(s, &resetok, skipping? NULL : &cond);
if (next_s == NULL) goto EXPAND_FAILED; /* message already set */
DEBUG(D_expand)
&yield, /* output pointer */
&size, /* output size */
&ptr, /* output current point */
- US"if")) /* condition type */
+ US"if", /* condition type */
+ &resetok))
{
case 1: goto EXPAND_FAILED; /* when all is well, the */
case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
Otherwise set the key NULL pro-tem. */
while (isspace(*s)) s++;
- if (*s == '{')
+ if (*s == '{') /*}*/
{
- key = expand_string_internal(s+1, TRUE, &s, skipping, TRUE);
- if (key == NULL) goto EXPAND_FAILED;
+ key = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
+ if (key == NULL) goto EXPAND_FAILED; /*{*/
if (*s++ != '}') goto EXPAND_FAILED_CURLY;
while (isspace(*s)) s++;
}
/* The type is a string that may contain special characters of various
kinds. Allow everything except space or { to appear; the actual content
- is checked by search_findtype_partial. */
+ is checked by search_findtype_partial. */ /*}*/
- while (*s != 0 && *s != '{' && !isspace(*s))
+ while (*s != 0 && *s != '{' && !isspace(*s)) /*}*/
{
if (nameptr < sizeof(name) - 1) name[nameptr++] = *s;
s++;
first. */
if (*s != '{') goto EXPAND_FAILED_CURLY;
- filename = expand_string_internal(s+1, TRUE, &s, skipping, TRUE);
+ filename = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
if (filename == NULL) goto EXPAND_FAILED;
if (*s++ != '}') goto EXPAND_FAILED_CURLY;
while (isspace(*s)) s++;
&yield, /* output pointer */
&size, /* output size */
&ptr, /* output current point */
- US"lookup")) /* condition type */
+ US"lookup", /* condition type */
+ &resetok))
{
case 1: goto EXPAND_FAILED; /* when all is well, the */
case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
case EITEM_PERL:
#ifndef EXIM_PERL
- expand_string_message = US"\"${perl\" encountered, but this facility "
+ expand_string_message = US"\"${perl\" encountered, but this facility " /*}*/
"is not included in this binary";
goto EXPAND_FAILED;
}
switch(read_subs(sub_arg, EXIM_PERL_MAX_ARGS + 1, 1, &s, skipping, TRUE,
- US"perl"))
+ US"perl", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
uschar *sub_arg[3];
uschar *p,*domain;
- switch(read_subs(sub_arg, 3, 2, &s, skipping, TRUE, US"prvs"))
+ switch(read_subs(sub_arg, 3, 2, &s, skipping, TRUE, US"prvs", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
prvscheck_address = NULL;
prvscheck_keynum = NULL;
- switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, US"prvs"))
+ switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, US"prvs", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
prvscheck_keynum = string_copy(key_num);
/* Now expand the second argument */
- switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, US"prvs"))
+ switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, US"prvs", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
/* Now expand the final argument. We leave this till now so that
it can include $prvscheck_result. */
- switch(read_subs(sub_arg, 1, 0, &s, skipping, TRUE, US"prvs"))
+ switch(read_subs(sub_arg, 1, 0, &s, skipping, TRUE, US"prvs", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
We need to make sure all subs are expanded first, so as to skip over
the entire item. */
- switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, US"prvs"))
+ switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, US"prvs", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
goto EXPAND_FAILED;
}
- switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, US"readfile"))
+ switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, US"readfile", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
/* Read up to 4 arguments, but don't do the end of item check afterwards,
because there may be a string for expansion on failure. */
- switch(read_subs(sub_arg, 4, 2, &s, skipping, FALSE, US"readsocket"))
+ switch(read_subs(sub_arg, 4, 2, &s, skipping, FALSE, US"readsocket", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2: /* Won't occur: no end check */
if (Ustrncmp(sub_arg[0], "inet:", 5) == 0)
{
- BOOL connected = FALSE;
- int namelen, port;
- host_item shost;
- host_item *h;
+ int port;
uschar *server_name = sub_arg[0] + 5;
uschar *port_name = Ustrrchr(server_name, ':');
port = ntohs(service_info->s_port);
}
- /* Sort out the server. */
-
- shost.next = NULL;
- shost.address = NULL;
- shost.port = port;
- shost.mx = -1;
-
- namelen = Ustrlen(server_name);
-
- /* Anything enclosed in [] must be an IP address. */
-
- if (server_name[0] == '[' &&
- server_name[namelen - 1] == ']')
- {
- server_name[namelen - 1] = 0;
- server_name++;
- if (string_is_ip_address(server_name, NULL) == 0)
- {
- expand_string_message =
- string_sprintf("malformed IP address \"%s\"", server_name);
- goto EXPAND_FAILED;
- }
- shost.name = shost.address = server_name;
- }
-
- /* Otherwise check for an unadorned IP address */
-
- else if (string_is_ip_address(server_name, NULL) != 0)
- shost.name = shost.address = server_name;
-
- /* Otherwise lookup IP address(es) from the name */
-
- else
- {
- shost.name = server_name;
- if (host_find_byname(&shost, NULL, HOST_FIND_QUALIFY_SINGLE, NULL,
- FALSE) != HOST_FOUND)
- {
- expand_string_message =
- string_sprintf("no IP address found for host %s", shost.name);
- goto EXPAND_FAILED;
- }
- }
-
- /* Try to connect to the server - test each IP till one works */
-
- for (h = &shost; h != NULL; h = h->next)
- {
- int af = (Ustrchr(h->address, ':') != 0)? AF_INET6 : AF_INET;
- if ((fd = ip_socket(SOCK_STREAM, af)) == -1)
- {
- expand_string_message = string_sprintf("failed to create socket: "
- "%s", strerror(errno));
+ if ((fd = ip_connectedsocket(SOCK_STREAM, server_name, port, port,
+ timeout, NULL, &expand_string_message)) < 0)
goto SOCK_FAIL;
- }
-
- if (ip_connect(fd, af, h->address, port, timeout) == 0)
- {
- connected = TRUE;
- break;
- }
- }
-
- if (!connected)
- {
- expand_string_message = string_sprintf("failed to connect to "
- "socket %s: couldn't connect to any host", sub_arg[0],
- strerror(errno));
- goto SOCK_FAIL;
- }
}
/* Handle a Unix domain socket */
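Review bot: the removed block did three things that the single `ip_connectedsocket(SOCK_STREAM, server_name, port, port, timeout, NULL, &expand_string_message)` call now has to cover: stripping `[...]` around an IP literal, rejecting a malformed literal with its own message, and trying each resolved address in turn. None of that is visible at this call site, so please confirm the helper does all three and add a test for the bracketed form. A short comment on why `port` is passed twice would also help, since the prototype added to functions.h gives the two adjacent int parameters no names.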
if (*s == '{')
{
- if (expand_string_internal(s+1, TRUE, &s, TRUE, TRUE) == NULL)
+ if (expand_string_internal(s+1, TRUE, &s, TRUE, TRUE, &resetok) == NULL)
goto EXPAND_FAILED;
if (*s++ != '}') goto EXPAND_FAILED_CURLY;
while (isspace(*s)) s++;
SOCK_FAIL:
if (*s != '{') goto EXPAND_FAILED;
DEBUG(D_any) debug_printf("%s\n", expand_string_message);
- arg = expand_string_internal(s+1, TRUE, &s, FALSE, TRUE);
+ arg = expand_string_internal(s+1, TRUE, &s, FALSE, TRUE, &resetok);
if (arg == NULL) goto EXPAND_FAILED;
yield = string_cat(yield, &size, &ptr, arg, Ustrlen(arg));
if (*s++ != '}') goto EXPAND_FAILED_CURLY;
while (isspace(*s)) s++;
if (*s != '{') goto EXPAND_FAILED_CURLY;
- arg = expand_string_internal(s+1, TRUE, &s, skipping, TRUE);
+ arg = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
if (arg == NULL) goto EXPAND_FAILED;
while (isspace(*s)) s++;
if (*s++ != '}') goto EXPAND_FAILED_CURLY;
&yield, /* output pointer */
&size, /* output size */
&ptr, /* output current point */
- US"run")) /* condition type */
+ US"run", /* condition type */
+ &resetok))
{
case 1: goto EXPAND_FAILED; /* when all is well, the */
case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
int o2m;
uschar *sub[3];
- switch(read_subs(sub, 3, 3, &s, skipping, TRUE, US"tr"))
+ switch(read_subs(sub, 3, 3, &s, skipping, TRUE, US"tr", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
uschar *sub[3];
/* "length" takes only 2 arguments whereas the others take 2 or 3.
- Ensure that sub[2] is set in the ${length case. */
+ Ensure that sub[2] is set in the ${length } case. */
sub[2] = NULL;
switch(read_subs(sub, (item_type == EITEM_LENGTH)? 2:3, 2, &s, skipping,
- TRUE, name))
+ TRUE, name, &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
uschar innerkey[MAX_HASHBLOCKLEN];
uschar outerkey[MAX_HASHBLOCKLEN];
- switch (read_subs(sub, 3, 3, &s, skipping, TRUE, name))
+ switch (read_subs(sub, 3, 3, &s, skipping, TRUE, name, &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
int save_expand_nmax =
save_expand_strings(save_expand_nstring, save_expand_nlength);
- switch(read_subs(sub, 3, 3, &s, skipping, TRUE, US"sg"))
+ switch(read_subs(sub, 3, 3, &s, skipping, TRUE, US"sg", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
for (i = 0; i < j; i++)
{
while (isspace(*s)) s++;
- if (*s == '{')
+ if (*s == '{') /*}*/
{
- sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE);
- if (sub[i] == NULL) goto EXPAND_FAILED;
+ sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
+ if (sub[i] == NULL) goto EXPAND_FAILED; /*{*/
if (*s++ != '}') goto EXPAND_FAILED_CURLY;
/* After removal of leading and trailing white space, the first
&yield, /* output pointer */
&size, /* output size */
&ptr, /* output current point */
- US"extract")) /* condition type */
+ US"extract", /* condition type */
+ &resetok))
{
case 1: goto EXPAND_FAILED; /* when all is well, the */
case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
continue;
}
+ /* return the Nth item from a list */
+
+ case EITEM_LISTEXTRACT:
+ {
+ int i;
+ int field_number = 1;
+ uschar *save_lookup_value = lookup_value;
+ uschar *sub[2];
+ int save_expand_nmax =
+ save_expand_strings(save_expand_nstring, save_expand_nlength);
+
+ /* Read the field & list arguments */
+
+ for (i = 0; i < 2; i++)
+ {
+ while (isspace(*s)) s++;
+ if (*s != '{') /*}*/
+ goto EXPAND_FAILED_CURLY;
+
+ sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
+ if (!sub[i]) goto EXPAND_FAILED; /*{*/
+ if (*s++ != '}') goto EXPAND_FAILED_CURLY;
+
+ /* After removal of leading and trailing white space, the first
+ argument must be numeric and nonempty. */
+
+ if (i == 0)
+ {
+ int len;
+ int x = 0;
+ uschar *p = sub[0];
+
+ while (isspace(*p)) p++;
+ sub[0] = p;
+
+ len = Ustrlen(p);
+ while (len > 0 && isspace(p[len-1])) len--;
+ p[len] = 0;
+
+ if (!*p && !skipping)
+ {
+ expand_string_message = US"first argument of \"listextract\" must "
+ "not be empty";
+ goto EXPAND_FAILED;
+ }
+
+ if (*p == '-')
+ {
+ field_number = -1;
+ p++;
+ }
+ while (*p && isdigit(*p)) x = x * 10 + *p++ - '0';
+ if (*p)
+ {
+ expand_string_message = US"first argument of \"listextract\" must "
+ "be numeric";
+ goto EXPAND_FAILED;
+ }
+ field_number *= x;
+ }
+ }
+
+ /* Extract the numbered element into $value. If
+ skipping, just pretend the extraction failed. */
+
+ lookup_value = skipping? NULL : expand_getlistele(field_number, sub[1]);
+
+ /* If no string follows, $value gets substituted; otherwise there can
+ be yes/no strings, as for lookup or if. */
+
+ switch(process_yesno(
+ skipping, /* were previously skipping */
+ lookup_value != NULL, /* success/failure indicator */
+ save_lookup_value, /* value to reset for string2 */
+ &s, /* input pointer */
+ &yield, /* output pointer */
+ &size, /* output size */
+ &ptr, /* output current point */
+ US"extract", /* condition type */
+ &resetok))
+ {
+ case 1: goto EXPAND_FAILED; /* when all is well, the */
+ case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
+ }
+
+ /* All done - restore numerical variables. */
+
+ restore_expand_strings(save_expand_nmax, save_expand_nstring,
+ save_expand_nlength);
+
+ continue;
+ }
+
+#ifdef SUPPORT_TLS
+ case EITEM_CERTEXTRACT:
+ {
+ uschar *save_lookup_value = lookup_value;
+ uschar *sub[2];
+ int save_expand_nmax =
+ save_expand_strings(save_expand_nstring, save_expand_nlength);
+
+ /* Read the field argument */
+ while (isspace(*s)) s++;
+ if (*s != '{') /*}*/
+ goto EXPAND_FAILED_CURLY;
+ sub[0] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
+ if (!sub[0]) goto EXPAND_FAILED; /*{*/
+ if (*s++ != '}') goto EXPAND_FAILED_CURLY;
+ /* strip spaces fore & aft */
+ {
+ int len;
+ uschar *p = sub[0];
+
+ while (isspace(*p)) p++;
+ sub[0] = p;
+
+ len = Ustrlen(p);
+ while (len > 0 && isspace(p[len-1])) len--;
+ p[len] = 0;
+ }
+
+ /* inspect the cert argument */
+ while (isspace(*s)) s++;
+ if (*s != '{') /*}*/
+ goto EXPAND_FAILED_CURLY;
+ if (*++s != '$')
+ {
+ expand_string_message = US"second argument of \"certextract\" must "
+ "be a certificate variable";
+ goto EXPAND_FAILED;
+ }
+ sub[1] = expand_string_internal(s+1, TRUE, &s, skipping, FALSE, &resetok);
+ if (!sub[1]) goto EXPAND_FAILED; /*{*/
+ if (*s++ != '}') goto EXPAND_FAILED_CURLY;
+
+ if (skipping)
+ lookup_value = NULL;
+ else
+ {
+ lookup_value = expand_getcertele(sub[0], sub[1]);
+ if (*expand_string_message) goto EXPAND_FAILED;
+ }
+ switch(process_yesno(
+ skipping, /* were previously skipping */
+ lookup_value != NULL, /* success/failure indicator */
+ save_lookup_value, /* value to reset for string2 */
+ &s, /* input pointer */
+ &yield, /* output pointer */
+ &size, /* output size */
+ &ptr, /* output current point */
+ US"extract", /* condition type */
+ &resetok))
+ {
+ case 1: goto EXPAND_FAILED; /* when all is well, the */
+ case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
+ }
+
+ restore_expand_strings(save_expand_nmax, save_expand_nstring,
+ save_expand_nlength);
+ continue;
+ }
+#endif /*SUPPORT_TLS*/
/* Handle list operations */
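Review bot: in the listextract field parser, `while (*p && isdigit(*p)) x = x * 10 + *p++ - '0';` has no upper bound, so a long digit string overflows the signed int, and a lone "-" passes the numeric check and becomes field 0. Cap the number of digits (or detect the overflow) and require a digit after the sign. Both new items also pass US"extract" as the type to process_yesno, whose header comment says that string is used for the error message, so failures in listextract and certextract will be reported under the wrong item name. In certextract, `if (*expand_string_message) goto EXPAND_FAILED;` additionally assumes the pointer is non-NULL and empty on entry, which nothing in this hunk establishes.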
while (isspace(*s)) s++;
if (*s++ != '{') goto EXPAND_FAILED_CURLY;
- list = expand_string_internal(s, TRUE, &s, skipping, TRUE);
+ list = expand_string_internal(s, TRUE, &s, skipping, TRUE, &resetok);
if (list == NULL) goto EXPAND_FAILED;
if (*s++ != '}') goto EXPAND_FAILED_CURLY;
{
while (isspace(*s)) s++;
if (*s++ != '{') goto EXPAND_FAILED_CURLY;
- temp = expand_string_internal(s, TRUE, &s, skipping, TRUE);
+ temp = expand_string_internal(s, TRUE, &s, skipping, TRUE, &resetok);
if (temp == NULL) goto EXPAND_FAILED;
lookup_value = temp;
if (*s++ != '}') goto EXPAND_FAILED_CURLY;
if (item_type == EITEM_FILTER)
{
- temp = eval_condition(expr, NULL);
+ temp = eval_condition(expr, &resetok, NULL);
if (temp != NULL) s = temp;
}
else
{
- temp = expand_string_internal(s, TRUE, &s, TRUE, TRUE);
+ temp = expand_string_internal(s, TRUE, &s, TRUE, TRUE, &resetok);
}
if (temp == NULL)
while (isspace(*s)) s++;
if (*s++ != '}')
- {
+ { /*{*/
expand_string_message = string_sprintf("missing } at end of condition "
"or expression inside \"%s\"", name);
goto EXPAND_FAILED;
}
- while (isspace(*s)) s++;
+ while (isspace(*s)) s++; /*{*/
if (*s++ != '}')
- {
+ { /*{*/
expand_string_message = string_sprintf("missing } at end of \"%s\"",
name);
goto EXPAND_FAILED;
if (item_type == EITEM_FILTER)
{
BOOL condresult;
- if (eval_condition(expr, &condresult) == NULL)
+ if (eval_condition(expr, &resetok, &condresult) == NULL)
{
iterate_item = save_iterate_item;
lookup_value = save_lookup_value;
else
{
- temp = expand_string_internal(expr, TRUE, NULL, skipping, TRUE);
+ temp = expand_string_internal(expr, TRUE, NULL, skipping, TRUE, &resetok);
if (temp == NULL)
{
iterate_item = save_iterate_item;
}
- /* If ${dlfunc support is configured, handle calling dynamically-loaded
+ /* If ${dlfunc } support is configured, handle calling dynamically-loaded
functions, unless locked out at this time. Syntax is ${dlfunc{file}{func}}
or ${dlfunc{file}{func}{arg}} or ${dlfunc{file}{func}{arg1}{arg2}} or up to
a maximum of EXPAND_DLFUNC_MAX_ARGS arguments (defined below). */
case EITEM_DLFUNC:
#ifndef EXPAND_DLFUNC
- expand_string_message = US"\"${dlfunc\" encountered, but this facility "
+ expand_string_message = US"\"${dlfunc\" encountered, but this facility " /*}*/
"is not included in this binary";
goto EXPAND_FAILED;
}
switch(read_subs(argv, EXPAND_DLFUNC_MAX_ARGS + 2, 2, &s, skipping,
- TRUE, US"dlfunc"))
+ TRUE, US"dlfunc", &resetok))
{
case 1: goto EXPAND_FAILED_CURLY;
case 2:
}
}
#endif /* EXPAND_DLFUNC */
- }
+ } /* EITEM_* switch */
/* Control reaches here if the name is not recognized as one of the more
complicated expansion items. Check for the "operator" syntax (name terminated
{
int c;
uschar *arg = NULL;
- uschar *sub = expand_string_internal(s+1, TRUE, &s, skipping, TRUE);
- if (sub == NULL) goto EXPAND_FAILED;
- s++;
+ uschar *sub;
+ var_entry *vp = NULL;
/* Owing to an historical mis-design, an underscore may be part of the
operator name, or it may introduce arguments. We therefore first scan the
table of names that contain underscores. If there is no match, we cut off
the arguments and then scan the main table. */
- c = chop_match(name, op_table_underscore,
- sizeof(op_table_underscore)/sizeof(uschar *));
-
- if (c < 0)
+ if ((c = chop_match(name, op_table_underscore,
+ sizeof(op_table_underscore)/sizeof(uschar *))) < 0)
{
arg = Ustrchr(name, '_');
if (arg != NULL) *arg = 0;
if (arg != NULL) *arg++ = '_'; /* Put back for error messages */
}
+ /* Deal specially with operators that might take a certificate variable
+ as we do not want to do the usual expansion. For most, expand the string.*/
+ switch(c)
+ {
+#ifdef SUPPORT_TLS
+ case EOP_MD5:
+ case EOP_SHA1:
+ case EOP_SHA256:
+ if (s[1] == '$')
+ {
+ uschar * s1 = s;
+ sub = expand_string_internal(s+2, TRUE, &s1, skipping,
+ FALSE, &resetok);
+ if (!sub) goto EXPAND_FAILED; /*{*/
+ if (*s1 != '}') goto EXPAND_FAILED_CURLY;
+ if ((vp = find_var_ent(sub)) && vp->type == vtype_cert)
+ {
+ s = s1+1;
+ break;
+ }
+ vp = NULL;
+ }
+ /*FALLTHROUGH*/
+#endif
+ default:
+ sub = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok);
+ if (!sub) goto EXPAND_FAILED;
+ s++;
+ break;
+ }
+
/* If we are skipping, we don't need to perform the operation at all.
This matters for operations like "mask", because the data may not be
in the correct format when skipping. For example, the expression may test
case EOP_EXPAND:
{
- uschar *expanded = expand_string_internal(sub, FALSE, NULL, skipping, TRUE);
+ uschar *expanded = expand_string_internal(sub, FALSE, NULL, skipping, TRUE, &resetok);
if (expanded == NULL)
{
expand_string_message =
}
case EOP_MD5:
- {
- md5 base;
- uschar digest[16];
- int j;
- char st[33];
- md5_start(&base);
- md5_end(&base, sub, Ustrlen(sub), digest);
- for(j = 0; j < 16; j++) sprintf(st+2*j, "%02x", digest[j]);
- yield = string_cat(yield, &size, &ptr, US st, (int)strlen(st));
+#ifdef SUPPORT_TLS
+ if (vp && *(void **)vp->value)
+ {
+ uschar * cp = tls_cert_fprt_md5(*(void **)vp->value);
+ yield = string_cat(yield, &size, &ptr, cp, Ustrlen(cp));
+ }
+ else
+#endif
+ {
+ md5 base;
+ uschar digest[16];
+ int j;
+ char st[33];
+ md5_start(&base);
+ md5_end(&base, sub, Ustrlen(sub), digest);
+ for(j = 0; j < 16; j++) sprintf(st+2*j, "%02x", digest[j]);
+ yield = string_cat(yield, &size, &ptr, US st, (int)strlen(st));
+ }
continue;
- }
case EOP_SHA1:
- {
- sha1 base;
- uschar digest[20];
- int j;
- char st[41];
- sha1_start(&base);
- sha1_end(&base, sub, Ustrlen(sub), digest);
- for(j = 0; j < 20; j++) sprintf(st+2*j, "%02X", digest[j]);
- yield = string_cat(yield, &size, &ptr, US st, (int)strlen(st));
+#ifdef SUPPORT_TLS
+ if (vp && *(void **)vp->value)
+ {
+ uschar * cp = tls_cert_fprt_sha1(*(void **)vp->value);
+ yield = string_cat(yield, &size, &ptr, cp, Ustrlen(cp));
+ }
+ else
+#endif
+ {
+ sha1 base;
+ uschar digest[20];
+ int j;
+ char st[41];
+ sha1_start(&base);
+ sha1_end(&base, sub, Ustrlen(sub), digest);
+ for(j = 0; j < 20; j++) sprintf(st+2*j, "%02X", digest[j]);
+ yield = string_cat(yield, &size, &ptr, US st, (int)strlen(st));
+ }
+ continue;
+
+ case EOP_SHA256:
+#ifdef SUPPORT_TLS
+ if (vp && *(void **)vp->value)
+ {
+ uschar * cp = tls_cert_fprt_sha256(*(void **)vp->value);
+ yield = string_cat(yield, &size, &ptr, cp, (int)strlen(cp));
+ }
+ else
+#endif
+ expand_string_message = US"sha256 only supported for certificates";
continue;
- }
/* Convert hex encoding to base64 encoding */
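Review bot: in the new EOP_SHA256 case the non-certificate path sets `expand_string_message = US"sha256 only supported for certificates";` and then reaches `continue;`, so the expansion carries on with nothing appended instead of failing at this point. That branch should `goto EXPAND_FAILED;`. Minor: this case uses `(int)strlen(cp)` on a uschar pointer where the md5 and sha1 certificate branches use `Ustrlen(cp)`.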
if (*item == '+') /* list item is itself a named list */
{
uschar * sub = string_sprintf("${listnamed%s:%s}", suffix, item);
- item = expand_string_internal(sub, FALSE, NULL, FALSE, TRUE);
+ item = expand_string_internal(sub, FALSE, NULL, FALSE, TRUE, &resetok);
}
else if (sep != ':') /* item from non-colon-sep list, re-quote for colon list-separator */
{
continue;
}
+ /* replace illegal UTF-8 sequences by replacement character */
+
+ #define UTF8_REPLACEMENT_CHAR US"?"
+
+ case EOP_UTF8CLEAN:
+ {
+ int seq_len, index = 0;
+ int bytes_left = 0;
+ uschar seq_buff[4]; /* accumulate utf-8 here */
+
+ while (*sub != 0)
+ {
+ int complete;
+ long codepoint;
+ uschar c;
+
+ complete = 0;
+ c = *sub++;
+ if (bytes_left)
+ {
+ if ((c & 0xc0) != 0x80)
+ {
+ /* wrong continuation byte; invalidate all bytes */
+ complete = 1; /* error */
+ }
+ else
+ {
+ codepoint = (codepoint << 6) | (c & 0x3f);
+ seq_buff[index++] = c;
+ if (--bytes_left == 0) /* codepoint complete */
+ {
+ if(codepoint > 0x10FFFF) /* is it too large? */
+ complete = -1; /* error */
+ else
+ { /* finished; output utf-8 sequence */
+ yield = string_cat(yield, &size, &ptr, seq_buff, seq_len);
+ index = 0;
+ }
+ }
+ }
+ }
+ else /* no bytes left: new sequence */
+ {
+ if((c & 0x80) == 0) /* 1-byte sequence, US-ASCII, keep it */
+ {
+ yield = string_cat(yield, &size, &ptr, &c, 1);
+ continue;
+ }
+ if((c & 0xe0) == 0xc0) /* 2-byte sequence */
+ {
+ if(c == 0xc0 || c == 0xc1) /* 0xc0 and 0xc1 are illegal */
+ complete = -1;
+ else
+ {
+ bytes_left = 1;
+ codepoint = c & 0x1f;
+ }
+ }
+ else if((c & 0xf0) == 0xe0) /* 3-byte sequence */
+ {
+ bytes_left = 2;
+ codepoint = c & 0x0f;
+ }
+ else if((c & 0xf8) == 0xf0) /* 4-byte sequence */
+ {
+ bytes_left = 3;
+ codepoint = c & 0x07;
+ }
+ else /* invalid or too long (RFC3629 allows only 4 bytes) */
+ complete = -1;
+
+ seq_buff[index++] = c;
+ seq_len = bytes_left + 1;
+ } /* if(bytes_left) */
+
+ if (complete != 0)
+ {
+ bytes_left = index = 0;
+ yield = string_cat(yield, &size, &ptr, UTF8_REPLACEMENT_CHAR, 1);
+ }
+ if ((complete == 1) && ((c & 0x80) == 0))
+ { /* ASCII character follows incomplete sequence */
+ yield = string_cat(yield, &size, &ptr, &c, 1);
+ }
+ }
+ continue;
+ }
+
/* escape turns all non-printing characters into escape sequences. */
case EOP_ESCAPE:
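Review bot: `long codepoint;` is declared inside the `while (*sub != 0)` body, but the continuation-byte branch does `codepoint = (codepoint << 6) | (c & 0x3f);` using the value stored when the lead byte was seen on an earlier iteration. An object declared in the loop body does not keep its value across iterations, so this reads an indeterminate value; declare it beside `bytes_left` outside the loop. Two behaviours also want a fix or at least a comment: a sequence cut off by the end of the string is dropped without a replacement character, because the loop exits with bytes_left still set, and the 3- and 4-byte lead branches do not reject overlong forms or surrogates the way the 2-byte branch rejects 0xc0 and 0xc1.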
store instead of copying. Many expansion strings contain just one reference,
so this is a useful optimization, especially for humungous headers
($message_headers). */
-
+ /*{*/
if (*s++ == '}')
{
int len;
will be optimal store usage. */
if (resetok) store_reset(yield + ptr + 1);
+else if (resetok_p) *resetok_p = FALSE;
+
DEBUG(D_expand)
{
debug_printf("expanding: %.*s\n result: %s\n", (int)(s - string), string,
debug_printf(" error message: %s\n", expand_string_message);
if (expand_string_forcedfail) debug_printf("failure was forced\n");
}
+if (resetok_p) *resetok_p = resetok;
return NULL;
}
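Review bot: the two exits of expand_string_internal treat the caller's flag differently. The success path only ever clears it (`else if (resetok_p) *resetok_p = FALSE;`), while the failure path assigns it (`if (resetok_p) *resetok_p = resetok;`), which can write TRUE over a FALSE the caller set earlier. process_yesno carries on after a forced failure of a nested expansion, so this looks reachable and would re-enable a store reset that ${acl }, ${dlfunc } or ${if } had turned off. Make the failure path match the success path and write to the caller's flag only when the local resetok is FALSE.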
search_find_defer = FALSE;
malformed_header = FALSE;
return (Ustrpbrk(string, "$\\") == NULL)? string :
- expand_string_internal(string, FALSE, NULL, FALSE, TRUE);
+ expand_string_internal(string, FALSE, NULL, FALSE, TRUE, NULL);
}
#endif
+/* vi: aw ai sw=2
+*/
/* End of expand.c */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
std_dh_prime_default(void);
extern const char *
std_dh_prime_named(const uschar *);
+
+extern uschar * tls_cert_crl_uri(void *, uschar * mod);
+extern uschar * tls_cert_ext_by_oid(void *, uschar *, int);
+extern uschar * tls_cert_issuer(void *, uschar * mod);
+extern uschar * tls_cert_not_before(void *, uschar * mod);
+extern uschar * tls_cert_not_after(void *, uschar * mod);
+extern uschar * tls_cert_ocsp_uri(void *, uschar * mod);
+extern uschar * tls_cert_serial_number(void *, uschar * mod);
+extern uschar * tls_cert_signature(void *, uschar * mod);
+extern uschar * tls_cert_signature_algorithm(void *, uschar * mod);
+extern uschar * tls_cert_subject(void *, uschar * mod);
+extern uschar * tls_cert_subject_altname(void *, uschar * mod);
+extern uschar * tls_cert_version(void *, uschar * mod);
+
+extern uschar * tls_cert_fprt_md5(void *);
+extern uschar * tls_cert_fprt_sha1(void *);
+extern uschar * tls_cert_fprt_sha256(void *);
+
extern int tls_client_start(int, host_item *, address_item *,
- uschar *, uschar *, uschar *, uschar *, uschar *, uschar *,
-# ifdef EXPERIMENTAL_OCSP
- uschar *,
-# endif
- int, int);
+ void *);
extern void tls_close(BOOL, BOOL);
+extern int tls_export_cert(uschar *, size_t, void *);
extern int tls_feof(void);
extern int tls_ferror(void);
+extern void tls_free_cert(void *);
extern int tls_getc(void);
+extern int tls_import_cert(const uschar *, void **);
extern int tls_read(BOOL, uschar *, size_t);
extern int tls_server_start(const uschar *);
extern BOOL tls_smtp_buffered(void);
extern int tls_write(BOOL, const uschar *, size_t);
extern uschar *tls_validate_require_cipher(void);
extern void tls_version_report(FILE *);
-#ifndef USE_GNUTLS
+# ifndef USE_GNUTLS
extern BOOL tls_openssl_options_parse(uschar *, long *);
-#endif
-#endif
+# endif
+extern uschar * tls_field_from_dn(uschar *, uschar *);
+# ifdef EXPERIMENTAL_CERTNAMES
+extern BOOL tls_is_name_for_cert(uschar *, void *);
+# endif
+#endif /*SUPPORT_TLS*/
/* Everything else... */
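Review bot: `tls_client_start(int, host_item *, address_item *, void *)` replaces a typed argument list with an untyped pointer, and the new tls_cert_* accessors, tls_export_cert, tls_import_cert and tls_free_cert likewise take the certificate as `void *`, so the compiler can no longer catch a caller passing the wrong object. Forward-declare the options struct and an opaque certificate type and use pointers to those in the prototypes. At minimum name the parameters, as `uschar * mod` already is, so the header documents what each pointer must be.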
#endif
extern dns_address *dns_address_from_rr(dns_answer *, dns_record *);
extern void dns_build_reverse(uschar *, uschar *);
-extern void dns_init(BOOL, BOOL);
+extern void dns_init(BOOL, BOOL, BOOL);
extern int dns_basic_lookup(dns_answer *, uschar *, int);
extern BOOL dns_is_secure(dns_answer *);
extern int dns_lookup(dns_answer *, uschar *, int, uschar **);
extern void host_build_sender_fullhost(void);
extern BOOL host_find_byname(host_item *, uschar *, int, uschar **, BOOL);
extern int host_find_bydns(host_item *, uschar *, int, uschar *, uschar *,
- uschar *,uschar **, BOOL *);
+ uschar *, uschar *, uschar *, uschar **, BOOL *);
extern ip_address_item *host_find_interfaces(void);
extern BOOL host_is_in_net(uschar *, uschar *, int);
extern BOOL host_is_tls_on_connect_port(int);
extern void invert_address(uschar *, uschar *);
extern int ip_bind(int, int, uschar *, int);
extern int ip_connect(int, int, uschar *, int, int);
+extern int ip_connectedsocket(int, const uschar *, int, int,
+ int, host_item *, uschar **);
extern int ip_get_address_family(int);
extern void ip_keepalive(int, uschar *, BOOL);
extern int ip_recv(int, uschar *, int, int);
extern int stdin_ferror(void);
extern int stdin_ungetc(int);
extern uschar *string_append(uschar *, int *, int *, int, ...);
+extern uschar *string_append_listele(uschar *, uschar, const uschar *);
extern uschar *string_base62(unsigned long int);
extern uschar *string_cat(uschar *, int *, int *, const uschar *, int);
extern uschar *string_copy_dnsdomain(uschar *);
extern BOOL string_format(uschar *, int, const char *, ...) ALMOST_PRINTF(3,4);
extern uschar *string_format_size(int, uschar *);
extern int string_interpret_escape(uschar **);
-extern int string_is_ip_address(uschar *, int *);
+extern int string_is_ip_address(const uschar *, int *);
extern uschar *string_log_address(address_item *, BOOL, BOOL);
extern uschar *string_nextinlist(uschar **, int *, uschar *, int);
extern uschar *string_open_failed(int, const char *, ...) PRINTF_FUNCTION(2,3);
extern uschar *strstric(uschar *, uschar *, BOOL);
extern uschar *tod_stamp(int);
+extern void tls_modify_variables(tls_support *);
extern BOOL transport_check_waiting(uschar *, uschar *, int, uschar *,
BOOL *);
extern void transport_init(void);
extern void transport_update_waiting(host_item *, uschar *);
extern BOOL transport_write_block(int, uschar *, int);
extern BOOL transport_write_string(int, const char *, ...);
+extern BOOL transport_headers_send(address_item *, int, uschar *, uschar *,
+ BOOL (*)(int, uschar *, int, BOOL), BOOL, rewrite_rule *, int);
extern BOOL transport_write_message(address_item *, int, int, int, uschar *,
uschar *, uschar *, uschar *, rewrite_rule *, int);
extern void tree_add_duplicate(uschar *, address_item *);
extern int verify_check_header_address(uschar **, uschar **, int, int, int,
uschar *, uschar *, int, int *);
extern int verify_check_headers(uschar **);
+extern int verify_check_header_names_ascii(uschar **);
extern int verify_check_host(uschar **);
extern int verify_check_notblind(void);
extern int verify_check_this_host(uschar **, unsigned int *, uschar*,
extern ssize_t write_to_fd_buf(int, const uschar *, size_t);
+/* vi: aw
+*/
/* End of functions.h */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* All the global variables are defined together in this one module, so
NULL, /* tls_cipher */
FALSE,/* tls_on_connect */
NULL, /* tls_on_connect_ports */
+ NULL, /* tls_ourcert */
+ NULL, /* tls_peercert */
NULL, /* tls_peerdn */
- NULL /* tls_sni */
+ NULL, /* tls_sni */
+ 0 /* tls_ocsp */
};
tls_support tls_out = {
-1, /* tls_active */
NULL, /* tls_cipher */
FALSE,/* tls_on_connect */
NULL, /* tls_on_connect_ports */
+ NULL, /* tls_ourcert */
+ NULL, /* tls_peercert */
NULL, /* tls_peerdn */
- NULL /* tls_sni */
+ NULL, /* tls_sni */
+ 0 /* tls_ocsp */
};
+#ifdef EXPERIMENTAL_DSN
+uschar *dsn_envid = NULL;
+int dsn_ret = 0;
+const pcre *regex_DSN = NULL;
+BOOL smtp_use_dsn = FALSE;
+uschar *dsn_advertise_hosts = NULL;
+#endif
#ifdef SUPPORT_TLS
BOOL gnutls_compat_mode = FALSE;
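Review bot: in the tls_in and tls_out initialisers the new ocsp member is set with a bare 0, while the enum added to tls_support names that state OCSP_NOT_REQ and another initialiser in this diff already writes "OCSP_NOT_REQ, /* ocsp */". Use the enumerator here as well so the initial state stays correct if the enum order ever changes.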
bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */
int tls_dh_max_bits = 2236;
uschar *tls_dhparam = NULL;
-#if defined(EXPERIMENTAL_OCSP) && !defined(USE_GNUTLS)
+#ifndef DISABLE_OCSP
uschar *tls_ocsp_file = NULL;
#endif
BOOL tls_offered = FALSE;
uschar *tls_verify_hosts = NULL;
#endif
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
/* Per Recipient Data Response variables */
BOOL prdr_enable = FALSE;
BOOL prdr_requested = FALSE;
uschar *acl_smtp_auth = NULL;
uschar *acl_smtp_connect = NULL;
uschar *acl_smtp_data = NULL;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
uschar *acl_smtp_data_prdr = NULL;
#endif
#ifndef DISABLE_DKIM
US"MIME",
US"DKIM",
US"DATA",
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
US"PRDR",
#endif
US"non-SMTP",
US"550", /* MIME */
US"550", /* DKIM */
US"550", /* DATA */
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
US"550", /* RCPT PRDR */
#endif
US"0", /* not SMTP; not relevant */
NULL, /* shadow_message */
#ifdef SUPPORT_TLS
NULL, /* cipher */
+ NULL, /* ourcert */
+ NULL, /* peercert */
NULL, /* peerdn */
+ OCSP_NOT_REQ, /* ocsp */
#endif
NULL, /* authenticator */
NULL, /* auth_id */
NULL, /* auth_sndr */
+ #ifdef EXPERIMENTAL_DSN
+ NULL, /* dsn_orcpt */
+ 0, /* dsn_flags */
+ 0, /* dsn_aware */
+ #endif
(uid_t)(-1), /* uid */
(gid_t)(-1), /* gid */
0, /* flags */
#ifdef EXPERIMENTAL_DMARC
BOOL dmarc_has_been_checked = FALSE;
uschar *dmarc_ar_header = NULL;
+uschar *dmarc_domain_policy = NULL;
uschar *dmarc_forensic_sender = NULL;
uschar *dmarc_history_file = NULL;
uschar *dmarc_status = NULL;
{ US"lost_incoming_connection", L_lost_incoming_connection },
{ US"outgoing_port", LX_outgoing_port },
{ US"pid", LX_pid },
+#ifdef EXPERIMENTAL_PROXY
+ { US"proxy", LX_proxy },
+#endif
{ US"queue_run", L_queue_run },
{ US"queue_time", LX_queue_time },
{ US"queue_time_overall", LX_queue_time_overall },
BOOL log_timezone = FALSE;
unsigned int log_write_selector= L_default;
uschar *login_sender_address = NULL;
+uschar *lookup_dnssec_authenticated = NULL;
int lookup_open_max = 25;
uschar *lookup_value = NULL;
int process_info_len = 0;
uschar *process_log_path = NULL;
BOOL prod_requires_admin = TRUE;
+
+#ifdef EXPERIMENTAL_PROXY
+uschar *proxy_host_address = US"";
+int proxy_host_port = 0;
+uschar *proxy_required_hosts = US"";
+BOOL proxy_session = FALSE;
+BOOL proxy_session_failed = FALSE;
+uschar *proxy_target_address = US"";
+int proxy_target_port = 0;
+#endif
+
uschar *prvscheck_address = NULL;
uschar *prvscheck_keynum = NULL;
uschar *prvscheck_result = NULL;
TRUE, /* verify_sender */
FALSE, /* uid_set */
FALSE, /* unseen */
+#ifdef EXPERIMENTAL_DSN
+ FALSE, /* dsn_lasthop */
+#endif
self_freeze, /* self_code */
(uid_t)(-1), /* uid */
FALSE, /* log_defer_output */
TRUE_UNSET /* retry_use_local_part: BOOL, but set neither
1 nor 0 so can detect unset */
+#ifdef EXPERIMENTAL_TPDA
+ ,NULL /* tpda_delivery_action */
+#endif
};
int transport_count;
BOOL write_rejectlog = TRUE;
uschar *version_copyright =
- US"Copyright (c) University of Cambridge, 1995 - 2013\n"
- "(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2013";
+ US"Copyright (c) University of Cambridge, 1995 - 2014\n"
+ "(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014";
uschar *version_date = US"?";
uschar *version_cnumber = US"????";
uschar *version_string = US"?";
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Almost all the global variables are defined together in this one header, so
uschar *cipher; /* Cipher used */
BOOL on_connect; /* For older MTAs that don't STARTTLS */
uschar *on_connect_ports; /* Ports always tls-on-connect */
+ void *ourcert; /* Certificate we presented, binary */
+ void *peercert; /* Certificate of peer, binary */
uschar *peerdn; /* DN from peer */
uschar *sni; /* Server Name Indication */
+ enum {
+ OCSP_NOT_REQ=0, /* not requested */
+ OCSP_NOT_RESP, /* no response to request */
+ OCSP_VFY_NOT_TRIED, /* response not verified */
+ OCSP_FAILED, /* verify failed */
+ OCSP_VFIED /* verified */
+ } ocsp; /* Stapled OCSP status */
} tls_support;
extern tls_support tls_in;
extern tls_support tls_out;
extern uschar *tls_crl; /* CRL File */
extern int tls_dh_max_bits; /* don't accept higher lib suggestions */
extern uschar *tls_dhparam; /* DH param file */
-#if defined(EXPERIMENTAL_OCSP) && !defined(USE_GNUTLS)
+#ifndef DISABLE_OCSP
extern uschar *tls_ocsp_file; /* OCSP stapling proof file */
#endif
extern BOOL tls_offered; /* Server offered TLS */
extern uschar *tls_verify_hosts; /* Mandatory client verification */
#endif
+#ifdef EXPERIMENTAL_DSN
+extern uschar *dsn_envid; /* DSN envid string */
+extern int dsn_ret; /* DSN ret type*/
+extern const pcre *regex_DSN; /* For recognizing DSN settings */
+extern BOOL smtp_use_dsn; /* Global for passed connections */
+extern uschar *dsn_advertise_hosts; /* host for which TLS is advertised */
+#endif
/* Input-reading functions for messages, so we can use special ones for
incoming TCP/IP. */
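Review bot: the comment on dsn_advertise_hosts in the EXPERIMENTAL_DSN block reads "host for which TLS is advertised", which looks copied from a TLS option; it should describe DSN advertisement. In the same block, "DSN ret type*/" is missing the space before the comment close.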
extern uschar *acl_smtp_auth; /* ACL run for AUTH */
extern uschar *acl_smtp_connect; /* ACL run on SMTP connection */
extern uschar *acl_smtp_data; /* ACL run after DATA received */
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
extern uschar *acl_smtp_data_prdr; /* ACL run after DATA received if in PRDR mode*/
const extern pcre *regex_PRDR; /* For recognizing PRDR settings */
#endif
#ifdef EXPERIMENTAL_DMARC
extern BOOL dmarc_has_been_checked; /* Global variable to check if test has been called yet */
extern uschar *dmarc_ar_header; /* Expansion variable, suggested header for dmarc auth results */
+extern uschar *dmarc_domain_policy; /* Expansion for declared policy of used domain */
extern uschar *dmarc_forensic_sender; /* Set sender address for forensic reports */
extern uschar *dmarc_history_file; /* Expansion variable, file to store dmarc results */
extern uschar *dmarc_status; /* Expansion variable, one word value */
extern uschar *login_sender_address; /* The actual sender address */
extern lookup_info **lookup_list; /* Array of pointers to available lookups */
extern int lookup_list_count; /* Number of entries in the list */
+extern uschar *lookup_dnssec_authenticated; /* AD status of dns lookup */
extern int lookup_open_max; /* Max lookup files to cache */
extern uschar *lookup_value; /* Value looked up from file */
extern uschar *pid_file_path; /* For writing daemon pids */
extern uschar *pipelining_advertise_hosts; /* As it says */
extern BOOL pipelining_enable; /* As it says */
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
extern BOOL prdr_enable; /* As it says */
extern BOOL prdr_requested; /* Connecting mail server wants PRDR */
#endif
extern int process_info_len;
extern uschar *process_log_path; /* Alternate path */
extern BOOL prod_requires_admin; /* TRUE if prodding requires admin */
+
+#ifdef EXPERIMENTAL_PROXY
+extern uschar *proxy_host_address; /* IP of host being proxied */
+extern int proxy_host_port; /* Port of host being proxied */
+extern uschar *proxy_required_hosts; /* Hostlist which (require) use proxy protocol */
+extern BOOL proxy_session; /* TRUE if receiving mail from valid proxy */
+extern BOOL proxy_session_failed; /* TRUE if required proxy negotiation failed */
+extern uschar *proxy_target_address; /* IP of proxy server inbound */
+extern int proxy_target_port; /* Port of proxy server inbound */
+#endif
+
extern uschar *prvscheck_address; /* Set during prvscheck expansion item */
extern uschar *prvscheck_keynum; /* Set during prvscheck expansion item */
extern uschar *prvscheck_result; /* Set during prvscheck expansion item */
int rc = dns_lookup(&dnsa, lname, type, NULL);
int count = 0;
+ lookup_dnssec_authenticated = NULL;
+
switch(rc)
{
case DNS_SUCCEED: break;
{
if (strcmpic(ordername, US"bydns") == 0)
{
- dns_init(FALSE, FALSE);
+ dns_init(FALSE, FALSE, FALSE); /* dnssec ctrl by dns_dnssec_ok glbl */
dns_build_reverse(sender_host_address, buffer);
rc = dns_lookup(&dnsa, buffer, T_PTR, NULL);
some circumstances when the get..byname() function actually calls the DNS. */
dns_init((flags & HOST_FIND_QUALIFY_SINGLE) != 0,
- (flags & HOST_FIND_SEARCH_PARENTS) != 0);
+ (flags & HOST_FIND_SEARCH_PARENTS) != 0,
+ FALSE); /*XXX dnssec? */
/* In an IPv6 world, unless IPv6 has been disabled, we need to scan for both
kinds of address, so go round the loop twice. Note that we have ensured that
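Review bot: the third dns_init argument added here is hard-coded FALSE and carries an open "/*XXX dnssec? */" marker, so this caller never requests DNSSEC and the question of whether it should is left in the code. Either settle the behaviour and drop the marker, or say in the comment why this path is exempt.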
host->port = PORT_NONE;
host->status = hstatus_unknown;
host->why = hwhy_unknown;
+ host->dnssec = DS_UNK;
last = host;
}
next->port = PORT_NONE;
next->status = hstatus_unknown;
next->why = hwhy_unknown;
+ next->dnssec = DS_UNK;
next->last_try = 0;
next->next = last->next;
last->next = next;
fully_qualified_name if not NULL, return fully qualified name here if
the contents are different (i.e. it must be preset
to something)
+ dnnssec_require if TRUE check the DNS result AD bit
Returns: HOST_FIND_FAILED couldn't find A record
HOST_FIND_AGAIN try again later
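Review bot: the argument line added to this header comment is spelled "dnnssec_require", and the companion dnssec_requested parameter added to set_address_from_dns is not documented at all. Correct the spelling and add a line for dnssec_requested stating that it controls whether lookup_dnssec_authenticated is set to "yes"/"no" or left NULL.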
static int
set_address_from_dns(host_item *host, host_item **lastptr,
- uschar *ignore_target_hosts, BOOL allow_ip, uschar **fully_qualified_name)
+ uschar *ignore_target_hosts, BOOL allow_ip, uschar **fully_qualified_name,
+ BOOL dnssec_requested, BOOL dnssec_require)
{
dns_record *rr;
host_item *thishostlast = NULL; /* Indicates not yet filled in anything */
dns_scan dnss;
int rc = dns_lookup(&dnsa, host->name, type, fully_qualified_name);
+ lookup_dnssec_authenticated = !dnssec_requested ? NULL
+ : dns_is_secure(&dnsa) ? US"yes" : US"no";
/* We want to return HOST_FIND_AGAIN if one of the A, A6, or AAAA lookups
fails or times out, but not if another one succeeds. (In the early
if (rc != DNS_NOMATCH && rc != DNS_NODATA) v6_find_again = TRUE;
continue;
}
+ if (dnssec_require && !dns_is_secure(&dnsa))
+ {
+ log_write(L_host_lookup_failed, LOG_MAIN, "dnssec fail on %s for %.256s",
+ i>1 ? "A6" : i>0 ? "AAAA" : "A", host->name);
+ continue;
+ }
/* Lookup succeeded: fill in the given host item with the first non-ignored
address found; create additional items for any others. A single A6 record
srv_service when SRV used, the service name
srv_fail_domains DNS errors for these domains => assume nonexist
mx_fail_domains DNS errors for these domains => assume nonexist
+ dnssec_request_domains => make dnssec request
+ dnssec_require_domains => ditto and nonexist failures
fully_qualified_name if not NULL, return fully-qualified name
removed set TRUE if local host was removed from the list
int
host_find_bydns(host_item *host, uschar *ignore_target_hosts, int whichrrs,
uschar *srv_service, uschar *srv_fail_domains, uschar *mx_fail_domains,
+ uschar *dnssec_request_domains, uschar *dnssec_require_domains,
uschar **fully_qualified_name, BOOL *removed)
{
host_item *h, *last;
int yield;
dns_answer dnsa;
dns_scan dnss;
+BOOL dnssec_require = match_isinlist(host->name, &dnssec_require_domains,
+ 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
+BOOL dnssec_request = dnssec_require
+ || match_isinlist(host->name, &dnssec_request_domains,
+ 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
+dnssec_status_t dnssec;
/* Set the default fully qualified name to the incoming name, initialize the
resolver if necessary, set up the relevant options, and initialize the flag
if (fully_qualified_name != NULL) *fully_qualified_name = host->name;
dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0,
- (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0);
+ (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0,
+ dnssec_request
+ );
host_find_failed_syntax = FALSE;
/* First, if requested, look for SRV records. The service name is given; we
the input name, pass back the new original domain, without the prepended
magic. */
+ dnssec = DS_UNK;
+ lookup_dnssec_authenticated = NULL;
rc = dns_lookup(&dnsa, buffer, ind_type, &temp_fully_qualified_name);
+
+ if (dnssec_request)
+ {
+ if (dns_is_secure(&dnsa))
+ { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; }
+ else
+ { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; }
+ }
+
if (temp_fully_qualified_name != buffer && fully_qualified_name != NULL)
*fully_qualified_name = temp_fully_qualified_name + prefix_length;
/* On DNS failures, we give the "try again" error unless the domain is
listed as one for which we continue. */
+ if (rc == DNS_SUCCEED && dnssec_require && !dns_is_secure(&dnsa))
+ {
+ log_write(L_host_lookup_failed, LOG_MAIN,
+ "dnssec fail on SRV for %.256s", host->name);
+ rc = DNS_FAIL;
+ }
if (rc == DNS_FAIL || rc == DNS_AGAIN)
{
#ifndef STAND_ALONE
if (match_isinlist(host->name, &srv_fail_domains, 0, NULL, NULL, MCL_DOMAIN,
TRUE, NULL) != OK)
#endif
- return HOST_FIND_AGAIN;
+ { yield = HOST_FIND_AGAIN; goto out; }
DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
"(domain in srv_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN");
}
if (rc != DNS_SUCCEED && (whichrrs & HOST_FIND_BY_MX) != 0)
{
ind_type = T_MX;
+ dnssec = DS_UNK;
+ lookup_dnssec_authenticated = NULL;
rc = dns_lookup(&dnsa, host->name, ind_type, fully_qualified_name);
- if (rc == DNS_NOMATCH) return HOST_FIND_FAILED;
- if (rc == DNS_FAIL || rc == DNS_AGAIN)
+
+ if (dnssec_request)
{
- #ifndef STAND_ALONE
- if (match_isinlist(host->name, &mx_fail_domains, 0, NULL, NULL, MCL_DOMAIN,
- TRUE, NULL) != OK)
- #endif
- return HOST_FIND_AGAIN;
- DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
- "(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN");
+ if (dns_is_secure(&dnsa))
+ { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; }
+ else
+ { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; }
+ }
+
+ switch (rc)
+ {
+ case DNS_NOMATCH:
+ yield = HOST_FIND_FAILED; goto out;
+
+ case DNS_SUCCEED:
+ if (!dnssec_require || dns_is_secure(&dnsa))
+ break;
+ log_write(L_host_lookup_failed, LOG_MAIN,
+ "dnssec fail on MX for %.256s", host->name);
+ rc = DNS_FAIL;
+ /*FALLTRHOUGH*/
+
+ case DNS_FAIL:
+ case DNS_AGAIN:
+ #ifndef STAND_ALONE
+ if (match_isinlist(host->name, &mx_fail_domains, 0, NULL, NULL, MCL_DOMAIN,
+ TRUE, NULL) != OK)
+ #endif
+ { yield = HOST_FIND_AGAIN; goto out; }
+ DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
+ "(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN");
+ break;
}
}
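Review bot: a DNSSEC failure on a dnssec_require domain is turned into rc = DNS_FAIL and then drops into the existing srv_fail_domains / mx_fail_domains handling, so for a domain listed there the unauthenticated SRV or MX answer is "treated as DNS_NODATA" and routing continues to the next record type instead of stopping. If require is meant to be strict, set yield = HOST_FIND_AGAIN and goto out before the fail-domains test, or document that the fail-domains lists override it. Separately, "/*FALLTRHOUGH*/" is misspelled, so lint-style checkers that look for the conventional FALLTHROUGH marker will not recognise it.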
if ((whichrrs & HOST_FIND_BY_A) == 0)
{
DEBUG(D_host_lookup) debug_printf("Address records are not being sought\n");
- return HOST_FIND_FAILED;
+ yield = HOST_FIND_FAILED;
+ goto out;
}
last = host; /* End of local chainlet */
host->mx = MX_NONE;
host->port = PORT_NONE;
+ dnssec = DS_UNK;
+ lookup_dnssec_authenticated = NULL;
rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE,
- fully_qualified_name);
+ fully_qualified_name, dnssec_request, dnssec_require);
+
+ if (dnssec_request)
+ {
+ if (dns_is_secure(&dnsa))
+ { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; }
+ else
+ { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; }
+ }
/* If one or more address records have been found, check that none of them
are local. Since we know the host items all have their IP addresses
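Review bot: the dns_is_secure(&dnsa) test added after the set_address_from_dns call inspects host_find_bydns's own local dnsa, but set_address_from_dns is not passed a dns_answer, so the answer being tested is not the one from the address lookup. The value stored in dnssec and lookup_dnssec_authenticated therefore reflects the earlier SRV/MX answer, or an unfilled structure when neither was looked up, and it overwrites what set_address_from_dns had just put into lookup_dnssec_authenticated. Have set_address_from_dns report the status (for example through the host_item's dnssec field or an extra out parameter) and use that here.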
}
}
- return rc;
+ yield = rc;
+ goto out;
}
/* We have found one or more MX or SRV records. Sort them according to
the same precedence to sort randomly. */
if (ind_type == T_MX)
- {
weight = random_number(500);
- }
/* SRV records are specified with a port and a weight. The weight is used
in a special algorithm. However, to start with, we just use it to order the
host->sort_key = precedence * 1000 + weight;
host->status = hstatus_unknown;
host->why = hwhy_unknown;
+ host->dnssec = dnssec;
last = host;
}
next->sort_key = sort_key;
next->status = hstatus_unknown;
next->why = hwhy_unknown;
+ next->dnssec = dnssec;
next->last_try = 0;
/* Handle the case when we have to insert before the first item. */
if (host == last && host->name[0] == 0)
{
DEBUG(D_host_lookup) debug_printf("the single SRV record is \".\"\n");
- return HOST_FIND_FAILED;
+ yield = HOST_FIND_FAILED;
+ goto out;
}
DEBUG(D_host_lookup)
if they happen to match something local. */
yield = HOST_FIND_FAILED; /* Default yield */
-dns_init(FALSE, FALSE); /* Disable qualify_single and search_parents */
+dns_init(FALSE, FALSE, /* Disable qualify_single and search_parents */
+ dnssec_request || dnssec_require);
for (h = host; h != last->next; h = h->next)
{
if (h->address != NULL) continue; /* Inserted by a multihomed host */
- rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip, NULL);
+ rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip,
+ NULL, dnssec_request, dnssec_require);
if (rc != HOST_FOUND)
{
h->status = hstatus_unusable;
}
}
+out:
+
+dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
return yield;
}
BOOL byname = FALSE;
BOOL qualify_single = TRUE;
BOOL search_parents = FALSE;
+BOOL request_dnssec = FALSE;
+BOOL require_dnssec = FALSE;
uschar **argv = USS cargv;
uschar buffer[256];
/* So that debug level changes can be done first */
-dns_init(qualify_single, search_parents);
+dns_init(qualify_single, search_parents, FALSE);
printf("Testing host lookup\n");
printf("> ");
whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX;
else if (Ustrcmp(buffer, "srv+mx+a") == 0)
whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX | HOST_FIND_BY_A;
- else if (Ustrcmp(buffer, "qualify_single") == 0) qualify_single = TRUE;
+ else if (Ustrcmp(buffer, "qualify_single") == 0) qualify_single = TRUE;
else if (Ustrcmp(buffer, "no_qualify_single") == 0) qualify_single = FALSE;
- else if (Ustrcmp(buffer, "search_parents") == 0) search_parents = TRUE;
+ else if (Ustrcmp(buffer, "search_parents") == 0) search_parents = TRUE;
else if (Ustrcmp(buffer, "no_search_parents") == 0) search_parents = FALSE;
+ else if (Ustrcmp(buffer, "request_dnssec") == 0) request_dnssec = TRUE;
+ else if (Ustrcmp(buffer, "no_request_dnssec") == 0) request_dnssec = FALSE;
+ else if (Ustrcmp(buffer, "require_dnssec") == 0) require_dnssec = TRUE;
+ else if (Ustrcmp(buffer, "no_reqiret_dnssec") == 0) require_dnssec = FALSE;
else if (Ustrcmp(buffer, "test_harness") == 0)
running_in_test_harness = !running_in_test_harness;
else if (Ustrcmp(buffer, "ipv6") == 0) disable_ipv6 = !disable_ipv6;
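Review bot: the keyword that switches the option off is spelled "no_reqiret_dnssec", so typing no_require_dnssec at the test prompt will not reach this branch and require_dnssec stays TRUE. Rename it to "no_require_dnssec" to mirror "no_request_dnssec".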
if (qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE;
if (search_parents) flags |= HOST_FIND_SEARCH_PARENTS;
- rc = byname?
- host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE)
- :
- host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL,
- &fully_qualified_name, NULL);
+ rc = byname
+ ? host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE)
+ : host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL,
+ request_dnssec ? &h.name : NULL,
+ require_dnssec ? &h.name : NULL,
+ &fully_qualified_name, NULL);
if (rc == HOST_FIND_FAILED) printf("Failed\n");
else if (rc == HOST_FIND_AGAIN) printf("Again\n");
}
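Review bot: host_find_bydns declares the two new parameters as uschar *dnssec_request_domains and uschar *dnssec_require_domains, but this call passes &h.name, which is a uschar **. Pass h.name (or NULL) so that the host name itself serves as the one-element domain list.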
#endif /* STAND_ALONE */
+/* vi: aw ai sw=2
+*/
/* End of host.c */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for doing things with sockets. With the advent of IPv6 this has
af AF_INET6 or AF_INET for the socket type
address the remote address, in text form
port the remote port
- timeout a timeout
+ timeout a timeout (zero for indefinite timeout)
Returns: 0 on success; -1 on failure, with errno set
*/
}
+/* Create a socket and connect to host (name or number, ipv6 ok)
+ at one of port-range.
+Arguments:
+ type SOCK_DGRAM or SOCK_STREAM
+ af AF_INET6 or AF_INET for the socket type
+ address the remote address, in text form
+ portlo,porthi the remote port range
+ timeout a timeout
+ connhost if not NULL, host_item filled in with connection details
+ errstr pointer for allocated string on error
+
+Return:
+ socket fd, or -1 on failure (having allocated an error string)
+*/
+int
+ip_connectedsocket(int type, const uschar * hostname, int portlo, int porthi,
+ int timeout, host_item * connhost, uschar ** errstr)
+{
+int namelen, port;
+host_item shost;
+host_item *h;
+int af = 0, fd, fd4 = -1, fd6 = -1;
+
+shost.next = NULL;
+shost.address = NULL;
+shost.port = portlo;
+shost.mx = -1;
+
+namelen = Ustrlen(hostname);
+
+/* Anything enclosed in [] must be an IP address. */
+
+if (hostname[0] == '[' &&
+ hostname[namelen - 1] == ']')
+ {
+ uschar * host = string_copy(hostname);
+ host[namelen - 1] = 0;
+ host++;
+ if (string_is_ip_address(host, NULL) == 0)
+ {
+ *errstr = string_sprintf("malformed IP address \"%s\"", hostname);
+ return -1;
+ }
+ shost.name = shost.address = host;
+ }
+
+/* Otherwise check for an unadorned IP address */
+
+else if (string_is_ip_address(hostname, NULL) != 0)
+ shost.name = shost.address = string_copy(hostname);
+
+/* Otherwise lookup IP address(es) from the name */
+
+else
+ {
+ shost.name = string_copy(hostname);
+ if (host_find_byname(&shost, NULL, HOST_FIND_QUALIFY_SINGLE, NULL,
+ FALSE) != HOST_FOUND)
+ {
+ *errstr = string_sprintf("no IP address found for host %s", shost.name);
+ return -1;
+ }
+ }
+
+/* Try to connect to the server - test each IP till one works */
+
+for (h = &shost; h != NULL; h = h->next)
+ {
+ fd = (Ustrchr(h->address, ':') != 0)
+ ? (fd6 < 0) ? (fd6 = ip_socket(SOCK_STREAM, af = AF_INET6)) : fd6
+ : (fd4 < 0) ? (fd4 = ip_socket(SOCK_STREAM, af = AF_INET )) : fd4;
+
+ if (fd < 0)
+ {
+ *errstr = string_sprintf("failed to create socket: %s", strerror(errno));
+ goto bad;
+ }
+
+ for(port = portlo; port <= porthi; port++)
+ if (ip_connect(fd, af, h->address, port, timeout) == 0)
+ {
+ if (fd != fd6) close(fd6);
+ if (fd != fd4) close(fd4);
+ if (connhost) {
+ h->port = port;
+ *connhost = *h;
+ connhost->next = NULL;
+ }
+ return fd;
+ }
+ }
+
+*errstr = string_sprintf("failed to connect to "
+ "%s: couldn't connect to any host", hostname, strerror(errno));
+
+bad:
+ close(fd4); close(fd6); return -1;
+}
+
/*************************************************
* Set keepalive on a socket *
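Review bot: in ip_connectedsocket the variable af is assigned only inside the ip_socket() call that first creates fd4 or fd6, so when the host list alternates families and an existing descriptor is reused, ip_connect(fd, af, ...) is called with the family of whichever socket was created last. Derive af from h->address on every iteration. Related points in the same function: the descriptor is reused after a failed connect, which POSIX leaves in an unspecified state, so a fresh socket per attempt is safer; the type argument is never used because both ip_socket calls hard-code SOCK_STREAM; the header comment documents an af argument the function does not take; the final string_sprintf supplies strerror(errno) but the format has only one %s; and close(fd4) / close(fd6) can be called on -1, which should be guarded.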
*level = IPPROTO_IP;
*optname = IP_TOS;
}
-#if HAVE_IPV6
+#if HAVE_IPV6 && defined(IPV6_TCLASS)
else if (af == AF_INET6)
{
*level = IPPROTO_IPV6;
uschar *address; /* the recipient address */
int pno; /* parent number for "one_time" alias, or -1 */
uschar *errors_to; /* the errors_to address or NULL */
+#ifdef EXPERIMENTAL_DSN
+ uschar *orcpt; /* DSN orcpt */
+ int dsn_flags; /* DSN flags */
+#endif
#ifdef EXPERIMENTAL_BRIGHTMAIL
uschar *bmi_optin;
#endif
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for writing log files. The code for maintaining datestamped
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
#include "../exim.h"
#define T_SPF 99
#endif
+/* New TLSA record for DANE */
+#ifndef T_TLSA
+#define T_TLSA 52
+#endif
+
/* Table of recognized DNS record types and their integer values. */
static const char *type_names[] = {
"ptr",
"spf",
"srv",
+ "tlsa",
"txt",
"zns"
};
T_PTR,
T_SPF,
T_SRV,
+ T_TLSA,
T_TXT,
T_ZNS /* Private type for "zone nameservers" */
};
whole lookup to defer only if none of the DNS queries succeeds; and 'never',
where all defers are as if the lookup failed. The default is 'lax'.
-(d) If the next sequence of characters is a sequence of letters and digits
+(d) Another optional comma-sep field: 'dnssec_FOO', with 'strict', 'lax'
+and 'never' (default); can appear before or after (c). The meanings are
+require, try and don't-try dnssec respectively.
+
+(e) If the next sequence of characters is a sequence of letters and digits
followed by '=', it is interpreted as the name of the DNS record type. The
default is "TXT".
-(e) Then there follows list of domain names. This is a generalized Exim list,
+(f) Then there follows list of domain names. This is a generalized Exim list,
which may start with '<' in order to set a specific separator. The default
separator, as always, is colon. */
int ptr = 0;
int sep = 0;
int defer_mode = PASS;
+int dnssec_mode = OK;
int type;
int failrc = FAIL;
uschar *outsep = US"\n";
while (isspace(*keystring)) keystring++;
}
-/* Check for a defer behaviour keyword. */
+/* Check for a modifier keyword. */
-if (strncmpic(keystring, US"defer_", 6) == 0)
+while ( strncmpic(keystring, US"defer_", 6) == 0
+ || strncmpic(keystring, US"dnssec_", 7) == 0
+ )
{
- keystring += 6;
- if (strncmpic(keystring, US"strict", 6) == 0)
+ if (strncmpic(keystring, US"defer_", 6) == 0)
{
- defer_mode = DEFER;
keystring += 6;
- }
- else if (strncmpic(keystring, US"lax", 3) == 0)
- {
- defer_mode = PASS;
- keystring += 3;
- }
- else if (strncmpic(keystring, US"never", 5) == 0)
- {
- defer_mode = OK;
- keystring += 5;
+ if (strncmpic(keystring, US"strict", 6) == 0)
+ {
+ defer_mode = DEFER;
+ keystring += 6;
+ }
+ else if (strncmpic(keystring, US"lax", 3) == 0)
+ {
+ defer_mode = PASS;
+ keystring += 3;
+ }
+ else if (strncmpic(keystring, US"never", 5) == 0)
+ {
+ defer_mode = OK;
+ keystring += 5;
+ }
+ else
+ {
+ *errmsg = US"unsupported dnsdb defer behaviour";
+ return DEFER;
+ }
}
else
{
- *errmsg = US"unsupported dnsdb defer behaviour";
- return DEFER;
+ keystring += 7;
+ if (strncmpic(keystring, US"strict", 6) == 0)
+ {
+ dnssec_mode = DEFER;
+ keystring += 6;
+ }
+ else if (strncmpic(keystring, US"lax", 3) == 0)
+ {
+ dnssec_mode = PASS;
+ keystring += 3;
+ }
+ else if (strncmpic(keystring, US"never", 5) == 0)
+ {
+ dnssec_mode = OK;
+ keystring += 5;
+ }
+ else
+ {
+ *errmsg = US"unsupported dnsdb dnssec behaviour";
+ return DEFER;
+ }
}
while (isspace(*keystring)) keystring++;
if (*keystring++ != ',')
{
- *errmsg = US"dnsdb defer behaviour syntax error";
+ *errmsg = US"dnsdb modifier syntax error";
return DEFER;
}
while (isspace(*keystring)) keystring++;
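Review bot: the defer_ and dnssec_ branches of the new while loop repeat the same strict/lax/never matching and differ only in the variable assigned and the error text, so a small helper taking the target int and the message would halve this block and keep the two keyword sets from drifting apart. It would also help to say in the (d) comment that dnssec_mode reuses OK/PASS/DEFER for never/lax/strict, since "int dnssec_mode = OK;" reads like a status code rather than "never".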
/* Initialize the resolver in case this is the first time it has been used. */
-dns_init(FALSE, FALSE);
+dns_init(FALSE, FALSE, dnssec_mode != OK);
/* The remainder of the string must be a list of domains. As long as the lookup
for at least one of them succeeds, we return success. Failure means that none
#endif
rc = dns_special_lookup(&dnsa, domain, type, &found);
+ lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
+ : dns_is_secure(&dnsa) ? US"yes" : US"no";
+
if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
if (rc != DNS_SUCCEED)
{
- if (defer_mode == DEFER) return DEFER; /* always defer */
+ if (defer_mode == DEFER)
+ {
+ dns_init(FALSE, FALSE, FALSE); /* clr dnssec bit */
+ return DEFER; /* always defer */
+ }
if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
continue; /* treat defer as fail */
}
+ if (dnssec_mode == DEFER && !dns_is_secure(&dnsa))
+ {
+ failrc = DEFER;
+ continue;
+ }
+
/* Search the returned records */
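Review bot: the dnssec_strict test sits after "if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;", so an unauthenticated negative answer is accepted as a plain failure and only unauthenticated positive answers produce failrc = DEFER. If strict is meant to distrust any unsigned response, move the dns_is_secure check ahead of the NOMATCH/NODATA test, or state in the (d) comment that negative answers are exempt.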
}
}
}
+ else if (type == T_TLSA)
+ {
+ uint8_t usage, selector, matching_type;
+ uint16_t i, payload_length;
+ uschar s[MAX_TLSA_EXPANDED_SIZE];
+ uschar * sp = s;
+ uschar *p = (uschar *)(rr->data);
+
+ usage = *p++;
+ selector = *p++;
+ matching_type = *p++;
+ /* What's left after removing the first 3 bytes above */
+ payload_length = rr->size - 3;
+ sp += sprintf(CS s, "%d %d %d ", usage, selector, matching_type);
+ /* Now append the cert/identifier, one hex char at a time */
+ for (i=0;
+ i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
+ i++)
+ {
+ sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
+ }
+ yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
+ }
else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
{
int priority, weight, port;
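Review bot: the T_TLSA branch reads three header bytes and computes "payload_length = rr->size - 3" without first checking that rr->size is at least 3; for a shorter record the uint16_t wraps and the loop reads past rr->data until the output buffer limit stops it. Reject or skip records with rr->size < 3 before touching p. The loop also stops silently when the hex text would exceed MAX_TLSA_EXPANDED_SIZE, which hands the caller a truncated association with no indication; a debug or log line there would make that visible.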
/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
zero and return the result. */
+dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
+
if (ptr == 0) return failrc;
yield[ptr] = 0;
*result = yield;
static lookup_info *_lookup_list[] = { &_lookup_info };
lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
+/* vi: aw ai sw=2
+*/
/* End of lookups/dnsdb.c */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Many thanks to Stuart Lynne for contributing the original code for this
{
LDAP *ld;
+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ int am_server = 0;
+ LDAP *ldsetctx;
+ #else
+ LDAP *ldsetctx = NULL;
+ #endif
+
/* --------------------------- OpenLDAP ------------------------ */
goto RETURN_ERROR;
}
+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ ldsetctx = ld;
+ #endif
+
/* Set the TCP connect time limit if available. This is something that is
in Netscape SDK v4.1; I don't know about other libraries. */
#ifdef LDAP_OPT_X_TLS_CACERTFILE
if (eldap_ca_cert_file != NULL)
{
- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file);
}
#endif
#ifdef LDAP_OPT_X_TLS_CACERTDIR
if (eldap_ca_cert_dir != NULL)
{
- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir);
}
#endif
#ifdef LDAP_OPT_X_TLS_CERTFILE
if (eldap_cert_file != NULL)
{
- ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file);
}
#endif
#ifdef LDAP_OPT_X_TLS_KEYFILE
if (eldap_cert_key != NULL)
{
- ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key);
}
#endif
#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
if (eldap_cipher_suite != NULL)
{
- ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
+ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite);
}
#endif
#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
{
cert_option = LDAP_OPT_X_TLS_TRY;
}
- /* Use NULL ldap handle because is a global option */
- ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+ /* This ldap handle is set at compile time based on client libs. Older
+ * versions want it to be global and newer versions can force a reload
+ * of the TLS context (to reload these settings we are changing from the
+ * default that loaded at instantiation). */
+ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+ if (rc)
+ {
+ DEBUG(D_lookup)
+ debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n",
+ cert_option, ldap_err2string(rc));
+ }
+ }
+ #endif
+ #ifdef LDAP_OPT_X_TLS_NEWCTX
+ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server);
+ if (rc)
+ {
+ DEBUG(D_lookup)
+ debug_printf("Unable to reload TLS context %d: %s\n",
+ rc, ldap_err2string(rc));
}
#endif
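Review bot: The two new result checks at the end of this hunk, on the ldap_set_option() calls for LDAP_OPT_X_TLS_REQUIRE_CERT and LDAP_OPT_X_TLS_NEWCTX, only report a failure through debug_printf under DEBUG(D_lookup). In normal operation a failure to apply the certificate-checking policy or to rebuild the TLS context is therefore invisible, and the lookup carries on with whatever settings the library already had. Because this controls server certificate verification, the failure should go to the main log and take the existing "goto RETURN_ERROR" path, or a comment should explain why continuing is safe. The word "globally" in the first message is also wrong when LDAP_OPT_X_TLS_NEWCTX is defined, since ldsetctx is then the per-connection handle ld. The CACERTFILE, CACERTDIR, CERTFILE, KEYFILE and CIPHER_SUITE calls above still discard their return values and deserve the same check.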
uschar *p;
uschar *user = NULL;
uschar *password = NULL;
+uschar *local_servers = NULL;
uschar *server, *list;
uschar buffer[512];
else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value);
else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value);
else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value);
+ else if (strncmpic(name, US"SERVERS=", namelen) == 0) local_servers = value;
/* Don't know if all LDAP libraries have LDAP_OPT_DEREF */
/* No default servers, or URL contains a server name: just one attempt */
-if (eldap_default_servers == NULL || p[3] != '/')
+if ((eldap_default_servers == NULL && local_servers == NULL) || p[3] != '/')
{
return perform_ldap_search(url, NULL, 0, search_type, res, errmsg,
&defer_break, user, password, sizelimit, timelimit, tcplimit, dereference,
referrals);
}
-/* Loop through the default servers until OK or FAIL */
-
-list = eldap_default_servers;
+/* Loop through the default servers until OK or FAIL. Use local_servers list
+ * if defined in the lookup, otherwise use the global default list */
+list = (local_servers == NULL) ? eldap_default_servers : local_servers;
while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
{
int rc;
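Review bot: The unchanged comment above the single-attempt test still reads "No default servers, or URL contains a server name", although the condition now also depends on local_servers. Please update it so that it describes the new test. The list selection, list = (local_servers == NULL) ? eldap_default_servers : local_servers, only distinguishes NULL from non-NULL. If the parameter parser can deliver an empty value for SERVERS=, the lookup would bypass eldap_default_servers and iterate over an empty list, so either treat an empty value as unset or reject it with an error. The new SERVERS= lookup parameter also needs an entry in the documentation next to TIME=, CONNECT= and NETTIME=.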
{
DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host,
lcp->port);
- ldap_unbind(lcp->ld);
+ if(lcp->bound == TRUE)
+ ldap_unbind(lcp->ld);
ldap_connections = lcp->next;
}
}
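Review bot: With the new guard, if(lcp->bound == TRUE), a cached connection that was opened but never bound is unlinked from ldap_connections without ldap_unbind() being called on it. ldap_unbind() is also the call that releases the LDAP handle and closes its socket, so the unbound case now leaks both. If the guard exists to avoid a problem with handles in a particular state, a comment should say which state, and that path still needs a way to release lcp->ld. The debug line "unbind LDAP connection to %s:%d" is also still printed when the unbind is skipped. Style: the rest of the file writes "if (" with a space.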
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
#define WAIT_NAME_MAX 50
+/* Wait this long before determining that a Proxy Protocol configured
+host isn't speaking the protocol, and so is disallowed. Can be moved to
+runtime configuration if per site settings become needed. */
+#ifdef EXPERIMENTAL_PROXY
+#define PROXY_NEGOTIATION_TIMEOUT_SEC 3
+#define PROXY_NEGOTIATION_TIMEOUT_USEC 0
+#endif
+
/* Fixed option values for all PCRE functions */
#define PCRE_COPT 0 /* compile */
#define LX_unknown_in_list 0x81000000
#define LX_8bitmime 0x82000000
#define LX_smtp_mailauth 0x84000000
+#define LX_proxy 0x88000000
#define L_default (L_connection_reject | \
L_delay_delivery | \
#define ERRNO_RCPT4XX (-44) /* RCPT gave 4xx error */
#define ERRNO_MAIL4XX (-45) /* MAIL gave 4xx error */
#define ERRNO_DATA4XX (-46) /* DATA gave 4xx error */
+#define ERRNO_PROXYFAIL (-47) /* Negotiation failed for proxy configured host */
/* These must be last, so all retry deferments can easily be identified */
#define topt_no_body 0x040 /* Omit body */
#define topt_escape_headers 0x080 /* Apply escape check to headers */
+#ifdef EXPERIMENTAL_DSN
+/* Flags for recipient_block, used in DSN support */
+
+#define rf_dsnlasthop 0x01 /* Do not propagate DSN any further */
+#define rf_notify_never 0x02 /* NOTIFY= settings */
+#define rf_notify_success 0x04
+#define rf_notify_failure 0x08
+#define rf_notify_delay 0x10
+
+#define rf_dsnflags (rf_notify_never | rf_notify_success | \
+ rf_notify_failure | rf_notify_delay)
+
+/* DSN RET types */
+
+#define dsn_ret_full 1
+#define dsn_ret_hdrs 2
+
+#define dsn_support_unknown 0
+#define dsn_support_yes 1
+#define dsn_support_no 2
+
+#endif
+
/* Codes for the host_find_failed and host_all_ignored options. */
#define hff_freeze 0
ACL_WHERE_MIME, /* ) implemented by <= WHERE_NOTSMTP */
ACL_WHERE_DKIM, /* ) */
ACL_WHERE_DATA, /* ) */
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
ACL_WHERE_PRDR, /* ) */
#endif
ACL_WHERE_NOTSMTP, /* ) */
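Review bot: Changing the guard on ACL_WHERE_PRDR from #ifdef EXPERIMENTAL_PRDR to #ifndef DISABLE_PRDR shifts the numeric value of ACL_WHERE_NOTSMTP, and of every enumerator after it, in default builds. Any table or bit mask indexed by this enum must carry the same #ifndef DISABLE_PRDR guard at the same position, and the trailing comments ("implemented by <= WHERE_NOTSMTP") show that the ordering is relied upon. Please confirm that every such site was converted in this change, and note the default-on behaviour in the build documentation.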
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003-???? */
+/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003-2014 */
/* License: GPL */
/* Code for calling virus (malware) scanners. Called from acl.c. */
#include "exim.h"
#ifdef WITH_CONTENT_SCAN
+typedef enum {M_FPROTD, M_DRWEB, M_AVES, M_FSEC, M_KAVD, M_CMDL,
+ M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD} scanner_t;
+typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
+static struct scan
+{
+ scanner_t scancode;
+ const uschar * name;
+ const uschar * options_default;
+ contype_t conn;
+} m_scans[] =
+{
+ { M_FPROTD, US"f-protd", US"localhost 10200-10204", MC_TCP },
+ { M_DRWEB, US"drweb", US"/usr/local/drweb/run/drwebd.sock", MC_STRM },
+ { M_AVES, US"aveserver", US"/var/run/aveserver", MC_UNIX },
+ { M_FSEC, US"fsecure", US"/var/run/.fsav", MC_UNIX },
+ { M_KAVD, US"kavdaemon", US"/var/run/AvpCtl", MC_UNIX },
+ { M_CMDL, US"cmdline", NULL, MC_NONE },
+ { M_SOPHIE, US"sophie", US"/var/run/sophie", MC_UNIX },
+ { M_CLAMD, US"clamd", US"/tmp/clamd", MC_NONE },
+ { M_SOCK, US"sock", US"/tmp/malware.sock", MC_STRM },
+ { M_MKSD, US"mksd", NULL, MC_NONE },
+ { -1, NULL, NULL, MC_NONE } /* end-marker */
+};
+
/* The maximum number of clamd servers that are supported in the configuration */
#define MAX_CLAMD_SERVERS 32
#define MAX_CLAMD_SERVERS_S "32"
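Review bot: In the m_scans table the defaults for clamd ("/tmp/clamd") and sock ("/tmp/malware.sock") place the scanner socket in a world-writable directory. On a host where the daemon is not running, another local account could own that path, and the scan verdict would then come from an untrusted process. If these values are kept for compatibility, say so in a comment. Otherwise prefer a path under /var/run, as the aveserver, fsecure, kavdaemon and sophie entries already use. Separately, the end-marker initialises the scanner_t field with -1, which is not an enumerator. The lookup loop stops on a NULL name, so the scancode in that row is never read, and a comment or a dedicated enumerator would avoid the sign-conversion warning.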
#define MAX_CLAMD_ADDRESS_LENGTH_S "64"
typedef struct clamd_address_container {
- uschar tcp_addr[MAX_CLAMD_ADDRESS_LENGTH];
+ uschar tcp_addr[MAX_CLAMD_ADDRESS_LENGTH+1];
unsigned int tcp_port;
} clamd_address_container;
/* declaration of private routines */
-static int mksd_scan_packed(int sock, uschar *scan_filename);
+static int mksd_scan_packed(struct scan * scanent, int sock, uschar *scan_filename);
static int malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking);
-/* SHUT_WR seems to be undefined on Unixware? */
-#ifndef SHUT_WR
-#define SHUT_WR 1
+#ifndef nelements
+# define nelements(arr) (sizeof(arr) / sizeof(arr[0]))
#endif
#define DERR_TIMEOUT (1<<9) /* scan timeout has run out */
#define DERR_BAD_CALL (1<<15) /* wrong command */
-/* Routine to check whether a system is big- or litte-endian.
+/* Routine to check whether a system is big- or little-endian.
Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html
Needed for proper kavdaemon implementation. Sigh. */
#define BIG_MY_ENDIAN 0
#define LITTLE_MY_ENDIAN 1
-int test_byte_order(void);
-int test_byte_order() {
- short int word = 0x0001;
- char *byte = (char *) &word;
- return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
+static int test_byte_order(void);
+static inline int
+test_byte_order()
+{
+ short int word = 0x0001;
+ char *byte = (char *) &word;
+ return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
}
-uschar malware_name_buffer[256];
-int malware_ok = 0;
+BOOL malware_ok = FALSE;
/* Gross hacks for the -bmalware option; perhaps we should just create
the scan directory normally for that case, but look into rigging up the
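Review bot: The forward declaration "static int test_byte_order(void);" is immediately followed by the definition, which is declared "static inline int" and has an empty parameter list "()". Drop the prototype and write the definition as "static inline int test_byte_order(void)" so that the two cannot disagree. In the same hunk, malware_ok changes type from int to BOOL. Any extern declaration of it in a header needs the matching change, which is not visible here.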
Returns: Exim message processing code (OK, FAIL, DEFER, ...)
where true means malware was found (condition applies)
*/
-int malware(uschar **listptr) {
- uschar scan_filename[1024];
- BOOL fits;
+int
+malware(uschar **listptr)
+{
+ uschar * scan_filename;
int ret;
- fits = string_format(scan_filename, sizeof(scan_filename),
- CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
- if (!fits)
- {
- av_failed = TRUE;
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware filename does not fit in buffer [malware()]");
- return DEFER;
- }
-
+ scan_filename = string_sprintf("%s/scan/%s/%s.eml",
+ spool_directory, message_id, message_id);
ret = malware_internal(listptr, scan_filename, FALSE);
if (ret == DEFER) av_failed = TRUE;
where true means malware was found (condition applies)
*/
int
-malware_in_file(uschar *eml_filename) {
+malware_in_file(uschar *eml_filename)
+{
uschar *scan_options[2];
uschar message_id_buf[64];
int ret;
}
+static inline int
+malware_errlog_defer(const uschar * str)
+{
+ log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: %s", str);
+ return DEFER;
+}
+
+static int
+m_errlog_defer(struct scan * scanent, const uschar * str)
+{
+ return malware_errlog_defer(string_sprintf("%s: %s", scanent->name, str));
+}
+static int
+m_errlog_defer_3(struct scan * scanent, const uschar * str,
+ int fd_to_close)
+{
+ (void) close(fd_to_close);
+ return m_errlog_defer(scanent, str);
+}
+
+/*************************************************/
+
+/* Only used by the Clamav code, which is working from a list of servers and
+uses the returned in_addr to get a second connection to the same system.
+*/
+static inline int
+m_tcpsocket(const uschar * hostname, unsigned int port,
+ host_item * host, uschar ** errstr)
+{
+ return ip_connectedsocket(SOCK_STREAM, hostname, port, port, 5, host, errstr);
+}
+
+static int
+m_tcpsocket_fromdef(const uschar * hostport, uschar ** errstr)
+{
+ int scan;
+ uschar hostname[256];
+ unsigned int portlow, porthigh;
+
+ /* extract host and port part */
+ scan = sscanf(CS hostport, "%255s %u-%u", hostname, &portlow, &porthigh);
+ if ( scan != 3 ) {
+ if ( scan != 2 ) {
+ *errstr = string_sprintf("invalid socket '%s'", hostport);
+ return -1;
+ }
+ porthigh = portlow;
+ }
+
+ return ip_connectedsocket(SOCK_STREAM, hostname, portlow, porthigh,
+ 5, NULL, errstr);
+}
+
+static int
+m_unixsocket(const uschar * path, uschar ** errstr)
+{
+ int sock;
+ struct sockaddr_un server;
+
+ if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
+ *errstr = US"can't open UNIX socket.";
+ return -1;
+ }
+
+ server.sun_family = AF_UNIX;
+ Ustrncpy(server.sun_path, path, sizeof(server.sun_path)-1);
+ server.sun_path[sizeof(server.sun_path)-1] = '\0';
+ if (connect(sock, (struct sockaddr *) &server, sizeof(server)) < 0) {
+ int err = errno;
+ (void)close(sock);
+ *errstr = string_sprintf("unable to connect to UNIX socket (%s): %s",
+ path, strerror(err));
+ return -1;
+ }
+ return sock;
+}
+
+static inline int
+m_streamsocket(const uschar * spec, uschar ** errstr)
+{
+ return *spec == '/'
+ ? m_unixsocket(spec, errstr) : m_tcpsocket_fromdef(spec, errstr);
+}
+
+static int
+m_sock_send(int sock, uschar * buf, int cnt, uschar ** errstr)
+{
+ if (send(sock, buf, cnt, 0) < 0) {
+ int err = errno;
+ (void)close(sock);
+ *errstr = string_sprintf("unable to send to socket (%s): %s",
+ buf, strerror(err));
+ return -1;
+ }
+ return sock;
+}
+
+static const pcre *
+m_pcre_compile(const uschar * re, uschar ** errstr)
+{
+ const uschar * rerror;
+ int roffset;
+ const pcre * cre;
+
+ cre = pcre_compile(CS re, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
+ if (!cre)
+ *errstr= string_sprintf("regular expression error in '%s': %s at offset %d",
+ re, rerror, roffset);
+ return cre;
+}
+
+uschar *
+m_pcre_exec(const pcre * cre, uschar * text)
+{
+ int ovector[10*3];
+ int i = pcre_exec(cre, NULL, CS text, Ustrlen(text), 0, 0,
+ ovector, nelements(ovector));
+ uschar * substr = NULL;
+ if (i >= 2) /* Got it */
+ pcre_get_substring(CS text, ovector, i, 1, (const char **) &substr);
+ return substr;
+}
+
+static const pcre *
+m_pcre_nextinlist(uschar ** list, int * sep, char * listerr, uschar ** errstr)
+{
+ const uschar * list_ele;
+ const pcre * cre = NULL;
+
+ if (!(list_ele = string_nextinlist(list, sep, NULL, 0)))
+ *errstr = US listerr;
+ else
+ cre = m_pcre_compile(CUS list_ele, errstr);
+ return cre;
+}
+
/*************************************************
* Scan content for malware *
*************************************************/
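Review bot: m_sock_send() formats buf with %s in its error string ("unable to send to socket (%s): %s"), but the function takes an explicit cnt, so nothing requires buf to be NUL-terminated text. Report the byte count or the socket specification instead. The function also closes sock itself on failure, while m_errlog_defer_3() exists to close a descriptor on the error path. The ownership rule needs a comment so that a caller does not close the same descriptor twice, which could hit an unrelated descriptor opened in between. In m_unixsocket(), Ustrncpy silently truncates a path longer than sun_path, and connect() then goes to a different path than the one configured. Return an error for over-long paths, and zero the sockaddr_un before filling it. m_pcre_exec() is the only helper here not declared static, and the substring it gets from pcre_get_substring() needs a documented owner.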
Returns: Exim message processing code (OK, FAIL, DEFER, ...)
where true means malware was found (condition applies)
*/
-static int malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) {
+static int
+malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking)
+{
int sep = 0;
uschar *list = *listptr;
uschar *av_scanner_work = av_scanner;
uschar *scanner_name;
- uschar scanner_name_buffer[16];
uschar *malware_regex;
- uschar malware_regex_buffer[64];
uschar malware_regex_default[] = ".+";
unsigned long mbox_size;
FILE *mbox_file;
- int roffset;
const pcre *re;
- const uschar *rerror;
+ uschar * errstr;
+ struct scan * scanent;
+ const uschar * scanner_options;
+ int sock = -1;
/* make sure the eml mbox file is spooled up */
- mbox_file = spool_mbox(&mbox_size, faking ? eml_filename : NULL);
- if (mbox_file == NULL) {
- /* error while spooling */
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: error while creating mbox spool file");
- return DEFER;
- };
+ if (!(mbox_file = spool_mbox(&mbox_size, faking ? eml_filename : NULL)))
+ return malware_errlog_defer(US"error while creating mbox spool file");
+
/* none of our current scanners need the mbox
file as a stream, so we can close it right away */
(void)fclose(mbox_file);
/* extract the malware regex to match against from the option list */
- if ((malware_regex = string_nextinlist(&list, &sep,
- malware_regex_buffer,
- sizeof(malware_regex_buffer))) != NULL) {
+ if (!(malware_regex = string_nextinlist(&list, &sep, NULL, 0)))
+ return FAIL; /* empty means "don't match anything" */
- /* parse 1st option */
+ /* parse 1st option */
if ( (strcmpic(malware_regex,US"false") == 0) ||
- (Ustrcmp(malware_regex,"0") == 0) ) {
- /* explicitly no matching */
- return FAIL;
- };
-
- /* special cases (match anything except empty) */
- if ( (strcmpic(malware_regex,US"true") == 0) ||
- (Ustrcmp(malware_regex,"*") == 0) ||
- (Ustrcmp(malware_regex,"1") == 0) ) {
- malware_regex = malware_regex_default;
- };
- }
- else {
- /* empty means "don't match anything" */
- return FAIL;
- };
+ (Ustrcmp(malware_regex,"0") == 0) )
+ return FAIL; /* explicitly no matching */
+
+ /* special cases (match anything except empty) */
+ if ( (strcmpic(malware_regex,US"true") == 0) ||
+ (Ustrcmp(malware_regex,"*") == 0) ||
+ (Ustrcmp(malware_regex,"1") == 0) )
+ malware_regex = malware_regex_default;
/* Reset sep that is set by previous string_nextinlist() call */
sep = 0;
/* compile the regex, see if it works */
- re = pcre_compile(CS malware_regex, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
- if (re == NULL) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: regular expression error in '%s': %s at offset %d", malware_regex, rerror, roffset);
- return DEFER;
- };
+ if (!(re = m_pcre_compile(malware_regex, &errstr)))
+ return malware_errlog_defer(errstr);
/* if av_scanner starts with a dollar, expand it first */
if (*av_scanner == '$') {
- av_scanner_work = expand_string(av_scanner);
- if (av_scanner_work == NULL) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: av_scanner starts with $, but expansion failed: %s", expand_string_message);
- return DEFER;
- }
- else {
- debug_printf("Expanded av_scanner global: %s\n", av_scanner_work);
- /* disable result caching in this case */
- malware_name = NULL;
- malware_ok = 0;
- };
+ if (!(av_scanner_work = expand_string(av_scanner)))
+ return malware_errlog_defer(
+ string_sprintf("av_scanner starts with $, but expansion failed: %s",
+ expand_string_message));
+
+ debug_printf("Expanded av_scanner global: %s\n", av_scanner_work);
+ /* disable result caching in this case */
+ malware_name = NULL;
+ malware_ok = FALSE;
}
- /* Do not scan twice. */
- if (malware_ok == 0) {
+ /* Do not scan twice (unless av_scanner is dynamic). */
+ if (!malware_ok) {
/* find the scanner type from the av_scanner option */
- if ((scanner_name = string_nextinlist(&av_scanner_work, &sep,
- scanner_name_buffer,
- sizeof(scanner_name_buffer))) == NULL) {
- /* no scanner given */
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: av_scanner configuration variable is empty");
- return DEFER;
- };
-
- /* "f-protd" scanner type ----------------------------------------------- */
- if (strcmpic(scanner_name, US"f-protd") == 0) {
- uschar *fp_options, *fp_scan_option;
- uschar fp_scan_option_buffer[1024];
- uschar fp_options_buffer[1024];
- uschar fp_options_default[] = "localhost 10200-10204";
- uschar hostname[256];
- unsigned int port, portlow, porthigh, connect_ok=0, detected=0, par_count = 0;
- struct hostent *he;
- struct in_addr in;
- int sock;
- uschar scanrequest[2048], buf[32768], *strhelper, *strhelper2;
-
- if ((fp_options = string_nextinlist(&av_scanner_work, &sep,
- fp_options_buffer, sizeof(fp_options_buffer))) == NULL) {
- /* no options supplied, use default options */
- fp_options = fp_options_default;
- };
-
- /* extract host and port part */
- if ( sscanf(CS fp_options, "%s %u-%u", hostname, &portlow, &porthigh) != 3 ) {
- if ( sscanf(CS fp_options, "%s %u", hostname, &portlow) != 2 ) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: f-protd: invalid socket '%s'", fp_options);
- return DEFER;
- }
- porthigh = portlow;
- }
-
- /* Lookup the host */
- if((he = gethostbyname(CS hostname)) == 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: f-protd: failed to lookup host '%s'", hostname);
- return DEFER;
- }
-
- in = *(struct in_addr *) he->h_addr_list[0];
- port = portlow;
-
-
- /* Open the f-protd TCP socket */
- if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: f-protd: unable to acquire socket (%s)",
- strerror(errno));
- return DEFER;
- }
-
- /* Try to connect to all portslow-high until connection is established */
- for (port = portlow; !connect_ok && port < porthigh; port++) {
- if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) >= 0) {
- connect_ok = 1;
- }
- }
-
- if ( !connect_ok ) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: f-protd: connection to %s, port %u-%u failed (%s)",
- inet_ntoa(in), portlow, porthigh, strerror(errno));
- (void)close(sock);
- return DEFER;
- }
-
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s GET\n", scanner_name);
- (void)string_format(scanrequest, 1024, CS"GET %s", eml_filename);
-
- while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
- fp_scan_option_buffer, sizeof(fp_scan_option_buffer))) != NULL) {
- if ( par_count ) {
- Ustrcat(scanrequest, "%20");
- } else {
- Ustrcat(scanrequest, "?");
- }
- Ustrcat(scanrequest, fp_scan_option);
- par_count++;
- }
- Ustrcat(scanrequest, " HTTP/1.0\r\n\r\n");
-
- /* send scan request */
- if (send(sock, &scanrequest, Ustrlen(scanrequest)+1, 0) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: f-protd: unable to send command to socket (%s)", scanrequest);
- return DEFER;
- }
-
- /* We get a lot of empty lines, so we need this hack to check for any data at all */
- while( recv(sock, buf, 1, MSG_PEEK) > 0 ) {
- if ( recv_line(sock, buf, 32768) > 0) {
- if ( Ustrstr(buf, US"<detected type=\"") != NULL ) {
- detected = 1;
- } else if ( detected && (strhelper = Ustrstr(buf, US"<name>")) ) {
- if ((strhelper2 = Ustrstr(buf, US"</name>")) != NULL) {
- *strhelper2 = '\0';
- Ustrcpy(malware_name_buffer, strhelper + 6);
- }
- } else if ( Ustrstr(buf, US"<summary code=\"") ) {
- if ( Ustrstr(buf, US"<summary code=\"11\">") ) {
- malware_name = malware_name_buffer;
- } else {
- malware_name = NULL;
- }
- }
- }
- }
- (void)close(sock);
- }
- /* "drweb" scanner type ----------------------------------------------- */
- /* v0.1 - added support for tcp sockets */
- /* v0.0 - initial release -- support for unix sockets */
- else if (strcmpic(scanner_name,US"drweb") == 0) {
- uschar *drweb_options;
- uschar drweb_options_buffer[1024];
- uschar drweb_options_default[] = "/usr/local/drweb/run/drwebd.sock";
- struct sockaddr_un server;
- int sock, result, ovector[30];
- unsigned int port, fsize;
- uschar tmpbuf[1024], *drweb_fbuf;
- uschar drweb_match_string[128];
- int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
- drweb_vnum, drweb_slen, drweb_fin = 0x0000;
- unsigned long bread;
- uschar hostname[256];
- struct hostent *he;
- struct in_addr in;
- pcre *drweb_re;
-
- if ((drweb_options = string_nextinlist(&av_scanner_work, &sep,
- drweb_options_buffer, sizeof(drweb_options_buffer))) == NULL) {
- /* no options supplied, use default options */
- drweb_options = drweb_options_default;
- };
-
- if (*drweb_options != '/') {
-
- /* extract host and port part */
- if( sscanf(CS drweb_options, "%s %u", hostname, &port) != 2 ) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: invalid socket '%s'", drweb_options);
- return DEFER;
- }
-
- /* Lookup the host */
- if((he = gethostbyname(CS hostname)) == 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: failed to lookup host '%s'", hostname);
- return DEFER;
- }
-
- in = *(struct in_addr *) he->h_addr_list[0];
-
- /* Open the drwebd TCP socket */
- if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: unable to acquire socket (%s)",
- strerror(errno));
- return DEFER;
- }
-
- if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: connection to %s, port %u failed (%s)",
- inet_ntoa(in), port, strerror(errno));
- return DEFER;
- }
-
- /* prepare variables */
- drweb_cmd = htonl(DRWEBD_SCAN_CMD);
- drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
-
- /* calc file size */
- drweb_fd = open(CS eml_filename, O_RDONLY);
- if (drweb_fd == -1) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: can't open spool file %s: %s",
- eml_filename, strerror(errno));
- return DEFER;
- }
- fsize = lseek(drweb_fd, 0, SEEK_END);
- if (fsize == -1) {
- (void)close(sock);
- (void)close(drweb_fd);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: can't seek spool file %s: %s",
- eml_filename, strerror(errno));
- return DEFER;
- }
- drweb_slen = htonl(fsize);
- lseek(drweb_fd, 0, SEEK_SET);
-
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s remote scan [%s %u]\n",
- scanner_name, hostname, port);
-
- /* send scan request */
- if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
- (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
- (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
- (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0)) {
- (void)close(sock);
- (void)close(drweb_fd);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options);
- return DEFER;
- }
-
- drweb_fbuf = (uschar *) malloc (fsize);
- if (!drweb_fbuf) {
- (void)close(sock);
- (void)close(drweb_fd);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: unable to allocate memory %u for file (%s)",
- fsize, eml_filename);
- return DEFER;
- }
-
- result = read (drweb_fd, drweb_fbuf, fsize);
- if (result == -1) {
- (void)close(sock);
- (void)close(drweb_fd);
- free(drweb_fbuf);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: can't read spool file %s: %s",
- eml_filename, strerror(errno));
- return DEFER;
- }
- (void)close(drweb_fd);
-
- /* send file body to socket */
- if (send(sock, drweb_fbuf, fsize, 0) < 0) {
- (void)close(sock);
- free(drweb_fbuf);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: unable to send file body to socket (%s)", drweb_options);
- return DEFER;
- }
- (void)close(drweb_fd);
- }
- else {
- /* open the drwebd UNIX socket */
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- if (sock < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: can't open UNIX socket");
- return DEFER;
- }
- server.sun_family = AF_UNIX;
- Ustrcpy(server.sun_path, drweb_options);
- if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: unable to connect to socket (%s). errno=%d", drweb_options, errno);
- return DEFER;
- }
-
- /* prepare variables */
- drweb_cmd = htonl(DRWEBD_SCAN_CMD);
- drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
- drweb_slen = htonl(Ustrlen(eml_filename));
-
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s local scan [%s]\n",
- scanner_name, drweb_options);
-
- /* send scan request */
- if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
- (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
- (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
- (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
- (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0)) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options);
- return DEFER;
- }
- }
-
- /* wait for result */
- if ((bread = recv(sock, &drweb_rc, sizeof(drweb_rc), 0) != sizeof(drweb_rc))) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: unable to read return code");
- return DEFER;
- }
- drweb_rc = ntohl(drweb_rc);
-
- if ((bread = recv(sock, &drweb_vnum, sizeof(drweb_vnum), 0) != sizeof(drweb_vnum))) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: unable to read the number of viruses");
- return DEFER;
- }
- drweb_vnum = ntohl(drweb_vnum);
-
- /* "virus(es) found" if virus number is > 0 */
- if (drweb_vnum)
- {
- int i;
- uschar pre_malware_nb[256];
-
- malware_name = malware_name_buffer;
-
- /* setup default virus name */
- Ustrcpy(malware_name_buffer,"unknown");
-
- /* read and concatenate virus names into one string */
- for (i=0;i<drweb_vnum;i++)
+ if (!(scanner_name = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
+ return malware_errlog_defer(US"av_scanner configuration variable is empty");
+
+ for (scanent = m_scans; ; scanent++) {
+ if (!scanent->name)
+ return malware_errlog_defer(string_sprintf("unknown scanner type '%s'",
+ scanner_name));
+ if (strcmpic(scanner_name, US scanent->name) != 0)
+ continue;
+ if (!(scanner_options = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
+ scanner_options = scanent->options_default;
+ if (scanent->conn == MC_NONE)
+ break;
+ switch(scanent->conn)
{
- /* read the size of report */
- if ((bread = recv(sock, &drweb_slen, sizeof(drweb_slen), 0) != sizeof(drweb_slen))) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: cannot read report size");
- return DEFER;
- };
- drweb_slen = ntohl(drweb_slen);
-
- /* read report body */
- if ((bread = recv(sock, tmpbuf, drweb_slen, 0)) != drweb_slen) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: cannot read report string");
- return DEFER;
- };
- tmpbuf[drweb_slen] = '\0';
-
- /* set up match regex, depends on retcode */
- Ustrcpy(drweb_match_string, "infected\\swith\\s*(.+?)$");
-
- drweb_re = pcre_compile( CS drweb_match_string,
- PCRE_COPT,
- (const char **)&rerror,
- &roffset,
- NULL );
-
- /* try matcher on the line, grab substring */
- result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0, ovector, 30);
- if (result >= 2) {
- pcre_copy_substring(CS tmpbuf, ovector, result, 1, CS pre_malware_nb, 255);
- }
- /* the first name we just copy to malware_name */
- if (i==0)
- Ustrcpy(CS malware_name_buffer, CS pre_malware_nb);
- else {
- /* concatenate each new virus name to previous */
- int slen = Ustrlen(malware_name_buffer);
- if (slen < (slen+Ustrlen(pre_malware_nb))) {
- Ustrcat(malware_name_buffer, "/");
- Ustrcat(malware_name_buffer, pre_malware_nb);
- }
- }
+ case MC_TCP: sock = m_tcpsocket_fromdef(scanner_options, &errstr); break;
+ case MC_UNIX: sock = m_unixsocket(scanner_options, &errstr); break;
+ case MC_STRM: sock = m_streamsocket(scanner_options, &errstr); break;
+ default: /* compiler quietening */ break;
}
+ if (sock < 0)
+ return m_errlog_defer(scanent, errstr);
+ break;
}
- else {
- const char *drweb_s = NULL;
-
- if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
- if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
- if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout";
- if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command";
- /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED.
- * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM,
- * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR
- * and others are ignored */
- if (drweb_s) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: drweb: drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s);
- (void)close(sock);
- return DEFER;
- }
- /* no virus found */
- malware_name = NULL;
- };
- (void)close(sock);
- }
- /* ----------------------------------------------------------------------- */
- else if (strcmpic(scanner_name,US"aveserver") == 0) {
- uschar *kav_options;
- uschar kav_options_buffer[1024];
- uschar kav_options_default[] = "/var/run/aveserver";
- uschar buf[32768];
- struct sockaddr_un server;
- int sock;
- int result;
-
- if ((kav_options = string_nextinlist(&av_scanner_work, &sep,
- kav_options_buffer,
- sizeof(kav_options_buffer))) == NULL) {
- /* no options supplied, use default options */
- kav_options = kav_options_default;
- };
-
- /* open the aveserver socket */
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- if (sock < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: can't open UNIX socket.");
- return DEFER;
- }
- server.sun_family = AF_UNIX;
- Ustrcpy(server.sun_path, kav_options);
- if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to connect to aveserver UNIX socket (%s). errno=%d", kav_options, errno);
- return DEFER;
- }
-
- /* read aveserver's greeting and see if it is ready (2xx greeting) */
- recv_line(sock, buf, 32768);
-
- if (buf[0] != '2') {
- /* aveserver is having problems */
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: aveserver is unavailable (Responded: %s).", ((buf[0] != 0) ? buf : (uschar *)"nothing") );
- return DEFER;
- };
+ DEBUG(D_lookup) debug_printf("Malware scan: %s\n", scanner_name);
- /* prepare our command */
- (void)string_format(buf, 32768, "SCAN bPQRSTUW %s\r\n", eml_filename);
-
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s SCAN\n", scanner_name);
-
- /* and send it */
- if (send(sock, buf, Ustrlen(buf), 0) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to write to aveserver UNIX socket (%s)", kav_options);
- return DEFER;
- }
-
- malware_name = NULL;
- result = 0;
- /* read response lines, find malware name and final response */
- while (recv_line(sock, buf, 32768) > 0) {
- debug_printf("aveserver: %s\n", buf);
- if (buf[0] == '2') {
- break;
- } else if (buf[0] == '5') {
- /* aveserver is having problems */
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to scan file %s (Responded: %s).",
- eml_filename, buf);
- result = DEFER;
- break;
- } else if (Ustrncmp(buf,"322",3) == 0) {
- uschar *p = Ustrchr(&buf[4],' ');
- *p = '\0';
- Ustrcpy(malware_name_buffer,&buf[4]);
- malware_name = malware_name_buffer;
- };
- }
-
- /* prepare our command */
- (void)string_format(buf, 32768, "quit\r\n");
-
- /* and send it */
- if (send(sock, buf, Ustrlen(buf), 0) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to write to aveserver UNIX socket (%s)", kav_options);
- return DEFER;
- }
-
- /* read aveserver's greeting and see if it is ready (2xx greeting) */
- recv_line(sock, buf, 32768);
-
- if (buf[0] != '2') {
- /* aveserver is having problems */
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to quit aveserver dialogue (Responded: %s).", ((buf[0] != 0) ? buf : (uschar *)"nothing") );
- return DEFER;
- };
-
- (void)close(sock);
+ switch (scanent->scancode) {
+ case M_FPROTD: /* "f-protd" scanner type -------------------------------- */
+ {
+ uschar *fp_scan_option;
+ unsigned int detected=0, par_count=0;
+ uschar * scanrequest;
+ uschar buf[32768], *strhelper, *strhelper2;
+ uschar * malware_name_internal = NULL;
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s GET\n", scanner_name);
+ scanrequest = string_sprintf("GET %s", eml_filename);
+
+ while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
+ NULL, 0))) {
+ scanrequest = string_sprintf("%s%s%s", scanrequest,
+ par_count ? "%20" : "?", fp_scan_option);
+ par_count++;
+ }
+ scanrequest = string_sprintf("%s HTTP/1.0\r\n\r\n", scanrequest);
+
+ /* send scan request */
+ if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
+ return m_errlog_defer(scanent, errstr);
+
+ /* We get a lot of empty lines, so we need this hack to check for any data at all */
+ while( recv(sock, buf, 1, MSG_PEEK) > 0 ) {
+ if ( recv_line(sock, buf, sizeof(buf)) > 0) {
+ if ( Ustrstr(buf, US"<detected type=\"") != NULL )
+ detected = 1;
+ else if ( detected && (strhelper = Ustrstr(buf, US"<name>")) ) {
+ if ((strhelper2 = Ustrstr(buf, US"</name>")) != NULL) {
+ *strhelper2 = '\0';
+ malware_name_internal = string_copy(strhelper+6);
+ }
+ } else if ( Ustrstr(buf, US"<summary code=\"") )
+ malware_name = Ustrstr(buf, US"<summary code=\"11\">")
+ ? malware_name_internal : NULL;
+ }
+ }
+ break;
+ } /* f-protd */
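Review bot: in the f-protd case the request is sent with a length of Ustrlen(scanrequest)+1, so the terminating NUL byte goes onto the wire after the blank line that ends the "HTTP/1.0\r\n\r\n" request. Unless the daemon needs it, drop the +1 or add a comment saying why it is there. The response loop also polls with a bare recv(sock, buf, 1, MSG_PEEK), which has no timeout in these lines, so a daemon that accepts the request and then stalls holds the ACL indefinitely. The fsecure case uses ip_recv() with MALWARE_TIMEOUT, and the same bound would fit here. Finally, eml_filename and the option strings are pasted into the request line unescaped. That is fine for spool paths, but worth a comment stating the assumption.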
- if (result == DEFER) return DEFER;
- }
- /* "fsecure" scanner type ------------------------------------------------- */
- else if (strcmpic(scanner_name,US"fsecure") == 0) {
- uschar *fsecure_options;
- uschar fsecure_options_buffer[1024];
- uschar fsecure_options_default[] = "/var/run/.fsav";
- struct sockaddr_un server;
- int sock, i, j, bread = 0;
- uschar file_name[1024];
- uschar av_buffer[1024];
- pcre *fs_inf;
- static uschar *cmdoptions[] = { US"CONFIGURE\tARCHIVE\t1\n",
- US"CONFIGURE\tTIMEOUT\t0\n",
- US"CONFIGURE\tMAXARCH\t5\n",
- US"CONFIGURE\tMIME\t1\n" };
-
- malware_name = NULL;
- if ((fsecure_options = string_nextinlist(&av_scanner_work, &sep,
- fsecure_options_buffer,
- sizeof(fsecure_options_buffer))) == NULL) {
- /* no options supplied, use default options */
- fsecure_options = fsecure_options_default;
- };
-
- /* open the fsecure socket */
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- if (sock < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to open fsecure socket %s (%s)",
- fsecure_options, strerror(errno));
- return DEFER;
- }
- server.sun_family = AF_UNIX;
- Ustrcpy(server.sun_path, fsecure_options);
- if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to connect to fsecure socket %s (%s)",
- fsecure_options, strerror(errno));
- return DEFER;
- }
+ case M_DRWEB: /* "drweb" scanner type ----------------------------------- */
+ /* v0.1 - added support for tcp sockets */
+ /* v0.0 - initial release -- support for unix sockets */
+ {
+ int result;
+ unsigned int fsize;
+ uschar * tmpbuf, *drweb_fbuf;
+ int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
+ drweb_vnum, drweb_slen, drweb_fin = 0x0000;
+ unsigned long bread;
+ const pcre *drweb_re;
+
+ /* prepare variables */
+ drweb_cmd = htonl(DRWEBD_SCAN_CMD);
+ drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
+
+ if (*scanner_options != '/') {
+
+ /* calc file size */
+ if ((drweb_fd = open(CS eml_filename, O_RDONLY)) == -1)
+ return m_errlog_defer_3(scanent,
+ string_sprintf("can't open spool file %s: %s",
+ eml_filename, strerror(errno)),
+ sock);
+
+ if ((fsize = lseek(drweb_fd, 0, SEEK_END)) == -1) {
+ int err = errno;
+ (void)close(drweb_fd);
+ return m_errlog_defer_3(scanent,
+ string_sprintf("can't seek spool file %s: %s",
+ eml_filename, strerror(err)),
+ sock);
+ }
+ drweb_slen = htonl(fsize);
+ lseek(drweb_fd, 0, SEEK_SET);
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s remote scan [%s]\n",
+ scanner_name, scanner_options);
+
+ /* send scan request */
+ if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
+ (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
+ (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
+ (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0)) {
+ (void)close(drweb_fd);
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to send commands to socket (%s)", scanner_options),
+ sock);
+ }
+
+ if (!(drweb_fbuf = (uschar *) malloc (fsize))) {
+ (void)close(drweb_fd);
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to allocate memory %u for file (%s)",
+ fsize, eml_filename),
+ sock);
+ }
+
+ if ((result = read (drweb_fd, drweb_fbuf, fsize)) == -1) {
+ int err = errno;
+ (void)close(drweb_fd);
+ free(drweb_fbuf);
+ return m_errlog_defer_3(scanent,
+ string_sprintf("can't read spool file %s: %s",
+ eml_filename, strerror(err)),
+ sock);
+ }
+ (void)close(drweb_fd);
+
+ /* send file body to socket */
+ if (send(sock, drweb_fbuf, fsize, 0) < 0) {
+ free(drweb_fbuf);
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to send file body to socket (%s)", scanner_options),
+ sock);
+ }
+ (void)close(drweb_fd);
+
+ } else {
+
+ drweb_slen = htonl(Ustrlen(eml_filename));
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s local scan [%s]\n",
+ scanner_name, scanner_options);
+
+ /* send scan request */
+ if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
+ (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
+ (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
+ (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
+ (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0))
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to send commands to socket (%s)", scanner_options),
+ sock);
+ }
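Review bot: the remote (non-'/') branch of the drweb case closes drweb_fd twice, once after read() and again after the send() of the file body, and it never frees drweb_fbuf on the success path, only on the two error paths. Remove the second close and add free(drweb_fbuf) once the body has been sent. Two further points in the same branch: read() is only checked against -1, so a short read leaves the tail of the malloc'd buffer uninitialised and send() still transmits all fsize bytes of it to the daemon; and fsize is an unsigned int assigned from lseek(), so the "== -1" test relies on integer conversion and a spool file larger than UINT_MAX is silently truncated. An off_t for the size plus a loop or length check on read() would cover both.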
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
- scanner_name, fsecure_options);
-
- /* pass options */
- memset(av_buffer, 0, sizeof(av_buffer));
- for (i=0; i != 4; i++) {
- /* debug_printf("send option \"%s\"",cmdoptions[i]); */
- if (write(sock, cmdoptions[i], Ustrlen(cmdoptions[i])) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to write fsecure option %d to %s (%s)",
- i, fsecure_options, strerror(errno));
- return DEFER;
- };
-
- bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT);
- if (bread >0) av_buffer[bread]='\0';
- if (bread < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to read fsecure answer %d (%s)", i, strerror(errno));
- return DEFER;
- };
- for (j=0;j<bread;j++) if((av_buffer[j]=='\r')||(av_buffer[j]=='\n')) av_buffer[j] ='@';
- /* debug_printf("read answer %d read=%d \"%s\"\n", i, bread, av_buffer ); */
- /* while (Ustrstr(av_buffer, "OK\tServer configured.@") == NULL); */
- };
-
- /* pass the mailfile to fsecure */
- (void)string_format(file_name,1024,"SCAN\t%s\n", eml_filename);
- /* debug_printf("send scan %s",file_name); */
- if (write(sock, file_name, Ustrlen(file_name)) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to write fsecure scan to %s (%s)",
- fsecure_options, strerror(errno));
- return DEFER;
- };
-
- /* set up match */
- /* todo also SUSPICION\t */
- fs_inf = pcre_compile("\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$", PCRE_COPT, (const char **)&rerror, &roffset, NULL);
-
- /* read report, linewise */
- do {
- int ovector[30];
- i = 0;
- memset(av_buffer, 0, sizeof(av_buffer));
- do {
- bread=ip_recv(sock, &av_buffer[i], 1, MALWARE_TIMEOUT);
- if (bread < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to read fsecure result (%s)", strerror(errno));
- return DEFER;
- };
- i++;
- }
- while ((i < sizeof(av_buffer)-1 ) && (av_buffer[i-1] != '\n'));
- av_buffer[i-1] = '\0';
- /* debug_printf("got line \"%s\"\n",av_buffer); */
-
- /* Really search for virus again? */
- if (malware_name == NULL) {
- /* try matcher on the line, grab substring */
- i = pcre_exec(fs_inf, NULL, CS av_buffer, Ustrlen(av_buffer), 0, 0, ovector, 30);
- if (i >= 2) {
- /* Got it */
- pcre_copy_substring(CS av_buffer, ovector, i, 1, CS malware_name_buffer, 255);
- malware_name = malware_name_buffer;
- };
- };
- }
- while (Ustrstr(av_buffer, "OK\tScan ok.") == NULL);
- (void)close(sock);
- }
- /* ----------------------------------------------------------------------- */
-
- /* "kavdaemon" scanner type ------------------------------------------------ */
- else if (strcmpic(scanner_name,US"kavdaemon") == 0) {
- uschar *kav_options;
- uschar kav_options_buffer[1024];
- uschar kav_options_default[] = "/var/run/AvpCtl";
- struct sockaddr_un server;
- int sock;
- time_t t;
- uschar tmpbuf[1024];
- uschar scanrequest[1024];
- uschar kav_match_string[128];
- int kav_rc;
- unsigned long kav_reportlen, bread;
- pcre *kav_re;
- uschar *p;
- int fits;
-
- if ((kav_options = string_nextinlist(&av_scanner_work, &sep,
- kav_options_buffer,
- sizeof(kav_options_buffer))) == NULL) {
- /* no options supplied, use default options */
- kav_options = kav_options_default;
- };
-
- /* open the kavdaemon socket */
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- if (sock < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: can't open UNIX socket.");
- return DEFER;
- }
- server.sun_family = AF_UNIX;
- Ustrcpy(server.sun_path, kav_options);
- if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to connect to kavdaemon UNIX socket (%s). errno=%d", kav_options, errno);
- return DEFER;
- }
+ /* wait for result */
+ if ((bread = recv(sock, &drweb_rc, sizeof(drweb_rc), 0) != sizeof(drweb_rc)))
+ return m_errlog_defer_3(scanent,
+ US"unable to read return code", sock);
+ drweb_rc = ntohl(drweb_rc);
+
+ if ((bread = recv(sock, &drweb_vnum, sizeof(drweb_vnum), 0) != sizeof(drweb_vnum)))
+ return m_errlog_defer_3(scanent,
+ US"unable to read the number of viruses", sock);
+ drweb_vnum = ntohl(drweb_vnum);
+
+ /* "virus(es) found" if virus number is > 0 */
+ if (drweb_vnum) {
+ int i;
+
+ /* setup default virus name */
+ malware_name = US"unknown";
+
+ /* set up match regex */
+ drweb_re = m_pcre_compile(US"infected\\swith\\s*(.+?)$", &errstr);
+
+ /* read and concatenate virus names into one string */
+ for (i=0;i<drweb_vnum;i++)
+ {
+ int size = 0, off = 0, ovector[10*3];
+ /* read the size of report */
+ if ((bread = recv(sock, &drweb_slen, sizeof(drweb_slen), 0) != sizeof(drweb_slen)))
+ return m_errlog_defer_3(scanent,
+ US"cannot read report size", sock);
+ drweb_slen = ntohl(drweb_slen);
+ tmpbuf = store_get(drweb_slen);
+
+ /* read report body */
+ if ((bread = recv(sock, tmpbuf, drweb_slen, 0)) != drweb_slen)
+ return m_errlog_defer_3(scanent,
+ US"cannot read report string", sock);
+ tmpbuf[drweb_slen] = '\0';
+
+ /* try matcher on the line, grab substring */
+ result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0,
+ ovector, nelements(ovector));
+ if (result >= 2) {
+ const char * pre_malware_nb;
+
+ pcre_get_substring(CS tmpbuf, ovector, result, 1, &pre_malware_nb);
+
+ if (i==0) /* the first name we just copy to malware_name */
+ malware_name = string_append(NULL, &size, &off,
+ 1, pre_malware_nb);
+
+ else /* concatenate each new virus name to previous */
+ malware_name = string_append(malware_name, &size, &off,
+ 2, "/", pre_malware_nb);
+
+ pcre_free_substring(pre_malware_nb);
+ }
+ }
+ }
+ else {
+ const char *drweb_s = NULL;
+
+ if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
+ if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
+ if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout";
+ if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command";
+ /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED.
+ * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM,
+ * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR
+ * and others are ignored */
+ if (drweb_s)
+ return m_errlog_defer_3(scanent,
+ string_sprintf("drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s),
+ sock);
+
+ /* no virus found */
+ malware_name = NULL;
+ }
+ break;
+ } /* drweb */
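Review bot: in the report loop, tmpbuf is obtained with store_get(drweb_slen) and then terminated with tmpbuf[drweb_slen] = '\0', which writes one byte past the size that was requested. drweb_slen is also taken straight from the daemon via ntohl() with no range check, and it is a signed int, so a zero, negative or very large value flows into both the allocation and the recv() length. Suggest rejecting lengths outside a sane bound, allocating drweb_slen + 1, and deferring on anything else. The return of m_pcre_compile() is passed to pcre_exec() without a NULL check; errstr is filled in but never looked at here. The three fixed-size reads above are written as (bread = recv(...) != sizeof(x)), which stores the comparison result in bread rather than the byte count; the report-body read a few lines later has the parentheses in the intended place.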
- /* get current date and time, build scan request */
- time(&t);
- /* pdp note: before the eml_filename parameter, this scanned the
- directory; not finding documentation, so we'll strip off the directory.
- The side-effect is that the test framework scanning may end up in
- scanning more than was requested, but for the normal interface, this is
- fine. */
- strftime(CS tmpbuf, sizeof(tmpbuf), "<0>%d %b %H:%M:%S:%%s", localtime(&t));
- fits = string_format(scanrequest, 1024,CS tmpbuf, eml_filename);
- if (!fits) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware filename does not fit in buffer [malware_internal() kavdaemon]");
- }
- p = Ustrrchr(scanrequest, '/');
- if (p)
- *p = '\0';
+ case M_AVES: /* "aveserver" scanner type -------------------------------- */
+ {
+ uschar buf[32768];
+ int result;
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
- scanner_name, kav_options);
+ /* read aveserver's greeting and see if it is ready (2xx greeting) */
+ recv_line(sock, buf, sizeof(buf));
- /* send scan request */
- if (send(sock, scanrequest, Ustrlen(scanrequest)+1, 0) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to write to kavdaemon UNIX socket (%s)", kav_options);
- return DEFER;
- }
+ if (buf[0] != '2') /* aveserver is having problems */
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unavailable (Responded: %s).",
+ ((buf[0] != 0) ? buf : (uschar *)"nothing") ),
+ sock);
- /* wait for result */
- if ((bread = recv(sock, tmpbuf, 2, 0) != 2)) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to read 2 bytes from kavdaemon socket.");
- return DEFER;
- }
+ /* prepare our command */
+ (void)string_format(buf, sizeof(buf), "SCAN bPQRSTUW %s\r\n",
+ eml_filename);
- /* get errorcode from one nibble */
- if (test_byte_order() == LITTLE_MY_ENDIAN) {
- kav_rc = tmpbuf[0] & 0x0F;
- }
- else {
- kav_rc = tmpbuf[1] & 0x0F;
- };
-
- /* improper kavdaemon configuration */
- if ( (kav_rc == 5) || (kav_rc == 6) ) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: please reconfigure kavdaemon to NOT disinfect or remove infected files.");
- return DEFER;
- };
-
- if (kav_rc == 1) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: kavdaemon reported 'scanning not completed' (code 1).");
- return DEFER;
- };
-
- if (kav_rc == 7) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: kavdaemon reported 'kavdaemon damaged' (code 7).");
- return DEFER;
- };
-
- /* code 8 is not handled, since it is ambigous. It appears mostly on
- bounces where part of a file has been cut off */
-
- /* "virus found" return codes (2-4) */
- if ((kav_rc > 1) && (kav_rc < 5)) {
- int report_flag = 0;
-
- /* setup default virus name */
- Ustrcpy(malware_name_buffer,"unknown");
- malware_name = malware_name_buffer;
-
- if (test_byte_order() == LITTLE_MY_ENDIAN) {
- report_flag = tmpbuf[1];
- }
- else {
- report_flag = tmpbuf[0];
- };
-
- /* read the report, if available */
- if( report_flag == 1 ) {
- /* read report size */
- if ((bread = recv(sock, &kav_reportlen, 4, 0)) != 4) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: cannot read report size from kavdaemon");
- return DEFER;
- };
-
- /* it's possible that avp returns av_buffer[1] == 1 but the
- reportsize is 0 (!?) */
- if (kav_reportlen > 0) {
- /* set up match regex, depends on retcode */
- if( kav_rc == 3 )
- Ustrcpy(kav_match_string, "suspicion:\\s*(.+?)\\s*$");
- else
- Ustrcpy(kav_match_string, "infected:\\s*(.+?)\\s*$");
-
- kav_re = pcre_compile( CS kav_match_string,
- PCRE_COPT,
- (const char **)&rerror,
- &roffset,
- NULL );
-
- /* read report, linewise */
- while (kav_reportlen > 0) {
- int result = 0;
- int ovector[30];
-
- bread = 0;
- while ( recv(sock, &tmpbuf[bread], 1, 0) == 1 ) {
- kav_reportlen--;
- if ( (tmpbuf[bread] == '\n') || (bread > 1021) ) break;
- bread++;
- };
- bread++;
- tmpbuf[bread] = '\0';
-
- /* try matcher on the line, grab substring */
- result = pcre_exec(kav_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0, ovector, 30);
- if (result >= 2) {
- pcre_copy_substring(CS tmpbuf, ovector, result, 1, CS malware_name_buffer, 255);
- break;
- };
- };
- };
- };
- }
- else {
- /* no virus found */
- malware_name = NULL;
- };
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s SCAN\n", scanner_name);
- (void)close(sock);
- }
- /* ----------------------------------------------------------------------- */
-
-
- /* "cmdline" scanner type ------------------------------------------------ */
- else if (strcmpic(scanner_name,US"cmdline") == 0) {
- uschar *cmdline_scanner;
- uschar cmdline_scanner_buffer[1024];
- uschar *cmdline_trigger;
- uschar cmdline_trigger_buffer[1024];
- const pcre *cmdline_trigger_re;
- uschar *cmdline_regex;
- uschar cmdline_regex_buffer[1024];
- const pcre *cmdline_regex_re;
- uschar file_name[1024];
- uschar commandline[1024];
- void (*eximsigchld)(int);
- void (*eximsigpipe)(int);
- FILE *scanner_out = NULL;
- FILE *scanner_record = NULL;
- uschar linebuffer[32767];
- int trigger = 0;
- int result;
- int ovector[30];
- uschar *p;
- BOOL fits;
-
- /* find scanner command line */
- if ((cmdline_scanner = string_nextinlist(&av_scanner_work, &sep,
- cmdline_scanner_buffer,
- sizeof(cmdline_scanner_buffer))) == NULL) {
- /* no command line supplied */
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: missing commandline specification for cmdline scanner type.");
- return DEFER;
- };
-
- /* find scanner output trigger */
- if ((cmdline_trigger = string_nextinlist(&av_scanner_work, &sep,
- cmdline_trigger_buffer,
- sizeof(cmdline_trigger_buffer))) == NULL) {
- /* no trigger regex supplied */
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: missing trigger specification for cmdline scanner type.");
- return DEFER;
- };
-
- /* precompile trigger regex */
- cmdline_trigger_re = pcre_compile(CS cmdline_trigger, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
- if (cmdline_trigger_re == NULL) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_trigger, rerror, roffset);
- return DEFER;
- };
-
- /* find scanner name regex */
- if ((cmdline_regex = string_nextinlist(&av_scanner_work, &sep,
- cmdline_regex_buffer,
- sizeof(cmdline_regex_buffer))) == NULL) {
- /* no name regex supplied */
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: missing virus name regex specification for cmdline scanner type.");
- return DEFER;
- };
-
- /* precompile name regex */
- cmdline_regex_re = pcre_compile(CS cmdline_regex, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
- if (cmdline_regex_re == NULL) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_regex, rerror, roffset);
- return DEFER;
- };
-
- /* prepare scanner call; despite the naming, file_name holds a directory
- name which is documented as the value given to %s. */
- if (Ustrlen(eml_filename) > sizeof(file_name) - 1)
- {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware filename does not fit in buffer [malware_internal() cmdline]");
- return DEFER;
- }
- Ustrcpy(file_name, eml_filename);
- p = Ustrrchr(file_name, '/');
- if (p)
- *p = '\0';
- fits = string_format(commandline, sizeof(commandline), CS cmdline_scanner, file_name);
- if (!fits)
- {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "cmdline scanner command-line does not fit in buffer");
- return DEFER;
- }
-
- /* redirect STDERR too */
- if (Ustrlen(commandline) + 5 > sizeof(commandline))
- {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "cmdline scanner command-line does not fit in buffer (STDERR redirect)");
- return DEFER;
- }
- Ustrcat(commandline," 2>&1");
-
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", scanner_name, commandline);
-
- /* store exims signal handlers */
- eximsigchld = signal(SIGCHLD,SIG_DFL);
- eximsigpipe = signal(SIGPIPE,SIG_DFL);
-
- scanner_out = popen(CS commandline,"r");
- if (scanner_out == NULL) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: calling cmdline scanner (%s) failed: %s.", commandline, strerror(errno));
- signal(SIGCHLD,eximsigchld);
- signal(SIGPIPE,eximsigpipe);
- return DEFER;
- };
-
- (void)string_format(file_name,1024,"%s/scan/%s/%s_scanner_output", spool_directory, message_id, message_id);
- scanner_record = modefopen(file_name,"wb",SPOOL_MODE);
-
- if (scanner_record == NULL) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: opening scanner output file (%s) failed: %s.", file_name, strerror(errno));
- pclose(scanner_out);
- signal(SIGCHLD,eximsigchld);
- signal(SIGPIPE,eximsigpipe);
- return DEFER;
- };
-
- /* look for trigger while recording output */
- while(fgets(CS linebuffer,32767,scanner_out) != NULL) {
- if ( Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record) ) {
- /* short write */
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: short write on scanner output file (%s).", file_name);
- pclose(scanner_out);
- signal(SIGCHLD,eximsigchld);
- signal(SIGPIPE,eximsigpipe);
- return DEFER;
- };
- /* try trigger match */
- if (!trigger && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1))
- trigger = 1;
- };
-
- (void)fclose(scanner_record);
- pclose(scanner_out);
- signal(SIGCHLD,eximsigchld);
- signal(SIGPIPE,eximsigpipe);
-
- if (trigger) {
- /* setup default virus name */
- Ustrcpy(malware_name_buffer,"unknown");
- malware_name = malware_name_buffer;
-
- /* re-open the scanner output file, look for name match */
- scanner_record = fopen(CS file_name,"rb");
- while(fgets(CS linebuffer,32767,scanner_record) != NULL) {
- /* try match */
- result = pcre_exec(cmdline_regex_re, NULL, CS linebuffer, Ustrlen(linebuffer), 0, 0, ovector, 30);
- if (result >= 2) {
- pcre_copy_substring(CS linebuffer, ovector, result, 1, CS malware_name_buffer, 255);
- };
- };
- (void)fclose(scanner_record);
- }
- else {
- /* no virus found */
- malware_name = NULL;
- };
- }
- /* ----------------------------------------------------------------------- */
-
-
- /* "sophie" scanner type ------------------------------------------------- */
- else if (strcmpic(scanner_name,US"sophie") == 0) {
- uschar *sophie_options;
- uschar sophie_options_buffer[1024];
- uschar sophie_options_default[] = "/var/run/sophie";
- int bread = 0;
- struct sockaddr_un server;
- int sock, len;
- uschar *p;
- uschar file_name[1024];
- uschar av_buffer[1024];
-
- if ((sophie_options = string_nextinlist(&av_scanner_work, &sep,
- sophie_options_buffer,
- sizeof(sophie_options_buffer))) == NULL) {
- /* no options supplied, use default options */
- sophie_options = sophie_options_default;
- }
+ /* and send it */
+ if (m_sock_send(sock, buf, Ustrlen(buf), &errstr) < 0)
+ return m_errlog_defer(scanent, errstr);
- /* open the sophie socket */
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- if (sock < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: can't open UNIX socket.");
- return DEFER;
- }
- server.sun_family = AF_UNIX;
- Ustrcpy(server.sun_path, sophie_options);
- if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to connect to sophie UNIX socket (%s). errno=%d", sophie_options, errno);
- return DEFER;
- }
+ malware_name = NULL;
+ result = 0;
+ /* read response lines, find malware name and final response */
+ while (recv_line(sock, buf, sizeof(buf)) > 0) {
+ debug_printf("aveserver: %s\n", buf);
+ if (buf[0] == '2')
+ break;
+ if (buf[0] == '5') { /* aveserver is having problems */
+ result = m_errlog_defer(scanent,
+ string_sprintf("unable to scan file %s (Responded: %s).",
+ eml_filename, buf));
+ break;
+ } else if (Ustrncmp(buf,"322",3) == 0) {
+ uschar *p = Ustrchr(&buf[4],' ');
+ *p = '\0';
+ malware_name = string_copy(&buf[4]);
+ }
+ }
- /* pass the scan directory to sophie */
- len = Ustrlen(eml_filename) + 1;
- if (len > sizeof(file_name))
- {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware filename does not fit in buffer [malware_internal() sophie]");
- return DEFER;
- }
- memcpy(file_name, eml_filename, len);
- p = Ustrrchr(file_name, '/');
- if (p)
- *p = '\0';
+ /* and send it */
+ if (m_sock_send(sock, US"quit\r\n", 6, &errstr) < 0)
+ return m_errlog_defer(scanent, errstr);
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
- scanner_name, sophie_options);
+ /* read aveserver's greeting and see if it is ready (2xx greeting) */
+ recv_line(sock, buf, sizeof(buf));
- if ( write(sock, file_name, Ustrlen(file_name)) < 0
- || write(sock, "\n", 1) != 1
- ) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to write to sophie UNIX socket (%s)", sophie_options);
- return DEFER;
- }
+ if (buf[0] != '2') /* aveserver is having problems */
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to quit dialogue (Responded: %s).",
+ ((buf[0] != 0) ? buf : (uschar *)"nothing") ),
+ sock);
- /* wait for result */
- memset(av_buffer, 0, sizeof(av_buffer));
- if ((!(bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT)) > 0)) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to read from sophie UNIX socket (%s)", sophie_options);
- return DEFER;
- }
+ if (result == DEFER) {
+ (void)close(sock);
+ return DEFER;
+ }
+ break;
+ } /* aveserver */
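Review bot: in the "322" branch of the aveserver response loop, the result of Ustrchr(&buf[4],' ') is dereferenced unconditionally with *p = '\0'. A 322 line that carries no space after the name makes p NULL and crashes the process on scanner-supplied input. This is carried over from the old code, but since the block is being rewritten it is a good moment to add "if (p)" (or defer on a malformed line) before the store. The two recv_line() calls for the greeting and the quit reply also ignore their return value, so on a read failure buf[0] is tested against whatever the buffer held before; checking the return and deferring would make the "Responded: nothing" path reliable.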
- (void)close(sock);
+ case M_FSEC: /* "fsecure" scanner type ---------------------------------- */
+ {
+ int i, j, bread = 0;
+ uschar * file_name;
+ uschar av_buffer[1024];
+ const pcre * fs_inf;
+ static uschar *cmdopt[] = { US"CONFIGURE\tARCHIVE\t1\n",
+ US"CONFIGURE\tTIMEOUT\t0\n",
+ US"CONFIGURE\tMAXARCH\t5\n",
+ US"CONFIGURE\tMIME\t1\n" };
- /* infected ? */
- if (av_buffer[0] == '1') {
- if (Ustrchr(av_buffer, '\n')) *Ustrchr(av_buffer, '\n') = '\0';
- Ustrcpy(malware_name_buffer,&av_buffer[2]);
- malware_name = malware_name_buffer;
- }
- else if (!strncmp(CS av_buffer, "-1", 2)) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: malware acl condition: sophie reported error");
- return DEFER;
- }
- else {
- /* all ok, no virus */
- malware_name = NULL;
- }
- }
- /* ----------------------------------------------------------------------- */
-
-
- /* "clamd" scanner type ------------------------------------------------- */
- /* This code was originally contributed by David Saez */
- /* There are three scanning methods available to us:
- * (1) Use the SCAN command, pointing to a file in the filesystem
- * (2) Use the STREAM command, send the data on a separate port
- * (3) Use the zINSTREAM command, send the data inline
- * The zINSTREAM command was introduced with ClamAV 0.95, which marked
- * STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
- * In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
- * the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless
- * WITH_OLD_CLAMAV_STREAM is defined.
- * See Exim bug 926 for details. */
- else if (strcmpic(scanner_name,US"clamd") == 0) {
- uschar *clamd_options = NULL;
- uschar clamd_options_buffer[1024];
- uschar clamd_options_default[] = "/tmp/clamd";
- uschar *p, *vname, *result_tag, *response_end;
- struct sockaddr_un server;
- int sock,bread=0;
- unsigned int port;
- uschar file_name[1024];
- uschar av_buffer[1024];
- uschar *hostname = "";
- struct hostent *he;
- struct in_addr in;
- uschar *clamav_fbuf;
- int clam_fd, result;
- unsigned int fsize;
- BOOL use_scan_command = FALSE, fits;
- clamd_address_container * clamd_address_vector[MAX_CLAMD_SERVERS];
- int current_server;
- int num_servers = 0;
-#ifdef WITH_OLD_CLAMAV_STREAM
- uschar av_buffer2[1024];
- int sockData;
-#else
- uint32_t send_size, send_final_zeroblock;
-#endif
+ malware_name = NULL;
- if ((clamd_options = string_nextinlist(&av_scanner_work, &sep,
- clamd_options_buffer,
- sizeof(clamd_options_buffer))) == NULL) {
- /* no options supplied, use default options */
- clamd_options = clamd_options_default;
- }
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
+ scanner_name, scanner_options);
+
+ /* pass options */
+ memset(av_buffer, 0, sizeof(av_buffer));
+ for (i=0; i != nelements(cmdopt); i++) {
+
+ if (m_sock_send(sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < 0)
+ return m_errlog_defer(scanent, errstr);
+
+ bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT);
+ if (bread >0) av_buffer[bread]='\0';
+ if (bread < 0)
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to read answer %d (%s)", i, strerror(errno)),
+ sock);
+ for (j=0;j<bread;j++)
+ if((av_buffer[j]=='\r')||(av_buffer[j]=='\n'))
+ av_buffer[j] ='@';
+ }
- if (*clamd_options == '/')
- /* Local file; so we def want to use_scan_command and don't want to try
- * passing IP/port combinations */
- use_scan_command = TRUE;
- else {
- uschar *address = clamd_options;
- uschar address_buffer[MAX_CLAMD_ADDRESS_LENGTH + 20];
-
- /* Go through the rest of the list of host/port and construct an array
- * of servers to try. The first one is the bit we just passed from
- * clamd_options so process that first and then scan the remainder of
- * the address buffer */
- do {
- clamd_address_container *this_clamd;
-
- /* The 'local' option means use the SCAN command over the network
- * socket (ie common file storage in use) */
- if (strcmpic(address,US"local") == 0) {
- use_scan_command = TRUE;
- continue;
- }
+ /* pass the mailfile to fsecure */
+ file_name = string_sprintf("SCAN\t%s\n", eml_filename);
+
+ if (m_sock_send(sock, file_name, Ustrlen(file_name), &errstr) < 0)
+ return m_errlog_defer(scanent, errstr);
+
+ /* set up match */
+ /* todo also SUSPICION\t */
+ fs_inf = m_pcre_compile(US"\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$", &errstr);
+
+ /* read report, linewise */
+ do {
+ i = 0;
+ memset(av_buffer, 0, sizeof(av_buffer));
+ do {
+ if ((bread= ip_recv(sock, &av_buffer[i], 1, MALWARE_TIMEOUT)) < 0)
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to read result (%s)", strerror(errno)),
+ sock);
+ } while (++i < sizeof(av_buffer)-1 && av_buffer[i-1] != '\n');
+ av_buffer[i-1] = '\0';
+
+ /* Really search for virus again? */
+ if (malware_name == NULL)
+ /* try matcher on the line, grab substring */
+ malware_name = m_pcre_exec(fs_inf, av_buffer);
+ }
+ while (Ustrstr(av_buffer, "OK\tScan ok.") == NULL);
+ break;
+ } /* fsecure */
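Review bot: in the option loop of the fsecure case, ip_recv() is given sizeof(av_buffer) as the limit and the result is then terminated with av_buffer[bread]='\0'. When the daemon returns a full 1024 bytes, that store lands at av_buffer[1024], one byte past the array. Pass sizeof(av_buffer)-1 to ip_recv() so there is always room for the terminator. Separately, fs_inf from m_pcre_compile() is handed to m_pcre_exec() without checking for NULL; if the compile can fail, defer with errstr there rather than relying on the matcher to cope.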
- /* XXX: If unsuccessful we should free this memory */
- this_clamd =
- (clamd_address_container *)store_get(sizeof(clamd_address_container));
+ case M_KAVD: /* "kavdaemon" scanner type -------------------------------- */
+ {
+ time_t t;
+ uschar tmpbuf[1024];
+ uschar * scanrequest;
+ int kav_rc;
+ unsigned long kav_reportlen, bread;
+ const pcre *kav_re;
+ uschar *p;
+
+ /* get current date and time, build scan request */
+ time(&t);
+ /* pdp note: before the eml_filename parameter, this scanned the
+ directory; not finding documentation, so we'll strip off the directory.
+ The side-effect is that the test framework scanning may end up in
+ scanning more than was requested, but for the normal interface, this is
+ fine. */
+
+ strftime(CS tmpbuf, sizeof(tmpbuf), "%d %b %H:%M:%S", localtime(&t));
+ scanrequest = string_sprintf("<0>%s:%s", CS tmpbuf, eml_filename);
+ p = Ustrrchr(scanrequest, '/');
+ if (p)
+ *p = '\0';
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
+ scanner_name, scanner_options);
+
+ /* send scan request */
+ if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
+ return m_errlog_defer(scanent, errstr);
+
+ /* wait for result */
+ if ((bread = recv(sock, tmpbuf, 2, 0) != 2))
+ return m_errlog_defer_3(scanent,
+ US"unable to read 2 bytes from socket.", sock);
+
+ /* get errorcode from one nibble */
+ kav_rc = tmpbuf[ test_byte_order()==LITTLE_MY_ENDIAN ? 0 : 1 ] & 0x0F;
+ switch(kav_rc)
+ {
+ case 5: case 6: /* improper kavdaemon configuration */
+ return m_errlog_defer_3(scanent,
+ US"please reconfigure kavdaemon to NOT disinfect or remove infected files.",
+ sock);
+ case 1:
+ return m_errlog_defer_3(scanent,
+ US"reported 'scanning not completed' (code 1).", sock);
+ case 7:
+ return m_errlog_defer_3(scanent,
+ US"reported 'kavdaemon damaged' (code 7).", sock);
+ }
- /* extract host and port part */
- if( sscanf(CS address, "%" MAX_CLAMD_ADDRESS_LENGTH_S "s %u", this_clamd->tcp_addr,
- &(this_clamd->tcp_port)) != 2 ) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: invalid address '%s'", address);
- continue;
- }
+ /* code 8 is not handled, since it is ambigous. It appears mostly on
+ bounces where part of a file has been cut off */
+
+ /* "virus found" return codes (2-4) */
+ if ((kav_rc > 1) && (kav_rc < 5)) {
+ int report_flag = 0;
+
+ /* setup default virus name */
+ malware_name = US"unknown";
+
+ report_flag = tmpbuf[ test_byte_order() == LITTLE_MY_ENDIAN ? 1 : 0 ];
+
+ /* read the report, if available */
+ if( report_flag == 1 ) {
+ /* read report size */
+ if ((bread = recv(sock, &kav_reportlen, 4, 0)) != 4)
+ return m_errlog_defer_3(scanent,
+ US"cannot read report size", sock);
+
+ /* it's possible that avp returns av_buffer[1] == 1 but the
+ reportsize is 0 (!?) */
+ if (kav_reportlen > 0) {
+ /* set up match regex, depends on retcode */
+ kav_re = m_pcre_compile( kav_rc == 3
+ ? US"suspicion:\\s*(.+?)\\s*$"
+ : US"infected:\\s*(.+?)\\s*$",
+ &errstr );
+
+ /* read report, linewise */
+ while (kav_reportlen > 0) {
+ bread = 0;
+ while ( recv(sock, &tmpbuf[bread], 1, 0) == 1 ) {
+ kav_reportlen--;
+ if ( (tmpbuf[bread] == '\n') || (bread > 1021) ) break;
+ bread++;
+ }
+ bread++;
+ tmpbuf[bread] = '\0';
+
+ /* try matcher on the line, grab substring */
+ if ((malware_name = m_pcre_exec(kav_re, tmpbuf)))
+ break;
+ }
+ }
+ }
+ }
+ else /* no virus found */
+ malware_name = NULL;
- clamd_address_vector[num_servers] = this_clamd;
- num_servers++;
- if (num_servers >= MAX_CLAMD_SERVERS) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "More than " MAX_CLAMD_SERVERS_S " clamd servers specified; "
- "only using the first " MAX_CLAMD_SERVERS_S );
- break;
- }
- } while ((address = string_nextinlist(&av_scanner_work, &sep,
- address_buffer,
- sizeof(address_buffer))) != NULL);
-
- /* check if we have at least one server */
- if (!num_servers) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: no useable clamd server addresses in malware configuration option.");
- return DEFER;
- }
+ break;
}
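Review bot: In the kavdaemon case, `recv(sock, &kav_reportlen, 4, 0)` writes 4 bytes into an uninitialised `unsigned long`, so where that type is 8 bytes wide the remaining bytes are indeterminate and the `while (kav_reportlen > 0)` loop is driven by a garbage length; declare it as a 32-bit type (uint32_t is already used in the clamd case) or zero it before the read. That loop also leaves kav_reportlen unchanged when the one-byte recv() fails or returns 0, so a dropped connection keeps it spinning, and the earlier `(bread = recv(sock, tmpbuf, 2, 0) != 2)` assigns the comparison result to bread rather than the byte count because of where the parenthesis closes.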
- /* See the discussion of response formats below to see why we really don't
- like colons in filenames when passing filenames to ClamAV. */
- if (use_scan_command && Ustrchr(eml_filename, ':')) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: local/SCAN mode incompatible with" \
- " : in path to email filename [%s]", eml_filename);
- return DEFER;
- }
+ case M_CMDL: /* "cmdline" scanner type ---------------------------------- */
+ {
+ const uschar *cmdline_scanner = scanner_options;
+ const pcre *cmdline_trigger_re;
+ const pcre *cmdline_regex_re;
+ uschar * file_name;
+ uschar * commandline;
+ void (*eximsigchld)(int);
+ void (*eximsigpipe)(int);
+ FILE *scanner_out = NULL;
+ FILE *scanner_record = NULL;
+ uschar linebuffer[32767];
+ int trigger = 0;
+ uschar *p;
+
+ if (!cmdline_scanner)
+ return m_errlog_defer(scanent, errstr);
+
+ /* find scanner output trigger */
+ cmdline_trigger_re = m_pcre_nextinlist(&av_scanner_work, &sep,
+ "missing trigger specification", &errstr);
+ if (!cmdline_trigger_re)
+ return m_errlog_defer(scanent, errstr);
+
+ /* find scanner name regex */
+ cmdline_regex_re = m_pcre_nextinlist(&av_scanner_work, &sep,
+ "missing virus name regex specification", &errstr);
+ if (!cmdline_regex_re)
+ return m_errlog_defer(scanent, errstr);
+
+ /* prepare scanner call; despite the naming, file_name holds a directory
+ name which is documented as the value given to %s. */
+
+ file_name = string_copy(eml_filename);
+ p = Ustrrchr(file_name, '/');
+ if (p)
+ *p = '\0';
+ commandline = string_sprintf(CS cmdline_scanner, file_name);
+
+ /* redirect STDERR too */
+ commandline = string_sprintf("%s 2>&1", commandline);
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", scanner_name, commandline);
+
+ /* store exims signal handlers */
+ eximsigchld = signal(SIGCHLD,SIG_DFL);
+ eximsigpipe = signal(SIGPIPE,SIG_DFL);
+
+ if (!(scanner_out = popen(CS commandline,"r"))) {
+ int err = errno;
+ signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
+ return m_errlog_defer(scanent,
+ string_sprintf("call (%s) failed: %s.", commandline, strerror(err)));
+ }
- /* We have some network servers specified */
- if (num_servers) {
-
- /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd
- * only supports AF_INET, but we should probably be looking to the
- * future and rewriting this to be protocol-independent anyway. */
-
- while ( num_servers > 0 ) {
- /* Randomly pick a server to start with */
- current_server = random_number( num_servers );
-
- debug_printf("trying server name %s, port %u\n",
- clamd_address_vector[current_server]->tcp_addr,
- clamd_address_vector[current_server]->tcp_port);
-
- /* Lookup the host. This is to ensure that we connect to the same IP
- * on both connections (as one host could resolve to multiple ips) */
- if((he = gethostbyname(CS clamd_address_vector[current_server]->tcp_addr))
- == 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: failed to lookup host '%s'",
- clamd_address_vector[current_server]->tcp_addr
- );
- goto try_next_server;
- }
+ file_name = string_sprintf("%s/scan/%s/%s_scanner_output",
+ spool_directory, message_id, message_id);
+ scanner_record = modefopen(file_name, "wb", SPOOL_MODE);
+
+ if (scanner_record == NULL) {
+ int err = errno;
+ (void) pclose(scanner_out);
+ signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
+ return m_errlog_defer(scanent,
+ string_sprintf("opening scanner output file (%s) failed: %s.",
+ file_name, strerror(err)));
+ }
- in = *(struct in_addr *) he->h_addr_list[0];
+ /* look for trigger while recording output */
+ while(fgets(CS linebuffer, sizeof(linebuffer), scanner_out)) {
+ if ( Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record) ) {
+ /* short write */
+ (void) pclose(scanner_out);
+ signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
+ return m_errlog_defer(scanent,
+ string_sprintf("short write on scanner output file (%s).", file_name));
+ }
+ /* try trigger match */
+ if (!trigger && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1))
+ trigger = 1;
+ }
- /* Open the ClamAV Socket */
- if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to acquire socket (%s)",
- strerror(errno));
- goto try_next_server;
- }
+ (void)fclose(scanner_record);
+ sep = pclose(scanner_out);
+ signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
+ if (sep != 0)
+ return m_errlog_defer(scanent,
+ sep == -1
+ ? string_sprintf("running scanner failed: %s", strerror(sep))
+ : string_sprintf("scanner returned error code: %d", sep));
+
+ if (trigger) {
+ uschar * s;
+ /* setup default virus name */
+ malware_name = US"unknown";
+
+ /* re-open the scanner output file, look for name match */
+ scanner_record = fopen(CS file_name, "rb");
+ while(fgets(CS linebuffer, sizeof(linebuffer), scanner_record)) {
+ /* try match */
+ if ((s = m_pcre_exec(cmdline_regex_re, linebuffer)))
+ malware_name = s;
+ }
+ (void)fclose(scanner_record);
+ }
+ else /* no virus found */
+ malware_name = NULL;
+ break;
+ } /* cmdline */
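Review bot: In the cmdline case, `string_sprintf(CS cmdline_scanner, file_name)` uses the configured scanner string as a format string with no validation, and the result is handed to popen(); the sock case in this same patch rejects any call spec with conversions other than a single %s ("unsafe sock scanner call spec"), and the same check should be applied here before formatting. Two smaller points: when pclose() returns -1 the message is built with `strerror(sep)`, which should use the saved errno instead, and the `fopen(CS file_name, "rb")` that re-opens the scanner output is not checked for NULL before fgets() reads from it.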
- if (ip_connect( sock,
- AF_INET,
- (uschar*)inet_ntoa(in),
- clamd_address_vector[current_server]->tcp_port,
- 5 ) > -1) {
- /* Connection successfully established with a server */
- hostname = clamd_address_vector[current_server]->tcp_addr;
- break;
- } else {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: connection to %s, port %u failed (%s)",
- clamd_address_vector[current_server]->tcp_addr,
- clamd_address_vector[current_server]->tcp_port,
- strerror(errno));
-
- (void)close(sock);
- }
+ case M_SOPHIE: /* "sophie" scanner type --------------------------------- */
+ {
+ int bread = 0;
+ uschar *p;
+ uschar * file_name;
+ uschar av_buffer[1024];
+
+ /* pass the scan directory to sophie */
+ file_name = string_copy(eml_filename);
+ if ((p = Ustrrchr(file_name, '/')))
+ *p = '\0';
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
+ scanner_name, scanner_options);
+
+ if ( write(sock, file_name, Ustrlen(file_name)) < 0
+ || write(sock, "\n", 1) != 1
+ )
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to write to UNIX socket (%s)", scanner_options),
+ sock);
+
+ /* wait for result */
+ memset(av_buffer, 0, sizeof(av_buffer));
+ if ((!(bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT)) > 0))
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to read from UNIX socket (%s)", scanner_options),
+ sock);
+
+ /* infected ? */
+ if (av_buffer[0] == '1') {
+ uschar * s = Ustrchr(av_buffer, '\n');
+ if (s)
+ *s = '\0';
+ malware_name = string_copy(&av_buffer[2]);
+ }
+ else if (!strncmp(CS av_buffer, "-1", 2))
+ return m_errlog_defer_3(scanent, US"scanner reported error", sock);
+ else /* all ok, no virus */
+ malware_name = NULL;
-try_next_server:
- /* Remove the server from the list. XXX We should free the memory */
- num_servers--;
- int i;
- for( i = current_server; i < num_servers; i++ )
- clamd_address_vector[i] = clamd_address_vector[i+1];
- }
-
- if ( num_servers == 0 ) {
- log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: all clamd servers failed");
- return DEFER;
- }
- } else {
- /* open the local socket */
- if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to acquire socket (%s)",
- strerror(errno));
- return DEFER;
- }
-
- server.sun_family = AF_UNIX;
- Ustrcpy(server.sun_path, clamd_options);
-
- if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to connect to UNIX socket %s (%s)",
- clamd_options, strerror(errno) );
- return DEFER;
- }
+ break;
}
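Review bot: In the sophie case, the read check `if ((!(bread = ip_recv(...)) > 0))` negates the return value before comparing, so it is true only when ip_recv() returns exactly 0; a negative return (error or timeout) falls through with av_buffer still zeroed, matches neither '1' nor "-1", and ends in `malware_name = NULL`, which reports the message as clean. The intended test is presumably `(bread = ip_recv(...)) <= 0`, in line with the clamd case's `if (!(bread > 0))`. A full-size read also leaves av_buffer without a terminating NUL before Ustrchr() and string_copy() run over it.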
- /* have socket in variable "sock"; command to use is semi-independent of
- * the socket protocol. We use SCAN if is local (either Unix/local
- * domain socket, or explicitly told local) else we stream the data.
- * How we stream the data depends upon how we were built. */
-
- if (!use_scan_command) {
-
-#ifdef WITH_OLD_CLAMAV_STREAM
- /* "STREAM\n" command, get back a "PORT <N>\n" response, send data to
- * that port on a second connection; then in the scan-method-neutral
- * part, read the response back on the original connection. */
-
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s old-style remote scan (PORT)\n",
- scanner_name);
-
- /* Pass the string to ClamAV (7 = "STREAM\n") */
- if (send(sock, "STREAM\n", 7, 0) < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
- strerror(errno));
- (void)close(sock);
- return DEFER;
- }
- memset(av_buffer2, 0, sizeof(av_buffer2));
- bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), MALWARE_TIMEOUT);
-
- if (bread < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to read PORT from socket (%s)",
- strerror(errno));
- (void)close(sock);
- return DEFER;
- }
-
- if (bread == sizeof(av_buffer)) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: buffer too small");
- (void)close(sock);
- return DEFER;
- }
-
- if (!(*av_buffer2)) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: ClamAV returned null");
- (void)close(sock);
- return DEFER;
- }
-
- av_buffer2[bread] = '\0';
- if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 ) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: Expected port information from clamd, got '%s'", av_buffer2);
- (void)close(sock);
- return DEFER;
- };
-
- if ( (sockData = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to acquire socket (%s)",
- strerror(errno));
- (void)close(sock);
- return DEFER;
- }
-
- if (ip_connect(sockData, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: connection to %s, port %u failed (%s)",
- inet_ntoa(in), port, strerror(errno));
- (void)close(sockData); (void)close(sock);
- return DEFER;
- }
-
-#define CLOSE_SOCKDATA (void)close(sockData)
-#else /* WITH_OLD_CLAMAV_STREAM not defined */
- /* New protocol: "zINSTREAM\n" followed by a sequence of <length><data>
- chunks, <n> a 4-byte number (network order), terminated by a zero-length
- chunk. */
-
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
- scanner_name);
-
- /* Pass the string to ClamAV (10 = "zINSTREAM\0") */
- if (send(sock, "zINSTREAM", 10, 0) < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to send zINSTREAM to socket (%s)",
- strerror(errno));
- (void)close(sock);
- return DEFER;
- }
-
-#define CLOSE_SOCKDATA /**/
-#endif
-
- /* calc file size */
- clam_fd = open(CS eml_filename, O_RDONLY);
- if (clam_fd == -1) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: can't open spool file %s: %s",
- eml_filename, strerror(errno));
- CLOSE_SOCKDATA; (void)close(sock);
- return DEFER;
- }
- fsize = lseek(clam_fd, 0, SEEK_END);
- if (fsize == -1) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: can't seek spool file %s: %s",
- eml_filename, strerror(errno));
- CLOSE_SOCKDATA; (void)close(sock);
- return DEFER;
- }
- lseek(clam_fd, 0, SEEK_SET);
-
- clamav_fbuf = (uschar *) malloc (fsize);
- if (!clamav_fbuf) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to allocate memory %u for file (%s)",
- fsize, eml_filename);
- CLOSE_SOCKDATA; (void)close(sock); (void)close(clam_fd);
- return DEFER;
- }
-
- result = read (clam_fd, clamav_fbuf, fsize);
- if (result == -1) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: can't read spool file %s: %s",
- eml_filename, strerror(errno));
- CLOSE_SOCKDATA; (void)close(sock); (void)close(clam_fd);
- free(clamav_fbuf);
- return DEFER;
- }
- (void)close(clam_fd);
-
- /* send file body to socket */
-#ifdef WITH_OLD_CLAMAV_STREAM
- if (send(sockData, clamav_fbuf, fsize, 0) < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port);
- CLOSE_SOCKDATA; (void)close(sock);
- free(clamav_fbuf);
- return DEFER;
- }
-#else
- send_size = htonl(fsize);
- send_final_zeroblock = 0;
- if ((send(sock, &send_size, sizeof(send_size), 0) < 0) ||
- (send(sock, clamav_fbuf, fsize, 0) < 0) ||
- (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
- {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port);
- (void)close(sock);
- free(clamav_fbuf);
- return DEFER;
- }
-#endif
+ case M_CLAMD: /* "clamd" scanner type ----------------------------------- */
+ {
+ /* This code was originally contributed by David Saez */
+ /* There are three scanning methods available to us:
+ * (1) Use the SCAN command, pointing to a file in the filesystem
+ * (2) Use the STREAM command, send the data on a separate port
+ * (3) Use the zINSTREAM command, send the data inline
+ * The zINSTREAM command was introduced with ClamAV 0.95, which marked
+ * STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
+ * In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
+ * the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless
+ * WITH_OLD_CLAMAV_STREAM is defined.
+ * See Exim bug 926 for details. */
+
+ uschar *p, *vname, *result_tag, *response_end;
+ int bread=0;
+ uschar * file_name;
+ uschar av_buffer[1024];
+ uschar *hostname = US"";
+ host_item connhost;
+ uschar *clamav_fbuf;
+ int clam_fd, result;
+ unsigned int fsize;
+ BOOL use_scan_command = FALSE;
+ clamd_address_container * clamd_address_vector[MAX_CLAMD_SERVERS];
+ int current_server;
+ int num_servers = 0;
+ #ifdef WITH_OLD_CLAMAV_STREAM
+ unsigned int port;
+ uschar av_buffer2[1024];
+ int sockData;
+ #else
+ uint32_t send_size, send_final_zeroblock;
+ #endif
+
+ if (*scanner_options == '/')
+ /* Local file; so we def want to use_scan_command and don't want to try
+ * passing IP/port combinations */
+ use_scan_command = TRUE;
+ else {
+ const uschar *address = scanner_options;
+ uschar address_buffer[MAX_CLAMD_ADDRESS_LENGTH + 20];
+
+ /* Go through the rest of the list of host/port and construct an array
+ * of servers to try. The first one is the bit we just passed from
+ * scanner_options so process that first and then scan the remainder of
+ * the address buffer */
+ do {
+ clamd_address_container *this_clamd;
+
+ /* The 'local' option means use the SCAN command over the network
+ * socket (ie common file storage in use) */
+ if (strcmpic(address,US"local") == 0) {
+ use_scan_command = TRUE;
+ continue;
+ }
+
+ /* XXX: If unsuccessful we should free this memory */
+ this_clamd =
+ (clamd_address_container *)store_get(sizeof(clamd_address_container));
+
+ /* extract host and port part */
+ if( sscanf(CS address, "%" MAX_CLAMD_ADDRESS_LENGTH_S "s %u",
+ this_clamd->tcp_addr, &(this_clamd->tcp_port)) != 2 ) {
+ (void) m_errlog_defer(scanent,
+ string_sprintf("invalid address '%s'", address));
+ continue;
+ }
+
+ clamd_address_vector[num_servers] = this_clamd;
+ num_servers++;
+ if (num_servers >= MAX_CLAMD_SERVERS) {
+ (void) m_errlog_defer(scanent,
+ US"More than " MAX_CLAMD_SERVERS_S " clamd servers "
+ "specified; only using the first " MAX_CLAMD_SERVERS_S );
+ break;
+ }
+ } while ((address = string_nextinlist(&av_scanner_work, &sep,
+ address_buffer,
+ sizeof(address_buffer))) != NULL);
+
+ /* check if we have at least one server */
+ if (!num_servers)
+ return m_errlog_defer(scanent,
+ US"no useable server addresses in malware configuration option.");
+ }
- free(clamav_fbuf);
-
- CLOSE_SOCKDATA;
-#undef CLOSE_SOCKDATA
-
- } else { /* use scan command */
- /* Send a SCAN command pointing to a filename; then in the then in the
- * scan-method-neutral part, read the response back */
-
-/* ================================================================= */
-
- /* Prior to the reworking post-Exim-4.72, this scanned a directory,
- which dates to when ClamAV needed us to break apart the email into the
- MIME parts (eg, with the now deprecated demime condition coming first).
- Some time back, ClamAV gained the ability to deconstruct the emails, so
- doing this would actually have resulted in the mail attachments being
- scanned twice, in the broken out files and from the original .eml.
- Since ClamAV now handles emails (and has for quite some time) we can
- just use the email file itself. */
- /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
- fits = string_format(file_name, sizeof(file_name), "SCAN %s\n",
- eml_filename);
- if (!fits) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware filename does not fit in buffer [malware_internal() clamd]");
- }
-
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s local-path scan [%s]\n",
- scanner_name, clamd_options);
-
- if (send(sock, file_name, Ustrlen(file_name), 0) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
- strerror(errno));
- return DEFER;
- }
-
- /* Do not shut down the socket for writing; a user report noted that
- * clamd 0.70 does not react well to this. */
- }
- /* Commands have been sent, no matter which scan method or connection
- * type we're using; now just read the result, independent of method. */
-
- /* Read the result */
- memset(av_buffer, 0, sizeof(av_buffer));
- bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT);
- (void)close(sock);
-
- if (!(bread > 0)) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to read from socket (%s)",
- strerror(errno));
- return DEFER;
- }
+ /* See the discussion of response formats below to see why we really don't
+ like colons in filenames when passing filenames to ClamAV. */
+ if (use_scan_command && Ustrchr(eml_filename, ':'))
+ return m_errlog_defer(scanent,
+ string_sprintf("local/SCAN mode incompatible with" \
+ " : in path to email filename [%s]", eml_filename));
+
+ /* We have some network servers specified */
+ if (num_servers) {
+
+ /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd
+ * only supports AF_INET, but we should probably be looking to the
+ * future and rewriting this to be protocol-independent anyway. */
+
+ while ( num_servers > 0 ) {
+ /* Randomly pick a server to start with */
+ current_server = random_number( num_servers );
+
+ debug_printf("trying server name %s, port %u\n",
+ clamd_address_vector[current_server]->tcp_addr,
+ clamd_address_vector[current_server]->tcp_port);
+
+ /* Lookup the host. This is to ensure that we connect to the same IP
+ * on both connections (as one host could resolve to multiple ips) */
+ sock= m_tcpsocket(clamd_address_vector[current_server]->tcp_addr,
+ clamd_address_vector[current_server]->tcp_port,
+ &connhost, &errstr);
+ if (sock >= 0) {
+ /* Connection successfully established with a server */
+ hostname = clamd_address_vector[current_server]->tcp_addr;
+ break;
+ }
+
+ (void) m_errlog_defer(scanent, errstr);
+
+ /* Remove the server from the list. XXX We should free the memory */
+ num_servers--;
+ int i;
+ for( i = current_server; i < num_servers; i++ )
+ clamd_address_vector[i] = clamd_address_vector[i+1];
+ }
+
+ if ( num_servers == 0 )
+ return m_errlog_defer(scanent, US"all servers failed");
+
+ } else {
+ if ((sock = m_unixsocket(scanner_options, &errstr)) < 0)
+ return m_errlog_defer(scanent, errstr);
+ }
- if (bread == sizeof(av_buffer)) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: buffer too small");
- return DEFER;
+ /* have socket in variable "sock"; command to use is semi-independent of
+ * the socket protocol. We use SCAN if is local (either Unix/local
+ * domain socket, or explicitly told local) else we stream the data.
+ * How we stream the data depends upon how we were built. */
+
+ if (!use_scan_command) {
+
+ #ifdef WITH_OLD_CLAMAV_STREAM
+ /* "STREAM\n" command, get back a "PORT <N>\n" response, send data to
+ * that port on a second connection; then in the scan-method-neutral
+ * part, read the response back on the original connection. */
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s old-style remote scan (PORT)\n",
+ scanner_name);
+
+ /* Pass the string to ClamAV (7 = "STREAM\n") */
+ if (m_sock_send(sock, US"STREAM\n", 7, &errstr) < 0)
+ return m_errlog_defer(scanent, errstr);
+
+ memset(av_buffer2, 0, sizeof(av_buffer2));
+ bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), MALWARE_TIMEOUT);
+
+ if (bread < 0)
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to read PORT from socket (%s)",
+ strerror(errno)),
+ sock);
+
+ if (bread == sizeof(av_buffer2))
+ return m_errlog_defer_3(scanent, "buffer too small", sock);
+
+ if (!(*av_buffer2))
+ return m_errlog_defer_3(scanent, "ClamAV returned null", sock);
+
+ av_buffer2[bread] = '\0';
+ if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 )
+ return m_errlog_defer_3(scanent,
+ string_sprintf("Expected port information from clamd, got '%s'",
+ av_buffer2),
+ sock);
+
+ sockData = m_tcpsocket(connhost.address, port, NULL, &errstr);
+ if (sockData < 0)
+ return m_errlog_defer_3(scanent, errstr, sock);
+
+ #define CLOSE_SOCKDATA (void)close(sockData)
+ #else /* WITH_OLD_CLAMAV_STREAM not defined */
+ /* New protocol: "zINSTREAM\n" followed by a sequence of <length><data>
+ chunks, <n> a 4-byte number (network order), terminated by a zero-length
+ chunk. */
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
+ scanner_name);
+
+ /* Pass the string to ClamAV (10 = "zINSTREAM\0") */
+ if (send(sock, "zINSTREAM", 10, 0) < 0)
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to send zINSTREAM to socket (%s)",
+ strerror(errno)),
+ sock);
+
+ #define CLOSE_SOCKDATA /**/
+ #endif
+
+ /* calc file size */
+ if ((clam_fd = open(CS eml_filename, O_RDONLY)) < 0) {
+ int err = errno;
+ CLOSE_SOCKDATA;
+ return m_errlog_defer_3(scanent,
+ string_sprintf("can't open spool file %s: %s",
+ eml_filename, strerror(err)),
+ sock);
+ }
+ if ((fsize = lseek(clam_fd, 0, SEEK_END)) < 0) {
+ int err = errno;
+ CLOSE_SOCKDATA; (void)close(clam_fd);
+ return m_errlog_defer_3(scanent,
+ string_sprintf("can't seek spool file %s: %s",
+ eml_filename, strerror(err)),
+ sock);
+ }
+ lseek(clam_fd, 0, SEEK_SET);
+
+ if (!(clamav_fbuf = (uschar *) malloc (fsize))) {
+ CLOSE_SOCKDATA; (void)close(clam_fd);
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to allocate memory %u for file (%s)",
+ fsize, eml_filename),
+ sock);
+ }
+
+ if ((result = read(clam_fd, clamav_fbuf, fsize)) < 0) {
+ int err = errno;
+ free(clamav_fbuf); CLOSE_SOCKDATA; (void)close(clam_fd);
+ return m_errlog_defer_3(scanent,
+ string_sprintf("can't read spool file %s: %s",
+ eml_filename, strerror(err)),
+ sock);
+ }
+ (void)close(clam_fd);
+
+ /* send file body to socket */
+ #ifdef WITH_OLD_CLAMAV_STREAM
+ if (send(sockData, clamav_fbuf, fsize, 0) < 0) {
+ free(clamav_fbuf); CLOSE_SOCKDATA;
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to send file body to socket (%s:%u)",
+ hostname, port),
+ sock);
+ }
+ #else
+ send_size = htonl(fsize);
+ send_final_zeroblock = 0;
+ if ((send(sock, &send_size, sizeof(send_size), 0) < 0) ||
+ (send(sock, clamav_fbuf, fsize, 0) < 0) ||
+ (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
+ {
+ free(clamav_fbuf);
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to send file body to socket (%s)", hostname),
+ sock);
+ }
+ #endif
+
+ free(clamav_fbuf);
+
+ CLOSE_SOCKDATA;
+ #undef CLOSE_SOCKDATA
+
+ } else { /* use scan command */
+ /* Send a SCAN command pointing to a filename; then in the then in the
+ * scan-method-neutral part, read the response back */
+
+ /* ================================================================= */
+
+ /* Prior to the reworking post-Exim-4.72, this scanned a directory,
+ which dates to when ClamAV needed us to break apart the email into the
+ MIME parts (eg, with the now deprecated demime condition coming first).
+ Some time back, ClamAV gained the ability to deconstruct the emails, so
+ doing this would actually have resulted in the mail attachments being
+ scanned twice, in the broken out files and from the original .eml.
+ Since ClamAV now handles emails (and has for quite some time) we can
+ just use the email file itself. */
+ /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
+ file_name = string_sprintf("SCAN %s\n", eml_filename);
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s local-path scan [%s]\n",
+ scanner_name, scanner_options);
+
+ if (send(sock, file_name, Ustrlen(file_name), 0) < 0)
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to write to socket (%s)", strerror(errno)),
+ sock);
+
+ /* Do not shut down the socket for writing; a user report noted that
+ * clamd 0.70 does not react well to this. */
+ }
+ /* Commands have been sent, no matter which scan method or connection
+ * type we're using; now just read the result, independent of method. */
+
+ /* Read the result */
+ memset(av_buffer, 0, sizeof(av_buffer));
+ bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT);
+ (void)close(sock);
+ sock = -1;
+
+ if (!(bread > 0))
+ return m_errlog_defer(scanent,
+ string_sprintf("unable to read from socket (%s)", strerror(errno)));
+
+ if (bread == sizeof(av_buffer))
+ return m_errlog_defer(scanent, US"buffer too small");
+ /* We're now assured of a NULL at the end of av_buffer */
+
+ /* Check the result. ClamAV returns one of two result formats.
+ In the basic mode, the response is of the form:
+ infected: -> "<filename>: <virusname> FOUND"
+ not-infected: -> "<filename>: OK"
+ error: -> "<filename>: <errcode> ERROR
+ If the ExtendedDetectionInfo option has been turned on, then we get:
+ "<filename>: <virusname>(<virushash>:<virussize>) FOUND"
+ for the infected case. Compare:
+ /tmp/eicar.com: Eicar-Test-Signature FOUND
+ /tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
+
+ In the streaming case, clamd uses the filename "stream" which you should
+ be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The
+ client app will replace "stream" with the original filename before returning
+ results to stdout, but the trace shows the data).
+
+ We will assume that the pathname passed to clamd from Exim does not contain
+ a colon. We will have whined loudly above if the eml_filename does (and we're
+ passing a filename to clamd). */
+
+ if (!(*av_buffer))
+ return m_errlog_defer(scanent, US"ClamAV returned null");
+
+ /* strip newline at the end (won't be present for zINSTREAM)
+ (also any trailing whitespace, which shouldn't exist, but we depend upon
+ this below, so double-check) */
+ p = av_buffer + Ustrlen(av_buffer) - 1;
+ if (*p == '\n') *p = '\0';
+
+ DEBUG(D_acl) debug_printf("Malware response: %s\n", av_buffer);
+
+ while (isspace(*--p) && (p > av_buffer))
+ *p = '\0';
+ if (*p) ++p;
+ response_end = p;
+
+ /* colon in returned output? */
+ if((p = Ustrchr(av_buffer,':')) == NULL)
+ return m_errlog_defer(scanent,
+ string_sprintf("ClamAV returned malformed result (missing colon): %s",
+ av_buffer));
+
+ /* strip filename */
+ while (*p && isspace(*++p)) /**/;
+ vname = p;
+
+ /* It would be bad to encounter a virus with "FOUND" in part of the name,
+ but we should at least be resistant to it. */
+ p = Ustrrchr(vname, ' ');
+ result_tag = p ? p+1 : vname;
+
+ if (Ustrcmp(result_tag, "FOUND") == 0) {
+ /* p should still be the whitespace before the result_tag */
+ while (isspace(*p)) --p;
+ *++p = '\0';
+ /* Strip off the extended information too, which will be in parens
+ after the virus name, with no intervening whitespace. */
+ if (*--p == ')') {
+ /* "(hash:size)", so previous '(' will do; if not found, we have
+ a curious virus name, but not an error. */
+ p = Ustrrchr(vname, '(');
+ if (p)
+ *p = '\0';
+ }
+ malware_name = string_copy(vname);
+ DEBUG(D_acl) debug_printf("Malware found, name \"%s\"\n", malware_name);
+
+ } else if (Ustrcmp(result_tag, "ERROR") == 0)
+ return m_errlog_defer(scanent,
+ string_sprintf("ClamAV returned: %s", av_buffer));
+
+ else if (Ustrcmp(result_tag, "OK") == 0) {
+ /* Everything should be OK */
+ malware_name = NULL;
+ DEBUG(D_acl) debug_printf("Malware not found\n");
+
+ } else
+ return m_errlog_defer(scanent,
+ string_sprintf("unparseable response from ClamAV: {%s}", av_buffer));
+
+ break;
+ } /* clamd */
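Review bot: In the clamd streaming path, `if ((fsize = lseek(clam_fd, 0, SEEK_END)) < 0)` can never be true because fsize is declared `unsigned int`, so a failed lseek() now goes undetected and its wrapped value is passed to malloc() and read(); the removed code compared `fsize == -1`, which did catch it. Hold the result in an off_t, test that, and only then narrow it. The return value of read() is checked only for `< 0`, so a short read still sends fsize bytes from a partly filled buffer, and the two m_errlog_defer_3() calls with "buffer too small" and "ClamAV returned null" lack the US cast used on string literals elsewhere in this case.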
+
+ case M_SOCK: /* "sock" scanner type ------------------------------------- */
+ /* This code was derived by Martin Poole from the clamd code contributed
+ by David Saez and the cmdline code
+ */
+ {
+ int bread;
+ uschar * commandline;
+ uschar av_buffer[1024];
+ uschar * linebuffer;
+ uschar * sockline_scanner;
+ uschar sockline_scanner_default[] = "%s\n";
+ const pcre *sockline_trig_re;
+ const pcre *sockline_name_re;
+
+ /* find scanner command line */
+ if ((sockline_scanner = string_nextinlist(&av_scanner_work, &sep,
+ NULL, 0)))
+ { /* check for no expansions apart from one %s */
+ char * s = index(CS sockline_scanner, '%');
+ if (s++)
+ if ((*s != 's' && *s != '%') || index(s+1, '%'))
+ return m_errlog_defer_3(scanent,
+ US"unsafe sock scanner call spec", sock);
+ }
+ else
+ sockline_scanner = sockline_scanner_default;
+
+ /* find scanner output trigger */
+ sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep,
+ "missing trigger specification", &errstr);
+ if (!sockline_trig_re)
+ return m_errlog_defer_3(scanent, errstr, sock);
+
+ /* find virus name regex */
+ sockline_name_re = m_pcre_nextinlist(&av_scanner_work, &sep,
+ "missing virus name regex specification", &errstr);
+ if (!sockline_name_re)
+ return m_errlog_defer_3(scanent, errstr, sock);
+
+ /* prepare scanner call - security depends on expansions check above */
+ commandline = string_sprintf("%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
+ commandline = string_sprintf( CS sockline_scanner, CS commandline);
+
+
+ /* Pass the command string to the socket */
+ if (m_sock_send(sock, commandline, Ustrlen(commandline), &errstr) < 0)
+ return m_errlog_defer(scanent, errstr);
+
+ /* Read the result */
+ memset(av_buffer, 0, sizeof(av_buffer));
+ bread = read(sock, av_buffer, sizeof(av_buffer));
+
+ if (!(bread > 0))
+ return m_errlog_defer_3(scanent,
+ string_sprintf("unable to read from socket (%s)", strerror(errno)),
+ sock);
+
+ if (bread == sizeof(av_buffer))
+ return m_errlog_defer_3(scanent, US"buffer too small", sock);
+ linebuffer = string_copy(av_buffer);
+
+ /* try trigger match */
+ if (regex_match_and_setup(sockline_trig_re, linebuffer, 0, -1)) {
+ if (!(malware_name = m_pcre_exec(sockline_name_re, av_buffer)))
+ malware_name = US "unknown";
+ }
+ else /* no virus found */
+ malware_name = NULL;
+ break;
}
- /* Check the result. ClamAV returns one of two result formats.
- In the basic mode, the response is of the form:
- infected: -> "<filename>: <virusname> FOUND"
- not-infected: -> "<filename>: OK"
- error: -> "<filename>: <errcode> ERROR
- If the ExtendedDetectionInfo option has been turned on, then we get:
- "<filename>: <virusname>(<virushash>:<virussize>) FOUND"
- for the infected case. Compare:
-/tmp/eicar.com: Eicar-Test-Signature FOUND
-/tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
-
- In the streaming case, clamd uses the filename "stream" which you should
- be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The
- client app will replace "stream" with the original filename before returning
- results to stdout, but the trace shows the data).
-
- We will assume that the pathname passed to clamd from Exim does not contain
- a colon. We will have whined loudly above if the eml_filename does (and we're
- passing a filename to clamd). */
-
- if (!(*av_buffer)) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: ClamAV returned null");
- return DEFER;
- }
+ case M_MKSD: /* "mksd" scanner type ------------------------------------- */
+ {
+ char *mksd_options_end;
+ int mksd_maxproc = 1; /* default, if no option supplied */
+ int sock;
+ int retval;
+
+ if (scanner_options) {
+ mksd_maxproc = (int)strtol(CS scanner_options, &mksd_options_end, 10);
+ if ( *scanner_options == '\0'
+ || *mksd_options_end != '\0'
+ || mksd_maxproc < 1
+ || mksd_maxproc > 32
+ )
+ return m_errlog_defer(scanent,
+ string_sprintf("invalid option '%s'", scanner_options));
+ }
- /* strip newline at the end (won't be present for zINSTREAM)
- (also any trailing whitespace, which shouldn't exist, but we depend upon
- this below, so double-check) */
- p = av_buffer + Ustrlen(av_buffer) - 1;
- if (*p == '\n') *p = '\0';
-
- DEBUG(D_acl) debug_printf("Malware response: %s\n", av_buffer);
-
- while (isspace(*--p) && (p > av_buffer))
- *p = '\0';
- if (*p) ++p;
- response_end = p;
-
- /* colon in returned output? */
- if((p = Ustrchr(av_buffer,':')) == NULL) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: ClamAV returned malformed result (missing colon): %s",
- av_buffer);
- return DEFER;
- }
+ if((sock = m_unixsocket(US "/var/run/mksd/socket", &errstr)) < 0)
+ return m_errlog_defer(scanent, errstr);
- /* strip filename */
- while (*p && isspace(*++p)) /**/;
- vname = p;
-
- /* It would be bad to encounter a virus with "FOUND" in part of the name,
- but we should at least be resistant to it. */
- p = Ustrrchr(vname, ' ');
- if (p)
- result_tag = p + 1;
- else
- result_tag = vname;
-
- if (Ustrcmp(result_tag, "FOUND") == 0) {
- /* p should still be the whitespace before the result_tag */
- while (isspace(*p)) --p;
- *++p = '\0';
- /* Strip off the extended information too, which will be in parens
- after the virus name, with no intervening whitespace. */
- if (*--p == ')') {
- /* "(hash:size)", so previous '(' will do; if not found, we have
- a curious virus name, but not an error. */
- p = Ustrrchr(vname, '(');
- if (p)
- *p = '\0';
- }
- Ustrncpy(malware_name_buffer, vname, sizeof(malware_name_buffer)-1);
- malware_name = malware_name_buffer;
- DEBUG(D_acl) debug_printf("Malware found, name \"%s\"\n", malware_name);
-
- } else if (Ustrcmp(result_tag, "ERROR") == 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: ClamAV returned: %s",
- av_buffer);
- return DEFER;
-
- } else if (Ustrcmp(result_tag, "OK") == 0) {
- /* Everything should be OK */
malware_name = NULL;
- DEBUG(D_acl) debug_printf("Malware not found\n");
- } else {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unparseable response from ClamAV: {%s}",
- av_buffer);
- return DEFER;
- }
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan\n", scanner_name);
- } /* clamd */
-
- /* ----------------------------------------------------------------------- */
-
-
- /* "mksd" scanner type --------------------------------------------------- */
- else if (strcmpic(scanner_name,US"mksd") == 0) {
- uschar *mksd_options;
- char *mksd_options_end;
- uschar mksd_options_buffer[32];
- int mksd_maxproc = 1; /* default, if no option supplied */
- struct sockaddr_un server;
- int sock;
- int retval;
-
- if ((mksd_options = string_nextinlist(&av_scanner_work, &sep,
- mksd_options_buffer,
- sizeof(mksd_options_buffer))) != NULL) {
- mksd_maxproc = (int) strtol(CS mksd_options, &mksd_options_end, 10);
- if ((*mksd_options == '\0') || (*mksd_options_end != '\0') ||
- (mksd_maxproc < 1) || (mksd_maxproc > 32)) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: mksd: invalid option '%s'", mksd_options);
- return DEFER;
- }
- }
-
- /* open the mksd socket */
- sock = socket(AF_UNIX, SOCK_STREAM, 0);
- if (sock < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: can't open UNIX socket.");
- return DEFER;
- }
- server.sun_family = AF_UNIX;
- Ustrcpy(server.sun_path, "/var/run/mksd/socket");
- if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to connect to mksd UNIX socket (/var/run/mksd/socket). errno=%d", errno);
- return DEFER;
+ if ((retval = mksd_scan_packed(scanent, sock, eml_filename)) != OK) {
+ close (sock);
+ return retval;
+ }
+ break;
}
-
- malware_name = NULL;
-
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan\n", scanner_name);
-
- retval = mksd_scan_packed(sock, eml_filename);
-
- if (retval != OK)
- return retval;
}
- /* ----------------------------------------------------------------------- */
- /* "unknown" scanner type ------------------------------------------------- */
- else {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware condition: unknown scanner type '%s'", scanner_name);
- return DEFER;
- };
- /* ----------------------------------------------------------------------- */
-
- /* set "been here, done that" marker */
- malware_ok = 1;
- };
+ if (sock >= 0)
+ (void) close (sock);
+ malware_ok = TRUE; /* set "been here, done that" marker */
+ }
/* match virus name against pattern (caseless ------->----------v) */
- if ( (malware_name != NULL) &&
- (regex_match_and_setup(re, malware_name, 0, -1)) ) {
+ if ( malware_name && (regex_match_and_setup(re, malware_name, 0, -1)) ) {
DEBUG(D_acl) debug_printf("Matched regex to malware [%s] [%s]\n", malware_regex, malware_name);
return OK;
}
- else {
+ else
return FAIL;
- };
}
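Review bot: in the clamd result parsing, the FOUND branch dereferences p without checking it. When the reply carries no virus name (vname is exactly "FOUND"), Ustrrchr(vname, ' ') returns NULL, result_tag falls back to vname, and while (isspace(*p)) --p; then reads through a NULL pointer. Treat a FOUND tag with p == NULL as an unparseable response and return through m_errlog_defer(), as the final else already does. Separately, the M_MKSD block declares its own int sock, which hides the outer sock that the M_SOCK case uses and that if (sock >= 0) (void) close (sock); closes after the switch. The mksd descriptor is closed only on the retval != OK path, so a successful scan leaves it open now that mksd_scan_packed() no longer closes it. Dropping the inner declaration and assigning to the outer sock would let the shared close cover the success path.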
/* simple wrapper for reading lines from sockets */
-int recv_line(int sock, uschar *buffer, int size) {
+int
+recv_line(int sock, uschar *buffer, int size)
+{
uschar *p = buffer;
memset(buffer,0,size);
if ((p-buffer) > (size-2)) break;
if (*p == '\n') break;
if (*p != '\r') p++;
- };
+ }
*p = '\0';
return (p-buffer);
#include <sys/uio.h>
-static int mksd_writev (int sock, struct iovec *iov, int iovcnt)
+static inline int
+mksd_writev (int sock, struct iovec *iov, int iovcnt)
{
int i;
i = writev (sock, iov, iovcnt);
while ((i < 0) && (errno == EINTR));
if (i <= 0) {
- close (sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to write to mksd UNIX socket (/var/run/mksd/socket)");
+ (void) malware_errlog_defer(US"unable to write to mksd UNIX socket (/var/run/mksd/socket)");
return -1;
}
}
}
-static int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size)
+static inline int
+mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size)
{
int offset = 0;
int i;
do {
if ((i = recv (sock, av_buffer+offset, av_buffer_size-offset, 0)) <= 0) {
- close (sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to read from mksd UNIX socket (/var/run/mksd/socket)");
+ (void) malware_errlog_defer(US"unable to read from mksd UNIX socket (/var/run/mksd/socket)");
return -1;
}
offset += i;
/* offset == av_buffer_size -> buffer full */
if (offset == av_buffer_size) {
- close (sock);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: malformed reply received from mksd");
+ (void) malware_errlog_defer(US"malformed reply received from mksd");
return -1;
}
} while (av_buffer[offset-1] != '\n');
return offset;
}
-static int mksd_parse_line (char *line)
+static inline int
+mksd_parse_line(struct scan * scanent, char *line)
{
char *p;
switch (*line) {
- case 'O':
- /* OK */
+ case 'O': /* OK */
return OK;
+
case 'E':
- case 'A':
- /* ERR */
+ case 'A': /* ERR */
if ((p = strchr (line, '\n')) != NULL)
- (*p) = '\0';
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: mksd scanner failed: %s", line);
- return DEFER;
- default:
- /* VIR */
+ *p = '\0';
+ return m_errlog_defer(scanent,
+ string_sprintf("scanner failed: %s", line));
+
+ default: /* VIR */
if ((p = strchr (line, '\n')) != NULL) {
- (*p) = '\0';
- if (((p-line) > 5) && ((p-line) < sizeof (malware_name_buffer)) && (line[3] == ' '))
+ *p = '\0';
+ if (((p-line) > 5) && (line[3] == ' '))
if (((p = strchr (line+4, ' ')) != NULL) && ((p-line) > 4)) {
- (*p) = '\0';
- Ustrcpy (malware_name_buffer, line+4);
- malware_name = malware_name_buffer;
+ *p = '\0';
+ malware_name = string_copy(US line+4);
return OK;
}
}
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: malformed reply received from mksd: %s", line);
- return DEFER;
+ return m_errlog_defer(scanent,
+ string_sprintf("malformed reply received: %s", line));
}
}
-static int mksd_scan_packed(int sock, uschar *scan_filename)
+static int
+mksd_scan_packed(struct scan * scanent, int sock, uschar *scan_filename)
{
struct iovec iov[3];
const char *cmd = "MSQ\n";
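Review bot: mksd_read_lines() still reports errors through malware_errlog_defer() with the socket path hard-coded in the message, while mksd_parse_line() and mksd_scan_packed() in this same hunk now receive scanent and use m_errlog_defer(scanent, ...). Passing scanent to mksd_read_lines() (and to mksd_writev()) would keep the log format consistent across the mksd helpers and avoid repeating /var/run/mksd/socket in several strings. With close (sock) removed from the error paths here, a short comment stating that the caller owns the descriptor would help the next reader.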
if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer)) < 0)
return DEFER;
- close (sock);
-
- return mksd_parse_line (CS av_buffer);
+ return mksd_parse_line (scanent, CS av_buffer);
}
-#endif
+#endif /*WITH_CONTENT_SCAN*/
+/*
+ * vi: aw ai sw=2
+ */
NULL, /* service name not relevant */
NULL, /* srv_fail_domains not relevant */
NULL, /* mx_fail_domains not relevant */
+ NULL, /* no dnssec request XXX ? */
+ NULL, /* no dnssec require XXX ? */
NULL, /* no feedback FQDN */
&removed); /* feedback if local removed */
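Review bot: the two new arguments are passed as NULL with "XXX ?" comments, so it is still undecided whether this host_find_bydns() call should honour a DNSSEC request or requirement. Resolve that before merge, or replace the XXX markers with a comment stating that DNSSEC is deliberately not requested at this call site and why.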
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for sending messages to sender or to mailmaster. */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for reading the configuration file, and for displaying
{ "acl_smtp_auth", opt_stringptr, &acl_smtp_auth },
{ "acl_smtp_connect", opt_stringptr, &acl_smtp_connect },
{ "acl_smtp_data", opt_stringptr, &acl_smtp_data },
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
{ "acl_smtp_data_prdr", opt_stringptr, &acl_smtp_data_prdr },
#endif
#ifndef DISABLE_DKIM
/* This option is now a no-op, retained for compability */
{ "drop_cr", opt_bool, &drop_cr },
/*********************************************************/
+#ifdef EXPERIMENTAL_DSN
+ { "dsn_advertise_hosts", opt_stringptr, &dsn_advertise_hosts },
+#endif
{ "dsn_from", opt_stringptr, &dsn_from },
{ "envelope_to_remove", opt_bool, &envelope_to_remove },
{ "errors_copy", opt_stringptr, &errors_copy },
#endif
{ "pid_file_path", opt_stringptr, &pid_file_path },
{ "pipelining_advertise_hosts", opt_stringptr, &pipelining_advertise_hosts },
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
{ "prdr_enable", opt_bool, &prdr_enable },
#endif
{ "preserve_message_logs", opt_bool, &preserve_message_logs },
{ "print_topbitchars", opt_bool, &print_topbitchars },
{ "process_log_path", opt_stringptr, &process_log_path },
{ "prod_requires_admin", opt_bool, &prod_requires_admin },
+#ifdef EXPERIMENTAL_PROXY
+ { "proxy_required_hosts", opt_stringptr, &proxy_required_hosts },
+#endif
{ "qualify_domain", opt_stringptr, &qualify_domain_sender },
{ "qualify_recipient", opt_stringptr, &qualify_domain_recipient },
{ "queue_domains", opt_stringptr, &queue_domains },
{ "tls_crl", opt_stringptr, &tls_crl },
{ "tls_dh_max_bits", opt_int, &tls_dh_max_bits },
{ "tls_dhparam", opt_stringptr, &tls_dhparam },
-# if defined(EXPERIMENTAL_OCSP) && !defined(USE_GNUTLS)
+# ifndef DISABLE_OCSP
{ "tls_ocsp_file", opt_stringptr, &tls_ocsp_file },
# endif
{ "tls_on_connect_ports", opt_stringptr, &tls_in.on_connect_ports },
Because we only do this once, near process start-up, I'm prepared to
let this slide for the time being, even though it rankles. */
}
- else if (*str_target && (ol->type & opt_rep_str))
- {
+ else if (ol->type & opt_rep_str)
+ {
uschar sep = Ustrncmp(name, "headers_add", 11)==0 ? '\n' : ':';
- saved_condition = *str_target;
- strtemp = saved_condition + Ustrlen(saved_condition)-1;
- if (*strtemp == sep) *strtemp = 0; /* eliminate trailing list-sep */
- strtemp = string_sprintf("%s%c%s", saved_condition, sep, sptr);
- *str_target = string_copy_malloc(strtemp);
- }
+ uschar * cp;
+
+ /* Strip trailing whitespace and seperators */
+ for (cp = sptr + Ustrlen(sptr) - 1;
+ cp >= sptr && (*cp == '\n' || *cp == '\t' || *cp == ' ' || *cp == sep);
+ cp--) *cp = '\0';
+
+ if (cp >= sptr)
+ *str_target = string_copy_malloc(
+ *str_target ? string_sprintf("%s%c%s", *str_target, sep, sptr)
+ : sptr);
+ }
else
{
*str_target = sptr;
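Review bot: the trimming loop starts at sptr + Ustrlen(sptr) - 1 and runs while cp >= sptr, so for an empty sptr, or one made up only of whitespace and separators, cp ends one element before the start of the string, which C leaves undefined even when the pointer is only compared. An index-based loop over the length avoids that. The loop also edits sptr in place and, when nothing is left after trimming, silently keeps the previous *str_target; both deserve a line in the comment, and "seperators" there should read "separators".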
(void)fclose(config_file);
}
+/* vi: aw ai sw=2
+*/
/* End of readconf.c */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Code for receiving a message and setting up spool files. */
/* reset optin string pointer for next recipient */
bmi_current_optin = NULL;
#endif
+#ifdef EXPERIMENTAL_DSN
+recipients_list[recipients_count].orcpt = NULL;
+recipients_list[recipients_count].dsn_flags = 0;
+#endif
recipients_list[recipients_count++].errors_to = NULL;
}
Returns: nothing
*/
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
static void
smtp_user_msg(uschar *code, uschar *user_msg)
{
*/
static void
-add_acl_headers(uschar *acl_name)
+add_acl_headers(int where, uschar *acl_name)
{
header_line *h, *next;
header_line *last_received = NULL;
+switch(where)
+ {
+ case ACL_WHERE_DKIM:
+ case ACL_WHERE_MIME:
+ case ACL_WHERE_DATA:
+ if (cutthrough_fd >= 0 && (acl_removed_headers || acl_added_headers))
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "Header modification in data ACLs"
+ " will not take effect on cutthrough deliveries");
+ return;
+ }
+ }
+
if (acl_removed_headers != NULL)
{
DEBUG(D_receive|D_acl) debug_printf(">>Headers removed by %s ACL:\n", acl_name);
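Review bot: the early return for ACL_WHERE_DKIM, ACL_WHERE_MIME and ACL_WHERE_DATA leaves acl_removed_headers and acl_added_headers untouched, so the pending modifications stay queued and the same LOG_PANIC line can be written again at each later add_acl_headers() call for the message. Clear both lists before returning, or say in a comment why they must survive. The switch would also read better with an explicit break after the if block and a default: case, and if the function's header comment lists its arguments it needs an entry for the new where parameter.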
}
END_MIME_ACL:
-add_acl_headers(US"MIME");
+add_acl_headers(ACL_WHERE_MIME, US"MIME");
if (rc == DISCARD)
{
recipients_count = 0;
uschar *resent_prefix = US"";
uschar *blackholed_by = NULL;
uschar *blackhole_log_msg = US"";
-enum {NOT_TRIED, TMP_REJ, PERM_REJ, ACCEPTED} cutthrough_done;
+enum {NOT_TRIED, TMP_REJ, PERM_REJ, ACCEPTED} cutthrough_done = NOT_TRIED;
flock_t lock_data;
error_block *bad_addresses = NULL;
goto TIDYUP; /* Skip to end of function */
}
received_header_gen();
- add_acl_headers(US"MAIL or RCPT");
+ add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
(void) cutthrough_headers_send();
}
/* If an ACL from any RCPT commands set up any warning headers to add, do so
now, before running the DATA ACL. */
- add_acl_headers(US"MAIL or RCPT");
+ add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
}
else
message_body_size = (fstat(data_fd, &statbuf) == 0)?
break;
}
}
- add_acl_headers(US"DKIM");
+ add_acl_headers(ACL_WHERE_DKIM, US"DKIM");
if (rc == DISCARD)
{
recipients_count = 0;
dmarc_up = dmarc_store_data(from_header);
#endif /* EXPERIMENTAL_DMARC */
-#ifdef EXPERIMENTAL_PRDR
- if (prdr_requested && recipients_count > 1 && acl_smtp_data_prdr != NULL )
+#ifndef DISABLE_PRDR
+ if (prdr_requested && recipients_count > 1 && acl_smtp_data_prdr)
{
unsigned int c;
int all_pass = OK;
}
else
prdr_requested = FALSE;
-#endif /* EXPERIMENTAL_PRDR */
+#endif /* !DISABLE_PRDR */
/* Check the recipients count again, as the MIME ACL might have changed
them. */
if (acl_smtp_data != NULL && recipients_count > 0)
{
rc = acl_check(ACL_WHERE_DATA, NULL, acl_smtp_data, &user_msg, &log_msg);
- add_acl_headers(US"DATA");
+ add_acl_headers(ACL_WHERE_DATA, US"DATA");
if (rc == DISCARD)
{
recipients_count = 0;
/* Does not return */
}
}
- add_acl_headers(US"non-SMTP");
+ add_acl_headers(ACL_WHERE_NOTSMTP, US"non-SMTP");
}
}
s = add_host_info_for_log(s, &size, &sptr);
#ifdef SUPPORT_TLS
-if ((log_extra_selector & LX_tls_cipher) != 0 && tls_in.cipher != NULL)
+if (log_extra_selector & LX_tls_cipher && tls_in.cipher)
s = string_append(s, &size, &sptr, 2, US" X=", tls_in.cipher);
-if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
- tls_in.cipher != NULL)
+if (log_extra_selector & LX_tls_certificate_verified && tls_in.cipher)
s = string_append(s, &size, &sptr, 2, US" CV=",
tls_in.certificate_verified? "yes":"no");
-if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_in.peerdn != NULL)
+if (log_extra_selector & LX_tls_peerdn && tls_in.peerdn)
s = string_append(s, &size, &sptr, 3, US" DN=\"",
string_printing(tls_in.peerdn), US"\"");
-if ((log_extra_selector & LX_tls_sni) != 0 && tls_in.sni != NULL)
+if (log_extra_selector & LX_tls_sni && tls_in.sni)
s = string_append(s, &size, &sptr, 3, US" SNI=\"",
string_printing(tls_in.sni), US"\"");
#endif
-if (sender_host_authenticated != NULL)
+if (sender_host_authenticated)
{
s = string_append(s, &size, &sptr, 2, US" A=", sender_host_authenticated);
if (authenticated_id != NULL)
}
}
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
if (prdr_requested)
s = string_append(s, &size, &sptr, 1, US" PRDR");
#endif
+#ifdef EXPERIMENTAL_PROXY
+if (proxy_session && log_extra_selector & LX_proxy)
+ s = string_append(s, &size, &sptr, 2, US" PRX=", proxy_host_address);
+#endif
+
sprintf(CS big_buffer, "%d", msg_size);
s = string_append(s, &size, &sptr, 2, US" S=", big_buffer);
XXX We do not handle queue-only, freezing, or blackholes.
*/
-cutthrough_done = NOT_TRIED;
if(cutthrough_fd >= 0)
{
uschar * msg= cutthrough_finaldot(); /* Ask the target system to accept the messsage */
}
}
-if(smtp_reply == NULL
-#ifdef EXPERIMENTAL_PRDR
- || prdr_requested
+#ifndef DISABLE_PRDR
+if(!smtp_reply || prdr_requested)
+#else
+if(!smtp_reply)
#endif
- )
{
log_write(0, LOG_MAIN |
(((log_extra_selector & LX_received_recipients) != 0)? LOG_RECIPIENTS : 0) |
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions concerned with routing, and the list of generic router options. */
(void *)offsetof(router_instance, domains) },
{ "driver", opt_stringptr|opt_public,
(void *)offsetof(router_instance, driver_name) },
+ #ifdef EXPERIMENTAL_DSN
+ { "dsn_lasthop", opt_bool|opt_public,
+ (void *)offsetof(router_instance, dsn_lasthop) },
+ #endif
{ "errors_to", opt_stringptr|opt_public,
(void *)(offsetof(router_instance, errors_to)) },
{ "expn", opt_bool|opt_public,
if (r->pass_router_name != NULL)
set_router(r, r->pass_router_name, &(r->pass_router), TRUE);
+
+ #ifdef EXPERIMENTAL_DSN
+ DEBUG(D_route) {
+ if (r->dsn_lasthop == FALSE)
+ debug_printf("DSN: %s propagating DSN\n", r->name);
+ else
+ debug_printf("DSN: %s lasthop set\n", r->name);
+ }
+ #endif
}
}
copyflag(new, addr, af_propagate);
new->p.address_data = addr->p.address_data;
+#ifdef EXPERIMENTAL_DSN
+new->dsn_flags = addr->dsn_flags;
+new->dsn_orcpt = addr->dsn_orcpt;
+#endif
/* As it has turned out, we haven't set headers_add or headers_remove for the
/* Run the router, and handle the consequences. */
+#ifdef EXPERIMENTAL_DSN
+/* ... but let us check on DSN before. If this should be the last hop for DSN
+ set flag
+*/
+ if ((r->dsn_lasthop == TRUE) && ((addr->dsn_flags & rf_dsnlasthop) == 0))
+ {
+ addr->dsn_flags |= rf_dsnlasthop;
+ HDEBUG(D_route) debug_printf("DSN: last hop for %s\n", addr->address);
+ }
+#endif
+
HDEBUG(D_route) debug_printf("calling %s router\n", r->name);
yield = (r->info->code)(r, addr, pw, verify, paddr_local, paddr_remote,
if (h->mx >= 0) debug_printf(" MX=%d", h->mx);
else if (h->mx != MX_NONE) debug_printf(" rgroup=%d", h->mx);
if (h->port != PORT_NONE) debug_printf(" port=%d", h->port);
+ /* if (h->dnssec != DS_UNK) debug_printf(" dnssec=%s", h->dnssec==DS_YES ? "yes" : "no"); */
debug_printf("\n");
}
}
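Review bot: this adds a commented-out debug_printf for h->dnssec rather than working code. Either make it live or leave it out of the commit and track it separately; commented-out lines in a debug path tend to go stale unnoticed.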
(void *)(offsetof(dnslookup_router_options_block, check_secondary_mx)) },
{ "check_srv", opt_stringptr,
(void *)(offsetof(dnslookup_router_options_block, check_srv)) },
+ { "dnssec_request_domains", opt_stringptr,
+ (void *)(offsetof(dnslookup_router_options_block, dnssec_request_domains)) },
+ { "dnssec_require_domains", opt_stringptr,
+ (void *)(offsetof(dnslookup_router_options_block, dnssec_require_domains)) },
{ "mx_domains", opt_stringptr,
(void *)(offsetof(dnslookup_router_options_block, mx_domains)) },
{ "mx_fail_domains", opt_stringptr,
NULL, /* mx_domains */
NULL, /* mx_fail_domains */
NULL, /* srv_fail_domains */
- NULL /* check_srv */
+ NULL, /* check_srv */
+ NULL, /* dnssec_request_domains */
+ NULL /* dnssec_require_domains */
};
}
rc = host_find_bydns(&h, rblock->ignore_target_hosts, flags, srv_service,
- ob->srv_fail_domains, ob->mx_fail_domains, &fully_qualified_name, &removed);
+ ob->srv_fail_domains, ob->mx_fail_domains,
+ ob->dnssec_request_domains, ob->dnssec_require_domains,
+ &fully_qualified_name, &removed);
if (removed) setflag(addr, af_local_host_removed);
/* If host found with only address records, test for the domain's being in
uschar *mx_fail_domains;
uschar *srv_fail_domains;
uschar *check_srv;
+ uschar *dnssec_request_domains;
+ uschar *dnssec_require_domains;
} dnslookup_router_options_block;
/* Data for reading the private options. */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
#include "../exim.h"
* Get additional headers for a router *
*************************************************/
-/* This function is called by both routers to sort out the additional headers
+/* This function is called by routers to sort out the additional headers
and header remove list for a particular address.
Arguments:
header_line **extra_headers, uschar **remove_headers)
{
/* Default is to retain existing headers */
-
*extra_headers = addr->p.extra_headers;
-if (rblock->extra_headers != NULL)
+if (rblock->extra_headers)
{
- header_line *h;
- uschar *s = expand_string(rblock->extra_headers);
+ uschar * list = rblock->extra_headers;
+ int sep = '\n';
+ uschar * s;
+ int slen;
- if (s == NULL)
- {
- if (!expand_string_forcedfail)
+ while ((s = string_nextinlist(&list, &sep, NULL, 0)))
+ if (!(s = expand_string(s)))
{
- addr->message = string_sprintf("%s router failed to expand \"%s\": %s",
- rblock->name, rblock->extra_headers, expand_string_message);
- return DEFER;
+ if (!expand_string_forcedfail)
+ {
+ addr->message = string_sprintf("%s router failed to expand \"%s\": %s",
+ rblock->name, rblock->extra_headers, expand_string_message);
+ return DEFER;
+ }
}
- }
-
- /* Expand succeeded. Put extra header at the start of the chain because
- further down it may point to headers from other routers, which may be
- shared with other addresses. The output function outputs them in reverse
- order. */
-
- else
- {
- int slen = Ustrlen(s);
- if (slen > 0)
+ else if ((slen = Ustrlen(s)) > 0)
{
- h = store_get(sizeof(header_line));
+ /* Expand succeeded. Put extra headers at the start of the chain because
+ further down it may point to headers from other routers, which may be
+ shared with other addresses. The output function outputs them in reverse
+ order. */
+
+ header_line * h = store_get(sizeof(header_line));
/* We used to use string_sprintf() to add the newline if needed, but that
causes problems if the header line is exceedingly long (e.g. adding
something to a pathologically long line). So avoid it. */
if (s[slen-1] == '\n')
- {
- h->text = s;
- }
+ h->text = s;
else
- {
- h->text = store_get(slen+2);
- memcpy(h->text, s, slen);
- h->text[slen++] = '\n';
- h->text[slen] = 0;
- }
-
- h->next = addr->p.extra_headers;
+ {
+ h->text = store_get(slen+2);
+ memcpy(h->text, s, slen);
+ h->text[slen++] = '\n';
+ h->text[slen] = 0;
+ }
+
+ h->next = *extra_headers;
h->type = htype_other;
h->slen = slen;
*extra_headers = h;
}
- }
}
/* Default is to retain existing removes */
-
*remove_headers = addr->p.remove_headers;
-if (rblock->remove_headers != NULL)
+/* Expand items from colon-sep list separately, then build new list */
+if (rblock->remove_headers)
{
- uschar *s = expand_string(rblock->remove_headers);
- if (s == NULL)
- {
- if (!expand_string_forcedfail)
+ uschar * list = rblock->remove_headers;
+ int sep = ':';
+ uschar * s;
+ uschar buffer[128];
+
+ while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
+ if (!(s = expand_string(s)))
{
- addr->message = string_sprintf("%s router failed to expand \"%s\": %s",
- rblock->name, rblock->remove_headers, expand_string_message);
- return DEFER;
+ if (!expand_string_forcedfail)
+ {
+ addr->message = string_sprintf("%s router failed to expand \"%s\": %s",
+ rblock->name, rblock->remove_headers, expand_string_message);
+ return DEFER;
+ }
}
- }
- else if (*s != 0)
- {
- if (addr->p.remove_headers == NULL)
- *remove_headers = s;
- else
- *remove_headers = string_sprintf("%s : %s", addr->p.remove_headers, s);
- }
+ else if (*s)
+ *remove_headers = string_append_listele(*remove_headers, ':', s);
}
return OK;
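Review bot: the remove_headers loop copies each unexpanded item into uschar buffer[128], whereas the extra_headers loop above passes NULL, 0 to string_nextinlist(); an item longer than 127 bytes, which a longer expansion string reaches easily, cannot fit before expand_string() sees it. Use the allocating form here too. Both loops now split on the separator before expansion, so an expansion string that itself contains the separator (a colon for remove_headers, a newline for extra_headers) is broken into pieces; that change in behaviour needs documenting. The failure message still prints the whole rblock->extra_headers or rblock->remove_headers list because s has been overwritten with NULL by then, so keep the original item in a second variable and report that instead.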
NULL, /* SRV service not relevant */
NULL, /* failing srv domains not relevant */
NULL, /* no special mx failing domains */
+ NULL, /* no dnssec request XXX ? */
+ NULL, /* no dnssec require XXX ? */
NULL, /* fully_qualified_name */
NULL); /* indicate local host removed */
}
BOOL removed;
DEBUG(D_route|D_host_lookup) debug_printf("doing DNS lookup\n");
rc = host_find_bydns(h, ignore_target_hosts, HOST_FIND_BY_A, NULL, NULL,
- NULL, &canonical_name, &removed);
+ NULL,
+ NULL, NULL, /*XXX dnssec? */
+ &canonical_name, &removed);
if (rc == HOST_FOUND)
{
if (removed) setflag(addr, af_local_host_removed);
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for handling an incoming SMTP call. */
QUIT_CMD, HELP_CMD,
+#ifdef EXPERIMENTAL_PROXY
+ PROXY_FAIL_IGNORE_CMD,
+#endif
+
/* These are specials that don't correspond to actual commands */
EOF_CMD, OTHER_CMD, BADARG_CMD, BADCHAR_CMD, BADSYN_CMD,
#ifdef SUPPORT_TLS
static BOOL tls_advertised;
#endif
+#ifdef EXPERIMENTAL_DSN
+static BOOL dsn_advertised;
+#endif
static BOOL esmtp;
static BOOL helo_required = FALSE;
static BOOL helo_verify = FALSE;
/* Sanity check and validate optional args to MAIL FROM: envelope */
enum {
ENV_MAIL_OPT_SIZE, ENV_MAIL_OPT_BODY, ENV_MAIL_OPT_AUTH,
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
ENV_MAIL_OPT_PRDR,
+#endif
+#ifdef EXPERIMENTAL_DSN
+ ENV_MAIL_OPT_RET, ENV_MAIL_OPT_ENVID,
#endif
ENV_MAIL_OPT_NULL
};
{ US"SIZE", ENV_MAIL_OPT_SIZE, TRUE },
{ US"BODY", ENV_MAIL_OPT_BODY, TRUE },
{ US"AUTH", ENV_MAIL_OPT_AUTH, TRUE },
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
{ US"PRDR", ENV_MAIL_OPT_PRDR, FALSE },
+#endif
+#ifdef EXPERIMENTAL_DSN
+ { US"RET", ENV_MAIL_OPT_RET, TRUE },
+ { US"ENVID", ENV_MAIL_OPT_ENVID, TRUE },
#endif
{ US"NULL", ENV_MAIL_OPT_NULL, FALSE }
};
+#ifdef EXPERIMENTAL_PROXY
+/*************************************************
+* Restore socket timeout to previous value *
+*************************************************/
+/* If the previous value was successfully retrieved, restore
+it before returning control to the non-proxy routines
+
+Arguments: fd - File descriptor for input
+ get_ok - Successfully retrieved previous values
+ tvtmp - Time struct with previous values
+ vslen - Length of time struct
+Returns: none
+*/
+static void
+restore_socket_timeout(int fd, int get_ok, struct timeval tvtmp, socklen_t vslen)
+{
+if (get_ok == 0)
+ setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tvtmp, vslen);
+}
+
+/*************************************************
+* Check if host is required proxy host *
+*************************************************/
+/* The function determines if inbound host will be a regular smtp host
+or if it is configured that it must use Proxy Protocol.
+
+Arguments: none
+Returns: bool
+*/
+
+static BOOL
+check_proxy_protocol_host()
+{
+int rc;
+/* Cannot configure local connection as a proxy inbound */
+if (sender_host_address == NULL) return proxy_session;
+
+rc = verify_check_this_host(&proxy_required_hosts, NULL, NULL,
+ sender_host_address, NULL);
+if (rc == OK)
+ {
+ DEBUG(D_receive)
+ debug_printf("Detected proxy protocol configured host\n");
+ proxy_session = TRUE;
+ }
+return proxy_session;
+}
+
+
+/*************************************************
+* Setup host for proxy protocol *
+*************************************************/
+/* The function configures the connection based on a header from the
+inbound host to use Proxy Protocol. The specification is very exact
+so exit with an error if do not find the exact required pieces. This
+includes an incorrect number of spaces separating args.
+
+Arguments: none
+Returns: int
+*/
+
+static BOOL
+setup_proxy_protocol_host()
+{
+union {
+ struct {
+ uschar line[108];
+ } v1;
+ struct {
+ uschar sig[12];
+ uint8_t ver_cmd;
+ uint8_t fam;
+ uint16_t len;
+ union {
+ struct { /* TCP/UDP over IPv4, len = 12 */
+ uint32_t src_addr;
+ uint32_t dst_addr;
+ uint16_t src_port;
+ uint16_t dst_port;
+ } ip4;
+ struct { /* TCP/UDP over IPv6, len = 36 */
+ uint8_t src_addr[16];
+ uint8_t dst_addr[16];
+ uint16_t src_port;
+ uint16_t dst_port;
+ } ip6;
+ struct { /* AF_UNIX sockets, len = 216 */
+ uschar src_addr[108];
+ uschar dst_addr[108];
+ } unx;
+ } addr;
+ } v2;
+} hdr;
+
+/* Temp variables used in PPv2 address:port parsing */
+uint16_t tmpport;
+char tmpip[INET_ADDRSTRLEN];
+struct sockaddr_in tmpaddr;
+char tmpip6[INET6_ADDRSTRLEN];
+struct sockaddr_in6 tmpaddr6;
+
+int get_ok = 0;
+int size, ret, fd;
+const char v2sig[12] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A";
+uschar *iptype; /* To display debug info */
+struct timeval tv;
+socklen_t vslen = 0;
+struct timeval tvtmp;
+
+vslen = sizeof(struct timeval);
+
+fd = fileno(smtp_in);
+
+/* Save current socket timeout values */
+get_ok = getsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tvtmp,
+ &vslen);
+
+/* Proxy Protocol host must send header within a short time
+(default 3 seconds) or it's considered invalid */
+tv.tv_sec = PROXY_NEGOTIATION_TIMEOUT_SEC;
+tv.tv_usec = PROXY_NEGOTIATION_TIMEOUT_USEC;
+setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tv,
+ sizeof(struct timeval));
+
+do
+ {
+ /* The inbound host was declared to be a Proxy Protocol host, so
+ don't do a PEEK into the data, actually slurp it up. */
+ ret = recv(fd, &hdr, sizeof(hdr), 0);
+ }
+ while (ret == -1 && errno == EINTR);
+
+if (ret == -1)
+ {
+ restore_socket_timeout(fd, get_ok, tvtmp, vslen);
+ return (errno == EAGAIN) ? 0 : ERRNO_PROXYFAIL;
+ }
+
+if (ret >= 16 &&
+ memcmp(&hdr.v2, v2sig, 12) == 0)
+ {
+ uint8_t ver, cmd;
+
+ /* May 2014: haproxy combined the version and command into one byte to
+ allow two full bytes for the length field in order to proxy SSL
+ connections. SSL Proxy is not supported in this version of Exim, but
+ must still seperate values here. */
+ ver = (hdr.v2.ver_cmd & 0xf0) >> 4;
+ cmd = (hdr.v2.ver_cmd & 0x0f);
+
+ if (ver != 0x02)
+ {
+ DEBUG(D_receive) debug_printf("Invalid Proxy Protocol version: %d\n", ver);
+ goto proxyfail;
+ }
+ DEBUG(D_receive) debug_printf("Detected PROXYv2 header\n");
+ /* The v2 header will always be 16 bytes per the spec. */
+ size = 16 + hdr.v2.len;
+ if (ret < size)
+ {
+ DEBUG(D_receive) debug_printf("Truncated or too large PROXYv2 header (%d/%d)\n",
+ ret, size);
+ goto proxyfail;
+ }
+ switch (cmd)
+ {
+ case 0x01: /* PROXY command */
+ switch (hdr.v2.fam)
+ {
+ case 0x11: /* TCPv4 address type */
+ iptype = US"IPv4";
+ tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
+ inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
+ if (!string_is_ip_address(US tmpip,NULL))
+ {
+ DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
+ return ERRNO_PROXYFAIL;
+ }
+ proxy_host_address = sender_host_address;
+ sender_host_address = string_copy(US tmpip);
+ tmpport = ntohs(hdr.v2.addr.ip4.src_port);
+ proxy_host_port = sender_host_port;
+ sender_host_port = tmpport;
+ /* Save dest ip/port */
+ tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.dst_addr;
+ inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
+ if (!string_is_ip_address(US tmpip,NULL))
+ {
+ DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
+ return ERRNO_PROXYFAIL;
+ }
+ proxy_target_address = string_copy(US tmpip);
+ tmpport = ntohs(hdr.v2.addr.ip4.dst_port);
+ proxy_target_port = tmpport;
+ goto done;
+ case 0x21: /* TCPv6 address type */
+ iptype = US"IPv6";
+ memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
+ inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
+ if (!string_is_ip_address(US tmpip6,NULL))
+ {
+ DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
+ return ERRNO_PROXYFAIL;
+ }
+ proxy_host_address = sender_host_address;
+ sender_host_address = string_copy(US tmpip6);
+ tmpport = ntohs(hdr.v2.addr.ip6.src_port);
+ proxy_host_port = sender_host_port;
+ sender_host_port = tmpport;
+ /* Save dest ip/port */
+ memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.dst_addr, 16);
+ inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
+ if (!string_is_ip_address(US tmpip6,NULL))
+ {
+ DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
+ return ERRNO_PROXYFAIL;
+ }
+ proxy_target_address = string_copy(US tmpip6);
+ tmpport = ntohs(hdr.v2.addr.ip6.dst_port);
+ proxy_target_port = tmpport;
+ goto done;
+ default:
+ DEBUG(D_receive)
+ debug_printf("Unsupported PROXYv2 connection type: 0x%02x\n",
+ hdr.v2.fam);
+ goto proxyfail;
+ }
+ /* Unsupported protocol, keep local connection address */
+ break;
+ case 0x00: /* LOCAL command */
+ /* Keep local connection address for LOCAL */
+ break;
+ default:
+ DEBUG(D_receive)
+ debug_printf("Unsupported PROXYv2 command: 0x%x\n", cmd);
+ goto proxyfail;
+ }
+ }
+else if (ret >= 8 &&
+ memcmp(hdr.v1.line, "PROXY", 5) == 0)
+ {
+ uschar *p = string_copy(hdr.v1.line);
+ uschar *end = memchr(p, '\r', ret - 1);
+ uschar *sp; /* Utility variables follow */
+ int tmp_port;
+ char *endc;
+
+ if (!end || end[1] != '\n')
+ {
+ DEBUG(D_receive) debug_printf("Partial or invalid PROXY header\n");
+ goto proxyfail;
+ }
+ *end = '\0'; /* Terminate the string */
+ size = end + 2 - hdr.v1.line; /* Skip header + CRLF */
+ DEBUG(D_receive) debug_printf("Detected PROXYv1 header\n");
+ /* Step through the string looking for the required fields. Ensure
+ strict adherance to required formatting, exit for any error. */
+ p += 5;
+ if (!isspace(*(p++)))
+ {
+ DEBUG(D_receive) debug_printf("Missing space after PROXY command\n");
+ goto proxyfail;
+ }
+ if (!Ustrncmp(p, CCS"TCP4", 4))
+ iptype = US"IPv4";
+ else if (!Ustrncmp(p,CCS"TCP6", 4))
+ iptype = US"IPv6";
+ else if (!Ustrncmp(p,CCS"UNKNOWN", 7))
+ {
+ iptype = US"Unknown";
+ goto done;
+ }
+ else
+ {
+ DEBUG(D_receive) debug_printf("Invalid TCP type\n");
+ goto proxyfail;
+ }
+
+ p += Ustrlen(iptype);
+ if (!isspace(*(p++)))
+ {
+ DEBUG(D_receive) debug_printf("Missing space after TCP4/6 command\n");
+ goto proxyfail;
+ }
+ /* Find the end of the arg */
+ if ((sp = Ustrchr(p, ' ')) == NULL)
+ {
+ DEBUG(D_receive)
+ debug_printf("Did not find proxied src %s\n", iptype);
+ goto proxyfail;
+ }
+ *sp = '\0';
+ if(!string_is_ip_address(p,NULL))
+ {
+ DEBUG(D_receive)
+ debug_printf("Proxied src arg is not an %s address\n", iptype);
+ goto proxyfail;
+ }
+ proxy_host_address = sender_host_address;
+ sender_host_address = p;
+ p = sp + 1;
+ if ((sp = Ustrchr(p, ' ')) == NULL)
+ {
+ DEBUG(D_receive)
+ debug_printf("Did not find proxy dest %s\n", iptype);
+ goto proxyfail;
+ }
+ *sp = '\0';
+ if(!string_is_ip_address(p,NULL))
+ {
+ DEBUG(D_receive)
+ debug_printf("Proxy dest arg is not an %s address\n", iptype);
+ goto proxyfail;
+ }
+ proxy_target_address = p;
+ p = sp + 1;
+ if ((sp = Ustrchr(p, ' ')) == NULL)
+ {
+ DEBUG(D_receive) debug_printf("Did not find proxied src port\n");
+ goto proxyfail;
+ }
+ *sp = '\0';
+ tmp_port = strtol(CCS p,&endc,10);
+ if (*endc || tmp_port == 0)
+ {
+ DEBUG(D_receive)
+ debug_printf("Proxied src port '%s' not an integer\n", p);
+ goto proxyfail;
+ }
+ proxy_host_port = sender_host_port;
+ sender_host_port = tmp_port;
+ p = sp + 1;
+ if ((sp = Ustrchr(p, '\0')) == NULL)
+ {
+ DEBUG(D_receive) debug_printf("Did not find proxy dest port\n");
+ goto proxyfail;
+ }
+ tmp_port = strtol(CCS p,&endc,10);
+ if (*endc || tmp_port == 0)
+ {
+ DEBUG(D_receive)
+ debug_printf("Proxy dest port '%s' not an integer\n", p);
+ goto proxyfail;
+ }
+ proxy_target_port = tmp_port;
+ /* Already checked for /r /n above. Good V1 header received. */
+ goto done;
+ }
+else
+ {
+ /* Wrong protocol */
+ DEBUG(D_receive) debug_printf("Invalid proxy protocol version negotiation\n");
+ goto proxyfail;
+ }
+
+proxyfail:
+restore_socket_timeout(fd, get_ok, tvtmp, vslen);
+/* Don't flush any potential buffer contents. Any input should cause a
+ synchronization failure */
+return FALSE;
+
+done:
+restore_socket_timeout(fd, get_ok, tvtmp, vslen);
+DEBUG(D_receive)
+ debug_printf("Valid %s sender from Proxy Protocol header\n", iptype);
+return proxy_session;
+}
+#endif
+
/*************************************************
* Read one command line *
*************************************************/
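Review bot: setup_proxy_protocol_host() is declared `static BOOL` and its caller tests `== FALSE`, but the recv() error path and the four PPv2 address checks `return ERRNO_PROXYFAIL`. Unless that constant is zero, the caller treats those failures as a successful negotiation, and those returns also skip restore_socket_timeout(). Route them through `goto proxyfail` so that every failure returns FALSE with the timeout restored. In the PPv2 branch, the `break` under `case 0x00: /* LOCAL command */` leaves the `if` and runs straight into the `proxyfail:` label, so LOCAL is rejected even though the comment says the local address is kept. In the PPv1 branch, `string_copy(hdr.v1.line)` reads an uninitialised stack buffer that recv() never NUL-terminates, and `memchr(p, '\r', ret - 1)` can then scan past the end of a shorter copy; bound the copy by ret. The ports parsed with strtol() are only checked for `== 0`, so negative and oversized values get through; range-check them against 1..65535.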
for (p = cmd_list; p < cmd_list_end; p++)
{
+ #ifdef EXPERIMENTAL_PROXY
+ /* Only allow QUIT command if Proxy Protocol parsing failed */
+ if (proxy_session && proxy_session_failed)
+ {
+ if (p->cmd != QUIT_CMD)
+ continue;
+ }
+ #endif
if (strncmpic(smtp_cmd_buffer, US p->name, p->len) == 0 &&
(smtp_cmd_buffer[p->len-1] == ':' || /* "mail from:" or "rcpt to:" */
smtp_cmd_buffer[p->len] == 0 ||
}
}
+#ifdef EXPERIMENTAL_PROXY
+/* Only allow QUIT command if Proxy Protocol parsing failed */
+if (proxy_session && proxy_session_failed)
+ return PROXY_FAIL_IGNORE_CMD;
+#endif
+
/* Enforce synchronization for unknown commands */
if (smtp_inptr < smtp_inend && /* Outstanding input */
+#ifdef SUPPORT_TLS
+/* Append TLS-related information to a log line
+
+Arguments:
+ s String under construction: allocated string to extend, or NULL
+ sizep Pointer to current allocation size (update on return), or NULL
+ ptrp Pointer to index for new entries in string (update on return), or NULL
+
+Returns: Allocated string or NULL
+*/
+static uschar *
+s_tlslog(uschar * s, int * sizep, int * ptrp)
+{
+ int size = sizep ? *sizep : 0;
+ int ptr = ptrp ? *ptrp : 0;
+
+ if ((log_extra_selector & LX_tls_cipher) != 0 && tls_in.cipher != NULL)
+ s = string_append(s, &size, &ptr, 2, US" X=", tls_in.cipher);
+ if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
+ tls_in.cipher != NULL)
+ s = string_append(s, &size, &ptr, 2, US" CV=",
+ tls_in.certificate_verified? "yes":"no");
+ if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_in.peerdn != NULL)
+ s = string_append(s, &size, &ptr, 3, US" DN=\"",
+ string_printing(tls_in.peerdn), US"\"");
+ if ((log_extra_selector & LX_tls_sni) != 0 && tls_in.sni != NULL)
+ s = string_append(s, &size, &ptr, 3, US" SNI=\"",
+ string_printing(tls_in.sni), US"\"");
+
+ if (s)
+ {
+ s[ptr] = '\0';
+ if (sizep) *sizep = size;
+ if (ptrp) *ptrp = ptr;
+ }
+ return s;
+}
+#endif
+
/*************************************************
* Log lack of MAIL if so configured *
*************************************************/
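Review bot: the header comment of s_tlslog() allows sizep and ptrp to be NULL independently of s, but with a non-NULL s and NULL sizep/ptrp the function starts from `size = 0` and `ptr = 0`, so string_append() would treat the existing buffer as empty. Either document that s must be NULL whenever sizep or ptrp is NULL (the only such call visible here passes all three as NULL), or reject that combination at the top of the function.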
}
#ifdef SUPPORT_TLS
-if ((log_extra_selector & LX_tls_cipher) != 0 && tls_in.cipher != NULL)
- s = string_append(s, &size, &ptr, 2, US" X=", tls_in.cipher);
-if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
- tls_in.cipher != NULL)
- s = string_append(s, &size, &ptr, 2, US" CV=",
- tls_in.certificate_verified? "yes":"no");
-if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_in.peerdn != NULL)
- s = string_append(s, &size, &ptr, 3, US" DN=\"",
- string_printing(tls_in.peerdn), US"\"");
-if ((log_extra_selector & LX_tls_sni) != 0 && tls_in.sni != NULL)
- s = string_append(s, &size, &ptr, 3, US" SNI=\"",
- string_printing(tls_in.sni), US"\"");
+s = s_tlslog(s, &size, &ptr);
#endif
sep = (smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE)?
sender_verified_list = NULL; /* No senders verified */
memset(sender_address_cache, 0, sizeof(sender_address_cache));
memset(sender_domain_cache, 0, sizeof(sender_domain_cache));
+
+#ifdef EXPERIMENTAL_DSN
+/* Reset the DSN flags */
+dsn_ret = 0;
+dsn_envid = NULL;
+#endif
+
authenticated_sender = NULL;
#ifdef EXPERIMENTAL_BRIGHTMAIL
bmi_run = 0;
#ifdef SUPPORT_TLS
tls_in.cipher = tls_in.peerdn = NULL;
+tls_in.ourcert = tls_in.peercert = NULL;
+tls_in.sni = NULL;
+tls_in.ocsp = OCSP_NOT_REQ;
tls_advertised = FALSE;
#endif
+#ifdef EXPERIMENTAL_DSN
+dsn_advertised = FALSE;
+#endif
/* Reset ACL connection variables */
if (smtp_batched_input) return TRUE;
+#ifdef EXPERIMENTAL_PROXY
+/* If valid Proxy Protocol source is connecting, set up session.
+ * Failure will not allow any SMTP function other than QUIT. */
+proxy_session = FALSE;
+proxy_session_failed = FALSE;
+if (check_proxy_protocol_host())
+ {
+ if (setup_proxy_protocol_host() == FALSE)
+ {
+ proxy_session_failed = TRUE;
+ DEBUG(D_receive)
+ debug_printf("Failure to extract proxied host, only QUIT allowed\n");
+ }
+ else
+ {
+ sender_host_name = NULL;
+ (void)host_name_lookup();
+ host_build_sender_fullhost();
+ }
+ }
+#endif
+
/* Run the ACL if it exists */
user_msg = NULL;
#endif
(where == ACL_WHERE_PREDATA)? US"DATA" :
(where == ACL_WHERE_DATA)? US"after DATA" :
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
(where == ACL_WHERE_PRDR)? US"after DATA PRDR" :
#endif
(smtp_cmd_data == NULL)?
is closing if required and return 2. */
if (log_reject_target != 0)
- log_write(0, log_reject_target, "%s %s%srejected %s%s",
- host_and_ident(TRUE),
+ {
+#ifdef SUPPORT_TLS
+ uschar * s = s_tlslog(NULL, NULL, NULL);
+ if (!s) s = US"";
+#else
+ uschar * s = US"";
+#endif
+ log_write(0, log_reject_target, "%s%s %s%srejected %s%s",
+ host_and_ident(TRUE), s,
sender_info, (rc == FAIL)? US"" : US"temporarily ", what, log_msg);
+ }
if (!drop) return 0;
-
/*************************************************
* Initialize for SMTP incoming message *
*************************************************/
int ptr, size, rc;
int c, i;
auth_instance *au;
+#ifdef EXPERIMENTAL_DSN
+ uschar *orcpt = NULL;
+ int flags;
+#endif
switch(smtp_read_command(TRUE))
{
#ifdef SUPPORT_TLS
tls_advertised = FALSE;
#endif
+ #ifdef EXPERIMENTAL_DSN
+ dsn_advertised = FALSE;
+ #endif
smtp_code = US"250 "; /* Default response code plus space*/
if (user_msg == NULL)
s = string_cat(s, &size, &ptr, US"-8BITMIME\r\n", 11);
}
+ #ifdef EXPERIMENTAL_DSN
+ /* Advertise DSN support if configured to do so. */
+ if (verify_check_host(&dsn_advertise_hosts) != FAIL)
+ {
+ s = string_cat(s, &size, &ptr, smtp_code, 3);
+ s = string_cat(s, &size, &ptr, US"-DSN\r\n", 6);
+ dsn_advertised = TRUE;
+ }
+ #endif
+
/* Advertise ETRN if there's an ACL checking whether a host is
permitted to issue it; a check is made when any host actually tries. */
}
#endif
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
/* Per Recipient Data Response, draft by Eric A. Hall extending RFC */
- if (prdr_enable) {
+ if (prdr_enable)
+ {
s = string_cat(s, &size, &ptr, smtp_code, 3);
s = string_cat(s, &size, &ptr, US"-PRDR\r\n", 7);
- }
+ }
#endif
/* Finish off the multiline reply with one that is always available. */
arg_error = TRUE;
break;
+ #ifdef EXPERIMENTAL_DSN
+
+ /* Handle the two DSN options, but only if configured to do so (which
+ will have caused "DSN" to be given in the EHLO response). The code itself
+ is included only if configured in at build time. */
+
+ case ENV_MAIL_OPT_RET:
+ if (dsn_advertised) {
+ /* Check if RET has already been set */
+ if (dsn_ret > 0) {
+ synprot_error(L_smtp_syntax_error, 501, NULL,
+ US"RET can be specified once only");
+ goto COMMAND_LOOP;
+ }
+ dsn_ret = (strcmpic(value, US"HDRS") == 0)? dsn_ret_hdrs :
+ (strcmpic(value, US"FULL") == 0)? dsn_ret_full : 0;
+ DEBUG(D_receive) debug_printf("DSN_RET: %d\n", dsn_ret);
+ /* Check for invalid invalid value, and exit with error */
+ if (dsn_ret == 0) {
+ synprot_error(L_smtp_syntax_error, 501, NULL,
+ US"Value for RET is invalid");
+ goto COMMAND_LOOP;
+ }
+ }
+ break;
+ case ENV_MAIL_OPT_ENVID:
+ if (dsn_advertised) {
+ /* Check if the dsn envid has been already set */
+ if (dsn_envid != NULL) {
+ synprot_error(L_smtp_syntax_error, 501, NULL,
+ US"ENVID can be specified once only");
+ goto COMMAND_LOOP;
+ }
+ dsn_envid = string_copy(value);
+ DEBUG(D_receive) debug_printf("DSN_ENVID: %s\n", dsn_envid);
+ }
+ break;
+ #endif
+
/* Handle the AUTH extension. If the value given is not "<>" and either
the ACL says "yes" or there is no ACL but the sending host is
authenticated, we set it up as the authenticated sender. However, if the
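Review bot: in `case ENV_MAIL_OPT_ENVID` the value is stored with `string_copy(value)` without any check, although RFC 3461 defines ENVID as xtext of at most 100 characters, and the same string is later written verbatim to the spool header as `-dsn_envid %s`. Validate length and xtext syntax here and answer 501 on failure, as is done for RET. Both cases also fall through to `break` when `dsn_advertised` is false, so RET= and ENVID= are silently accepted from hosts that were never offered DSN; decide whether that should be a syntax error instead. The comment `invalid invalid value` has a doubled word.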
}
break;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
case ENV_MAIL_OPT_PRDR:
- if ( prdr_enable )
+ if (prdr_enable)
prdr_requested = TRUE;
break;
#endif
when pipelining is not advertised, do another sync check in case the ACL
delayed and the client started sending in the meantime. */
- if (acl_smtp_mail == NULL) rc = OK; else
+ if (acl_smtp_mail)
{
rc = acl_check(ACL_WHERE_MAIL, NULL, acl_smtp_mail, &user_msg, &log_msg);
if (rc == OK && !pipelining_advertised && !check_sync())
goto SYNC_FAILURE;
}
+ else
+ rc = OK;
if (rc == OK || rc == DISCARD)
{
- if (user_msg == NULL)
+ if (!user_msg)
smtp_printf("%s%s%s", US"250 OK",
- #ifdef EXPERIMENTAL_PRDR
- prdr_requested == TRUE ? US", PRDR Requested" :
- #endif
+ #ifndef DISABLE_PRDR
+ prdr_requested ? US", PRDR Requested" : US"",
+ #else
US"",
+ #endif
US"\r\n");
else
{
- #ifdef EXPERIMENTAL_PRDR
- if ( prdr_requested == TRUE )
+ #ifndef DISABLE_PRDR
+ if (prdr_requested)
user_msg = string_sprintf("%s%s", user_msg, US", PRDR Requested");
#endif
- smtp_user_msg(US"250",user_msg);
+ smtp_user_msg(US"250", user_msg);
}
smtp_delay_rcpt = smtp_rlr_base;
recipients_discarded = (rc == DISCARD);
rcpt_fail_count++;
break;
}
+
+ #ifdef EXPERIMENTAL_DSN
+ /* Set the DSN flags orcpt and dsn_flags from the session*/
+ orcpt = NULL;
+ flags = 0;
+
+ if (esmtp) for(;;)
+ {
+ uschar *name, *value, *end;
+ int size;
+
+ if (!extract_option(&name, &value))
+ {
+ break;
+ }
+
+ if (dsn_advertised && strcmpic(name, US"ORCPT") == 0)
+ {
+ /* Check whether orcpt has been already set */
+ if (orcpt != NULL) {
+ synprot_error(L_smtp_syntax_error, 501, NULL,
+ US"ORCPT can be specified once only");
+ goto COMMAND_LOOP;
+ }
+ orcpt = string_copy(value);
+ DEBUG(D_receive) debug_printf("DSN orcpt: %s\n", orcpt);
+ }
+
+ else if (dsn_advertised && strcmpic(name, US"NOTIFY") == 0)
+ {
+ /* Check if the notify flags have been already set */
+ if (flags > 0) {
+ synprot_error(L_smtp_syntax_error, 501, NULL,
+ US"NOTIFY can be specified once only");
+ goto COMMAND_LOOP;
+ }
+ if (strcmpic(value, US"NEVER") == 0) flags |= rf_notify_never; else
+ {
+ uschar *p = value;
+ while (*p != 0)
+ {
+ uschar *pp = p;
+ while (*pp != 0 && *pp != ',') pp++;
+ if (*pp == ',') *pp++ = 0;
+ if (strcmpic(p, US"SUCCESS") == 0) {
+ DEBUG(D_receive) debug_printf("DSN: Setting notify success\n");
+ flags |= rf_notify_success;
+ }
+ else if (strcmpic(p, US"FAILURE") == 0) {
+ DEBUG(D_receive) debug_printf("DSN: Setting notify failure\n");
+ flags |= rf_notify_failure;
+ }
+ else if (strcmpic(p, US"DELAY") == 0) {
+ DEBUG(D_receive) debug_printf("DSN: Setting notify delay\n");
+ flags |= rf_notify_delay;
+ }
+ else {
+ /* Catch any strange values */
+ synprot_error(L_smtp_syntax_error, 501, NULL,
+ US"Invalid value for NOTIFY parameter");
+ goto COMMAND_LOOP;
+ }
+ p = pp;
+ }
+ DEBUG(D_receive) debug_printf("DSN Flags: %x\n", flags);
+ }
+ }
+
+ /* Unknown option. Stick back the terminator characters and break
+ the loop. An error for a malformed address will occur. */
+
+ else
+ {
+ DEBUG(D_receive) debug_printf("Invalid RCPT option: %s : %s\n", name, value);
+ name[-1] = ' ';
+ value[-1] = '=';
+ break;
+ }
+ }
+ #endif
/* Apply SMTP rewriting then extract the working address. Don't allow "<>"
as a recipient address */
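Review bot: duplicate NOTIFY detection uses `if (flags > 0)`, so a NOTIFY parameter that sets no bit is invisible to it. If extract_option() can hand back an empty value, `NOTIFY=` skips the `while (*p != 0)` loop, raises no error, and a second NOTIFY is then accepted. Track a separate "seen" flag and reject an empty list with 501. ORCPT is likewise copied unvalidated with `string_copy(value)`, where RFC 3461 requires the form addr-type;xtext. The locals `end` and `size` declared at the top of the loop are never used.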
if (user_msg == NULL) smtp_printf("250 Accepted\r\n");
else smtp_user_msg(US"250", user_msg);
receive_add_recipient(recipient, -1);
+
+ #ifdef EXPERIMENTAL_DSN
+ /* Set the dsn flags in the recipients_list */
+ if (orcpt != NULL)
+ recipients_list[recipients_count-1].orcpt = orcpt;
+ else
+ recipients_list[recipients_count-1].orcpt = NULL;
+
+ if (flags != 0)
+ recipients_list[recipients_count-1].dsn_flags = flags;
+ else
+ recipients_list[recipients_count-1].dsn_flags = 0;
+ DEBUG(D_receive) debug_printf("DSN: orcpt: %s flags: %d\n", recipients_list[recipients_count-1].orcpt, recipients_list[recipients_count-1].dsn_flags);
+ #endif
+
}
/* The recipient was discarded */
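Review bot: both if/else pairs after receive_add_recipient() assign the same value on either arm (orcpt is stored as NULL exactly when it is NULL, flags as 0 exactly when it is 0), so two plain assignments would say the same thing and be easier to read. The DEBUG line is also far longer than the surrounding code and would be better wrapped.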
done = 1; /* Pretend eof - drops connection */
break;
+ #ifdef EXPERIMENTAL_PROXY
+ case PROXY_FAIL_IGNORE_CMD:
+ smtp_printf("503 Command refused, required Proxy negotiation failed\r\n");
+ break;
+ #endif
default:
if (unknown_command_count++ >= smtp_max_unknown_commands)
return done - 2; /* Convert yield values */
}
+/* vi: aw ai sw=2
+*/
/* End of smtp_in.c */
*************************************************/
/* Experimental SPF support.
- Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004
+ Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
License: GPL */
/* Code for calling spf checks via libspf-alt. Called from acl.c. */
{ US"fail", 3 },
{ US"softfail", 4 },
{ US"none", 5 },
- { US"err_temp", 6 },
- { US"err_perm", 7 }
+ { US"err_temp", 6 }, /* Deprecated Apr 2014 */
+ { US"err_perm", 7 }, /* Deprecated Apr 2014 */
+ { US"temperror", 6 }, /* RFC 4408 defined */
+ { US"permerror", 7 } /* RFC 4408 defined */
};
SPF_server_t *spf_server = NULL;
#ifdef SUPPORT_TLS
tls_in.certificate_verified = FALSE;
tls_in.cipher = NULL;
+tls_in.ourcert = NULL;
+tls_in.peercert = NULL;
tls_in.peerdn = NULL;
tls_in.sni = NULL;
+tls_in.ocsp = OCSP_NOT_REQ;
#endif
#ifdef WITH_CONTENT_SCAN
spam_score_int = NULL;
#endif
+#ifdef EXPERIMENTAL_DSN
+dsn_ret = 0;
+dsn_envid = NULL;
+#endif
+
/* Generate the full name and open the file. If message_subdir is already
set, just look in the given directory. Otherwise, look in both the split
and unsplit directories, as for the data file above. */
case 'd':
if (Ustrcmp(p, "eliver_firsttime") == 0)
deliver_firsttime = TRUE;
+ #ifdef EXPERIMENTAL_DSN
+ /* Check if the dsn flags have been set in the header file */
+ else if (Ustrncmp(p, "sn_ret", 6) == 0)
+ {
+ dsn_ret= atoi(big_buffer + 8);
+ }
+ else if (Ustrncmp(p, "sn_envid", 8) == 0)
+ {
+ dsn_envid = string_copy(big_buffer + 11);
+ }
+ #endif
break;
case 'f':
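Review bot: `dsn_ret= atoi(big_buffer + 8)` starts at the space after `-dsn_ret` rather than at the value, which sits at offset 9 by the same counting that gives `big_buffer + 11` for `-dsn_envid` and `big_buffer + 12` for `-tls_cipher`; it works only because atoi() skips leading white space. Use offset 9, and check the result against the two values the SMTP side can store (dsn_ret_hdrs, dsn_ret_full) rather than trusting whatever the spool file holds. `Ustrncmp(p, "sn_ret", 6)` is a prefix match, so any later option whose name begins `-dsn_ret` would be caught here too.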
tls_in.certificate_verified = TRUE;
else if (Ustrncmp(p, "ls_cipher", 9) == 0)
tls_in.cipher = string_copy(big_buffer + 12);
+#ifndef COMPILE_UTILITY
+ else if (Ustrncmp(p, "ls_ourcert", 10) == 0)
+ (void) tls_import_cert(big_buffer + 13, &tls_in.ourcert);
+ else if (Ustrncmp(p, "ls_peercert", 11) == 0)
+ (void) tls_import_cert(big_buffer + 14, &tls_in.peercert);
+#endif
else if (Ustrncmp(p, "ls_peerdn", 9) == 0)
tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
else if (Ustrncmp(p, "ls_sni", 6) == 0)
tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
+ else if (Ustrncmp(p, "ls_ocsp", 7) == 0)
+ tls_in.ocsp = big_buffer[10] - '0';
break;
#endif
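Review bot: `tls_in.ocsp = big_buffer[10] - '0'` takes one byte from the spool file with no range check, so a damaged `-tls_ocsp` line yields an arbitrary or negative status. Check that the byte is a digit within the defined OCSP status values and fall back to OCSP_NOT_REQ otherwise. The results of both tls_import_cert() calls are discarded with `(void)`; a failed import deserves at least a debug or log line.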
{
int nn;
int pno = -1;
+ #ifdef EXPERIMENTAL_DSN
+ int dsn_flags = 0;
+ uschar *orcpt = NULL;
+ #endif
uschar *errors_to = NULL;
uschar *p;
ends with <errors_to address><space><len>,<pno> where pno is
the parent number for one_time addresses, and len is the length
of the errors_to address (zero meaning none).
+
+ Bit 02 indicates that, again reading from right to left, the data continues
+ with orcpt len(orcpt),dsn_flags
*/
while (isdigit(*p)) p--;
else if (*p == '#')
{
int flags;
+
+ #ifdef EXPERIMENTAL_DSN
+ #ifndef COMPILE_UTILITY
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 4 standard format spoolfile\n");
+ #endif /* COMPILE_UTILITY */
+ #endif
+
(void)sscanf(CS p+1, "%d", &flags);
if ((flags & 0x01) != 0) /* one_time data exists */
{
p -= len;
errors_to = string_copy(p);
- }
+ }
}
*(--p) = 0; /* Terminate address */
+#ifdef EXPERIMENTAL_DSN
+ if ((flags & 0x02) != 0) /* one_time data exists */
+ {
+ int len;
+ while (isdigit(*(--p)) || *p == ',' || *p == '-');
+ (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
+ *p = 0;
+ if (len > 0)
+ {
+ p -= len;
+ orcpt = string_copy(p);
+ }
+ }
+
+ *(--p) = 0; /* Terminate address */
+#endif /* EXPERIMENTAL_DSN */
+ }
+#ifdef EXPERIMENTAL_DSN
+ #ifndef COMPILE_UTILITY
+ else
+ {
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n");
+ }
+
+ if ((orcpt != NULL) || (dsn_flags != 0))
+ {
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| orcpt: |%s| dsn_flags: %d\n",
+ big_buffer, orcpt, dsn_flags);
}
+ if (errors_to != NULL)
+ {
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| errorsto: |%s|\n",
+ big_buffer, errors_to);
+ }
+ #endif /* COMPILE_UTILITY */
+#endif /* EXPERIMENTAL_DSN */
recipients_list[recipients_count].address = string_copy(big_buffer);
recipients_list[recipients_count].pno = pno;
recipients_list[recipients_count].errors_to = errors_to;
+ #ifdef EXPERIMENTAL_DSN
+ recipients_list[recipients_count].orcpt = orcpt;
+ recipients_list[recipients_count].dsn_flags = dsn_flags;
+ #endif
}
/* The remainder of the spool header file contains the headers for the message,
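Review bot: with EXPERIMENTAL_DSN defined, `*(--p) = 0; /* Terminate address */` now executes twice, once on the existing line after the 0x01 block and again after the new 0x02 block. For a recipient line whose flags have bit 0x02 clear (the `#1` format that the non-DSN writer still produces), the first statement terminates the address and the second then steps back one more byte and overwrites the last character of the address. Keep a single terminating store, or make the second one conditional on `(flags & 0x02) != 0`. The new block's comment `/* one_time data exists */` is copied from the 0x01 case and should describe the orcpt/dsn_flags data, and `len` is used in `p -= len` without checking that sscanf() matched both fields or that the result stays inside big_buffer.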
return inheader? spool_read_hdrerror : spool_read_enverror;
}
+/* vi: aw ai sw=2
+*/
/* End of spool_in.c */
#ifdef SUPPORT_TLS
if (tls_in.certificate_verified) fprintf(f, "-tls_certificate_verified\n");
-if (tls_in.cipher != NULL) fprintf(f, "-tls_cipher %s\n", tls_in.cipher);
-if (tls_in.peerdn != NULL) fprintf(f, "-tls_peerdn %s\n", string_printing(tls_in.peerdn));
-if (tls_in.sni != NULL) fprintf(f, "-tls_sni %s\n", string_printing(tls_in.sni));
+if (tls_in.cipher) fprintf(f, "-tls_cipher %s\n", tls_in.cipher);
+if (tls_in.peercert)
+ {
+ (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.peercert);
+ fprintf(f, "-tls_peercert %s\n", CS big_buffer);
+ }
+if (tls_in.peerdn) fprintf(f, "-tls_peerdn %s\n", string_printing(tls_in.peerdn));
+if (tls_in.sni) fprintf(f, "-tls_sni %s\n", string_printing(tls_in.sni));
+if (tls_in.ourcert)
+ {
+ (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert);
+ fprintf(f, "-tls_ourcert %s\n", CS big_buffer);
+ }
+if (tls_in.ocsp) fprintf(f, "-tls_ocsp %d\n", tls_in.ocsp);
+#endif
+
+#ifdef EXPERIMENTAL_DSN
+/* Write the dsn flags to the spool header file */
+DEBUG(D_deliver) debug_printf("DSN: Write SPOOL :-dsn_envid %s\n", dsn_envid);
+if (dsn_envid != NULL) fprintf(f, "-dsn_envid %s\n", dsn_envid);
+DEBUG(D_deliver) debug_printf("DSN: Write SPOOL :-dsn_ret %d\n", dsn_ret);
+if (dsn_ret != 0) fprintf(f, "-dsn_ret %d\n", dsn_ret);
#endif
/* To complete the envelope, write out the tree of non-recipients, followed by
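Review bot: the return value of tls_export_cert() is cast away for both peercert and ourcert, and big_buffer is written to the spool file regardless, so a failed or truncated export stores whatever big_buffer held before as `-tls_peercert` or `-tls_ourcert`. Write the line only when the export succeeds. In the DSN part, the two debug_printf() calls run even when dsn_envid is NULL or dsn_ret is 0, which makes the "Write SPOOL" message misleading; move each one inside its `if`.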
for (i = 0; i < recipients_count; i++)
{
recipient_item *r = recipients_list + i;
- if (r->pno < 0 && r->errors_to == NULL)
+#ifdef EXPERIMENTAL_DSN
+DEBUG(D_deliver) debug_printf("DSN: Flags :%d\n", r->dsn_flags);
+#endif
+ if (r->pno < 0 && r->errors_to == NULL
+ #ifdef EXPERIMENTAL_DSN
+ && r->dsn_flags == 0
+ #endif
+ )
fprintf(f, "%s\n", r->address);
else
{
uschar *errors_to = (r->errors_to == NULL)? US"" : r->errors_to;
+ #ifdef EXPERIMENTAL_DSN
+ /* for DSN SUPPORT extend exim 4 spool in a compatible way by
+ adding new values upfront and add flag 0x02 */
+ uschar *orcpt = (r->orcpt == NULL)? US"" : r->orcpt;
+ fprintf(f, "%s %s %d,%d %s %d,%d#3\n", r->address, orcpt, Ustrlen(orcpt), r->dsn_flags,
+ errors_to, Ustrlen(errors_to), r->pno);
+ #else
fprintf(f, "%s %s %d,%d#1\n", r->address, errors_to,
Ustrlen(errors_to), r->pno);
+ #endif
}
+
+ #ifdef EXPERIMENTAL_DSN
+ DEBUG(D_deliver) debug_printf("DSN: **** SPOOL_OUT - address: |%s| errorsto: |%s| orcpt: |%s| dsn_flags: %d\n",
+ r->address, r->errors_to, r->orcpt, r->dsn_flags);
+ #endif
}
/* Put a blank line before the headers */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Miscellaneous string-handling functions. Some are not required for
*/
int
-string_is_ip_address(uschar *s, int *maskptr)
+string_is_ip_address(const uschar *s, int *maskptr)
{
int i;
int yield = 4;
if (maskptr != NULL)
{
- uschar *ss = s + Ustrlen(s);
+ const uschar *ss = s + Ustrlen(s);
*maskptr = 0;
if (s != ss && isdigit(*(--ss)))
{
/* Get a new block of store guaranteed big enough to hold the
expanded string. */
-ss = store_get(length + nonprintcount * 4 + 1);
+ss = store_get(length + nonprintcount * 3 + 1);
/* Copy everying, escaping non printers. */
{
if (*p == '\\')
{
- *q = string_interpret_escape(&p);
+ *q++ = string_interpret_escape(&p);
+ p++;
}
else
{
va_start(ap, format);
if (!string_vformat(buffer, sizeof(buffer), format, ap))
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
- "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
+ "string_sprintf expansion was longer than " SIZE_T_FMT " (%s)",
+ sizeof(buffer), format);
va_end(ap);
return string_copy(buffer);
}
#endif /* COMPILE_UTILITY */
+#ifndef COMPILE_UTILITY
+/************************************************
+* Add element to seperated list *
+************************************************/
+/* This function is used to build a list, returning
+an allocated null-terminated growable string. The
+given element has any embedded seperator characters
+doubled.
+
+Arguments:
+ list points to the start of the list that is being built, or NULL
+ if this is a new list that has no contents yet
+ sep list seperator charactoer
+ ele new lement to be appended to the list
+
+Returns: pointer to the start of the list, changed if copied for expansion.
+*/
+
+uschar *
+string_append_listele(uschar * list, uschar sep, const uschar * ele)
+{
+uschar * new = NULL;
+int sz = 0, off = 0;
+uschar * sp;
+
+if (list)
+ {
+ new = string_cat(new, &sz, &off, list, Ustrlen(list));
+ new = string_cat(new, &sz, &off, &sep, 1);
+ }
+
+while((sp = Ustrchr(ele, sep)))
+ {
+ new = string_cat(new, &sz, &off, ele, sp-ele+1);
+ new = string_cat(new, &sz, &off, &sep, 1);
+ ele = sp+1;
+ }
+new = string_cat(new, &sz, &off, ele, Ustrlen(ele));
+new[off] = '\0';
+return new;
+}
+#endif /* COMPILE_UTILITY */
+
+
#ifndef COMPILE_UTILITY
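Review bot: the header comment of string_append_listele() has several spelling slips (`seperated`, `seperator`, `charactoer`, `lement`) that are worth fixing before this becomes a shared helper. It should also state what happens for a non-NULL but empty `list`: the code then emits a leading separator followed by the element, so say whether callers may rely on that or must pass NULL for an empty list.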
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
but also used when checking lists of hosts and when transporting. Looking up
host addresses is done using this structure. */
+typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t;
+
typedef struct host_item {
struct host_item *next;
uschar *name; /* Host name */
int status; /* Usable, unusable, or unknown */
int why; /* Why host is unusable */
int last_try; /* Time of last try if known */
+ dnssec_status_t dnssec;
} host_item;
/* Chain of rewrite rules, read from the rewrite config, or parsed from the
BOOL verify_sender; /* Use this router when verifying a sender */
BOOL uid_set; /* Flag to indicate uid is set */
BOOL unseen; /* If TRUE carry on, even after success */
+#ifdef EXPERIMENTAL_DSN
+ BOOL dsn_lasthop; /* If TRUE, this router is a DSN endpoint */
+#endif
int self_code; /* Encoded version of "self" */
uid_t uid; /* Fixed uid value */
#define af_cert_verified 0x01000000 /* delivered with verified TLS cert */
#define af_pass_message 0x02000000 /* pass message in bounces */
#define af_bad_reply 0x04000000 /* filter could not generate autoreply */
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
# define af_prdr_used 0x08000000 /* delivery used SMTP PRDR */
#endif
#define af_force_command 0x10000000 /* force_command in pipe transport */
#ifdef SUPPORT_TLS
uschar *cipher; /* Cipher used for transport */
+ void *ourcert; /* Certificate offered to peer, binary */
+ void *peercert; /* Certificate from peer, binary */
uschar *peerdn; /* DN of server's certificate */
+ int ocsp; /* OCSP status of peer cert */
#endif
uschar *authenticator; /* auth driver name used by transport */
uschar *auth_id; /* auth "login" name used by transport */
uschar *auth_sndr; /* AUTH arg to SMTP MAIL, used by transport */
+ #ifdef EXPERIMENTAL_DSN
+ uschar *dsn_orcpt; /* DSN orcpt value */
+ int dsn_flags; /* DSN flags */
+ int dsn_aware; /* DSN aware flag */
+ #endif
+
uid_t uid; /* uid for transporting */
gid_t gid; /* gid for transporting */
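Review bot: the new `ocsp` member is a plain int, although the rest of this patch only ever assigns it named states (OCSP_NOT_RESP, OCSP_VFY_NOT_TRIED, OCSP_FAILED, OCSP_VFIED). The same patch gives `dnssec` a typedef'd enum, and doing the same here would let the compiler catch stray values. The `void *ourcert` / `void *peercert` comments should also say who owns the object and which library type it is. The `#ifdef EXPERIMENTAL_DSN` block is indented, unlike the `#ifdef SUPPORT_TLS` block directly above it.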
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Copyright (c) Phil Pennock 2012 */
#if GNUTLS_VERSION_NUMBER >= 0x020c00
# include <gnutls/pkcs11.h>
#endif
+#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
+# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
+# define DISABLE_OCSP
+#endif
+
+#ifndef DISABLE_OCSP
+# include <gnutls/ocsp.h>
+#endif
/* GnuTLS 2 vs 3
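Review bot: with a GnuTLS older than 0x030103 this block defines DISABLE_OCSP on the builder's behalf after nothing more than a `#warning`, so OCSP support can drop out of a build with only a compiler diagnostic to show for it. Since this is a certificate-status check, failing the build with `#error` until DISABLE_OCSP is set explicitly in the Makefile would be safer. That is also what the warning text already asks for.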
/* Values for verify_requirement */
-enum peer_verify_requirement { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED };
+enum peer_verify_requirement
+ { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED
+#ifdef EXPERIMENTAL_CERTNAMES
+ ,VERIFY_WITHHOST
+#endif
+ };
/* This holds most state for server or client; with this, we can set up an
outbound TLS-enabled connection in an ACL callout, while not stomping all
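Review bot: the comparisons changed later in this patch from `== VERIFY_REQUIRED` to `>= VERIFY_REQUIRED` only work because VERIFY_WITHHOST is appended after VERIFY_REQUIRED here, and nothing at the enum says the order is significant. Add a comment stating that values are ordered by increasing strictness, so that a later insertion does not silently turn a required check into an optional one.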
*/
typedef struct exim_gnutls_state {
- gnutls_session_t session;
+ gnutls_session_t session;
gnutls_certificate_credentials_t x509_cred;
- gnutls_priority_t priority_cache;
+ gnutls_priority_t priority_cache;
enum peer_verify_requirement verify_requirement;
- int fd_in;
- int fd_out;
- BOOL peer_cert_verified;
- BOOL trigger_sni_changes;
- BOOL have_set_peerdn;
+ int fd_in;
+ int fd_out;
+ BOOL peer_cert_verified;
+ BOOL trigger_sni_changes;
+ BOOL have_set_peerdn;
const struct host_item *host;
- uschar *peerdn;
- uschar *ciphersuite;
- uschar *received_sni;
+ gnutls_x509_crt_t peercert;
+ uschar *peerdn;
+ uschar *ciphersuite;
+ uschar *received_sni;
const uschar *tls_certificate;
const uschar *tls_privatekey;
const uschar *tls_verify_certificates;
const uschar *tls_crl;
const uschar *tls_require_ciphers;
+
uschar *exp_tls_certificate;
uschar *exp_tls_privatekey;
uschar *exp_tls_sni;
uschar *exp_tls_verify_certificates;
uschar *exp_tls_crl;
uschar *exp_tls_require_ciphers;
+ uschar *exp_tls_ocsp_file;
+#ifdef EXPERIMENTAL_CERTNAMES
+ uschar *exp_tls_verify_cert_hostnames;
+#endif
tls_support *tlsp; /* set in tls_init() */
NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+#ifdef EXPERIMENTAL_CERTNAMES
+ NULL,
+#endif
NULL,
NULL, 0, 0, 0, 0,
};
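Review bot: the struct gains two unconditional members in this patch (`peercert` and `exp_tls_ocsp_file`) but this positional initializer gains only one NULL, on the exp_ row. The result is still all zeros, because every remaining value is NULL or 0 and trailing members are zero-initialized. The rows no longer line up with the fields, though, which will bite the first time a non-zero default is added. Add the missing NULL to the host/peerdn row or switch to designated initializers.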
#define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
#if GNUTLS_VERSION_NUMBER >= 0x020c00
-#define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
-#define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
-#define HAVE_GNUTLS_RND
+# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
+# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
+# define HAVE_GNUTLS_RND
/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
* (4.82 PP/09) introduces a compatibility regression. The symbol simply
* isn't available sometimes, so this needs to become a conditional
* compilation; the sanest way to deal with this being a problem on
* older OSes is to block it in the Local/Makefile with this compiler
* definition */
-#ifndef AVOID_GNUTLS_PKCS11
-#define HAVE_GNUTLS_PKCS11
-#endif /* AVOID_GNUTLS_PKCS11 */
+# ifndef AVOID_GNUTLS_PKCS11
+# define HAVE_GNUTLS_PKCS11
+# endif /* AVOID_GNUTLS_PKCS11 */
#endif
static int exim_sni_handling_cb(gnutls_session_t session);
+#ifndef DISABLE_OCSP
+static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
+ gnutls_datum_t * ocsp_response);
+#endif
* Set various Exim expansion vars *
*************************************************/
+#define exim_gnutls_cert_err(Label) \
+ do \
+ { \
+ if (rc != GNUTLS_E_SUCCESS) \
+ { \
+ DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \
+ (Label), gnutls_strerror(rc)); \
+ return rc; \
+ } \
+ } while (0)
+
+static int
+import_cert(const gnutls_datum * cert, gnutls_x509_crt_t * crtp)
+{
+int rc;
+
+rc = gnutls_x509_crt_init(crtp);
+exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)");
+
+rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER);
+exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]");
+
+return rc;
+}
+
+#undef exim_gnutls_cert_err
+
+
/* We set various Exim global variables from the state, once a session has
been established. With TLS callouts, may need to change this to stack
variables, or just re-call it with the server state after client callout
has finished.
-Make sure anything set here is inset in tls_getc().
+Make sure anything set here is unset in tls_getc().
Sets:
tls_active fd
tls_certificate_verified bool indicator
tls_channelbinding_b64 for some SASL mechanisms
tls_cipher a string
+ tls_peercert pointer to library internal
tls_peerdn a string
tls_sni a (UTF-8) string
+ tls_ourcert pointer to library internal
Argument:
state the relevant exim_gnutls_state_st *
*/
static void
-extract_exim_vars_from_tls_state(exim_gnutls_state_st *state, BOOL is_server)
+extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
{
gnutls_cipher_algorithm_t cipher;
#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
int rc;
gnutls_datum_t channel;
#endif
+tls_support * tlsp = state->tlsp;
-state->tlsp->active = state->fd_out;
+tlsp->active = state->fd_out;
cipher = gnutls_cipher_get(state->session);
/* returns size in "bytes" */
-state->tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
+tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
-state->tlsp->cipher = state->ciphersuite;
+tlsp->cipher = state->ciphersuite;
DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
-state->tlsp->certificate_verified = state->peer_cert_verified;
+tlsp->certificate_verified = state->peer_cert_verified;
/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
only available for use for authenticators while this TLS session is running. */
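Review bot: in import_cert(), if gnutls_x509_crt_init() succeeds and gnutls_x509_crt_import() then fails, the macro returns rc while *crtp still holds an initialized handle. Neither caller shown in this patch releases it on that path. Call gnutls_x509_crt_deinit(*crtp) before returning from the second failure, and consider setting *crtp to NULL so callers cannot use a half-built object.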
}
#endif
-state->tlsp->peerdn = state->peerdn;
-state->tlsp->sni = state->received_sni;
+/* peercert is set in peer_status() */
+tlsp->peerdn = state->peerdn;
+tlsp->sni = state->received_sni;
+
+/* record our certificate */
+ {
+ const gnutls_datum * cert = gnutls_certificate_get_ours(state->session);
+ gnutls_x509_crt_t crt;
+
+ tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
+ }
}
int cert_count;
/* We check for tls_sni *before* expansion. */
-if (!state->host)
+if (!host) /* server */
{
if (!state->received_sni)
{
if ((state->exp_tls_certificate == NULL) ||
(*state->exp_tls_certificate == '\0'))
{
- if (state->host == NULL)
+ if (!host)
return tls_error(US"no TLS server certificate is specified", NULL, NULL);
else
DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
} /* tls_certificate */
+
+/* Set the OCSP stapling server info */
+
+#ifndef DISABLE_OCSP
+if ( !host /* server */
+ && tls_ocsp_file
+ )
+ {
+ if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
+ &state->exp_tls_ocsp_file))
+ return DEFER;
+
+ /* Use the full callback method for stapling just to get observability.
+ More efficient would be to read the file once only, if it never changed
+ (due to SNI). Would need restart on file update, or watch datestamp. */
+
+ gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
+ server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
+
+ DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file);
+ }
+#endif
+
+
/* Set the trusted CAs file if one is provided, and then add the CRL if one is
provided. Experiment shows that, if the certificate file is empty, an unhelpful
error message is provided. However, if we just refrain from setting anything up
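Review bot: the debug_printf for "Set OCSP response file %s" is passed `&state->exp_tls_ocsp_file`, which is the address of the pointer rather than the string, so `%s` reads the wrong memory. Drop the `&`. It is also worth a sentence in the comment that the pointer handed to gnutls_certificate_set_ocsp_status_request_function() must stay valid for as long as the credentials are in use, since the callback dereferences it on every handshake.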
-
/*************************************************
* Extract peer information *
*************************************************/
{
DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
cert_list, cert_list_size);
- if (state->verify_requirement == VERIFY_REQUIRED)
+ if (state->verify_requirement >= VERIFY_REQUIRED)
return tls_error(US"certificate verification failed",
"no certificate received from peer", state->host);
return OK;
const char *ctn = gnutls_certificate_type_get_name(ct);
DEBUG(D_tls)
debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
- if (state->verify_requirement == VERIFY_REQUIRED)
+ if (state->verify_requirement >= VERIFY_REQUIRED)
return tls_error(US"certificate verification not possible, unhandled type",
ctn, state->host);
return OK;
}
-#define exim_gnutls_peer_err(Label) do { \
- if (rc != GNUTLS_E_SUCCESS) { \
- DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", (Label), gnutls_strerror(rc)); \
- if (state->verify_requirement == VERIFY_REQUIRED) { return tls_error((Label), gnutls_strerror(rc), state->host); } \
- return OK; } } while (0)
+#define exim_gnutls_peer_err(Label) \
+ do { \
+ if (rc != GNUTLS_E_SUCCESS) \
+ { \
+ DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
+ (Label), gnutls_strerror(rc)); \
+ if (state->verify_requirement >= VERIFY_REQUIRED) \
+ return tls_error((Label), gnutls_strerror(rc), state->host); \
+ return OK; \
+ } \
+ } while (0)
-rc = gnutls_x509_crt_init(&crt);
-exim_gnutls_peer_err(US"gnutls_x509_crt_init (crt)");
+rc = import_cert(&cert_list[0], &crt);
+exim_gnutls_peer_err(US"cert 0");
+
+state->tlsp->peercert = state->peercert = crt;
-rc = gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER);
-exim_gnutls_peer_err(US"failed to import certificate [gnutls_x509_crt_import(cert 0)]");
sz = 0;
rc = gnutls_x509_crt_get_dn(crt, NULL, &sz);
if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
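Review bot: the label handed to exim_gnutls_peer_err() after import_cert() is now just "cert 0", and the macro passes that label to tls_error() when verification is required. The logged reason for an import failure therefore shrinks to "cert 0" plus the GnuTLS error string. The descriptive text that moved into import_cert() is only printed under DEBUG(D_tls). Keep a self-explanatory label here, such as the old "failed to import certificate" wording.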
dn_buf = store_get_perm(sz);
rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
+
state->peerdn = dn_buf;
return OK;
*error = NULL;
-rc = peer_status(state);
-if (rc != OK)
+if ((rc = peer_status(state)) != OK)
{
verify = GNUTLS_CERT_INVALID;
- *error = "not supplied";
+ *error = "certificate not supplied";
}
else
- {
rc = gnutls_certificate_verify_peers2(state->session, &verify);
- }
/* Handle the result of verification. INVALID seems to be set as well
as REVOKED, but leave the test for both. */
-if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
+if (rc < 0 ||
+ verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
+ )
{
state->peer_cert_verified = FALSE;
- if (*error == NULL)
- *error = ((verify & GNUTLS_CERT_REVOKED) != 0) ? "revoked" : "invalid";
+ if (!*error)
+ *error = verify & GNUTLS_CERT_REVOKED
+ ? "certificate revoked" : "certificate invalid";
DEBUG(D_tls)
- debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
+ debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
*error, state->peerdn ? state->peerdn : US"<unset>");
- if (state->verify_requirement == VERIFY_REQUIRED)
+ if (state->verify_requirement >= VERIFY_REQUIRED)
{
- gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
+ gnutls_alert_send(state->session,
+ GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
return FALSE;
}
DEBUG(D_tls)
debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n");
}
+
else
{
+#ifdef EXPERIMENTAL_CERTNAMES
+ if (state->verify_requirement == VERIFY_WITHHOST)
+ {
+ int sep = 0;
+ uschar * list = state->exp_tls_verify_cert_hostnames;
+ uschar * name;
+ while (name = string_nextinlist(&list, &sep, NULL, 0))
+ if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
+ break;
+ if (!name)
+ {
+ DEBUG(D_tls)
+ debug_printf("TLS certificate verification failed: cert name mismatch\n");
+ gnutls_alert_send(state->session,
+ GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
+ return FALSE;
+ }
+ }
+#endif
state->peer_cert_verified = TRUE;
- DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=%s\n",
+ DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
state->peerdn ? state->peerdn : US"<unset>");
}
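Review bot: the new VERIFY_WITHHOST mismatch path returns FALSE without setting `*error`, which was cleared to NULL at the top of the function, so the caller's tls_error("certificate verification failed", error, ...) has no reason to log outside debug mode. Set `*error` to something like "certificate name mismatch" before returning. Also, `while (name = string_nextinlist(...))` lacks the extra parentheses that the OpenSSL variant in this patch uses for the same loop and will draw a compiler warning. The check reads the untyped `state->tlsp->peercert` where the typed `state->peercert` is available.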
+#ifndef DISABLE_OCSP
+
+static int
+server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
+ gnutls_datum_t * ocsp_response)
+{
+int ret;
+
+if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
+ {
+ DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
+ (char *)ptr);
+ tls_in.ocsp = OCSP_NOT_RESP;
+ return GNUTLS_E_NO_CERTIFICATE_STATUS;
+ }
+
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
+return 0;
+}
+
+#endif
+
+
+
+
/* ------------------------------------------------------------------------ */
/* Exported functions */
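Review bot: on success this callback records `tls_in.ocsp = OCSP_VFY_NOT_TRIED`, while the OpenSSL server callback in the same patch records `OCSP_VFIED` for the equivalent event (a stapled response was handed to the library). An ACL or log reader would see different states for the same behaviour depending on the TLS backend. Pick one value for "server supplied a staple" and use it in both files. The `session` argument is unused and could be marked ARG_UNUSED, as is done elsewhere in this file.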
if (verify_check_host(&tls_verify_hosts) == OK)
{
- DEBUG(D_tls) debug_printf("TLS: a client certificate will be required.\n");
+ DEBUG(D_tls)
+ debug_printf("TLS: a client certificate will be required.\n");
state->verify_requirement = VERIFY_REQUIRED;
gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
}
else if (verify_check_host(&tls_try_verify_hosts) == OK)
{
- DEBUG(D_tls) debug_printf("TLS: a client certificate will be requested but not required.\n");
+ DEBUG(D_tls)
+ debug_printf("TLS: a client certificate will be requested but not required.\n");
state->verify_requirement = VERIFY_OPTIONAL;
gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
}
else
{
- DEBUG(D_tls) debug_printf("TLS: a client certificate will not be requested.\n");
+ DEBUG(D_tls)
+ debug_printf("TLS: a client certificate will not be requested.\n");
state->verify_requirement = VERIFY_NONE;
gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
}
if (!state->tlsp->on_connect)
{
smtp_printf("220 TLS go ahead\r\n");
- fflush(smtp_out); /*XXX JGH */
+ fflush(smtp_out);
}
/* Now negotiate the TLS session. We put our own timer on it, since it seems
that the GnuTLS library doesn't. */
gnutls_transport_set_ptr2(state->session,
- (gnutls_transport_ptr)fileno(smtp_in),
- (gnutls_transport_ptr)fileno(smtp_out));
+ (gnutls_transport_ptr)(long) fileno(smtp_in),
+ (gnutls_transport_ptr)(long) fileno(smtp_out));
state->fd_in = fileno(smtp_in);
state->fd_out = fileno(smtp_out);
/* Verify after the fact */
-if (state->verify_requirement != VERIFY_NONE)
+if ( state->verify_requirement != VERIFY_NONE
+ && !verify_certificate(state, &error))
{
- if (!verify_certificate(state, &error))
+ if (state->verify_requirement != VERIFY_OPTIONAL)
{
- if (state->verify_requirement == VERIFY_OPTIONAL)
- {
- DEBUG(D_tls)
- debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
- error);
- }
- else
- {
- tls_error(US"certificate verification failed", error, NULL);
- return FAIL;
- }
+ tls_error(US"certificate verification failed", error, NULL);
+ return FAIL;
}
+ DEBUG(D_tls)
+ debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
+ error);
}
/* Figure out peer DN, and if authenticated, etc. */
/* Sets various Exim expansion variables; always safe within server */
-extract_exim_vars_from_tls_state(state, TRUE);
+extract_exim_vars_from_tls_state(state);
/* TLS has been set up. Adjust the input functions to read via TLS,
and initialize appropriately. */
fd the fd of the connection
host connected host (for messages)
addr the first address (not used)
- certificate certificate file
- privatekey private key file
- sni TLS SNI to send to remote host
- verify_certs file for certificate verify
- verify_crl CRL for verify
- require_ciphers list of allowed ciphers or NULL
- dh_min_bits minimum number of bits acceptable in server's DH prime
- timeout startup timeout
+ ob smtp transport options
Returns: OK/DEFER/FAIL (because using common functions),
but for a client, DEFER and FAIL have the same meaning
int
tls_client_start(int fd, host_item *host,
address_item *addr ARG_UNUSED,
- uschar *certificate, uschar *privatekey, uschar *sni,
- uschar *verify_certs, uschar *verify_crl,
- uschar *require_ciphers,
-#ifdef EXPERIMENTAL_OCSP
- uschar *require_ocsp ARG_UNUSED,
-#endif
- int dh_min_bits, int timeout)
+ void *v_ob)
{
+smtp_transport_options_block *ob = v_ob;
int rc;
const char *error;
exim_gnutls_state_st *state = NULL;
+#ifndef DISABLE_OCSP
+BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
+ NULL, host->name, host->address, NULL) == OK;
+BOOL request_ocsp = require_ocsp ? TRUE
+ : verify_check_this_host(&ob->hosts_request_ocsp,
+ NULL, host->name, host->address, NULL) == OK;
+#endif
DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
-rc = tls_init(host, certificate, privatekey,
- sni, verify_certs, verify_crl, require_ciphers, &state);
-if (rc != OK) return rc;
+if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
+ ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
+ ob->tls_require_ciphers, &state)) != OK)
+ return rc;
-if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
{
- DEBUG(D_tls)
- debug_printf("WARNING: tls_dh_min_bits far too low, clamping %d up to %d\n",
- dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
- dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
- }
+ int dh_min_bits = ob->tls_dh_min_bits;
+ if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
+ {
+ DEBUG(D_tls)
+ debug_printf("WARNING: tls_dh_min_bits far too low,"
+ " clamping %d up to %d\n",
+ dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
+ dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
+ }
-DEBUG(D_tls) debug_printf("Setting D-H prime minimum acceptable bits to %d\n",
- dh_min_bits);
-gnutls_dh_set_prime_bits(state->session, dh_min_bits);
+ DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
+ " acceptable bits to %d\n",
+ dh_min_bits);
+ gnutls_dh_set_prime_bits(state->session, dh_min_bits);
+ }
-if (verify_certs == NULL)
+/* Stick to the old behaviour for compatibility if tls_verify_certificates is
+set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
+the specified host patterns if one of them is defined */
+
+if (( state->exp_tls_verify_certificates
+ && !ob->tls_verify_hosts
+ && !ob->tls_try_verify_hosts
+ )
+ ||
+ verify_check_host(&ob->tls_verify_hosts) == OK
+ )
{
- DEBUG(D_tls) debug_printf("TLS: server certificate verification not required\n");
- state->verify_requirement = VERIFY_NONE;
- /* we still ask for it, to log it, etc */
+#ifdef EXPERIMENTAL_CERTNAMES
+ if (ob->tls_verify_cert_hostnames)
+ {
+ DEBUG(D_tls)
+ debug_printf("TLS: server cert incl. hostname verification required.\n");
+ state->verify_requirement = VERIFY_WITHHOST;
+ if (!expand_check(ob->tls_verify_cert_hostnames,
+ US"tls_verify_cert_hostnames",
+ &state->exp_tls_verify_cert_hostnames))
+ return FAIL;
+ if (state->exp_tls_verify_cert_hostnames)
+ DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
+ state->exp_tls_verify_cert_hostnames);
+ }
+ else
+#endif
+ {
+ DEBUG(D_tls)
+ debug_printf("TLS: server certificate verification required.\n");
+ state->verify_requirement = VERIFY_REQUIRED;
+ }
+ gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
+ }
+else if (verify_check_host(&ob->tls_try_verify_hosts) == OK)
+ {
+ DEBUG(D_tls)
+ debug_printf("TLS: server certificate verification optional.\n");
+ state->verify_requirement = VERIFY_OPTIONAL;
gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
}
else
{
- DEBUG(D_tls) debug_printf("TLS: server certificate verification required\n");
- state->verify_requirement = VERIFY_REQUIRED;
- gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
+ DEBUG(D_tls)
+ debug_printf("TLS: server certificate verification not required.\n");
+ state->verify_requirement = VERIFY_NONE;
+ gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
}
-gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)fd);
+#ifndef DISABLE_OCSP
+ /* supported since GnuTLS 3.1.3 */
+if (request_ocsp)
+ {
+ DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
+ if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
+ NULL, 0, NULL)) != OK)
+ return tls_error(US"cert-status-req",
+ gnutls_strerror(rc), state->host);
+ tls_out.ocsp = OCSP_NOT_RESP;
+ }
+#endif
+
+gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)(long) fd);
state->fd_in = fd;
state->fd_out = fd;
+DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
/* There doesn't seem to be a built-in timeout on connection. */
sigalrm_seen = FALSE;
-alarm(timeout);
+alarm(ob->command_timeout);
do
{
rc = gnutls_handshake(state->session);
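Review bot: the OCSP host lists at the top of this function are matched with verify_check_this_host() and an explicit host->name / host->address, but tls_verify_hosts and tls_try_verify_hosts are matched with verify_check_host(), which takes no host argument and is the call the server side uses for the connecting client. Please confirm which host that evaluates in a transport. If it is not the `host` parameter, the wrong peer decides whether the server certificate is verified, and these two calls should use the same explicit-host form as the OCSP checks. Separately, after expand_check() the result `exp_tls_verify_cert_hostnames` is only NULL-tested for the debug print, so an expansion that yields nothing still leaves verify_requirement at VERIFY_WITHHOST with no list; handle that case explicitly.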
!verify_certificate(state, &error))
return tls_error(US"certificate verification failed", error, state->host);
+#ifndef DISABLE_OCSP
+if (require_ocsp)
+ {
+ DEBUG(D_tls)
+ {
+ gnutls_datum_t stapling;
+ gnutls_ocsp_resp_t resp;
+ gnutls_datum_t printed;
+ if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
+ && (rc= gnutls_ocsp_resp_init(&resp)) == 0
+ && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
+ && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
+ )
+ {
+ debug_printf("%.4096s", printed.data);
+ gnutls_free(printed.data);
+ }
+ else
+ (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host);
+ }
+
+ if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
+ {
+ tls_out.ocsp = OCSP_FAILED;
+ return tls_error(US"certificate status check failed", NULL, state->host);
+ }
+ DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
+ tls_out.ocsp = OCSP_VFIED;
+ }
+#endif
+
/* Figure out peer DN, and if authenticated, etc. */
-rc = peer_status(state);
-if (rc != OK) return rc;
+if ((rc = peer_status(state)) != OK)
+ return rc;
/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
-extract_exim_vars_from_tls_state(state, FALSE);
+extract_exim_vars_from_tls_state(state);
return OK;
}
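Review bot: the post-handshake OCSP block runs only under `if (require_ocsp)`, so for a host that matches hosts_request_ocsp alone, tls_out.ocsp keeps the OCSP_NOT_RESP set before the handshake even when the server did staple a response. Run the gnutls_ocsp_status_request_is_checked() test whenever request_ocsp is true and make only the failure return conditional on require_ocsp. In the debug sub-block, `resp` from gnutls_ocsp_resp_init() is never passed to gnutls_ocsp_resp_deinit(), and a decode failure is reported through tls_error() only when debugging is on.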
state->tlsp->active = -1;
state->tlsp->bits = 0;
state->tlsp->certificate_verified = FALSE;
- tls_channelbinding_b64 = NULL; /*XXX JGH */
+ tls_channelbinding_b64 = NULL;
state->tlsp->cipher = NULL;
+ state->tlsp->peercert = NULL;
state->tlsp->peerdn = NULL;
return smtp_getc();
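Review bot: this reset now clears `peercert` but not the `ourcert` that extract_exim_vars_from_tls_state() sets in this same patch, even though that function's header comment asks for everything it sets to be unset in tls_getc(). Add `state->tlsp->ourcert = NULL;` here. Both pointers come from gnutls_x509_crt_init() and no gnutls_x509_crt_deinit() call is visible before they are dropped, so decide where those handles are released.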
gnutls_check_version(NULL));
}
+/* vi: aw ai sw=2
+*/
/* End of tls-gnu.c */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Portions Copyright (c) The OpenSSL Project 1999 */
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
-#ifdef EXPERIMENTAL_OCSP
-#include <openssl/ocsp.h>
+#ifndef DISABLE_OCSP
+# include <openssl/ocsp.h>
#endif
-#ifdef EXPERIMENTAL_OCSP
-#define EXIM_OCSP_SKEW_SECONDS (300L)
-#define EXIM_OCSP_MAX_AGE (-1L)
+#ifndef DISABLE_OCSP
+# define EXIM_OCSP_SKEW_SECONDS (300L)
+# define EXIM_OCSP_MAX_AGE (-1L)
#endif
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
-#define EXIM_HAVE_OPENSSL_TLSEXT
+# define EXIM_HAVE_OPENSSL_TLSEXT
+#endif
+
+#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
+# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
+# define DISABLE_OCSP
#endif
/* Structure for collecting random data for seeding. */
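Review bot: the warning text blames an old library, but EXIM_HAVE_OPENSSL_TLSEXT is also left undefined when OPENSSL_NO_TLSEXT is set on a recent OpenSSL, and this block fires in that case too. Reword the message to cover a library built without TLS extensions. As with the GnuTLS file, consider whether silently defining DISABLE_OCSP is preferable to stopping the build.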
typedef struct tls_ext_ctx_cb {
uschar *certificate;
uschar *privatekey;
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
BOOL is_server;
union {
struct {
OCSP_RESPONSE *response;
} server;
struct {
- X509_STORE *verify_store;
+ X509_STORE *verify_store; /* non-null if status requested */
+ BOOL verify_required;
} client;
} u_ocsp;
#endif
uschar *server_cipher_list;
/* only passed down to tls_error: */
host_item *host;
+
+#ifdef EXPERIMENTAL_CERTNAMES
+ uschar * verify_cert_hostnames;
+#endif
} tls_ext_ctx_cb;
/* should figure out a cleanup of API to handle state preserved per
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
#endif
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
static int tls_server_stapling_cb(SSL *s, void *arg);
#endif
/* Extreme debug
-#if defined(EXPERIMENTAL_OCSP)
+#ifndef DISABLE_OCSP
void
x509_store_dump_cert_s_names(X509_STORE * store)
{
*/
static int
-verify_callback(int state, X509_STORE_CTX *x509ctx, tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
+verify_callback(int state, X509_STORE_CTX *x509ctx,
+ tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
{
+X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
static uschar txt[256];
-X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
- CS txt, sizeof(txt));
+X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
if (state == 0)
{
log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
- x509ctx->error_depth,
- X509_verify_cert_error_string(x509ctx->error),
+ X509_STORE_CTX_get_error_depth(x509ctx),
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
txt);
tlsp->certificate_verified = FALSE;
*calledp = TRUE;
- if (!*optionalp) return 0; /* reject */
+ if (!*optionalp)
+ {
+ tlsp->peercert = X509_dup(cert);
+ return 0; /* reject */
+ }
DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
"tls_try_verify_hosts)\n");
- return 1; /* accept */
}
-if (x509ctx->error_depth != 0)
+else if (X509_STORE_CTX_get_error_depth(x509ctx) != 0)
{
- DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
- x509ctx->error_depth, txt);
-#ifdef EXPERIMENTAL_OCSP
+ DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n",
+ X509_STORE_CTX_get_error_depth(x509ctx), txt);
+#ifndef DISABLE_OCSP
if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
{ /* client, wanting stapling */
/* Add the server cert's signing chain as the one
for the verification of the OCSP stapled information. */
if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
- x509ctx->current_cert))
+ cert))
ERR_clear_error();
}
#endif
}
else
{
- DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
- *calledp ? "" : " authenticated", txt);
+#ifdef EXPERIMENTAL_CERTNAMES
+ uschar * verify_cert_hostnames;
+#endif
+
tlsp->peerdn = txt;
- }
+ tlsp->peercert = X509_dup(cert);
-/*XXX JGH: this looks bogus - we set "verified" first time through, which
-will be for the root CS cert (calls work down the chain). Why should it
-not be on the last call, where we're setting peerdn?
+#ifdef EXPERIMENTAL_CERTNAMES
+ if ( tlsp == &tls_out
+ && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
+ /* client, wanting hostname check */
-To test: set up a chain anchored by a good root-CA but with a bad server cert.
-Does certificate_verified get set?
-*/
-if (!*calledp) tlsp->certificate_verified = TRUE;
-*calledp = TRUE;
+# if OPENSSL_VERSION_NUMBER >= 0x010100000L || OPENSSL_VERSION_NUMBER >= 0x010002000L
+# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
+# endif
+ {
+ int sep = 0;
+ uschar * list = verify_cert_hostnames;
+ uschar * name;
+ int rc;
+ while ((name = string_nextinlist(&list, &sep, NULL, 0)))
+ if ((rc = X509_check_host(cert, name, 0,
+ X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)))
+ {
+ if (rc < 0)
+ {
+ log_write(0, LOG_MAIN, "SSL verify error: internal error\n");
+ name = NULL;
+ }
+ break;
+ }
+ if (!name)
+ {
+ log_write(0, LOG_MAIN,
+ "SSL verify error: certificate name mismatch: \"%s\"\n", txt);
+ return 0; /* reject */
+ }
+ }
+# else
+ if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
+ {
+ log_write(0, LOG_MAIN,
+ "SSL verify error: certificate name mismatch: \"%s\"\n", txt);
+ return 0; /* reject */
+ }
+# endif
+#endif
+
+ DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
+ *calledp ? "" : " authenticated", txt);
+ if (!*calledp) tlsp->certificate_verified = TRUE;
+ *calledp = TRUE;
+ }
return 1; /* accept */
}
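Review bot: in the `state == 0` reject branch, `tlsp->peercert = X509_dup(cert)` stores whichever certificate failed, and the log line just above reports a depth, so a failure above depth 0 leaves a CA certificate in a variable named for the peer. Store the leaf only, or document that peercert means "the certificate that failed". The X509_dup() copies are never matched by an X509_free() in the visible code. In the hostname block, the test `>= 0x010100000L || >= 0x010002000L` is redundant because the second bound already includes the first, and defining X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS to 0 when it is missing quietly allows partial wildcards. The three new log_write() strings end in "\n", unlike the existing "SSL verify error" line.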
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
/*************************************************
* Load OCSP information into state *
*************************************************/
}
supply_response:
-cbinfo->u_ocsp.server.response = resp;
+ cbinfo->u_ocsp.server.response = resp;
return;
bad:
-if (running_in_test_harness)
- {
- extern char ** environ;
- uschar ** p;
- for (p = USS environ; *p != NULL; p++)
- if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
- {
- DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
- goto supply_response;
- }
- }
+ if (running_in_test_harness)
+ {
+ extern char ** environ;
+ uschar ** p;
+ for (p = USS environ; *p != NULL; p++)
+ if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+ {
+ DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
+ goto supply_response;
+ }
+ }
return;
}
-#endif /*EXPERIMENTAL_OCSP*/
+#endif /*!DISABLE_OCSP*/
"SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
}
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
{
if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
if (cbinfo->server_cipher_list)
SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if (cbinfo->u_ocsp.server.file)
{
SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
/*************************************************
* Callback to handle OCSP Stapling *
uschar *response_der;
int response_der_len;
-if (log_extra_selector & LX_tls_cipher)
- log_write(0, LOG_MAIN, "[%s] Recieved OCSP stapling req;%s responding",
- sender_host_address, cbinfo->u_ocsp.server.response ? "":" not");
-else
- DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.",
+DEBUG(D_tls)
+ debug_printf("Received TLS status request (OCSP stapling); %s response.",
cbinfo->u_ocsp.server.response ? "have" : "lack");
+tls_in.ocsp = OCSP_NOT_RESP;
if (!cbinfo->u_ocsp.server.response)
return SSL_TLSEXT_ERR_NOACK;
response_der = NULL;
-response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, &response_der);
+response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
+ &response_der);
if (response_der_len <= 0)
return SSL_TLSEXT_ERR_NOACK;
SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
+tls_in.ocsp = OCSP_VFIED;
return SSL_TLSEXT_ERR_OK;
}
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
if(!p)
{
- if (log_extra_selector & LX_tls_cipher)
- log_write(0, LOG_MAIN, "Received TLS status response, null content");
+ /* Expect this when we requested ocsp but got none */
+ if ( cbinfo->u_ocsp.client.verify_required
+ && log_extra_selector & LX_tls_cipher)
+ log_write(0, LOG_MAIN, "Received TLS status callback, null content");
else
DEBUG(D_tls) debug_printf(" null\n");
- return 0; /* This is the fail case for require-ocsp; none from server */
+ return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
}
+
if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
{
+ tls_out.ocsp = OCSP_FAILED;
if (log_extra_selector & LX_tls_cipher)
log_write(0, LOG_MAIN, "Received TLS status response, parse error");
else
if(!(bs = OCSP_response_get1_basic(rsp)))
{
+ tls_out.ocsp = OCSP_FAILED;
if (log_extra_selector & LX_tls_cipher)
log_write(0, LOG_MAIN, "Received TLS status response, error parsing response");
else
/* We'd check the nonce here if we'd put one in the request. */
/* However that would defeat cacheability on the server so we don't. */
-
/* This section of code reworked from OpenSSL apps source;
The OpenSSL Project retains copyright:
Copyright (c) 1999 The OpenSSL Project. All rights reserved.
*/
{
BIO * bp = NULL;
- OCSP_CERTID *id;
int status, reason;
ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
/* Use the chain that verified the server cert to verify the stapled info */
/* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
- if ((i = OCSP_basic_verify(bs, NULL, cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
+ if ((i = OCSP_basic_verify(bs, NULL,
+ cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
{
+ tls_out.ocsp = OCSP_FAILED;
BIO_printf(bp, "OCSP response verify failure\n");
ERR_print_errors(bp);
- i = 0;
+ i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
goto out;
}
if (sk_OCSP_SINGLERESP_num(sresp) != 1)
{
- log_write(0, LOG_MAIN, "OCSP stapling with multiple responses not handled");
+ tls_out.ocsp = OCSP_FAILED;
+ log_write(0, LOG_MAIN, "OCSP stapling "
+ "with multiple responses not handled");
+ i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
goto out;
}
single = OCSP_resp_get0(bs, 0);
- status = OCSP_single_get0_status(single, &reason, &rev, &thisupd, &nextupd);
+ status = OCSP_single_get0_status(single, &reason, &rev,
+ &thisupd, &nextupd);
}
- i = 0;
DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
- if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
+ if (!OCSP_check_validity(thisupd, nextupd,
+ EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
{
+ tls_out.ocsp = OCSP_FAILED;
DEBUG(D_tls) ERR_print_errors(bp);
log_write(0, LOG_MAIN, "Server OSCP dates invalid");
- goto out;
+ i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
}
-
- DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n", OCSP_cert_status_str(status));
- switch(status)
+ else
{
- case V_OCSP_CERTSTATUS_GOOD:
- i = 1;
- break;
- case V_OCSP_CERTSTATUS_REVOKED:
- log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
- reason != -1 ? "; reason: " : "", reason != -1 ? OCSP_crl_reason_str(reason) : "");
- DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
- i = 0;
- break;
- default:
- log_write(0, LOG_MAIN, "Server certificate status unknown, in OCSP stapling");
- i = 0;
- break;
+ DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
+ OCSP_cert_status_str(status));
+ switch(status)
+ {
+ case V_OCSP_CERTSTATUS_GOOD:
+ tls_out.ocsp = OCSP_VFIED;
+ i = 1;
+ break;
+ case V_OCSP_CERTSTATUS_REVOKED:
+ tls_out.ocsp = OCSP_FAILED;
+ log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
+ reason != -1 ? "; reason: " : "",
+ reason != -1 ? OCSP_crl_reason_str(reason) : "");
+ DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
+ i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
+ break;
+ default:
+ tls_out.ocsp = OCSP_FAILED;
+ log_write(0, LOG_MAIN,
+ "Server certificate status unknown, in OCSP stapling");
+ i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
+ break;
+ }
}
out:
BIO_free(bp);
OCSP_RESPONSE_free(rsp);
return i;
}
-#endif /*EXPERIMENTAL_OCSP*/
+#endif /*!DISABLE_OCSP*/
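Review bot: In the V_OCSP_CERTSTATUS_REVOKED case the callback now returns 1 whenever verify_required is false, so a host matched only by hosts_request_ocsp completes the handshake with a server whose stapled response says its certificate is revoked. The only trace is tls_out.ocsp = OCSP_FAILED and a log line. Tolerating a missing or unverifiable staple in request-only mode is reasonable, but by this point the response has passed OCSP_basic_verify() and OCSP_check_validity(), so a revoked status is positive evidence. Suggest returning 0 for REVOKED regardless of verify_required, or documenting the soft-fail so that operators know to test the recorded OCSP state. Separately, the log text "Server OSCP dates invalid" misspells OCSP, which will defeat log searches for that string.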
* Initialize for TLS *
*************************************************/
-/* Called from both server and client code, to do preliminary initialization of
-the library.
+/* Called from both server and client code, to do preliminary initialization
+of the library. We allocate and return a context structure.
Arguments:
host connected host, if client; NULL if server
privatekey private key
ocsp_file file of stapling info (server); flag for require ocsp (client)
addr address if client; NULL if server (for some randomness)
+ cbp place to put allocated context
Returns: OK/DEFER/FAIL
*/
static int
tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
uschar *privatekey,
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
uschar *ocsp_file,
#endif
address_item *addr, tls_ext_ctx_cb ** cbp)
cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
cbinfo->certificate = certificate;
cbinfo->privatekey = privatekey;
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if ((cbinfo->is_server = host==NULL))
{
cbinfo->u_ocsp.server.file = ocsp_file;
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
if (host == NULL) /* server */
{
-# ifdef EXPERIMENTAL_OCSP
+# ifndef DISABLE_OCSP
/* We check u_ocsp.server.file, not server.response, because we care about if
the option exists, not what the current expansion might be, as SNI might
change the certificate and OCSP file in use between now and the time the
SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
}
-# ifdef EXPERIMENTAL_OCSP
+# ifndef DISABLE_OCSP
else /* client */
if(ocsp_file) /* wanting stapling */
{
# endif
#endif
+#ifdef EXPERIMENTAL_CERTNAMES
+cbinfo->verify_cert_hostnames = NULL;
+#endif
+
/* Set up the RSA callback */
SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
the accessor functions use const in the prototype. */
const SSL_CIPHER *c;
-uschar *ver;
-
-switch (ssl->session->ssl_version)
- {
- case SSL2_VERSION:
- ver = US"SSLv2";
- break;
-
- case SSL3_VERSION:
- ver = US"SSLv3";
- break;
-
- case TLS1_VERSION:
- ver = US"TLSv1";
- break;
-
-#ifdef TLS1_1_VERSION
- case TLS1_1_VERSION:
- ver = US"TLSv1.1";
- break;
-#endif
+const uschar *ver;
-#ifdef TLS1_2_VERSION
- case TLS1_2_VERSION:
- ver = US"TLSv1.2";
- break;
-#endif
-
- default:
- ver = US"UNKNOWN";
- }
+ver = (const uschar *)SSL_get_version(ssl);
c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
SSL_CIPHER_get_bits(c, bits);
the error. */
rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
tls_ocsp_file,
#endif
NULL, &server_static_cbinfo);
debug_printf("Shared ciphers: %s\n", buf);
}
+/* Record the certificate we presented */
+ {
+ X509 * crt = SSL_get_certificate(server_ssl);
+ tls_in.ourcert = crt ? X509_dup(crt) : NULL;
+ }
/* Only used by the server-side tls (tls_in), including tls_getc.
Client-side (tls_out) reads (seem to?) go via
fd the fd of the connection
host connected host (for messages)
addr the first address
- certificate certificate file
- privatekey private key file
- sni TLS SNI to send to remote host
- verify_certs file for certificate verify
- crl file containing CRL
- require_ciphers list of allowed ciphers
- dh_min_bits minimum number of bits acceptable in server's DH prime
- (unused in OpenSSL)
- timeout startup timeout
+ ob smtp transport options
Returns: OK on success
FAIL otherwise - note that tls_error() will not give DEFER
int
tls_client_start(int fd, host_item *host, address_item *addr,
- uschar *certificate, uschar *privatekey, uschar *sni,
- uschar *verify_certs, uschar *crl,
- uschar *require_ciphers,
-#ifdef EXPERIMENTAL_OCSP
- uschar *hosts_require_ocsp,
-#endif
- int dh_min_bits ARG_UNUSED, int timeout)
+ void *v_ob)
{
+smtp_transport_options_block * ob = v_ob;
static uschar txt[256];
uschar *expciphers;
X509* server_cert;
int rc;
static uschar cipherbuf[256];
-#ifdef EXPERIMENTAL_OCSP
-BOOL require_ocsp = verify_check_this_host(&hosts_require_ocsp,
+#ifndef DISABLE_OCSP
+BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
NULL, host->name, host->address, NULL) == OK;
+BOOL request_ocsp = require_ocsp ? TRUE
+ : verify_check_this_host(&ob->hosts_request_ocsp,
+ NULL, host->name, host->address, NULL) == OK;
#endif
-rc = tls_init(&client_ctx, host, NULL, certificate, privatekey,
-#ifdef EXPERIMENTAL_OCSP
- require_ocsp ? US"" : NULL,
+rc = tls_init(&client_ctx, host, NULL,
+ ob->tls_certificate, ob->tls_privatekey,
+#ifndef DISABLE_OCSP
+ (void *)(long)request_ocsp,
#endif
addr, &client_static_cbinfo);
if (rc != OK) return rc;
tls_out.certificate_verified = FALSE;
client_verify_callback_called = FALSE;
-if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
+if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
+ &expciphers))
return FAIL;
/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
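Review bot: The client call to tls_init() now passes (void *)(long)request_ocsp, a BOOL cast to a pointer, into a parameter that is still declared as uschar *ocsp_file. This works only because the client branch tests it with if(ocsp_file), and it hides the intent from the type checker. The tls_init() header comment also still describes the argument as "flag for require ocsp (client)", although it now carries the request flag and the require decision travels separately through u_ocsp.client.verify_required. Suggest a distinct BOOL parameter for the client case, or at minimum updating that comment to match.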
return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
}
-rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE, verify_callback_client);
-if (rc != OK) return rc;
+/* stick to the old behaviour for compatibility if tls_verify_certificates is
+ set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
+ the specified host patterns if one of them is defined */
-if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
+if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) ||
+ (verify_check_host(&ob->tls_verify_hosts) == OK))
+ {
+ if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates,
+ ob->tls_crl, host, FALSE, verify_callback_client)) != OK)
+ return rc;
+ client_verify_optional = FALSE;
+
+#ifdef EXPERIMENTAL_CERTNAMES
+ if (ob->tls_verify_cert_hostnames)
+ {
+ if (!expand_check(ob->tls_verify_cert_hostnames,
+ US"tls_verify_cert_hostnames",
+ &client_static_cbinfo->verify_cert_hostnames))
+ return FAIL;
+ if (client_static_cbinfo->verify_cert_hostnames)
+ DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
+ client_static_cbinfo->verify_cert_hostnames);
+ }
+#endif
+ }
+else if (verify_check_host(&ob->tls_try_verify_hosts) == OK)
+ {
+ if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates,
+ ob->tls_crl, host, TRUE, verify_callback_client)) != OK)
+ return rc;
+ client_verify_optional = TRUE;
+ }
+
+if ((client_ssl = SSL_new(client_ctx)) == NULL)
+ return tls_error(US"SSL_new", host, NULL);
SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
SSL_set_fd(client_ssl, fd);
SSL_set_connect_state(client_ssl);
-if (sni)
+if (ob->tls_sni)
{
- if (!expand_check(sni, US"tls_sni", &tls_out.sni))
+ if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
return FAIL;
if (tls_out.sni == NULL)
{
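Review bot: The new if / else if on tls_verify_hosts and tls_try_verify_hosts has no final else, so when either option is set but the host matches neither list, setup_certs() is never called and client_verify_optional is left at whatever value it last held. Suggest an explicit else that sets client_verify_optional to a known value and emits a DEBUG(D_tls) line saying the server certificate will not be verified for this host, so the unverified case is visible rather than implicit. Also, tls_verify_cert_hostnames is expanded only in the first branch, so it is silently ignored for hosts matched by tls_try_verify_hosts; if that is intended it deserves a comment.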
}
}
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
/* Request certificate status at connection-time. If the server
does OCSP stapling we will get the callback (set in tls_init()) */
-if (require_ocsp)
+if (request_ocsp)
+ {
SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
+ client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
+ tls_out.ocsp = OCSP_NOT_RESP;
+ }
#endif
/* There doesn't seem to be a built-in timeout on connection. */
DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
sigalrm_seen = FALSE;
-alarm(timeout);
+alarm(ob->command_timeout);
rc = SSL_connect(client_ssl);
alarm(0);
DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
/* Beware anonymous ciphers which lead to server_cert being NULL */
+/*XXX server_cert is never freed... use X509_free() */
server_cert = SSL_get_peer_certificate (client_ssl);
if (server_cert)
{
tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
CS txt, sizeof(txt));
- tls_out.peerdn = txt;
+ tls_out.peerdn = txt; /*XXX a static buffer... */
}
else
tls_out.peerdn = NULL;
construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
tls_out.cipher = cipherbuf;
+/* Record the certificate we presented */
+ {
+ X509 * crt = SSL_get_certificate(client_ssl);
+ tls_out.ourcert = crt ? X509_dup(crt) : NULL;
+ }
+
tls_out.active = fd;
return OK;
}
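Review bot: The added comment /*XXX server_cert is never freed... use X509_free() */ records a leak instead of fixing it. SSL_get_peer_certificate() returns a reference the caller owns, and tls_out.peerdn is pointed at the static txt buffer rather than into the certificate, so X509_free(server_cert) can be called directly after the X509_NAME_oneline() call inside the if (server_cert) block. The new tls_out.ourcert = crt ? X509_dup(crt) : NULL copy likewise needs a matching free when the connection is torn down; none is visible in this hunk, so please point to where it happens or add it.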
it can result in serious failures, including crashing with a SIGSEGV. So
report the version found by the compiler and the run-time version.
+Note: some OS vendors backport security fixes without changing the version
+number/string, and the version date remains unchanged. The _build_ date
+will change, so we can more usefully assist with version diagnosis by also
+reporting the build date.
+
Arguments: a FILE* to print the results to
Returns: nothing
*/
tls_version_report(FILE *f)
{
fprintf(f, "Library version: OpenSSL: Compile: %s\n"
- " Runtime: %s\n",
+ " Runtime: %s\n"
+ " : %s\n",
OPENSSL_VERSION_TEXT,
- SSLeay_version(SSLEAY_VERSION));
+ SSLeay_version(SSLEAY_VERSION),
+ SSLeay_version(SSLEAY_BUILT_ON));
+/* third line is 38 characters for the %s and the line is 73 chars long;
+the OpenSSL output includes a "built on: " prefix already. */
}
return TRUE;
}
+/* vi: aw ai sw=2
+*/
/* End of tls-openssl.c */
#include "exim.h"
+#include "transports/smtp.h"
/* This module is compiled only when it is specifically requested in the
build-time configuration. However, some compilers don't like compiling empty
#ifdef USE_GNUTLS
#include "tls-gnu.c"
+#include "tlscert-gnu.c"
#define ssl_xfer_buffer (state_server.xfer_buffer)
#define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
#else
#include "tls-openssl.c"
+#include "tlscert-openssl.c"
#endif
#endif /* SUPPORT_TLS */
+void
+tls_modify_variables(tls_support * dest_tsp)
+{
+modify_variable(US"tls_bits", &dest_tsp->bits);
+modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
+modify_variable(US"tls_cipher", &dest_tsp->cipher);
+modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni", &dest_tsp->sni);
+#endif
+}
+
+
+#ifdef SUPPORT_TLS
+/************************************************
+* TLS certificate name operations *
+************************************************/
+
+/* Convert an rfc4514 DN to an exim comma-sep list.
+Backslashed commas need to be replaced by doublecomma
+for Exim's list quoting. We modify the given string
+inplace.
+*/
+
+static void
+dn_to_list(uschar * dn)
+{
+uschar * cp;
+for (cp = dn; *cp; cp++)
+ if (cp[0] == '\\' && cp[1] == ',')
+ *cp++ = ',';
+}
+
+
+/* Extract fields of a given type from an RFC4514-
+format Distinguished Name. Return an Exim list.
+NOTE: We modify the supplied dn string during operation.
+
+Arguments:
+ dn Distinguished Name string
+ mod string containing optional list-sep and
+ field selector match, comma-separated
+Return:
+ allocated string with list of matching fields,
+ field type stripped
+*/
+
+uschar *
+tls_field_from_dn(uschar * dn, uschar * mod)
+{
+int insep = ',';
+uschar outsep = '\n';
+uschar * ele;
+uschar * match = NULL;
+int len;
+uschar * list = NULL;
+
+while ((ele = string_nextinlist(&mod, &insep, NULL, 0)))
+ if (ele[0] != '>')
+ match = ele; /* field tag to match */
+ else if (ele[1])
+ outsep = ele[1]; /* nondefault separator */
+
+dn_to_list(dn);
+insep = ',';
+len = Ustrlen(match);
+while ((ele = string_nextinlist(&dn, &insep, NULL, 0)))
+ if (Ustrncmp(ele, match, len) == 0 && ele[len] == '=')
+ list = string_append_listele(list, outsep, ele+len+1);
+return list;
+}
+
+
+# ifdef EXPERIMENTAL_CERTNAMES
+/* Compare a domain name with a possibly-wildcarded name. Wildcards
+are restricted to a single one, as the first element of patterns
+having at least three dot-separated elements. Case-independent.
+Return TRUE for a match
+*/
+static BOOL
+is_name_match(const uschar * name, const uschar * pat)
+{
+uschar * cp;
+return *pat == '*' /* possible wildcard match */
+ ? *++pat == '.' /* starts star, dot */
+ && !Ustrchr(++pat, '*') /* has no more stars */
+ && Ustrchr(pat, '.') /* and has another dot. */
+ && (cp = Ustrchr(name, '.'))/* The name has at least one dot */
+ && strcmpic(++cp, pat) == 0 /* and we only compare after it. */
+ : !Ustrchr(pat+1, '*')
+ && strcmpic(name, pat) == 0;
+}
+
+/* Compare a list of names with the dnsname elements
+of the Subject Alternate Name, if any, and the
+Subject otherwise.
+
+Arguments:
+ namelist names to compare
+ cert certificate
+
+Returns:
+ TRUE/FALSE
+*/
+
+BOOL
+tls_is_name_for_cert(uschar * namelist, void * cert)
+{
+uschar * altnames = tls_cert_subject_altname(cert, US"dns");
+uschar * subjdn;
+uschar * certname;
+int cmp_sep = 0;
+uschar * cmpname;
+
+if ((altnames = tls_cert_subject_altname(cert, US"dns")))
+ {
+ int alt_sep = '\n';
+ while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
+ {
+ uschar * an = altnames;
+ while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0)))
+ if (is_name_match(cmpname, certname))
+ return TRUE;
+ }
+ }
+
+else if ((subjdn = tls_cert_subject(cert, NULL)))
+ {
+ int sn_sep = ',';
+
+ dn_to_list(subjdn);
+ while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
+ {
+ uschar * sn = subjdn;
+ while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0)))
+ if ( *certname++ == 'C'
+ && *certname++ == 'N'
+ && *certname++ == '='
+ && is_name_match(cmpname, certname)
+ )
+ return TRUE;
+ }
+ }
+return FALSE;
+}
+# endif /*EXPERIMENTAL_CERTNAMES*/
+#endif /*SUPPORT_TLS*/
+
+/* vi: aw ai sw=2
+*/
/* End of tls.c */
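Review bot: In tls_field_from_dn(), match stays NULL when the modifier string contains only an output-separator element (for example ">;"), and the following len = Ustrlen(match) then dereferences it. Return early, or treat a missing field tag as an expansion error, before taking the length. In is_name_match(), the non-wildcard arm evaluates Ustrchr(pat+1, '*'), which reads one byte past the terminator when pat is an empty string; a subject element of just "CN=" produces exactly that, so test *pat first. In tls_is_name_for_cert(), altnames is initialised with tls_cert_subject_altname(cert, US"dns") and the same call is repeated in the if condition; drop the initialiser so the certificate is parsed once.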
--- /dev/null
+/*************************************************
+* Exim - an Internet mail transport agent *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 2014 */
+
+/* This file provides TLS/SSL support for Exim using the GnuTLS library,
+one of the available supported implementations. This file is #included into
+tls.c when USE_GNUTLS has been set.
+*/
+
+#include <gnutls/gnutls.h>
+/* needed for cert checks in verification and DN extraction: */
+#include <gnutls/x509.h>
+/* needed to disable PKCS11 autoload unless requested */
+#if GNUTLS_VERSION_NUMBER >= 0x020c00
+# include <gnutls/pkcs11.h>
+#endif
+
+
+/*****************************************************
+* Export/import a certificate, binary/printable
+*****************************************************/
+int
+tls_export_cert(uschar * buf, size_t buflen, void * cert)
+{
+size_t sz = buflen;
+void * reset_point = store_get(0);
+int fail;
+uschar * cp;
+
+if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
+ GNUTLS_X509_FMT_PEM, buf, &sz)))
+ {
+ log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
+ gnutls_strerror(fail));
+ return 1;
+ }
+if ((cp = string_printing(buf)) != buf)
+ {
+ Ustrncpy(buf, cp, buflen);
+ if (buf[buflen-1])
+ fail = 1;
+ }
+store_reset(reset_point);
+return fail;
+}
+
+int
+tls_import_cert(const uschar * buf, void ** cert)
+{
+void * reset_point = store_get(0);
+gnutls_datum_t datum;
+gnutls_x509_crt_t crt;
+int fail = 0;
+
+gnutls_global_init();
+gnutls_x509_crt_init(&crt);
+
+datum.data = string_unprinting(US buf);
+datum.size = Ustrlen(datum.data);
+if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
+ {
+ log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
+ gnutls_strerror(fail));
+ fail = 1;
+ }
+else
+ *cert = (void *)crt;
+
+store_reset(reset_point);
+return fail;
+}
+
+void
+tls_free_cert(void * cert)
+{
+gnutls_x509_crt_deinit((gnutls_x509_crt_t) cert);
+gnutls_global_deinit();
+}
+
+/*****************************************************
+* Certificate field extraction routines
+*****************************************************/
+
+/* First, some internal service functions */
+
+static uschar *
+g_err(const char * tag, const char * from, int gnutls_err)
+{
+expand_string_message = string_sprintf("%s: %s fail: %s\n",
+ from, tag, gnutls_strerror(gnutls_err));
+return NULL;
+}
+
+
+static uschar *
+time_copy(time_t t, uschar * mod)
+{
+uschar * cp;
+struct tm * tp;
+size_t len;
+
+if (mod && Ustrcmp(mod, "int") == 0)
+ return string_sprintf("%u", (unsigned)t);
+
+cp = store_get(32);
+tp = gmtime(&t);
+len = strftime(CS cp, 32, "%b %e %T %Y %Z", tp);
+return len > 0 ? cp : NULL;
+}
+
+
+/**/
+/* Now the extractors, called from expand.c
+Arguments:
+ cert The certificate
+ mod Optional modifiers for the operator
+
+Return:
+ Allocated string with extracted value
+*/
+
+uschar *
+tls_cert_issuer(void * cert, uschar * mod)
+{
+uschar * cp = NULL;
+int ret;
+size_t siz = 0;
+
+if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz))
+ != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ return g_err("gi0", __FUNCTION__, ret);
+
+cp = store_get(siz);
+if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz)) < 0)
+ return g_err("gi1", __FUNCTION__, ret);
+
+return mod ? tls_field_from_dn(cp, mod) : cp;
+}
+
+uschar *
+tls_cert_not_after(void * cert, uschar * mod)
+{
+return time_copy(
+ gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert),
+ mod);
+}
+
+uschar *
+tls_cert_not_before(void * cert, uschar * mod)
+{
+return time_copy(
+ gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert),
+ mod);
+}
+
+uschar *
+tls_cert_serial_number(void * cert, uschar * mod)
+{
+uschar bin[50], txt[150];
+size_t sz = sizeof(bin);
+uschar * sp;
+uschar * dp;
+int ret;
+
+if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
+ bin, &sz)))
+ return g_err("gs0", __FUNCTION__, ret);
+
+for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--)
+ sprintf(dp, "%.2x", *sp);
+for(sp = txt; sp[0]=='0' && sp[1]; ) sp++; /* leading zeroes */
+return string_copy(sp);
+}
+
+uschar *
+tls_cert_signature(void * cert, uschar * mod)
+{
+uschar * cp1;
+uschar * cp2;
+uschar * cp3;
+size_t len = 0;
+int ret;
+
+if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len))
+ != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ return g_err("gs0", __FUNCTION__, ret);
+
+cp1 = store_get(len*4+1);
+if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len) != 0)
+ return g_err("gs1", __FUNCTION__, ret);
+
+for(cp3 = cp2 = cp1+len; cp1 < cp2; cp3 += 3, cp1++)
+ sprintf(cp3, "%.2x ", *cp1);
+cp3[-1]= '\0';
+
+return cp2;
+}
+
+uschar *
+tls_cert_signature_algorithm(void * cert, uschar * mod)
+{
+gnutls_sign_algorithm_t algo =
+ gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
+return algo < 0 ? NULL : string_copy(gnutls_sign_get_name(algo));
+}
+
+uschar *
+tls_cert_subject(void * cert, uschar * mod)
+{
+uschar * cp = NULL;
+int ret;
+size_t siz = 0;
+
+if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz))
+ != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ return g_err("gs0", __FUNCTION__, ret);
+
+cp = store_get(siz);
+if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz)) < 0)
+ return g_err("gs1", __FUNCTION__, ret);
+
+return mod ? tls_field_from_dn(cp, mod) : cp;
+}
+
+uschar *
+tls_cert_version(void * cert, uschar * mod)
+{
+return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
+}
+
+uschar *
+tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
+{
+uschar * cp1 = NULL;
+uschar * cp2;
+uschar * cp3;
+size_t siz = 0;
+unsigned int crit;
+int ret;
+
+ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
+ oid, idx, cp1, &siz, &crit);
+if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ return g_err("ge0", __FUNCTION__, ret);
+
+cp1 = store_get(siz*4 + 1);
+
+ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
+ oid, idx, cp1, &siz, &crit);
+if (ret < 0)
+ return g_err("ge1", __FUNCTION__, ret);
+
+/* binary data, DER encoded */
+
+/* just dump for now */
+for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp3 += 3, cp1++)
+ sprintf(cp3, "%.2x ", *cp1);
+cp3[-1]= '\0';
+
+return cp2;
+}
+
+uschar *
+tls_cert_subject_altname(void * cert, uschar * mod)
+{
+uschar * list = NULL;
+int index;
+size_t siz;
+int ret;
+uschar sep = '\n';
+uschar * tag = US"";
+uschar * ele;
+int match = -1;
+
+while (mod)
+ {
+ if (*mod == '>' && *++mod) sep = *mod++;
+ else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
+ else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; }
+ else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
+ else continue;
+
+ if (*mod++ != ',')
+ break;
+ }
+
+for(index = 0;; index++)
+ {
+ siz = 0;
+ switch(ret = gnutls_x509_crt_get_subject_alt_name(
+ (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
+ {
+ case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
+ return list; /* no more elements; normal exit */
+
+ case GNUTLS_E_SHORT_MEMORY_BUFFER:
+ break;
+
+ default:
+ return g_err("gs0", __FUNCTION__, ret);
+ }
+
+ ele = store_get(siz+1);
+ if ((ret = gnutls_x509_crt_get_subject_alt_name(
+ (gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0)
+ return g_err("gs1", __FUNCTION__, ret);
+ ele[siz] = '\0';
+
+ if ( match != -1 && match != ret /* wrong type of SAN */
+ || Ustrlen(ele) != siz) /* contains a NUL */
+ continue;
+ switch (ret)
+ {
+ case GNUTLS_SAN_DNSNAME: tag = US"DNS"; break;
+ case GNUTLS_SAN_URI: tag = US"URI"; break;
+ case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break;
+ default: continue; /* ignore unrecognised types */
+ }
+ list = string_append_listele(list, sep,
+ match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
+ }
+/*NOTREACHED*/
+}
+
+uschar *
+tls_cert_ocsp_uri(void * cert, uschar * mod)
+{
+#if GNUTLS_VERSION_NUMBER >= 0x030000
+gnutls_datum_t uri;
+int ret;
+uschar sep = '\n';
+int index;
+uschar * list = NULL;
+
+if (mod)
+ if (*mod == '>' && *++mod) sep = *mod++;
+
+for(index = 0;; index++)
+ {
+ ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
+ index, GNUTLS_IA_OCSP_URI, &uri, NULL);
+
+ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ return list;
+ if (ret < 0)
+ return g_err("gai", __FUNCTION__, ret);
+
+ list = string_append_listele(list, sep,
+ string_copyn(uri.data, uri.size));
+ }
+/*NOTREACHED*/
+
+#else
+
+expand_string_message =
+ string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
+ __FUNCTION__);
+return NULL;
+
+#endif
+}
+
+uschar *
+tls_cert_crl_uri(void * cert, uschar * mod)
+{
+int ret;
+size_t siz;
+uschar sep = '\n';
+int index;
+uschar * list = NULL;
+uschar * ele;
+
+if (mod)
+ if (*mod == '>' && *++mod) sep = *mod++;
+
+for(index = 0;; index++)
+ {
+ siz = 0;
+ switch(ret = gnutls_x509_crt_get_crl_dist_points(
+ (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL, NULL))
+ {
+ case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
+ return list;
+ case GNUTLS_E_SHORT_MEMORY_BUFFER:
+ break;
+ default:
+ return g_err("gc0", __FUNCTION__, ret);
+ }
+
+ ele = store_get(siz+1);
+ if ((ret = gnutls_x509_crt_get_crl_dist_points(
+ (gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0)
+ return g_err("gc1", __FUNCTION__, ret);
+
+ ele[siz] = '\0';
+ list = string_append_listele(list, sep, ele);
+ }
+/*NOTREACHED*/
+}
+
+
+/*****************************************************
+* Certificate operator routines
+*****************************************************/
+static uschar *
+fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo)
+{
+int ret;
+size_t siz = 0;
+uschar * cp;
+uschar * cp2;
+uschar * cp3;
+
+if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, NULL, &siz))
+ != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ return g_err("gf0", __FUNCTION__, ret);
+
+cp = store_get(siz*3+1);
+if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0)
+ return g_err("gf1", __FUNCTION__, ret);
+
+for (cp3 = cp2 = cp+siz; cp < cp2; cp++, cp3+=2)
+ sprintf(cp3, "%02X",*cp);
+return cp2;
+}
+
+
+uschar *
+tls_cert_fprt_md5(void * cert)
+{
+return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_MD5);
+}
+
+uschar *
+tls_cert_fprt_sha1(void * cert)
+{
+return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1);
+}
+
+uschar *
+tls_cert_fprt_sha256(void * cert)
+{
+return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256);
+}
+
+
+/* vi: aw ai sw=2
+*/
+/* End of tlscert-gnu.c */
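Review bot: The modifier loop in tls_cert_subject_altname() can spin forever. while (mod) never sees mod become NULL, and the else continue arm re-enters the loop without advancing mod, so any modifier that is not exactly "dns", "uri" or "mail" as the final element hangs the process. That covers an unknown keyword, a lone ">", and a keyword followed by another element such as "dns,>;", because Ustrcmp compares the whole remainder of the string. Suggest Ustrncmp against the keyword length and a break on anything unrecognised; the OpenSSL counterpart of this function carries the same loop and needs the same fix. In tls_cert_signature(), cp1 is passed uninitialised to the sizing call, and the second gnutls_x509_crt_get_signature() call does not assign ret, so the "gs1" error path reports the stale GNUTLS_E_SHORT_MEMORY_BUFFER from the first call instead of the real failure.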
--- /dev/null
+/*************************************************
+* Exim - an Internet mail transport agent *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 2014 */
+
+/* This module provides TLS (aka SSL) support for Exim using the OpenSSL
+library. It is #included into the tls.c file when that library is used.
+*/
+
+
+/* Heading stuff */
+
+#include <openssl/lhash.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/x509v3.h>
+
+
+/*****************************************************
+* Export/import a certificate, binary/printable
+*****************************************************/
+int
+tls_export_cert(uschar * buf, size_t buflen, void * cert)
+{
+BIO * bp = BIO_new(BIO_s_mem());
+int fail;
+
+if ((fail = PEM_write_bio_X509(bp, (X509 *)cert) ? 0 : 1))
+ log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+else
+ {
+ char * cp = CS buf;
+ int n;
+ buflen -= 2;
+ for(;;)
+ {
+ if ((n = BIO_gets(bp, cp, (int)buflen)) <= 0) break;
+ cp += n+1;
+ buflen -= n+1;
+ cp[-2] = '\\'; cp[-1] = 'n'; /* newline->"\n" */
+ } /* compat with string_printing() */
+ *cp = '\0';
+ }
+
+BIO_free(bp);
+return fail;
+}
+
+int
+tls_import_cert(const uschar * buf, void ** cert)
+{
+void * reset_point = store_get(0);
+const uschar * cp = string_unprinting(US buf);
+BIO * bp;
+X509 * x;
+int fail = 0;
+
+bp = BIO_new_mem_buf(US cp, -1);
+if (!(x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
+ {
+ log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ fail = 1;
+ }
+else
+ *cert = (void *)x;
+BIO_free(bp);
+store_reset(reset_point);
+return fail;
+}
+
+void
+tls_free_cert(void * cert)
+{
+X509_free((X509 *)cert);
+}
+
+
+/*****************************************************
+* Certificate field extraction routines
+*****************************************************/
+
+/* First, some internal service functions */
+
+static uschar *
+badalloc(void)
+{
+expand_string_message = US"allocation failure";
+return NULL;
+}
+
+static uschar *
+bio_string_copy(BIO * bp, int len)
+{
+uschar * cp = US"";
+len = len > 0 ? (int) BIO_get_mem_data(bp, &cp) : 0;
+cp = string_copyn(cp, len);
+BIO_free(bp);
+return cp;
+}
+
+static uschar *
+bio_string_time_to_int(BIO * bp, int len)
+{
+uschar * cp = US"";
+struct tm t;
+len = len > 0 ? (int) BIO_get_mem_data(bp, &cp) : 0;
+/*XXX %Z might be glibc-specific? */
+(void) strptime(CS cp, "%b%t%e%t%T%t%Y%t%Z", &t);
+BIO_free(bp);
+/*XXX timegm might not be portable? */
+return string_sprintf("%u", (unsigned) timegm(&t));
+}
+
+static uschar *
+asn1_time_copy(const ASN1_TIME * time, uschar * mod)
+{
+BIO * bp = BIO_new(BIO_s_mem());
+int len;
+
+if (!bp) return badalloc();
+
+len = ASN1_TIME_print(bp, time);
+return mod && Ustrcmp(mod, "int") == 0
+ ? bio_string_time_to_int(bp, len)
+ : bio_string_copy(bp, len);
+}
+
+static uschar *
+x509_name_copy(X509_NAME * name)
+{
+BIO * bp = BIO_new(BIO_s_mem());
+int len_good;
+
+if (!bp) return badalloc();
+
+len_good =
+ X509_NAME_print_ex(bp, name, 0, XN_FLAG_RFC2253) >= 0
+ ? 1 : 0;
+return bio_string_copy(bp, len_good);
+}
+
+/**/
+/* Now the extractors, called from expand.c
+Arguments:
+ cert The certificate
+ mod Optional modifiers for the operator
+
+Return:
+ Allocated string with extracted value
+*/
+
+uschar *
+tls_cert_issuer(void * cert, uschar * mod)
+{
+uschar * cp = x509_name_copy(X509_get_issuer_name((X509 *)cert));
+return mod ? tls_field_from_dn(cp, mod) : cp;
+}
+
+uschar *
+tls_cert_not_before(void * cert, uschar * mod)
+{
+return asn1_time_copy(X509_get_notBefore((X509 *)cert), mod);
+}
+
+uschar *
+tls_cert_not_after(void * cert, uschar * mod)
+{
+return asn1_time_copy(X509_get_notAfter((X509 *)cert), mod);
+}
+
+uschar *
+tls_cert_serial_number(void * cert, uschar * mod)
+{
+uschar txt[256];
+BIO * bp = BIO_new(BIO_s_mem());
+int len;
+
+if (!bp) return badalloc();
+
+len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert));
+if (len < sizeof(txt))
+ BIO_read(bp, txt, len);
+else
+ len = 0;
+BIO_free(bp);
+return string_copynlc(txt, len); /* lowercase */
+}
+
+uschar *
+tls_cert_signature(void * cert, uschar * mod)
+{
+uschar * cp = NULL;
+BIO * bp = BIO_new(BIO_s_mem());
+
+if (!bp) return badalloc();
+
+if (X509_print_ex(bp, (X509 *)cert, 0,
+ X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION | X509_FLAG_NO_SERIAL |
+ X509_FLAG_NO_SIGNAME | X509_FLAG_NO_ISSUER | X509_FLAG_NO_VALIDITY |
+ X509_FLAG_NO_SUBJECT | X509_FLAG_NO_PUBKEY | X509_FLAG_NO_EXTENSIONS |
+ /* X509_FLAG_NO_SIGDUMP is the missing one */
+ X509_FLAG_NO_AUX) == 1)
+ {
+ long len = BIO_get_mem_data(bp, &cp);
+ cp = string_copyn(cp, len);
+ }
+BIO_free(bp);
+return cp;
+}
+
+uschar *
+tls_cert_signature_algorithm(void * cert, uschar * mod)
+{
+return string_copy(US OBJ_nid2ln(X509_get_signature_type((X509 *)cert)));
+}
+
+uschar *
+tls_cert_subject(void * cert, uschar * mod)
+{
+uschar * cp = x509_name_copy(X509_get_subject_name((X509 *)cert));
+return mod ? tls_field_from_dn(cp, mod) : cp;
+}
+
+uschar *
+tls_cert_version(void * cert, uschar * mod)
+{
+return string_sprintf("%d", X509_get_version((X509 *)cert));
+}
+
+uschar *
+tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
+{
+int nid = OBJ_create(CS oid, "", "");
+int nidx = X509_get_ext_by_NID((X509 *)cert, nid, idx);
+X509_EXTENSION * ex = X509_get_ext((X509 *)cert, nidx);
+ASN1_OCTET_STRING * adata = X509_EXTENSION_get_data(ex);
+BIO * bp = BIO_new(BIO_s_mem());
+long len;
+uschar * cp1;
+uschar * cp2;
+uschar * cp3;
+
+if (!bp) return badalloc();
+
+M_ASN1_OCTET_STRING_print(bp, adata);
+/* binary data, DER encoded */
+
+/* just dump for now */
+len = BIO_get_mem_data(bp, &cp1);
+cp3 = cp2 = store_get(len*3+1);
+
+while(len)
+ {
+ sprintf(CS cp2, "%.2x ", *cp1++);
+ cp2 += 3;
+ len--;
+ }
+cp2[-1] = '\0';
+
+return cp3;
+}
+
+uschar *
+tls_cert_subject_altname(void * cert, uschar * mod)
+{
+uschar * list = NULL;
+STACK_OF(GENERAL_NAME) * san = (STACK_OF(GENERAL_NAME) *)
+ X509_get_ext_d2i((X509 *)cert, NID_subject_alt_name, NULL, NULL);
+uschar sep = '\n';
+uschar * tag = US"";
+uschar * ele;
+int match = -1;
+int len;
+
+if (!san) return NULL;
+
+while (mod)
+ {
+ if (*mod == '>' && *++mod) sep = *mod++;
+ else if (Ustrcmp(mod, "dns")==0) { match = GEN_DNS; mod += 3; }
+ else if (Ustrcmp(mod, "uri")==0) { match = GEN_URI; mod += 3; }
+ else if (Ustrcmp(mod, "mail")==0) { match = GEN_EMAIL; mod += 4; }
+ else continue;
+
+ if (*mod++ != ',')
+ break;
+ }
+
+while (sk_GENERAL_NAME_num(san) > 0)
+ {
+ GENERAL_NAME * namePart = sk_GENERAL_NAME_pop(san);
+ if (match != -1 && match != namePart->type)
+ continue;
+ switch (namePart->type)
+ {
+ case GEN_DNS:
+ tag = US"DNS";
+ ele = ASN1_STRING_data(namePart->d.dNSName);
+ len = ASN1_STRING_length(namePart->d.dNSName);
+ break;
+ case GEN_URI:
+ tag = US"URI";
+ ele = ASN1_STRING_data(namePart->d.uniformResourceIdentifier);
+ len = ASN1_STRING_length(namePart->d.uniformResourceIdentifier);
+ break;
+ case GEN_EMAIL:
+ tag = US"MAIL";
+ ele = ASN1_STRING_data(namePart->d.rfc822Name);
+ len = ASN1_STRING_length(namePart->d.rfc822Name);
+ break;
+ default:
+ continue; /* ignore unrecognised types */
+ }
+ if (ele[len]) /* not nul-terminated */
+ ele = string_copyn(ele, len);
+
+ if (strnlen(CS ele, len) == len) /* ignore any with embedded nul */
+ list = string_append_listele(list, sep,
+ match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
+ }
+
+sk_GENERAL_NAME_free(san);
+return list;
+}
+
+uschar *
+tls_cert_ocsp_uri(void * cert, uschar * mod)
+{
+STACK_OF(ACCESS_DESCRIPTION) * ads = (STACK_OF(ACCESS_DESCRIPTION) *)
+ X509_get_ext_d2i((X509 *)cert, NID_info_access, NULL, NULL);
+int adsnum = sk_ACCESS_DESCRIPTION_num(ads);
+int i;
+uschar sep = '\n';
+uschar * list = NULL;
+
+if (mod)
+ if (*mod == '>' && *++mod) sep = *mod++;
+
+for (i = 0; i < adsnum; i++)
+ {
+ ACCESS_DESCRIPTION * ad = sk_ACCESS_DESCRIPTION_value(ads, i);
+
+ if (ad && OBJ_obj2nid(ad->method) == NID_ad_OCSP)
+ list = string_append_listele(list, sep,
+ ASN1_STRING_data(ad->location->d.ia5));
+ }
+return list;
+}
+
+uschar *
+tls_cert_crl_uri(void * cert, uschar * mod)
+{
+STACK_OF(DIST_POINT) * dps = (STACK_OF(DIST_POINT) *)
+ X509_get_ext_d2i((X509 *)cert, NID_crl_distribution_points,
+ NULL, NULL);
+DIST_POINT * dp;
+int dpsnum = sk_DIST_POINT_num(dps);
+int i;
+uschar sep = '\n';
+uschar * list = NULL;
+
+if (mod)
+ if (*mod == '>' && *++mod) sep = *mod++;
+
+if (dps) for (i = 0; i < dpsnum; i++)
+ if ((dp = sk_DIST_POINT_value(dps, i)))
+ {
+ STACK_OF(GENERAL_NAME) * names = dp->distpoint->name.fullname;
+ GENERAL_NAME * np;
+ int nnum = sk_GENERAL_NAME_num(names);
+ int j;
+
+ for (j = 0; j < nnum; j++)
+ if ( (np = sk_GENERAL_NAME_value(names, j))
+ && np->type == GEN_URI
+ )
+ list = string_append_listele(list, sep,
+ ASN1_STRING_data(np->d.uniformResourceIdentifier));
+ }
+return list;
+}
+
+
+
+/*****************************************************
+* Certificate operator routines
+*****************************************************/
+static uschar *
+fingerprint(X509 * cert, const EVP_MD * fdig)
+{
+int j;
+unsigned int n;
+uschar md[EVP_MAX_MD_SIZE];
+uschar * cp;
+
+if (!X509_digest(cert,fdig,md,&n))
+ {
+ expand_string_message = US"tls_cert_fprt: out of mem\n";
+ return NULL;
+ }
+cp = store_get(n*2+1);
+for (j = 0; j < (int)n; j++) sprintf(CS cp+2*j, "%02X", md[j]);
+return(cp);
+}
+
+uschar *
+tls_cert_fprt_md5(void * cert)
+{
+return fingerprint((X509 *)cert, EVP_md5());
+}
+
+uschar *
+tls_cert_fprt_sha1(void * cert)
+{
+return fingerprint((X509 *)cert, EVP_sha1());
+}
+
+uschar *
+tls_cert_fprt_sha256(void * cert)
+{
+return fingerprint((X509 *)cert, EVP_sha256());
+}
+
+
+/* vi: aw ai sw=2
+*/
+/* End of tlscert-openssl.c */
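Review bot: the modifier loop in tls_cert_subject_altname never terminates on an unrecognised modifier: `while (mod)` tests the pointer, which is never set to NULL, and the `else continue;` branch re-enters the loop without advancing mod, so an empty string, a lone ">" or any value other than exactly "dns", "uri" or "mail" spins forever. Replace the `continue` with a `break` (or an expansion error) and loop on `*mod`. In tls_cert_ext_by_oid the result of X509_get_ext_by_NID is not checked before X509_get_ext and X509_EXTENSION_get_data are called, bp is never freed, and when len is 0 the final `cp2[-1] = '\0';` writes before the start of the buffer. tls_cert_ocsp_uri and tls_cert_crl_uri append ASN1_STRING_data() results directly, without the length and embedded-NUL check that tls_cert_subject_altname applies, and tls_cert_crl_uri dereferences dp->distpoint without a NULL test.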
{
struct timeval tv;
gettimeofday(&tv, NULL);
- (void) sprintf(CS timebuf, "%ld%06ld", tv.tv_sec, tv.tv_usec ); /* Unix epoch/usec format */
+ /* Unix epoch/usec format */
+ (void) sprintf(CS timebuf, "%ld%06ld", tv.tv_sec, (long) tv.tv_usec );
return timebuf;
}
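Review bot: tv.tv_sec is still passed uncast to %ld in the new sprintf line; the hunk adds `(long)` only for tv.tv_usec, so on a platform where time_t is not long the same format mismatch remains for the first argument. Cast both values, for example `(long) tv.tv_sec`.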
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* General functions concerned with transportation, and generic options for all
+/* Add/remove/rewwrite headers, and send them plus the empty-line sparator.
+
+Globals:
+ header_list
+
+Arguments:
+ addr (chain of) addresses (for extra headers), or NULL;
+ only the first address is used
+ fd file descriptor to write the message to
+ sendfn function for output
+ use_crlf turn NL into CR LF
+ rewrite_rules chain of header rewriting rules
+ rewrite_existflags flags for the rewriting rules
+
+Returns: TRUE on success; FALSE on failure.
+*/
+BOOL
+transport_headers_send(address_item *addr, int fd, uschar *add_headers, uschar *remove_headers,
+ BOOL (*sendfn)(int fd, uschar * s, int len, BOOL use_crlf),
+ BOOL use_crlf, rewrite_rule *rewrite_rules, int rewrite_existflags)
+{
+header_line *h;
+
+/* Then the message's headers. Don't write any that are flagged as "old";
+that means they were rewritten, or are a record of envelope rewriting, or
+were removed (e.g. Bcc). If remove_headers is not null, skip any headers that
+match any entries therein. It is a colon-sep list; expand the items
+separately and squash any empty ones.
+Then check addr->p.remove_headers too, provided that addr is not NULL. */
+
+for (h = header_list; h != NULL; h = h->next) if (h->type != htype_old)
+ {
+ int i;
+ uschar *list = remove_headers;
+
+ BOOL include_header = TRUE;
+
+ for (i = 0; i < 2; i++) /* For remove_headers && addr->p.remove_headers */
+ {
+ if (list)
+ {
+ int sep = ':'; /* This is specified as a colon-separated list */
+ uschar *s, *ss;
+ uschar buffer[128];
+ while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
+ {
+ int len;
+
+ if (i == 0)
+ if (!(s = expand_string(s)) && !expand_string_forcedfail)
+ {
+ errno = ERRNO_CHHEADER_FAIL;
+ return FALSE;
+ }
+ len = Ustrlen(s);
+ if (strncmpic(h->text, s, len) != 0) continue;
+ ss = h->text + len;
+ while (*ss == ' ' || *ss == '\t') ss++;
+ if (*ss == ':') break;
+ }
+ if (s != NULL) { include_header = FALSE; break; }
+ }
+ if (addr != NULL) list = addr->p.remove_headers;
+ }
+
+ /* If this header is to be output, try to rewrite it if there are rewriting
+ rules. */
+
+ if (include_header)
+ {
+ if (rewrite_rules)
+ {
+ void *reset_point = store_get(0);
+ header_line *hh;
+
+ if ((hh = rewrite_header(h, NULL, NULL, rewrite_rules, rewrite_existflags, FALSE)))
+ {
+ if (!sendfn(fd, hh->text, hh->slen, use_crlf)) return FALSE;
+ store_reset(reset_point);
+ continue; /* With the next header line */
+ }
+ }
+
+ /* Either no rewriting rules, or it didn't get rewritten */
+
+ if (!sendfn(fd, h->text, h->slen, use_crlf)) return FALSE;
+ }
+
+ /* Header removed */
+
+ else
+ {
+ DEBUG(D_transport) debug_printf("removed header line:\n%s---\n", h->text);
+ }
+ }
+
+/* Add on any address-specific headers. If there are multiple addresses,
+they will all have the same headers in order to be batched. The headers
+are chained in reverse order of adding (so several addresses from the
+same alias might share some of them) but we want to output them in the
+opposite order. This is a bit tedious, but there shouldn't be very many
+of them. We just walk the list twice, reversing the pointers each time,
+but on the second time, write out the items.
+
+Headers added to an address by a router are guaranteed to end with a newline.
+*/
+
+if (addr)
+ {
+ int i;
+ header_line *hprev = addr->p.extra_headers;
+ header_line *hnext;
+ for (i = 0; i < 2; i++)
+ {
+ for (h = hprev, hprev = NULL; h != NULL; h = hnext)
+ {
+ hnext = h->next;
+ h->next = hprev;
+ hprev = h;
+ if (i == 1)
+ {
+ if (!sendfn(fd, h->text, h->slen, use_crlf)) return FALSE;
+ DEBUG(D_transport)
+ debug_printf("added header line(s):\n%s---\n", h->text);
+ }
+ }
+ }
+ }
+
+/* If a string containing additional headers exists it is a newline-sep
+list. Expand each item and write out the result. This is done last so that
+if it (deliberately or accidentally) isn't in header format, it won't mess
+up any other headers. An empty string or a forced expansion failure are
+noops. An added header string from a transport may not end with a newline;
+add one if it does not. */
+
+if (add_headers)
+ {
+ int sep = '\n';
+ uschar * s;
+
+ while ((s = string_nextinlist(&add_headers, &sep, NULL, 0)))
+ if (!(s = expand_string(s)))
+ {
+ if (!expand_string_forcedfail)
+ { errno = ERRNO_CHHEADER_FAIL; return FALSE; }
+ }
+ else
+ {
+ int len = Ustrlen(s);
+ if (len > 0)
+ {
+ if (!sendfn(fd, s, len, use_crlf)) return FALSE;
+ if (s[len-1] != '\n' && !sendfn(fd, US"\n", 1, use_crlf))
+ return FALSE;
+ DEBUG(D_transport)
+ {
+ debug_printf("added header line:\n%s", s);
+ if (s[len-1] != '\n') debug_printf("\n");
+ debug_printf("---\n");
+ }
+ }
+ }
+ }
+
+/* Separate headers from body with a blank line */
+
+return sendfn(fd, US"\n", 1, use_crlf);
+}
+
+
/*************************************************
* Write the message *
*************************************************/
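Review bot: in the remove_headers loop of transport_headers_send a forced expansion failure leaves s NULL and execution falls through to `len = Ustrlen(s);`, because the guard `if (!(s = expand_string(s)) && !expand_string_forcedfail)` only returns on a non-forced failure. Add a `continue` for the NULL case before taking the length. The comment says empty items are squashed but a zero-length result is still compared rather than skipped, each list item is re-expanded for every header line, and the Arguments list in the function comment does not describe add_headers or remove_headers.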
{
int written = 0;
int len;
-header_line *h;
BOOL use_crlf = (options & topt_use_crlf) != 0;
/* Initialize pointer in output buffer. */
were removed (e.g. Bcc). If remove_headers is not null, skip any headers that
match any entries therein. Then check addr->p.remove_headers too, provided that
addr is not NULL. */
-
- if (remove_headers != NULL)
- {
- uschar *s = expand_string(remove_headers);
- if (s == NULL && !expand_string_forcedfail)
- {
- errno = ERRNO_CHHEADER_FAIL;
- return FALSE;
- }
- remove_headers = s;
- }
-
- for (h = header_list; h != NULL; h = h->next)
- {
- int i;
- uschar *list = NULL;
- BOOL include_header;
-
- if (h->type == htype_old) continue;
-
- include_header = TRUE;
- list = remove_headers;
-
- for (i = 0; i < 2; i++) /* For remove_headers && addr->p.remove_headers */
- {
- if (list != NULL)
- {
- int sep = ':'; /* This is specified as a colon-separated list */
- uschar *s, *ss;
- uschar buffer[128];
- while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer)))
- != NULL)
- {
- int len = Ustrlen(s);
- if (strncmpic(h->text, s, len) != 0) continue;
- ss = h->text + len;
- while (*ss == ' ' || *ss == '\t') ss++;
- if (*ss == ':') break;
- }
- if (s != NULL) { include_header = FALSE; break; }
- }
- if (addr != NULL) list = addr->p.remove_headers;
- }
-
- /* If this header is to be output, try to rewrite it if there are rewriting
- rules. */
-
- if (include_header)
- {
- if (rewrite_rules != NULL)
- {
- void *reset_point = store_get(0);
- header_line *hh =
- rewrite_header(h, NULL, NULL, rewrite_rules, rewrite_existflags,
- FALSE);
- if (hh != NULL)
- {
- if (!write_chunk(fd, hh->text, hh->slen, use_crlf)) return FALSE;
- store_reset(reset_point);
- continue; /* With the next header line */
- }
- }
-
- /* Either no rewriting rules, or it didn't get rewritten */
-
- if (!write_chunk(fd, h->text, h->slen, use_crlf)) return FALSE;
- }
-
- /* Header removed */
-
- else
- {
- DEBUG(D_transport) debug_printf("removed header line:\n%s---\n",
- h->text);
- }
- }
-
- /* Add on any address-specific headers. If there are multiple addresses,
- they will all have the same headers in order to be batched. The headers
- are chained in reverse order of adding (so several addresses from the
- same alias might share some of them) but we want to output them in the
- opposite order. This is a bit tedious, but there shouldn't be very many
- of them. We just walk the list twice, reversing the pointers each time,
- but on the second time, write out the items.
-
- Headers added to an address by a router are guaranteed to end with a newline.
- */
-
- if (addr != NULL)
- {
- int i;
- header_line *hprev = addr->p.extra_headers;
- header_line *hnext;
- for (i = 0; i < 2; i++)
- {
- for (h = hprev, hprev = NULL; h != NULL; h = hnext)
- {
- hnext = h->next;
- h->next = hprev;
- hprev = h;
- if (i == 1)
- {
- if (!write_chunk(fd, h->text, h->slen, use_crlf)) return FALSE;
- DEBUG(D_transport)
- debug_printf("added header line(s):\n%s---\n", h->text);
- }
- }
- }
- }
-
- /* If a string containing additional headers exists, expand it and write
- out the result. This is done last so that if it (deliberately or accidentally)
- isn't in header format, it won't mess up any other headers. An empty string
- or a forced expansion failure are noops. An added header string from a
- transport may not end with a newline; add one if it does not. */
-
- if (add_headers != NULL)
- {
- uschar *s = expand_string(add_headers);
- if (s == NULL)
- {
- if (!expand_string_forcedfail)
- {
- errno = ERRNO_CHHEADER_FAIL;
- return FALSE;
- }
- }
- else
- {
- int len = Ustrlen(s);
- if (len > 0)
- {
- if (!write_chunk(fd, s, len, use_crlf)) return FALSE;
- if (s[len-1] != '\n' && !write_chunk(fd, US"\n", 1, use_crlf))
- return FALSE;
- DEBUG(D_transport)
- {
- debug_printf("added header line(s):\n%s", s);
- if (s[len-1] != '\n') debug_printf("\n");
- debug_printf("---\n");
- }
- }
- }
- }
-
- /* Separate headers from body with a blank line */
-
- if (!write_chunk(fd, US"\n", 1, use_crlf)) return FALSE;
+ if (!transport_headers_send(addr, fd, add_headers, remove_headers, &write_chunk,
+ use_crlf, rewrite_rules, rewrite_existflags))
+ return FALSE;
}
/* If the body is required, ensure that the data for check strings (formerly
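Review bot: replacing the inline code with the transport_headers_send call changes when expansion happens: the removed lines expanded remove_headers and add_headers as whole strings before use, while the new function splits on ':' (newline for add_headers) first and expands each item separately. An expansion that yields several colon-separated header names, or that contains a colon or newline itself, now behaves differently, and that should be stated in the documentation and ChangeLog. The retained comment just above the call still describes the removal logic that no longer lives in this function.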
argv = child_exec_exim(CEE_RETURN_ARGV, TRUE, &i, FALSE, 0);
+ #ifdef EXPERIMENTAL_DSN
+ /* Call with the dsn flag */
+ if (smtp_use_dsn) argv[i++] = US"-MCD";
+ #endif
+
if (smtp_authenticated) argv[i++] = US"-MCA";
#ifdef SUPPORT_TLS
return TRUE;
}
+/* vi: aw ai sw=2
+*/
/* End of transport.c */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
if (addr->transport_return != PENDING_OK) continue;
if (lmtp_read_response(out, buffer, sizeof(buffer), '2', timeout))
+ {
addr->transport_return = OK;
-
+ if ((log_extra_selector & LX_smtp_confirmation) != 0)
+ {
+ uschar *s = string_printing(buffer);
+ addr->message = (s == buffer)? (uschar *)string_copy(s) : s;
+ }
+ }
/* If the response has failed badly, use it for all the remaining pending
addresses and give up. */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Private structure for the private options. */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
#include "../exim.h"
(void *)offsetof(smtp_transport_options_block, dns_qualify_single) },
{ "dns_search_parents", opt_bool,
(void *)offsetof(smtp_transport_options_block, dns_search_parents) },
+ { "dnssec_request_domains", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, dnssec_request_domains) },
+ { "dnssec_require_domains", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, dnssec_require_domains) },
{ "dscp", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, dscp) },
{ "fallback_hosts", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_override) },
{ "hosts_randomize", opt_bool,
(void *)offsetof(smtp_transport_options_block, hosts_randomize) },
+#if defined(SUPPORT_TLS) && !defined(DISABLE_OCSP)
+ { "hosts_request_ocsp", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) },
+#endif
{ "hosts_require_auth", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
#ifdef SUPPORT_TLS
-# if defined EXPERIMENTAL_OCSP
+# ifndef DISABLE_OCSP
{ "hosts_require_ocsp", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_ocsp) },
# endif
#endif
{ "hosts_try_auth", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
{ "hosts_try_prdr", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_prdr) },
#endif
(void *)offsetof(smtp_transport_options_block, tls_sni) },
{ "tls_tempfail_tryclear", opt_bool,
(void *)offsetof(smtp_transport_options_block, tls_tempfail_tryclear) },
+ { "tls_try_verify_hosts", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, tls_try_verify_hosts) },
+#ifdef EXPERIMENTAL_CERTNAMES
+ { "tls_verify_cert_hostnames", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block,tls_verify_cert_hostnames)},
+#endif
{ "tls_verify_certificates", opt_stringptr,
- (void *)offsetof(smtp_transport_options_block, tls_verify_certificates) }
+ (void *)offsetof(smtp_transport_options_block, tls_verify_certificates) },
+ { "tls_verify_hosts", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, tls_verify_hosts) }
#endif
#ifdef EXPERIMENTAL_TPDA
,{ "tpda_host_defer_action", opt_stringptr,
NULL, /* serialize_hosts */
NULL, /* hosts_try_auth */
NULL, /* hosts_require_auth */
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
NULL, /* hosts_try_prdr */
#endif
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
+ US"*", /* hosts_request_ocsp */
NULL, /* hosts_require_ocsp */
#endif
NULL, /* hosts_require_tls */
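Review bot: the default for the new hosts_request_ocsp slot is `US"*"`, so OCSP is requested from all hosts by default once this lands; that is a behaviour change for existing configurations and should be stated where the option is documented. The initialiser is guarded by `#ifndef DISABLE_OCSP` alone, while the option table entry for the same field uses `defined(SUPPORT_TLS) && !defined(DISABLE_OCSP)`; a short comment on why the two guards differ would help the next reader.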
FALSE, /* gethostbyname */
TRUE, /* dns_qualify_single */
FALSE, /* dns_search_parents */
+ NULL, /* dnssec_request_domains */
+ NULL, /* dnssec_require_domains */
TRUE, /* delay_after_cutoff */
FALSE, /* hosts_override */
FALSE, /* hosts_randomize */
NULL, /* tls_verify_certificates */
EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
/* tls_dh_min_bits */
- TRUE /* tls_tempfail_tryclear */
+ TRUE, /* tls_tempfail_tryclear */
+ NULL, /* tls_verify_hosts */
+ NULL /* tls_try_verify_hosts */
+# ifdef EXPERIMENTAL_CERTNAMES
+ ,NULL /* tls_verify_cert_hostnames */
+# endif
#endif
#ifndef DISABLE_DKIM
,NULL, /* dkim_canon */
#endif
};
+#ifdef EXPERIMENTAL_DSN
+/* some DSN flags for use later */
+
+static int rf_list[] = {rf_notify_never, rf_notify_success,
+ rf_notify_failure, rf_notify_delay };
+
+static uschar *rf_names[] = { "NEVER", "SUCCESS", "FAILURE", "DELAY" };
+#endif
+
+
/* Local statics */
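Review bot: rf_names is declared `static uschar *rf_names[]` but initialised with plain string literals, without the US cast used for other uschar string constants in this file (for example `US"*"`); add the casts and make both tables const. The loop that walks these tables hard-codes 4 as the element count; deriving it from the array size would keep rf_list and rf_names in step.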
? string_sprintf("%s: %s", addr->message, strerror(addr->basic_errno))
: string_copy(addr->message)
: addr->basic_errno > 0
- ? string_copy(strerror(addr->basic_errno))
+ ? string_copy(US strerror(addr->basic_errno))
: NULL;
DEBUG(D_transport)
BOOL esmtp = TRUE;
BOOL pending_MAIL;
BOOL pass_message = FALSE;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
BOOL prdr_offered = FALSE;
BOOL prdr_active;
#endif
+#ifdef EXPERIMENTAL_DSN
+BOOL dsn_all_lasthop = TRUE;
+#endif
smtp_inblock inblock;
smtp_outblock outblock;
int max_rcpt = tblock->max_addresses;
/* Reset the parameters of a TLS session. */
-tls_in.bits = 0;
-tls_in.cipher = NULL; /* for back-compatible behaviour */
-tls_in.peerdn = NULL;
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-tls_in.sni = NULL;
-#endif
-
tls_out.bits = 0;
tls_out.cipher = NULL; /* the one we may use for this transport */
+tls_out.ourcert = NULL;
+tls_out.peercert = NULL;
tls_out.peerdn = NULL;
#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
tls_out.sni = NULL;
#endif
+tls_out.ocsp = OCSP_NOT_REQ;
+
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of the transport. Don't bother resetting
+afterward as we're in a subprocess. */
+
+tls_modify_variables(&tls_out);
#ifndef SUPPORT_TLS
if (smtps)
{
- set_errno(addrlist, 0, US"TLS support not available", DEFER, FALSE);
- return ERROR;
+ set_errno(addrlist, 0, US"TLS support not available", DEFER, FALSE);
+ return ERROR;
}
#endif
PCRE_EOPT, NULL, 0) >= 0;
#endif
- #ifdef EXPERIMENTAL_PRDR
+ #ifndef DISABLE_PRDR
prdr_offered = esmtp &&
(pcre_exec(regex_PRDR, NULL, CS buffer, Ustrlen(buffer), 0,
PCRE_EOPT, NULL, 0) >= 0) &&
else
TLS_NEGOTIATE:
{
- int rc = tls_client_start(inblock.sock,
- host,
- addrlist,
- ob->tls_certificate,
- ob->tls_privatekey,
- ob->tls_sni,
- ob->tls_verify_certificates,
- ob->tls_crl,
- ob->tls_require_ciphers,
-#ifdef EXPERIMENTAL_OCSP
- ob->hosts_require_ocsp,
-#endif
- ob->tls_dh_min_bits,
- ob->command_timeout);
+ int rc = tls_client_start(inblock.sock, host, addrlist, ob);
/* TLS negotiation failed; give an error. From outside, this function may
be called again to try in clear on a new connection, if the options permit
if (addr->transport_return == PENDING_DEFER)
{
addr->cipher = tls_out.cipher;
+ addr->ourcert = tls_out.ourcert;
+ addr->peercert = tls_out.peercert;
addr->peerdn = tls_out.peerdn;
+ addr->ocsp = tls_out.ocsp;
}
}
}
DEBUG(D_transport) debug_printf("%susing PIPELINING\n",
smtp_use_pipelining? "" : "not ");
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
prdr_offered = esmtp &&
pcre_exec(regex_PRDR, NULL, CS buffer, Ustrlen(CS buffer), 0,
PCRE_EOPT, NULL, 0) >= 0 &&
{DEBUG(D_transport) debug_printf("PRDR usable\n");}
#endif
+#ifdef EXPERIMENTAL_DSN
+ /* Note if the server supports DSN */
+ smtp_use_dsn = esmtp && pcre_exec(regex_DSN, NULL, CS buffer, (int)Ustrlen(CS buffer), 0,
+ PCRE_EOPT, NULL, 0) >= 0;
+ DEBUG(D_transport) debug_printf("use_dsn=%d\n", smtp_use_dsn);
+#endif
+
/* Note if the response to EHLO specifies support for the AUTH extension.
If it has, check that this host is one we want to authenticate to, and do
the business. The host name and address must be available when the
while (*p) p++;
}
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
prdr_active = FALSE;
if (prdr_offered)
{
prdr_is_active:
#endif
+#ifdef EXPERIMENTAL_DSN
+/* check if all addresses have lasthop flag */
+/* do not send RET and ENVID if true */
+dsn_all_lasthop = TRUE;
+for (addr = first_addr;
+ address_count < max_rcpt && addr != NULL;
+ addr = addr->next)
+ if ((addr->dsn_flags & rf_dsnlasthop) != 1)
+ dsn_all_lasthop = FALSE;
+
+/* Add any DSN flags to the mail command */
+
+if ((smtp_use_dsn) && (dsn_all_lasthop == FALSE))
+ {
+ if (dsn_ret == dsn_ret_hdrs)
+ {
+ strcpy(p, " RET=HDRS");
+ while (*p) p++;
+ }
+ else if (dsn_ret == dsn_ret_full)
+ {
+ strcpy(p, " RET=FULL");
+ while (*p) p++;
+ }
+ if (dsn_envid != NULL)
+ {
+ string_format(p, sizeof(buffer) - (p-buffer), " ENVID=%s", dsn_envid);
+ while (*p) p++;
+ }
+ }
+#endif
+
/* If an authenticated_sender override has been specified for this transport
instance, expand it. If the expansion is forced to fail, and there was already
an authenticated_sender for this message, the original value will be used.
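Review bot: the last-hop test `(addr->dsn_flags & rf_dsnlasthop) != 1` compares a masked value with the literal 1, which is only correct if rf_dsnlasthop happens to be bit 0; compare against 0 or against the mask so the test does not depend on the flag's value. In the same loop address_count is tested against max_rcpt but not incremented, so the bound does not limit the scan to the batch about to be sent. RET=HDRS and RET=FULL are appended with strcpy while ENVID uses string_format with a size, and the result of that call is ignored, so an ENVID that does not fit goes undetected.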
int count;
BOOL no_flush;
+ #ifdef EXPERIMENTAL_DSN
+ if(smtp_use_dsn)
+ addr->dsn_aware = dsn_support_yes;
+ else
+ addr->dsn_aware = dsn_support_no;
+ #endif
+
if (addr->transport_return != PENDING_DEFER) continue;
address_count++;
no_flush = smtp_use_pipelining && (!mua_wrapper || addr->next != NULL);
+ #ifdef EXPERIMENTAL_DSN
+ /* Add any DSN flags to the rcpt command and add to the sent string */
+
+ p = buffer;
+ *p = 0;
+
+ if ((smtp_use_dsn) && ((addr->dsn_flags & rf_dsnlasthop) != 1))
+ {
+ if ((addr->dsn_flags & rf_dsnflags) != 0)
+ {
+ int i;
+ BOOL first = TRUE;
+ strcpy(p, " NOTIFY=");
+ while (*p) p++;
+ for (i = 0; i < 4; i++)
+ {
+ if ((addr->dsn_flags & rf_list[i]) != 0)
+ {
+ if (!first) *p++ = ',';
+ first = FALSE;
+ strcpy(p, rf_names[i]);
+ while (*p) p++;
+ }
+ }
+ }
+
+ if (addr->dsn_orcpt != NULL) {
+ string_format(p, sizeof(buffer) - (p-buffer), " ORCPT=%s",
+ addr->dsn_orcpt);
+ while (*p) p++;
+ }
+ }
+ #endif
+
+
/* Now send the RCPT command, and process outstanding responses when
necessary. After a timeout on RCPT, we just end the function, leaving the
yield as OK, because this error can often mean that there is a problem with
just one address, so we don't want to delay the host. */
+ #ifdef EXPERIMENTAL_DSN
+ count = smtp_write_command(&outblock, no_flush, "RCPT TO:<%s>%s%s\r\n",
+ transport_rcpt_address(addr, tblock->rcpt_include_affixes), igquotstr, buffer);
+ #else
count = smtp_write_command(&outblock, no_flush, "RCPT TO:<%s>%s\r\n",
transport_rcpt_address(addr, tblock->rcpt_include_affixes), igquotstr);
+ #endif
+
if (count < 0) goto SEND_FAILED;
if (count > 0)
{
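Review bot: in the RCPT loop addr->dsn_aware is assigned before the `if (addr->transport_return != PENDING_DEFER) continue;` check, so addresses that are skipped on this connection are also marked with this host's DSN capability; move the assignment below the check if only addresses actually sent should carry it. The `(addr->dsn_flags & rf_dsnlasthop) != 1` comparison has the same dependence on the flag being bit 0 as in the MAIL command code, the NOTIFY list is appended with strcpy without a bound, and the result of the ORCPT string_format call is ignored.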
smtp_command = US"end of data";
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
/* For PRDR we optionally get a partial-responses warning
* followed by the individual responses, before going on with
* the overall response. If we don't get the warning then deal
address. For temporary errors, add a retry item for the address so that
it doesn't get tried again too soon. */
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
if (lmtp || prdr_active)
#else
if (lmtp)
{
if (errno != 0 || buffer[0] == 0) goto RESPONSE_FAILED;
addr->message = string_sprintf(
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
"%s error after %s: %s", prdr_active ? "PRDR":"LMTP",
#else
"LMTP error after %s: %s",
errno = ERRNO_DATA4XX;
addr->more_errno |= ((buffer[1] - '0')*10 + buffer[2] - '0') << 8;
addr->transport_return = DEFER;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
if (!prdr_active)
#endif
retry_add_item(addr, addr->address_retry_key, 0);
addr->host_used = thost;
addr->special_action = flag;
addr->message = conf;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
if (prdr_active) addr->flags |= af_prdr_used;
#endif
flag = '-';
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
if (!prdr_active)
#endif
{
}
}
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
if (prdr_active)
{
/* PRDR - get the final, overall response. For any non-success
#endif
/* Close the socket, and return the appropriate value, first setting
-continue_transport and continue_hostname NULL to prevent any other addresses
-that may include the host from trying to re-use a continuation socket. This
works because the NULL setting is passed back to the calling process, and
remote_max_parallel is forced to 1 when delivering over an existing connection,
addr->message = NULL;
#ifdef SUPPORT_TLS
addr->cipher = NULL;
+ addr->ourcert = NULL;
+ addr->peercert = NULL;
addr->peerdn = NULL;
+ addr->ocsp = OCSP_NOT_REQ;
#endif
}
return first_addr;
rc = host_find_byname(host, NULL, flags, &canonical_name, TRUE);
else
rc = host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
+ ob->dnssec_request_domains, ob->dnssec_require_domains,
&canonical_name, NULL);
/* Update the host (and any additional blocks, resulting from
deliver_host = host->name;
deliver_host_address = host->address;
+ lookup_dnssec_authenticated = host->dnssec == DS_YES ? US"yes"
+ : host->dnssec == DS_NO ? US"no"
+ : US"";
/* Set up a string for adding to the retry key if the port number is not
the standard SMTP port. A host may have its own port setting that overrides
return TRUE; /* Each address has its status */
}
+/* vi: aw ai sw=2
+*/
/* End of transport/smtp.c */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Private structure for the private options and other private data. */
uschar *serialize_hosts;
uschar *hosts_try_auth;
uschar *hosts_require_auth;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
uschar *hosts_try_prdr;
#endif
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
+ uschar *hosts_request_ocsp;
uschar *hosts_require_ocsp;
#endif
uschar *hosts_require_tls;
BOOL gethostbyname;
BOOL dns_qualify_single;
BOOL dns_search_parents;
+ uschar *dnssec_request_domains;
+ uschar *dnssec_require_domains;
BOOL delay_after_cutoff;
BOOL hosts_override;
BOOL hosts_randomize;
BOOL keepalive;
BOOL lmtp_ignore_quota;
BOOL retry_include_ip_address;
- #ifdef SUPPORT_TLS
+#ifdef SUPPORT_TLS
uschar *tls_certificate;
uschar *tls_crl;
uschar *tls_privatekey;
uschar *tls_verify_certificates;
int tls_dh_min_bits;
BOOL tls_tempfail_tryclear;
- #endif
- #ifndef DISABLE_DKIM
+ uschar *tls_verify_hosts;
+ uschar *tls_try_verify_hosts;
+# ifdef EXPERIMENTAL_CERTNAMES
+ uschar *tls_verify_cert_hostnames;
+# endif
+#endif
+#ifndef DISABLE_DKIM
uschar *dkim_domain;
uschar *dkim_private_key;
uschar *dkim_selector;
uschar *dkim_canon;
uschar *dkim_sign_headers;
uschar *dkim_strict;
- #endif
- #ifdef EXPERIMENTAL_TPDA
+#endif
+#ifdef EXPERIMENTAL_TPDA
uschar *tpda_host_defer_action;
- #endif
+#endif
} smtp_transport_options_block;
/* Data for reading the private options. */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions concerned with verifying things. The original code for callout
{
HDEBUG(D_verify) debug_printf("cannot callout via null transport\n");
}
+else if (Ustrcmp(addr->transport->driver_name, "smtp") != 0)
+ log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp",
+ addr->transport->name, addr->transport->driver_name);
else
{
smtp_transport_options_block *ob =
- (smtp_transport_options_block *)(addr->transport->options_block);
+ (smtp_transport_options_block *)addr->transport->options_block;
/* The information wasn't available in the cache, so we have to do a real
callout and save the result in the cache for next time, unless no_cache is set,
#endif
if (!(done= smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout)))
goto RESPONSE_FAILED;
-
+
/* Not worth checking greeting line for ESMTP support */
if (!(esmtp = verify_check_this_host(&(ob->hosts_avoid_esmtp), NULL,
host->name, host->address, NULL) != OK))
/* STARTTLS accepted or ssl-on-connect: try to negotiate a TLS session. */
else
{
- int rc = tls_client_start(inblock.sock, host, addr,
- ob->tls_certificate, ob->tls_privatekey,
- ob->tls_sni,
- ob->tls_verify_certificates, ob->tls_crl,
- ob->tls_require_ciphers,
-#ifdef EXPERIMENTAL_OCSP
- ob->hosts_require_ocsp,
-#endif
- ob->tls_dh_min_bits, callout);
+ int oldtimeout = ob->command_timeout;
+ int rc;
+
+ ob->command_timeout = callout;
+ rc = tls_client_start(inblock.sock, host, addr, ob);
+ ob->command_timeout = oldtimeout;
/* TLS negotiation failed; give an error. Try in clear on a new connection,
if the options permit it for this host. */
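Review bot: the callout timeout is passed to tls_client_start by overwriting ob->command_timeout and restoring it afterwards; ob points at the transport's options block, so anything else reading that block during the call sees the callout value, and the restore depends on the call returning normally. An explicit timeout parameter, or a local copy of the block with the field changed, would avoid mutating shared configuration.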
done = TRUE; /* so far so good; have response to HELO */
- /*XXX the EHLO response would be analyzed here for IGNOREQUOTA, SIZE, PIPELINING, AUTH */
- /* If we haven't authenticated, but are required to, give up. */
+ /*XXX the EHLO response would be analyzed here for IGNOREQUOTA, SIZE, PIPELINING */
- /*XXX "filter command specified for this transport" ??? */
- /* for now, transport_filter by cutthrough-delivery is not supported */
+ /* For now, transport_filter by cutthrough-delivery is not supported */
/* Need proper integration with the proper transport mechanism. */
-
+ if (cutthrough_delivery)
+ {
+ if (addr->transport->filter_command)
+ {
+ cutthrough_delivery= FALSE;
+ HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n");
+ }
+ #ifndef DISABLE_DKIM
+ if (ob->dkim_domain)
+ {
+ cutthrough_delivery= FALSE;
+ HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n");
+ }
+ #endif
+ }
SEND_FAILED:
RESPONSE_FAILED:
}
}
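Review bot: When cutthrough is cancelled because addr->transport->filter_command or ob->dkim_domain is set, the only trace is an HDEBUG(D_acl|D_v) line, so an operator who configured cutthrough together with a transport filter or DKIM signing gets no indication in the normal log that it was turned off. Consider a main-log line, or at least a documentation note listing these two conditions. Style: the #ifndef DISABLE_DKIM / #endif pair is indented, unlike the column-zero #ifdef EXPERIMENTAL_OCSP removed a few lines earlier.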
+ /* If we haven't authenticated, but are required to, give up. */
/* Try to AUTH */
else done = smtp_auth(responsebuffer, sizeof(responsebuffer),
{
cutthrough_fd= outblock.sock; /* We assume no buffer in use in the outblock */
cutthrough_addr = *addr; /* Save the address_item for later logging */
+ cutthrough_addr.next = NULL;
cutthrough_addr.host_used = store_get(sizeof(host_item));
cutthrough_addr.host_used->name = host->name;
cutthrough_addr.host_used->address = host->address;
}
+/* fd and use_crlf args only to match write_chunk() */
+static BOOL
+cutthrough_write_chunk(int fd, uschar * s, int len, BOOL use_crlf)
+{
+uschar * s2;
+while(s && (s2 = Ustrchr(s, '\n')))
+ {
+ if(!cutthrough_puts(s, s2-s) || !cutthrough_put_nl())
+ return FALSE;
+ s = s2+1;
+ }
+return TRUE;
+}
+
+
/* Buffered send of headers. Return success boolean. */
/* Expands newlines to wire format (CR,NL). */
/* Also sends header-terminating blank line. */
BOOL
cutthrough_headers_send( void )
{
-header_line * h;
-uschar * cp1, * cp2;
-
if(cutthrough_fd < 0)
return FALSE;
-for(h= header_list; h != NULL; h= h->next)
- if(h->type != htype_old && h->text != NULL)
- for (cp1 = h->text; *cp1 && (cp2 = Ustrchr(cp1, '\n')); cp1 = cp2+1)
- if( !cutthrough_puts(cp1, cp2-cp1)
- || !cutthrough_put_nl())
- return FALSE;
+/* We share a routine with the mainline transport to handle header add/remove/rewrites,
+ but having a separate buffered-output function (for now)
+*/
+HDEBUG(D_acl) debug_printf("----------- start cutthrough headers send -----------\n");
+
+if (!transport_headers_send(&cutthrough_addr, cutthrough_fd,
+ cutthrough_addr.transport->add_headers, cutthrough_addr.transport->remove_headers,
+ &cutthrough_write_chunk, TRUE,
+ cutthrough_addr.transport->rewrite_rules, cutthrough_addr.transport->rewrite_existflags))
+ return FALSE;
-HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>>(nl)\n");
-return cutthrough_put_nl();
+HDEBUG(D_acl) debug_printf("----------- done cutthrough headers send ------------\n");
+return TRUE;
}
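Review bot: cutthrough_write_chunk() never uses its len argument. The loop walks s with Ustrchr(s, '\n') up to the NUL terminator, so it sends everything up to the last newline in the string whatever length the caller asked for, and it silently drops any trailing bytes that are not newline-terminated. If transport_headers_send() ever hands it a chunk that is shorter than the underlying string, or one that does not end in '\n', the output will be wrong. Bound the scan by len (memchr rather than Ustrchr) and write out the remainder. Separately, the retained comment "Also sends header-terminating blank line" now relies on transport_headers_send() emitting that line, since the explicit cutthrough_put_nl() return was removed; please confirm that and say so in the comment.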
they're used in the context of a transport used by verification. Reset them
at exit from this routine. */
-modify_variable(US"tls_bits", &tls_out.bits);
-modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified);
-modify_variable(US"tls_cipher", &tls_out.cipher);
-modify_variable(US"tls_peerdn", &tls_out.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni", &tls_out.sni);
-#endif
+tls_modify_variables(&tls_out);
/* Save a copy of the sender address for re-instating if we change it to <>
while verifying a sender address (a nice bit of self-reference there). */
string_is_ip_address(host->name, NULL) != 0)
(void)host_find_byname(host, NULL, flags, &canonical_name, TRUE);
else
+ {
+ uschar * d_request = NULL, * d_require = NULL;
+ if (Ustrcmp(addr->transport->driver_name, "smtp") == 0)
+ {
+ smtp_transport_options_block * ob =
+ (smtp_transport_options_block *)
+ addr->transport->options_block;
+ d_request = ob->dnssec_request_domains;
+ d_require = ob->dnssec_require_domains;
+ }
+
(void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
- &canonical_name, NULL);
+ d_request, d_require, &canonical_name, NULL);
+ }
}
}
}
the -bv or -bt case). */
out:
-
-modify_variable(US"tls_bits", &tls_in.bits);
-modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified);
-modify_variable(US"tls_cipher", &tls_in.cipher);
-modify_variable(US"tls_peerdn", &tls_in.peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-modify_variable(US"tls_sni", &tls_in.sni);
-#endif
+tls_modify_variables(&tls_in);
return yield;
}
}
+/*************************************************
+* Check header names for 8-bit characters *
+*************************************************/
+
+/* This function checks for invalid charcters in header names. See
+RFC 5322, 2.2. and RFC 6532, 3.
+
+Arguments:
+ msgptr where to put an error message
+
+Returns: OK
+ FAIL
+*/
+
+int
+verify_check_header_names_ascii(uschar **msgptr)
+{
+header_line *h;
+uschar *colon, *s;
+
+for (h = header_list; h != NULL; h = h->next)
+ {
+ colon = Ustrchr(h->text, ':');
+ for(s = h->text; s < colon; s++)
+ {
+ if ((*s < 33) || (*s > 126))
+ {
+ *msgptr = string_sprintf("Invalid character in header \"%.*s\" found",
+ colon - h->text, h->text);
+ return FAIL;
+ }
+ }
+ }
+return OK;
+}
/*************************************************
* Check for blind recipients *
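Review bot: In verify_check_header_names_ascii(), the result of colon = Ustrchr(h->text, ':') is not checked for NULL, so a header line with no colon skips the inner loop (s < colon is false) and is accepted unchecked; comparing against a null pointer is also not well defined. The loop removed from cutthrough_headers_send() guarded with h->type != htype_old && h->text != NULL, and the same guard looks necessary here before h->text is dereferenced. The precision argument colon - h->text given to "%.*s" is a pointer difference and should be cast to int. Minor: the banner says "8-bit characters" while the test (*s < 33) || (*s > 126) also rejects spaces and control characters, and "charcters" in the comment is a typo.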
/* In case this is the first time the DNS resolver is being used. */
-dns_init(FALSE, FALSE);
+dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */
/* Loop through all the domains supplied, until something matches */
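Review bot: The new third argument to dns_init() is hard-coded FALSE and carries an open "/*XXX dnssec? */" marker. Either decide here whether these lookups should ever request DNSSEC and document the answer in the comment, or reference a tracking item, so the XXX does not ship as an unanswered question.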
return FAIL;
}
+/* vi: aw ai sw=2
+*/
/* End of verify.c */
--- /dev/null
+#!/usr/bin/perl
+#
+# Copyright (C) 2014 Todd Lyons
+# License GPLv2: GNU GPL version 2
+# <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
+#
+# This script emulates a proxy which uses Proxy Protocol to communicate
+# to a backend server. It should be run from an IP which is configured
+# to be a Proxy Protocol connection (or not, if you are testing error
+# scenarios) because Proxy Protocol specs require not to fall back to a
+# non-proxied mode.
+#
+# The script is interactive, so when you run it, you are expected to
+# perform whatever conversation is required for the protocol being
+# tested. It uses STDIN/STDOUT, so you can also pipe output to/from the
+# script. It was originally written to test Exim's Proxy Protocol
+# code, and it could be tested like this:
+#
+# swaks --pipe 'perl proxy_protocol_client.pl --server-ip
+# host.internal.lan' --from user@example.com --to user@example.net
+#
+use strict;
+use warnings;
+use IO::Select;
+use IO::Socket;
+use Getopt::Long;
+use Data::Dumper;
+
+my %opts;
+GetOptions( \%opts,
+ 'help',
+ '6|ipv6',
+ 'dest-ip:s',
+ 'dest-port:i',
+ 'source-ip:s',
+ 'source-port:i',
+ 'server-ip:s',
+ 'server-port:i',
+ 'version:i'
+);
+&usage() if ($opts{help} || !$opts{'server-ip'});
+
+my ($dest_ip,$source_ip,$dest_port,$source_port);
+my %socket_map;
+my $status_line = "Testing Proxy Protocol Version " .
+ ($opts{version} ? $opts{version} : '2') .
+ ":\n";
+
+# All ip's and ports are in network byte order in version 2 mode, but are
+# simple strings when in version 1 mode. The binary_pack_*() functions
+# return the required data for the Proxy Protocol version being used.
+
+# Use provided source or fall back to www.mrball.net
+$source_ip = $opts{'source-ip'} ? binary_pack_ip($opts{'source-ip'}) :
+ $opts{6} ?
+ binary_pack_ip("2001:470:d:367::50") :
+ binary_pack_ip("208.89.139.252");
+$source_port = $opts{'source-port'} ?
+ binary_pack_port($opts{'source-port'}) :
+ binary_pack_port(43118);
+
+$status_line .= "-> " if (!$opts{version} || $opts{version} == 2);
+
+# Use provided dest or fall back to mail.exim.org
+$dest_ip = $opts{'dest-ip'} ? binary_pack_ip($opts{'dest-ip'}) :
+ $opts{6} ?
+ binary_pack_ip("2001:630:212:8:204:23ff:fed6:b664") :
+ binary_pack_ip("131.111.8.192");
+$dest_port = $opts{'dest-port'} ?
+ binary_pack_port($opts{'dest-port'}) :
+ binary_pack_port(25);
+
+# The IP and port of the Proxy Protocol backend real server being tested,
+# don't binary pack it.
+my $server_ip = $opts{'server-ip'};
+my $server_port = $opts{'server-port'} ? $opts{'server-port'} : 25;
+
+my $s = IO::Select->new(); # for socket polling
+
+sub generate_preamble {
+ my @preamble;
+ if (!$opts{version} || $opts{version} == 2) {
+ @preamble = (
+ "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A", # 12 byte v2 header
+ "\x21", # top 4 bits declares v2
+ # bottom 4 bits is command
+ $opts{6} ? "\x21" : "\x11", # inet6/4 and TCP (stream)
+ $opts{6} ? "\x00\x24" : "\x00\x0b", # 36 bytes / 12 bytes
+ $source_ip,
+ $dest_ip,
+ $source_port,
+ $dest_port
+ );
+ }
+ else {
+ @preamble = (
+ "PROXY", " ", # Request proxy mode
+ $opts{6} ? "TCP6" : "TCP4", " ", # inet6/4 and TCP (stream)
+ $source_ip, " ",
+ $dest_ip, " ",
+ $source_port, " ",
+ $dest_port,
+ "\x0d\x0a"
+ );
+ $status_line .= join "", @preamble;
+ }
+ print "\n", $status_line, "\n";
+ print "\n" if (!$opts{version} || $opts{version} == 2);
+ return @preamble;
+}
+
+sub binary_pack_port {
+ my $port = shift();
+ if ($opts{version} && $opts{version} == 1) {
+ return $port
+ if ($port && $port =~ /^\d+$/ && $port > 0 && $port < 65536);
+ die "Not a valid port: $port";
+ }
+ $status_line .= $port." ";
+ $port = pack "S", $port;
+ return $port;
+}
+
+sub binary_pack_ip {
+ my $ip = shift();
+ if ( $ip =~ m/\./ && !$opts{6}) {
+ if (IP4_valid($ip)) {
+ return $ip if ($opts{version} && $opts{version} == 1);
+ $status_line .= $ip.":";
+ $ip = pack "C*", split /\./, $ip;
+ }
+ else { die "Invalid IPv4: $ip"; }
+ }
+ elsif ($ip =~ m/:/ && $opts{6}) {
+ $ip = pad_ipv6($ip);
+ if (IP6_valid($ip)) {
+ return $ip if ($opts{version} && $opts{version} == 1);
+ $status_line .= $ip.":";
+ $ip = pack "S>*", map hex, split /:/, $ip;
+ }
+ else { die "Invalid IPv6: $ip"; }
+ }
+ else { die "Mismatching IP families passed: $ip"; }
+ return $ip;
+}
+
+sub pad_ipv6 {
+ my $ip = shift();
+ my @ip = split /:/, $ip;
+ my $segments = scalar @ip;
+ return $ip if ($segments == 8);
+ $ip = "";
+ for (my $count=1; $count <= $segments; $count++) {
+ my $block = $ip[$count-1];
+ if ($block) {
+ $ip .= $block;
+ $ip .= ":" unless $count == $segments;
+ }
+ elsif ($count == 1) {
+ # Somebody passed us ::1, fix it, but it's not really valid
+ $ip = "0:";
+ }
+ else {
+ $ip .= join ":", map "0", 0..(8-$segments);
+ $ip .= ":";
+ }
+ }
+ return $ip;
+}
+
+sub IP6_valid {
+ my $ip = shift;
+ $ip = lc($ip);
+ return 0 unless ($ip =~ /^[0-9a-f:]+$/);
+ my @ip = split /:/, $ip;
+ return 0 if (scalar @ip != 8);
+ return 1;
+}
+
+sub IP4_valid {
+ my $ip = shift;
+ $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+ foreach ($1,$2,$3,$4){
+ if ($_ <256 && $_ >0) {next;}
+ return 0;
+ }
+ return 1;
+}
+
+sub go_interactive {
+ my $continue = 1;
+ while($continue) {
+ # Check for input on both ends, recheck every 5 sec
+ for my $socket ($s->can_read(5)) {
+ my $remote = $socket_map{$socket};
+ my $buffer;
+ my $read = $socket->sysread($buffer, 4096);
+ if ($read) {
+ $remote->syswrite($buffer);
+ }
+ else {
+ $continue = 0;
+ }
+ }
+ }
+}
+
+sub connect_stdin_to_proxy {
+ my $sock = new IO::Socket::INET(
+ PeerAddr => $server_ip,
+ PeerPort => $server_port,
+ Proto => 'tcp'
+ );
+
+ die "Could not create socket: $!\n" unless $sock;
+ # Add sockets to the Select group
+ $s->add(\*STDIN);
+ $s->add($sock);
+ # Tie the sockets together using this hash
+ $socket_map{\*STDIN} = $sock;
+ $socket_map{$sock} = \*STDOUT;
+ return $sock;
+}
+
+sub usage {
+ chomp(my $prog = `basename $0`);
+ print <<EOF;
+Usage: $prog [required] [optional]
+ Required:
+ --server-ip IP of server to test proxy configuration,
+ a hostname is ok, but for only this setting
+ Optional:
+ --server-port Port server is listening on (default 25)
+ --6 IPv6 source/dest (default IPv4), if none specified,
+ some default, reverse resolvable IP's are used for
+ the source and dest ip/port
+ --dest-ip Public IP of the proxy server
+ --dest-port Port of public IP of proxy server
+ --source-ip IP connecting to the proxy server
+ --source-port Port of IP connecting to the proxy server
+ --help This output
+EOF
+ exit;
+}
+
+
+my $sock = connect_stdin_to_proxy();
+my @preamble = generate_preamble();
+print $sock @preamble;
+go_interactive();
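Review bot: In generate_preamble() the IPv4 length field is "\x00\x0b" (11), while both the comment beside it and the payload that follows (4+4+2+2 bytes) say 12, so it should be "\x00\x0c". In binary_pack_port(), pack "S" produces host byte order although the comment above states that version 2 fields are in network byte order; use pack "n", otherwise ports are byte-swapped on little-endian hosts. The version 2 path also skips the range check that the version 1 path applies to the port. IP4_valid() rejects any octet equal to 0 ($_ > 0), which refuses addresses such as 10.0.0.1, and it reads $1..$4 without testing that the match succeeded. Smaller points: usage() does not list --version, Data::Dumper is loaded but unused, and `basename $0` shells out where File::Basename would do.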
CLIENT_GNUTLS=@CLIENT_GNUTLS@
LOADED=@LOADED@
LOADED_OPT=@LOADED_OPT@
+LIBS=@LIBS@
##############################################################################
@echo " "
bin/client: src/client.c Makefile
- $(CC) $(CFLAGS) $(LDFLAGS) -o bin/client src/client.c
+ $(CC) $(CFLAGS) $(LDFLAGS) -o bin/client src/client.c $(LIBS)
@echo ">>> bin/client command built"
@echo " "
bin/client-gnutls: src/client.c Makefile
- $(CC) $(CFLAGS) -DHAVE_GNUTLS $(LDFLAGS) -o bin/client-gnutls src/client.c -lgnutls -lgcrypt
+ $(CC) $(CFLAGS) -DHAVE_GNUTLS $(LDFLAGS) -o bin/client-gnutls src/client.c -lgnutls -lgcrypt $(LIBS)
@echo ">>> bin/client-gnutls command built"
@echo " "
bin/client-ssl: src/client.c Makefile
- $(CC) $(CFLAGS) -DHAVE_OPENSSL $(LDFLAGS) -o bin/client-ssl src/client.c -lssl -lcrypto
+ $(CC) $(CFLAGS) -DHAVE_OPENSSL $(LDFLAGS) -o bin/client-ssl src/client.c -lssl -lcrypto $(LIBS)
@echo ">>> bin/client-ssl command built"
@echo " "
@echo " "
bin/server: src/server.c Makefile
- $(CC) $(CFLAGS) $(LDFLAGS) -o bin/server src/server.c
+ $(CC) $(CFLAGS) $(LDFLAGS) -o bin/server src/server.c $(LIBS)
@echo ">>> bin/server command built"
@echo " "
is out-of-date, and "revoked" meaning the cert has been revoked.
-The files were created using the genall script which utilises a
+The files were created using the "genall" script which utilises a
combination of tools,
openssl
http://people.redhat.com/mpoole/clica/
+NOTE:
+ During running of "genall" you need to manipulate the system
+ date/time. Shutdown ntpd service before doing this, and restart
+ after.
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw\r
-MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp\r
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o\r
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID\r
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq\r
-hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+\r
-ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw\r
+MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp\r
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh\r
+tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX\r
+Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02\r
+H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw\r
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl\r
+qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46\r
+eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z\r
+RSHyhbTD0HeiJDI281BoOJjm
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw\r
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y\r
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St\r
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa\r
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw\r
+MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp\r
+P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3\r
+/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi\r
+fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2\r
+tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH\r
+7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw\r
-MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp\r
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o\r
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID\r
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq\r
-hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+\r
-ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw\r
+MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp\r
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh\r
+tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX\r
+Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02\r
+H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw\r
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl\r
+qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46\r
+eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z\r
+RSHyhbTD0HeiJDI281BoOJjm
-----END CERTIFICATE-----
Bag Attributes
friendlyName: OCSP Signer
- localKeyID: A6 E7 21 3B BE A3 47 BE 58 6F 34 77 E2 AA D5 22 91 AA 0F D6
+ localKeyID: A6 CA B2 02 9F 97 B7 22 79 C0 88 21 64 7D 68 9D F1 AE EB B4
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
-MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAuGANFQATQUtX6l1r
-tDa/TimQ722a/2wGSmty/n9Va36t7O9S0Uxi7yQMN11I284FekjzP82THLWv4TJZ
-x7AvywIDAQABAkAhrko1f+IEl4Lj6VT3gtjHqogzdM5PwqgTiDVlkFVGYXp6a8o6
-ySmMofHeEjDgPFI7sz12eQOoofjhjTCnTcJhAiEA3Afe796M2vm5+V6t1ayFhgP0
-9QnSVde6mLvqHFHAKHUCIQDWhAVspNc3bw2PIBqlK2ibANwi9BFurBlATBHhKP3v
-PwIgTiwttKMpABOBU2uj7ypgNgDp4rUemYkPrnv07SLOVpECIAVXhEsQT8uxmETY
-J9G1IwW5H8I/EbAP2REg09EnlCtBAiBgZn9NxSr05na0P+NjyIPQ44Y9L5R9P3PL
-2PceGVDcQw==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt\r
+MIICBTCCAW6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt\r
cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy\r
-MzQwMVoXDTM4MDEwMTEyMzQwMVowMjEUMBIGA1UEChMLZXhhbXBsZS5jb20xGjAY\r
-BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB\r
-ALhgDRUAE0FLV+pda7Q2v04pkO9tmv9sBkprcv5/VWt+rezvUtFMYu8kDDddSNvO\r
-BXpI8z/Nkxy1r+EyWcewL8sCAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud\r
-JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAQalK8cinGimBjryO\r
-q8scOPr7Zkv2RlhnUUTtpPfFKkTne9yXyXxBVDfy8wwPTz7ZTOzMVtPTgFT9g0Kf\r
-tXze7g==
+MzQwNVoXDTM4MDEwMTEyMzQwNVowMjEUMBIGA1UEChMLZXhhbXBsZS5jb20xGjAY\r
+BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\r
+iQKBgQDOnE1SW91yqXMf0cssM0RoD05buZJjnQzJYjr5Aisu/c2H5ILs04tbcMVF\r
+gsW0ExjTrGC2eSGiwlOZXH3kD3u+2L1jIB9amdkvOzqVEUyUXv0kj9rn8u3PmvaB\r
+kl4w+sC383yo0D1DKu6aNDcCPO+4CYOXcmyGC/maxz7irUJG7QIDAQABoyowKDAO\r
+BgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcN\r
+AQEFBQADgYEASKF8V7Ykc7MK5uVOcL272uheZzwFUtlx4HjWRI11QliwyBzegL3b\r
+ZdhmnDr/XbtWFTF2pId76dRWNPcWd9nCV8yvhwOgydLHnDov20soUyJeqJJuXonb\r
+InlafhkIGJ8wMEeCjY70VbIip+akW8lSCw8ralCMg2ewNuKv5D0ujsQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw\r
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y\r
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St\r
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa\r
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw\r
+MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp\r
+P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3\r
+/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi\r
+fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2\r
+tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH\r
+7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII=
-----END CERTIFICATE-----
; Config::Simple 4.59
-; Thu Nov 1 12:34:00 2012
+; Thu Nov 1 12:34:02 2012
[CLICA]
crl_url=http://crl.example.com/latest.crl
org=example.com
subject=clica CA
name=Certificate Authority
-bits=512
+bits=1024
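Review bot: bits=1024 improves on 512 but is still below the 2048-bit RSA minimum that current TLS libraries and system crypto policies commonly enforce. Since every fixture is being regenerated in this change anyway, generating at 2048 would avoid another full regeneration when a test host starts rejecting 1024-bit keys.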
-update=20130127152434Z
+update=20140422152734Z
-----BEGIN X509 CRL-----
-MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5jb20x
-GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G
-CSqGSIb3DQEBBQUAA0EAjClqFKe0w0T5ARNSMOSfuDtbOA0iN2yOrUwJfidgQdVQ
-YPW+5TwKhe+Vm6skgHSIWNcuMVzojsuDZcBZnNimPA==
+MIHtMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5jb20x
+GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxNDA0MjIxNTI3MzRaMA0G
+CSqGSIb3DQEBBQUAA4GBAHoGAZpobbrLkTayml3YbpVuF8Ig9FAAj6zmvNuqqsha
+dSn0qL1ca9RgVaa1XIlqVeIs1uHFF0zA/F3BVvxWfPxTbgn8b/QyKEwG36f6Urax
+nngK87UT2z8M5+prZeSIaroYV+sG5M2+4fFsUt62RmJr1rAnsxO+vguM97LSOJaB
-----END X509 CRL-----
-update=20130127152437Z
-addcert 102 20130127152437Z
-addcert 202 20130127152437Z
+update=20140422152736Z
+addcert 102 20140422152736Z
+addcert 202 20140422152736Z
-----BEGIN X509 CRL-----
-MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUuY29t
-MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt
-MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G
-CSqGSIb3DQEBBQUAA0EAS5A0/pStULkfIhBRMt+DfehLBbppc6FftG3TpBMvBW4k
-xGwMPKUN8lk3uMuQxk/cvbaFqPtiR/WnkAFc3i1bpA==
+MIIBHTCBhwIBATANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFtcGxlLmNv
+bTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0GA8yMDE0MDQyMjE1MjczNlow
+LTAUAgFmGA8yMDE0MDQyMjE1MjczNlowFQICAMoYDzIwMTQwNDIyMTUyNzM2WjAN
+BgkqhkiG9w0BAQUFAAOBgQBNEXTCKmqCrYZ5/C4lKqSjKsy2iXoJCNcYoFj60AA2
+Lc8yju8/TkUe8DkZ/leefksdLGzsCGsAgpgSSqMClfL83r9a50OBSCg21dvahyEx
+A45RfUx7M9Hy+ITWSY7hV7VaMoaL76ZxPBtdjMoqp8pxOj8k68d9V32OdcEpRsT+
+wA==
-----END X509 CRL-----
processor : 0
vendor_id : GenuineIntel
cpu family : 6
-model : 26
-model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
-stepping : 5
-cpu MHz : 2260.628
-cache size : 8192 KB
+model : 13
+model name : QEMU Virtual CPU version (cpu64-rhel6)
+stepping : 3
+cpu MHz : 1994.999
+cache size : 4096 KB
fpu : yes
fpu_exception : yes
-cpuid level : 11
+cpuid level : 4
wp : yes
-flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
-bogomips : 4521.25
+flags : fpu de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm up unfair_spinlock pni cx16 hypervisor lahf_lm
+bogomips : 3989.99
clflush size : 64
cache_alignment : 64
-address sizes : 40 bits physical, 48 bits virtual
+address sizes : 38 bits physical, 48 bits virtual
power management:
-processor : 1
-vendor_id : GenuineIntel
-cpu family : 6
-model : 26
-model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
-stepping : 5
-cpu MHz : 2260.628
-cache size : 8192 KB
-fpu : yes
-fpu_exception : yes
-cpuid level : 11
-wp : yes
-flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
-bogomips : 4521.25
-clflush size : 64
-cache_alignment : 64
-address sizes : 40 bits physical, 48 bits virtual
-power management:
-
- CPU0 CPU1
- 0: 2481 0 IO-APIC-edge timer
- 1: 21441 346 IO-APIC-edge i8042
- 3: 1 0 IO-APIC-edge
- 4: 1 0 IO-APIC-edge
- 7: 0 0 IO-APIC-edge parport0
- 8: 1 0 IO-APIC-edge rtc0
- 9: 0 0 IO-APIC-fasteoi acpi
- 12: 78986 1718 IO-APIC-edge i8042
- 14: 0 0 IO-APIC-edge ata_piix
- 15: 2423330 1435 IO-APIC-edge ata_piix
- 16: 1025 0 IO-APIC-fasteoi Ensoniq AudioPCI
- 17: 239842 2559 IO-APIC-fasteoi ehci_hcd:usb1, ioc0
- 18: 246 0 IO-APIC-fasteoi uhci_hcd:usb2
- 19: 1868676 51479 IO-APIC-fasteoi eth0
- 24: 0 0 PCI-MSI-edge pciehp
- 25: 0 0 PCI-MSI-edge pciehp
- 26: 0 0 PCI-MSI-edge pciehp
- 27: 0 0 PCI-MSI-edge pciehp
- 28: 0 0 PCI-MSI-edge pciehp
- 29: 0 0 PCI-MSI-edge pciehp
- 30: 0 0 PCI-MSI-edge pciehp
- 31: 0 0 PCI-MSI-edge pciehp
- 32: 0 0 PCI-MSI-edge pciehp
- 33: 0 0 PCI-MSI-edge pciehp
- 34: 0 0 PCI-MSI-edge pciehp
- 35: 0 0 PCI-MSI-edge pciehp
- 36: 0 0 PCI-MSI-edge pciehp
- 37: 0 0 PCI-MSI-edge pciehp
- 38: 0 0 PCI-MSI-edge pciehp
- 39: 0 0 PCI-MSI-edge pciehp
- 40: 0 0 PCI-MSI-edge pciehp
- 41: 0 0 PCI-MSI-edge pciehp
- 42: 0 0 PCI-MSI-edge pciehp
- 43: 0 0 PCI-MSI-edge pciehp
- 44: 0 0 PCI-MSI-edge pciehp
- 45: 0 0 PCI-MSI-edge pciehp
- 46: 0 0 PCI-MSI-edge pciehp
- 47: 0 0 PCI-MSI-edge pciehp
- 48: 0 0 PCI-MSI-edge pciehp
- 49: 0 0 PCI-MSI-edge pciehp
- 50: 0 0 PCI-MSI-edge pciehp
- 51: 0 0 PCI-MSI-edge pciehp
- 52: 0 0 PCI-MSI-edge pciehp
- 53: 0 0 PCI-MSI-edge pciehp
- 54: 0 0 PCI-MSI-edge pciehp
- 55: 0 0 PCI-MSI-edge pciehp
- 56: 1 0 PCI-MSI-edge vmci
- 57: 0 0 PCI-MSI-edge vmci
-NMI: 0 0 Non-maskable interrupts
-LOC: 12397935 14240444 Local timer interrupts
-SPU: 0 0 Spurious interrupts
-PMI: 0 0 Performance monitoring interrupts
-IWI: 0 0 IRQ work interrupts
-RES: 282548 308972 Rescheduling interrupts
-CAL: 1955 163540 Function call interrupts
-TLB: 17884 15542 TLB shootdowns
-TRM: 0 0 Thermal event interrupts
-THR: 0 0 Threshold APIC interrupts
-MCE: 0 0 Machine check exceptions
-MCP: 2310 2310 Machine check polls
+ CPU0
+ 0: 258 IO-APIC-edge timer
+ 1: 6 IO-APIC-edge i8042
+ 4: 1 IO-APIC-edge
+ 8: 0 IO-APIC-edge rtc0
+ 9: 0 IO-APIC-fasteoi acpi
+ 10: 953 IO-APIC-fasteoi virtio3
+ 11: 62 IO-APIC-fasteoi uhci_hcd:usb1, snd_hda_intel
+ 12: 104 IO-APIC-edge i8042
+ 14: 0 IO-APIC-edge ata_piix
+ 15: 106 IO-APIC-edge ata_piix
+ 24: 0 PCI-MSI-edge virtio2-config
+ 25: 48985 PCI-MSI-edge virtio2-requests
+ 26: 0 PCI-MSI-edge virtio0-config
+ 27: 296814 PCI-MSI-edge virtio0-input
+ 28: 1 PCI-MSI-edge virtio0-output
+ 29: 0 PCI-MSI-edge virtio1-config
+ 30: 18867 PCI-MSI-edge virtio1-input
+ 31: 1 PCI-MSI-edge virtio1-output
+NMI: 0 Non-maskable interrupts
+LOC: 771688 Local timer interrupts
+SPU: 0 Spurious interrupts
+PMI: 0 Performance monitoring interrupts
+IWI: 0 IRQ work interrupts
+RES: 0 Rescheduling interrupts
+CAL: 0 Function call interrupts
+TLB: 0 TLB shootdowns
+TRM: 0 Thermal event interrupts
+THR: 0 Threshold APIC interrupts
+MCE: 0 Machine check exceptions
+MCP: 271 Machine check polls
ERR: 0
MIS: 0
-MemTotal: 1914844 kB
-MemFree: 135496 kB
-Buffers: 142048 kB
-Cached: 951840 kB
-SwapCached: 108 kB
-Active: 980724 kB
-Inactive: 540136 kB
-Active(anon): 287056 kB
-Inactive(anon): 143480 kB
-Active(file): 693668 kB
-Inactive(file): 396656 kB
+MemTotal: 487904 kB
+MemFree: 74352 kB
+Buffers: 73812 kB
+Cached: 140872 kB
+SwapCached: 0 kB
+Active: 131704 kB
+Inactive: 118904 kB
+Active(anon): 15124 kB
+Inactive(anon): 21900 kB
+Active(file): 116580 kB
+Inactive(file): 97004 kB
Unevictable: 0 kB
Mlocked: 0 kB
-SwapTotal: 4194296 kB
-SwapFree: 4193560 kB
-Dirty: 928 kB
+SwapTotal: 524280 kB
+SwapFree: 524280 kB
+Dirty: 848 kB
Writeback: 0 kB
-AnonPages: 427064 kB
-Mapped: 70976 kB
-Shmem: 3400 kB
-Slab: 190892 kB
-SReclaimable: 125404 kB
-SUnreclaim: 65488 kB
-KernelStack: 2304 kB
-PageTables: 23476 kB
+AnonPages: 35972 kB
+Mapped: 15624 kB
+Shmem: 1128 kB
+Slab: 136276 kB
+SReclaimable: 83896 kB
+SUnreclaim: 52380 kB
+KernelStack: 752 kB
+PageTables: 3420 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
-CommitLimit: 5151716 kB
-Committed_AS: 973184 kB
+CommitLimit: 768232 kB
+Committed_AS: 116976 kB
VmallocTotal: 34359738367 kB
-VmallocUsed: 280772 kB
-VmallocChunk: 34359441168 kB
+VmallocUsed: 12116 kB
+VmallocChunk: 34359713232 kB
HardwareCorrupted: 0 kB
-AnonHugePages: 249856 kB
+AnonHugePages: 2048 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB
-DirectMap4k: 8192 kB
-DirectMap2M: 2088960 kB
+DirectMap4k: 7156 kB
+DirectMap2M: 1492992 kB
slabinfo - version: 2.1
# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
-bridge_fdb_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-fuse_request 0 0 632 6 1 : tunables 54 27 8 : slabdata 0 0 0
-fuse_inode 0 0 768 5 1 : tunables 54 27 8 : slabdata 0 0 0
-rpc_buffers 8 8 2048 2 1 : tunables 24 12 8 : slabdata 4 4 0
-rpc_tasks 8 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-rpc_inode_cache 8 8 832 4 1 : tunables 54 27 8 : slabdata 2 2 0
-hgfsInodeCache 1 6 640 6 1 : tunables 54 27 8 : slabdata 1 1 0
-AF_VMCI 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 8 : slabdata 0 0 0
-nf_conntrack_ffffffff8200cec0 22 26 304 13 1 : tunables 54 27 8 : slabdata 2 2 0
-fib6_nodes 22 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
-ip6_dst_cache 13 30 384 10 1 : tunables 54 27 8 : slabdata 3 3 0
-ndisc_cache 1 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-RAWv6 67 68 1024 4 1 : tunables 54 27 8 : slabdata 17 17 0
-UDPLITEv6 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-UDPv6 4 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
-tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 8 : slabdata 0 0 0
-request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-TCPv6 9 10 1856 2 1 : tunables 24 12 8 : slabdata 5 5 0
-jbd2_1k 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-avtab_node 502203 502416 24 144 1 : tunables 120 60 8 : slabdata 3489 3489 0
-ext4_inode_cache 74762 74820 1024 4 1 : tunables 54 27 8 : slabdata 18705 18705 0
-ext4_xattr 9 44 88 44 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_free_block_extents 32 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_alloc_context 28 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_prealloc_space 18 37 104 37 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_system_zone 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
-jbd2_journal_handle 32 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
-jbd2_journal_head 74 102 112 34 1 : tunables 120 60 8 : slabdata 3 3 0
-jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 8 : slabdata 1 1 0
-jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-dm_crypt_io 50 50 152 25 1 : tunables 120 60 8 : slabdata 2 2 0
-sd_ext_cdb 2 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
-scsi_sense_cache 25 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
-scsi_cmd_cache 28 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
-dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 8 : slabdata 0 0 0
-kcopyd_job 0 0 3240 2 2 : tunables 24 12 8 : slabdata 0 0 0
-io 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-dm_uevent 0 0 2608 3 2 : tunables 24 12 8 : slabdata 0 0 0
-dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 8 : slabdata 0 0 0
-dm_rq_target_io 0 0 392 10 1 : tunables 54 27 8 : slabdata 0 0 0
-dm_target_io 844 864 24 144 1 : tunables 120 60 8 : slabdata 6 6 0
-dm_io 828 828 40 92 1 : tunables 120 60 8 : slabdata 9 9 0
-flow_cache 0 0 96 40 1 : tunables 120 60 8 : slabdata 0 0 0
-uhci_urb_priv 6 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
-cfq_io_context 4 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
-cfq_queue 5 16 240 16 1 : tunables 120 60 8 : slabdata 1 1 0
-bsg_cmd 0 0 312 12 1 : tunables 54 27 8 : slabdata 0 0 0
-mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 8 : slabdata 1 1 0
-isofs_inode_cache 0 0 640 6 1 : tunables 54 27 8 : slabdata 0 0 0
-hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 8 : slabdata 1 1 0
-dquot 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-kioctx 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
-kiocb 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-inotify_event_private_data 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-inotify_inode_mark_entry 186 204 112 34 1 : tunables 120 60 8 : slabdata 6 6 0
-dnotify_mark_entry 1 34 112 34 1 : tunables 120 60 8 : slabdata 1 1 0
-dnotify_struct 1 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
-fasync_cache 6 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
-khugepaged_mm_slot 83 92 40 92 1 : tunables 120 60 8 : slabdata 1 1 0
-ksm_mm_slot 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-ksm_stable_node 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
-ksm_rmap_item 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-utrace_engine 0 0 56 67 1 : tunables 120 60 8 : slabdata 0 0 0
-utrace 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-pid_namespace 0 0 2120 3 2 : tunables 24 12 8 : slabdata 0 0 0
-nsproxy 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-posix_timers_cache 0 0 176 22 1 : tunables 120 60 8 : slabdata 0 0 0
-uid_cache 10 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
-UNIX 459 480 768 5 1 : tunables 54 27 8 : slabdata 96 96 0
-ip_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-UDP-Lite 0 0 832 9 2 : tunables 54 27 8 : slabdata 0 0 0
-tcp_bind_bucket 15 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
-inet_peer_cache 4 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
-secpath_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-xfrm_dst_cache 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
-ip_fib_alias 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-ip_fib_hash 10 106 72 53 1 : tunables 120 60 8 : slabdata 2 2 0
-ip_dst_cache 29 50 384 10 1 : tunables 54 27 8 : slabdata 5 5 0
-arp_cache 4 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-RAW 65 72 832 9 2 : tunables 54 27 8 : slabdata 8 8 0
-UDP 6 18 832 9 2 : tunables 54 27 8 : slabdata 2 2 0
-tw_sock_TCP 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-request_sock_TCP 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-TCP 20 24 1664 4 2 : tunables 24 12 8 : slabdata 6 6 0
-eventpoll_pwq 126 212 72 53 1 : tunables 120 60 8 : slabdata 4 4 0
-eventpoll_epi 126 180 128 30 1 : tunables 120 60 8 : slabdata 6 6 0
-sgpool-128 2 2 4096 1 1 : tunables 24 12 8 : slabdata 2 2 0
-sgpool-64 2 2 2048 2 1 : tunables 24 12 8 : slabdata 1 1 0
-sgpool-32 2 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
-sgpool-16 2 8 512 8 1 : tunables 54 27 8 : slabdata 1 1 0
-sgpool-8 15 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-scsi_data_buffer 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
-blkdev_integrity 0 0 112 34 1 : tunables 120 60 8 : slabdata 0 0 0
-blkdev_queue 29 30 2856 2 2 : tunables 24 12 8 : slabdata 15 15 0
-blkdev_requests 42 66 352 11 1 : tunables 54 27 8 : slabdata 5 6 0
-blkdev_ioc 5 48 80 48 1 : tunables 120 60 8 : slabdata 1 1 0
-fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
-fsnotify_event 0 0 104 37 1 : tunables 120 60 8 : slabdata 0 0 0
-bio-0 180 180 192 20 1 : tunables 120 60 8 : slabdata 9 9 0
-biovec-256 66 66 4096 1 1 : tunables 24 12 8 : slabdata 66 66 0
-biovec-128 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
-biovec-64 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-biovec-16 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0
+nf_conntrack_ffffffff81b18540 35 36 312 12 1 : tunables 54 27 0 : slabdata 3 3 0
+fib6_nodes 45 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+ip6_dst_cache 24 40 384 10 1 : tunables 54 27 0 : slabdata 4 4 0
+ndisc_cache 24 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0
+ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+RAWv6 4 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0
+UDPLITEv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+UDPv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 0 : slabdata 0 0 0
+request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0
+TCPv6 9 10 1920 2 1 : tunables 24 12 0 : slabdata 5 5 0
+jbd2_1k 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+avtab_node 551039 551088 24 144 1 : tunables 120 60 0 : slabdata 3827 3827 0
+ext4_inode_cache 36092 36888 1016 4 1 : tunables 54 27 0 : slabdata 9222 9222 0
+ext4_xattr 5 44 88 44 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_free_block_extents 16 67 56 67 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_alloc_context 16 28 136 28 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_prealloc_space 3 37 104 37 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_system_zone 0 0 40 92 1 : tunables 120 60 0 : slabdata 0 0 0
+jbd2_journal_handle 16 144 24 144 1 : tunables 120 60 0 : slabdata 1 1 0
+jbd2_journal_head 68 68 112 34 1 : tunables 120 60 0 : slabdata 2 2 0
+jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 0 : slabdata 1 1 0
+jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+scsi_sense_cache 2 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0
+scsi_cmd_cache 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
+dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 0 : slabdata 0 0 0
+kcopyd_job 0 0 3240 2 2 : tunables 24 12 0 : slabdata 0 0 0
+io 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+dm_uevent 0 0 2608 3 2 : tunables 24 12 0 : slabdata 0 0 0
+dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 0 : slabdata 0 0 0
+dm_rq_target_io 0 0 392 10 1 : tunables 54 27 0 : slabdata 0 0 0
+dm_target_io 576 576 24 144 1 : tunables 120 60 0 : slabdata 4 4 0
+dm_io 552 552 40 92 1 : tunables 120 60 0 : slabdata 6 6 0
+flow_cache 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0
+uhci_urb_priv 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0
+cfq_io_context 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0
+cfq_queue 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0
+bsg_cmd 0 0 312 12 1 : tunables 54 27 0 : slabdata 0 0 0
+mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 0 : slabdata 1 1 0
+isofs_inode_cache 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0
+hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 0 : slabdata 1 1 0
+dquot 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+kioctx 0 0 384 10 1 : tunables 54 27 0 : slabdata 0 0 0
+kiocb 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+inotify_event_private_data 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+inotify_inode_mark_entry 110 136 112 34 1 : tunables 120 60 0 : slabdata 4 4 0
+dnotify_mark_entry 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0
+dnotify_struct 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+dio 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0
+fasync_cache 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0
+khugepaged_mm_slot 17 92 40 92 1 : tunables 120 60 0 : slabdata 1 1 0
+ksm_mm_slot 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+ksm_stable_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+ksm_rmap_item 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+utrace_engine 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0
+utrace 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+pid_namespace 0 0 2168 3 2 : tunables 24 12 0 : slabdata 0 0 0
+posix_timers_cache 0 0 176 22 1 : tunables 120 60 0 : slabdata 0 0 0
+uid_cache 3 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0
+UNIX 107 110 768 5 1 : tunables 54 27 0 : slabdata 22 22 0
+ip_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+UDP-Lite 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0
+tcp_bind_bucket 9 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+inet_peer_cache 2 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+secpath_cache 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+xfrm_dst_cache 0 0 448 8 1 : tunables 54 27 0 : slabdata 0 0 0
+ip_fib_alias 1 112 32 112 1 : tunables 120 60 0 : slabdata 1 1 0
+ip_fib_hash 14 53 72 53 1 : tunables 120 60 0 : slabdata 1 1 0
+ip_dst_cache 26 30 384 10 1 : tunables 54 27 0 : slabdata 3 3 0
+arp_cache 6 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
+PING 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0
+RAW 2 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0
+UDP 1 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0
+tw_sock_TCP 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+request_sock_TCP 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+TCP 10 12 1728 4 2 : tunables 24 12 0 : slabdata 3 3 0
+eventpoll_pwq 59 106 72 53 1 : tunables 120 60 0 : slabdata 2 2 0
+eventpoll_epi 59 90 128 30 1 : tunables 120 60 0 : slabdata 3 3 0
+sgpool-128 2 2 4096 1 1 : tunables 24 12 0 : slabdata 2 2 0
+sgpool-64 2 2 2048 2 1 : tunables 24 12 0 : slabdata 1 1 0
+sgpool-32 2 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0
+sgpool-16 2 8 512 8 1 : tunables 54 27 0 : slabdata 1 1 0
+sgpool-8 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
+scsi_data_buffer 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0
+blkdev_integrity 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0
+blkdev_queue 28 28 2864 2 2 : tunables 24 12 0 : slabdata 14 14 0
+blkdev_requests 22 22 352 11 1 : tunables 54 27 0 : slabdata 2 2 0
+blkdev_ioc 3 48 80 48 1 : tunables 120 60 0 : slabdata 1 1 0
+fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0
+fsnotify_event 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0
+bio-0 80 80 192 20 1 : tunables 120 60 0 : slabdata 4 4 0
+biovec-256 34 34 4096 1 1 : tunables 24 12 0 : slabdata 34 34 0
+biovec-128 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0
+biovec-64 4 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0
+biovec-16 15 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
bip-256 2 2 4224 1 2 : tunables 8 4 0 : slabdata 2 2 0
-bip-128 0 0 2176 3 2 : tunables 24 12 8 : slabdata 0 0 0
-bip-64 0 0 1152 7 2 : tunables 24 12 8 : slabdata 0 0 0
-bip-16 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
-bip-4 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-bip-1 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-sock_inode_cache 667 685 704 5 1 : tunables 54 27 8 : slabdata 137 137 0
-skbuff_fclone_cache 7 7 512 7 1 : tunables 54 27 8 : slabdata 1 1 0
-skbuff_head_cache 302 450 256 15 1 : tunables 120 60 8 : slabdata 30 30 0
-file_lock_cache 38 44 176 22 1 : tunables 120 60 8 : slabdata 2 2 0
-net_namespace 0 0 2112 3 2 : tunables 24 12 8 : slabdata 0 0 0
-shmem_inode_cache 774 775 800 5 1 : tunables 54 27 8 : slabdata 155 155 0
-Acpi-Operand 4563 4664 72 53 1 : tunables 120 60 8 : slabdata 88 88 0
-Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 8 : slabdata 0 0 0
-Acpi-Parse 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-Acpi-State 0 0 80 48 1 : tunables 120 60 8 : slabdata 0 0 0
-Acpi-Namespace 3311 3312 40 92 1 : tunables 120 60 8 : slabdata 36 36 0
-task_delay_info 332 340 112 34 1 : tunables 120 60 8 : slabdata 10 10 0
-taskstats 5 12 328 12 1 : tunables 54 27 8 : slabdata 1 1 0
-proc_inode_cache 1008 1008 640 6 1 : tunables 54 27 8 : slabdata 168 168 0
-sigqueue 35 48 160 24 1 : tunables 120 60 8 : slabdata 2 2 0
-bdev_cache 32 36 832 4 1 : tunables 54 27 8 : slabdata 9 9 0
-sysfs_dir_cache 11356 11367 144 27 1 : tunables 120 60 8 : slabdata 421 421 0
-mnt_cache 37 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
-filp 4614 4700 192 20 1 : tunables 120 60 8 : slabdata 235 235 60
-inode_cache 6883 7308 592 6 1 : tunables 54 27 8 : slabdata 1218 1218 0
-dentry 61000 63960 192 20 1 : tunables 120 60 8 : slabdata 3198 3198 0
-names_cache 26 26 4096 1 1 : tunables 24 12 8 : slabdata 26 26 0
-avc_node 518 1239 64 59 1 : tunables 120 60 8 : slabdata 21 21 0
-selinux_inode_security 84086 86072 72 53 1 : tunables 120 60 8 : slabdata 1624 1624 0
-radix_tree_node 11552 11781 560 7 1 : tunables 54 27 8 : slabdata 1683 1683 0
-key_jar 11 20 192 20 1 : tunables 120 60 8 : slabdata 1 1 0
-buffer_head 220986 230214 104 37 1 : tunables 120 60 8 : slabdata 6222 6222 0
-vm_area_struct 12932 13034 200 19 1 : tunables 120 60 8 : slabdata 686 686 60
-mm_struct 145 145 1408 5 2 : tunables 24 12 8 : slabdata 29 29 0
-fs_cache 137 177 64 59 1 : tunables 120 60 8 : slabdata 3 3 0
-files_cache 162 165 704 11 2 : tunables 54 27 8 : slabdata 15 15 0
-signal_cache 204 204 1024 4 1 : tunables 54 27 8 : slabdata 51 51 0
-sighand_cache 195 195 2112 3 2 : tunables 24 12 8 : slabdata 65 65 0
-task_xstate 232 232 512 8 1 : tunables 54 27 8 : slabdata 29 29 0
-task_struct 303 303 2656 3 2 : tunables 24 12 8 : slabdata 101 101 0
-cred_jar 580 580 192 20 1 : tunables 120 60 8 : slabdata 29 29 0
-anon_vma_chain 7844 8162 48 77 1 : tunables 120 60 8 : slabdata 106 106 60
-anon_vma 5773 5888 40 92 1 : tunables 120 60 8 : slabdata 64 64 60
-pid 322 330 128 30 1 : tunables 120 60 8 : slabdata 11 11 0
-shared_policy_node 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-numa_policy 1 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
-idr_layer_cache 428 434 544 7 1 : tunables 54 27 8 : slabdata 62 62 0
+bip-128 0 0 2176 3 2 : tunables 24 12 0 : slabdata 0 0 0
+bip-64 0 0 1152 7 2 : tunables 24 12 0 : slabdata 0 0 0
+bip-16 0 0 384 10 1 : tunables 54 27 0 : slabdata 0 0 0
+bip-4 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0
+bip-1 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+sock_inode_cache 151 160 704 5 1 : tunables 54 27 0 : slabdata 32 32 0
+skbuff_fclone_cache 7 7 512 7 1 : tunables 54 27 0 : slabdata 1 1 0
+skbuff_head_cache 66 105 256 15 1 : tunables 120 60 0 : slabdata 7 7 0
+file_lock_cache 21 22 176 22 1 : tunables 120 60 0 : slabdata 1 1 0
+net_namespace 0 0 2432 3 2 : tunables 24 12 0 : slabdata 0 0 0
+shmem_inode_cache 654 655 784 5 1 : tunables 54 27 0 : slabdata 131 131 0
+Acpi-Operand 1211 1219 72 53 1 : tunables 120 60 0 : slabdata 23 23 0
+Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 0 : slabdata 0 0 0
+Acpi-Parse 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+Acpi-State 0 0 80 48 1 : tunables 120 60 0 : slabdata 0 0 0
+Acpi-Namespace 407 460 40 92 1 : tunables 120 60 0 : slabdata 5 5 0
+task_delay_info 102 102 112 34 1 : tunables 120 60 0 : slabdata 3 3 0
+taskstats 0 0 328 12 1 : tunables 54 27 0 : slabdata 0 0 0
+proc_inode_cache 408 408 656 6 1 : tunables 54 27 0 : slabdata 68 68 0
+sigqueue 9 24 160 24 1 : tunables 120 60 0 : slabdata 1 1 0
+bdev_cache 31 32 832 4 1 : tunables 54 27 0 : slabdata 8 8 0
+sysfs_dir_cache 7588 7614 144 27 1 : tunables 120 60 0 : slabdata 282 282 0
+mnt_cache 27 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0
+filp 840 840 192 20 1 : tunables 120 60 0 : slabdata 42 42 0
+inode_cache 5826 5826 592 6 1 : tunables 54 27 0 : slabdata 971 971 0
+dentry 189280 189280 192 20 1 : tunables 120 60 0 : slabdata 9464 9464 0
+names_cache 1 1 4096 1 1 : tunables 24 12 0 : slabdata 1 1 0
+avc_node 518 708 64 59 1 : tunables 120 60 0 : slabdata 12 12 0
+selinux_inode_security 43199 46799 72 53 1 : tunables 120 60 0 : slabdata 883 883 0
+radix_tree_node 2964 3598 560 7 1 : tunables 54 27 0 : slabdata 514 514 0
+key_jar 5 20 192 20 1 : tunables 120 60 0 : slabdata 1 1 0
+buffer_head 24032 25493 104 37 1 : tunables 120 60 0 : slabdata 689 689 0
+nsproxy 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+vm_area_struct 2565 2565 200 19 1 : tunables 120 60 0 : slabdata 135 135 0
+mm_struct 40 40 1408 5 2 : tunables 24 12 0 : slabdata 8 8 0
+fs_cache 59 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+files_cache 44 44 704 11 2 : tunables 54 27 0 : slabdata 4 4 0
+signal_cache 91 91 1088 7 2 : tunables 24 12 0 : slabdata 13 13 0
+sighand_cache 90 90 2112 3 2 : tunables 24 12 0 : slabdata 30 30 0
+task_xstate 48 48 512 8 1 : tunables 54 27 0 : slabdata 6 6 0
+task_struct 96 96 2656 3 2 : tunables 24 12 0 : slabdata 32 32 0
+cred_jar 240 240 192 20 1 : tunables 120 60 0 : slabdata 12 12 0
+anon_vma_chain 1795 2079 48 77 1 : tunables 120 60 0 : slabdata 27 27 0
+anon_vma 1209 1380 40 92 1 : tunables 120 60 0 : slabdata 15 15 0
+pid 107 120 128 30 1 : tunables 120 60 0 : slabdata 4 4 0
+shared_policy_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+numa_policy 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0
+idr_layer_cache 281 287 544 7 1 : tunables 54 27 0 : slabdata 41 41 0
size-4194304(DMA) 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
size-4194304 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
size-2097152(DMA) 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0
size-262144(DMA) 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
size-262144 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
size-131072(DMA) 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0
-size-131072 1 1 131072 1 32 : tunables 8 4 0 : slabdata 1 1 0
+size-131072 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0
size-65536(DMA) 0 0 65536 1 16 : tunables 8 4 0 : slabdata 0 0 0
size-65536 2 2 65536 1 16 : tunables 8 4 0 : slabdata 2 2 0
size-32768(DMA) 0 0 32768 1 8 : tunables 8 4 0 : slabdata 0 0 0
size-32768 3 3 32768 1 8 : tunables 8 4 0 : slabdata 3 3 0
size-16384(DMA) 0 0 16384 1 4 : tunables 8 4 0 : slabdata 0 0 0
-size-16384 11 11 16384 1 4 : tunables 8 4 0 : slabdata 11 11 0
+size-16384 7 7 16384 1 4 : tunables 8 4 0 : slabdata 7 7 0
size-8192(DMA) 0 0 8192 1 2 : tunables 8 4 0 : slabdata 0 0 0
-size-8192 27 27 8192 1 2 : tunables 8 4 0 : slabdata 27 27 0
-size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 8 : slabdata 0 0 0
-size-4096 425 425 4096 1 1 : tunables 24 12 8 : slabdata 425 425 0
-size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
-size-2048 578 578 2048 2 1 : tunables 24 12 8 : slabdata 289 289 0
-size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-size-1024 1304 1304 1024 4 1 : tunables 54 27 8 : slabdata 326 326 0
-size-512(DMA) 0 0 512 8 1 : tunables 54 27 8 : slabdata 0 0 0
-size-512 1123 1176 512 8 1 : tunables 54 27 8 : slabdata 147 147 0
-size-256(DMA) 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-size-256 870 870 256 15 1 : tunables 120 60 8 : slabdata 58 58 0
-size-192(DMA) 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-size-192 2119 2160 192 20 1 : tunables 120 60 8 : slabdata 108 108 0
-size-128(DMA) 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-size-64(DMA) 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-size-64 33003 40887 64 59 1 : tunables 120 60 8 : slabdata 693 693 0
-size-32(DMA) 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-size-128 3921 4800 128 30 1 : tunables 120 60 8 : slabdata 160 160 0
-size-32 332359 332976 32 112 1 : tunables 120 60 8 : slabdata 2973 2973 0
-kmem_cache 191 191 32896 1 16 : tunables 8 4 0 : slabdata 191 191 0
+size-8192 12 12 8192 1 2 : tunables 8 4 0 : slabdata 12 12 0
+size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 0 : slabdata 0 0 0
+size-4096 119 119 4096 1 1 : tunables 24 12 0 : slabdata 119 119 0
+size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0
+size-2048 200 200 2048 2 1 : tunables 24 12 0 : slabdata 100 100 0
+size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+size-1024 578 588 1024 4 1 : tunables 54 27 0 : slabdata 147 147 0
+size-512(DMA) 0 0 512 8 1 : tunables 54 27 0 : slabdata 0 0 0
+size-512 608 608 512 8 1 : tunables 54 27 0 : slabdata 76 76 0
+size-256(DMA) 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+size-256 815 825 256 15 1 : tunables 120 60 0 : slabdata 55 55 0
+size-192(DMA) 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0
+size-192 1260 1260 192 20 1 : tunables 120 60 0 : slabdata 63 63 0
+size-128(DMA) 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+size-64(DMA) 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+size-64 23094 25783 64 59 1 : tunables 120 60 0 : slabdata 437 437 0
+size-32(DMA) 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+size-128 3271 3450 128 30 1 : tunables 120 60 0 : slabdata 115 115 0
+size-32 352497 352576 32 112 1 : tunables 120 60 0 : slabdata 3148 3148 0
+kmem_cache 183 183 32896 1 16 : tunables 8 4 0 : slabdata 183 183 0
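Review bot: the replacement snapshot commits host-specific kernel state, most visibly the cache name `nf_conntrack_ffffffff81b18540`, which embeds what looks like a kernel address from the machine it was captured on. Almost every line changes only because this is a different capture: the third tunables value goes from 8 to 0 throughout and the object counts all differ. If the test only depends on the slabinfo format, a trimmed fixture with normalised values would keep such data out of the tree and make later updates reviewable line by line.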
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
- lo:267102759 105357 0 0 0 0 0 0 267102759 105357 0 0 0 0 0 0
- eth0:1013756074 1354469 0 0 0 0 0 0 245526499 966773 0 0 0 0 0 0
- pan0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ lo: 5243413 23981 0 0 0 0 0 0 5243413 23981 0 0 0 0 0 0
+ eth0:25462133 318845 0 0 0 0 0 0 2039181 15966 0 0 0 0 0 0
+ eth1: 1386405 18972 0 0 0 0 0 0 95634 1485 0 0 0 0 0 0
subject=/O=example.com/CN=clica Signing Cert
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.com/CN=clica CA
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
-MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
-ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired1.example.com
- localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF
+ localKeyID: 54 BE 44 70 F3 50 A6 ED E3 73 5C F3 DC BB E0 12 26 DC 31 A1
subject=/CN=expired1.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4
-dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
-bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317
-kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired1.example.com
- localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF
+ localKeyID: 54 BE 44 70 F3 50 A6 ED E3 73 5C F3 DC BB E0 12 26 DC 31 A1
subject=/CN=expired1.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4
-dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
-bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317
-kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ==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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw\r
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y\r
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St\r
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa\r
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw\r
+MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp\r
+P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3\r
+/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi\r
+fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2\r
+tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH\r
+7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII=
-----END CERTIFICATE-----
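Review bot: the regenerated clica Signing Cert in the `+` lines is still signed with SHA-1 and moves only from a 512-bit to a 1024-bit RSA key. The `DQYJKoZIhvcNAQEFBQAD` run before the signature encodes sha1WithRSAEncryption, and `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ` is the 1024-bit RSA SubjectPublicKeyInfo prefix, where the removed lines had the 512-bit `MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBA` form. Since the whole fixture set is being reissued anyway, consider 2048-bit keys and a SHA-256 signature, so that TLS libraries with stricter minimums do not reject the chain for reasons unrelated to what each test checks.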
Bag Attributes
friendlyName: expired1.example.com
- localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF
+ localKeyID: 54 BE 44 70 F3 50 A6 ED E3 73 5C F3 DC BB E0 12 26 DC 31 A1
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQINZM2aHxF3EcCAggA
-MBQGCCqGSIb3DQMHBAjc9XMhJPg/ZwSCAVicoTPaeGXGPJyPdhflErlI9EWbj0PH
-bv8AchovLDfYq1Q4EJzkUG1XyelHNha+BS/zFxCcmtpdQtXedL/SdXsOyM99wdJH
-tjpJyWxM3bysqDUdhv2g11KTG0M9L7RBtKmbQq0zcHf9oTZbABKSe4EzX6a9khJY
-5bRVBSQPNtj3/5aAr0BOQQnythh0880FcYmvbFmZQNR12Cexc0+X0/aTaQ/LhM1y
-8GlRBFXGACP+mrY4RfEk/EatcGmqn4JCVASF7Z7zu7JKsEskLDArF9nvVh2xN22n
-DugUfQDRPph4ug2MyUcKNSZzGs+khWmS2TgPgUV0gr1tqS4Sqo+59NuZInyGSMRn
-FeiFTSYcd+zmxinF20MCs+Y6fFasErs6/zdK5oeV8pMlTCX0/yky9Ye4kfth2oHl
-UV+Rfe2Bo40wn6QkxuptagYdoDTJrMUCH9WL/ODRn4IA1Q==
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEJETKcyNPKkCAggA
+MBQGCCqGSIb3DQMHBAj+HLWzdCLulASCAoCle4sKpW54xzwgFBCtdLDXFO55QrNL
+rjiwWrmMDKP/SQTu6srl4wrB75aghZQTv9yuvhhiyrkEUm87m+J/scLIE8XEMiDv
+64S0nsLkvRt/5ysZnAVHbpgR6GBHCa+aMSFLZcWeZ4mRRePJy3dxi2MID9Cu7P/Z
+llAbQHC4yYAO/sboesY4k7Qp4x0Q1fwVqrhl/N2BtuBHJeeU/mug2SXJl7m3panu
+cxUko+aGwHr/p3xQqHpCZ6RSTo1h+N8DqJHVs57JrN5l5/DYJbuo53MQpbahzLpL
+SIXYq6lAni05+B88hXDW5ZPNMQwnjPL6SVSLUH2aDntJY5Ezor74NMSXKOmVf++q
+MqUbxf5EpzwW/H/3clXA0UCoUXs6/Xr7DydsAyORMLFS7CI+ehF48BAhwYcpEjGv
+uQyZdWsJMU5qaB3XnGFTwnsted1oVszu1FCqtQntfeuuG1V8s4LZgPtP25sE6zFP
+NGvFU5SCkuoj5+lhbsFSoF6YjJO5rcbIbd3OuUUZgo6posHeoo49T7gI0G563E7E
+KcMhpYR+/ayHGWRXm4J92x1X7NGCbbF+j1if76U8zd0fpgrXWdZKP2npA5gfp0Ae
+un4KhQOSLSvJQ0Vq0Vzc788j9jeHowYlnNoItgfoUIJ1DaILZjEtXlXPkH/sUgkF
+jsvmcjsMp4DpwDacmjzMvAu76Aw3FX3iU9aR9iYEwD9XkRkZzSf1hhB7Cfs4RXQX
+Zj0y2KTP/cltPghKdc6Gx1UyzX3ZvHZNA516pV73vHpkMzkiiSo7Ko2Vz71m9QwA
+dIkyMUVP00uZo6prpM/SfkEbrVmH8nwRbVNfR1Gwkol2Bk8mer+ifI+L
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: expired1.example.com
- localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF
+ localKeyID: 54 BE 44 70 F3 50 A6 ED E3 73 5C F3 DC BB E0 12 26 DC 31 A1
subject=/CN=expired1.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4
-dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
-bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317
-kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ==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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOQIBAAJBALoWxqfCasuFGXWBojy5fqtZuHQXa2OuvPZKp+ceRVGeDzZfbcvf
-ppwtg8eVomG6zsm0GVYjPZQCLxkSNRirB3cCAwEAAQJAbb0wuY21XP/I27ru6dCa
-GoJ2fD+zXL2XQccU7P608kO6R9g73lx48QT21OGvLkKGA4J2U3qqvqJWKP580o3X
-gQIhAN8A4PM0w3cLBnibnQcr+5TfhSUye/4AQcaqUQBnjQW5AiEA1Z+eWtugFdR3
-D6ntc4UdyXsO1DMDn6QyuyEyrJqUDq8CIGGfrtqJVLB+gRy3cuy60m3/0/fOu/0b
-+6+Oy9sTeebxAiBK7m5RWHBSt+/7YpOTzcGhBrUw4aQHv0S8Nuzbdm0wqQIgYW0B
-7KVyChX6OpKifrdrSK3Jp3iXP9pgNunxGNj1QbM=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-----END RSA PRIVATE KEY-----
subject=/O=example.com/CN=clica Signing Cert
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.com/CN=clica CA
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
-MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
-ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired2.example.com
- localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87
+ localKeyID: C6 AF 42 A4 62 E4 DE A3 FA 0A 88 C9 9F 8A 3A 95 F8 BD 5F 68
subject=/CN=expired2.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m
-bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
-cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT
-mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired2.example.com
- localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87
+ localKeyID: C6 AF 42 A4 62 E4 DE A3 FA 0A 88 C9 9F 8A 3A 95 F8 BD 5F 68
subject=/CN=expired2.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m
-bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
-cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT
-mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U=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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw\r
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y\r
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St\r
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa\r
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw\r
+MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp\r
+P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3\r
+/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi\r
+fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2\r
+tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH\r
+7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII=
-----END CERTIFICATE-----
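Review bot: In the signing certificate block, every added base64 line except the last still ends in a carriage return (rendered as \r), while the BEGIN/END armor lines do not, so this chain file keeps mixed CRLF/LF line endings after regeneration. If that is a side effect of how the chain is exported, normalise the file to LF in the generation script; if the test suite depends on it, say so in the commit message so the next regeneration does not silently change it.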
Bag Attributes
friendlyName: expired2.example.com
- localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87
+ localKeyID: C6 AF 42 A4 62 E4 DE A3 FA 0A 88 C9 9F 8A 3A 95 F8 BD 5F 68
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI0nrN9i220lwCAggA
-MBQGCCqGSIb3DQMHBAjYbPQkuir8nQSCAWANYVbKcEW9iaRzdj6AmMMZw4wnklZI
-rR+R/Eaz92xDWHLv9Qo03JK2OoGgkhE3QvyNxP7Sm69hgErN202M1s7CW66HAt60
-T0XmvbZoXYkn3iPzi6Txi1GQnzo7gfd1S0phD/4q+Tq38nRzJjvHjsL1ebjiFZ2y
-t5cF+gW7+3LEKT/s0K/WpS6QKTgl/W5iV09Tix1eOPckv7z4Cs2fiurohPocUTFa
-B/hdKTun4MwmcchFrgjRda+jz/P42xtgaSmhIETD+C3jnbdEZWFY4xYijyffEUR0
-gUHKH6UPxqoJyeL8ziQmz2jc4j1glnedslHjS+fKlLCU1QKYbhgCcRB4tqILxd9M
-e3/QQksgTFZtGymqPuwPMngcR2Om+E3f0UJnCXcaINJp971l971H/yhieYjxQua4
-8NNKVdz6EzYa/46Gv77Nu7+OQ0zGhMowpjGS4kTE9qOQ3udrdL2kFYJm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-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: expired2.example.com
- localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87
+ localKeyID: C6 AF 42 A4 62 E4 DE A3 FA 0A 88 C9 9F 8A 3A 95 F8 BD 5F 68
subject=/CN=expired2.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m
-bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
-cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT
-mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U=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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBANs6ryDCjUepqaS5l0ZmpJ3mbU0/nDE43cIfDCU+70Jjvf4rxfiQ
-u1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778CAwEAAQJAads7RulKSMkuxgBrgC39
-3NSwAHXvmIDp61sMhUuPQhF8kxF9IistHoa4TBW3tdSVepBSDoMk0Ote+0UgO3wK
-SQIhAPC8xBwjNC+gpnaxOvz2iLGbVwISPgM/TMaa+goBJ3o1AiEA6SDVyZi34Gia
-W0YYzmQaJv2VcmGYh0JQ+diJT7qaoKMCIQCfZy6nvvu4KbTv1MzNYWUDzWsgePnM
-5qYsv8OeykLcnQIgU4JDkrd2Bpjx0ghGEoihJZ5ozlRPgwQqZZU/eqPph+kCIBAd
-MOImezJcizVRRG9PuyxuSvwLlPqjvFKnw2ixRkuW
+MIICXQIBAAKBgQC1CGIJL05trceWyUkdJdp3QFiQGuYn+nRTLUOOJR4v9cYUFomi
+hLdPZ2ElUZuQUQaP3mo0rNwSZBnUWaS+2MBOInu3DwBMhCqX2lPmVtOoj9PC0jsx
+l18pIYW5tKKpVdSVuTXZa/bUCbf351DNclNIEfh7zFXevzbwrI2x5qrteQIDAQAB
+AoGAAaTA1xqB2McSH9FWA5i7YgfIhg5odoZ0lei8S0cU/hR6JuaJe1s/Gs5yeFdE
+VUwXBilbx3ymRth3z5C8ySrInCkRewoskB4CBzAqEXxgq/njX6cvCdqf/6afzgvE
+YQ6UTSASRYnd+dUrdz5m+XP8BU3iW+9aT0ZRWnc4nkKb3gECQQDq4OC7PWtqU1b/
+8fDqp5Loejw1zSVhBTCEyfXKP+s+uWfLoM4e4krGxhjBgBrNS0Qdv006J/nDUPlK
+0uT12UTBAkEAxU/tR3RytfW3hRUYFMNhkUGhC/906IoKajKoIiK17vBIA1qynAZ3
+jviT6Q5JQCYCRh25PHQvk+/0jZRNDuG+uQJAPkyNbzyYTCh00Ah1VVhDUCRz6fVS
+78v3lZEX/6A6nnWBAXLSmUB+gwCyOkjnUwKeu6EtM7q8tcC5js4naspJQQJBAMEc
+vvCmafbo7JrV0GHR79YI06Q4e6V0JUlXFvOB4WpfxTtzM0g9lBpb8/evQcYE7UjO
+opMma8JwoXtH4DtmehECQQDWG5T5BXZMPkVSSG9pF6BYlLZveYK6Y7PK6naYj7VN
+gR8uaIdeHDlIfvSCxTdiTNeC0y5bEKGNgAjkfrZNsNwn
-----END RSA PRIVATE KEY-----
subject=/O=example.com/CN=clica Signing Cert
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.com/CN=clica CA
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
-MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
-ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked1.example.com
- localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07
+ localKeyID: 20 71 F8 DC E7 30 30 96 0E C4 15 76 D6 41 24 BA ED 19 8C 15
subject=/CN=revoked1.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA
-h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
-bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG
-e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ==
+MzQwNloXDTM4MDEwMTEyMzQwNlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKu5DqPk2+MvI4TMS/rU
+60uPCkU7DuVVJzyOSkUzxZFsQcEJxfd6sfkicGbzoMkhx2UclbtcP9ll9dLuUplh
+hZVbQVI5vAeuEUKPGnHp1KIN776sOYDilf4PCOhQVDNR91OcOwcCKROjCfXu6w7c
+RqVCdrIoaCRf/bpBrIyou8WxAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
+A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
+hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
+KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLmNvbS8wHwYDVR0R
+BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADgYEAMOti
+HVUrF17HKVH9eRvCKNJ+1h1R76otCpevvmujGxY/2wrYpbZ5NIWPWoF2tDXfBNDK
+r5w5f1DlNWeVZKW5dYtmVS8O7IxhICGlAq9U4A0laj3x6iglbGggqRnQl/QRUd7s
+jCG0Bbsa1/nc+9JbPqWGz5LXT3t5cF/6NDeKi68=
-----END CERTIFICATE-----
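Review bot: The regenerated leaf certificate still carries an Authority Information Access OCSP URL that base64-decodes to http://oscp/example.com/ (the run hodHRwOi8vb3NjcC9leGFtcGxlLmNvbS8 in the added lines), which reads as a transposed "ocsp" with a "/" where a "." was probably meant. Since the fixtures are being reissued anyway, either correct the URL in the generator configuration or document that it is deliberately unresolvable, so that OCSP tests do not come to rely on a typo.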
Bag Attributes
friendlyName: revoked1.example.com
- localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07
+ localKeyID: 20 71 F8 DC E7 30 30 96 0E C4 15 76 D6 41 24 BA ED 19 8C 15
subject=/CN=revoked1.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA
-h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
-bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG
-e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ==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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw\r
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y\r
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St\r
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa\r
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw\r
+MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp\r
+P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3\r
+/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi\r
+fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2\r
+tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH\r
+7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked1.example.com
- localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07
+ localKeyID: 20 71 F8 DC E7 30 30 96 0E C4 15 76 D6 41 24 BA ED 19 8C 15
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIxIBGy/hgXxwCAggA
-MBQGCCqGSIb3DQMHBAj96WZ8xRBC6QSCAVjQ7DTLCFeVW0ah1ECV+1bvGiQy9JwH
-fxHD3s2Wg7+McsAfF2oSx8R0Za7miR70Ke94xrraIuH0NeltyalI5iQOjbGe1W8V
-exnRfXI+87W9QHVI85TW2l6pXCR96cj6zrxQAhXFamDY/SfgwTbaQibrduD2eoct
-IvJ8QsaywSKwpnQAN/4XlQ6aus7w1ywtvFek+15oAfgACG/mXaZZa9sg/pRzHT3a
-8qJjMpJSDOd5QUxKIShidYPNKA88EIvdg9+0wNj42w9A4rAwaoqol4RzdLu8dXbG
-lGjiRdGwkMvlwnAWY68hPnAPOiH8ev7lNPkOkk+YsIVoJK7AoEGyvNk2N02kaBBf
-xfrHIt8jh8Suvfp0HJbdeBTTT1qu/acwNbeA2TVVXdXyoZTrSWiwmv4P0lBYXJIx
-raWLqaaImi5JvL1o5ATr3s8RtD+0iWH5LUuWdzI/agJKUw==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-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: revoked1.example.com
- localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07
+ localKeyID: 20 71 F8 DC E7 30 30 96 0E C4 15 76 D6 41 24 BA ED 19 8C 15
subject=/CN=revoked1.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA
-h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
-bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG
-e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ==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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOQIBAAJBALZnxZDabibJfMRdBCDbPWJ4gIdDSrH/E7etSFcw7EeVCyTkqQO6
-3Kpm54mLliex9avEZuVk6oy7OcyChvnEf5cCAwEAAQJALGjPfRjxQJhFvDk5TBaU
-t2jHQidsBDIqRsn1luTeYf7KVwL5p51LV27UBqIF+UPa3Wl04rc5IWSCp5CIpASa
-IQIhAN6Ekj/LESey/9nn85fDMUH45PgW/7J+NeqwgK6zoyulAiEA0doPRY/U2ano
-Hu94mggwB693XasYuRsSsGZWK1+nCYsCIF1BXjGSH0xt/kAKr9IoodouP3eh2+Oo
-dVw4QJX2/ylpAiAZUYjUKLVSiZhS2yue0ewRkU8CgxkZhDWuCLrOwtyhXwIgJr3H
-b3LNAipslDnHrNzBK2GB6MlM7/+foJ7Lu7pbK+o=
+MIICXAIBAAKBgQCruQ6j5NvjLyOEzEv61OtLjwpFOw7lVSc8jkpFM8WRbEHBCcX3
+erH5InBm86DJIcdlHJW7XD/ZZfXS7lKZYYWVW0FSObwHrhFCjxpx6dSiDe++rDmA
+4pX+DwjoUFQzUfdTnDsHAikTown17usO3EalQnayKGgkX/26QayMqLvFsQIDAQAB
+AoGAJghnkK8YcFm5YSkqTtSnhGWa3bh11R8mAIh3NJqB0HKMoad7fBNlpYsWIAcn
+fkSH+AH7u7Jzxb+KUXxNOQFbZ1r6+Ye8nX0Gj1zEeRM9FWbJ3KB5hgd0jWS9tqoW
+fbuqKMsxiPTzo10yJ8RNegtsUmx6KCc2om0RvROtiLrH79ECQQDdS826UMtHQwNk
+518YWEQ6XogJpu9yO3HNhMfBG3mVpIZRw1vUhNuMAze4I2IAD7gqYPzx1QeX5pq1
+s57VKj19AkEAxqcTv/wwm9tPEUyPx/EBf9cQ4ta+XEpOkwy8VRHkZYi1vUcuniMO
+7aQVLHDBG/Ksh2GWpFC7v5qjo9eNgXBvRQJAOhooBs4lwS0YHAsfja3HJCgjwZ0B
+61UuOQ6uv8Xt81tCJP+NAcxsNGO34nHvziJScVYLs5cCKmDSp/hkMIWppQJAD6QI
+Ag2xJhRWXV5R08Q+AfrE8ZdG1a1kEl/mVCxcd0IUTRrVqM3J1xwcLquSCMlKnD4q
+xjU1Exjx2WyXT6GyoQJBAMM9muE6OBGpbcVM4g2jQFH5hUpLRt12+Zth9j6ZmprU
+LljRN27vg++BFGdRSKk8dszK9RYJdRhenKqLUUagOoY=
-----END RSA PRIVATE KEY-----
subject=/O=example.com/CN=clica Signing Cert
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.com/CN=clica CA
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
-MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
-ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw
+MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh
+tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX
+Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02
+H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl
+qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46
+eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z
+RSHyhbTD0HeiJDI281BoOJjm
-----END CERTIFICATE-----
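Review bot: Going by the DER length prefixes, the replacement RSA PRIVATE KEY in this file moves from a 512-bit modulus (MIIBOQIBAAJBA...) to a 1024-bit one (MIICXAIBAAKBgQ...), while the reissued CA certificate below it is still signed with sha1WithRSAEncryption (the ANBgkqhkiG9w0BAQUFADA run in its first added line). It is worth stating in the commit message that the key size is the intended change and why 1024 bits was chosen, and noting beside the fixtures that these unencrypted keys are for the test suite only.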
Bag Attributes
friendlyName: revoked2.example.com
- localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34
+ localKeyID: F6 B8 57 6A D8 2D CB DC DC 43 07 E6 86 40 B7 FA 7B 99 A1 E5
subject=/CN=revoked2.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n
-/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
-cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY
-JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked2.example.com
- localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34
+ localKeyID: F6 B8 57 6A D8 2D CB DC DC 43 07 E6 86 40 B7 FA 7B 99 A1 E5
subject=/CN=revoked2.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n
-/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
-cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY
-JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso=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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw\r
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y\r
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St\r
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa\r
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw\r
+MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp\r
+P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3\r
+/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi\r
+fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2\r
+tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH\r
+7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked2.example.com
- localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34
+ localKeyID: F6 B8 57 6A D8 2D CB DC DC 43 07 E6 86 40 B7 FA 7B 99 A1 E5
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIFV1GIQOsrw4CAggA
-MBQGCCqGSIb3DQMHBAgtBn7nWaro7ASCAWArJ92GA0suBbeIF2CisKcYFfGP+KD5
-LUOKocnSVgVeEvjQmoLzb/YAnXQsh3HtfHjbsJg1Hix4XIRI6skZD33JhhQZha/0
-M8QsA3GBCPcskjQCIMg0FVltjZOVnR20JxlI0HtMybZrIlhNCcWrLkVhU8CRbzFc
-Pubs7P9xIxlfuWVAEBmlOb1LkctHKnWlvVDR4Bef7epwa/KttSmLbBHuayQiwvms
-axUke+NYJvzFWfKpTXP0OHOfz7cdb5dN/BcF642LIGu2f7nY7vGbSG9+iZ4Mb85k
-FBbuSFquqAdxho6IHL7p/xfsW3k8+o6jKhCqkFaY1O1TNLmNtyJSyULDEbJMBiBF
-Q0pLC3AF6EtPDvN7gIvlY6jERZb7j8DJrCnjbEJR1IF09DrH3EdfaYLnGd+0/SRn
-UPY0jNEmT8hwj1ANacuSlBaIXYSjtjDYwJTz4DJA36z+03TDo/ahxwaW
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIlxIrxmJRt8QCAggA
+MBQGCCqGSIb3DQMHBAgod4MeM3j+0ASCAoBwu4gld5x2UyoP3M2re8SrlwbNnWut
+VQH6reInjBZfOOYco4PekLMSoD2kZYcdcupquBe6cmb72ODBkmDHa84p/NtQznhI
+FO1oF/isGm0OSQBp1odVoSY9ZqYrMlbikBHoCVljLFGimFZcdU69xRnNk9LKReB2
+sUVF2DzYQkgPM+OCQjza53nJh8XJTgXJkKjaqcjkfbP8QuVQBzBXgVRPqh2WnXA3
+St4Pj3qXuG177Q86X+NDS0S4mRuVwkarB8jDqkWnhdl3fcZz3NHCSj4aDxuOxos1
+3XcGCXG50W+31cAoj6oRfPKgaDt0zOfMySBJqhBYSYTV36Wddoq3rzPJyNOTHpFW
+Y5K+792SYC++bIFEyJOrTH0a/NsVDrFHvX9ib94KscD9TM2yUP06Yr8j3jh9ecDs
+YNfsVqdNq62Hj+B9hBPIrBUufuAMHwOengcB+tcpJvNX5/ckBIPCSFjxlbFWZ/nr
+E87+AEmt4xYAQAXvutBRC/W6kLvcdD7oGIEKEmhUrBPegA6hFaAo7L+whpW5dp90
+cVwGTpPMqiHkbBEl5XOQmmpqtyZteRfccvAD6+obJHt59dZ6T/il7GItPmBOxO9Q
+UWd4bCOLvI1gmSsfpP0akX2gUDFPAlzCuYgalMZ5krkk1VlEunRTMBUuW5zziiEE
+YKw8I0AV9LjmYCsGHl00LGKgOof0GjCbh+RV+qcuJIlVe26Q+gl1ubsI/3sfPu+e
+l+SFAdtxmWh0gQVrQIW6SdZJ5gfqIZZOleq6PXOl4em7/GnRD1+xtnzsEZRRMILt
++UF6GFSlar8Ug87RLEsTbA0uqcXA8KhsACU//Zof3ZWzGor4+dqcEabj
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: revoked2.example.com
- localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34
+ localKeyID: F6 B8 57 6A D8 2D CB DC DC 43 07 E6 86 40 B7 FA 7B 99 A1 E5
subject=/CN=revoked2.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n
-/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
-cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY
-JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso=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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBPAIBAAJBALl7NO1x6uz5p6etz9g+bD4n/s5Wh/XGDL1IHD78fRFFX9B8dCyo
-MrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0CAwEAAQJBAKkeAI07YDOAEnCd1zPY
-/sLRns+uMDtUwArZs/9uIe7a3X4ussXCv60z9epuGre7StXrVyDGBnGqGexsKIiH
-uaECIQDzrY97z+Zcb1RZ/ncQfiep40jMGmpDX/un+wtfkeICWQIhAMLcSIgL/FTH
-t7ehuH5pClcJY0bX0tbOpfNgOWvMniJVAiEAyrYMkewOb8Dxg/gLJn48ErkP2zLy
-SWA0orZV7MgYIukCIBcGcIui3u4lq0/HjEVjpBUkxtZYKlG3mWRoumBCjW0BAiEA
-tqIijH5G06iofDnTIJzXFfetUPNl/wqJ1Xz6ECFh84s=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-----END RSA PRIVATE KEY-----
subject=/O=example.com/CN=clica Signing Cert
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.com/CN=clica CA
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
-MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
-ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: server1.example.com
- localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC
+ localKeyID: 39 11 FB 30 22 36 42 DA FC D7 A2 8A 0C 60 83 2F 66 A7 B8 4E
subject=/CN=server1.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+
-3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB
-AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
-Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
-Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
-LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++
-vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: server1.example.com
- localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC
+ localKeyID: 39 11 FB 30 22 36 42 DA FC D7 A2 8A 0C 60 83 2F 66 A7 B8 4E
subject=/CN=server1.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+
-3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB
-AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
-Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
-Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
-LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++
-vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4=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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw\r
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y\r
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St\r
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa\r
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw\r
+MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp\r
+P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3\r
+/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi\r
+fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2\r
+tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH\r
+7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: server1.example.com
- localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC
+ localKeyID: 39 11 FB 30 22 36 42 DA FC D7 A2 8A 0C 60 83 2F 66 A7 B8 4E
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIt+n3xYebFlACAggA
-MBQGCCqGSIb3DQMHBAi30QtCXj3kIQSCAVjO+WdU7jaPYN1v7ev2qNehi8MrvllJ
-Q03/xCaiGTI7fUQM55W4Tc5+b952ni6ZtCnYfCojIQ6Wr0uyrabRE9nCRTudKAGv
-+RG/vO576Wv69XblZaKwPp1ru5Fb+TqMRDmHsJKzmjx4/iN3l/673w8QEW+opYjI
-i+azRCzMjUcFDkExEqXunJCDD4k0iWv/LTiXa/WfKoPncY6dmtjGt/ceGG7gn+sy
-IGTPbVyX85I4lfSb42mQjticlqpNWNv+BasZNGIAGkreGEIR1HqvoIeIjyze4j/k
-yAA/oAO7WucowZfX6Rcno9yO5Cjsbn60RPMe5aSnCKXH8OnaklegbzQCIXwlRapH
-VCE28ladQ1+7zwCBhCW60WwhRN0UDQz9aFTrbhZ0uUZ13t/EcRr17f43hXnjwCVg
-+q6ixyRnx4zSncCTL6iOe2ybUV8IXCFdrWnd7CYJOz804w==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-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: server1.example.com
- localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC
+ localKeyID: 39 11 FB 30 22 36 42 DA FC D7 A2 8A 0C 60 83 2F 66 A7 B8 4E
subject=/CN=server1.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+
-3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB
-AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
-Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
-Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
-LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++
-vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4=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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOQIBAAJBALoRsp/dkHZmb5JWfsrNKh9fkj7coA2S9LRpXFRL+a2comDokspz
-Z1Vq/U6Y9MX8zwnbUXq1V3wQdYGuWyBLdB0CAwEAAQJAC7hRqAAsuUh6fp00H1IM
-9Szv6UW8Tx6Si0qXpjei4mx/reGBvQGTIUJuGdXmuBH5tQHLPskjEqXmgiccWydz
-gQIhAPCP3JccbCUpKELah84ikXuQs0PEnGfyg4oP22x0B5q3AiEAxgKV7eFrd5Qa
-FfjHsK/HfrL8YQYynm8yDqqHnSsJY8sCIFei4Sa/uPoUs1EfkWfcGgnc3iGrB5uq
-spbiTfqFjpujAiAcWvhvdU13dUz7AoJOKg3udeEwX7vV9mR7ty3ucuBIWwIgEy7b
-le8z7zokRTzIKSMpl5xr/0Vp6DWlS0KwuLNuJjc=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-----END RSA PRIVATE KEY-----
subject=/O=example.com/CN=clica Signing Cert
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw
+MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp
+P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3
+/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi
+fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw
+Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA
+Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2
+tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH
+7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.com/CN=clica CA
issuer=/O=example.com/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw
-MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+
-ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: server2.example.com
- localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE
+ localKeyID: 40 B2 13 5E 6B 67 AE 36 A3 97 69 6D A3 28 42 36 85 E7 4C E3
subject=/CN=server2.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM
-VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID
-AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
-ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg
-hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi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-----END CERTIFICATE-----
Bag Attributes
friendlyName: server2.example.com
- localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE
+ localKeyID: 40 B2 13 5E 6B 67 AE 36 A3 97 69 6D A3 28 42 36 85 E7 4C E3
subject=/CN=server2.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM
-VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID
-AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
-ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg
-hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw\r
-MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y\r
-7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St\r
-u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa\r
-ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw\r
+MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp\r
+P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3\r
+/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi\r
+fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2\r
+tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH\r
+7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: server2.example.com
- localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE
+ localKeyID: 40 B2 13 5E 6B 67 AE 36 A3 97 69 6D A3 28 42 36 85 E7 4C E3
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIFmRnQVx4IM4CAggA
-MBQGCCqGSIb3DQMHBAj96PHFOGcW+gSCAVhUx92WT6m/52ZEGgqV+RyBKgHPv0Vk
-NCrmKEJJAvGRWGl+jnpU780hLNx+qWHxGV6r+wyPN9F81oDhqeYQtIRIYC8tWBeC
-9mouIU/iNXYUkun4ZaH6sIJSFfB/2l/pz5/GaiCqgQPPufGmRFsHcGcZlYpnLHkb
-PyRFagan7QYIwUouBTyJ0o/OKBU/r6QM+ZO1zB4YqUutpYMTUbcD9zkj3eAFpIDZ
-fuci+WK1imuUek9LdKifM8f5jdc4n/Ya5rFcpHg45CXz+pLntsprjQVzhFdQblZW
-60ZyiJm682h7ioHhcJYmYyEa5DMItEqzLasQncMi/s8+SUCqTE0QaWYWJ+ofv1cD
-GBYWoM7Ar47zaqgQYlKMKs9mDfUQ4FQy382yrnsPnyo+K8ra5ESUA++uIxMwouHo
-x3dD4wV51jP8VC9VN2GWprZWffnxwMP4PxZejmZVbSWvPw==
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI9nwG/TOpp3MCAggA
+MBQGCCqGSIb3DQMHBAilpHreae+faASCAoBx69kd96hrjqkgteXaXrMEVH/9sbBQ
+GXzBvazDadBDfUGHJweJKHJfJMujbHCL+ogsQsfwilWZotbkStMjg5ik5pwmq7ry
+nRZF/6vm5lusqXc/4XJcb1tiag8ItcMrgfKCBHIA7HuJveE02C1z20vU40CAvgBW
+QV1+0yZ7t4PPncYU/Mia1DY+hfEDX0U/pV3btevlIqAB38a6/pMptdwEdfQqsgjW
+T+Fu7oW9C9Flo2R5xfGOzfeA4/Ujng9uxQTQoC3fE9j/jp64wE0vRDr6SRTfXM70
+F8YH38oKnhCkAwmnWAV65UBS9k90NIqgqdKljpSmikBuGi7oawgYWFXokAGWru9E
+m8LoMsf6eyxKD9NVJ0F+2lK+qBfHEdR5VOCVZP1VveY/CgZq/E7nRejhQjKsrf/6
+eKmxFYsH4zuz8heEqjZKfl0YAHffKd34dsBetmPviegf6FUBXAUAdtm5nEshYt1g
+A8YQtBNOzoM42T/7temhyo7ZrYBKeXLmej/ZQXCoDT6t1o0vtjPMBBMqTmKZXLGt
+lf2xjAy7uQYvZfarPNVO8ENUSgwsKIfF4ty5wVOQfHrHjRpe51AWi/AcTOcM87r+
+cUvOEUERq6zjC72WEPZB0X2+sTN6yWZgPipIOCuPEiChvs5hjcmXGkOlEjhH11F9
+diTTUvjQh2v8x1Iz+wMlbTVSJnqZXFrXEgQe212zKy8RpKA8tat2y57cgchHJ2n1
+BSSJbWom2HVZ2yYtZoHZSgH9rVJul7QsGI0/MgEuAGy3TKYZhlsSRgjBKqSz+mgU
+Kw7KQxhJnF4nzRsZ17pGWxoEzs0cSTO7c+QGZI126KwCMGIFHFXwcHwV
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: server2.example.com
- localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE
+ localKeyID: 40 B2 13 5E 6B 67 AE 36 A3 97 69 6D A3 28 42 36 85 E7 4C E3
subject=/CN=server2.example.com
issuer=/O=example.com/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM
-VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID
-AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
-ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg
-hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOQIBAAJBANkwiRDWztFCvgo7Nh0qqtTpTFSCULP3LbmtwxHDzqYYzcC61KlR
-r+apFhQx27CdNIaYlu7ivbQ32sElpnBYrNcCAwEAAQJAAT7+ClKxLRIs9PISBWjR
-Qhd0kKeOvvmUEZSlodx1uw42qqDQ0vfYMSOWzn8dlGQ/XGJ4xVwvFFklNCfWva4M
-QQIhAPaoF/TqmR/dc2CLsQkWoZQqdu7w+uBnTnqqcQ1A2ci9AiEA4Wqw3SszsAwV
-ELV+DCDouyncyMmCzJkDjYA1WYNiVyMCIAc3AYRjfFknRCG11Fbct5s65sG0gNIh
-k3UZGTd3ByfNAiAbwAqt75eZYKNnPzCZRaPhBrJLdaNIlL2/Ob1Xm7kLiQIgWtVa
-weFGKWW86QXScrel5sjNDxFv+ZvMd+heAiPqkXs=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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw\r
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp\r
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje\r
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID\r
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq\r
-hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2\r
-iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw\r
+MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp\r
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7\r
+lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO\r
+HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x\r
+XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw\r
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb\r
+bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca\r
+o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h\r
+VAtQ+ux57x052IuOi9FtrqVR
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw\r
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY\r
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a\r
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit\r
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw\r
+MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo\r
+cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e\r
+RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW\r
+7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ\r
+ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh\r
+XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw\r
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp\r
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje\r
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID\r
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq\r
-hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2\r
-iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw\r
+MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp\r
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7\r
+lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO\r
+HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x\r
+XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw\r
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb\r
+bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca\r
+o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h\r
+VAtQ+ux57x052IuOi9FtrqVR
-----END CERTIFICATE-----
Bag Attributes
friendlyName: OCSP Signer
- localKeyID: 16 61 1B 08 43 C0 0E C4 AF 4D 7B E9 27 1D EB B0 D7 05 E9 75
+ localKeyID: EB 2F EB 2A 88 BA 65 6E B7 DF 67 0B D9 87 99 E4 7A C3 D7 FA
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
-MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAsT/jRe87h2kyfvbt
-YbvgOPS3y6+BPP8pVdU2CefZAy4mYhuj4ZejZgOf8W9XoonCKTW0Y31feBcy0cM+
-2TNM3QIDAQABAkEApPyuBevggnP2T95zKfUiioGoD43HA8sTY9T53xCTnPOrNNCv
-Vn5+ZXao86JF3ly2jY8Eg0b1hFpfZsZMhG/PgQIhAOg/SgSXqPL8oON/Uot1IUHe
-xLfwqW4toMwTknwdWO39AiEAw2ClhCYw/YTDdbh8sstP7k9HDNBPynwAuURLqc6/
-oGECIBDxVQgCvFuFnIMcLbxovhVdGALHNsUH5RweLWiKh4tNAiBSgpVD6tETr6bQ
-J1paM6yM6uQJkEuyKo4vr5z4mHyq4QIhAMtfRG4+QspRY6aaAAebWBS4zwDiAZCH
-6bnyjSzbUHsm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-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt\r
+MIICBTCCAW6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt\r
cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy\r
-MzQwM1oXDTM4MDEwMTEyMzQwM1owMjEUMBIGA1UEChMLZXhhbXBsZS5uZXQxGjAY\r
-BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB\r
-ALE/40XvO4dpMn727WG74Dj0t8uvgTz/KVXVNgnn2QMuJmIbo+GXo2YDn/FvV6KJ\r
-wik1tGN9X3gXMtHDPtkzTN0CAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud\r
-JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAjPHbFyZJZHxLSqn5\r
-i4i7+sWFAueHbbVXyDkzbspOeAbUeuc+lyZ7gMkRofbfIyXIMzSggVKiBetK5gf8\r
-OhXNJA==
+MzQxMloXDTM4MDEwMTEyMzQxMlowMjEUMBIGA1UEChMLZXhhbXBsZS5uZXQxGjAY\r
+BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\r
+iQKBgQDEGieOz20BljHB9yU9nnOGRHjaw863k7NMI3kPAddhSfLfsbj2G3mDi1OK\r
+3IRDwP7KZ0kGPE6zARUjcmxrsq8VJqr6JWbd0QEiu6JWzoFIkOshSnYbtHYIUtRa\r
+J4YtmvoiTfwCh+hVpWvaOhul2qIowpmjSvtHKyzjglBsOUs5yQIDAQABoyowKDAO\r
+BgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcN\r
+AQEFBQADgYEAZbAMzBc7Vaf2dW5zVH6/ImlnZe3qwZ2r/vb5nJlpF/Zc3AN13rrY\r
++7h7uvcG+wcwyteU0OmFs7cTWRRyjoJmmLMp4bYBjOliRKAjFgEYT9e1FmoxjmP3\r
+1XbEu2eUgEVUp+dBM7orlNcHYXs62GYQiVyA2WPCWoMahhIqEK4IBqw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw\r
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY\r
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a\r
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit\r
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw\r
+MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo\r
+cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e\r
+RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW\r
+7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ\r
+ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh\r
+XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0=
-----END CERTIFICATE-----
; Config::Simple 4.59
-; Thu Nov 1 12:34:03 2012
+; Thu Nov 1 12:34:11 2012
[CLICA]
crl_url=http://crl.example.net/latest.crl
org=example.net
subject=clica CA
name=Certificate Authority
-bits=512
+bits=1024
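Review bot: `bits=1024` on the changed line is still a weak RSA size for the clica test CA. The move from 512 fixes the immediate problem, but 1024-bit RSA is already below the 2048-bit minimum in current key-size guidance, so any TLS library that tightens its accepted minimum will reject these fixtures again and force another full regeneration of every certificate, key and CRL in this patch. Consider setting `bits=2048` in this same regeneration, and put a short note alongside the fixtures stating that the keys are for the test suite only and why this size was chosen.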
-update=20130127152434Z
+update=20140422152734Z
-----BEGIN X509 CRL-----
-MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5uZXQx
-GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G
-CSqGSIb3DQEBBQUAA0EAnGNQN1GnKB2PGg9C+vguhNlTRLgf9j9lziLPBkPff4+k
-8JLTVhcuQYnYTdw1WKq/DeXJRyZwd7Z8vAMMdsW5ZA==
+MIHtMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5uZXQx
+GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxNDA0MjIxNTI3MzRaMA0G
+CSqGSIb3DQEBBQUAA4GBAFoXyOzTFY7uLHW/UjKfxOP4NP9S+4PF4nHz4fvn0tcC
+3A7VE3ucmoNFWyxpkp4cSPYNGUJctBoJhS5t3WRvYd7ZweKKDO0/qsI8AQcfzY0n
+YBu/pjphxfs6dHnXFcRdhaP7nz/eoArkWGXn1UlsneJQXnBK/ZSsld472GPL5XaM
-----END X509 CRL-----
-update=20130127152437Z
-addcert 102 20130127152437Z
-addcert 202 20130127152437Z
+update=20140422152736Z
+addcert 102 20140422152736Z
+addcert 202 20140422152736Z
-----BEGIN X509 CRL-----
-MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUubmV0
-MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt
-MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G
-CSqGSIb3DQEBBQUAA0EAL1D/ZMfKSVVozt/TtAPIR/PMLTvBCGrRDbH31tI3pGUJ
-l+FZTnkR48HXOkuaPCxMclubZ0ptQ6wXHP58iwKacA==
+MIIBHTCBhwIBATANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFtcGxlLm5l
+dDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0GA8yMDE0MDQyMjE1MjczNlow
+LTAUAgFmGA8yMDE0MDQyMjE1MjczNlowFQICAMoYDzIwMTQwNDIyMTUyNzM2WjAN
+BgkqhkiG9w0BAQUFAAOBgQCCvMQ1eAkuztnM/mIUCWFRyRZuqVyf/gnCISf3Ha5w
+nOBMSJLn6vr2WYaTqe3vENqHYupQi5T2mK6B1JS/i3PGx2N+lCPAwTr/j08HAKwv
+WICtPYMdjx+HuoXRbGO4V/Q9YeaEucde0Ldk99P2bMRn2msGPdpoXlWuLUX9aneA
+Tg==
-----END X509 CRL-----
processor : 0
vendor_id : GenuineIntel
cpu family : 6
-model : 26
-model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
-stepping : 5
-cpu MHz : 2260.628
-cache size : 8192 KB
+model : 13
+model name : QEMU Virtual CPU version (cpu64-rhel6)
+stepping : 3
+cpu MHz : 1994.999
+cache size : 4096 KB
fpu : yes
fpu_exception : yes
-cpuid level : 11
+cpuid level : 4
wp : yes
-flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
-bogomips : 4521.25
+flags : fpu de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm up unfair_spinlock pni cx16 hypervisor lahf_lm
+bogomips : 3989.99
clflush size : 64
cache_alignment : 64
-address sizes : 40 bits physical, 48 bits virtual
+address sizes : 38 bits physical, 48 bits virtual
power management:
-processor : 1
-vendor_id : GenuineIntel
-cpu family : 6
-model : 26
-model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
-stepping : 5
-cpu MHz : 2260.628
-cache size : 8192 KB
-fpu : yes
-fpu_exception : yes
-cpuid level : 11
-wp : yes
-flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
-bogomips : 4521.25
-clflush size : 64
-cache_alignment : 64
-address sizes : 40 bits physical, 48 bits virtual
-power management:
-
- CPU0 CPU1
- 0: 2481 0 IO-APIC-edge timer
- 1: 21441 346 IO-APIC-edge i8042
- 3: 1 0 IO-APIC-edge
- 4: 1 0 IO-APIC-edge
- 7: 0 0 IO-APIC-edge parport0
- 8: 1 0 IO-APIC-edge rtc0
- 9: 0 0 IO-APIC-fasteoi acpi
- 12: 78986 1718 IO-APIC-edge i8042
- 14: 0 0 IO-APIC-edge ata_piix
- 15: 2423337 1435 IO-APIC-edge ata_piix
- 16: 1025 0 IO-APIC-fasteoi Ensoniq AudioPCI
- 17: 239858 2559 IO-APIC-fasteoi ehci_hcd:usb1, ioc0
- 18: 246 0 IO-APIC-fasteoi uhci_hcd:usb2
- 19: 1868825 51479 IO-APIC-fasteoi eth0
- 24: 0 0 PCI-MSI-edge pciehp
- 25: 0 0 PCI-MSI-edge pciehp
- 26: 0 0 PCI-MSI-edge pciehp
- 27: 0 0 PCI-MSI-edge pciehp
- 28: 0 0 PCI-MSI-edge pciehp
- 29: 0 0 PCI-MSI-edge pciehp
- 30: 0 0 PCI-MSI-edge pciehp
- 31: 0 0 PCI-MSI-edge pciehp
- 32: 0 0 PCI-MSI-edge pciehp
- 33: 0 0 PCI-MSI-edge pciehp
- 34: 0 0 PCI-MSI-edge pciehp
- 35: 0 0 PCI-MSI-edge pciehp
- 36: 0 0 PCI-MSI-edge pciehp
- 37: 0 0 PCI-MSI-edge pciehp
- 38: 0 0 PCI-MSI-edge pciehp
- 39: 0 0 PCI-MSI-edge pciehp
- 40: 0 0 PCI-MSI-edge pciehp
- 41: 0 0 PCI-MSI-edge pciehp
- 42: 0 0 PCI-MSI-edge pciehp
- 43: 0 0 PCI-MSI-edge pciehp
- 44: 0 0 PCI-MSI-edge pciehp
- 45: 0 0 PCI-MSI-edge pciehp
- 46: 0 0 PCI-MSI-edge pciehp
- 47: 0 0 PCI-MSI-edge pciehp
- 48: 0 0 PCI-MSI-edge pciehp
- 49: 0 0 PCI-MSI-edge pciehp
- 50: 0 0 PCI-MSI-edge pciehp
- 51: 0 0 PCI-MSI-edge pciehp
- 52: 0 0 PCI-MSI-edge pciehp
- 53: 0 0 PCI-MSI-edge pciehp
- 54: 0 0 PCI-MSI-edge pciehp
- 55: 0 0 PCI-MSI-edge pciehp
- 56: 1 0 PCI-MSI-edge vmci
- 57: 0 0 PCI-MSI-edge vmci
-NMI: 0 0 Non-maskable interrupts
-LOC: 12398590 14242910 Local timer interrupts
-SPU: 0 0 Spurious interrupts
-PMI: 0 0 Performance monitoring interrupts
-IWI: 0 0 IRQ work interrupts
-RES: 282808 309226 Rescheduling interrupts
-CAL: 1955 163556 Function call interrupts
-TLB: 18075 15578 TLB shootdowns
-TRM: 0 0 Thermal event interrupts
-THR: 0 0 Threshold APIC interrupts
-MCE: 0 0 Machine check exceptions
-MCP: 2310 2310 Machine check polls
+ CPU0
+ 0: 258 IO-APIC-edge timer
+ 1: 6 IO-APIC-edge i8042
+ 4: 1 IO-APIC-edge
+ 8: 0 IO-APIC-edge rtc0
+ 9: 0 IO-APIC-fasteoi acpi
+ 10: 953 IO-APIC-fasteoi virtio3
+ 11: 62 IO-APIC-fasteoi uhci_hcd:usb1, snd_hda_intel
+ 12: 104 IO-APIC-edge i8042
+ 14: 0 IO-APIC-edge ata_piix
+ 15: 106 IO-APIC-edge ata_piix
+ 24: 0 PCI-MSI-edge virtio2-config
+ 25: 49006 PCI-MSI-edge virtio2-requests
+ 26: 0 PCI-MSI-edge virtio0-config
+ 27: 296912 PCI-MSI-edge virtio0-input
+ 28: 1 PCI-MSI-edge virtio0-output
+ 29: 0 PCI-MSI-edge virtio1-config
+ 30: 18868 PCI-MSI-edge virtio1-input
+ 31: 1 PCI-MSI-edge virtio1-output
+NMI: 0 Non-maskable interrupts
+LOC: 778283 Local timer interrupts
+SPU: 0 Spurious interrupts
+PMI: 0 Performance monitoring interrupts
+IWI: 0 IRQ work interrupts
+RES: 0 Rescheduling interrupts
+CAL: 0 Function call interrupts
+TLB: 0 TLB shootdowns
+TRM: 0 Thermal event interrupts
+THR: 0 Threshold APIC interrupts
+MCE: 0 Machine check exceptions
+MCP: 271 Machine check polls
ERR: 0
MIS: 0
-MemTotal: 1914844 kB
-MemFree: 133340 kB
-Buffers: 142048 kB
-Cached: 953728 kB
-SwapCached: 108 kB
-Active: 982140 kB
-Inactive: 540820 kB
-Active(anon): 287228 kB
-Inactive(anon): 143480 kB
-Active(file): 694912 kB
-Inactive(file): 397340 kB
+MemTotal: 487904 kB
+MemFree: 72616 kB
+Buffers: 73820 kB
+Cached: 142556 kB
+SwapCached: 0 kB
+Active: 133212 kB
+Inactive: 119168 kB
+Active(anon): 15164 kB
+Inactive(anon): 21900 kB
+Active(file): 118048 kB
+Inactive(file): 97268 kB
Unevictable: 0 kB
Mlocked: 0 kB
-SwapTotal: 4194296 kB
-SwapFree: 4193560 kB
-Dirty: 2760 kB
+SwapTotal: 524280 kB
+SwapFree: 524280 kB
+Dirty: 2456 kB
Writeback: 0 kB
-AnonPages: 427016 kB
-Mapped: 70844 kB
-Shmem: 3400 kB
-Slab: 191064 kB
-SReclaimable: 125460 kB
-SUnreclaim: 65604 kB
-KernelStack: 2312 kB
-PageTables: 23528 kB
+AnonPages: 35924 kB
+Mapped: 15592 kB
+Shmem: 1128 kB
+Slab: 136348 kB
+SReclaimable: 83960 kB
+SUnreclaim: 52388 kB
+KernelStack: 752 kB
+PageTables: 3420 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
-CommitLimit: 5151716 kB
-Committed_AS: 973184 kB
+CommitLimit: 768232 kB
+Committed_AS: 116976 kB
VmallocTotal: 34359738367 kB
-VmallocUsed: 280772 kB
-VmallocChunk: 34359441168 kB
+VmallocUsed: 12116 kB
+VmallocChunk: 34359713232 kB
HardwareCorrupted: 0 kB
-AnonHugePages: 249856 kB
+AnonHugePages: 2048 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB
-DirectMap4k: 8192 kB
-DirectMap2M: 2088960 kB
+DirectMap4k: 7156 kB
+DirectMap2M: 1492992 kB
slabinfo - version: 2.1
# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
-bridge_fdb_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-fuse_request 0 0 632 6 1 : tunables 54 27 8 : slabdata 0 0 0
-fuse_inode 0 0 768 5 1 : tunables 54 27 8 : slabdata 0 0 0
-rpc_buffers 8 8 2048 2 1 : tunables 24 12 8 : slabdata 4 4 0
-rpc_tasks 8 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-rpc_inode_cache 8 8 832 4 1 : tunables 54 27 8 : slabdata 2 2 0
-hgfsInodeCache 1 6 640 6 1 : tunables 54 27 8 : slabdata 1 1 0
-AF_VMCI 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 8 : slabdata 0 0 0
-nf_conntrack_ffffffff8200cec0 11 26 304 13 1 : tunables 54 27 8 : slabdata 2 2 0
-fib6_nodes 22 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
-ip6_dst_cache 13 30 384 10 1 : tunables 54 27 8 : slabdata 3 3 0
-ndisc_cache 1 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-RAWv6 67 68 1024 4 1 : tunables 54 27 8 : slabdata 17 17 0
-UDPLITEv6 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-UDPv6 4 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
-tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 8 : slabdata 0 0 0
-request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-TCPv6 9 10 1856 2 1 : tunables 24 12 8 : slabdata 5 5 0
-jbd2_1k 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-avtab_node 502203 502416 24 144 1 : tunables 120 60 8 : slabdata 3489 3489 0
-ext4_inode_cache 74880 74880 1024 4 1 : tunables 54 27 8 : slabdata 18720 18720 0
-ext4_xattr 9 44 88 44 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_free_block_extents 32 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_alloc_context 28 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_prealloc_space 18 37 104 37 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_system_zone 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
-jbd2_journal_handle 32 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
-jbd2_journal_head 102 102 112 34 1 : tunables 120 60 8 : slabdata 3 3 0
-jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 8 : slabdata 1 1 0
-jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-dm_crypt_io 50 50 152 25 1 : tunables 120 60 8 : slabdata 2 2 0
-sd_ext_cdb 2 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
-scsi_sense_cache 22 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
-scsi_cmd_cache 23 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
-dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 8 : slabdata 0 0 0
-kcopyd_job 0 0 3240 2 2 : tunables 24 12 8 : slabdata 0 0 0
-io 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-dm_uevent 0 0 2608 3 2 : tunables 24 12 8 : slabdata 0 0 0
-dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 8 : slabdata 0 0 0
-dm_rq_target_io 0 0 392 10 1 : tunables 54 27 8 : slabdata 0 0 0
-dm_target_io 844 864 24 144 1 : tunables 120 60 8 : slabdata 6 6 0
-dm_io 828 828 40 92 1 : tunables 120 60 8 : slabdata 9 9 0
-flow_cache 0 0 96 40 1 : tunables 120 60 8 : slabdata 0 0 0
-uhci_urb_priv 6 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
-cfq_io_context 4 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
-cfq_queue 5 16 240 16 1 : tunables 120 60 8 : slabdata 1 1 0
-bsg_cmd 0 0 312 12 1 : tunables 54 27 8 : slabdata 0 0 0
-mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 8 : slabdata 1 1 0
-isofs_inode_cache 0 0 640 6 1 : tunables 54 27 8 : slabdata 0 0 0
-hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 8 : slabdata 1 1 0
-dquot 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-kioctx 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
-kiocb 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-inotify_event_private_data 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-inotify_inode_mark_entry 186 204 112 34 1 : tunables 120 60 8 : slabdata 6 6 0
-dnotify_mark_entry 1 34 112 34 1 : tunables 120 60 8 : slabdata 1 1 0
-dnotify_struct 1 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
-fasync_cache 6 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
-khugepaged_mm_slot 83 92 40 92 1 : tunables 120 60 8 : slabdata 1 1 0
-ksm_mm_slot 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-ksm_stable_node 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
-ksm_rmap_item 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-utrace_engine 0 0 56 67 1 : tunables 120 60 8 : slabdata 0 0 0
-utrace 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-pid_namespace 0 0 2120 3 2 : tunables 24 12 8 : slabdata 0 0 0
-nsproxy 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-posix_timers_cache 0 0 176 22 1 : tunables 120 60 8 : slabdata 0 0 0
-uid_cache 10 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
-UNIX 459 480 768 5 1 : tunables 54 27 8 : slabdata 96 96 0
-ip_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-UDP-Lite 0 0 832 9 2 : tunables 54 27 8 : slabdata 0 0 0
-tcp_bind_bucket 15 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
-inet_peer_cache 4 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
-secpath_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-xfrm_dst_cache 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
-ip_fib_alias 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-ip_fib_hash 10 106 72 53 1 : tunables 120 60 8 : slabdata 2 2 0
-ip_dst_cache 29 50 384 10 1 : tunables 54 27 8 : slabdata 5 5 0
-arp_cache 4 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-RAW 65 72 832 9 2 : tunables 54 27 8 : slabdata 8 8 0
-UDP 6 18 832 9 2 : tunables 54 27 8 : slabdata 2 2 0
-tw_sock_TCP 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-request_sock_TCP 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-TCP 20 24 1664 4 2 : tunables 24 12 8 : slabdata 6 6 0
-eventpoll_pwq 126 212 72 53 1 : tunables 120 60 8 : slabdata 4 4 0
-eventpoll_epi 126 180 128 30 1 : tunables 120 60 8 : slabdata 6 6 0
-sgpool-128 2 2 4096 1 1 : tunables 24 12 8 : slabdata 2 2 0
-sgpool-64 2 2 2048 2 1 : tunables 24 12 8 : slabdata 1 1 0
-sgpool-32 2 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
-sgpool-16 2 8 512 8 1 : tunables 54 27 8 : slabdata 1 1 0
-sgpool-8 15 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-scsi_data_buffer 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
-blkdev_integrity 0 0 112 34 1 : tunables 120 60 8 : slabdata 0 0 0
-blkdev_queue 29 30 2856 2 2 : tunables 24 12 8 : slabdata 15 15 0
-blkdev_requests 31 44 352 11 1 : tunables 54 27 8 : slabdata 4 4 0
-blkdev_ioc 5 48 80 48 1 : tunables 120 60 8 : slabdata 1 1 0
-fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
-fsnotify_event 0 0 104 37 1 : tunables 120 60 8 : slabdata 0 0 0
-bio-0 180 180 192 20 1 : tunables 120 60 8 : slabdata 9 9 0
-biovec-256 66 66 4096 1 1 : tunables 24 12 8 : slabdata 66 66 0
-biovec-128 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
-biovec-64 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-biovec-16 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0
+nf_conntrack_ffffffff81b18540 35 36 312 12 1 : tunables 54 27 0 : slabdata 3 3 0
+fib6_nodes 59 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+ip6_dst_cache 40 40 384 10 1 : tunables 54 27 0 : slabdata 4 4 0
+ndisc_cache 20 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0
+ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+RAWv6 4 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0
+UDPLITEv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+UDPv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 0 : slabdata 0 0 0
+request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0
+TCPv6 9 10 1920 2 1 : tunables 24 12 0 : slabdata 5 5 0
+jbd2_1k 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+avtab_node 551039 551088 24 144 1 : tunables 120 60 0 : slabdata 3827 3827 0
+ext4_inode_cache 36254 36888 1016 4 1 : tunables 54 27 0 : slabdata 9222 9222 0
+ext4_xattr 5 44 88 44 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_free_block_extents 16 67 56 67 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_alloc_context 16 28 136 28 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_prealloc_space 11 37 104 37 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_system_zone 0 0 40 92 1 : tunables 120 60 0 : slabdata 0 0 0
+jbd2_journal_handle 16 144 24 144 1 : tunables 120 60 0 : slabdata 1 1 0
+jbd2_journal_head 102 102 112 34 1 : tunables 120 60 0 : slabdata 3 3 0
+jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 0 : slabdata 1 1 0
+jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+scsi_sense_cache 2 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0
+scsi_cmd_cache 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
+dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 0 : slabdata 0 0 0
+kcopyd_job 0 0 3240 2 2 : tunables 24 12 0 : slabdata 0 0 0
+io 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+dm_uevent 0 0 2608 3 2 : tunables 24 12 0 : slabdata 0 0 0
+dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 0 : slabdata 0 0 0
+dm_rq_target_io 0 0 392 10 1 : tunables 54 27 0 : slabdata 0 0 0
+dm_target_io 576 576 24 144 1 : tunables 120 60 0 : slabdata 4 4 0
+dm_io 552 552 40 92 1 : tunables 120 60 0 : slabdata 6 6 0
+flow_cache 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0
+uhci_urb_priv 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0
+cfq_io_context 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0
+cfq_queue 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0
+bsg_cmd 0 0 312 12 1 : tunables 54 27 0 : slabdata 0 0 0
+mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 0 : slabdata 1 1 0
+isofs_inode_cache 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0
+hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 0 : slabdata 1 1 0
+dquot 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+kioctx 0 0 384 10 1 : tunables 54 27 0 : slabdata 0 0 0
+kiocb 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+inotify_event_private_data 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+inotify_inode_mark_entry 110 136 112 34 1 : tunables 120 60 0 : slabdata 4 4 0
+dnotify_mark_entry 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0
+dnotify_struct 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+dio 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0
+fasync_cache 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0
+khugepaged_mm_slot 17 92 40 92 1 : tunables 120 60 0 : slabdata 1 1 0
+ksm_mm_slot 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+ksm_stable_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+ksm_rmap_item 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+utrace_engine 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0
+utrace 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+pid_namespace 0 0 2168 3 2 : tunables 24 12 0 : slabdata 0 0 0
+posix_timers_cache 0 0 176 22 1 : tunables 120 60 0 : slabdata 0 0 0
+uid_cache 3 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0
+UNIX 107 110 768 5 1 : tunables 54 27 0 : slabdata 22 22 0
+ip_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+UDP-Lite 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0
+tcp_bind_bucket 9 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+inet_peer_cache 2 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+secpath_cache 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+xfrm_dst_cache 0 0 448 8 1 : tunables 54 27 0 : slabdata 0 0 0
+ip_fib_alias 1 112 32 112 1 : tunables 120 60 0 : slabdata 1 1 0
+ip_fib_hash 14 53 72 53 1 : tunables 120 60 0 : slabdata 1 1 0
+ip_dst_cache 26 30 384 10 1 : tunables 54 27 0 : slabdata 3 3 0
+arp_cache 6 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
+PING 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0
+RAW 2 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0
+UDP 1 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0
+tw_sock_TCP 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+request_sock_TCP 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+TCP 10 12 1728 4 2 : tunables 24 12 0 : slabdata 3 3 0
+eventpoll_pwq 59 106 72 53 1 : tunables 120 60 0 : slabdata 2 2 0
+eventpoll_epi 59 90 128 30 1 : tunables 120 60 0 : slabdata 3 3 0
+sgpool-128 2 2 4096 1 1 : tunables 24 12 0 : slabdata 2 2 0
+sgpool-64 2 2 2048 2 1 : tunables 24 12 0 : slabdata 1 1 0
+sgpool-32 2 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0
+sgpool-16 2 8 512 8 1 : tunables 54 27 0 : slabdata 1 1 0
+sgpool-8 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
+scsi_data_buffer 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0
+blkdev_integrity 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0
+blkdev_queue 28 28 2864 2 2 : tunables 24 12 0 : slabdata 14 14 0
+blkdev_requests 22 22 352 11 1 : tunables 54 27 0 : slabdata 2 2 0
+blkdev_ioc 3 48 80 48 1 : tunables 120 60 0 : slabdata 1 1 0
+fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0
+fsnotify_event 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0
+bio-0 120 120 192 20 1 : tunables 120 60 0 : slabdata 6 6 0
+biovec-256 34 34 4096 1 1 : tunables 24 12 0 : slabdata 34 34 0
+biovec-128 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0
+biovec-64 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+biovec-16 1 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
bip-256 2 2 4224 1 2 : tunables 8 4 0 : slabdata 2 2 0
-bip-128 0 0 2176 3 2 : tunables 24 12 8 : slabdata 0 0 0
-bip-64 0 0 1152 7 2 : tunables 24 12 8 : slabdata 0 0 0
-bip-16 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
-bip-4 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-bip-1 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-sock_inode_cache 666 685 704 5 1 : tunables 54 27 8 : slabdata 137 137 0
-skbuff_fclone_cache 42 42 512 7 1 : tunables 54 27 8 : slabdata 6 6 0
-skbuff_head_cache 302 450 256 15 1 : tunables 120 60 8 : slabdata 30 30 0
-file_lock_cache 38 44 176 22 1 : tunables 120 60 8 : slabdata 2 2 0
-net_namespace 0 0 2112 3 2 : tunables 24 12 8 : slabdata 0 0 0
-shmem_inode_cache 774 775 800 5 1 : tunables 54 27 8 : slabdata 155 155 0
-Acpi-Operand 4563 4664 72 53 1 : tunables 120 60 8 : slabdata 88 88 0
-Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 8 : slabdata 0 0 0
-Acpi-Parse 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-Acpi-State 0 0 80 48 1 : tunables 120 60 8 : slabdata 0 0 0
-Acpi-Namespace 3311 3312 40 92 1 : tunables 120 60 8 : slabdata 36 36 0
-task_delay_info 332 340 112 34 1 : tunables 120 60 8 : slabdata 10 10 0
-taskstats 5 12 328 12 1 : tunables 54 27 8 : slabdata 1 1 0
-proc_inode_cache 1008 1008 640 6 1 : tunables 54 27 8 : slabdata 168 168 0
-sigqueue 35 48 160 24 1 : tunables 120 60 8 : slabdata 2 2 0
-bdev_cache 32 36 832 4 1 : tunables 54 27 8 : slabdata 9 9 0
-sysfs_dir_cache 11356 11367 144 27 1 : tunables 120 60 8 : slabdata 421 421 0
-mnt_cache 37 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
-filp 4644 4700 192 20 1 : tunables 120 60 8 : slabdata 235 235 120
-inode_cache 6883 7308 592 6 1 : tunables 54 27 8 : slabdata 1218 1218 0
-dentry 61240 63960 192 20 1 : tunables 120 60 8 : slabdata 3198 3198 0
-names_cache 26 26 4096 1 1 : tunables 24 12 8 : slabdata 26 26 0
-avc_node 510 1239 64 59 1 : tunables 120 60 8 : slabdata 21 21 0
-selinux_inode_security 84206 86072 72 53 1 : tunables 120 60 8 : slabdata 1624 1624 0
-radix_tree_node 11606 11781 560 7 1 : tunables 54 27 8 : slabdata 1683 1683 0
-key_jar 11 20 192 20 1 : tunables 120 60 8 : slabdata 1 1 0
-buffer_head 221526 230214 104 37 1 : tunables 120 60 8 : slabdata 6222 6222 0
-vm_area_struct 12962 13034 200 19 1 : tunables 120 60 8 : slabdata 686 686 0
-mm_struct 145 145 1408 5 2 : tunables 24 12 8 : slabdata 29 29 0
-fs_cache 177 177 64 59 1 : tunables 120 60 8 : slabdata 3 3 0
-files_cache 162 165 704 11 2 : tunables 54 27 8 : slabdata 15 15 0
-signal_cache 208 208 1024 4 1 : tunables 54 27 8 : slabdata 52 52 0
-sighand_cache 201 201 2112 3 2 : tunables 24 12 8 : slabdata 67 67 0
-task_xstate 240 240 512 8 1 : tunables 54 27 8 : slabdata 30 30 0
-task_struct 306 306 2656 3 2 : tunables 24 12 8 : slabdata 102 102 0
-cred_jar 580 580 192 20 1 : tunables 120 60 8 : slabdata 29 29 0
-anon_vma_chain 7874 8162 48 77 1 : tunables 120 60 8 : slabdata 106 106 0
-anon_vma 5773 5888 40 92 1 : tunables 120 60 8 : slabdata 64 64 0
-pid 322 330 128 30 1 : tunables 120 60 8 : slabdata 11 11 0
-shared_policy_node 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-numa_policy 1 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
-idr_layer_cache 428 434 544 7 1 : tunables 54 27 8 : slabdata 62 62 0
+bip-128 0 0 2176 3 2 : tunables 24 12 0 : slabdata 0 0 0
+bip-64 0 0 1152 7 2 : tunables 24 12 0 : slabdata 0 0 0
+bip-16 0 0 384 10 1 : tunables 54 27 0 : slabdata 0 0 0
+bip-4 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0
+bip-1 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+sock_inode_cache 150 160 704 5 1 : tunables 54 27 0 : slabdata 32 32 0
+skbuff_fclone_cache 7 7 512 7 1 : tunables 54 27 0 : slabdata 1 1 0
+skbuff_head_cache 66 105 256 15 1 : tunables 120 60 0 : slabdata 7 7 0
+file_lock_cache 21 22 176 22 1 : tunables 120 60 0 : slabdata 1 1 0
+net_namespace 0 0 2432 3 2 : tunables 24 12 0 : slabdata 0 0 0
+shmem_inode_cache 654 655 784 5 1 : tunables 54 27 0 : slabdata 131 131 0
+Acpi-Operand 1211 1219 72 53 1 : tunables 120 60 0 : slabdata 23 23 0
+Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 0 : slabdata 0 0 0
+Acpi-Parse 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+Acpi-State 0 0 80 48 1 : tunables 120 60 0 : slabdata 0 0 0
+Acpi-Namespace 407 460 40 92 1 : tunables 120 60 0 : slabdata 5 5 0
+task_delay_info 102 102 112 34 1 : tunables 120 60 0 : slabdata 3 3 0
+taskstats 0 0 328 12 1 : tunables 54 27 0 : slabdata 0 0 0
+proc_inode_cache 408 408 656 6 1 : tunables 54 27 0 : slabdata 68 68 0
+sigqueue 9 24 160 24 1 : tunables 120 60 0 : slabdata 1 1 0
+bdev_cache 31 32 832 4 1 : tunables 54 27 0 : slabdata 8 8 0
+sysfs_dir_cache 7588 7614 144 27 1 : tunables 120 60 0 : slabdata 282 282 0
+mnt_cache 27 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0
+filp 840 840 192 20 1 : tunables 120 60 0 : slabdata 42 42 0
+inode_cache 5826 5826 592 6 1 : tunables 54 27 0 : slabdata 971 971 0
+dentry 189540 189540 192 20 1 : tunables 120 60 0 : slabdata 9477 9477 0
+names_cache 1 1 4096 1 1 : tunables 24 12 0 : slabdata 1 1 0
+avc_node 572 708 64 59 1 : tunables 120 60 0 : slabdata 12 12 0
+selinux_inode_security 43319 46799 72 53 1 : tunables 120 60 0 : slabdata 883 883 0
+radix_tree_node 3018 3598 560 7 1 : tunables 54 27 0 : slabdata 514 514 0
+key_jar 5 20 192 20 1 : tunables 120 60 0 : slabdata 1 1 0
+buffer_head 24452 25493 104 37 1 : tunables 120 60 0 : slabdata 689 689 0
+nsproxy 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+vm_area_struct 2565 2565 200 19 1 : tunables 120 60 0 : slabdata 135 135 0
+mm_struct 40 40 1408 5 2 : tunables 24 12 0 : slabdata 8 8 0
+fs_cache 59 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+files_cache 44 44 704 11 2 : tunables 54 27 0 : slabdata 4 4 0
+signal_cache 91 91 1088 7 2 : tunables 24 12 0 : slabdata 13 13 0
+sighand_cache 90 90 2112 3 2 : tunables 24 12 0 : slabdata 30 30 0
+task_xstate 48 48 512 8 1 : tunables 54 27 0 : slabdata 6 6 0
+task_struct 96 96 2656 3 2 : tunables 24 12 0 : slabdata 32 32 0
+cred_jar 240 240 192 20 1 : tunables 120 60 0 : slabdata 12 12 0
+anon_vma_chain 1795 2079 48 77 1 : tunables 120 60 0 : slabdata 27 27 0
+anon_vma 1209 1380 40 92 1 : tunables 120 60 0 : slabdata 15 15 0
+pid 107 120 128 30 1 : tunables 120 60 0 : slabdata 4 4 0
+shared_policy_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+numa_policy 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0
+idr_layer_cache 281 287 544 7 1 : tunables 54 27 0 : slabdata 41 41 0
size-4194304(DMA) 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
size-4194304 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
size-2097152(DMA) 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0
size-262144(DMA) 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
size-262144 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
size-131072(DMA) 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0
-size-131072 1 1 131072 1 32 : tunables 8 4 0 : slabdata 1 1 0
+size-131072 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0
size-65536(DMA) 0 0 65536 1 16 : tunables 8 4 0 : slabdata 0 0 0
size-65536 2 2 65536 1 16 : tunables 8 4 0 : slabdata 2 2 0
size-32768(DMA) 0 0 32768 1 8 : tunables 8 4 0 : slabdata 0 0 0
size-32768 3 3 32768 1 8 : tunables 8 4 0 : slabdata 3 3 0
size-16384(DMA) 0 0 16384 1 4 : tunables 8 4 0 : slabdata 0 0 0
-size-16384 12 12 16384 1 4 : tunables 8 4 0 : slabdata 12 12 0
+size-16384 7 7 16384 1 4 : tunables 8 4 0 : slabdata 7 7 0
size-8192(DMA) 0 0 8192 1 2 : tunables 8 4 0 : slabdata 0 0 0
-size-8192 27 27 8192 1 2 : tunables 8 4 0 : slabdata 27 27 0
-size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 8 : slabdata 0 0 0
-size-4096 425 425 4096 1 1 : tunables 24 12 8 : slabdata 425 425 0
-size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
-size-2048 573 578 2048 2 1 : tunables 24 12 8 : slabdata 289 289 0
-size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-size-1024 1340 1340 1024 4 1 : tunables 54 27 8 : slabdata 335 335 0
-size-512(DMA) 0 0 512 8 1 : tunables 54 27 8 : slabdata 0 0 0
-size-512 1123 1176 512 8 1 : tunables 54 27 8 : slabdata 147 147 0
-size-256(DMA) 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-size-256 930 930 256 15 1 : tunables 120 60 8 : slabdata 62 62 0
-size-192(DMA) 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-size-192 2119 2160 192 20 1 : tunables 120 60 8 : slabdata 108 108 0
-size-128(DMA) 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-size-64(DMA) 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-size-64 33093 40887 64 59 1 : tunables 120 60 8 : slabdata 693 693 0
-size-32(DMA) 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-size-128 3921 4800 128 30 1 : tunables 120 60 8 : slabdata 160 160 0
-size-32 332389 332976 32 112 1 : tunables 120 60 8 : slabdata 2973 2973 0
-kmem_cache 191 191 32896 1 16 : tunables 8 4 0 : slabdata 191 191 0
+size-8192 12 12 8192 1 2 : tunables 8 4 0 : slabdata 12 12 0
+size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 0 : slabdata 0 0 0
+size-4096 119 119 4096 1 1 : tunables 24 12 0 : slabdata 119 119 0
+size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0
+size-2048 200 200 2048 2 1 : tunables 24 12 0 : slabdata 100 100 0
+size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+size-1024 578 588 1024 4 1 : tunables 54 27 0 : slabdata 147 147 0
+size-512(DMA) 0 0 512 8 1 : tunables 54 27 0 : slabdata 0 0 0
+size-512 608 608 512 8 1 : tunables 54 27 0 : slabdata 76 76 0
+size-256(DMA) 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+size-256 815 825 256 15 1 : tunables 120 60 0 : slabdata 55 55 0
+size-192(DMA) 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0
+size-192 1253 1260 192 20 1 : tunables 120 60 0 : slabdata 63 63 0
+size-128(DMA) 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+size-64(DMA) 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+size-64 23094 25783 64 59 1 : tunables 120 60 0 : slabdata 437 437 0
+size-32(DMA) 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+size-128 3271 3450 128 30 1 : tunables 120 60 0 : slabdata 115 115 0
+size-32 352497 352576 32 112 1 : tunables 120 60 0 : slabdata 3148 3148 0
+kmem_cache 183 183 32896 1 16 : tunables 8 4 0 : slabdata 183 183 0
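Review bot: The re-captured slabinfo fixture adds the cache name "nf_conntrack_ffffffff81b18540", whose hex suffix looks like a kernel pointer value from the machine the snapshot was taken on. Unless a test depends on that exact string, replace the suffix with a fixed placeholder before committing so the fixture does not carry host-specific addresses. Nearly every other line in this hunk is rewritten only because the third tunables field went from 8 to 0 and the object counts differ, alongside newly listed caches such as ext4_inode_cache and jbd2_journal_head. That points to a capture from a different system, and saying so in the commit message (which host class, why it was refreshed) would make this churn reviewable.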
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
- lo:267102759 105357 0 0 0 0 0 0 267102759 105357 0 0 0 0 0 0
- eth0:1013761672 1354551 0 0 0 0 0 0 245537245 966850 0 0 0 0 0 0
- pan0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ lo: 5243413 23981 0 0 0 0 0 0 5243413 23981 0 0 0 0 0 0
+ eth0:25468831 318944 0 0 0 0 0 0 2048323 16057 0 0 0 0 0 0
+ eth1: 1386465 18973 0 0 0 0 0 0 95634 1485 0 0 0 0 0 0
subject=/O=example.net/CN=clica Signing Cert
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.net/CN=clica CA
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
-iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired1.example.net
- localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37
+ localKeyID: 95 17 AC C5 EF E3 7C 42 C9 E2 14 CF CC CA 19 19 06 2B F6 6C
subject=/CN=expired1.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb
-Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
-bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI
-757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired1.example.net
- localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37
+ localKeyID: 95 17 AC C5 EF E3 7C 42 C9 E2 14 CF CC CA 19 19 06 2B F6 6C
subject=/CN=expired1.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb
-Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
-bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI
-757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA==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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw\r
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY\r
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a\r
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit\r
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw\r
+MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo\r
+cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e\r
+RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW\r
+7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ\r
+ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh\r
+XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired1.example.net
- localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37
+ localKeyID: 95 17 AC C5 EF E3 7C 42 C9 E2 14 CF CC CA 19 19 06 2B F6 6C
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEobdAguY51UCAggA
-MBQGCCqGSIb3DQMHBAjyQJzMIkx+swSCAWBoW5JocLm3XvmW7cnK8Np23KqUs4ST
-MG68rJY6pLqdGkn8aK0yZfecdpuHoFCZRdxQy9ztdofB50tkr7evlTuM1u40/9b0
-ygZ9ajxESZmF5mS8r6dFGXOBq7UrMpEvod1lujpP3hwtkqJOlPFhacPUestqDjP4
-zDmEmKQYyRx4DQ3QM4T2Wuc1S8TSECcMLsOgZhOxGULIzmtxceftS/V9NYewZsne
-Q05TKH7ygWGvUyYEgDlFlBAk8CAiqIBBz3fU2bmWfR5p6hoSTqGeLlAL7fTid8Vf
-g4HEfthygRC28+s5r/MbMBJKwTdRHnQbmK4rOxFUhYCkV8Df28Ukx/RaA9CKjbQl
-2fnuTRAms72szZRoKsdS3xVgyaOdgdhVJKWP2QAUvzblX/wpKr9BwrbqIhXOqEiv
-9/yCVqUg20sjNvYyw/2Zv9t+g9u3d5CMyU37e8AT8X3DExmpleiOdX4J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-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: expired1.example.net
- localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37
+ localKeyID: 95 17 AC C5 EF E3 7C 42 C9 E2 14 CF CC CA 19 19 06 2B F6 6C
subject=/CN=expired1.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb
-Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
-bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI
-757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA==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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBAPi16o7+TZ0VtjpSlsmGB/GRWxY+MQHYOKkmtViv8JVFHaUJXRs6
-Q7qvwc7skHSY6db0p6oSo38c9Hn/cSYnr3cCAwEAAQJBAK1O9tgV1Te1PXp+upxL
-TZXD2FkzlSrX5QPZ+VyHnXolg8XNhx2pA1J4iJrnvooWQRZuWRhi/p8g2ygJ8B6I
-60ECIQD/cO5OrdRWg3EBgoCWN7WAZ53qMmSRxAnMt95W5yujGQIhAPlBNzbQr2Z7
-DVvwCc2ERxuaFGTcLZH/x+oRhZ9jr0kPAiB/79froDSRgBPBZdNxaUWGol79RXAJ
-cd5WomDBtdatQQIgAVyP1qbRLnghnIz1IMBGOypeTia9wPxqtSafWj2LKZUCID/d
-8buaLYm3yYYAQwbTBtb89+gpRg0I51DFS6fNIuU4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-----END RSA PRIVATE KEY-----
subject=/O=example.net/CN=clica Signing Cert
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.net/CN=clica CA
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
-iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired2.example.net
- localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC
+ localKeyID: 4C 57 EE 41 10 81 8F 15 98 AD 20 D9 85 06 8B 7D A2 3A 4D 05
subject=/CN=expired2.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj
-3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
-cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0
-1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired2.example.net
- localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC
+ localKeyID: 4C 57 EE 41 10 81 8F 15 98 AD 20 D9 85 06 8B 7D A2 3A 4D 05
subject=/CN=expired2.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj
-3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
-cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0
-1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s=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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw\r
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY\r
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a\r
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit\r
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw\r
+MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo\r
+cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e\r
+RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW\r
+7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ\r
+ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh\r
+XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired2.example.net
- localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC
+ localKeyID: 4C 57 EE 41 10 81 8F 15 98 AD 20 D9 85 06 8B 7D A2 3A 4D 05
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIU+oGNqBSHjcCAggA
-MBQGCCqGSIb3DQMHBAjYaI7Iob+lDASCAWDAZIbvl/AbphvMZhynrCFGzj6iN309
-N+U1mQPGWD6hisPfA4aTpIQyHtVah6KCE1fbzGFgiNULsfByVj4XBRbetiVKMuWA
-xs/EEcPhNRG0KOeRxzDtSpM0lG078XAC4p7wgqvhf4R9524Vq4PpYzt+tKfh0rPC
-leF7VFJ5vi7Tms7q1wqtL76Wgibq4m43XoFrYMbQL2qbXl98rRAP6R6u852f4L/D
-Cy1EGsgWIdGjCPQRxdwC0Vf1vIjaspXBmVhbFJR9Djp48DShbAO11cXRSIligH6t
-7p+aesQM/illunmCaMzMYFAjdrMYZEO1bqVdU5Nd7/tlQQLgHSdo+iD6XLnci7dw
-elQ9bRxYVMEDX16kTXd4NU6xP0Zpac5XHu4ji2PKlSOSxQh5GbPICXdEH7K/Oshv
-CUIZbYnlGsOT2uFgnChtUeIwc6OXcSv3LLXIwzg0ec7yN83j0r3jQRQx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-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: expired2.example.net
- localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC
+ localKeyID: 4C 57 EE 41 10 81 8F 15 98 AD 20 D9 85 06 8B 7D A2 3A 4D 05
subject=/CN=expired2.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj
-3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
-cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0
-1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s=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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBAMRPNIrjXhmHfWrc/c+K9esj3cXECi38lpKgZyhqN8CjRvifIaMo
-ZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUCAwEAAQJAOCkksfs8B3ewlKrmXcK2
-ee/H2XUtKFzTwtzqxjAlBRHwxgSOZr4rn10t+R4j6cvLqhfbXGu0p+1oGgFCYAe6
-/QIhAOU/L1TRGgE1Q0gR+BSyWTlHNSXu1wmy0j/nVSk1fb2bAiEA2zgBX7vxRt1M
-d7AKLfqjpMKolmMUyWNQdGFI/+Ch0K8CIHsFMkAgygS18XoecnOg1bKgHMxTZEBH
-Hv6+BHxNwUFbAiBpXA98/Y1G69F2rMsXsiC4bT4tmU1CRVNDvAYjxMjAzQIhAOHO
-1ynQHqtSfjlkpZtcNqey2SlcqXz7xI/aEXVYj5Q4
+MIICXQIBAAKBgQDXEgubmOBQOTfeVoMKVTyqO7QB9NUL0gMxPgF/Cv+r14dpuAEM
+mzB5w0waANwVyJ3RHeqMCx9uHCLpk37W2LSIsx3j74Oz6Plyh+vac3HDv6Z2Tape
+tEiwTz/XaaObAaU3WHt2pIpPkju8xlqPs9tgzD8i3VMZqSQMC+8+HMGELwIDAQAB
+AoGBAKfLeWj1FhUg/xilkGkwZTs/h0p7dPha6oixosM2lpDAf/KYT6FBNsnY9/fV
+seAA/DfZylNmnifvJcHshGok+nu6VjWekae6GP5U3HiOIThNqJRt4iky5q8Q2RKM
+I29fTeOWPeYHXy/YpLuAF+ZuTTCkc/WzN9o29/8xN1SrONfRAkEA8QiBbyOnhNh7
+6e4z0rXtbI88muLGs+S27pokTf5YlZbyLuNS9cJgvkafX7mA2n6fc4aatppUC/np
+WZ+s/U4KqQJBAORs1TUIQ3yStul6gc9sO5YuhXaQyNO3RYR5kCzDgfbKmXm2/+c2
+AVLgKTAJ3yOGL7ZLPmk2rzg6Pc6XX826dxcCQHTL51SAlXNFJ75yg8AuEg+R1Q9E
+pn6TbKVwIfl9L1XFYDOiShf2icSKGj5beHnn88IaTqv/Woy3HAEm47+W6okCQDZ8
+44rn8rk3ghxFlct1xOz5Ier7dHxUPmfwW3ziEhFdmKiZB4gOsNglEo4b/LdLnfv9
+DOEqIzflZLLwFvFLJncCQQCdNUfRNBWn832WkGQHIwvMpMq3vjwyVUCPOq8Hz9jK
+cDNuKQfw8/ZbH/IRDqgTsSWUDoZlIj3CTGeygPYEfGTg
-----END RSA PRIVATE KEY-----
subject=/O=example.net/CN=clica Signing Cert
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.net/CN=clica CA
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
-iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw
+MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7
+lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO
+HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x
+XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb
+bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca
+o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h
+VAtQ+ux57x052IuOi9FtrqVR
-----END CERTIFICATE-----
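Review bot: the replacement RSA PRIVATE KEY block for expired2.example.net (the 13 added lines starting MIICXQIBAAKBgQ) is committed unencrypted, and nothing in the patch says how the fixture set was regenerated. The DER prefix shows the key going from a 512-bit modulus (removed lines, MIIBOgIBAAJBAM) to 1024 bits, while the added CA certificate still carries the sha1WithRSAEncryption identifier (the MA0GCSqGSIb3DQEBBQUAA4GB run). Please record the generating command, the intended key size and the digest next to these files or in the commit message, and state there that the keys are test-only, so the next regeneration is reproducible and the material is not mistaken for something deployable.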
Bag Attributes
friendlyName: revoked1.example.net
- localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5
+ localKeyID: C6 B2 B8 34 FA C7 C9 8E E1 B8 07 7F B4 BD 83 C0 75 0F 5D F4
subject=/CN=revoked1.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l
-FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
-bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ
-4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked1.example.net
- localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5
+ localKeyID: C6 B2 B8 34 FA C7 C9 8E E1 B8 07 7F B4 BD 83 C0 75 0F 5D F4
subject=/CN=revoked1.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l
-FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
-bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ
-4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw==
+MzQxMloXDTM4MDEwMTEyMzQxMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
+ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANpxOtIHAc+C9AgJudRl
+8x4gNYbKoNoAM5nzCNv7ou3KKh05w3BwBPsbEl88KWOpiEc3CbLYFZva5z34A4Gf
+cwMYHjqWWThXOe4L06C3fTWT4oQM4906KloEPHFrIWyyVbFuhVpoyR/wC/BwJqCx
+Mc2fMUGwN1YAFJUKxUZR62NzAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
+A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
+hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
+KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm5ldC8wHwYDVR0R
+BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQEFBQADgYEAoB/8
+WmtU0/qjy0TglfTk+etUveul1GHAKdpBxq9UkVKWxQZrek9TFHpMTnlEUZpSS5PO
+1lXj9VckDNThQROcGg+bL9p6ZXeb7pOIY16TFyjycjhRPyukIprcoBvDyCoMH29y
+PrtI7xLKj4UBZEoJf7/+BKV24Nk7V8yAvCI8tYM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw\r
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY\r
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a\r
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit\r
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw\r
+MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo\r
+cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e\r
+RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW\r
+7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ\r
+ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh\r
+XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0=
-----END CERTIFICATE-----
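Review bot: the added certificate lines in this chain block end in a carriage return (shown as \r), except for the last base64 line and the BEGIN/END markers, so the file mixes CRLF and LF line endings just as the removed version did. Since the block is being regenerated anyway, normalise it to LF like the other certificate blocks in this patch, so that later diffs of this file show only real content changes.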
Bag Attributes
friendlyName: revoked1.example.net
- localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5
+ localKeyID: C6 B2 B8 34 FA C7 C9 8E E1 B8 07 7F B4 BD 83 C0 75 0F 5D F4
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQITLxrgeizo7ACAggA
-MBQGCCqGSIb3DQMHBAiR0pknm91lSASCAWAoe8AKx1R5elFbE1FAZaGyPjegmgc5
-qFLKuVzK43OMKRphZJPKRSa12rzz40qRozJItXiDNL1+qt+IbOirtUlvvKu+5cdC
-oHQgSjA58Is1DN6f+OqD7v7S1ZdXrtyMmtvaHLfjsgX7f9acq8Q7OrcdVcJksVRL
-7yCULtR0NRxG+elh5lF9SNY+1f8Hee/dfP3LmyE+leO5ECfOWcIFLBCjLbdmMQFf
-lIodgPiy1qjuGwuXZQy/3s1tZ4p2R6dQ7FrPWCyDAxkd/Vw5+BWZ/UJD8GDKtvLL
-E9lyYuUg7KUaWiSSdsHmXMyrs+xdW+1GHqAVkuJqjWR2nxtXBDQ7GIaDfZr7nosR
-OR5ABpVtZ0eAiJz7qX3WjxtoQJ/7RRPYOnINzyRVgHHHVekyFdYd1OiQDgVoh+08
-HOOA6ZbXLyOCGqh5Syp0RAn7d8qSfX/Z8l6wnxblNG16noDPRbNGf9rU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-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: revoked1.example.net
- localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5
+ localKeyID: C6 B2 B8 34 FA C7 C9 8E E1 B8 07 7F B4 BD 83 C0 75 0F 5D F4
subject=/CN=revoked1.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l
-FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
-bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ
-4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw==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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOwIBAAJBAK9tGxlKa6V3UBpZPxVvkSdfZRWf/7JRcrBXhtzxFY1Ywp77KMQR
-WSRVcnx4csU71WHaAugVWX7PR0QI4GbgSJkCAwEAAQJAMvRiFqqDMgDCB6U8qaFK
-bEFNP0bGIql9wrLpvWtZc0CFyhV6LSjMBQSQp92r1tMlB4NKQ7leLb7XXgrPRswY
-AQIhANW94AFeO6+yIhd1OQuizl8SBQwCi0gvlMqsrf3kyDrZAiEA0hv3G/VQWPKY
-n/wikupIE/8jbJvLWLRYYWn6eGg6Y8ECIQC7RN0a1cFdsqkD/IS6mS5PRa5+U0xN
-NsMawCjBps14IQIhAL24JLypGSEIBYrIl8uDIwxzYGBMmSQCzJ9Bm7onmznBAiAe
-YGSy1e3Vji/YwZGuEyGrVl+BEIQ1p0vUgRZ7aEpVpQ==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-----END RSA PRIVATE KEY-----
subject=/O=example.net/CN=clica Signing Cert
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.net/CN=clica CA
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
-iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw
+MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7
+lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO
+HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x
+XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb
+bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca
+o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h
+VAtQ+ux57x052IuOi9FtrqVR
-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked2.example.net
- localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97
+ localKeyID: 70 BF 9C CD 8D 0C AB 91 82 4D 75 C2 EF AF DC 82 97 0B 7D 55
subject=/CN=revoked2.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J
-hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
-cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/
-ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70=
+MjM0MTNaFw0zODAxMDExMjM0MTNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
+bGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNFaI/6qFhbiFFb+jO
+60Qfp6d0KH7PKnxI1rmCQw24g4y2HyQ7cgT26mXQr3gsxj5bnRCKB9uG7DpJ1RaY
+QVvVUApFdIHnLExVjNynwvKaNMZNwb6HVPVfjUTwwPdSgLxTRU2xAAmkIrbFUPuP
+vhAbcmNKmq7hjr7AVHxNI4XnDwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg
+BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg
+I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB
+BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1Ud
+EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBBQUAA4GBAGEv
+YIEr7x4/jtbVZHfcVk369td5KZdrozHyaZOAhluUX9Q3qHpWuubeBJ/GjiJkLMGC
+v5Px5F8yI0RQmQOOxeu4vINhL1dIbksPn7oxaWpPlx+40Tuub0qQlJYyPzXSYhv0
+dcScT5CK2e0GGzk7pEwT+S7WZNtFzeeOd6gOR9dE
-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked2.example.net
- localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97
+ localKeyID: 70 BF 9C CD 8D 0C AB 91 82 4D 75 C2 EF AF DC 82 97 0B 7D 55
subject=/CN=revoked2.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J
-hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
-cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/
-ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70=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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw\r
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY\r
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a\r
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit\r
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw\r
+MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo\r
+cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e\r
+RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW\r
+7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ\r
+ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh\r
+XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked2.example.net
- localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97
+ localKeyID: 70 BF 9C CD 8D 0C AB 91 82 4D 75 C2 EF AF DC 82 97 0B 7D 55
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIfHUUKZHRP88CAggA
-MBQGCCqGSIb3DQMHBAiGHts1xOcjYASCAWA+TB8P6+MMx7kHWAIrO7eIwxXI/ivw
-gKWa/XVFtZeZcBYCdjR0Ubfsv3emeWtZ72badVNNOgbUqaMsTraqYePGS9fVIk8e
-Pn3PjKdd7rODvSTN647CrN6ng0x1yYW/RVo5v5CnoantSojUY5eNhO+iSGPFgbvj
-h8s0uKZ3+KxlySpIJX9RU/LJQUfrdCAGkdIuPEi4graL8Z9pjyORqppYNCI+u+VG
-m76zMJq9vxBcn6v3/DpVCFL7gokwD0GgMtWtTeXiP1Yn92dsn3DPVNI/ieE1ogJs
-8WVWmTNBm0UuN0GiUWqQUXv3cqFpNArL/BObHJGWyHObUz3FgDpkP4crmhrFN2Ao
-cT34tYaN9SGfoYA+MI2DqKQ0M8aGBvbL5CVGqJqWiVB71jG+JsdS0Q+7K5JQ5d/O
-xiynUVJ8FhZBQshqPXAkPD8lOeFQ2QZp53RUSlI3d04Cy8FAZr3HzqEZ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-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: revoked2.example.net
- localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97
+ localKeyID: 70 BF 9C CD 8D 0C AB 91 82 4D 75 C2 EF AF DC 82 97 0B 7D 55
subject=/CN=revoked2.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J
-hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
-cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/
-ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70=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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOwIBAAJBAMj2mEnZY8N38XJ5ZLTymH2JhBNiubBU4ddvVQ0y48E/b5fbYwJI
-458bKgyNhqQtO/MG15oIndFpbazcp1p8++8CAwEAAQJAdkDE9A+7qLXXmejc3a0z
-FgvpcA7T/XK1QjP89DtR0dAbM0tLdWyhshLNcNSW6urwYKkPmw7jPmW1wC14/Ob3
-IQIhAOg4d+nA1BNR2+L2dDJhdTPWzVWERwsMaBVMsKYg8TbjAiEA3Yq7xYMK0aNU
-XTvzTnmr+y51Ce5BQK9U2q/B1kyIKIUCIDQZ902K5govo5YYlZl4JEOtPgSh2Q6x
-iei9fCTJ31ThAiEAg28IQYCiDYeJyJqFmZwjxSxlsVORkO+0Nt2o8RuMeAUCIQCj
-IPd5zjwu8dkolqvof1uMm3An3YhSLWSlJK1BSAk2Yw==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-----END RSA PRIVATE KEY-----
subject=/O=example.net/CN=clica Signing Cert
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.net/CN=clica CA
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
-iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: server1.example.net
- localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7
+ localKeyID: EF E6 02 06 86 D6 C6 E5 49 FA 05 3D AA 45 2E FE A4 7E 79 E6
subject=/CN=server1.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs
-RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB
-AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
-bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
-Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
-Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9
-5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: server1.example.net
- localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7
+ localKeyID: EF E6 02 06 86 D6 C6 E5 49 FA 05 3D AA 45 2E FE A4 7E 79 E6
subject=/CN=server1.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs
-RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB
-AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
-bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
-Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
-Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9
-5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ=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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw\r
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY\r
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a\r
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit\r
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw\r
+MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo\r
+cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e\r
+RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW\r
+7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ\r
+ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh\r
+XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: server1.example.net
- localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7
+ localKeyID: EF E6 02 06 86 D6 C6 E5 49 FA 05 3D AA 45 2E FE A4 7E 79 E6
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQItqv8KkyfDOECAggA
-MBQGCCqGSIb3DQMHBAi+cLfRJYwdhASCAWDijpItKwM1N1Tk9po65/Et0DLcJt8h
-UNc26UWxg4uGMcbyHJv5+OZDhAjla1GwFLBZDQwCsnvwfjHfpwFpSx4Mxj4SMGrx
-YCwSB8smLl5cZNJpm2N3JVlrX/ZHR1plwtVccOf9Ry7MFoyj9YcXTs9N39zmpYDD
-Oi81eD2CzGEP2NqyycJK3Fu0OMUNT5RYHF7Nja6mGjzyul8rDPHPOcwQ0CCEHUmF
-3FaMqji+aCpJ+BeFwcVYZjiuQx4ajKXnu8g4KEa1S59KgSRiAdL8Ih1dN5qrDJB5
-dDTo37DneR1RkudMs2OcbMnbhyWQZ/AhfUqqFM7NLnDSVwhUtL9kPzjqIA1+l9V6
-27ANditdhs3fS6026sC3MMJRrPXmZGU3GuItxi1hU/CjiCb54VsK8MEhWpzU6QiS
-+UXkPYKauZKsGtfn0sI8ZUCEyo2vF79KAIGK6DYQ6dIOmjvKqz2xgng/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-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: server1.example.net
- localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7
+ localKeyID: EF E6 02 06 86 D6 C6 E5 49 FA 05 3D AA 45 2E FE A4 7E 79 E6
subject=/CN=server1.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs
-RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB
-AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
-bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
-Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
-Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9
-5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ=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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBAMK03ZjRLihE6eV+RN5QfZQtRWxFKEAgp3GVdGj4XT2sQHM0oo0L
-hlYiv6lzxT6JDMYZOKIJN96r1sjRR5/Xj3cCAwEAAQJAYR333g6QeFOPWwH1dfIu
-ASfnlc6U+g+PlY8XhnhDgcu2le3IQuOaI0sw/X0vZdhEKJpDHJ1hKGxIQpOB2R/P
-EQIhAPUMh9+sUsZSnNbhEggO8h6F4TeLoAVJNzUtW5UvmBgvAiEAy2hlFkLXlP0t
-VYwmNqyCs8Jhf0SIrnhPw3ynJhxgYzkCIQDlHd48yAZs3/k9ABu35SGEYHD/WlE4
-IAi6c7pZdrKiiQIgEH48hBuTY29L973Pc2t1haHjSfCCrLLwtMcsvnhakHECIEuy
-0/MQz7IYZNJ7g36j3jjv8vFkAdDCGyKzuMGLoq9p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-----END RSA PRIVATE KEY-----
subject=/O=example.net/CN=clica Signing Cert
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.net/CN=clica CA
issuer=/O=example.net/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw
-MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2
-iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: server2.example.net
- localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56
+ localKeyID: A4 A7 36 66 9C 5A FC 72 B7 08 6B 0B 9F 20 62 78 D8 DF 1D 98
subject=/CN=server2.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE
-GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID
-AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
-ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz
-mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki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-----END CERTIFICATE-----
Bag Attributes
friendlyName: server2.example.net
- localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56
+ localKeyID: A4 A7 36 66 9C 5A FC 72 B7 08 6B 0B 9F 20 62 78 D8 DF 1D 98
subject=/CN=server2.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE
-GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID
-AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
-ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz
-mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw\r
-MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY\r
-392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a\r
-d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit\r
-Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw\r
+MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo\r
+cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e\r
+RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW\r
+7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ\r
+ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh\r
+XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: server2.example.net
- localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56
+ localKeyID: A4 A7 36 66 9C 5A FC 72 B7 08 6B 0B 9F 20 62 78 D8 DF 1D 98
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQId2/8mqWfInACAggA
-MBQGCCqGSIb3DQMHBAgvDNlX6TpnZQSCAWD27NSWhbC88NONthVEEIHARSoUieXl
-Hsker9qC52voq+kSQf4sFmifD9SgestoXFoxBOWi4mnO2uwUqu/yC3Igrr0DE0VH
-zXapBoEbd7Yr4y5BN7M5+oQPGjxCUocP3Bp9dxvo5T3lFLtmaBvdBucVHvn6UqzX
-uUZw3O1LdoMm6PqZXBh8vzhapYq5I5oMOhWJsJrauSfXaBJObeo3MgFF6WfUQlnI
-fR/O7uJ00t+ArvdkQVIDT70FWWAFvt9DDtVIUcva8BfiGEjPjqso0tElTzPRqRrs
-WmS1jn1Lf/EVaVSOIIecjHodxeA7R/vMlG+5U/PcgfeYMEFyn0Aj/tUvdR6tTAUy
-1K5zFEGG5YCY2e0HmVyc/qvOoSPwi7f8eJEziTuv2nXlPrjd74OcGn1ffXyMeDZ6
-gDAQB9pe/7m9OZ9MAxuak4DEyFMdNJTFJ3il0ILAi8R2GOGA+TVSrGAT
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: server2.example.net
- localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56
+ localKeyID: A4 A7 36 66 9C 5A FC 72 B7 08 6B 0B 9F 20 62 78 D8 DF 1D 98
subject=/CN=server2.example.net
issuer=/O=example.net/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE
-GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID
-AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
-ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz
-mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki
+MjM0MTNaFw0zODAxMDExMjM0MTNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwP/FMqk/TKRQWwWsmz
+rt0QEKGC8M+3ot5LrXijR1RD9DTSSCDB6tI9J4s3rpM8jYZN2in/844/zHaZPHLe
+sM5/YLBWQD0YGy6eJUA+Ym/ySV0VTVZTwHwC78TvjETq1BRvi9fTNBp5P5CBN08L
+7QA5ebrmrLdpUNmjSRXqQc6ZAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG
+A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
+hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
+KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0R
+BBcwFYITc2VydmVyMi5leGFtcGxlLm5ldDANBgkqhkiG9w0BAQUFAAOBgQAO/PIL
+r1x6F86iuKP1ww7Gb/fG9KoRVdijXvwFKurrTGLlK9gq0+w+j+vxMIBW+UeeXpRt
+JY/231AhPwxvMR4/MYQLrZUmtYO/FCIIdkjDFkt4wGszxEYSn5Ks94PftsJGrEm2
+yjc1w7gnzx2ybtYRZnpaTgOaWaYepc6wnfXXvw==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBAKF7selnVCucau8PnjAhaNohBBglGKZqnOB+gJoMZoJRH653ZyjL
-/3y0SaTFDHuuWtnyD3TGmTurl/3wQ2EnlI8CAwEAAQJAGXXkRjWperrNzWV7/oC2
-BHZiK+Blc4+prmejpSZBX1hk5XFL8vMx3H1yYnYj3LLr2MzuZ7W410GXBvZkfOy5
-uQIhANSjR5qV2dgzdI7nTjPXZOVPHfh9S4RbgCa8nbm+Yg59AiEAwmnlkEP8BMHx
-8GeuItJyuIQYXU/TRFIAB5N9nDWO4PsCIFvZj/OJaUlHqMCVz6T7FL0suMB+tuEc
-eTXCYcs7HrYtAiEAi4ivv+xbbBq7B72SSOHcfrwoNIi/bBCifs2H4N67zpMCIBpU
-fl/bfvpZ2FtBsZ1yMTgTXzaZyOllhYkaZO3bvQYU
+MIICWwIBAAKBgQC8D/xTKpP0ykUFsFrJs67dEBChgvDPt6LeS614o0dUQ/Q00kgg
+werSPSeLN66TPI2GTdop//OOP8x2mTxy3rDOf2CwVkA9GBsuniVAPmJv8kldFU1W
+U8B8Au/E74xE6tQUb4vX0zQaeT+QgTdPC+0AOXm65qy3aVDZo0kV6kHOmQIDAQAB
+AoGAI61gsCJmuUzaNU8UmilVZijTDuD5cF6lLkjrGvTW5lyR6qdt+ZDwTHw/kUC6
+BMK7EpyYY9ljyju+PU2q0xv+LIrQONRcBPbGxSrU2W3+3S3jkWZ03tMJLRqCraFV
+w17thkexWZaqVP8eC27jcjgZMU6B3gtpsf/CeMaYYjrBGnUCQQD3g0lugwfG47kI
+Ih7M2ImeUuI/aVov0ep/nDUboLD8ZWoJylko7JpqYVMdhmNZ7CH7stqu8ufW4KkZ
+99LpZLNnAkEAwoLVEoImAJHU4uq5xjNAeklkKj5kNLvPb0ag0IkJ1pH5S5fVrgH+
+fodg2O9jvxxo4eYpbmYKbjXIx7k54QYt/wJAWM0glmaqbqAbLaDYPhReY5BHHgsV
+UVzV7kzD/RKNDTDxd2vCy10AFbSvVkN197gxhRVpQiViKoTWBrwUTqpTdwJAYHSm
+mrYFiFTI3/oMQ9gYikuoqzYjVO8pb4Hzr1W1ljzvBeh2YwLEJBSYFxunOBcrf5I2
+S3O4imyLc1dL92WsGwJALBziva48HYruICrk94ofAbMDqF3xNJS5YFMtXBvZDY/S
+WecxphaKpVPDLsABXUgDsKUKQmHBJuOYCTPqcL5FeA==
-----END RSA PRIVATE KEY-----
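Review bot: The regenerated `-----BEGIN RSA PRIVATE KEY-----` block is committed unencrypted, and nothing near it says that it is a test-only fixture. Add a short README or header comment in this directory stating that the example.net and example.org keys are throwaway test material and how they are regenerated, so that secret scanners can be given a scoped exception and nobody reuses the key outside the test suite.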
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw\r
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp\r
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O\r
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID\r
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq\r
-hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl\r
-LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw\r
+MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp\r
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa\r
+/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5\r
+1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD\r
+oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw\r
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG\r
+37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly\r
++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz\r
+YHJSTjLx4idfdLNS+U5iir1Y
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw\r
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE\r
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo\r
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X\r
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw\r
+MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB\r
+ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY\r
+hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro\r
+yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr\r
+vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g\r
+UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw\r
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp\r
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O\r
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID\r
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq\r
-hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl\r
-LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw\r
+MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp\r
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa\r
+/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5\r
+1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD\r
+oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw\r
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG\r
+37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly\r
++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz\r
+YHJSTjLx4idfdLNS+U5iir1Y
-----END CERTIFICATE-----
Bag Attributes
friendlyName: OCSP Signer
- localKeyID: 89 7C 3C C4 3E 60 FD AA 47 69 0A 11 1B 17 C9 BD 6B D2 DA 1E
+ localKeyID: CA FD 34 A0 02 63 3E 50 60 F9 97 9A 4F 56 8C A5 12 90 66 00
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
-MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAl1EzD7A3887Wit6D
-uE5WOuTdCD4RVQFBa85RFHZd/Q3Yiw5SXh7gQaykL/4mrFHzgbKNgj6WmjBp4tNI
-FQYqJQIDAQABAkBNigd/X46cef5IdRPMayAW19ZH9f5Nr/IFO1kjAjDRjfASDkBN
-V/rMV+78Rh5fOAj1S74VILvKTaaLWhvkDOF1AiEAxxhzyV1rOrdo/tp7W6uD5m0g
-OTxUZYn/6Ec/Kkb6SjsCIQDCkN8rSD+IkhJ3zQOvCi2Onxjon5mE4mkbhZLq84W3
-HwIhAJbbRlCbwnY5JwuEjNgG++iLY1E7D0/o4skjww7LvTalAiBCCbH1mtwVmp6y
-Et/BNY8o7U8jBaixtbc/JCMto+IquQIhAI6flaLC9nQbBh6BX6GVeGu3XS9M/jFe
-EK9fMWn71opJ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt\r
+MIICBTCCAW6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt\r
cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy\r
-MzQwMloXDTM4MDEwMTEyMzQwMlowMjEUMBIGA1UEChMLZXhhbXBsZS5vcmcxGjAY\r
-BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB\r
-AJdRMw+wN/PO1oreg7hOVjrk3Qg+EVUBQWvOURR2Xf0N2IsOUl4e4EGspC/+JqxR\r
-84GyjYI+lpowaeLTSBUGKiUCAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud\r
-JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAZe2NAm2FGEJuLkyZ\r
-AiGPi2pdu5ngE+vQhyTFR3EJ4L6HDkNGE5Mv7lrsSSWU47N3R+Oo+glEau6SyTb1\r
-zMIYxQ==
+MzQwOFoXDTM4MDEwMTEyMzQwOFowMjEUMBIGA1UEChMLZXhhbXBsZS5vcmcxGjAY\r
+BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\r
+iQKBgQDGKfo955u/mpiqrbldME1GxNylVwao/Exm05tCvN/WXfmWLgFGmw4QYZL7\r
+7GxjGpr795Yhd4j3R4Ps9L0qB+29xzg3r6vkszlEjWV8/R2udDy+aGcj/OwIam6L\r
+RDKfGJDUBw4QATQzSuJjiltwLxn6F1JKqHQNiQcUU//CDIOJpQIDAQABoyowKDAO\r
+BgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcN\r
+AQEFBQADgYEAdbT6NKoq7DehBoMSAt8zojI26q2qR1xUmC/IN4QN3NAkmBk8R5a5\r
+Kn9oaimw0DvXO5+HP/B5Q64l9y/Prjm+08vQvK5zOP+IGZv0NcmORgzAo7n9ZePN\r
+t101UYlJMKay24ksvhcW1Xv/g9S570DncOr+vTKDYjyWGHQn2Z7terE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw\r
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE\r
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo\r
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X\r
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw\r
+MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB\r
+ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY\r
+hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro\r
+yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr\r
+vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g\r
+UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU=
-----END CERTIFICATE-----
; Config::Simple 4.59
-; Thu Nov 1 12:34:02 2012
+; Thu Nov 1 12:34:07 2012
[CLICA]
crl_url=http://crl.example.org/latest.crl
org=example.org
subject=clica CA
name=Certificate Authority
-bits=512
+bits=1024
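Review bot: `bits=1024` in the `[CLICA]` section is still below the 2048-bit RSA minimum that current guidance expects, so this regeneration is likely to need repeating. Since the certificates, keys and CRLs are all being replaced in this change anyway, consider going straight to `bits=2048`, or say in the commit message why 1024 was chosen.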
-update=20130127152434Z
+update=20140422152734Z
-----BEGIN X509 CRL-----
-MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5vcmcx
-GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G
-CSqGSIb3DQEBBQUAA0EAL3N9NbP2jClLBlaFsAFB959JN6Hm7B6H5uYdGo55Rvt6
-1BZvz36DEQemcEmzrelVOR+bCBTTBkH8SC6jv9dsAQ==
+MIHtMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5vcmcx
+GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxNDA0MjIxNTI3MzRaMA0G
+CSqGSIb3DQEBBQUAA4GBABztztS8Xe1KA+6lLFt0sZOFQGGErlzPjIzxtiG3xpFb
+zLA1m8qTBZdwmGTmWw0Al0zEyPH+1ApLy8uedoJu0oiRmLCjkRUoL6XCwA+0KV5m
+96f9y8AbrbdfbAK1zl8NTtJdKlCy/vuYBMLYQQn1ix63d28PcqACJrK+8tDq5G31
-----END X509 CRL-----
-update=20130127152437Z
-addcert 102 20130127152437Z
-addcert 202 20130127152437Z
+update=20140422152736Z
+addcert 102 20140422152736Z
+addcert 202 20140422152736Z
-----BEGIN X509 CRL-----
-MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUub3Jn
-MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt
-MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G
-CSqGSIb3DQEBBQUAA0EAVWskomLMAt1QAPrpuIC7WsNrAmPRG1XL+Ggm8d4rESya
-WGQxA0p4ZM6THLfJ3ZWAxlMHEGVkqAUQpUnZhNHmEQ==
+MIIBHTCBhwIBATANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFtcGxlLm9y
+ZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0GA8yMDE0MDQyMjE1MjczNlow
+LTAUAgFmGA8yMDE0MDQyMjE1MjczNlowFQICAMoYDzIwMTQwNDIyMTUyNzM2WjAN
+BgkqhkiG9w0BAQUFAAOBgQAAsD6wBUQvXRStoEQu/x7SYC3K7kNU3tcvD2klq62U
+svU/gRGhyOCD3/iamcoUHkTZeCGdNjJmGG4U52zUUSvlY6qMFBe75xHDL7/8BMsl
+Db5VpBobfmDJOzyL4pJ7/Zrn7pAEuUEDT/ZUBD5Slk5IMsAvnKIrzYpN5EyYB62Z
+MA==
-----END X509 CRL-----
processor : 0
vendor_id : GenuineIntel
cpu family : 6
-model : 26
-model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
-stepping : 5
-cpu MHz : 2260.628
-cache size : 8192 KB
+model : 13
+model name : QEMU Virtual CPU version (cpu64-rhel6)
+stepping : 3
+cpu MHz : 1994.999
+cache size : 4096 KB
fpu : yes
fpu_exception : yes
-cpuid level : 11
+cpuid level : 4
wp : yes
-flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
-bogomips : 4521.25
+flags : fpu de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm up unfair_spinlock pni cx16 hypervisor lahf_lm
+bogomips : 3989.99
clflush size : 64
cache_alignment : 64
-address sizes : 40 bits physical, 48 bits virtual
+address sizes : 38 bits physical, 48 bits virtual
power management:
-processor : 1
-vendor_id : GenuineIntel
-cpu family : 6
-model : 26
-model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
-stepping : 5
-cpu MHz : 2260.628
-cache size : 8192 KB
-fpu : yes
-fpu_exception : yes
-cpuid level : 11
-wp : yes
-flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts
-bogomips : 4521.25
-clflush size : 64
-cache_alignment : 64
-address sizes : 40 bits physical, 48 bits virtual
-power management:
-
- CPU0 CPU1
- 0: 2481 0 IO-APIC-edge timer
- 1: 21441 346 IO-APIC-edge i8042
- 3: 1 0 IO-APIC-edge
- 4: 1 0 IO-APIC-edge
- 7: 0 0 IO-APIC-edge parport0
- 8: 1 0 IO-APIC-edge rtc0
- 9: 0 0 IO-APIC-fasteoi acpi
- 12: 78986 1718 IO-APIC-edge i8042
- 14: 0 0 IO-APIC-edge ata_piix
- 15: 2423330 1435 IO-APIC-edge ata_piix
- 16: 1025 0 IO-APIC-fasteoi Ensoniq AudioPCI
- 17: 239850 2559 IO-APIC-fasteoi ehci_hcd:usb1, ioc0
- 18: 246 0 IO-APIC-fasteoi uhci_hcd:usb2
- 19: 1868741 51479 IO-APIC-fasteoi eth0
- 24: 0 0 PCI-MSI-edge pciehp
- 25: 0 0 PCI-MSI-edge pciehp
- 26: 0 0 PCI-MSI-edge pciehp
- 27: 0 0 PCI-MSI-edge pciehp
- 28: 0 0 PCI-MSI-edge pciehp
- 29: 0 0 PCI-MSI-edge pciehp
- 30: 0 0 PCI-MSI-edge pciehp
- 31: 0 0 PCI-MSI-edge pciehp
- 32: 0 0 PCI-MSI-edge pciehp
- 33: 0 0 PCI-MSI-edge pciehp
- 34: 0 0 PCI-MSI-edge pciehp
- 35: 0 0 PCI-MSI-edge pciehp
- 36: 0 0 PCI-MSI-edge pciehp
- 37: 0 0 PCI-MSI-edge pciehp
- 38: 0 0 PCI-MSI-edge pciehp
- 39: 0 0 PCI-MSI-edge pciehp
- 40: 0 0 PCI-MSI-edge pciehp
- 41: 0 0 PCI-MSI-edge pciehp
- 42: 0 0 PCI-MSI-edge pciehp
- 43: 0 0 PCI-MSI-edge pciehp
- 44: 0 0 PCI-MSI-edge pciehp
- 45: 0 0 PCI-MSI-edge pciehp
- 46: 0 0 PCI-MSI-edge pciehp
- 47: 0 0 PCI-MSI-edge pciehp
- 48: 0 0 PCI-MSI-edge pciehp
- 49: 0 0 PCI-MSI-edge pciehp
- 50: 0 0 PCI-MSI-edge pciehp
- 51: 0 0 PCI-MSI-edge pciehp
- 52: 0 0 PCI-MSI-edge pciehp
- 53: 0 0 PCI-MSI-edge pciehp
- 54: 0 0 PCI-MSI-edge pciehp
- 55: 0 0 PCI-MSI-edge pciehp
- 56: 1 0 PCI-MSI-edge vmci
- 57: 0 0 PCI-MSI-edge vmci
-NMI: 0 0 Non-maskable interrupts
-LOC: 12398298 14241637 Local timer interrupts
-SPU: 0 0 Spurious interrupts
-PMI: 0 0 Performance monitoring interrupts
-IWI: 0 0 IRQ work interrupts
-RES: 282673 309097 Rescheduling interrupts
-CAL: 1955 163548 Function call interrupts
-TLB: 17977 15562 TLB shootdowns
-TRM: 0 0 Thermal event interrupts
-THR: 0 0 Threshold APIC interrupts
-MCE: 0 0 Machine check exceptions
-MCP: 2310 2310 Machine check polls
+ CPU0
+ 0: 258 IO-APIC-edge timer
+ 1: 6 IO-APIC-edge i8042
+ 4: 1 IO-APIC-edge
+ 8: 0 IO-APIC-edge rtc0
+ 9: 0 IO-APIC-fasteoi acpi
+ 10: 953 IO-APIC-fasteoi virtio3
+ 11: 62 IO-APIC-fasteoi uhci_hcd:usb1, snd_hda_intel
+ 12: 104 IO-APIC-edge i8042
+ 14: 0 IO-APIC-edge ata_piix
+ 15: 106 IO-APIC-edge ata_piix
+ 24: 0 PCI-MSI-edge virtio2-config
+ 25: 48993 PCI-MSI-edge virtio2-requests
+ 26: 0 PCI-MSI-edge virtio0-config
+ 27: 296865 PCI-MSI-edge virtio0-input
+ 28: 1 PCI-MSI-edge virtio0-output
+ 29: 0 PCI-MSI-edge virtio1-config
+ 30: 18867 PCI-MSI-edge virtio1-input
+ 31: 1 PCI-MSI-edge virtio1-output
+NMI: 0 Non-maskable interrupts
+LOC: 774993 Local timer interrupts
+SPU: 0 Spurious interrupts
+PMI: 0 Performance monitoring interrupts
+IWI: 0 IRQ work interrupts
+RES: 0 Rescheduling interrupts
+CAL: 0 Function call interrupts
+TLB: 0 TLB shootdowns
+TRM: 0 Thermal event interrupts
+THR: 0 Threshold APIC interrupts
+MCE: 0 Machine check exceptions
+MCP: 271 Machine check polls
ERR: 0
MIS: 0
-MemTotal: 1914844 kB
-MemFree: 134216 kB
-Buffers: 142048 kB
-Cached: 952796 kB
-SwapCached: 108 kB
-Active: 981384 kB
-Inactive: 540556 kB
-Active(anon): 287092 kB
-Inactive(anon): 143480 kB
-Active(file): 694292 kB
-Inactive(file): 397076 kB
+MemTotal: 487904 kB
+MemFree: 73484 kB
+Buffers: 73812 kB
+Cached: 141708 kB
+SwapCached: 0 kB
+Active: 132460 kB
+Inactive: 119036 kB
+Active(anon): 15152 kB
+Inactive(anon): 21900 kB
+Active(file): 117308 kB
+Inactive(file): 97136 kB
Unevictable: 0 kB
Mlocked: 0 kB
-SwapTotal: 4194296 kB
-SwapFree: 4193560 kB
-Dirty: 1732 kB
+SwapTotal: 524280 kB
+SwapFree: 524280 kB
+Dirty: 1628 kB
Writeback: 0 kB
-AnonPages: 427116 kB
-Mapped: 70924 kB
-Shmem: 3400 kB
-Slab: 190944 kB
-SReclaimable: 125404 kB
-SUnreclaim: 65540 kB
-KernelStack: 2312 kB
-PageTables: 23536 kB
+AnonPages: 35928 kB
+Mapped: 15596 kB
+Shmem: 1128 kB
+Slab: 136308 kB
+SReclaimable: 83924 kB
+SUnreclaim: 52384 kB
+KernelStack: 752 kB
+PageTables: 3412 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
-CommitLimit: 5151716 kB
-Committed_AS: 973184 kB
+CommitLimit: 768232 kB
+Committed_AS: 116976 kB
VmallocTotal: 34359738367 kB
-VmallocUsed: 280772 kB
-VmallocChunk: 34359441168 kB
+VmallocUsed: 12116 kB
+VmallocChunk: 34359713232 kB
HardwareCorrupted: 0 kB
-AnonHugePages: 249856 kB
+AnonHugePages: 2048 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB
-DirectMap4k: 8192 kB
-DirectMap2M: 2088960 kB
+DirectMap4k: 7156 kB
+DirectMap2M: 1492992 kB
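Review bot: The `model name`, interrupt-table and `MemTotal` lines show that this file is a raw /proc snapshot of whichever host ran the regeneration (a two-CPU Xeon E5520 before, a single-CPU QEMU guest now), so it will churn on every rerun and it records build-host details. Document what the snapshot is used for, and if only its presence matters, generate it at run time or trim it to a fixed placeholder instead of versioning host data.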
slabinfo - version: 2.1
# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
-bridge_fdb_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-fuse_request 0 0 632 6 1 : tunables 54 27 8 : slabdata 0 0 0
-fuse_inode 0 0 768 5 1 : tunables 54 27 8 : slabdata 0 0 0
-rpc_buffers 8 8 2048 2 1 : tunables 24 12 8 : slabdata 4 4 0
-rpc_tasks 8 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-rpc_inode_cache 8 8 832 4 1 : tunables 54 27 8 : slabdata 2 2 0
-hgfsInodeCache 1 6 640 6 1 : tunables 54 27 8 : slabdata 1 1 0
-AF_VMCI 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 8 : slabdata 0 0 0
-nf_conntrack_ffffffff8200cec0 22 26 304 13 1 : tunables 54 27 8 : slabdata 2 2 0
-fib6_nodes 22 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
-ip6_dst_cache 13 30 384 10 1 : tunables 54 27 8 : slabdata 3 3 0
-ndisc_cache 1 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-RAWv6 67 68 1024 4 1 : tunables 54 27 8 : slabdata 17 17 0
-UDPLITEv6 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-UDPv6 4 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
-tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 8 : slabdata 0 0 0
-request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-TCPv6 9 10 1856 2 1 : tunables 24 12 8 : slabdata 5 5 0
-jbd2_1k 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-avtab_node 502203 502416 24 144 1 : tunables 120 60 8 : slabdata 3489 3489 0
-ext4_inode_cache 74816 74820 1024 4 1 : tunables 54 27 8 : slabdata 18705 18705 0
-ext4_xattr 9 44 88 44 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_free_block_extents 32 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_alloc_context 28 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_prealloc_space 18 37 104 37 1 : tunables 120 60 8 : slabdata 1 1 0
-ext4_system_zone 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
-jbd2_journal_handle 32 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
-jbd2_journal_head 74 102 112 34 1 : tunables 120 60 8 : slabdata 3 3 0
-jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 8 : slabdata 1 1 0
-jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-dm_crypt_io 50 50 152 25 1 : tunables 120 60 8 : slabdata 2 2 0
-sd_ext_cdb 2 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
-scsi_sense_cache 25 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
-scsi_cmd_cache 28 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
-dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 8 : slabdata 0 0 0
-kcopyd_job 0 0 3240 2 2 : tunables 24 12 8 : slabdata 0 0 0
-io 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-dm_uevent 0 0 2608 3 2 : tunables 24 12 8 : slabdata 0 0 0
-dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 8 : slabdata 0 0 0
-dm_rq_target_io 0 0 392 10 1 : tunables 54 27 8 : slabdata 0 0 0
-dm_target_io 844 864 24 144 1 : tunables 120 60 8 : slabdata 6 6 0
-dm_io 828 828 40 92 1 : tunables 120 60 8 : slabdata 9 9 0
-flow_cache 0 0 96 40 1 : tunables 120 60 8 : slabdata 0 0 0
-uhci_urb_priv 6 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0
-cfq_io_context 4 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
-cfq_queue 5 16 240 16 1 : tunables 120 60 8 : slabdata 1 1 0
-bsg_cmd 0 0 312 12 1 : tunables 54 27 8 : slabdata 0 0 0
-mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 8 : slabdata 1 1 0
-isofs_inode_cache 0 0 640 6 1 : tunables 54 27 8 : slabdata 0 0 0
-hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 8 : slabdata 1 1 0
-dquot 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-kioctx 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
-kiocb 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-inotify_event_private_data 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-inotify_inode_mark_entry 186 204 112 34 1 : tunables 120 60 8 : slabdata 6 6 0
-dnotify_mark_entry 1 34 112 34 1 : tunables 120 60 8 : slabdata 1 1 0
-dnotify_struct 1 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0
-fasync_cache 6 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0
-khugepaged_mm_slot 83 92 40 92 1 : tunables 120 60 8 : slabdata 1 1 0
-ksm_mm_slot 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-ksm_stable_node 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0
-ksm_rmap_item 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-utrace_engine 0 0 56 67 1 : tunables 120 60 8 : slabdata 0 0 0
-utrace 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-pid_namespace 0 0 2120 3 2 : tunables 24 12 8 : slabdata 0 0 0
-nsproxy 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-posix_timers_cache 0 0 176 22 1 : tunables 120 60 8 : slabdata 0 0 0
-uid_cache 10 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0
-UNIX 459 480 768 5 1 : tunables 54 27 8 : slabdata 96 96 0
-ip_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-UDP-Lite 0 0 832 9 2 : tunables 54 27 8 : slabdata 0 0 0
-tcp_bind_bucket 15 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
-inet_peer_cache 4 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0
-secpath_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-xfrm_dst_cache 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
-ip_fib_alias 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-ip_fib_hash 10 106 72 53 1 : tunables 120 60 8 : slabdata 2 2 0
-ip_dst_cache 29 50 384 10 1 : tunables 54 27 8 : slabdata 5 5 0
-arp_cache 4 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-RAW 65 72 832 9 2 : tunables 54 27 8 : slabdata 8 8 0
-UDP 6 18 832 9 2 : tunables 54 27 8 : slabdata 2 2 0
-tw_sock_TCP 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-request_sock_TCP 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-TCP 20 24 1664 4 2 : tunables 24 12 8 : slabdata 6 6 0
-eventpoll_pwq 126 212 72 53 1 : tunables 120 60 8 : slabdata 4 4 0
-eventpoll_epi 126 180 128 30 1 : tunables 120 60 8 : slabdata 6 6 0
-sgpool-128 2 2 4096 1 1 : tunables 24 12 8 : slabdata 2 2 0
-sgpool-64 2 2 2048 2 1 : tunables 24 12 8 : slabdata 1 1 0
-sgpool-32 2 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0
-sgpool-16 2 8 512 8 1 : tunables 54 27 8 : slabdata 1 1 0
-sgpool-8 15 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0
-scsi_data_buffer 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
-blkdev_integrity 0 0 112 34 1 : tunables 120 60 8 : slabdata 0 0 0
-blkdev_queue 29 30 2856 2 2 : tunables 24 12 8 : slabdata 15 15 0
-blkdev_requests 42 66 352 11 1 : tunables 54 27 8 : slabdata 5 6 0
-blkdev_ioc 5 48 80 48 1 : tunables 120 60 8 : slabdata 1 1 0
-fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0
-fsnotify_event 0 0 104 37 1 : tunables 120 60 8 : slabdata 0 0 0
-bio-0 180 180 192 20 1 : tunables 120 60 8 : slabdata 9 9 0
-biovec-256 66 66 4096 1 1 : tunables 24 12 8 : slabdata 66 66 0
-biovec-128 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
-biovec-64 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-biovec-16 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
+nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0
+nf_conntrack_ffffffff81b18540 36 36 312 12 1 : tunables 54 27 0 : slabdata 3 3 0
+fib6_nodes 42 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+ip6_dst_cache 24 40 384 10 1 : tunables 54 27 0 : slabdata 4 4 0
+ndisc_cache 21 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0
+ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+RAWv6 4 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0
+UDPLITEv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+UDPv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 0 : slabdata 0 0 0
+request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0
+TCPv6 9 10 1920 2 1 : tunables 24 12 0 : slabdata 5 5 0
+jbd2_1k 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+avtab_node 551039 551088 24 144 1 : tunables 120 60 0 : slabdata 3827 3827 0
+ext4_inode_cache 36173 36888 1016 4 1 : tunables 54 27 0 : slabdata 9222 9222 0
+ext4_xattr 5 44 88 44 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_free_block_extents 16 67 56 67 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_alloc_context 16 28 136 28 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_prealloc_space 3 37 104 37 1 : tunables 120 60 0 : slabdata 1 1 0
+ext4_system_zone 0 0 40 92 1 : tunables 120 60 0 : slabdata 0 0 0
+jbd2_journal_handle 16 144 24 144 1 : tunables 120 60 0 : slabdata 1 1 0
+jbd2_journal_head 68 68 112 34 1 : tunables 120 60 0 : slabdata 2 2 0
+jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 0 : slabdata 1 1 0
+jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+scsi_sense_cache 2 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0
+scsi_cmd_cache 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
+dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 0 : slabdata 0 0 0
+kcopyd_job 0 0 3240 2 2 : tunables 24 12 0 : slabdata 0 0 0
+io 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+dm_uevent 0 0 2608 3 2 : tunables 24 12 0 : slabdata 0 0 0
+dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 0 : slabdata 0 0 0
+dm_rq_target_io 0 0 392 10 1 : tunables 54 27 0 : slabdata 0 0 0
+dm_target_io 576 576 24 144 1 : tunables 120 60 0 : slabdata 4 4 0
+dm_io 552 552 40 92 1 : tunables 120 60 0 : slabdata 6 6 0
+flow_cache 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0
+uhci_urb_priv 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0
+cfq_io_context 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0
+cfq_queue 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0
+bsg_cmd 0 0 312 12 1 : tunables 54 27 0 : slabdata 0 0 0
+mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 0 : slabdata 1 1 0
+isofs_inode_cache 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0
+hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 0 : slabdata 1 1 0
+dquot 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+kioctx 0 0 384 10 1 : tunables 54 27 0 : slabdata 0 0 0
+kiocb 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+inotify_event_private_data 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+inotify_inode_mark_entry 110 136 112 34 1 : tunables 120 60 0 : slabdata 4 4 0
+dnotify_mark_entry 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0
+dnotify_struct 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+dio 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0
+fasync_cache 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0
+khugepaged_mm_slot 17 92 40 92 1 : tunables 120 60 0 : slabdata 1 1 0
+ksm_mm_slot 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+ksm_stable_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+ksm_rmap_item 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+utrace_engine 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0
+utrace 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+pid_namespace 0 0 2168 3 2 : tunables 24 12 0 : slabdata 0 0 0
+posix_timers_cache 0 0 176 22 1 : tunables 120 60 0 : slabdata 0 0 0
+uid_cache 3 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0
+UNIX 107 110 768 5 1 : tunables 54 27 0 : slabdata 22 22 0
+ip_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+UDP-Lite 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0
+tcp_bind_bucket 9 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+inet_peer_cache 2 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+secpath_cache 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+xfrm_dst_cache 0 0 448 8 1 : tunables 54 27 0 : slabdata 0 0 0
+ip_fib_alias 1 112 32 112 1 : tunables 120 60 0 : slabdata 1 1 0
+ip_fib_hash 14 53 72 53 1 : tunables 120 60 0 : slabdata 1 1 0
+ip_dst_cache 26 30 384 10 1 : tunables 54 27 0 : slabdata 3 3 0
+arp_cache 6 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
+PING 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0
+RAW 2 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0
+UDP 1 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0
+tw_sock_TCP 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+request_sock_TCP 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+TCP 10 12 1728 4 2 : tunables 24 12 0 : slabdata 3 3 0
+eventpoll_pwq 59 106 72 53 1 : tunables 120 60 0 : slabdata 2 2 0
+eventpoll_epi 59 90 128 30 1 : tunables 120 60 0 : slabdata 3 3 0
+sgpool-128 2 2 4096 1 1 : tunables 24 12 0 : slabdata 2 2 0
+sgpool-64 2 2 2048 2 1 : tunables 24 12 0 : slabdata 1 1 0
+sgpool-32 2 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0
+sgpool-16 2 8 512 8 1 : tunables 54 27 0 : slabdata 1 1 0
+sgpool-8 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
+scsi_data_buffer 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0
+blkdev_integrity 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0
+blkdev_queue 28 28 2864 2 2 : tunables 24 12 0 : slabdata 14 14 0
+blkdev_requests 22 22 352 11 1 : tunables 54 27 0 : slabdata 2 2 0
+blkdev_ioc 3 48 80 48 1 : tunables 120 60 0 : slabdata 1 1 0
+fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0
+fsnotify_event 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0
+bio-0 80 80 192 20 1 : tunables 120 60 0 : slabdata 4 4 0
+biovec-256 34 34 4096 1 1 : tunables 24 12 0 : slabdata 34 34 0
+biovec-128 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0
+biovec-64 2 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0
+biovec-16 7 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
bip-256 2 2 4224 1 2 : tunables 8 4 0 : slabdata 2 2 0
-bip-128 0 0 2176 3 2 : tunables 24 12 8 : slabdata 0 0 0
-bip-64 0 0 1152 7 2 : tunables 24 12 8 : slabdata 0 0 0
-bip-16 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0
-bip-4 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-bip-1 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-sock_inode_cache 667 685 704 5 1 : tunables 54 27 8 : slabdata 137 137 0
-skbuff_fclone_cache 35 35 512 7 1 : tunables 54 27 8 : slabdata 5 5 0
-skbuff_head_cache 302 450 256 15 1 : tunables 120 60 8 : slabdata 30 30 0
-file_lock_cache 38 44 176 22 1 : tunables 120 60 8 : slabdata 2 2 0
-net_namespace 0 0 2112 3 2 : tunables 24 12 8 : slabdata 0 0 0
-shmem_inode_cache 774 775 800 5 1 : tunables 54 27 8 : slabdata 155 155 0
-Acpi-Operand 4563 4664 72 53 1 : tunables 120 60 8 : slabdata 88 88 0
-Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 8 : slabdata 0 0 0
-Acpi-Parse 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-Acpi-State 0 0 80 48 1 : tunables 120 60 8 : slabdata 0 0 0
-Acpi-Namespace 3311 3312 40 92 1 : tunables 120 60 8 : slabdata 36 36 0
-task_delay_info 332 340 112 34 1 : tunables 120 60 8 : slabdata 10 10 0
-taskstats 5 12 328 12 1 : tunables 54 27 8 : slabdata 1 1 0
-proc_inode_cache 1008 1008 640 6 1 : tunables 54 27 8 : slabdata 168 168 0
-sigqueue 35 48 160 24 1 : tunables 120 60 8 : slabdata 2 2 0
-bdev_cache 32 36 832 4 1 : tunables 54 27 8 : slabdata 9 9 0
-sysfs_dir_cache 11356 11367 144 27 1 : tunables 120 60 8 : slabdata 421 421 0
-mnt_cache 37 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0
-filp 4614 4700 192 20 1 : tunables 120 60 8 : slabdata 235 235 0
-inode_cache 6883 7308 592 6 1 : tunables 54 27 8 : slabdata 1218 1218 0
-dentry 61120 63960 192 20 1 : tunables 120 60 8 : slabdata 3198 3198 0
-names_cache 26 26 4096 1 1 : tunables 24 12 8 : slabdata 26 26 0
-avc_node 518 1239 64 59 1 : tunables 120 60 8 : slabdata 21 21 0
-selinux_inode_security 84146 86072 72 53 1 : tunables 120 60 8 : slabdata 1624 1624 0
-radix_tree_node 11579 11781 560 7 1 : tunables 54 27 8 : slabdata 1683 1683 0
-key_jar 11 20 192 20 1 : tunables 120 60 8 : slabdata 1 1 0
-buffer_head 221286 230214 104 37 1 : tunables 120 60 8 : slabdata 6222 6222 0
-vm_area_struct 12992 13034 200 19 1 : tunables 120 60 8 : slabdata 686 686 60
-mm_struct 145 145 1408 5 2 : tunables 24 12 8 : slabdata 29 29 0
-fs_cache 177 177 64 59 1 : tunables 120 60 8 : slabdata 3 3 0
-files_cache 162 165 704 11 2 : tunables 54 27 8 : slabdata 15 15 0
-signal_cache 208 208 1024 4 1 : tunables 54 27 8 : slabdata 52 52 0
-sighand_cache 198 198 2112 3 2 : tunables 24 12 8 : slabdata 66 66 0
-task_xstate 232 232 512 8 1 : tunables 54 27 8 : slabdata 29 29 0
-task_struct 303 303 2656 3 2 : tunables 24 12 8 : slabdata 101 101 0
-cred_jar 580 580 192 20 1 : tunables 120 60 8 : slabdata 29 29 0
-anon_vma_chain 7904 8162 48 77 1 : tunables 120 60 8 : slabdata 106 106 60
-anon_vma 5773 5888 40 92 1 : tunables 120 60 8 : slabdata 64 64 0
-pid 322 330 128 30 1 : tunables 120 60 8 : slabdata 11 11 0
-shared_policy_node 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0
-numa_policy 1 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0
-idr_layer_cache 428 434 544 7 1 : tunables 54 27 8 : slabdata 62 62 0
+bip-128 0 0 2176 3 2 : tunables 24 12 0 : slabdata 0 0 0
+bip-64 0 0 1152 7 2 : tunables 24 12 0 : slabdata 0 0 0
+bip-16 0 0 384 10 1 : tunables 54 27 0 : slabdata 0 0 0
+bip-4 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0
+bip-1 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+sock_inode_cache 150 160 704 5 1 : tunables 54 27 0 : slabdata 32 32 0
+skbuff_fclone_cache 7 7 512 7 1 : tunables 54 27 0 : slabdata 1 1 0
+skbuff_head_cache 66 105 256 15 1 : tunables 120 60 0 : slabdata 7 7 0
+file_lock_cache 21 22 176 22 1 : tunables 120 60 0 : slabdata 1 1 0
+net_namespace 0 0 2432 3 2 : tunables 24 12 0 : slabdata 0 0 0
+shmem_inode_cache 654 655 784 5 1 : tunables 54 27 0 : slabdata 131 131 0
+Acpi-Operand 1211 1219 72 53 1 : tunables 120 60 0 : slabdata 23 23 0
+Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 0 : slabdata 0 0 0
+Acpi-Parse 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+Acpi-State 0 0 80 48 1 : tunables 120 60 0 : slabdata 0 0 0
+Acpi-Namespace 407 460 40 92 1 : tunables 120 60 0 : slabdata 5 5 0
+task_delay_info 102 102 112 34 1 : tunables 120 60 0 : slabdata 3 3 0
+taskstats 0 0 328 12 1 : tunables 54 27 0 : slabdata 0 0 0
+proc_inode_cache 408 408 656 6 1 : tunables 54 27 0 : slabdata 68 68 0
+sigqueue 9 24 160 24 1 : tunables 120 60 0 : slabdata 1 1 0
+bdev_cache 31 32 832 4 1 : tunables 54 27 0 : slabdata 8 8 0
+sysfs_dir_cache 7588 7614 144 27 1 : tunables 120 60 0 : slabdata 282 282 0
+mnt_cache 27 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0
+filp 840 840 192 20 1 : tunables 120 60 0 : slabdata 42 42 0
+inode_cache 5826 5826 592 6 1 : tunables 54 27 0 : slabdata 971 971 0
+dentry 189420 189420 192 20 1 : tunables 120 60 0 : slabdata 9471 9471 0
+names_cache 1 1 4096 1 1 : tunables 24 12 0 : slabdata 1 1 0
+avc_node 514 708 64 59 1 : tunables 120 60 0 : slabdata 12 12 0
+selinux_inode_security 43259 46799 72 53 1 : tunables 120 60 0 : slabdata 883 883 0
+radix_tree_node 2991 3598 560 7 1 : tunables 54 27 0 : slabdata 514 514 0
+key_jar 5 20 192 20 1 : tunables 120 60 0 : slabdata 1 1 0
+buffer_head 24272 25493 104 37 1 : tunables 120 60 0 : slabdata 689 689 0
+nsproxy 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+vm_area_struct 2565 2565 200 19 1 : tunables 120 60 0 : slabdata 135 135 0
+mm_struct 40 40 1408 5 2 : tunables 24 12 0 : slabdata 8 8 0
+fs_cache 59 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0
+files_cache 44 44 704 11 2 : tunables 54 27 0 : slabdata 4 4 0
+signal_cache 91 91 1088 7 2 : tunables 24 12 0 : slabdata 13 13 0
+sighand_cache 90 90 2112 3 2 : tunables 24 12 0 : slabdata 30 30 0
+task_xstate 48 48 512 8 1 : tunables 54 27 0 : slabdata 6 6 0
+task_struct 96 96 2656 3 2 : tunables 24 12 0 : slabdata 32 32 0
+cred_jar 240 240 192 20 1 : tunables 120 60 0 : slabdata 12 12 0
+anon_vma_chain 1795 2079 48 77 1 : tunables 120 60 0 : slabdata 27 27 0
+anon_vma 1209 1380 40 92 1 : tunables 120 60 0 : slabdata 15 15 0
+pid 107 120 128 30 1 : tunables 120 60 0 : slabdata 4 4 0
+shared_policy_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0
+numa_policy 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0
+idr_layer_cache 281 287 544 7 1 : tunables 54 27 0 : slabdata 41 41 0
size-4194304(DMA) 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
size-4194304 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0
size-2097152(DMA) 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0
size-262144(DMA) 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
size-262144 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0
size-131072(DMA) 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0
-size-131072 1 1 131072 1 32 : tunables 8 4 0 : slabdata 1 1 0
+size-131072 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0
size-65536(DMA) 0 0 65536 1 16 : tunables 8 4 0 : slabdata 0 0 0
size-65536 2 2 65536 1 16 : tunables 8 4 0 : slabdata 2 2 0
size-32768(DMA) 0 0 32768 1 8 : tunables 8 4 0 : slabdata 0 0 0
size-32768 3 3 32768 1 8 : tunables 8 4 0 : slabdata 3 3 0
size-16384(DMA) 0 0 16384 1 4 : tunables 8 4 0 : slabdata 0 0 0
-size-16384 12 12 16384 1 4 : tunables 8 4 0 : slabdata 12 12 0
+size-16384 7 7 16384 1 4 : tunables 8 4 0 : slabdata 7 7 0
size-8192(DMA) 0 0 8192 1 2 : tunables 8 4 0 : slabdata 0 0 0
-size-8192 27 27 8192 1 2 : tunables 8 4 0 : slabdata 27 27 0
-size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 8 : slabdata 0 0 0
-size-4096 425 425 4096 1 1 : tunables 24 12 8 : slabdata 425 425 0
-size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0
-size-2048 578 578 2048 2 1 : tunables 24 12 8 : slabdata 289 289 0
-size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0
-size-1024 1332 1332 1024 4 1 : tunables 54 27 8 : slabdata 333 333 0
-size-512(DMA) 0 0 512 8 1 : tunables 54 27 8 : slabdata 0 0 0
-size-512 1123 1176 512 8 1 : tunables 54 27 8 : slabdata 147 147 0
-size-256(DMA) 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0
-size-256 930 930 256 15 1 : tunables 120 60 8 : slabdata 62 62 0
-size-192(DMA) 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0
-size-192 2119 2160 192 20 1 : tunables 120 60 8 : slabdata 108 108 0
-size-128(DMA) 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0
-size-64(DMA) 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0
-size-64 33063 40887 64 59 1 : tunables 120 60 8 : slabdata 693 693 60
-size-32(DMA) 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0
-size-128 3921 4800 128 30 1 : tunables 120 60 8 : slabdata 160 160 0
-size-32 332419 332976 32 112 1 : tunables 120 60 8 : slabdata 2973 2973 60
-kmem_cache 191 191 32896 1 16 : tunables 8 4 0 : slabdata 191 191 0
+size-8192 12 12 8192 1 2 : tunables 8 4 0 : slabdata 12 12 0
+size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 0 : slabdata 0 0 0
+size-4096 119 119 4096 1 1 : tunables 24 12 0 : slabdata 119 119 0
+size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0
+size-2048 200 200 2048 2 1 : tunables 24 12 0 : slabdata 100 100 0
+size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0
+size-1024 578 588 1024 4 1 : tunables 54 27 0 : slabdata 147 147 0
+size-512(DMA) 0 0 512 8 1 : tunables 54 27 0 : slabdata 0 0 0
+size-512 608 608 512 8 1 : tunables 54 27 0 : slabdata 76 76 0
+size-256(DMA) 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
+size-256 815 825 256 15 1 : tunables 120 60 0 : slabdata 55 55 0
+size-192(DMA) 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0
+size-192 1256 1260 192 20 1 : tunables 120 60 0 : slabdata 63 63 0
+size-128(DMA) 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0
+size-64(DMA) 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0
+size-64 23094 25783 64 59 1 : tunables 120 60 0 : slabdata 437 437 0
+size-32(DMA) 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0
+size-128 3271 3450 128 30 1 : tunables 120 60 0 : slabdata 115 115 0
+size-32 352497 352576 32 112 1 : tunables 120 60 0 : slabdata 3148 3148 0
+kmem_cache 183 183 32896 1 16 : tunables 8 4 0 : slabdata 183 183 0
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
- lo:267102759 105357 0 0 0 0 0 0 267102759 105357 0 0 0 0 0 0
- eth0:1013758516 1354506 0 0 0 0 0 0 245531629 966810 0 0 0 0 0 0
- pan0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ lo: 5243413 23981 0 0 0 0 0 0 5243413 23981 0 0 0 0 0 0
+ eth0:25465657 318897 0 0 0 0 0 0 2043751 16011 0 0 0 0 0 0
+ eth1: 1386405 18972 0 0 0 0 0 0 95634 1485 0 0 0 0 0 0
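Review bot: the replacement `/proc/slabinfo` and `/proc/net/dev` snapshots were evidently taken on a different host from the old ones, and nothing in the change says why. The interface list goes from `lo`/`eth0`/`pan0` to `lo`/`eth0`/`eth1`, and the third `tunables` field drops from 8 to 0 on almost every cache. Nearly every counter differs as a result, so the diff cannot be reviewed line by line. If the consumer of these files only needs the format, trim the fixture to a handful of representative rows. Otherwise, record in the commit message which kernel and machine the capture came from so the next regeneration can be compared against it.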
subject=/O=example.org/CN=clica Signing Cert
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.org/CN=clica CA
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
-LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired1.example.org
- localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6
+ localKeyID: 99 C2 8F 9C 7D C1 19 76 88 B2 B0 83 4D 00 ED C9 E9 2B 7E EB
subject=/CN=expired1.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg
-mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
-bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP
-FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired1.example.org
- localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6
+ localKeyID: 99 C2 8F 9C 7D C1 19 76 88 B2 B0 83 4D 00 ED C9 E9 2B 7E EB
subject=/CN=expired1.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg
-mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
-bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP
-FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ==
+MzQwOVoXDTEyMTIwMTEyMzQwOVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
+ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL3J/GWAVGm/d/nUnwDr
+3zeq85l1l1Zmp9r9XLUcw9cDbLM1hg4Ej557Cg9bXDZ7yCoa9tZnMUr6yKw1AxiV
+6DaoRt2HcPdAdge448/s96F8TtpfU9FOOm4iW2gAhhQVy/L0py76SPxadjI+IxwL
+MoaaIHevy6v+8wdafJVHe3cNAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG
+A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
+hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
+KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm9yZy8wHwYDVR0R
+BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQEFBQADgYEAChRl
+3S8Jylp0qbbYnIfnGFYgmzExHYuBkJv81j19n74NeD6cwmIE+rBL2+g459o1f3TZ
+ngfnX16kXvG2xCRozPbv8VAOiF7kGHg4RdQqS3GTlnxeDuGqTTZXhMkRHeEHNp1N
+J7d7YZlHna/txyMBbrg4oUESHhtUBzHC7zixHzo=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw\r
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE\r
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo\r
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X\r
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw\r
+MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB\r
+ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY\r
+hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro\r
+yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr\r
+vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g\r
+UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU=
-----END CERTIFICATE-----
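Review bot: the regenerated "clica Signing Cert" moves from a 512-bit to a 1024-bit RSA key but is still signed with sha1WithRSAEncryption. The key header changes from `MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBA...` to `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...`, while the `+` body keeps the same `ANBgkqhkiG9w0BAQUFADAp` algorithm bytes in its first line. Since every certificate, localKeyID and encrypted key under this CA is reissued in the same change, consider generating the tree at 2048-bit with a SHA-256 signature now, so the fixtures do not have to be churned again when TLS libraries raise their minimums. Please also record the command or script that produced the tree, because the diff alone gives no way to reproduce or audit these blobs.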
Bag Attributes
friendlyName: expired1.example.org
- localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6
+ localKeyID: 99 C2 8F 9C 7D C1 19 76 88 B2 B0 83 4D 00 ED C9 E9 2B 7E EB
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIL+kummor3pQCAggA
-MBQGCCqGSIb3DQMHBAhpvl78t5As+QSCAWBlOt1XpYY+o5G0MSANfiL7BfKlwwYh
-MDpKzsNWfwxrNZNmeT293TKVlXEav4FsEnbU0yVJ0HSLC1peXM32mjdezDdMQAwq
-QPrIRj5r5m4mTTWhUPnDUrzdwrYbD4flg0H6eO7gX1w2gJw8E/LS8nhAy6ZOfEvL
-jlghGljcALDPVDvNEAtcx+Wd4p71vp6wm/3kl3SAl7WXO1HcKwYYIEEL9DFZ/P4n
-kqlgCu3pcgKbH9HHjImOkYRWP2Poy3OLJ7h+i/rIEaxiaJFt/1zTm+DxkkM6nbwR
-2C0VnX6/gSbpz58xBlJUMiZqvh9ciFhuLCYeiJx+HnKKzTEIfnSyKV7Y7GSzqkUE
-kKPVa6NTXq0nlH1fuecTGv3iUE4AXWJPmGNYS0caR8oTFd5pFlOQGazRjLDxTIb/
-N6zXiTCpQt4MWHi71a/GnfUrv0e/Bl24ARJnVWcP4brT8jA/oiPeQGEq
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEOl5NEvFezQCAggA
+MBQGCCqGSIb3DQMHBAgdwEOOYf+K8ASCAoCngEY2Iy7JaI0Pq/wcmj5CBp1cTDS3
++CvdphRSw9W2LBNbCNjwQmyZptgDva4umoS3ex0vhiDiak+XzeBtHTdkDBhI5yW1
+H8+4+JgvEBphHYDOtMu6c27DeshuWUhh5xSJ42E+P7WDQXRB3ZbSPeR/WwpQWuc1
+Kf39b8M9dSNeOFkWuZ6lZSLVapNxZsQ1YmdOFIbzC31B94jdvKs5WL17sOO5P50b
+lUomYEs981S09uyt/Jaot7fNR6AAgZR8tZtA/Lf5sEr2H2OxLhyhX5GGHuM6kY1B
+BbX85yg2eZjw/XVREdmUHd7dO4eLAtYYY2wNOBllwfVY0+3Bi8YjAUJwwlgPwBmO
+0/MGDAYluRh8xApI/gdKxOnDhqY4Q85n3o7iczEyJDw5FtXORPaEGQ01zie2RT86
+LyUd2e6w6wtC+GNBPb15LwNMPmFFhhBfW/LnqFhb9xydquUPeH6Vs2veDWaqflnf
+cHR0ZXqfs3l/QWFtDOuvUoPxZoRSoKPxQtTsc3b8Mh6b69MgFsIu84vJHDGi2fbw
+vLFXscoEanMP2BRhBSjHHcIcoMcZHOgT915zDJArolc3aDhmf/qU1lOr7hXcPyW4
+ijixkJSRJV8Cvx3Qx62ToNzmXVYc2P/b1dG7wgms6vl+GFk5HUCrkV+D3OABuaKi
+f2BqzuoKTp5AUjPdFC9kFQ+7dApR6YI+MqWqAvBvSZmTYyGRuYVtuvvNxNK5qlKF
+pJMDA49V3WA2Dr3DLhOPo2ZbFUjj+1Ojm667Z+ls6TWinMoQKx+VbbBudbYHMj5h
+JLSjR9Y67quErC/yogcWfTdgQ/yN5LE4UPm7GaQEcvwQAzt6BQtN/U9i
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: expired1.example.org
- localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6
+ localKeyID: 99 C2 8F 9C 7D C1 19 76 88 B2 B0 83 4D 00 ED C9 E9 2B 7E EB
subject=/CN=expired1.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs
-ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg
-mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w
-bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP
-FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ==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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBAOE07+ueZcMn+ZS+EZLix6j3YJlyN+nZIxC//OuFqLM8C0WGH55T
-o+IZin46vVaLJXw0ZzqGUptDXmySfWP3mtsCAwEAAQJAbjXB08TIeCDv+uKpJwDk
-RMQK+gzzX/VrO5843umiDVPBs3FoDJJMMI1YIxiqmj61BNvh6YdTeYMbgsqdvUT/
-AQIhAP2hXPtUNCfSMbDZujRe7weCDynq2SdT9v5GwCABKNRLAiEA40+XExCBf3zV
-Eibj6fEWBlJjQPjCEvFLkbeOi44UmbECIF8u9qkvkZ88J//ZxiKvWf80VSKDC1nS
-DgihXqrkJIF/AiAhsUBhUQcA0I38fMs3d8ad9URE8xpBGIbs+FomkU64YQIhALds
-zCAiNfSE9O4vQvnSlbPdKT5KSbux/uGuPIhK+RA0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-----END RSA PRIVATE KEY-----
subject=/O=example.org/CN=clica Signing Cert
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==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-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.org/CN=clica CA
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
-LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired2.example.org
- localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3
+ localKeyID: BB 61 99 E6 F7 7B 14 59 32 E1 10 99 42 D0 42 05 CB 5C E4 7F
subject=/CN=expired2.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb
-0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
-cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon
-xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4=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-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired2.example.org
- localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3
+ localKeyID: BB 61 99 E6 F7 7B 14 59 32 E1 10 99 42 D0 42 05 CB 5C E4 7F
subject=/CN=expired2.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb
-0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
-cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon
-xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4=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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw\r
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE\r
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo\r
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X\r
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw\r
+MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB\r
+ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY\r
+hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro\r
+yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr\r
+vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g\r
+UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: expired2.example.org
- localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3
+ localKeyID: BB 61 99 E6 F7 7B 14 59 32 E1 10 99 42 D0 42 05 CB 5C E4 7F
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIqYRYZdwd4cwCAggA
-MBQGCCqGSIb3DQMHBAguS/XNjyFFMASCAWBxEYbvvuvMpVOunc6orT3lMpGxNbCV
-kNeLvBHH2LkW1lQfLoo0zgqzyvjF7hTbeNm9NS8dL3ZzMG7Xb3hiR22ypuP7gdaA
-NFxt7XfO7pCLsFScmOthYseIBvuxAGN8Qze2KDrXTVnOyrgPGk2q6XTIblUnGekt
-MuxJAJIIGW0le9Ci23Z+156zv7BAPWiAR7qL4Lm6V3T4ppfSeGkpBhGVpCmdjnT1
-IhR4rcrLjvqE+QhqEY/gA4chFcnkZsmcLNjMAMgHXdsGgpkrv8WrbS4nTsNY71p5
-d+qA6Z6ORVyUOrxzr34NpAM9tpsvHniMEvlJAq5DMz64qnG/iZymTKH8tOhgvD9d
-a7pENj+x1Eo+qb/2g6zut4+O5WnkWfXQXtuh+rnUOB09IteV33o8OYOlLR0eQxqJ
-BOLi5FgNVfoSJuCZrR9oqufOb4ue7x7lmOw0r3EQYUp0weYLvDyh0ih+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-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: expired2.example.org
- localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3
+ localKeyID: BB 61 99 E6 F7 7B 14 59 32 E1 10 99 42 D0 42 05 CB 5C E4 7F
subject=/CN=expired2.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w
-bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb
-0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt
-cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon
-xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4=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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBPAIBAAJBAK1KoNb3Cu3dTkQQssg1cXUb0Oo/o0v/BCm5A9JjE8eL0K694hJr
-k2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUCAwEAAQJBAIKMYjcPzW/89OVaHxWt
-DVhIKE8Quhiaeaxk8Xgho9kDQXb9VUnY9uY+hQFL8jAlmr1xyqPL1ztA8Rx7b7DH
-toECIQDifcfwxsjaF2XMdkDdEtmoYlEow5sRoGzgNz29EQtUiQIhAMPedhNwRb2J
-0Vc6OgL4DCwu4oyjxcyGU3TywinwhCUtAiAnnYaGR87DzsngfGKWCIEHocK+VZBf
-AedpRGBJHJ0VuQIhALHy6Ylthh7WGBfMcaoC22RE0FR/8hOHskjcyGQ7/IKdAiEA
-lLVprJ0QmF5Z1+6RbIOcWwRWNOHEqAz4xY6HR65E2HE=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-----END RSA PRIVATE KEY-----
subject=/O=example.org/CN=clica Signing Cert
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.org/CN=clica CA
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
-LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw
+MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa
+/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5
+1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD
+oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG
+37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly
++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz
+YHJSTjLx4idfdLNS+U5iir1Y
-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked1.example.org
- localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8
+ localKeyID: BD BF 30 04 34 2D 03 C9 AA FE 25 10 2C DB 7C 74 89 B0 9A C9
subject=/CN=revoked1.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn
-GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
-bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz
-/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg==
-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked1.example.org
- localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8
+ localKeyID: BD BF 30 04 34 2D 03 C9 AA FE 25 10 2C DB 7C 74 89 B0 9A C9
subject=/CN=revoked1.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn
-GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
-bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz
-/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw\r
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE\r
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo\r
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X\r
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw\r
+MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB\r
+ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY\r
+hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro\r
+yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr\r
+vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g\r
+UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked1.example.org
- localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8
+ localKeyID: BD BF 30 04 34 2D 03 C9 AA FE 25 10 2C DB 7C 74 89 B0 9A C9
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYvHqW0ndOlQCAggA
-MBQGCCqGSIb3DQMHBAgXAj3LlhSYaQSCAVhHtecAjwqd7AvQnGWaErxhdo/AMfio
-SWCovkatfN0ExC0Q43QX2P7HKcP6ysQDg+oLHWiIP+2N6lOkQLBxF4KCAfEa9hcR
-GJhbBDLiL5mNgfxdPzM+NUfxGainUfwiGFM5ZZg4vZgvP8hMoVeCRJ+sBP4rHzyw
-0AdAMzAeJym8MVONUMadr/D7ReMGgxQdGGl/GrrmwOAeJNCh8KJVfI7hQZE0Ell7
-XWWZPl1VafuzErUz0Lm4NdbstlfpVE/ZWWuXCxGgJ5cPyMu5oloHPpPm+x0oR4Ik
-NxPkXZ74OZtc58nTgh+SEVe/myWTujMdj9jCxfJknyAlMwZCv/wu/EwcRFopvo16
-zLCsb2x4+sW5Uhduv0mQYEIPBjl+9Eg5eHrX6z+E/AhikE3C7OmQ7MM/8PLPqoUo
-xoXYK2O5seWWA5IjCbm7I9mMQpmZi847H9WpHLEaoh8gew==
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: revoked1.example.org
- localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8
+ localKeyID: BD BF 30 04 34 2D 03 C9 AA FE 25 10 2C DB 7C 74 89 B0 9A C9
subject=/CN=revoked1.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs
-ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn
-GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID
-AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w
-bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz
-/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOQIBAAJBALR+ZNpOti250ovweQYMZPszJxojmI3qIy332xO96EiMLP7AMIoD
-q6GUcXgwitQb6pbdwrEZYdY+6hh03X9yTxECAwEAAQJADLoAyHfWVqEMnHtnPSrw
-j9nKfwhVgGQq+NnKI7k3QK4rQX1Z+wfSw0rxpE5sFqDUVheeFY/IMolXD32zJwUM
-pQIhAOEb6HbVqVqYr5lgN7CoRSVRXJEm1PvxmI6RKewtAPGTAiEAzUMl+oAfRboT
-tywwc4N8MdvAAapLnP9u7NmhG7fP80sCIHkXgCdcrCs180/4ODzpZ7i5WagjUXLt
-9XjLkdegJd/NAiAweI7bXK4F1S8arkCyxnXpgC8TNZetd1RGcg3tcbaViQIgIDmb
-d9wZOnDeMg3BlC5X+zfOyiGk3+/Jnp7Msya+nfc=
-----END RSA PRIVATE KEY-----
subject=/O=example.org/CN=clica Signing Cert
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.org/CN=clica CA
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
-LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked2.example.org
- localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C
+ localKeyID: 0E 81 86 02 8B 4D 55 65 C2 E8 26 F3 9B C2 9F 15 B0 6C 9C F1
subject=/CN=revoked2.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d
-wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
-cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu
-Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked2.example.org
- localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C
+ localKeyID: 0E 81 86 02 8B 4D 55 65 C2 E8 26 F3 9B C2 9F 15 B0 6C 9C F1
subject=/CN=revoked2.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d
-wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
-cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu
-Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw\r
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE\r
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo\r
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X\r
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw\r
+MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB\r
+ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY\r
+hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro\r
+yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr\r
+vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g\r
+UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: revoked2.example.org
- localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C
+ localKeyID: 0E 81 86 02 8B 4D 55 65 C2 E8 26 F3 9B C2 9F 15 B0 6C 9C F1
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIatK6XJ1l+7MCAggA
-MBQGCCqGSIb3DQMHBAjUZXz3pKENmgSCAWDbQs9Kd21OIstOoQdgYviX33loF2bH
-wpn0IP4P/2dFUmK07M146AEwPgXTI/mCewMgJ/cRQqnFAyoE1hjbZnk3WRi2SRXs
-dmIWAveseDuDsL7og72bHSvHIqsvcYs9SS8KBPCH6wY14a40QO1X26t7S8ZLTspu
-4V/YSNNiug6n8Z3N1Y2tuWPC8CQ9bBtL2jcqZT0WBJ8BXtn69jmVSWNm1DBaByET
-M4dqHGC//hFk1jnKBXaJ/VvBS5E6lOANwfUAr0gQT08NaJ7qJ6WUhpca7Rtky/KQ
-/passZZKeu7/R8VyQLvfk+vH2wW+5EX8+WtutWQJycW57+pnoXORrvIz3lc6B/6+
-Q91EJzABv5n93nynoZgEEr4vKiCCmLGYYJEciqQTERzCDNw3P73R+sd9PiTrku9g
-pKp12ieWWHZjeHcAMUZl8xWSytVT1fkeSPXcA43KoW93s78DegMh/HTr
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: revoked2.example.org
- localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C
+ localKeyID: 0E 81 86 02 8B 4D 55 65 C2 E8 26 F3 9B C2 9F 15 B0 6C 9C F1
subject=/CN=revoked2.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w
-bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d
-wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC
-AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs
-ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0
-dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt
-cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu
-Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBOwIBAAJBANLUlL/Fx0qhl0rhRZ3HTr+dwbKi0cDyZa97S5EDr3Dq1qurHmEs
-92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sCAwEAAQJBALGnYBCY3+4LbCk02iyx
-nbHphSa5/HXRy82q32o66MMEGIfyMaluRfMoQHS9n3yieOn2i41s7+4w52ormZEx
-hEECIQDpSgUGrakvx2mqhAxIkfYTJgS3bMUINlRveYpYNvL65QIhAOda2XxChB3H
-TxTgJURPl1i4LOEm9ecMHlBNhzhadn7fAiEA0pp8BxdnkTaY8dLbs/fxCkBcKasM
-BOnnN+ulNRYGLPECIDrXJFEyKZ/ZPQe2KkRBaeCqlt98pTXqIxuRXD684z5JAiBi
-aAtGEXlUtwnseKyflSrEh0bAwnOsEEA7qEUCl/ExPw==
-----END RSA PRIVATE KEY-----
subject=/O=example.org/CN=clica Signing Cert
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.org/CN=clica CA
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
-LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: server1.example.org
- localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D
+ localKeyID: 88 14 08 19 07 0E 31 A2 11 CA 6A F9 94 D0 81 D2 E2 C4 6C A0
subject=/CN=server1.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
-mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
-AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
-b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
-Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
-Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
-Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: server1.example.org
- localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D
+ localKeyID: 88 14 08 19 07 0E 31 A2 11 CA 6A F9 94 D0 81 D2 E2 C4 6C A0
subject=/CN=server1.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
-mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
-AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
-b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
-Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
-Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
-Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw\r
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE\r
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo\r
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X\r
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw\r
+MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB\r
+ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY\r
+hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro\r
+yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr\r
+vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g\r
+UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: server1.example.org
- localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D
+ localKeyID: 88 14 08 19 07 0E 31 A2 11 CA 6A F9 94 D0 81 D2 E2 C4 6C A0
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIhfu7ElRn7TUCAggA
-MBQGCCqGSIb3DQMHBAggde7b8jzc2ASCAWCNar4Td+ZM5Elbb16QeDTfzMoKoScb
-jQo/GS7f5h4An9vh/aTaKBoWDQ8gLcvbTUlpGxRznGt9mmOk9AOWsd03rTJ3TUud
-+Cm4GfyEslvF8zXSPgJOz4YMiMMNZF3sEGGxs+D6Dav7isMrAIE/Se4Uh3pBY3Fg
-kio9fZfJSWorb3XO6LY9wyg33sz0ZxfhLfhenpeuveQfGuwc9l/DtYuhorqa4xXv
-+T5W6HQ7g7nB/GMQF0rkm7BUSqawuLPK7ippBjpNg07iGOYNvQ5GKPahuBTbKyDc
-7LYzGNjZ+mNyL8vDNkwcdnUUqIbYsdMqmEZX+cu2wugXF1GshI9krcDHBXGcZH4G
-sogntcL8qR5KpPfBQCcp9An7TfLJkJtZOH6IYVZVy3/wb+OEou3UNckMe7PF8PWa
-T6/N9/zs49U6RxiYn+Vz/x0hQmRbLvLEsbotT1WStJq8LkcI0Zu9cJab
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: server1.example.org
- localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D
+ localKeyID: 88 14 08 19 07 0E 31 A2 11 CA 6A F9 94 D0 81 D2 E2 C4 6C A0
subject=/CN=server1.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
+MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt
cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy
-MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl
-Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk
-mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB
-AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu
-b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
-Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
-Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69
-Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-MIIBPQIBAAJBAMUil8Rwrh3cgSrcXsHoAil6lmSYqWf2lwKbRFsDGbvtiWEe5wPP
-JW72uZbtdJb9zgO/dyXDMculqgXYpREotnsCAwEAAQJBAKDzsX4NkduHoV5hNmyT
-BNDg6dGQYyAi0QCrzI+SZHxt8ZYksM//or03aXE7xUUAeFmlSQYc9KfhADAB+mL8
-3YECIQDi4Q5nPCDr99odHTguDlTDi9vEEIiY2N7g8jsGAZH6KwIhAN5wME90eCX/
-oIzlAVqCbq9JuO8Zt3lxvqbasOGT3pzxAiEAwXcifhvDAxUGNF9vQa7Mzzca/vUO
-VjBQ1kcY18VNAqMCIQCxMe/aK67WnldYRcmZP1RLANB4cCUPcoPsyUOkvzXUEQIh
-AJEKAaavDZzn70+xnPw/8QPzHExNxIRtYrxBnc0Kv74r
-----END RSA PRIVATE KEY-----
subject=/O=example.org/CN=clica Signing Cert
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
-----END CERTIFICATE-----
Bag Attributes
friendlyName: Certificate Authority
subject=/O=example.org/CN=clica CA
issuer=/O=example.org/CN=clica CA
-----BEGIN CERTIFICATE-----
-MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw
-MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
-Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID
-AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq
-hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl
-LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI=
+MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw
+MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp
+Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa
+/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5
+1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD
+oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw
+DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG
+37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly
++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz
+YHJSTjLx4idfdLNS+U5iir1Y
-----END CERTIFICATE-----
Bag Attributes
friendlyName: server2.example.org
- localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77
+ localKeyID: 86 EB 3E FE 4D A0 AA B2 44 D0 9C 33 41 91 11 0F E4 B5 77 94
subject=/CN=server2.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0zODAxMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1bNd+LEj7UV8Riahrn/3TL1n
-NwaIvqkqCFscP5ae3dB5rJ8vdfIc0hOzh782zpXxJxYa7S340zjxfgdUzMAeWQID
-AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5vcmcvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
-ZS5vcmcwDQYJKoZIhvcNAQEFBQADQQBCORy4CO4MMENsEtYwU7xE0Ck5i8VefJ6D
-txODMnRUzsthdbfjgXm3BfVPrhOuT0/bIKfyJtoSdCtN1SRPTJxO
-----END CERTIFICATE-----
Bag Attributes
friendlyName: server2.example.org
- localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77
+ localKeyID: 86 EB 3E FE 4D A0 AA B2 44 D0 9C 33 41 91 11 0F E4 B5 77 94
subject=/CN=server2.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
+MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh
bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx
-MjM0MDNaFw0zODAxMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
-ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1bNd+LEj7UV8Riahrn/3TL1n
-NwaIvqkqCFscP5ae3dB5rJ8vdfIc0hOzh782zpXxJxYa7S340zjxfgdUzMAeWQID
-AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD
-AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl
-Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0
-cDovL29zY3AvZXhhbXBsZS5vcmcvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs
-ZS5vcmcwDQYJKoZIhvcNAQEFBQADQQBCORy4CO4MMENsEtYwU7xE0Ck5i8VefJ6D
-txODMnRUzsthdbfjgXm3BfVPrhOuT0/bIKfyJtoSdCtN1SRPTJxO
+MjM0MTBaFw0zODAxMDExMjM0MTBaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs
+ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALLE1hEpg5JGIpYSHMWN
+E/s8UpUxBYBqQI0cecr5uwwoNfBybw6cpEwP1XMHlVqlz4nP9Gfo7XLI3dE/GQ0H
+4/Urlw8tP/hydlP8LxXG3ZDyL7f4yYvoHCxsUy7jC3yv9Z0lQx59gvdTho3OZkIW
+he3mmSY/aH7pXrP+Y0CcPdNvAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG
+A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj
+hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE
+KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0R
+BBcwFYITc2VydmVyMi5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQUFAAOBgQCOfWb9
+Dt+2W6GH3500f4QJ8ORluURIEn1rtZaT+Nz9AliREjhBgMInwYhkvzESGqbpeZHG
+mnE8zGHlXBs2H8BAp0jpXpm0BCrCe9B2NPa98CLUuNlraTr+eWoMmf85DHmML/rl
+8N6BKUMgUFBP1KKvDthUFbQ/S+IcsuP2tRH6tg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw\r
-MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
-Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE\r
-zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo\r
-F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB\r
-Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s\r
-YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X\r
-PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw==
+MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt\r
+cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw\r
+MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp\r
+Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB\r
+ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY\r
+hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro\r
+yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E\r
+BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw\r
+Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA\r
+n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr\r
+vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g\r
+UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU=
-----END CERTIFICATE-----
Bag Attributes
friendlyName: server2.example.org
- localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77
+ localKeyID: 86 EB 3E FE 4D A0 AA B2 44 D0 9C 33 41 91 11 0F E4 B5 77 94
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIjfdds7UVEY0CAggA
-MBQGCCqGSIb3DQMHBAiY22+2lkjkEASCAWDm5MmTuUgMOkSWscoH1Qn/GVM2sawP
-TsknGm/HMV+bJlpGLCXwBrAKe6RDC+zlEmGVUSWJoxoPz1qQT9fcooyEFSCS8asN
-omSw+8wrxXTSB57b1OqpHoV8VlTT60/sdVV8l9B1Ef/vsdjKB0NDwqUwDVg4Xw32
-wV3Tv8pFRLg3CBCEDeykcJ+FkodSope9UL6E95Ukhae335bTmWsxbrR4IZCUhI2t
-/MOLyPnd6huPGlti2SH8PRRnei6TM/O8mH1uUzdSAqxoDA6wV+P6pIDI8GY1k61q
-53oeq9ocSJOQ+q3kIyBQlGgApME47hog3sVZ/WsU3r071g9VKhzlFUFPOOkbUR9+
-gl7MDV/r/6IjOAHEaLFBQrnRVKbs93sTtf8pNhIHJLJtTWjDV/nBbiHxsNFIWqGU
-ZlH0FU2DENHZqPiLxsfH1J9EmtTiHXgu/naD0m7RbmPm6ffIDPuYPVMw
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName: server2.example.org
- localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77
+ localKeyID: 86 EB 3E FE 4D A0 AA B2 44 D0 9C 33 41 91 11 0F E4 B5 77 94
subject=/CN=server2.example.org
issuer=/O=example.org/CN=clica Signing Cert
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
read junk
for tld in com org net
do
- clica -D example.$tld -p password -B 512 -I -N example.$tld -F -C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/
- clica -D example.$tld -p password -s 101 -S server1.example.$tld
+ clica -D example.$tld -p password -B 1024 -I -N example.$tld -F \
+ -C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/
+
+ clica -D example.$tld -p password -s 101 -S server1.example.$tld \
+ -8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld
clica -D example.$tld -p password -s 102 -S revoked1.example.$tld
clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
clica -D example.$tld -p password -s 201 -S server2.example.$tld
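Review bot: the responder URL passed with -O is still `http://oscp/example.$tld/`, which reads as host `oscp` with path `/example.$tld/`; since the line is being rewrapped anyway, confirm whether `http://ocsp.example.$tld/` was meant, because the value presumably ends up in every certificate this CA issues. Raising -B from 512 to 1024 is fine for fixtures, but a comment saying the size is chosen for the test suite and is not a recommendation would stop it being copied elsewhere.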
do
SPFX=example.$tld/$server.example.$tld/$server.example.$tld
openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -reqout $SPFX.ocsp.req
- openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
- openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
- openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
+ openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
+ openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
+ openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
done
done
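Review bot: `-ndays 3652` on the good and revoked responses gives them ten-year validity, but the dated response keeps `-ndays 30`, so whether it is fresh or stale depends on when this script was last run. Add a comment stating which tests use `ocsp.dated.resp` and which state they expect. The `$SPFX` and `$CADIR` expansions are unquoted; harmless with these names, but quoting them costs nothing.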
# and loop again to generate unlocked keys and client cert bundles
for tld in com org net
do
- for server in server1 revoked1 expired1 server2 revoked2 expired2 do
+ for server in server1 revoked1 expired1 server2 revoked2 expired2
+ do
SDIR=example.$tld/$server.example.$tld
SPFX=$SDIR/$server.example.$tld
openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
done
+find example.* -type d -print0 | xargs -0 chmod 755
+find example.* -type f -print0 | xargs -0 chmod 644
+
echo "CA, Certificate, CRL and OSCP Response generation complete"
;;
esac
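Review bot: `find example.* -type f -print0 | xargs -0 chmod 644` also applies to the `*.unlocked.key` files written by the `openssl rsa` step in the loop above, and to `pwdfile`, leaving unencrypted private keys and their passphrase world-readable. If the test suite needs that so the Exim user can read them, say so in a comment; otherwise exclude those files or set them to 640. The closing echo still says OSCP.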
+dnl Solaris requires additional libraries for networking functions.
+
+AC_SEARCH_LIBS([inet_addr], [nsl])
+AC_SEARCH_LIBS([connect], [socket])
+
dnl "Export" these variables
AC_SUBST(BIND_8_COMPAT)
AC_SUBST(CLIENT_GNUTLS)
AC_SUBST(LOADED)
AC_SUBST(LOADED_OPT)
+AC_SUBST(LIBS)
dnl This must be last; it determines what files are written
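Review bot: `AC_SUBST(LIBS)` should not be needed, since LIBS is one of autoconf's preset output variables and AC_SEARCH_LIBS already prepends the library it finds to it. What matters is that the Makefile template uses `@LIBS@` on the link line, which this hunk does not show. If the explicit AC_SUBST is kept for clarity, move it next to the two AC_SEARCH_LIBS calls so it sits under the Solaris comment.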
driver = accept
local_parts = userx
headers_add = "${if def:h_x-rbl-warning: {Added: xxxx}fail}"
- headers_remove = "${if def:h_x-rbl-warning: {subject}fail}"
+ # Colon-sep list!
+ headers_remove = "${if def::h_x-rbl-warning:: {subject}fail}"
transport = local_delivery
driver = accept
local_parts = userx
headers_add = "${if def:h_x-rbl-warning: {Added: by router}}"
- headers_remove = "${if def:h_x-rbl-warning: {subject}}"
+ # Colon-sep list!
+ headers_remove = "${if def::h_x-rbl-warning:: {subject}}"
transport = local_delivery
envelope_to_add
file = DIR/test-mail/$local_part
headers_add = "${if def:h_tadd: {Added: by transport}}"
- headers_remove = "${if def:h_tadd: {tadd}}"
+ headers_remove = "${if def::h_tadd:: {tadd}}"
return_path_add
user = CALLER
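Review bot: the doubled colons in `def::h_tadd::` are added here without the `# Colon-sep list!` comment that the two router hunks carry, and that comment is itself too terse to explain the fix. One sentence on each of the three occurrences, saying that headers_remove is a colon-separated list and so colons inside the expansion must be doubled, would make the reason obvious to the next editor.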
headers_add = X-Delivered-To: $local_part@$domain
retry_use_local_part
transport = local_delivery
+ headers_add = X-rtr-hdr: 1
+ headers_add = ${if bool{false} {X-rtr-hdr: 2}}
+ headers_add = X-rtr-hdr: 3
# ----- Transports -----
envelope_to_add
file = DIR/test-mail/$local_part
user = CALLER
+ headers_add = X-tpt-hdr: 1
+ headers_add = ${if bool{false} {X-tpt-hdr: 2}}
+ headers_add = X-tpt-hdr: 3
# End
--- /dev/null
+# Exim test configuration 0569
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_mail = check_from
+acl_smtp_rcpt = accept
+acl_smtp_data = check_message
+
+recipient_unqualified_hosts = V4NET.10.10.9
+
+# ----- ACL -----
+
+begin acl
+
+check_from:
+ accept senders = usery@exim.test.ex
+ set acl_m_message = I do not like your message
+ accept
+
+check_message:
+ require message = ${if def:acl_m_message {$acl_m_message}}
+ verify = header_names_ascii
+ accept
+
+# End
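Review bot: the new file has no description line under `# Exim test configuration 0569`, unlike the other configurations touched in this change, so its purpose (exercising `verify = header_names_ascii`) has to be inferred from the ACL. In check_message the `message` modifier expands to an empty string for every sender other than usery@exim.test.ex; if that is deliberate, to cover the default rejection text, add a comment saying so.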
--- /dev/null
+# Exim test configuration 0005
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+domainlist local_domains = @
+
+acl_smtp_rcpt = accept
+acl_smtp_data = check_data
+
+trusted_users = CALLER
+
+
+# ----- ACL -----
+
+begin acl
+
+check_data:
+ accept logwrite = \
+ x-test-header-good1: ${utf8clean:$h_x-test-header-good1:}
+ logwrite = \
+ x-test-header-good2: ${utf8clean:$h_x-test-header-good2:}
+ logwrite = \
+ x-test-header-too-short: ${utf8clean:$h_x-test-header-too-short:}
+ logwrite = \
+ x-test-header-too-long: ${utf8clean:$h_x-test-header-too-long:}
+ logwrite = \
+ x-test-header-too-big: ${utf8clean:$h_x-test-header-too-big:}
+
+
+
+# ----- Routers -----
+
+begin routers
+
+fail_remote_domains:
+ driver = redirect
+ domains = ! +local_domains
+ data = :fail: unrouteable mail domain "$domain"
+
+localuser:
+ driver = accept
+ check_local_user
+ transport = local_delivery
+ headers_add = X-local-user: uid=$local_user_uid gid=$local_user_gid
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ delivery_date_add
+ envelope_to_add
+ file = DIR/test-mail/$local_part
+ headers_add = "X-body-linecount: $body_linecount\n\
+ X-message-linecount: $message_linecount\n\
+ X-received-count: $received_count"
+ return_path_add
+
+# End
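Review bot: the header reads `# Exim test configuration 0005`, but the file is created from /dev/null and its distinctive content is the `${utf8clean:...}` logwrite lines in check_data. Check that the number matches the file name and add a description line naming the operator under test. If the test only inspects the log lines written by check_data, the X-body-linecount and X-local-user header additions in the router and transport can be trimmed.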
tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
-tls_certificate = DIR/aux-fixed/cert1
-tls_privatekey = DIR/aux-fixed/cert1
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = DIR/aux-fixed/cert2
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
# ------ ACL ------
DHE_RSA_AES_256_CBC_SHA1 : \
DHE_RSA_3DES_EDE_CBC_SHA : \
RSA_AES_256_CBC_SHA1
- accept
+ warn logwrite = ${if def:tls_in_ourcert \
+ {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
+ {We did not present a cert}}
+ accept condition = ${if !def:tls_in_peercert}
+ logwrite = Peer did not present a cert
+ accept logwrite = Peer cert:
+ logwrite = ver ${certextract {version}{$tls_in_peercert}}
+ logwrite = SR <${certextract {serial_number}{$tls_in_peercert}}>
+ logwrite = SN <${certextract {subject} {$tls_in_peercert}}>
+ logwrite = IN <${certextract {issuer} {$tls_in_peercert}}>
+ logwrite = IN/O <${certextract {issuer,O} {$tls_in_peercert}}>
+ logwrite = NB <${certextract {notbefore} {$tls_in_peercert}}>
+ logwrite = NB/i <${certextract {notbefore,int}{$tls_in_peercert}}>
+ logwrite = NA <${certextract {notafter} {$tls_in_peercert}}>
+ logwrite = SA <${certextract {sig_algorithm}{$tls_in_peercert}}>
+ logwrite = SG <${certextract {signature} {$tls_in_peercert}}>
+ logwrite = ${certextract {subj_altname} {$tls_in_peercert} {SAN <$value>}{(no SAN)}}
+# logwrite = ${certextract {ocsp_uri} {$tls_in_peercert} {OCU <$value>}{(no OCU)}}
+ logwrite = ${certextract {crl_uri} {$tls_in_peercert} {CRU <$value>}{(no CRU)}}
+ logwrite = md5 fingerprint ${md5:$tls_in_peercert}
+ logwrite = sha1 fingerprint ${sha1:$tls_in_peercert}
+ logwrite = sha256 fingerprint ${sha256:$tls_in_peercert}
# ----- Routers -----
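Review bot: the `ocsp_uri` certextract line is added already commented out, with no reason given, while the otherwise identical block added to the other TLS configuration in this change logs it. Add a comment saying why it is disabled here, so it is not mistaken for leftover debugging and gets re-enabled when the reason goes away.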
# Exim test configuration 2012
+# TLS client: verify certificate from server - fails
SERVER=
gecos_pattern = ""
gecos_name = CALLER_NAME
+FX = DIR/aux-fixed
+S1 = FX/exim-ca/example.com/server1.example.com
+
+CA1 = S1/ca_chain.pem
+CERT1 = S1/server1.example.com.pem
+KEY1 = S1/server1.example.com.unlocked.key
+CA2 = FX/cert2
+CERT2 = FX/cert2
+KEY2 = FX/cert2
+
# ----- Main settings -----
acl_smtp_rcpt = accept
# Set certificate only if server
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
+tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
# ----- Routers -----
begin routers
-client:
+server_dump:
+ driver = redirect
+ condition = ${if eq {SERVER}{server}{yes}{no}}
+ data = :blackhole:
+
+client_x:
+ driver = accept
+ local_parts = userx
+ retry_use_local_part
+ transport = send_to_server_failcert
+ errors_to = ""
+
+client_y:
+ driver = accept
+ local_parts = usery
+ retry_use_local_part
+ transport = send_to_server_retry
+
+client_z:
+ driver = accept
+ local_parts = userz
+ retry_use_local_part
+ transport = send_to_server_crypt
+
+client_q:
+ driver = accept
+ local_parts = userq
+ retry_use_local_part
+ transport = send_to_server_req_fail
+
+client_r:
+ driver = accept
+ local_parts = userr
+ retry_use_local_part
+ transport = send_to_server_req_failname
+
+client_s:
driver = accept
- condition = ${if eq {SERVER}{server}{no}{yes}}
+ local_parts = users
retry_use_local_part
- transport = send_to_server
+ transport = send_to_server_req_passname
# ----- Transports -----
begin transports
-send_to_server:
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
+send_to_server_failcert:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
+send_to_server_retry:
driver = smtp
allow_localhost
hosts = HOSTIPV4 : 127.0.0.1
hosts_require_tls = HOSTIPV4
port = PORT_D
- tls_certificate = DIR/aux-fixed/cert2
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
tls_verify_certificates = \
- ${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}}
+ ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+
+# this will fail to verify the cert but continue unverified though crypted
+send_to_server_crypt:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+ tls_try_verify_hosts = *
+
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+send_to_server_req_fail:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+ tls_verify_hosts = *
+
+# # this will fail to verify the cert name and fallback to unencrypted
+# send_to_server_req_failname:
+# driver = smtp
+# allow_localhost
+# hosts = HOSTIPV4
+# port = PORT_D
+# tls_certificate = CERT2
+# tls_privatekey = CERT2
+#
+# tls_verify_certificates = CA1
+# tls_verify_cert_hostnames = server1.example.net : server1.example.org
+# tls_verify_hosts = *
+#
+# # this will pass the cert verify including name check
+# send_to_server_req_passname:
+# driver = smtp
+# allow_localhost
+# hosts = HOSTIPV4
+# port = PORT_D
+# tls_certificate = CERT2
+# tls_privatekey = CERT2
+#
+# tls_verify_certificates = CA1
+# tls_verify_cert_hostnames = noway.example.com : server1.example.com
+# tls_verify_hosts = *
# End
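Review bot: routers client_r and client_s point at `send_to_server_req_failname` and `send_to_server_req_passname`, but both transports are added only as commented-out blocks at the end of this file. Either comment out the two routers as well or note why the transports are disabled, so that mail for userr or users cannot be routed to a transport that is not defined. The header line "verify certificate from server - fails" also no longer describes the retry and pass cases added here.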
tls_privatekey = CERT
tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = TVC
+#tls_verify_certificates = TVC
+tls_verify_certificates = CERT
# End
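Review bot: the old `tls_verify_certificates = TVC` is left behind as a comment directly above its replacement. Delete it, and the TVC macro too if nothing else uses it, or add a line saying why verification now uses CERT.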
tls_advertise_hosts = *
tls_require_ciphers = ${if eq{$sender_host_address}{HOSTIPV4}\
- {IDEA-CBC-MD5}{!RSA_AES_256:DES-CBC3-SHA}}
+ {NONE}{SECURE256}}
# Set certificate only if server
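Review bot: the cipher strings change from named suites to `{NONE}{SECURE256}` with no comment, so a reader cannot tell that the HOSTIPV4 branch is presumably meant to offer nothing and fail the handshake. Add a comment stating the expected outcome for each branch.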
primary_hostname = myhost.test.ex
rfc1413_query_timeout = 0s
spool_directory = DIR/spool
+.ifdef SERVER
log_file_path = DIR/spool/log/%slog
+.else
+log_file_path = DIR/spool/log/%D-%slog
+.endif
gecos_pattern = ""
gecos_name = CALLER_NAME
acl_smtp_rcpt = check_rcpt
log_selector = +tls_peerdn
+
tls_advertise_hosts = HOSTIPV4
tls_certificate = DIR/aux-fixed/cert1
tls_privatekey = DIR/aux-fixed/cert1
check_rcpt:
accept local_parts = userx
+ control = queue_only
defer local_parts = usery
hosts = 127.0.0.1
- accept
-
+ accept control = queue_only
# ----- Routers -----
tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
-tls_certificate = DIR/aux-fixed/cert1
-tls_privatekey = DIR/aux-fixed/cert1
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = DIR/aux-fixed/cert2
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
# ------ ACL ------
DHE-RSA-AES256-GCM-SHA384 : \
DHE_RSA_AES_256_CBC_SHA1 : \
DHE_RSA_3DES_EDE_CBC_SHA
- accept
+ warn logwrite = ${if def:tls_in_ourcert \
+ {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
+ {We did not present a cert}}
+ accept condition = ${if !def:tls_in_peercert}
+ logwrite = Peer did not present a cert
+ accept logwrite = Peer cert:
+ logwrite = ver ${certextract {version}{$tls_in_peercert}}
+ logwrite = SR <${certextract {serial_number}{$tls_in_peercert}}>
+ logwrite = SN <${certextract {subject} {$tls_in_peercert}}>
+ logwrite = IN <${certextract {issuer} {$tls_in_peercert}}>
+ logwrite = IN/O <${certextract {issuer,O} {$tls_in_peercert}}>
+ logwrite = NB <${certextract {notbefore} {$tls_in_peercert}}>
+ logwrite = NB/i <${certextract {notbefore,int}{$tls_in_peercert}}>
+ logwrite = NA <${certextract {notafter} {$tls_in_peercert}}>
+ logwrite = SA <${certextract {sig_algorithm}{$tls_in_peercert}}>
+ logwrite = SG <${certextract {signature} {$tls_in_peercert}}>
+ logwrite = ${certextract {subj_altname} {$tls_in_peercert} {SAN <$value>}{(no SAN)}}
+ logwrite = ${certextract {ocsp_uri} {$tls_in_peercert} {OCU <$value>}{(no OCU)}}
+ logwrite = ${certextract {crl_uri} {$tls_in_peercert} {CRU <$value>}{(no CRU)}}
+ logwrite = md5 fingerprint ${md5:$tls_in_peercert}
+ logwrite = sha1 fingerprint ${sha1:$tls_in_peercert}
+ logwrite = sha256 fingerprint ${sha256:$tls_in_peercert}
# ----- Routers -----
# Exim test configuration 2112
+# TLS client: verify certificate from server - fails
SERVER=
gecos_pattern = ""
gecos_name = CALLER_NAME
+FX = DIR/aux-fixed
+S1 = FX/exim-ca/example.com/server1.example.com
+
+CA1 = S1/ca_chain.pem
+CERT1 = S1/server1.example.com.pem
+KEY1 = S1/server1.example.com.unlocked.key
+CA2 = FX/cert2
+CERT2 = FX/cert2
+KEY2 = FX/cert2
+
# ----- Main settings -----
acl_smtp_rcpt = accept
# Set certificate only if server
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
+tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
# ----- Routers -----
begin routers
-client:
+server_dump:
+ driver = redirect
+ condition = ${if eq {SERVER}{server}{yes}{no}}
+ data = :blackhole:
+
+client_x:
+ driver = accept
+ local_parts = userx
+ retry_use_local_part
+ transport = send_to_server_failcert
+ errors_to = ""
+
+client_y:
+ driver = accept
+ local_parts = usery
+ retry_use_local_part
+ transport = send_to_server_retry
+
+client_z:
+ driver = accept
+ local_parts = userz
+ retry_use_local_part
+ transport = send_to_server_crypt
+
+client_q:
+ driver = accept
+ local_parts = userq
+ retry_use_local_part
+ transport = send_to_server_req_fail
+
+client_r:
+ driver = accept
+ local_parts = userr
+ retry_use_local_part
+ transport = send_to_server_req_failname
+
+client_s:
driver = accept
- condition = ${if eq {SERVER}{server}{no}{yes}}
+ local_parts = users
retry_use_local_part
- transport = send_to_server
+ transport = send_to_server_req_passname
# ----- Transports -----
begin transports
-send_to_server:
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
+send_to_server_failcert:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
+send_to_server_retry:
driver = smtp
allow_localhost
hosts = HOSTIPV4 : 127.0.0.1
hosts_require_tls = HOSTIPV4
port = PORT_D
- tls_certificate = DIR/aux-fixed/cert2
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
tls_verify_certificates = \
- ${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}}
+ ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+
+# this will fail to verify the cert but continue unverified though crypted
+send_to_server_crypt:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+ tls_try_verify_hosts = *
+
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+send_to_server_req_fail:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+ tls_verify_hosts = *
+
+# # this will fail to verify the cert name and fallback to unencrypted
+# send_to_server_req_failname:
+# driver = smtp
+# allow_localhost
+# hosts = HOSTIPV4
+# port = PORT_D
+# tls_certificate = CERT2
+# tls_privatekey = CERT2
+#
+# tls_verify_certificates = CA1
+# tls_verify_cert_hostnames = server1.example.net : server1.example.org
+# tls_verify_hosts = *
+#
+# # this will pass the cert verify including name check
+# send_to_server_req_passname:
+# driver = smtp
+# allow_localhost
+# hosts = HOSTIPV4
+# port = PORT_D
+# tls_certificate = CERT2
+# tls_privatekey = CERT2
+#
+# tls_verify_certificates = CA1
+# tls_verify_cert_hostnames = noway.example.com : server1.example.com
+# tls_verify_hosts = *
# End
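Review bot: KEY2 is defined alongside CERT2 but never used; every transport in this file sets `tls_privatekey = CERT2`. Both macros expand to FX/cert2, so behaviour is the same, but either use KEY2 in the transports or drop the macro. As in the 2012 configuration, client_r and client_s reference transports that exist here only as comments.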
hosts_require_auth = *
allow_localhost
+ # These can be made visible by adding "-d-all+deliver+transport+tls" to the script 1st queuerun
+ headers_add = X-tls-cipher: <$tls_cipher>
+ headers_add = X-tls-out-cipher: <$tls_out_cipher>
+
# End
route_list = * 127.0.0.1
self = send
transport = smtp
+ headers_remove = X-hdr-rtr
+ headers_add = X-hdr-rtr-new: $h_X-hdr-rtr:+++
no_more
driver = smtp
interface = HOSTIPV4
port = PORT_S
+ headers_add = ${if def:h_X-hdr-rtr {X-hdr-tpt-new: new} {}}
# End
--- /dev/null
+# Exim test configuration 2012
+# TLS client: verify certificate from server - fails
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+FX = DIR/aux-fixed
+S1 = FX/exim-ca/example.com/server1.example.com
+
+CA1 = S1/ca_chain.pem
+CERT1 = S1/server1.example.com.pem
+KEY1 = S1/server1.example.com.unlocked.key
+CA2 = FX/cert2
+CERT2 = FX/cert2
+KEY2 = FX/cert2
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector = +tls_peerdn+tls_certificate_verified
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
+
+tls_verify_hosts = *
+tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
+
+
+# ----- Routers -----
+
+begin routers
+
+server_dump:
+ driver = redirect
+ condition = ${if eq {SERVER}{server}{yes}{no}}
+ data = :blackhole:
+
+client_x:
+ driver = accept
+ local_parts = userx
+ retry_use_local_part
+ transport = send_to_server_failcert
+ errors_to = ""
+
+client_y:
+ driver = accept
+ local_parts = usery
+ retry_use_local_part
+ transport = send_to_server_retry
+
+client_z:
+ driver = accept
+ local_parts = userz
+ retry_use_local_part
+ transport = send_to_server_crypt
+
+client_q:
+ driver = accept
+ local_parts = userq
+ retry_use_local_part
+ transport = send_to_server_req_fail
+
+client_r:
+ driver = accept
+ local_parts = userr
+ retry_use_local_part
+ transport = send_to_server_req_failname
+
+client_s:
+ driver = accept
+ local_parts = users
+ retry_use_local_part
+ transport = send_to_server_req_passname
+
+
+# ----- Transports -----
+
+begin transports
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
+send_to_server_failcert:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
+send_to_server_retry:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4 : 127.0.0.1
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = \
+ ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+
+# this will fail to verify the cert but continue unverified though crypted
+send_to_server_crypt:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+ tls_try_verify_hosts = *
+
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+send_to_server_req_fail:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+ tls_verify_hosts = *
+
+# this will fail to verify the cert name and fallback to unencrypted
+send_to_server_req_failname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_hosts = *
+
+# this will pass the cert verify including name check
+send_to_server_req_passname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_hosts = *
+
+# End
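Review bot: this file is created from /dev/null, yet its header repeats `# Exim test configuration 2012` and the "fails" description from the existing 2012 configuration modified earlier in this change. Update the number and description to match the new file, whose distinguishing content is the two transports that set `tls_verify_cert_hostnames`.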
--- /dev/null
+# Exim test configuration 2112
+# TLS client: verify certificate from server - fails
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+FX = DIR/aux-fixed
+S1 = FX/exim-ca/example.com/server1.example.com
+
+CA1 = S1/ca_chain.pem
+CERT1 = S1/server1.example.com.pem
+KEY1 = S1/server1.example.com.unlocked.key
+CA2 = FX/cert2
+CERT2 = FX/cert2
+KEY2 = FX/cert2
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector = +tls_peerdn+tls_certificate_verified
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
+
+tls_verify_hosts = *
+tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
+
+
+# ----- Routers -----
+
+begin routers
+
+server_dump:
+ driver = redirect
+ condition = ${if eq {SERVER}{server}{yes}{no}}
+ data = :blackhole:
+
+client_x:
+ driver = accept
+ local_parts = userx
+ retry_use_local_part
+ transport = send_to_server_failcert
+ errors_to = ""
+
+client_y:
+ driver = accept
+ local_parts = usery
+ retry_use_local_part
+ transport = send_to_server_retry
+
+client_z:
+ driver = accept
+ local_parts = userz
+ retry_use_local_part
+ transport = send_to_server_crypt
+
+client_q:
+ driver = accept
+ local_parts = userq
+ retry_use_local_part
+ transport = send_to_server_req_fail
+
+client_r:
+ driver = accept
+ local_parts = userr
+ retry_use_local_part
+ transport = send_to_server_req_failname
+
+client_s:
+ driver = accept
+ local_parts = users
+ retry_use_local_part
+ transport = send_to_server_req_passname
+
+
+# ----- Transports -----
+
+begin transports
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
+send_to_server_failcert:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
+send_to_server_retry:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4 : 127.0.0.1
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = \
+ ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+
+# this will fail to verify the cert but continue unverified though crypted
+send_to_server_crypt:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+ tls_try_verify_hosts = *
+
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+send_to_server_req_fail:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+ tls_verify_hosts = *
+
+# this will fail to verify the cert name and fallback to unencrypted
+send_to_server_req_failname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_hosts = *
+
+# this will pass the cert verify including name check
+send_to_server_req_passname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_hosts = *
+
+# End
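Review bot: `send_to_server_req_fail` sets `tls_verify_hosts = *` without `hosts_require_tls`, and its comment says delivery falls back to unencrypted after the verification failure. Since that is a downgrade to cleartext, the comment should state that this is the behaviour under test, and the expected log should show the unencrypted delivery explicitly. The header of this new file likewise repeats `# Exim test configuration 2112` from the existing one.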
# ----- Main settings -----
+acl_smtp_connect = check_connect
+acl_smtp_mail = check_mail
acl_smtp_rcpt = check_recipient
log_selector = +tls_peerdn
begin acl
+check_connect:
+ accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp \
+ (${listextract {${eval:$tls_in_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+
+check_mail:
+ accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+ (${listextract {${eval:$tls_in_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+
check_recipient:
deny message = certificate not verified: peerdn=$tls_peerdn
! verify = certificate
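Review bot: the `${listextract {${eval:$tls_in_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}}` decoding is written out in full in both check_connect and check_mail, and the same list appears again for `$tls_out_ocsp` in the client configurations. Define it once as a macro so the status names cannot drift between copies. A value outside 0 to 4 would index past the list and log empty parentheses; using the optional failure string of listextract would make that case visible in the log.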
domainlist local_domains = test.ex : *.test.ex
acl_smtp_rcpt = check_recipient
+acl_smtp_data = check_data
+
log_selector = +tls_peerdn
remote_max_parallel = 1
accept domains = +local_domains
deny message = relay not permitted
+check_data:
+ warn condition = ${if def:h_X-TLS-out:}
+ logwrite = client claims: $h_X-TLS-out:
+ accept
# ----- Routers -----
condition = ${if eq {SERVER}{server}{no}{yes}}
retry_use_local_part
transport = send_to_server${if eq{$local_part}{nostaple}{1} \
- {${if eq{$local_part}{smtps} {3}{2}}} \
- }
+ {${if eq{$local_part}{norequire} {2} \
+ {${if eq{$local_part}{smtps} {4}{3}}} \
+ }}}
server:
driver = redirect
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
-# note no ocsp here
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
send_to_server2:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+
+send_to_server3:
driver = smtp
allow_localhost
hosts = 127.0.0.1
port = PORT_D
helo_data = helo.data.changed
- #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
hosts_require_ocsp = *
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
-send_to_server3:
+send_to_server4:
driver = smtp
allow_localhost
hosts = 127.0.0.1
port = PORT_D
helo_data = helo.data.changed
- #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
# ----- Retry -----
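Review bot: inserting the norequire transport renumbers the existing ones, so `send_to_server3` now carries what `send_to_server2` did and smtps moves from 3 to 4 in the router expression. Descriptive transport names (for instance suffixes nostaple, norequire, require and smtps, as a suggestion) would make the router's nested `${if}` self-explanatory and avoid this kind of silent shift. The new `hosts_request_ocsp = :` line replaces the "# note no ocsp here" comment; keep a comment saying the empty list is what disables the request.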
--- /dev/null
+# Exim test configuration 5601
+# OCSP stapling, client, tpda
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = check_recipient
+acl_smtp_data = check_data
+
+log_selector = +tls_peerdn
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
+fail\
+}
+
+#{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\
+
+tls_privatekey = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
+fail}
+
+tls_ocsp_file = OCSP
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept domains = +local_domains
+ deny message = relay not permitted
+
+check_data:
+ warn condition = ${if def:h_X-TLS-out:}
+ logwrite = client claims: $h_X-TLS-out:
+ accept
+
+logger:
+ warn logwrite = client ocsp status: $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ accept
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = accept
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ retry_use_local_part
+ transport = send_to_server${if eq{$local_part}{nostaple}{1} \
+ {${if eq{$local_part}{norequire} {2} \
+ {${if eq{$local_part}{smtps} {4}{3}}} \
+ }}}
+
+server:
+ driver = redirect
+ data = :blackhole:
+ #retry_use_local_part
+ #transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+# nostaple: deliberately do not request cert-status
+send_to_server1:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+# norequire: request stapling but do not verify
+send_to_server2:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+# (any other name): request and verify
+send_to_server3:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+# (any other name): request and verify, ssl-on-connect
+send_to_server4:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ protocol = smtps
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,1s
+
+
+# End
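Review bot: the comment above send_to_server4, `# (any other name): request and verify, ssl-on-connect`, does not match the client router, which selects transport 4 only for local part `smtps` and sends every other name to transport 3. Reword it to name `smtps`. Separately, headers_add in these four transports emits only the bare number from $tls_out_ocsp, while the logger ACL in the same file prints the number and its name; use one form in both places so the header and the log line can be compared directly. The stray `#{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\` line between tls_certificate and tls_privatekey looks like a leftover and should go.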
--- /dev/null
+# Exim test configuration 5650
+# OCSP stapling, server
+
+CRL=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_connect = check_connect
+acl_smtp_mail = check_mail
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+tls_crl = CRL
+tls_ocsp_file = OCSP
+
+#tls_verify_hosts = HOSTIPV4
+#tls_try_verify_hosts = *
+#tls_verify_certificates = DIR/aux-fixed/cert2
+
+
+
+# ------ ACL ------
+
+begin acl
+
+check_connect:
+ accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp \
+ (${listextract {${eval:$tls_in_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+
+check_mail:
+ accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+ (${listextract {${eval:$tls_in_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+
+check_recipient:
+ accept
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+ driver = accept
+ retry_use_local_part
+ transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+# End
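Review bot: the three commented-out settings `#tls_verify_hosts`, `#tls_try_verify_hosts` and `#tls_verify_certificates` read as leftovers; remove them or add a comment saying why they are kept. check_connect and check_mail carry the same listextract expansion twice, so a macro would keep the two log lines in step. `CRL=` is defined empty in the file, so `tls_crl = CRL` expands to nothing unless the test script overrides the macro; a short comment stating where the value comes from would make that clear.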
--- /dev/null
+# Exim test configuration 5651
+# OCSP stapling, client
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = check_recipient
+acl_smtp_data = check_data
+
+log_selector = +tls_peerdn
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+tls_certificate = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
+fail\
+}
+tls_privatekey = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
+fail}
+
+# from cmdline define
+tls_ocsp_file = OCSP
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept domains = +local_domains
+ deny message = relay not permitted
+
+check_data:
+ warn condition = ${if def:h_X-TLS-out:}
+ logwrite = client claims: $h_X-TLS-out:
+ accept
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = accept
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ retry_use_local_part
+ transport = send_to_server${if eq{$local_part}{nostaple}{1} \
+ {${if eq{$local_part}{norequire} {2} \
+ {${if eq{$local_part}{smtps} {4}{3}}} \
+ }}}
+
+server:
+ driver = redirect
+ data = :blackhole:
+ #retry_use_local_part
+ #transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+send_to_server1:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+
+send_to_server2:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+
+send_to_server3:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+
+send_to_server4:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ protocol = smtps
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,1s
+
+
+# End
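Review bot: the four send_to_server transports have no comment saying which case each one covers; the mapping (nostaple to 1, norequire to 2, smtps to 4, anything else to 3) can only be recovered from the nested `${if` in the client router. Add a one-line comment above each transport. The commented-out `#tls_verify_certificates = .../ca_chain.pem` alternative in send_to_server3 and send_to_server4 should be removed or explained.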
--- /dev/null
+# Exim test configuration 5658
+# OCSP stapling, client, tpda
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = check_recipient
+acl_smtp_data = check_data
+
+log_selector = +tls_peerdn
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+tls_certificate = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
+fail\
+}
+tls_privatekey = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
+fail}
+
+# from cmdline define
+tls_ocsp_file = OCSP
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept domains = +local_domains
+ deny message = relay not permitted
+
+check_data:
+ warn condition = ${if def:h_X-TLS-out:}
+ logwrite = client claims: $h_X-TLS-out:
+ accept
+
+logger:
+ warn logwrite = client ocsp status: $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ accept
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = accept
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ retry_use_local_part
+ transport = send_to_server${if eq{$local_part}{nostaple}{1} \
+ {${if eq{$local_part}{norequire} {2} \
+ {${if eq{$local_part}{smtps} {4}{3}}} \
+ }}}
+
+server:
+ driver = redirect
+ data = :blackhole:
+ #retry_use_local_part
+ #transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+send_to_server1:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+send_to_server2:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+send_to_server3:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+send_to_server4:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ protocol = smtps
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,1s
+
+
+# End
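Review bot: tpda_delivery_action and tpda_host_defer_action both call `${acl {logger}}` with no argument, so the resulting `client ocsp status:` log line cannot show whether it came from a delivery or from a host deferral. Pass a tag, for example `${acl {logger} {delivery}}` and `${acl {logger} {deferral}}`, and write $acl_arg1 in the logger ACL, which is what the 5750 and 5760 configs in this patch do.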
--- /dev/null
+# Exim test configuration 5750 (dup of 5760)
+# $tls_out_peercert - GnuTLS
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+
+tls_verify_hosts = *
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
+
+#
+
+begin acl
+logger:
+ warn logwrite = $acl_arg1 $tpda_delivery_local_part
+ warn logwrite = ${if !def:tls_out_ourcert \
+ {NO CLENT CERT presented} \
+ {Our cert SN: ${certextract{subject}{$tls_out_ourcert}}}}
+ accept condition = ${if !def:tls_out_peercert}
+ logwrite = No Peer cert
+ accept logwrite = Peer cert:
+ logwrite = ver <${certextract {version} {$tls_out_peercert}}>
+ logwrite = SN <${certextract {subject} {$tls_out_peercert}}>
+ logwrite = IN <${certextract {issuer} {$tls_out_peercert}}>
+ logwrite = NB <${certextract {notbefore} {$tls_out_peercert}}>
+ logwrite = NA <${certextract {notafter} {$tls_out_peercert}}>
+ logwrite = SA <${certextract {sig_algorithm} {$tls_out_peercert}}>
+ logwrite = SG <${certextract {signature} {$tls_out_peercert}}>
+ logwrite = ${certextract {subj_altname} {$tls_out_peercert}{SAN <$value>}{(no SAN)}}
+# logwrite = ${certextract {ocsp_uri} {$tls_out_peercert} {OCU <$value>}{(no OCU)}}
+ logwrite = ${certextract {crl_uri} {$tls_out_peercert} {CRU <$value>}{(no CRU)}}
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = accept
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ retry_use_local_part
+ transport = send_to_server
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+
+ tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+ tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
+
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/\
+ ${if eq {$local_part}{good}\
+{example.com/server1.example.com/ca_chain.pem}\
+{example.net/server1.example.net/ca_chain.pem}}
+
+ tpda_delivery_action = ${acl {logger} {delivery} {$domain} }
+ tpda_host_defer_action = ${acl {logger} {deferral} {$domain} }
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
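Review bot: `{NO CLENT CERT presented}` in the logger ACL is misspelled; correct it to CLIENT before the string ends up in expected-output logs. The ocsp_uri logwrite is commented out with no reason given, so add a comment stating why it is disabled in this GnuTLS variant.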
--- /dev/null
+# Exim test configuration 5760 (dup of 5750)
+# $tls_out_peercert - OpenSSL
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+
+tls_verify_hosts = *
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
+
+#
+
+begin acl
+logger:
+ warn logwrite = $acl_arg1 $tpda_delivery_local_part
+ warn logwrite = ${if !def:tls_out_ourcert \
+ {NO CLENT CERT presented} \
+ {Our cert SN: ${certextract{subject}{$tls_out_ourcert}}}}
+ accept condition = ${if !def:tls_out_peercert}
+ logwrite = No Peer cert
+ accept logwrite = Peer cert:
+ logwrite = ver <${certextract {version} {$tls_out_peercert}}>
+ logwrite = SN <${certextract {subject} {$tls_out_peercert}}>
+ logwrite = IN <${certextract {issuer} {$tls_out_peercert}}>
+ logwrite = NB <${certextract {notbefore} {$tls_out_peercert}}>
+ logwrite = NA <${certextract {notafter} {$tls_out_peercert}}>
+ logwrite = SA <${certextract {sig_algorithm} {$tls_out_peercert}}>
+ logwrite = SG <${certextract {signature} {$tls_out_peercert}}>
+ logwrite = ${certextract {subj_altname,>;}{$tls_out_peercert}{SAN <$value>}{(no SAN)}}
+ logwrite = ${certextract {ocsp_uri} {$tls_out_peercert} {OCU <$value>}{(no OCU)}}
+ logwrite = ${certextract {crl_uri} {$tls_out_peercert} {CRU <$value>}{(no CRU)}}
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = accept
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ retry_use_local_part
+ transport = send_to_server
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+
+ tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+ tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
+
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/\
+ ${if eq {$local_part}{good}\
+{example.com/server1.example.com/ca_chain.pem}\
+{example.net/server1.example.net/ca_chain.pem}}
+
+ tpda_delivery_action = ${acl {logger} {delivery} {$domain} }
+ tpda_host_defer_action = ${acl {logger} {deferral} {$domain} }
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
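Review bot: the header says `dup of 5750`, but the logger ACL differs from that file in two places: subj_altname is extracted as `subj_altname,>;` here, and the ocsp_uri line is active rather than commented out. Record these intended differences in the header comment so the two files are not re-synchronised by mistake. The `NO CLENT CERT presented` typo is present in this copy as well.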
1999-03-02 09:44:33 10HmbK-0005vi-00 => cond-yes <cond-yes@test.ex> R=r1 T=t1
1999-03-02 09:44:33 10HmbK-0005vi-00 Completed
1999-03-02 09:44:33 H=[56.56.57.57] U=CALLER F=<userx@test.ex> temporarily rejected RCPT <cond-rhubarb@test.ex>: invalid "condition" value "rhubarb"
-1999-03-02 09:44:33 10HmbL-0005vi-00 <= userx@test.ex H=[56.56.56.56] U=CALLER P=smtp S=sss
-1999-03-02 09:44:33 10HmbL-0005vi-00 => cond-rhubarb <cond-rhubarb@test.ex> R=r1 T=t1
+1999-03-02 09:44:33 10HmbL-0005vi-00 <= userx@test.ex H=[56.56.57.57] U=CALLER P=smtp S=sss
+1999-03-02 09:44:33 10HmbL-0005vi-00 => cond--1 <cond--1@test.ex> R=r1 T=t1
1999-03-02 09:44:33 10HmbL-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbM-0005vi-00 <= userx@test.ex H=[56.56.56.56] U=CALLER P=smtp S=sss
+1999-03-02 09:44:33 10HmbM-0005vi-00 => cond-rhubarb <cond-rhubarb@test.ex> R=r1 T=t1
+1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
1999-03-02 09:44:33 H=[56.56.58.58] U=CALLER F=<rcpttest@test.ex> rejected RCPT <bad1@test.ex>
1999-03-02 09:44:33 H=[56.56.58.58] U=CALLER F=<rcpttest@test.ex> rejected RCPT <bad2@test.ex>
1999-03-02 09:44:33 H=[56.56.58.58] U=CALLER F=<rcpttest@test.ex> rejected RCPT <bad3@test.ex>
-1999-03-02 09:44:33 10HmbM-0005vi-00 <= rcpttest@test.ex H=[56.56.58.58] U=CALLER P=smtp S=sss
-1999-03-02 09:44:33 10HmbM-0005vi-00 => ok1 <ok1@test.ex> R=r0 T=t2
-1999-03-02 09:44:33 10HmbM-0005vi-00 -> ok2 <ok2@test.ex> R=r0 T=t2
-1999-03-02 09:44:33 10HmbM-0005vi-00 -> ok3 <ok3@test.ex> R=r0 T=t2
-1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbN-0005vi-00 <= rcpttest@test.ex H=[56.56.58.58] U=CALLER P=smtp S=sss
+1999-03-02 09:44:33 10HmbN-0005vi-00 => ok1 <ok1@test.ex> R=r0 T=t2
+1999-03-02 09:44:33 10HmbN-0005vi-00 -> ok2 <ok2@test.ex> R=r0 T=t2
+1999-03-02 09:44:33 10HmbN-0005vi-00 -> ok3 <ok3@test.ex> R=r0 T=t2
+1999-03-02 09:44:33 10HmbN-0005vi-00 Completed
1999-03-02 09:44:33 H=[56.56.59.59] U=CALLER F=<rcpttest@test.ex> rejected RCPT <fail@test.ex>: here is a fail message
1999-03-02 09:44:33 H=[V4NET.11.12.13] U=CALLER F=<x@y> rejected RCPT <x@y>: DNSLIST (rbl.test.ex: This is a test blacklisting message)
1999-03-02 09:44:33 H=[V4NET.11.12.13] U=CALLER F=<x@y> rejected RCPT <x1@y>: DNSLIST (rbl.test.ex: This is a test blacklisting message)
1999-03-02 09:44:33 U=CALLER F=<x@y> rejected RCPT <postmaster@test.ex>: Sender verify failed
1999-03-02 09:44:33 U=CALLER F=<userx@test.ex> rejected RCPT <userx@test.ex>: deny for userx
1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = header_syntax"@test.ex>: cannot verify header_syntax in ACL for RCPT
-1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = junk"@test.ex>: expected "sender[=address]", "recipient", "helo", "header_syntax", "header_sender" or "reverse_host_lookup" at start of ACL condition "verify junk"
+1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = junk"@test.ex>: expected "sender[=address]", "recipient", "helo", "header_syntax", "header_sender", "header_names_ascii" or "reverse_host_lookup" at start of ACL condition "verify junk"
1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny vorify = junk"@test.ex>: unknown ACL condition/modifier in "deny vorify = junk"
1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"dony verify = junk"@test.ex>: unknown ACL verb "dony" in "dony verify = junk"
1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny !message = abcd"@test.ex>: ACL error: negation is not allowed with "message"
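Review bot: the added `=> cond--1` delivery from 56.56.57.57 sits directly after the temporary rejection of cond-rhubarb from the same host, but nothing in the expected log says what the `-1` value is meant to demonstrate. Put a comment next to the corresponding input in the test script stating the expected outcome for `-1`, so a later change in how that value is evaluated is recognised as a regression and not just a log diff.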
--- /dev/null
+1999-03-02 09:44:33 10HmaX-0005vi-00 x-test-header-good1: 1234567890qwertzuiopasdfghjklyxcvbnm,.-QWERTZUIOP+*ASDFGHJKL#'YXCVBNM,.-;:_
+1999-03-02 09:44:33 10HmaX-0005vi-00 x-test-header-good2: \303\237\303\274\303\266\303\244\342\202\254\303\234\303\226\303\204\302\264\340\244\221\340\244\225\340\244\234\341\220\201\341\221\214\341\221\225\360\253\235\206\360\253\237\230
+1999-03-02 09:44:33 10HmaX-0005vi-00 x-test-header-too-short: ?.?.?.\303\244-?.-\303\234.?..?.-?.-?..-?.-?.-?.-?.-?..-?..?.
+1999-03-02 09:44:33 10HmaX-0005vi-00 x-test-header-too-long: ?????-\303\244-?????--\303\226-\303\204-\302\264-\340\244\221-\340\244\225-\340\244\234-\341\220\201-\341\221\214-\341\221\225-?????\360\253\237\206
+1999-03-02 09:44:33 10HmaX-0005vi-00 x-test-header-too-big: ?-----\363\200\200\200
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@the.local.host.name U=CALLER P=local-smtp S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER <CALLER@the.local.host.name> R=localuser T=local_delivery
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 x-test-header-good1:
+1999-03-02 09:44:33 10HmaY-0005vi-00 x-test-header-good2:
+1999-03-02 09:44:33 10HmaY-0005vi-00 x-test-header-too-short:
+1999-03-02 09:44:33 10HmaY-0005vi-00 x-test-header-too-long:
+1999-03-02 09:44:33 10HmaY-0005vi-00 x-test-header-too-big:
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@the.local.host.name U=CALLER P=local-smtp S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER <CALLER@the.local.host.name> R=localuser T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 Start queue run: pid=pppp
+1999-03-02 09:44:33 End queue run: pid=pppp
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): invalid
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid
1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): invalid
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid
1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): invalid
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid
1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session
1999-03-02 09:44:33 End queue run: pid=pppp -qf
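Review bot: the reason text in `(certificate verification failed): invalid` becomes `certificate invalid` in all three expected lines, which changes a string that log parsers and alerting rules may match on. State the new wording in the change notes so operators can update their patterns.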
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer cert:
+1999-03-02 09:44:33 ver 3
+1999-03-02 09:44:33 SR <c9>
+1999-03-02 09:44:33 SN <CN=server2.example.com>
+1999-03-02 09:44:33 IN <O=example.com,CN=clica Signing Cert>
+1999-03-02 09:44:33 IN/O <example.com>
+1999-03-02 09:44:33 NB <Nov 1 12:34:06 2012 GMT>
+1999-03-02 09:44:33 NB/i <1351773246>
+1999-03-02 09:44:33 NA <Jan 1 12:34:06 2038 GMT>
+1999-03-02 09:44:33 SA <RSA-SHA>
+1999-03-02 09:44:33 SG <6c 37 41 26 4d 5d f4 b5 31 10 67 ca fb 64 b6 22 98 62 f7 1e 95 7b 6c e6 74 47 21 f4 5e 89 36 3e b9 9c 8a c5 52 bb c4 af 12 93 26 3b d7 3d e0 56 71 1e 1d 21 20 02 ed f0 4e d5 5e 45 42 fd 3c 38 41 54 83 86 0b 3b bf c5 47 39 ff 15 ea 93 dc fd c7 3d 18 58 59 ca dd 2a d8 b9 f9 2f b9 76 93 f4 ae e3 91 56 80 2f 8c 04 2f ad 57 ef d2 51 19 f4 b4 ef 32 9c ac 3a 7c 0d b8 39 db b1 e3 30 73 1a>
+1999-03-02 09:44:33 SAN <DNS=server2.example.com>
+1999-03-02 09:44:33 CRU <http://crl.example.com/latest.crl>
+1999-03-02 09:44:33 md5 fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55
+1999-03-02 09:44:33 sha1 fingerprint 40B2135E6B67AE36A397696DA328423685E74CE3
+1999-03-02 09:44:33 sha256 fingerprint 6064D93E235FBA6FC66788F2AAC087752D856ECC7901FFCB8B53B21A09D232D2
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server2.example.com" S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256
1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx <userx@test.ex> R=abc T=local_delivery
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): invalid
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
+1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded
+1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
+1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from (rhu1.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
-1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
-1999-03-02 09:44:33 TLS error on connection from (rhu5.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): invalid
-1999-03-02 09:44:33 H=[127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
+1999-03-02 09:44:33 TLS error on connection from (rhu5.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from (rhu7.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): revoked
-1999-03-02 09:44:33 H=[127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 TLS error on connection from (rhu7.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate revoked
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file.
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (gnutls_handshake): A TLS packet with unexpected length was received.
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_3DES_EDE_CBC_SHA1:192 CV=no DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel"
+1999-03-02 09:44:33 10HmaX-0005vi-00 a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): No supported cipher suites have been found.
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.2:RSA_3DES_EDE_CBC_SHA1:192 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): Could not negotiate a supported cipher suite.
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] F=<CALLER@myhost.test.ex> temporarily rejected RCPT <usery@myhost.test.ex>
-1999-03-02 09:44:33 10HmaX-0005vi-00 SMTP error from remote mail server after RCPT TO:<usery@myhost.test.ex>: host 127.0.0.1 [127.0.0.1]: 451 Temporary local problem - please try later
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx <userx@myhost.test.ex> R=r0 T=t2
-1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@myhost.test.ex R=r1 T=t1 H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 => usery@myhost.test.ex R=r1 T=t1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => usery <usery@myhost.test.ex> R=r0 T=t2
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 no immediate delivery: queued by ACL
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (gnutls_handshake): A TLS packet with unexpected length was received.
+1999-03-02 09:44:33 10HmaY-0005vi-00 a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed
1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection from [127.0.0.1] (recv): A TLS packet with unexpected length was received.
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
1999-03-02 09:44:33 10HmaX-0005vi-00 SMTP connection lost after final dot H=[127.0.0.1] P=smtps
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer cert:
+1999-03-02 09:44:33 ver 2
+1999-03-02 09:44:33 SR <c9>
+1999-03-02 09:44:33 SN <CN=server2.example.com>
+1999-03-02 09:44:33 IN <CN=clica Signing Cert,O=example.com>
+1999-03-02 09:44:33 IN/O <example.com>
+1999-03-02 09:44:33 NB <Nov 1 12:34:06 2012 GMT>
+1999-03-02 09:44:33 NB/i <1351773246>
+1999-03-02 09:44:33 NA <Jan 1 12:34:06 2038 GMT>
+1999-03-02 09:44:33 SA <undefined>
+1999-03-02 09:44:33 SG < Signature Algorithm: sha1WithRSAEncryption\n 6c:37:41:26:4d:5d:f4:b5:31:10:67:ca:fb:64:b6:22:98:62:\n f7:1e:95:7b:6c:e6:74:47:21:f4:5e:89:36:3e:b9:9c:8a:c5:\n 52:bb:c4:af:12:93:26:3b:d7:3d:e0:56:71:1e:1d:21:20:02:\n ed:f0:4e:d5:5e:45:42:fd:3c:38:41:54:83:86:0b:3b:bf:c5:\n 47:39:ff:15:ea:93:dc:fd:c7:3d:18:58:59:ca:dd:2a:d8:b9:\n f9:2f:b9:76:93:f4:ae:e3:91:56:80:2f:8c:04:2f:ad:57:ef:\n d2:51:19:f4:b4:ef:32:9c:ac:3a:7c:0d:b8:39:db:b1:e3:30:\n 73:1a\n>
+1999-03-02 09:44:33 SAN <DNS=server2.example.com>
+1999-03-02 09:44:33 OCU <http://oscp/example.com/>
+1999-03-02 09:44:33 CRU <http://crl.example.com/latest.crl>
+1999-03-02 09:44:33 md5 fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55
+1999-03-02 09:44:33 sha1 fingerprint 40B2135E6B67AE36A397696DA328423685E74CE3
+1999-03-02 09:44:33 sha256 fingerprint 6064D93E235FBA6FC66788F2AAC087752D856ECC7901FFCB8B53B21A09D232D2
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/CN=server2.example.com" S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
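Review bot: the peer-certificate dump added above pins the complete signature bytes (the `SG` line) together with the md5, sha1 and sha256 fingerprints, so this expected log has to be regenerated every time the test certificate for server2.example.com is reissued. If the test only needs to show that each field expands, consider having the test harness mask the signature and fingerprint values the way it already masks pids and sizes (`pppp`, `sss`). Separately, `OCU <http://oscp/example.com/>` looks like a mistyped OCSP URL in the test certificate ("oscp/" where "ocsp." would be expected); either fix the certificate or note that the value is deliberate.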
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLSv1:AES256-SHA:256
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLSv1:AES256-SHA:256
1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx <userx@test.ex> R=abc T=local_delivery
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded
+1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
+1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=certificate not trusted cert=/CN=server1.example.com
+1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=server1.example.com
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
+1999-03-02 09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
+1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:AES256-SHA:256 F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
1999-03-02 09:44:33 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
1999-03-02 09:44:33 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 SSL verify error: depth=0 error=certificate revoked cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
1999-03-02 09:44:33 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
1999-03-02 09:44:33 SSL verify error: depth=0 error=CRL signature failure cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): A TLS packet with unexpected length was received.
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason.
1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=0s X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C=EHLO,STARTTLS,AUTH
1999-03-02 09:44:33 no MAIL in SMTP connection from (foobar) [127.0.0.1] D=0s A=plain:userx X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C=EHLO,STARTTLS,EHLO,AUTH,QUIT
QUIT
<<< QUIT
250 OK
-1999-03-02 09:44:33 10HmbD-0005vi-00 => userx <userx@myhost.test.ex> R=smartuser T=lmtp
+1999-03-02 09:44:33 10HmbD-0005vi-00 => userx <userx@myhost.test.ex> R=smartuser T=lmtp C="250 Number 1 is OK"
1999-03-02 09:44:33 10HmbD-0005vi-00 == jack@myhost.test.ex R=smartuser T=lmtp defer (-46): LMTP error after end of data: 450 Number 2 is now delayed
1999-03-02 09:44:33 10HmbD-0005vi-00 ** jill@myhost.test.ex R=smartuser T=lmtp: LMTP error after end of data: 550 Number 3 is now rejected
1999-03-02 09:44:33 10HmbD-0005vi-00 == tom@myhost.test.ex R=smartuser T=lmtp defer (-44): LMTP error after RCPT TO:<tom@myhost.test.ex>: 450 This one is delayed on RCPT
1999-03-02 09:44:33 10HmbD-0005vi-00 ** dick@myhost.test.ex R=smartuser T=lmtp: LMTP error after RCPT TO:<dick@myhost.test.ex>: 550 This one is unknown on RCPT
-1999-03-02 09:44:33 10HmbD-0005vi-00 -> harry <harry@myhost.test.ex> R=smartuser T=lmtp
+1999-03-02 09:44:33 10HmbD-0005vi-00 -> harry <harry@myhost.test.ex> R=smartuser T=lmtp C="250 Number 6 is OK"
1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> R=10HmbD-0005vi-00 U=EXIMUSER P=local S=sss
1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <CALLER@myhost.test.ex> R=bounces
1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
<<< This is a test message.
<<< .
250 Number 1 is OK
-1999-03-02 09:44:33 10HmbF-0005vi-00 => userx <userx@myhost.test.ex> R=smartuser T=lmtp
+1999-03-02 09:44:33 10HmbF-0005vi-00 => userx <userx@myhost.test.ex> R=smartuser T=lmtp C="250 Number 1 is OK"
1999-03-02 09:44:33 10HmbF-0005vi-00 == jack@myhost.test.ex R=smartuser T=lmtp defer (-1): LMTP timeout after end of data (ddd bytes written)
1999-03-02 09:44:33 10HmbF-0005vi-00 == jill@myhost.test.ex R=smartuser T=lmtp defer (-1): LMTP timeout after end of data (ddd bytes written)
1999-03-02 09:44:33 10HmbF-0005vi-00 == tom@myhost.test.ex R=smartuser T=lmtp defer (-44): LMTP error after RCPT TO:<tom@myhost.test.ex>: 450 This one is delayed on RCPT
QUIT
<<< QUIT
220 OK
-1999-03-02 09:44:33 10HmbI-0005vi-00 => jack <jack@myhost.test.ex> R=smartuser T=lmtp
-1999-03-02 09:44:33 10HmbI-0005vi-00 -> jill <jill@myhost.test.ex> R=smartuser T=lmtp
+1999-03-02 09:44:33 10HmbI-0005vi-00 => jack <jack@myhost.test.ex> R=smartuser T=lmtp C="250 OK"
+1999-03-02 09:44:33 10HmbI-0005vi-00 -> jill <jill@myhost.test.ex> R=smartuser T=lmtp C="250 OK"
1999-03-02 09:44:33 10HmbI-0005vi-00 Completed
1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
220 Welcome to this LMTP simulation
QUIT
<<< QUIT
220 OK
-1999-03-02 09:44:33 10HmbJ-0005vi-00 => jack <jack@myhost.test.ex> R=smartuser T=lmtp
-1999-03-02 09:44:33 10HmbJ-0005vi-00 -> jill <jill@myhost.test.ex> R=smartuser T=lmtp
+1999-03-02 09:44:33 10HmbJ-0005vi-00 => jack <jack@myhost.test.ex> R=smartuser T=lmtp C="250 OK"
+1999-03-02 09:44:33 10HmbJ-0005vi-00 -> jill <jill@myhost.test.ex> R=smartuser T=lmtp C="250 OK"
1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
220 Welcome to this LMTP simulation
QUIT
<<< QUIT
250 OK
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx <userx@myhost.test.ex> R=smartuser T=lmtp ST=local_delivery
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx <userx@myhost.test.ex> R=smartuser T=lmtp ST=local_delivery C="250 Number 1 is OK"
1999-03-02 09:44:33 10HmaX-0005vi-00 ** jack@myhost.test.ex R=smartuser T=lmtp: LMTP error after end of data: 550 Number 2 fails
-1999-03-02 09:44:33 10HmaX-0005vi-00 -> jill <jill@myhost.test.ex> R=smartuser T=lmtp ST=local_delivery
+1999-03-02 09:44:33 10HmaX-0005vi-00 -> jill <jill@myhost.test.ex> R=smartuser T=lmtp ST=local_delivery C="250 Number 3 is OK"
1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> R=10HmaX-0005vi-00 U=EXIMUSER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER <CALLER@myhost.test.ex> R=bounces T=local_delivery
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
QUIT
<<< QUIT
250 OK
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@myhost.test.ex> R=smartuser T=lmtp ST=local_delivery (mailbox TESTSUITE/test-mail/ has too many links (2))
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@myhost.test.ex> R=smartuser T=lmtp ST=local_delivery (mailbox TESTSUITE/test-mail/ has too many links (2)) C="250 Number 1 is OK"
1999-03-02 09:44:33 10HmaZ-0005vi-00 ** jack@myhost.test.ex R=smartuser T=lmtp: LMTP error after end of data: 550 Number 2 fails
-1999-03-02 09:44:33 10HmaZ-0005vi-00 -> jill <jill@myhost.test.ex> R=smartuser T=lmtp ST=local_delivery (mailbox TESTSUITE/test-mail/ has too many links (2))
+1999-03-02 09:44:33 10HmaZ-0005vi-00 -> jill <jill@myhost.test.ex> R=smartuser T=lmtp ST=local_delivery (mailbox TESTSUITE/test-mail/ has too many links (2)) C="250 Number 3 is OK"
1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> R=10HmaZ-0005vi-00 U=EXIMUSER P=local S=sss
1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER <CALLER@myhost.test.ex> R=bounces T=local_delivery
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx <userx@myhost.test.ex> R=smartuser T=lmtp
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx <userx@myhost.test.ex> R=smartuser T=lmtp C="250 OK"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 == userx@myhost.test.ex R=smartuser T=lmtp defer (-1): LMTP timeout after initial connection
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbA-0005vi-00 => lp1 <lp1@myhost.test.ex> R=smartuser T=lmtp
+1999-03-02 09:44:33 10HmbA-0005vi-00 => lp1 <lp1@myhost.test.ex> R=smartuser T=lmtp C="250 Number 1 is OK"
1999-03-02 09:44:33 10HmbA-0005vi-00 == lp2@myhost.test.ex R=smartuser T=lmtp defer (-46): LMTP error after end of data: 450 Number 2 is now delayed
1999-03-02 09:44:33 10HmbA-0005vi-00 ** lp3@myhost.test.ex R=smartuser T=lmtp: LMTP error after end of data: 550 Number 3 is now rejected
1999-03-02 09:44:33 10HmbA-0005vi-00 == lp4@myhost.test.ex R=smartuser T=lmtp defer (-44): LMTP error after RCPT TO:<lp4@myhost.test.ex>: 450 This one is delayed on RCPT
1999-03-02 09:44:33 10HmbA-0005vi-00 ** lp5@myhost.test.ex R=smartuser T=lmtp: LMTP error after RCPT TO:<lp5@myhost.test.ex>: 550 This one is unknown on RCPT
-1999-03-02 09:44:33 10HmbA-0005vi-00 -> lp6 <lp6@myhost.test.ex> R=smartuser T=lmtp
+1999-03-02 09:44:33 10HmbA-0005vi-00 -> lp6 <lp6@myhost.test.ex> R=smartuser T=lmtp C="250 Number 6 is OK"
1999-03-02 09:44:33 10HmbB-0005vi-00 <= <> R=10HmbA-0005vi-00 U=EXIMUSER P=local S=sss
1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: <CALLER@myhost.test.ex> R=bounces
1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 => usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK"
1999-03-02 09:44:33 10HmaZ-0005vi-00 -> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 rcpt for userx@domain.com
+1999-03-02 09:44:33 10HmbA-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
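Review bot: in the added lines the `>>` delivery entry for 10HmbA-0005vi-00 is logged before that message's own `<=` arrival entry, and the `rcpt for userx@domain.com` line carries no message id. If this ordering is the expected result of cutthrough delivery, say so in the test script or its description; a reader comparing it with the `=>` and `->` entries for 10HmaZ-0005vi-00 just above will otherwise take it for a misordered log.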
--- /dev/null
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
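Review bot: the client-side line `TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed)` for 10HmaX-0005vi-00 gives no reason, so this expected log cannot distinguish the name-mismatch failure that the transport name send_to_server_req_failname implies from any other verification failure. The message is then delivered unencrypted ("not in hosts_require_tls"), so the test would pass equally if the certificate failed for an unrelated reason. Suggest logging the failure reason on the client side, as the server-side entries elsewhere in this patch do (": certificate invalid", ": certificate revoked"). Also, this new file has no case for send_to_server_req_fail, which the OpenSSL counterpart below does cover; if that is intentional, a note explaining why would help.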
--- /dev/null
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com"
+
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
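Review bot: the added `SSL verify error: certificate name mismatch: "/CN=server1.example.com"` entry for 10HmaY-0005vi-00 is followed by an empty line in the middle of the client log, which suggests the log message string ends in its own newline. Drop the trailing newline from the message so the main log stays one entry per line, since log parsers that split on lines will see a blank record here. It would also be more consistent to format this entry like the other verify errors in the same file (`depth=0 error=... cert=/CN=...`) instead of introducing a second layout with a quoted DN.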
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@test.ex R=client T=send_to_server2 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 Received TLS status response, null content
-1999-03-02 09:44:33 10HmbB-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbC-0005vi-00 Server certificate revoked; reason: superseded
-1999-03-02 09:44:33 10HmbC-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbC-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbD-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content
1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
+1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 (notresp)
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@server1.example.com
-1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com
-1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 0 (notreq)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 (verified)
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbB-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; not responding
1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
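Review bot: In the last three server daemon runs the "[127.0.0.1] Recieved OCSP stapling req; responding" / "not responding" lines are removed with nothing added in their place. The server log for the failing cases is left with only "TLS error ... (SSL_accept)" and "TLS client disconnected cleanly", and no longer records whether a staple was sent. Consider logging the server-side stapling decision for these runs as well (the first daemon now gets "acl_conn: ocsp in status"), so a regression in what the server sends stays visible. Separately, the added 10HmbF line keeps "Server OSCP dates invalid"; since this change already drops the "Recieved" misspelling, correct OSCP to OCSP in the log string and here at the same time.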
--- /dev/null
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp)
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 4 (verified)
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 0 (notreq)
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbD-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 client ocsp status: 4 (verified)
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 Received TLS status callback, null content
+1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 1 (notresp)
+1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbG-0005vi-00 Server certificate revoked; reason: superseded
+1999-03-02 09:44:33 10HmbG-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 3 (failed)
+1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbH-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbH-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed)
+1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 4
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <norequire@test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 0
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbB-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: ocsp status 4
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbD-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <good@test.ex> R=server
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
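Review bot: The server section logs "client claims: ocsp status 1" (and 4, 0, 4) as bare numbers, while the client section of this same file logs "client ocsp status: 1 (notresp)" with the symbolic name, and the other expected logs in this patch include the name on the server side too. Use one form throughout, preferably with the name, so the logs can be searched for "(failed)" or "(verified)" without knowing the numbering. The "Server OSCP dates invalid" line for 10HmbH also carries the OSCP transposition into a new file.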
--- /dev/null
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
+1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
+1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
+1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
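Review bot: The first daemon run expects "acl_mail: ocsp in status: 2 (vfynotdone)", where the OpenSSL expected log earlier in this patch has "acl_mail: ocsp in status: 4 (verified)" at the same point. If the GnuTLS build cannot reach a verified state here, that limitation deserves a comment beside the test, since as written the reference output never shows a successful inbound OCSP check under GnuTLS. The second and third runs log only "acl_conn: ocsp in status: 0 (notreq)" followed by generic recv/send errors, so nothing in them shows that the failure was OCSP-related.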
--- /dev/null
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked
+1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
+1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 0 (notreq)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 4 (verified)
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbB-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason.
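Review bot: Messages 10HmbD and 10HmbF both expect the identical line "TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)" and all three failing deliveries go to CALLER@test.ex, so the reference log cannot tell the missing-staple case from the invalid-dates case, and only the revoked case (10HmbE) is distinguishable. Give each failure case its own recipient, as the following file does with failrequire, failrevoked and failexpired, and consider a more specific reason string, so that a swapped or skipped case fails the comparison.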
--- /dev/null
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp)
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 1 (notresp)
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 0 (notreq)
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbD-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 client ocsp status: 4 (verified)
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
+1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 3 (failed)
+1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbG-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked
+1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 1 (notresp)
+1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbH-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
+1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed)
+1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 1 (notresp)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <norequire@test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 0 (notreq)
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbB-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: OCSP status 4 (verified)
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbD-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <good@test.ex> R=server
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason.
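Review bot: For 10HmbG the client logs "(certificate verification failed): certificate revoked" and then "client ocsp status: 1 (notresp)", which contradicts the error on the line above it. The OpenSSL expected log for failrevoked has 3 (failed), and that is what a revoked response should map to. Likewise the second norequire delivery (10HmaZ) expects 1 (notresp) here and the server records "client claims: OCSP status 1 (notresp)", where the OpenSSL log has 4 (verified) for the same message. Either fix the status reporting for GnuTLS before recording this output, or note beside the test that these values are a known limitation, so the wrong status is not treated as the reference.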
--- /dev/null
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid
+1999-03-02 09:44:33 10HmaX-0005vi-00 deferral bad
+1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented
+1999-03-02 09:44:33 10HmaX-0005vi-00 Peer cert:
+1999-03-02 09:44:33 10HmaX-0005vi-00 ver <3>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SN <CN=server1.example.com>
+1999-03-02 09:44:33 10HmaX-0005vi-00 IN <O=example.com,CN=clica Signing Cert>
+1999-03-02 09:44:33 10HmaX-0005vi-00 NB <Nov 1 12:34:05 2012 GMT>
+1999-03-02 09:44:33 10HmaX-0005vi-00 NA <Jan 1 12:34:05 2038 GMT>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SA <RSA-SHA>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SG <56 3a a4 3c cb eb b8 27 c2 90 08 74 13 88 dc 48 c6 b5 2c e5 26 be 5b 91 d4 67 e7 3c 49 12 d7 47 30 df 98 db 58 ed 18 a8 7d 4b db 97 48 f5 5c 7f 70 b9 37 63 33 f1 24 62 72 92 60 f5 6e da b6 bc 73 c8 c2 dc d6 95 9a bd 16 16 a2 ef 0a f1 d7 41 68 f6 ad 98 5a d0 ff d9 1b 51 9f 59 ce 2f 3d 84 d0 ee e8 2b eb 9b 32 1a 0e 02 3e cc 30 89 44 09 2a 75 81 46 a7 b6 ed 7d 41 eb 5a 63 fa 9c 58 ef>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SAN <DNS=alternatename.server1.example.com\nDNS=alternatename2.server1.example.com\nDNS=server1.example.com>
+1999-03-02 09:44:33 10HmaX-0005vi-00 CRU <http://crl.example.com/latest.crl>
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 delivery bad
+1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented
+1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 delivery good
+1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com
+1999-03-02 09:44:33 10HmaY-0005vi-00 Peer cert:
+1999-03-02 09:44:33 10HmaY-0005vi-00 ver <3>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SN <CN=server1.example.com>
+1999-03-02 09:44:33 10HmaY-0005vi-00 IN <O=example.com,CN=clica Signing Cert>
+1999-03-02 09:44:33 10HmaY-0005vi-00 NB <Nov 1 12:34:05 2012 GMT>
+1999-03-02 09:44:33 10HmaY-0005vi-00 NA <Jan 1 12:34:05 2038 GMT>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SA <RSA-SHA>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SG <56 3a a4 3c cb eb b8 27 c2 90 08 74 13 88 dc 48 c6 b5 2c e5 26 be 5b 91 d4 67 e7 3c 49 12 d7 47 30 df 98 db 58 ed 18 a8 7d 4b db 97 48 f5 5c 7f 70 b9 37 63 33 f1 24 62 72 92 60 f5 6e da b6 bc 73 c8 c2 dc d6 95 9a bd 16 16 a2 ef 0a f1 d7 41 68 f6 ad 98 5a d0 ff d9 1b 51 9f 59 ce 2f 3d 84 d0 ee e8 2b eb 9b 32 1a 0e 02 3e cc 30 89 44 09 2a 75 81 46 a7 b6 ed 7d 41 eb 5a 63 fa 9c 58 ef>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <DNS=alternatename.server1.example.com\nDNS=alternatename2.server1.example.com\nDNS=server1.example.com>
+1999-03-02 09:44:33 10HmaY-0005vi-00 CRU <http://crl.example.com/latest.crl>
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server2.example.com" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
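Review bot: Neither "Peer cert:" dump in the client section has an OCU line or a "(no OCU)" marker, although the OpenSSL expected log in this patch prints OCU for the same server1.example.com certificate and "(no OCU)" when it is absent. If the OCSP URI field is not available under GnuTLS, log the "(no OCU)" form so the two outputs stay comparable. Otherwise the field is silently untested here. The lines "NO CLENT CERT presented" also pin a misspelling of CLIENT into the reference output. The 10HmaX sequence (verification failed, then "delivering unencrypted ... (not in hosts_require_tls)", then "250 OK") records a cleartext fallback after a certificate failure, which is worth stating as intended.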
--- /dev/null
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.com/CN=clica CA
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaX-0005vi-00 deferral bad
+1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented
+1999-03-02 09:44:33 10HmaX-0005vi-00 Peer cert:
+1999-03-02 09:44:33 10HmaX-0005vi-00 ver <2>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SN <CN=clica CA,O=example.com>
+1999-03-02 09:44:33 10HmaX-0005vi-00 IN <CN=clica CA,O=example.com>
+1999-03-02 09:44:33 10HmaX-0005vi-00 NB <Nov 1 12:34:04 2012 GMT>
+1999-03-02 09:44:33 10HmaX-0005vi-00 NA <Jan 1 12:34:04 2038 GMT>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SA <undefined>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SG < Signature Algorithm: sha1WithRSAEncryption\n 89:fd:fb:cb:b2:42:d6:aa:f2:c0:44:a2:14:e5:ab:22:50:41:\n e6:64:e7:1c:5a:20:b6:0f:fe:b0:88:c5:cf:b3:e5:f8:0e:87:\n eb:ac:07:d6:9d:6a:20:f6:dd:13:ee:b8:3f:cf:d9:cd:d4:a8:\n 72:50:5a:a2:14:4e:ee:3a:78:e2:a7:f4:ae:d7:ee:77:48:1f:\n 75:a7:68:2f:ee:e2:7c:ac:2f:e4:88:02:e8:3b:db:f9:35:04:\n 05:46:35:0b:f2:35:03:21:b6:1e:82:7d:94:e0:63:4b:60:71:\n 2d:19:45:21:f2:85:b4:c3:d0:77:a2:24:32:36:f3:50:68:38:\n 98:e6\n>
+1999-03-02 09:44:33 10HmaX-0005vi-00 (no SAN)
+1999-03-02 09:44:33 10HmaX-0005vi-00 (no OCU)
+1999-03-02 09:44:33 10HmaX-0005vi-00 (no CRU)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 delivery bad
+1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented
+1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 delivery good
+1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com
+1999-03-02 09:44:33 10HmaY-0005vi-00 Peer cert:
+1999-03-02 09:44:33 10HmaY-0005vi-00 ver <2>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SN <CN=server1.example.com>
+1999-03-02 09:44:33 10HmaY-0005vi-00 IN <CN=clica Signing Cert,O=example.com>
+1999-03-02 09:44:33 10HmaY-0005vi-00 NB <Nov 1 12:34:05 2012 GMT>
+1999-03-02 09:44:33 10HmaY-0005vi-00 NA <Jan 1 12:34:05 2038 GMT>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SA <undefined>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SG < Signature Algorithm: sha1WithRSAEncryption\n 56:3a:a4:3c:cb:eb:b8:27:c2:90:08:74:13:88:dc:48:c6:b5:\n 2c:e5:26:be:5b:91:d4:67:e7:3c:49:12:d7:47:30:df:98:db:\n 58:ed:18:a8:7d:4b:db:97:48:f5:5c:7f:70:b9:37:63:33:f1:\n 24:62:72:92:60:f5:6e:da:b6:bc:73:c8:c2:dc:d6:95:9a:bd:\n 16:16:a2:ef:0a:f1:d7:41:68:f6:ad:98:5a:d0:ff:d9:1b:51:\n 9f:59:ce:2f:3d:84:d0:ee:e8:2b:eb:9b:32:1a:0e:02:3e:cc:\n 30:89:44:09:2a:75:81:46:a7:b6:ed:7d:41:eb:5a:63:fa:9c:\n 58:ef\n>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <DNS=server1.example.com;DNS=alternatename2.server1.example.com;DNS=alternatename.server1.example.com>
+1999-03-02 09:44:33 10HmaY-0005vi-00 OCU <http://oscp/example.com/>
+1999-03-02 09:44:33 10HmaY-0005vi-00 CRU <http://crl.example.com/latest.crl>
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 DN="/CN=server2.example.com" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
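Review bot: The expected client log bakes in a misspelling, `NO CLENT CERT presented`, on both lines logged for 10HmaX; fix the string to `CLIENT` wherever it is generated and regenerate this file. The `OCU <http://oscp/example.com/>` value logged for server1.example.com also looks like a transposed `ocsp.example.com`, so please confirm it is intended in the fixture certificate. A comment in the test script saying that `bad@test.ex` is expected to be delivered in clear after `TLS session failure: delivering unencrypted ... (not in hosts_require_tls)` would keep that fallback from being read as a regression.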
--- /dev/null
+From userx@test.ex Tue Mar 02 09:44:33 1999
+Received: from [56.56.57.57] (ident=CALLER)
+ by myhost.test.ex with smtp (Exim x.yz)
+ (envelope-from <userx@test.ex>)
+ id 10HmbL-0005vi-00
+ for cond--1@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+X-message-body-size: 0
+
+
Received: from [56.56.56.56] (ident=CALLER)
by myhost.test.ex with smtp (Exim x.yz)
(envelope-from <userx@test.ex>)
- id 10HmbL-0005vi-00
+ id 10HmbM-0005vi-00
for cond-rhubarb@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
X-message-body-size: 0
Received: from [56.56.58.58] (ident=CALLER)
by myhost.test.ex with smtp (Exim x.yz)
(envelope-from <rcpttest@test.ex>)
- id 10HmbM-0005vi-00; Tue, 2 Mar 1999 09:44:33 +0000
+ id 10HmbN-0005vi-00; Tue, 2 Mar 1999 09:44:33 +0000
xx: rcpt_count = 1
rcpt_defer_count = 0
rcpt_fail_count = 0
X-Delivered-To: c@test.ex
X-Delivered-To: d@test.ex
X-Delivered-To: userx@test.ex
+X-rtr-hdr: 1
+X-rtr-hdr: 3
+X-tpt-hdr: 1
+X-tpt-hdr: 3
X-Delivered-To: bb@test.ex
X-Delivered-To: e@test.ex
X-Delivered-To: usery@test.ex
+X-rtr-hdr: 1
+X-rtr-hdr: 3
+X-tpt-hdr: 1
+X-tpt-hdr: 3
Found: yes
Found2: yes
FOUND-found2: !!
-
TO: userx@test.ex,
usery@test.ex
--------------------------------
Message-Id: <E10HmaX-0005vi-00@the.local.host.name>
Date: Tue, 2 Mar 1999 09:44:33 +0000
Found: no
-
FROM: CALLER_NAME <CALLER@test.ex>
--------------------------------
REPLY_ADDRESS: CALLER_NAME <CALLER@test.ex>
Message-Id: <E10HmaY-0005vi-00@the.local.host.name>
Date: Tue, 2 Mar 1999 09:44:33 +0000
Found: no
-
FROM: CALLER_NAME <CALLER@test.ex>
--------------------------------
REPLY_ADDRESS: CALLER_NAME <CALLER@test.ex>
Message-Id: <E10HmaZ-0005vi-00@the.local.host.name>
Date: Tue, 2 Mar 1999 09:44:33 +0000
Found: no
-
FROM: CALLER_NAME <CALLER@test.ex>
--------------------------------
REPLY_ADDRESS: usery@test.ex
Sender: CALLER_NAME <CALLER@test.ex>
Date: Tue, 2 Mar 1999 09:44:33 +0000
Found: no
-
FROM:
--------------------------------
REPLY_ADDRESS:
--- /dev/null
+From CALLER@the.local.host.name Tue Mar 02 09:44:33 1999
+Return-path: <CALLER@the.local.host.name>
+Envelope-to: CALLER@the.local.host.name
+Delivery-date: Tue, 2 Mar 1999 09:44:33 +0000
+Received: from CALLER by the.local.host.name with local-smtp (Exim x.yz)
+ (envelope-from <CALLER@the.local.host.name>)
+ id 10HmaX-0005vi-00
+ for CALLER@the.local.host.name; Tue, 2 Mar 1999 09:44:33 +0000
+x-test-header-good1: 1234567890qwertzuiopasdfghjklyxcvbnm,.-QWERTZUIOP+*ASDFGHJKL#'YXCVBNM,.-;:_
+x-test-header-good2: ßüöä€ÜÖÄ´ऑकजáᑌᑕð«†ð«Ÿ˜
+x-test-header-too-short: Ã.Ã.Ã.ä-â\82.-Ã\9c.Ã..Ã.-Â.-à ..-à ¤.-à ¤.-á\90.-á\91.-á..-ð«\9d..ð«\9f.
+x-test-header-too-long: ø\88\88\88\88-ä-ø\88\88\88\88--Ã\96-Ã\84-´-à ¤\91-à ¤\95-à ¤\9c-á\90\81-á\91\8c-á\91\95-ø\80\80\80\80ð«\9f\86
+x-test-header-too-big: ÷€€€-----ó€€€
+Subject: This is a test message.
+Message-Id: <E10HmaX-0005vi-00@the.local.host.name>
+From: CALLER@the.local.host.name
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+X-local-user: uid=CALLER_UID gid=CALLER_GID
+X-body-linecount: 3
+X-message-linecount: 16
+X-received-count: 1
+
+This is a test message.
+It has three lines.
+This is the last line.
+
+From CALLER@the.local.host.name Tue Mar 02 09:44:33 1999
+Return-path: <CALLER@the.local.host.name>
+Envelope-to: CALLER@the.local.host.name
+Delivery-date: Tue, 2 Mar 1999 09:44:33 +0000
+Received: from CALLER by the.local.host.name with local-smtp (Exim x.yz)
+ (envelope-from <CALLER@the.local.host.name>)
+ id 10HmaY-0005vi-00
+ for CALLER@the.local.host.name; Tue, 2 Mar 1999 09:44:33 +0000
+Subject: second
+Message-Id: <E10HmaY-0005vi-00@the.local.host.name>
+From: CALLER@the.local.host.name
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+X-local-user: uid=CALLER_UID gid=CALLER_GID
+X-body-linecount: 1
+X-message-linecount: 9
+X-received-count: 1
+
+This is a second test message.
+
id 10HmaZ-0005vi-00
for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
tls-certificate-verified: 1
-TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=CN=server2.example.com
This is a test encrypted message from a verified host.
id 10HmaZ-0005vi-00
for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
tls-certificate-verified: 1
-TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/CN=server2.example.com
This is a test encrypted message from a verified host.
1999-03-02 09:44:33 U=CALLER F=<x@y> rejected RCPT <postmaster@test.ex>: Sender verify failed
1999-03-02 09:44:33 U=CALLER F=<userx@test.ex> rejected RCPT <userx@test.ex>: deny for userx
1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = header_syntax"@test.ex>: cannot verify header_syntax in ACL for RCPT
-1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = junk"@test.ex>: expected "sender[=address]", "recipient", "helo", "header_syntax", "header_sender" or "reverse_host_lookup" at start of ACL condition "verify junk"
+1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = junk"@test.ex>: expected "sender[=address]", "recipient", "helo", "header_syntax", "header_sender", "header_names_ascii" or "reverse_host_lookup" at start of ACL condition "verify junk"
1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny vorify = junk"@test.ex>: unknown ACL condition/modifier in "deny vorify = junk"
1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"dony verify = junk"@test.ex>: unknown ACL verb "dony" in "dony verify = junk"
1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny !message = abcd"@test.ex>: ACL error: negation is not allowed with "message"
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256
-1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
-1999-03-02 09:44:33 H=[127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLSv1:AES256-SHA:256
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 F=<userx@test.ex> rejected RCPT <userx@test.ex>: unacceptable cipher TLSv1:AES256-SHA:256
-1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
-1999-03-02 09:44:33 H=[127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:AES256-SHA:256 F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
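Review bot: In the new `certificate not verified` reject lines, `DN="..."` is logged in the same form as on lines for a verified peer, although the line itself says the certificate did not verify. Log consumers that key on `DN=` could take an unauthenticated subject for an identity; the documentation for this log field should say that `DN=` is the name as presented by the peer, not a verified one. The cases with an empty `peerdn=` correctly carry no `DN=` field.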
# treat the standard algorithms the same.
# So far, have seen:
# TLSv1:AES256-SHA:256
+ # TLSv1.1:AES256-SHA:256
# TLSv1.2:AES256-GCM-SHA384:256
# TLSv1.2:DHE-RSA-AES256-SHA:256
# TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
# Mail headers (...), log-lines X=..., client-ssl output ...
# (and \b doesn't match between ' ' and '(' )
- s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.2:/$1TLSv1:/xg;
+ s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[12]:/$1TLSv1:/xg;
s/\bAES256-GCM-SHA384\b/AES256-SHA/g;
s/\bDHE-RSA-AES256-SHA\b/AES256-SHA/g;
# GnuTLS have seen:
+ # TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256
+ # TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128
# TLS1.2:RSA_AES_256_CBC_SHA1:256 (canonical)
# TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
#
# X=TLS1.1:RSA_AES_256_CBC_SHA1:256
# X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256
# and as stand-alone cipher:
+ # ECDHE-RSA-AES256-SHA
# DHE-RSA-AES256-SHA256
# DHE-RSA-AES256-SHA
# picking latter as canonical simply because regex easier that way.
s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA_AES_256_CBC_SHA1:256/g;
- s/TLS1.[012]:(DHE_)?RSA_AES_256_CBC_SHA(1|256):256/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g;
- s/\bDHE-RSA-AES256-SHA256\b/DHE-RSA-AES256-SHA/g;
+ s/TLS1.[012]:((EC)?DHE_)?RSA_AES_(256|128)_(CBC|GCM)_SHA(1|256|384):(256|128)/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g;
+ s/\b(ECDHE-RSA-AES256-SHA|DHE-RSA-AES256-SHA256)\b/AES256-SHA/g;
+
+ # GnuTLS library error message changes
+ s/No certificate was found/The peer did not send any certificate/g;
+#(dodgy test?) s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g;
+ s/\(gnutls_priority_set\): No or insufficient priorities were set/\(gnutls_handshake\): Could not negotiate a supported cipher suite/g;
+
+ # (this new one is a generic channel-read error, but the testsuite
+ # only hits it in one place)
+ s/TLS error on connection to \d{1,3}(.\d{1,3}){3} \[\d{1,3}(.\d{1,3}){3}\] \(gnutls_handshake\): Error in the pull function\./a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed/g;
+
+ # (replace old with new, hoping that old only happens in one situation)
+ s/TLS error on connection to \d{1,3}(.\d{1,3}){3} \[\d{1,3}(.\d{1,3}){3}\] \(gnutls_handshake\): A TLS packet with unexpected length was received./a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed/g;
+ s/TLS error on connection from \[127.0.0.1\] \(recv\): A TLS packet with unexpected length was received./TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated./g;
+
+ # signature algorithm names
+ s/RSA-SHA1/RSA-SHA/;
# ======== Caller's login, uid, gid, home, gecos ========
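Review bot: The added GnuTLS error-message substitutions leave `.` unescaped in the address patterns (`\d{1,3}(.\d{1,3}){3}` and `\[127.0.0.1\]`) and in the trailing `received.`, so each of those dots matches any character; write `\.` so the munge rewrites only the messages it is meant to. `s/RSA-SHA1/RSA-SHA/;` is the only substitution here without `/g`, so a line that carries the name twice is only half normalised. The retained comment "picking latter as canonical" no longer matches the code, which now maps both `ECDHE-RSA-AES256-SHA` and `DHE-RSA-AES256-SHA256` to `AES256-SHA`.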
listcount: ${listcount:<;a;b;c}
listcount: ${listcount:${listnamed:dlist}}
+listextract: ${listextract{ 2}{a:b:c:d}}
+listextract: ${listextract{-2}{<,a,b,c,d}{X${value}X}}
+listextract: ${listextract{ 5}{a:b:c:d}}
+listextract: ${listextract{-5}{a:b:c:d}}
+listextract: ${listextract{ 5}{a:b:c:d}{}{fail}}
+listextract: ${listextract{ 5}{a:b:c:d}{}fail}
+
# Tests with iscntrl() and illegal separators
map: ${map{<\n a\n\nb\nc}{'$item'}}
" yes" ${if bool{ yes}{true}{false}} EXPECT: true
" no" ${if bool{ no}{true}{false}} EXPECT: false
"yes " ${if bool{yes }{true}{false}} EXPECT: true
-"-1" ${if bool{-1}{true}{false}} EXPECT: error
+"-1" ${if bool{-1}{true}{false}} EXPECT: true
"0" ${if bool{0}{true}{false}} EXPECT: false
"1" ${if bool{1}{true}{false}} EXPECT: true
" 0 " ${if bool{ 0 }{true}{false}} EXPECT: false
" " ${if bool{ }{true}{false}} EXPECT: false
"text" ${if bool{text}{true}{false}} EXPECT: error
" text" ${if bool{ text}{true}{false}} EXPECT: error
+"-text" ${if bool{-text}{true}{false}} EXPECT: error
"text " ${if bool{text }{true}{false}} EXPECT: error
" text " ${if bool{ text }{true}{false}} EXPECT: error
"00" ${if bool{00}{true}{false}} EXPECT: false
.
mail from:<userx@test.ex>
rcpt to:<cond-rhubarb@test.ex>
+rset
+mail from:<userx@test.ex>
+rcpt to:<cond--1@test.ex>
+data
+.
quit
****
exim -DLOG_SELECTOR=log_selector=-acl_warn_skipped -odi -bs -oMa 56.56.56.56
# Checking -oMa etc
exim -odi -f jc@rome -F 'Julius Caesar' -oMa 1.1.1.1 -oMi 2.2.2.2 -oMr latin -oMs forum.rome -oMt jc44bc userx@test.ex
This is a test message.
+****
+1
+exim -odi -f jc@rome -F 'Julius Caesar' -oMm 123456-67890-11 -oMt jc44bc userx@test.x
+This is a test message.
+****
+1
+exim -odi -f jc@rome -F 'Julius Caesar' -oMm 10HmaX-0005vi-00 -oMt jc44bc userx@test.x
+This is a test message.
+****
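Review bot: Both added `-oMm` cases address `userx@test.x`, where the neighbouring `-oMa` case uses `userx@test.ex`; if that is a typo, fix it so the expected return code `1` can only come from the `-oMm` handling. Neither case says why it must fail: the first passes a malformed id (`123456-67890-11`), the second a well-formed one (`10HmaX-0005vi-00`), so a one-line comment on each naming the rule being exercised would make the intent reviewable.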
-# multiple remove_headers and trailing colons
+# multiple remove_headers in routers, and trailing colons
exim -odi userx
Remove-Me: this header is to be removed
Another: This is another header
--- /dev/null
+# verify = header_names_ascii
+# 1. Headers are good, make sure no misfires.
+exim -bh V4NET.10.10.10
+mail from:<userx@exim.test.ex>
+rcpt to:<userx@test.ex>
+data
+Received: from mail.example.com([10.11.12.13] helo=mail.example.com)
+ by mail1-int.example.com with esmtp (Exim 4.80)
+ envelope-from <userx@exim.test.ex>
+ id 1WIJRL-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000
+Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com)
+ by webmail1.example.com with esmtp (Exim 4.80)
+ envelope-from <userx@exim.test.ex>
+ id 1WIJRK-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000
+From: userx@exim.test.ex
+To: userx@test.ex
+Cc: <abcd@x.y.z
+Subject: testing
+
+.
+QUIT
+****
+# 2. A non-ASCII in header name, uses default rejection message
+exim -bh V4NET.10.10.10
+mail from:<userx@exim.test.ex>
+rcpt to:<userx@test.ex>
+data
+Received: from mail.example.com([10.11.12.13] helo=mail.example.com)
+ by mail1-int.example.com with esmtp (Exim 4.80)
+ envelope-from <userx@exim.test.ex>
+ id 1WIJRL-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000
+Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com)
+ by webmail1.example.com with esmtp (Exim 4.80)
+ envelope-from <userx@exim.test.ex>
+ id 1WIJRK-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000
+From: userx@exim.test.ex
+To: userx@test.ex
+Cc: <abcd@x.y.z>
+Subject: testing
+
+.
+QUIT
+****
+# 3. A non-ASCII character in header name, different from sets an acl variable
+# causing custom log message
+exim -bh V4NET.10.10.10
+mail from:<usery@exim.test.ex>
+rcpt to:<userx@test.ex>
+data
+Received: from mail.example.com([10.11.12.13] helo=mail.example.com)
+ by mail1-int.example.com with esmtp (Exim 4.80)
+ envelope-from <userx@exim.test.ex>
+ id 1WIJRL-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000
+Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com)
+ by webmail1.example.com with esmtp (Exim 4.80)
+ envelope-from <userx@exim.test.ex>
+ id 1WIJRK-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000
+From: userx@exim.test.ex
+To: userx@test.ex
+Cc: <abcd@x.y.z>
+Subjecâ…: testing
+
+.
+QUIT
+****
+# 4. A non-ASCII character in header name, uses default rejection message
+exim -bh V4NET.10.10.10
+mail from:<userx@exim.test.ex>
+rcpt to:<userx@test.ex>
+data
+Received: from mail.example.com([10.11.12.13] helo=mail.example.com)
+ by mail1-int.example.com with esmtp (Exim 4.80)
+ envelope-from <userx@exim.test.ex>
+ id 1WIJRL-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000
+Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com)
+ by webmail1.example.com with esmtp (Exim 4.80)
+ envelope-from <userx@exim.test.ex>
+ id 1WIJRK-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000
+From: userx@exim.test.ex
+To: userx@test.ex
+Cc: <abcd@x.y.z>
+Subjecâ…: testing
+
+.
+QUIT
+****
+# 5. Headers are good, Unicode in message body, make sure no misfires.
+exim -bh V4NET.10.10.10
+mail from:<userx@exim.test.ex>
+rcpt to:<userx@test.ex>
+data
+Received: from mail.example.com([10.11.12.13] helo=mail.example.com)
+ by mail1-int.example.com with esmtp (Exim 4.80)
+ envelope-from <userx@exim.test.ex>
+ id 1WIJRL-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000
+Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com)
+ by webmail1.example.com with esmtp (Exim 4.80)
+ envelope-from <userx@exim.test.ex>
+ id 1WIJRK-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000
+From: userx@exim.test.ex
+To: userx@test.ex
+Cc: <abcd@x.y.z>
+Subject: testing
+
+Some unicode characters: 顷晦٦
+This email should be accepted because the headers are ok.
+.
+QUIT
+****
+# 6. Headers are good, Unicode in a header content *and* message body,
+# make sure no misfires.
+exim -bh V4NET.10.10.10
+mail from:<userx@exim.test.ex>
+rcpt to:<userx@test.ex>
+data
+Received: from mail.example.com([10.11.12.13] helo=mail.example.com)
+ by mail1-int.example.com with esmtp (Exim 4.80)
+ envelope-from <userx@exim.test.ex>
+ id 1WIJRL-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000
+Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com)
+ by webmail1.example.com with esmtp (Exim 4.80)
+ envelope-from <userx癑@exim.test.ex>
+ id 1WIJRK-0005Dw-MW
+ for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000
+From: userx@exim.test.ex
+To: userx@test.ex
+Cc: <abcd@x.y.z>
+Subject: testing
+
+Some unicode characters: 顷晦٦
+This email should be accepted because the headers are ok even though the
+content of one of the headers has unicode.
+.
+QUIT
+****
+no_msglog_check
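Review bot: Case 1 is labelled "Headers are good" but its `Cc: <abcd@x.y.z` lacks the closing `>` that cases 2 to 6 have; since the case exists to prove there is no misfire on clean input, close the bracket. In case 2 the header names as shown are the same ASCII names as in case 1, so please confirm that the non-ASCII byte promised by its comment is really in the file. The comment on case 3 ("different from sets an acl variable") is garbled; it appears to mean that the different `mail from:<usery@exim.test.ex>` selects the custom log message, and should say so.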
--- /dev/null
+# ${utf8clean:string}
+#
+# -bs to simple local delivery
+exim -bs -odi
+mail from:CALLER@HOSTNAME
+rcpt to:CALLER@HOSTNAME
+data
+x-test-header-good1: 1234567890qwertzuiopasdfghjklyxcvbnm,.-QWERTZUIOP+*ASDFGHJKL#'YXCVBNM,.-;:_
+x-test-header-good2: ßüöä€ÜÖÄ´ऑकजáᑌᑕð«†ð«Ÿ˜
+x-test-header-too-short: Ã.Ã.Ã.ä-â\82.-Ã\9c.Ã..Ã.-Â.-à ..-à ¤.-à ¤.-á\90.-á\91.-á..-ð«\9d..ð«\9f.
+x-test-header-too-long: ø\88\88\88\88-ä-ø\88\88\88\88--Ã\96-Ã\84-´-à ¤\91-à ¤\95-à ¤\9c-á\90\81-á\91\8c-á\91\95-ø\80\80\80\80ð«\9f\86
+x-test-header-too-big: ÷€€€-----ó€€€
+Subject: This is a test message.
+
+This is a test message.
+It has three lines.
+This is the last line.
+.
+quit
+****
+exim -bs -odi
+mail from:CALLER@HOSTNAME
+rcpt to:CALLER@HOSTNAME
+data
+Subject: second
+
+This is a second test message.
+.
+quit
+****
+exim -q
+****
-# TLS server: general
+# TLS server: general ops and certificate extractions
gnutls
exim -DSERVER=server -bd -oX PORT_D
****
starttls
??? 220
****
-client-gnutls HOSTIPV4 PORT_D DIR/aux-fixed/cert2 DIR/aux-fixed/cert2
+client-gnutls HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
exim userx@test.ex
Testing
****
+exim usery@test.ex
+Testing
+****
+exim userz@test.ex
+Testing
+****
+exim userq@test.ex
+Testing
+****
exim -qf
****
killdaemon
# Wait to allow delivery to finish before killing the daemon
sleep 1
killdaemon
+no_msglog_check
-# TLS server: general
+# TLS server: general ops and certificate extractions
exim -DSERVER=server -bd -oX PORT_D
****
client-ssl 127.0.0.1 PORT_D
starttls
??? 220
****
-client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/cert2 DIR/aux-fixed/cert2
+client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
exim userx@test.ex
Testing
****
+exim usery@test.ex
+Testing
+****
+exim userz@test.ex
+Testing
+****
+exim userq@test.ex
+Testing
+****
exim -qf
****
killdaemon
QUIT
****
# cutthrough_delivery into HELO-only server
-need_ipv4
-#
server PORT_S
220 SMTP only spoken here
EHLO
QUIT
****
sleep 1
+#
+#
+#
+#
+#
+# cutthrough_delivery basic operation, again
+server PORT_S
+220 ESMTP
+EHLO
+250 OK
+MAIL FROM:
+250 Sender OK
+RCPT TO:
+250 Recipient OK
+DATA
+354 Send data
+.
+250 OK
+QUIT
+250 OK
+****
+exim -d-all+acl+transport -bs
+EHLO myhost.test.ex
+MAIL FROM:<CALLER@myhost.test.ex>
+RCPT TO:<userx@domain.com>
+DATA
+X-hdr-rtr: qqq
+X-hdr-tpt: zzz
+
+body
+.
+QUIT
+****
-# cutthrough_delivery to target oferring TLS
+# cutthrough_delivery to target offerring TLS
exim -DSERVER=server -bd -oX PORT_D
****
# this one should succeed
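Review bot: The corrected comment still misspells the word: `offerring` should be `offering`.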
--- /dev/null
+# TLS client: verify certificate from server - fails
+gnutls
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim userr@test.ex
+Testing
+****
+exim users@test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+no_msglog_check
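Review bot: This GnuTLS script queues only `userr@test.ex` and `users@test.ex`, while the OpenSSL script added under the same title also queues `userq@test.ex`. If the omitted case cannot work with GnuTLS, say so in a comment; otherwise add it so both libraries cover the same verification outcomes. A per-message comment stating what each recipient is expected to exercise would also help, since the title only says "fails" for the script as a whole.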
--- /dev/null
+support GnuTLS
+support Experimental_Certnames
+running IPv4
--- /dev/null
+# TLS client: verify certificate from server - fails
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim userq@test.ex
+Testing
+****
+exim userr@test.ex
+Testing
+****
+exim users@test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+no_msglog_check
--- /dev/null
+support OpenSSL
+support Experimental_Certnames
+running IPv4
-support Experimental_PRDR
-# TLS server: OCSP stapling
+# OCSP stapling, server
#
#
#
# OCSP stapling, client
#
#
-# Client works when we don't demand OCSP stapling
+# Client works when we request but don't require OCSP stapling and none comes
exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
****
-exim nostaple@test.ex
+exim norequire@test.ex
test message.
****
sleep 1
#
#
#
-# Client accepts good stapled info
+# Client works when we don't request OCSP stapling
exim -bd -oX PORT_D -DSERVER=server \
-DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
****
+exim nostaple@test.ex
+test message.
+****
+millisleep 500
+#
+#
+#
+#
+# Client accepts good stapled info
exim CALLER@test.ex
test message.
****
#
#
#
-# Client fails on lack of requested stapled info
+# Client fails on lack of required stapled info
exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
****
exim CALLER@test.ex
support OpenSSL
-support Experimental_OCSP
+support OCSP
running IPv4
--- /dev/null
+# OCSP stapling, client, tpda
+# duplicate of 5601
+#
+#
+# Client works when we request but don't require OCSP stapling and none comes
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
+****
+exim norequire@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client works when we request but don't require OCSP stapling and some arrives
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+exim norequire@test.ex
+test message.
+****
+millisleep 500
+#
+#
+#
+#
+# Client works when we don't request OCSP stapling
+exim nostaple@test.ex
+test message.
+****
+millisleep 500
+#
+#
+#
+#
+# Client accepts good stapled info
+exim good@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+# Client fails on lack of required stapled info
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
+****
+exim failrequire@test.ex
+test message.
+****
+sleep 1
+killdaemon
+no_msglog_check
+#
+#
+#
+# Client fails on revoked stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+exim failrevoked@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client fails on expired stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+exim failexpired@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
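Review bot: `EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y`, used to start the daemon in the revoked and expired cases, by its name switches off a validity check from the environment. Please confirm in the server code that the variable is honoured only when Exim is running under the test harness, and document it alongside the other harness controls. The header also calls this file a "duplicate of 5601" with different recipients; sharing the script would keep the two from drifting apart.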
--- /dev/null
+support OpenSSL
+support OCSP
+support Experimental_TPDA
+running IPv4
--- /dev/null
+# OCSP stapling, server
+#
+#
+#
+# 1: Server sends good staple on request
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+client-gnutls \
+ -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+ HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<userx@test.ex>
+??? 250
+rcpt to:<userx@test.ex>
+??? 250
+quit
+??? 221
+****
+killdaemon
+#
+#
+#
+# 2: Server does not staple an outdated response
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+# XXX test sequence might not be quite right; this is for a server refusal
+# and we're expecting a client refusal.
+client-gnutls -ocsp aux-fixed/exim-ca/expired1.example.com/CA.pem HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+****
+killdaemon
+#
+#
+#
+#
+#
+# 3: Server does not staple a response for a revoked cert
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+client-gnutls \
+ -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+ HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+****
+killdaemon
+#
+#
+#
+#
+#
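Review bot: Case 2 passes `-ocsp aux-fixed/exim-ca/expired1.example.com/CA.pem` while the daemon is given the server1.example.com response, and cases 1 and 3 use `example.com/server1.example.com/ca_chain.pem`. With a different trust anchor, a handshake failure does not show that the server withheld the outdated staple, which is the doubt the `XXX` comment already raises. Use the same CA chain as the other cases and resolve the `XXX` before merging. Cases 2 and 3 also stop right after `starttls` / `??? 220`, so nothing in the script itself distinguishes "no staple sent" from "staple sent and rejected by the client".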
--- /dev/null
+# OCSP stapling, client
+#
+#
+# Client works when we request but don't require OCSP stapling and none comes
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=""
+****
+exim norequire@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client works when we don't request OCSP stapling
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+exim nostaple@test.ex
+test message.
+****
+millisleep 500
+#
+#
+#
+#
+# Client accepts good stapled info
+exim CALLER@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+# Client fails on lack of required stapled info
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=""
+****
+exim CALLER@test.ex
+test message.
+****
+sleep 1
+killdaemon
+no_msglog_check
+#
+#
+#
+# Client fails on revoked stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+exim CALLER@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client fails on expired stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+exim CALLER@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
--- /dev/null
+support GnuTLS
+support OCSP
+running IPv4
--- /dev/null
+# OCSP stapling, client, tpda
+# duplicate of 5651
+#
+#
+# Client works when we request but don't require OCSP stapling and none comes
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=""
+****
+exim norequire@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client works when we request but don't require OCSP stapling and some arrives
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+exim norequire@test.ex
+test message.
+****
+millisleep 500
+#
+#
+#
+#
+# Client works when we don't request OCSP stapling
+exim nostaple@test.ex
+test message.
+****
+millisleep 500
+#
+#
+#
+#
+# Client accepts good stapled info
+exim good@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+# Client fails on lack of required stapled info
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=""
+****
+exim failrequire@test.ex
+test message.
+****
+sleep 1
+killdaemon
+no_msglog_check
+#
+#
+#
+# Client fails on revoked stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+exim failrevoked@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client fails on expired stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+exim failexpired@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
--- /dev/null
+support GnuTLS
+support OCSP
+support Experimental_TPDA
+running IPv4
--- /dev/null
+# TLS client: GnuTLS $tls_out_peercert
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim bad@test.ex
+Testing
+****
+exim good@test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+no_msglog_check
--- /dev/null
+support Experimental_TPDA
+support GnuTLS
--- /dev/null
+# TLS client: OpenSSL certificates and extractions
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim bad@test.ex
+Testing
+****
+exim good@test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+no_msglog_check
--- /dev/null
+support Experimental_TPDA
+support OpenSSL
/* A little hacked up program that makes a TCP/IP call and reads a script to
drive it, for testing Exim server code running as a daemon. It's got a bit
messy with the addition of support for either OpenSSL or GnuTLS. The code for
-those was hacked out of Exim itself, then code for OCSP stapling was ripped
-from the openssl ocsp and s_client utilities. */
+those was hacked out of Exim itself, then code for OpenSSL OCSP stapling was
+ripped from the openssl ocsp and s_client utilities. */
/* ANSI C standard includes */
latter needs a whole pile of tables. */
#ifdef HAVE_OPENSSL
-#define HAVE_TLS
-#include <openssl/crypto.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
-#include <openssl/ocsp.h>
-
-char * ocsp_stapling = NULL;
+# define HAVE_TLS
+# include <openssl/crypto.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+# include <openssl/ssl.h>
+# include <openssl/err.h>
+# include <openssl/rand.h>
+# include <openssl/ocsp.h>
#endif
#ifdef HAVE_GNUTLS
-#define HAVE_TLS
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
+# define HAVE_TLS
+# include <gnutls/gnutls.h>
+# include <gnutls/x509.h>
+# if GNUTLS_VERSION_NUMBER >= 0x030103
+# define HAVE_OCSP
+# include <gnutls/ocsp.h>
+# endif
-#define DH_BITS 768
+# define DH_BITS 768
/* Local static variables for GNUTLS */
static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 };
-#endif
+#endif /*HAVE_GNUTLS*/
+#ifdef HAVE_TLS
+char * ocsp_stapling = NULL;
+#endif
+
/*************************************************
* SIGALRM handler - crash out *
* Start an OpenSSL TLS session *
*************************************************/
-int tls_start(int sock, SSL **ssl, SSL_CTX *ctx)
+int
+tls_start(int sock, SSL **ssl, SSL_CTX *ctx)
{
int rc;
static const char *sid_ctx = "exim";
/* Associate the parameters with the x509 credentials structure. */
gnutls_certificate_set_dh_params(x509_cred, dh_params);
+
+/* set the CA info for server-cert verify */
+if (ocsp_stapling)
+ gnutls_certificate_set_x509_trust_file(x509_cred, ocsp_stapling,
+ GNUTLS_X509_FMT_PEM);
}
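Review bot: The return value of gnutls_certificate_set_x509_trust_file() is discarded in the added "if (ocsp_stapling)" block, so an unreadable or non-PEM file passes silently and only surfaces later as a certificate verification failure. Test for a negative return and print gnutls_strerror() for it before going on. The comment should also state that on a GnuTLS build the -ocsp argument is used as the CA file for server-certificate verification, because the variable name ocsp_stapling suggests a stapled response rather than a trust anchor.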
tls_on_connect = 1;
argi++;
}
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_TLS
else if (strcmp(argv[argi], "-ocsp") == 0)
{
if (argc < ++argi + 1)
}
ocsp_stapling = argv[argi++];
}
+
#endif
else if (argv[argi][1] == 't' && isdigit(argv[argi][2]))
{
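Review bot: Widening the guard from HAVE_OPENSSL to HAVE_TLS means -ocsp is now accepted on a GnuTLS build where HAVE_OCSP is not defined (GNUTLS_VERSION_NUMBER below 0x030103). In that build the "#ifdef HAVE_OCSP" blocks elsewhere in this patch compile away, so on the tls_on_connect path the client reports "Succeeded in starting TLS" without ever requesting or checking a stapled response, and a test that relies on -ocsp passes for the wrong reason. Reject the option, or print a clear unsupported message, when HAVE_GNUTLS is defined without HAVE_OCSP. The blank line added before #endif can be dropped.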
if (keyfile != NULL) printf("Key file = %s\n", keyfile);
tls_init(certfile, keyfile);
tls_session = tls_session_init();
+#ifdef HAVE_OCSP
+if (ocsp_stapling)
+ gnutls_ocsp_status_request_enable_client(tls_session, NULL, 0, NULL);
+#endif
gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)sock);
/* When the server asks for a certificate and the client does not have one,
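Review bot: The result of gnutls_ocsp_status_request_enable_client() is ignored in the added HAVE_OCSP block. If the call fails, no status request is sent and the later gnutls_ocsp_status_request_is_checked() test prints "Failed to verify certificate status", which blames the server for a client-side setup error. Capture the return code and report it with gnutls_strerror() at this point.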
if (!tls_active)
printf("Failed to start TLS\n");
+ #if defined(HAVE_GNUTLS) && defined(HAVE_OCSP)
+ else if ( ocsp_stapling
+ && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
+ printf("Failed to verify certificate status\n");
+ #endif
else
printf("Succeeded in starting TLS\n");
}
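Review bot: On this tls_on_connect path the added branch calls gnutls_ocsp_status_request_is_checked() without the gnutls_certificate_verify_peers2() call that the STARTTLS path in this same patch makes first. GnuTLS documents is_checked as something to call after peer verification, so unless verification already happens inside the handshake code not shown here, this branch can report a status failure for a response that was never evaluated, and it never reports "Bad certificate" at all. Run the same sequence in both places, ideally through one shared helper. The directives here are also indented ahead of the "#", unlike the "# define" style the include hunk adopts.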
{
if (lineptr[0] == '2')
{
+int rc;
+ unsigned int verify;
+
printf("Attempting to start TLS\n");
fflush(stdout);
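Review bot: "int rc;" and "unsigned int verify;" are declared unconditionally at the top of the block, but in the lines shown they are used only inside the "#ifdef HAVE_GNUTLS" branch added further down. An OpenSSL build will then warn about unused variables. Move both declarations inside the "else if (ocsp_stapling)" block, or wrap them in the same #ifdef.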
printf("Failed to start TLS\n");
fflush(stdout);
}
+ #ifdef HAVE_GNUTLS
+ else if (ocsp_stapling)
+ {
+ if ((rc= gnutls_certificate_verify_peers2(tls_session, &verify)) < 0)
+ {
+ printf("Failed to verify certificate: %s\n", gnutls_strerror(rc));
+ fflush(stdout);
+ }
+ else if (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
+ {
+ printf("Bad certificate\n");
+ fflush(stdout);
+ }
+ #ifdef HAVE_OCSP
+ else if (gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
+ {
+ printf("Failed to verify certificate status\n");
+ {
+ gnutls_datum_t stapling;
+ gnutls_ocsp_resp_t resp;
+ gnutls_datum_t printed;
+ if ( (rc= gnutls_ocsp_status_request_get(tls_session, &stapling)) == 0
+ && (rc= gnutls_ocsp_resp_init(&resp)) == 0
+ && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
+ && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
+ )
+ {
+ fprintf(stderr, "%.4096s", printed.data);
+ gnutls_free(printed.data);
+ }
+ else
+ (void) fprintf(stderr,"ocsp decode: %s", gnutls_strerror(rc));
+ }
+ fflush(stdout);
+ }
+ #endif
+ }
+ #endif
else
printf("Succeeded in starting TLS\n");
}
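Review bot: The trailing "else printf("Succeeded in starting TLS\n");" now binds to "else if (ocsp_stapling)", so when -ocsp is given and all three checks pass the client prints nothing, neither success nor failure. If that silence is intended, a comment should say so; otherwise print the success line at the end of the ocsp_stapling block. Two smaller points in the diagnostic branch: resp is initialised with gnutls_ocsp_resp_init() but never released with gnutls_ocsp_resp_deinit(), and the "ocsp decode: %s" format lacks a trailing newline while the fflush(stdout) that follows does not flush the stderr output written just above it.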
LOG: 10HmaX-0005vi-00 Subject is: ""
>>> warn: condition test succeeded in ACL "check_data"
>>> processing "deny"
+>>> message: reply_address=<$reply_address>
>>> deny: condition test succeeded in ACL "check_data"
LOG: 10HmaX-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<>
>>> processing "accept"
LOG: 10HmaY-0005vi-00 Subject is: ""
>>> warn: condition test succeeded in ACL "check_data"
>>> processing "deny"
+>>> message: reply_address=<$reply_address>
>>> deny: condition test succeeded in ACL "check_data"
LOG: 10HmaY-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<a@b>
>>> processing "accept"
LOG: 10HmaZ-0005vi-00 Subject is: ""
>>> warn: condition test succeeded in ACL "check_data"
>>> processing "deny"
+>>> message: reply_address=<$reply_address>
>>> deny: condition test succeeded in ACL "check_data"
LOG: 10HmaZ-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<c@d>
>>> processing "accept"
LOG: 10HmbA-0005vi-00 Subject is: ""
>>> warn: condition test succeeded in ACL "check_data"
>>> processing "deny"
+>>> message: reply_address=<$reply_address>
>>> deny: condition test succeeded in ACL "check_data"
LOG: 10HmbA-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<>
>>> processing "accept"
LOG: 10HmbB-0005vi-00 Subject is: ""
>>> warn: condition test succeeded in ACL "check_data"
>>> processing "deny"
+>>> message: reply_address=<$reply_address>
>>> deny: condition test succeeded in ACL "check_data"
LOG: 10HmbB-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<x@y>
>>> host in hosts_connection_nolog? no (option unset)
LOG: 10HmbC-0005vi-00 Subject is: "=?iso-8859-8?Q?_here_we_go=3A_a_string_that_is_going_to_be_encoded=3A_it_will_go_over_the_75-char_limit_by_a_long_way=3B_in_fact_this_one_will_go_over_the_150_character_limit?="
>>> warn: condition test succeeded in ACL "check_data"
>>> processing "deny"
+>>> message: reply_address=<$reply_address>
>>> deny: condition test succeeded in ACL "check_data"
LOG: 10HmbC-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<>
>>> host in hosts_connection_nolog? no (option unset)
LOG: 10HmbD-0005vi-00 Subject is: " here we go: a string that is going to be encoded: it will go over the 75-char limit by a long way; in fact this one will go over the 150 character limit"
>>> warn: condition test succeeded in ACL "check_data"
>>> processing "deny"
+>>> message: reply_address=<$reply_address>
>>> deny: condition test succeeded in ACL "check_data"
LOG: 10HmbD-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<>
Exim version x.yz ....
>>> host in "!localhost"? no (matched "!localhost")
>>> deny: condition test failed in ACL "check_etrn"
>>> processing "warn"
+>>> l_message: accepted $smtp_command
>>> warn: condition test succeeded in ACL "check_etrn"
LOG: H=[127.0.0.1] Warning: accepted etrn #some.random.domain
>>> processing "accept"
host in ": 10.9.8.7"? no (end of list)
deny: condition test failed in ACL "connect"
processing "drop"
+l_message: forcibly dropped
check hosts = 10.9.8.9
host in "10.9.8.9"? no (end of list)
drop: condition test failed in ACL "connect"
accept: condition test succeeded in ACL "connect"
using ACL "mail"
processing "warn"
+ message: added header line
check senders = ok@test3
address match test: subject=bad@test1 pattern=ok@test3
bad@test1 in "ok@test3"? no (end of list)
H=[10.9.8.8] U=CALLER rejected MAIL <bad@test1>
using ACL "mail"
processing "warn"
+ message: added header line
check senders = ok@test3
address match test: subject=ok@test1 pattern=ok@test3
test1 in "test3"? no (end of list)
host in ": 10.9.8.7"? no (end of list)
deny: condition test failed in ACL "connect"
processing "drop"
+l_message: forcibly dropped
check hosts = 10.9.8.9
host in "10.9.8.9"? no (end of list)
drop: condition test failed in ACL "connect"
accept: condition test succeeded in ACL "connect"
using ACL "mail"
processing "warn"
+ message: added header line
check senders = ok@test3
address match test: subject=ok@test3 pattern=ok@test3
test3 in "test3"? yes (matched "test3")
SMTP<< rcpt to:<warn_log@test.ex>
using ACL "warn_log"
processing "warn"
+l_message: warn log message
warn: condition test succeeded in ACL "warn_log"
LOG: MAIN
H=[V4NET.9.8.7] Warning: warn log message
SMTP<< rcpt to:<warn_user@test.ex>
using ACL "warn_user"
processing "warn"
+ message: warn user message
warn: condition test succeeded in ACL "warn_user"
processing "accept"
accept: condition test succeeded in ACL "warn_user"
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "defer"
>>> processing "defer"
+>>> message: forcibly deferred
>>> defer: condition test succeeded in ACL "defer"
LOG: H=[V4NET.9.8.7] F=<x@y> temporarily rejected RCPT <defer@y>: forcibly deferred
>>> using ACL "accept"
>>> accept: condition test succeeded in ACL "accept"
>>> using ACL "drop"
>>> processing "drop"
+>>> message: forcibly dropped
>>> drop: condition test succeeded in ACL "drop"
LOG: H=[V4NET.9.8.7] F=<x@y> rejected RCPT <drop@y>: forcibly dropped
LOG: SMTP connection from [V4NET.9.8.7] closed by DROP in ACL
>>> processing "deny"
>>> check hosts = net-lsearch;TESTSUITE/aux-var/0022.hosts
>>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"? yes (matched "net-lsearch;TESTSUITE/aux-var/0022.hosts")
+>>> message: host data >$host_data<
>>> deny: condition test succeeded in ACL "host_check"
LOG: H=[V4NET.9.8.7] F=<x@y> rejected RCPT <host_check@y>: host data >A host-specific message<
>>> using ACL "host_check"
>>> processing "deny"
>>> check hosts = net-lsearch;TESTSUITE/aux-var/0022.hosts
>>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"? yes (matched "net-lsearch;TESTSUITE/aux-var/0022.hosts")
+>>> message: host data >$host_data<
>>> deny: condition test succeeded in ACL "host_check"
LOG: H=[V4NET.9.8.7] F=<x@y> rejected RCPT <host_check@y>: host data >A host-specific message<
>>> using ACL "host_check2"
>>> processing "deny"
+>>> message: host data >$host_data<
>>> check hosts = +some_hosts
>>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"? yes (matched "net-lsearch;TESTSUITE/aux-var/0022.hosts")
>>> host in "+some_hosts"? yes (matched "+some_hosts")
LOG: H=[V4NET.9.8.7] F=<x@y> rejected RCPT <host_check2@y>: host data >A host-specific message<
>>> using ACL "host_check2"
>>> processing "deny"
+>>> message: host data >$host_data<
>>> check hosts = +some_hosts
>>> host in "+some_hosts"? yes (matched "+some_hosts" - cached)
>>> deny: condition test succeeded in ACL "host_check2"
>>> check acl = drop
>>> using ACL "drop"
>>> processing "drop"
+>>> message: forcibly dropped
>>> drop: condition test succeeded in ACL "drop"
>>> accept: condition test yielded "drop" in ACL "nested_drop"
>>> accept: endpass encountered - denying access
>>> check acl = drop
>>> using ACL "drop"
>>> processing "drop"
+>>> message: forcibly dropped
>>> drop: condition test succeeded in ACL "drop"
>>> require: condition test yielded "drop" in ACL "nested_drop_require"
LOG: H=[V4NET.9.8.7] F=<x@y> rejected RCPT <nested_drop_require@y>: forcibly dropped
>>> test.ex in "!nopass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "require"
+>>> message: $local_part@$domain shall not pass
>>> check domains = !wontpass
>>> test.ex in "!wontpass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "deny"
+>>> message: domain explicitly denied
+>>> l_message: DOMAIN EXPLICITLY DENIED
>>> check continue = this value is not used
>>> check domains = deny.test.ex
>>> test.ex in "deny.test.ex"? no (end of list)
>>> check domains = +local_domains
>>> test.ex in "test.ex : *.test.ex"? yes (matched "test.ex")
>>> test.ex in "+local_domains"? yes (matched "+local_domains")
+>>> message: $domain gets refused
>>> check domains = !refuse.test.ex
>>> test.ex in "!refuse.test.ex"? yes (end of list)
>>> accept: condition test succeeded in ACL "acl_1_2_3"
>>> z in "!nopass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "require"
+>>> message: $local_part@$domain shall not pass
>>> check domains = !wontpass
>>> z in "!wontpass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "deny"
+>>> message: domain explicitly denied
+>>> l_message: DOMAIN EXPLICITLY DENIED
>>> check continue = this value is not used
>>> check domains = deny.test.ex
>>> z in "deny.test.ex"? no (end of list)
>>> test.ex in "!nopass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "require"
+>>> message: $local_part@$domain shall not pass
>>> check domains = !wontpass
>>> test.ex in "!wontpass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "deny"
+>>> message: domain explicitly denied
+>>> l_message: DOMAIN EXPLICITLY DENIED
>>> check continue = this value is not used
>>> check domains = deny.test.ex
>>> test.ex in "deny.test.ex"? no (end of list)
>>> check domains = +local_domains
>>> test.ex in "test.ex : *.test.ex"? yes (matched "test.ex")
>>> test.ex in "+local_domains"? yes (matched "+local_domains")
+>>> message: $domain gets refused
>>> check domains = !refuse.test.ex
>>> test.ex in "!refuse.test.ex"? yes (end of list)
>>> accept: condition test succeeded in ACL "acl_1_2_3"
>>> test.ex in "!nopass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "require"
+>>> message: $local_part@$domain shall not pass
>>> check domains = !wontpass
>>> test.ex in "!wontpass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "deny"
+>>> message: domain explicitly denied
+>>> l_message: DOMAIN EXPLICITLY DENIED
>>> check continue = this value is not used
>>> check domains = deny.test.ex
>>> test.ex in "deny.test.ex"? no (end of list)
>>> check domains = +local_domains
>>> test.ex in "test.ex : *.test.ex"? yes (matched "test.ex")
>>> test.ex in "+local_domains"? yes (matched "+local_domains")
+>>> message: $domain gets refused
>>> check domains = !refuse.test.ex
>>> test.ex in "!refuse.test.ex"? yes (end of list)
>>> accept: condition test succeeded in ACL "acl_1_2_3"
>>> relay.test.ex in "!nopass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "require"
+>>> message: $local_part@$domain shall not pass
>>> check domains = !wontpass
>>> relay.test.ex in "!wontpass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "deny"
+>>> message: domain explicitly denied
+>>> l_message: DOMAIN EXPLICITLY DENIED
>>> check continue = this value is not used
>>> check domains = deny.test.ex
>>> relay.test.ex in "deny.test.ex"? no (end of list)
>>> check domains = +local_domains
>>> relay.test.ex in "test.ex : *.test.ex"? yes (matched "*.test.ex")
>>> relay.test.ex in "+local_domains"? yes (matched "+local_domains")
+>>> message: $domain gets refused
>>> check domains = !refuse.test.ex
>>> relay.test.ex in "!refuse.test.ex"? yes (end of list)
>>> accept: condition test succeeded in ACL "acl_1_2_3"
>>> deny.test.ex in "!nopass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "require"
+>>> message: $local_part@$domain shall not pass
>>> check domains = !wontpass
>>> deny.test.ex in "!wontpass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "deny"
+>>> message: domain explicitly denied
+>>> l_message: DOMAIN EXPLICITLY DENIED
>>> check continue = this value is not used
>>> check domains = deny.test.ex
>>> deny.test.ex in "deny.test.ex"? yes (matched "deny.test.ex")
>>> refuse.test.ex in "!nopass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "require"
+>>> message: $local_part@$domain shall not pass
>>> check domains = !wontpass
>>> refuse.test.ex in "!wontpass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "deny"
+>>> message: domain explicitly denied
+>>> l_message: DOMAIN EXPLICITLY DENIED
>>> check continue = this value is not used
>>> check domains = deny.test.ex
>>> refuse.test.ex in "deny.test.ex"? no (end of list)
>>> check domains = +local_domains
>>> refuse.test.ex in "test.ex : *.test.ex"? yes (matched "*.test.ex")
>>> refuse.test.ex in "+local_domains"? yes (matched "+local_domains")
+>>> message: $domain gets refused
>>> check domains = !refuse.test.ex
>>> refuse.test.ex in "!refuse.test.ex"? no (matched "!refuse.test.ex")
>>> accept: condition test failed in ACL "acl_1_2_3"
>>> wontpass in "!nopass"? yes (end of list)
>>> require: condition test succeeded in ACL "acl_1_2_3"
>>> processing "require"
+>>> message: $local_part@$domain shall not pass
>>> check domains = !wontpass
>>> wontpass in "!wontpass"? no (matched "!wontpass")
>>> require: condition test failed in ACL "acl_1_2_3"
>>> host in "+ok9_hosts"? no (end of list)
>>> accept: condition test failed in ACL "acl_9_9_9"
>>> processing "deny"
+>>> message: don't like this host
>>> check hosts = 9.9.9.0/26
>>> host in "9.9.9.0/26"? yes (matched "9.9.9.0/26")
>>> deny: condition test succeeded in ACL "acl_9_9_9"
>>> host in "+ok9_hosts"? no (end of list)
>>> accept: condition test failed in ACL "acl_9_9_9"
>>> processing "deny"
+>>> message: don't like this host
>>> check hosts = 9.9.9.0/26
>>> host in "9.9.9.0/26"? yes (matched "9.9.9.0/26")
>>> deny: condition test succeeded in ACL "acl_9_9_9"
>>> host in "+ok9_hosts"? no (end of list)
>>> accept: condition test failed in ACL "acl_9_9_9"
>>> processing "deny"
+>>> message: don't like this host
>>> check hosts = 9.9.9.0/26
>>> host in "9.9.9.0/26"? no (end of list)
>>> deny: condition test failed in ACL "acl_9_9_9"
>>> host in "+ok9_hosts"? no (end of list)
>>> accept: condition test failed in ACL "acl_9_9_9"
>>> processing "deny"
+>>> message: don't like this host
>>> check hosts = 9.9.9.0/26
>>> host in "9.9.9.0/26"? no (end of list)
>>> deny: condition test failed in ACL "acl_9_9_9"
>>> = no
>>> accept: condition test failed in ACL "acl_5_6_11"
>>> processing "deny"
+>>> message: "local part of wrong type\n(quotes are literal)
>>> deny: condition test succeeded in ACL "acl_5_6_11"
LOG: H=[5.6.11.1] F=<x@y> rejected RCPT <y2@y>: "local part of wrong type
>>> host in hosts_connection_nolog? no (option unset)
>>> processing "accept"
>>> check hosts = 5.6.12.1
>>> host in "5.6.12.1"? yes (matched "5.6.12.1")
+>>> message: failed nested acl
>>> check acl = acl_5_6_12A
>>> using ACL "acl_5_6_12A"
>>> processing "accept"
>>> processing "accept"
>>> check hosts = 5.6.12.1
>>> host in "5.6.12.1"? yes (matched "5.6.12.1")
+>>> message: failed nested acl
>>> check acl = acl_5_6_12A
>>> using ACL "acl_5_6_12A"
>>> processing "accept"
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_V4NET_11_12"
>>> processing "deny"
+>>> message: host in DNS list $dnslist_domain: $dnslist_text
+>>> l_message: DNSLIST ($dnslist_domain: $dnslist_text)
>>> check dnslists = rbl.test.ex
>>> DNS list check: rbl.test.ex
>>> new DNS lookup for 13.12.11.V4NET.rbl.test.ex
LOG: H=[V4NET.11.12.13] F=<x@y> rejected RCPT <x@y>: DNSLIST (rbl.test.ex: This is a test blacklisting message)
>>> using ACL "acl_V4NET_11_12"
>>> processing "deny"
+>>> message: host in DNS list $dnslist_domain: $dnslist_text
+>>> l_message: DNSLIST ($dnslist_domain: $dnslist_text)
>>> check dnslists = rbl.test.ex
>>> DNS list check: rbl.test.ex
>>> using result of previous DNS lookup
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_V4NET_11_12"
>>> processing "deny"
+>>> message: host in DNS list $dnslist_domain: $dnslist_text
+>>> l_message: DNSLIST ($dnslist_domain: $dnslist_text)
>>> check dnslists = rbl.test.ex
>>> DNS list check: rbl.test.ex
>>> new DNS lookup for 12.12.11.V4NET.rbl.test.ex
>>> accept: condition test succeeded in ACL "acl_V4NET_11_12"
>>> using ACL "acl_V4NET_11_12"
>>> processing "deny"
+>>> message: host in DNS list $dnslist_domain: $dnslist_text
+>>> l_message: DNSLIST ($dnslist_domain: $dnslist_text)
>>> check dnslists = rbl.test.ex
>>> DNS list check: rbl.test.ex
>>> using result of previous DNS lookup
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_20_20_20"
>>> processing "accept"
+>>> message: sender verify failure
>>> check verify = sender
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing x@y
LOG: H=[20.20.20.20] F=<x@y> rejected RCPT <x1@y>: Sender verify failed
>>> using ACL "acl_20_20_20"
>>> processing "accept"
+>>> message: sender verify failure
>>> check verify = sender
>>> using cached sender verify result
>>> accept: condition test failed in ACL "acl_20_20_20"
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_20_20_20"
>>> processing "accept"
+>>> message: sender verify failure
>>> check verify = sender
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing userx@y
>>> calling r1 router
>>> routed by r1 router
>>> ----------- end verify ------------
+>>> message: recipient verify failure
>>> check verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing x1@y
LOG: H=[20.20.20.20] F=<userx@y> rejected RCPT <x1@y>: Unrouteable address
>>> using ACL "acl_20_20_20"
>>> processing "accept"
+>>> message: sender verify failure
>>> check verify = sender
>>> using cached sender verify result
+>>> message: recipient verify failure
>>> check verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing userx@y
>>> processing "deny"
>>> check hosts = 23.23.23.0
>>> host in "23.23.23.0"? yes (matched "23.23.23.0")
+>>> message: sender must verify
>>> check !verify = sender
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing x@y
>>> processing "deny"
>>> check hosts = 23.23.23.0
>>> host in "23.23.23.0"? yes (matched "23.23.23.0")
+>>> message: sender must verify
>>> check !verify = sender
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing userx@y
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_24_24_24"
>>> processing "warn"
+>>> message: X-Warn: sender didn't verify
>>> check condition = yes
>>> warn: condition test succeeded in ACL "acl_24_24_24"
>>> end of ACL "acl_24_24_24": implicit DENY
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_25_25_25"
>>> processing "deny"
+>>> message: denying domains=x
>>> check domains = x
>>> y in "x"? no (end of list)
>>> deny: condition test failed in ACL "acl_25_25_25"
>>> processing "deny"
>>> check senders = :
>>> in ":"? yes (matched "")
+>>> message: bounce messages can have only one recipient
>>> check condition = ${if > {$recipients_count}{0}{yes}{no}}
>>> = no
>>> deny: condition test failed in ACL "acl_26_26_26"
>>> processing "deny"
>>> check senders = :
>>> in ":"? yes (matched "")
+>>> message: bounce messages can have only one recipient
>>> check condition = ${if > {$recipients_count}{0}{yes}{no}}
>>> = yes
>>> deny: condition test succeeded in ACL "acl_26_26_26"
>>> processing "deny"
>>> check senders = :
>>> in ":"? yes (matched "")
+>>> message: bounce messages can have only one recipient
>>> check condition = ${if > {$recipients_count}{0}{yes}{no}}
>>> = yes
>>> deny: condition test succeeded in ACL "acl_26_26_26"
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_30_30_30"
>>> processing "deny"
+>>> message: domain=$dnslist_domain\nvalue=$dnslist_value\nmatched=$dnslist_matched\ntext="$dnslist_text"
>>> check dnslists = test.ex=V4NET.0.0.1,127.0.0.2/$sender_address_domain
>>> = test.ex=V4NET.0.0.1,127.0.0.2/ten-1
>>> DNS list check: test.ex=V4NET.0.0.1,127.0.0.2/ten-1
LOG: H=[30.30.30.30] F=<a@ten-1> rejected RCPT <x@y>: domain=test.ex
>>> using ACL "acl_30_30_30"
>>> processing "deny"
+>>> message: domain=$dnslist_domain\nvalue=$dnslist_value\nmatched=$dnslist_matched\ntext="$dnslist_text"
>>> check dnslists = test.ex=V4NET.0.0.1,127.0.0.2/$sender_address_domain
>>> = test.ex=V4NET.0.0.1,127.0.0.2/ten-2
>>> DNS list check: test.ex=V4NET.0.0.1,127.0.0.2/ten-2
>>> host in smtp_accept_max_nonmail_hosts? yes (matched "*")
>>> using ACL "acl_30_30_30"
>>> processing "deny"
+>>> message: domain=$dnslist_domain\nvalue=$dnslist_value\nmatched=$dnslist_matched\ntext="$dnslist_text"
>>> check dnslists = test.ex=V4NET.0.0.1,127.0.0.2/$sender_address_domain
>>> = test.ex=V4NET.0.0.1,127.0.0.2/13.12.11.V4NET.rbl
>>> DNS list check: test.ex=V4NET.0.0.1,127.0.0.2/13.12.11.V4NET.rbl
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_33_33_33"
>>> processing "accept"
+>>> message: sender verify failure
>>> check verify = sender/no_details
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing x@y
LOG: H=[33.33.33.33] F=<x@y> rejected RCPT <x1@y>: Sender verify failed
>>> using ACL "acl_33_33_33"
>>> processing "accept"
+>>> message: sender verify failure
>>> check verify = sender/no_details
>>> using cached sender verify result
>>> accept: condition test failed in ACL "acl_33_33_33"
>>> host in ignore_fromline_hosts? no (option unset)
>>> using ACL "acl_data"
>>> processing "deny"
+>>> l_message: body contains trigger
>>> check condition = ${if match{$message_body}{trigger}{yes}{no}}
>>> = no
>>> deny: condition test failed in ACL "acl_data"
>>> host in ignore_fromline_hosts? no (option unset)
>>> using ACL "acl_data"
>>> processing "deny"
+>>> l_message: body contains trigger
>>> check condition = ${if match{$message_body}{trigger}{yes}{no}}
>>> = yes
>>> deny: condition test succeeded in ACL "acl_data"
>>> ratelimit initializing new key's rate data
>>> ratelimit db updated
>>> ratelimit computed rate 1.0
+>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_rcpt"
LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "accept"
>>> check ratelimit = 0/1h/per_byte/strict
>>> ratelimit condition count=19 0.0/1h/per_mail/V4NET.9.8.7
>>> ratelimit found pre-computed rate 1.0
+>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_data"
LOG: 10HmaX-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "deny"
>>> ratelimit found key in database
>>> ratelimit db updated
>>> ratelimit computed rate 2.0
+>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_rcpt"
LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=2.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "accept"
>>> check ratelimit = 0/1h/per_byte/strict
>>> ratelimit condition count=19 0.0/1h/per_mail/V4NET.9.8.7
>>> ratelimit found pre-computed rate 2.0
+>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_data"
LOG: 10HmaY-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=2.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "deny"
>>> ratelimit initializing new key's rate data
>>> ratelimit db updated
>>> ratelimit computed rate 1.0
+>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_rcpt"
LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "accept"
>>> check ratelimit = 0/1h/per_conn/strict
>>> ratelimit condition count=1 0.0/1h/per_conn/V4NET.9.8.7
>>> ratelimit found pre-computed rate 1.0
+>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_data"
LOG: 10HmaZ-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "deny"
>>> ratelimit found key in database
>>> ratelimit db updated
>>> ratelimit computed rate 2.0
+>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_rcpt"
LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=2.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "accept"
>>> check ratelimit = 0/1h/per_conn/strict
>>> ratelimit condition count=1 0.0/1h/per_conn/V4NET.9.8.7
>>> ratelimit found pre-computed rate 2.0
+>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_data"
LOG: 10HmbA-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=2.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "deny"
>>> ratelimit initializing new key's rate data
>>> ratelimit db not updated: over the limit, but leaky
>>> ratelimit computed rate 1.0
+>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_rcpt"
LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "accept"
>>> ratelimit initializing new key's rate data
>>> ratelimit db not updated: over the limit, but leaky
>>> ratelimit computed rate 1.0
+>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_rcpt"
>>> processing "accept"
>>> accept: condition test succeeded in ACL "check_rcpt"
>>> ratelimit initializing new key's rate data
>>> ratelimit db not updated: over the limit, but leaky
>>> ratelimit computed rate 1.0
+>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_rcpt"
>>> processing "accept"
>>> accept: condition test succeeded in ACL "check_rcpt"
>>> ratelimit found key in database
>>> ratelimit db not updated: over the limit, but leaky
>>> ratelimit computed rate 3.0
+>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_data"
LOG: 10HmbB-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=3.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "deny"
>>> ratelimit initializing new key's rate data
>>> ratelimit db updated
>>> ratelimit computed rate 19.0
+>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period
>>> warn: condition test succeeded in ACL "check_data"
LOG: 10HmbC-0005vi-00 H=(test.ex) [V4NET.9.8.6] Warning: DATA: sender_rate=19.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "deny"
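Review bot: The new "message:" and "l_message:" debug lines in these expected outputs print the modifier text unexpanded (for example "reply_address=<$reply_address>" and the "$dnslist_domain: $dnslist_text" pair), and they appear even where the verb's condition then fails, as in the acl_25_25_25 "denying domains=x" case. The debug documentation should state that this line records the modifier as configured, not the text that is sent or logged, so a reader compares it with the following LOG line rather than treating it as the response. It would also help to note that the "message:" form is padded to align with "l_message:", since the non-">>>" outputs show both "+l_message: forcibly dropped" and "+ message: added header line".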
--- /dev/null
+-oMm must be a valid message ID
+-oMm must be called by a trusted user/config
>>> ----------- end verify ------------
>>> require: condition test succeeded in ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing postmaster@exim.test.ex
>>> using cached sender verify result
>>> require: condition test succeeded in ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing junkjunk@exim.test.ex
>>> using cached sender verify result
>>> require: condition test succeeded in ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing fail@exim.test.ex
>>> postmaster@exim.test.ex in "myfriend@*"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: host is listed in $dnslist_domain
>>> check dnslists = rbl.test.ex
>>> DNS list check: rbl.test.ex
>>> new DNS lookup for 13.12.11.V4NET.rbl.test.ex
>>> anotherhost.example.com in "+relay_domains"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.0.0.1] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
>>> 3rdhost.example.com in percent_hack_domains? no (end of list)
>>> 3rdhost.example.com in "+relay_domains"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.0.0.1] F=<userx@somehost.example.com> rejected RCPT <userx@3rdhost.example.com>: relay not permitted
LOG: 10HmaX-0005vi-00 <= userx@somehost.example.com H=[V4NET.0.0.1] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.0.0.1] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmaX-0005vi-00 <= userx@somehost.example.com H=[V4NET.0.0.1] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.0.0.2] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmaY-0005vi-00 <= userx@somehost.example.com H=[V4NET.0.0.2] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.255.0.1] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmbB-0005vi-00 <= userx@somehost.example.com H=[V4NET.255.0.1] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.255.0.2] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmbC-0005vi-00 <= userx@somehost.example.com H=[V4NET.255.0.2] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.255.0.3] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmbD-0005vi-00 <= userx@somehost.example.com H=[V4NET.255.0.3] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.255.0.4] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmbE-0005vi-00 <= userx@somehost.example.com H=[V4NET.255.0.4] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.0.0.2] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmaY-0005vi-00 <= userx@somehost.example.com H=[V4NET.0.0.2] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=ten-1.test.ex [V4NET.0.0.1] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
>>> using ACL "check_message"
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=ten-1.test.ex [V4NET.0.0.1] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmaX-0005vi-00 <= userx@somehost.example.com H=ten-1.test.ex [V4NET.0.0.1] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=ten-1.test.ex [V4NET.0.0.1] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmaX-0005vi-00 <= userx@somehost.example.com H=ten-1.test.ex [V4NET.0.0.1] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[1.2.3.5] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmaY-0005vi-00 <= userx@somehost.example.com H=[1.2.3.5] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[1.3.2.4] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmbA-0005vi-00 <= userx@somehost.example.com H=[1.3.2.4] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[1.2.3.5] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmaY-0005vi-00 <= userx@somehost.example.com H=[1.2.3.5] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[1.3.2.4] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmbA-0005vi-00 <= userx@somehost.example.com H=[1.3.2.4] P=smtp S=sss
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.11.12.13] F=<userx@somehost.example.com> rejected RCPT <userx@anotherhost.example.com>: relay not permitted
LOG: 10HmbE-0005vi-00 <= userx@somehost.example.com H=[V4NET.11.12.13] P=smtp S=sss
>>> host in "non.existent.invalid : V4NET.0.0.13"? no (failed to find IP address for non.existent.invalid)
>>> accept: condition test failed in ACL "check_recipienty"
>>> processing "deny"
+>>> message: "Denied"
>>> deny: condition test succeeded in ACL "check_recipienty"
LOG: H=[V4NET.0.0.13] F=<userx@test.ex> rejected RCPT <y@test.ex>: "Denied"
>>> host in hosts_connection_nolog? no (option unset)
LOG: list matching forced to fail: failed to find IP address for non.existent.invalid
>>> accept: condition test failed in ACL "check_recipienty"
>>> processing "deny"
+>>> message: "Denied"
>>> deny: condition test succeeded in ACL "check_recipienty"
LOG: H=[V4NET.0.0.13] F=<userx@test.ex> rejected RCPT <y@test.ex>: "Denied"
>>> host in hosts_connection_nolog? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "rcpt"
>>> processing "require"
+>>> message: helo not verified
>>> check verify = helo
>>> verifying EHLO/HELO argument "NULL"
>>> no EHLO/HELO command was issued
>>> HELO verification failed but host is in helo_try_verify_hosts
>>> using ACL "rcpt"
>>> processing "require"
+>>> message: helo not verified
>>> check verify = helo
>>> require: condition test failed in ACL "rcpt"
LOG: H=([V4NET.0.0.1]) [V4NET.0.0.2] F=<a@b> rejected RCPT <c@d>: helo not verified
>>> matched host address
>>> using ACL "rcpt"
>>> processing "require"
+>>> message: helo not verified
>>> check verify = helo
>>> require: condition test succeeded in ACL "rcpt"
>>> processing "deny"
+>>> message: helo did verify
>>> deny: condition test succeeded in ACL "rcpt"
LOG: H=([V4NET.0.0.2]) [V4NET.0.0.2] F=<a@b> rejected RCPT <c@d>: helo did verify
>>> host in hosts_connection_nolog? no (option unset)
>>> [V4NET.0.0.99] in helo_lookup_domains? no (end of list)
>>> using ACL "rcpt"
>>> processing "require"
+>>> message: helo not verified
>>> check verify = helo
>>> verifying EHLO/HELO argument "[V4NET.0.0.99]"
>>> require: condition test failed in ACL "rcpt"
>>> [V4NET.0.0.13] in helo_lookup_domains? no (end of list)
>>> using ACL "rcpt"
>>> processing "require"
+>>> message: helo not verified
>>> check verify = helo
>>> verifying EHLO/HELO argument "[V4NET.0.0.13]"
>>> matched host address
>>> require: condition test succeeded in ACL "rcpt"
>>> processing "deny"
+>>> message: helo did verify
>>> deny: condition test succeeded in ACL "rcpt"
LOG: H=([V4NET.0.0.13]) [V4NET.0.0.13] F=<a@b> rejected RCPT <c@d>: helo did verify
>>> host in hosts_connection_nolog? no (option unset)
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> using ACL "rcpt"
>>> processing "require"
+>>> message: helo not verified
>>> check verify = helo
>>> verifying EHLO/HELO argument "rhubarb"
>>> looking up host name for 99.99.99.99
>>> host in ":"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "warn"
+>>> message: X-Warning: $sender_host_address is blacklisted at $dnslist_domain
+>>> l_message: $sender_host_address is in $dnslist_domain
>>> check dnslists = rbl.test.ex
>>> DNS list check: rbl.test.ex
>>> new DNS lookup for 14.12.11.V4NET.rbl.test.ex
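Review bot: the trace label `l_message:` on the second added line does not match the modifier name `log_message` that an administrator writes in the ACL, so searching debug output for the configured keyword finds nothing. If the short form exists only to line up with the `message:` label above it, consider printing the full name anyway, or document the label where ACL debug output is described.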
>>> warn: condition test succeeded in ACL "check_recipient"
LOG: H=(exim.test.ex) [V4NET.11.12.14] Warning: V4NET.11.12.14 is in rbl.test.ex
>>> processing "warn"
+>>> message: X-Warning: $sender_host_address is blacklisted at $dnslist_domain
+>>> l_message: accepting postmaster from host in $dnslist_domain
>>> check recipients = postmaster@exim.test.ex
>>> exim.test.ex in "exim.test.ex"? yes (matched "exim.test.ex")
>>> postmaster@exim.test.ex in "postmaster@exim.test.ex"? yes (matched "postmaster@exim.test.ex")
>>> host in ":"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "warn"
+>>> message: X-Warning: $sender_host_address is blacklisted at $dnslist_domain
+>>> l_message: $sender_host_address is in $dnslist_domain
>>> check dnslists = rbl.test.ex
>>> DNS list check: rbl.test.ex
>>> using result of previous DNS lookup
>>> => that means V4NET.11.12.14 is listed at rbl.test.ex
>>> warn: condition test succeeded in ACL "check_recipient"
>>> processing "warn"
+>>> message: X-Warning: $sender_host_address is blacklisted at $dnslist_domain
+>>> l_message: accepting postmaster from host in $dnslist_domain
>>> check recipients = postmaster@exim.test.ex
>>> list@exim.test.ex in "postmaster@exim.test.ex"? no (end of list)
>>> warn: condition test failed in ACL "check_recipient"
>>> list@exim.test.ex in "postmaster@exim.test.ex"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: host is listed in $dnslist_domain
>>> check dnslists = rbl2.test.ex
>>> DNS list check: rbl2.test.ex
>>> using result of previous DNS lookup
>>> list@exim.test.ex in "postmaster@exim.test.ex"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: host is listed in $dnslist_domain
>>> check dnslists = rbl.test.ex:rbl2.test.ex
>>> DNS list check: rbl.test.ex
>>> new DNS lookup for 14.12.11.V4NET.rbl.test.ex
>>> else.where in "+relay_domains"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=(abc_xyz) [V4NET.0.0.0] F=<userx@cus.cam.ac.uk> rejected RCPT <userx@else.where>: relay not permitted
>>> host in hosts_connection_nolog? no (option unset)
>>> relay.two.ex in "+relay_domains"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=ten-99.test.ex (@#$%^&*()) [V4NET.0.0.99] F=<root@myhost.test.ex> rejected RCPT <yy@relay.two.ex>: relay not permitted
>>> host in ":"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check recipients = verify@test.ex
>>> userx@test.ex in "verify@test.ex"? no (end of list)
>>> deny: condition test failed in ACL "check_recipient"
>>> host in ":"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check recipients = verify@test.ex
>>> test.ex in "test.ex"? yes (matched "test.ex")
>>> verify@test.ex in "verify@test.ex"? yes (matched "verify@test.ex")
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.11.12.13] F=<userx@cam.ac.uk> rejected RCPT <userx@cam.ac.uk>: relay not permitted
>>> host in hosts_connection_nolog? no (option unset)
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=ten-1.test.ex [V4NET.0.0.1] F=<userx@cam.ac.uk> rejected RCPT <userx@cam.ac.uk>: relay not permitted
Exim version x.yz ....
host in "+relay_hosts"? no (end of list)
accept: condition test failed in ACL "check_recipient"
processing "deny"
+ message: relay not permitted
deny: condition test succeeded in ACL "check_recipient"
SMTP>> 550 relay not permitted
LOG: MAIN REJECT
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.0.0.97] F=<userx@test.ex> rejected RCPT <userx@external.test.ex>: relay not permitted
>>> using ACL "check_recipient"
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.0.0.97] F=<userx@test.ex> rejected RCPT <userx@external.test.ex>: relay not permitted
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing userx@not.test.ex
>>> => that means V4NET.11.12.13 is not listed at rbl3.test.ex
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: host is listed in $dnslist_domain
>>> check dnslists = rbl2.test.ex
>>> DNS list check: rbl2.test.ex
>>> new DNS lookup for 13.12.11.V4NET.rbl2.test.ex
>>> => that means V4NET.11.12.13 is not listed at rbl2.test.ex
>>> deny: condition test failed in ACL "check_recipient"
>>> processing "warn"
+>>> message: X-Warning: $sender_host_address is listed at $dnslist_domain
>>> check dnslists = rbl.test.ex
>>> DNS list check: rbl.test.ex
>>> new DNS lookup for 13.12.11.V4NET.rbl.test.ex
>>> ----------- end verify ------------
>>> require: condition test succeeded in ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing userx@exim.test.ex
>>> accept: condition test succeeded in ACL "check_mail"
>>> using ACL "check_recipient"
>>> processing "warn"
+>>> message: X-Warn: host is listed in $dnslist_domain but not =127.0.0.3${if def:dnslist_text{\n $dnslist_text}}
>>> check dnslists = rbl3.test.ex!=127.0.0.3
>>> DNS list check: rbl3.test.ex!=127.0.0.3
>>> new DNS lookup for 14.12.11.V4NET.rbl3.test.ex
>>> => that means V4NET.11.12.14 is listed at rbl3.test.ex
>>> warn: condition test succeeded in ACL "check_recipient"
>>> processing "deny"
+>>> message: host is listed in $dnslist_domain with value 127.0.0.3${if def:dnslist_text{\n$dnslist_text}}
>>> check dnslists = rbl3.test.ex=127.0.0.3
>>> DNS list check: rbl3.test.ex=127.0.0.3
>>> using result of previous DNS lookup
>>> ----------- end verify ------------
>>> require: condition test succeeded in ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing userx@exim.test.ex
>>> accept: condition test succeeded in ACL "check_recipient"
>>> using ACL "check_recipient"
>>> processing "warn"
+>>> message: X-Warn: host is listed in $dnslist_domain but not =127.0.0.3${if def:dnslist_text{\n $dnslist_text}}
>>> check dnslists = rbl3.test.ex!=127.0.0.3
>>> DNS list check: rbl3.test.ex!=127.0.0.3
>>> using result of previous DNS lookup
>>> => that means V4NET.11.12.14 is listed at rbl3.test.ex
>>> warn: condition test succeeded in ACL "check_recipient"
>>> processing "deny"
+>>> message: host is listed in $dnslist_domain with value 127.0.0.3${if def:dnslist_text{\n$dnslist_text}}
>>> check dnslists = rbl3.test.ex=127.0.0.3
>>> DNS list check: rbl3.test.ex=127.0.0.3
>>> using result of previous DNS lookup
>>> using cached sender verify result
>>> require: condition test succeeded in ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing list@exim.test.ex
>>> accept: condition test succeeded in ACL "check_mail"
>>> using ACL "check_recipient"
>>> processing "warn"
+>>> message: X-Warn: host is listed in $dnslist_domain but not =127.0.0.3${if def:dnslist_text{\n $dnslist_text}}
>>> check dnslists = rbl3.test.ex!=127.0.0.3
>>> DNS list check: rbl3.test.ex!=127.0.0.3
>>> new DNS lookup for 15.12.11.V4NET.rbl3.test.ex
>>> => there was an exclude match for =127.0.0.3
>>> warn: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: host is listed in $dnslist_domain with value 127.0.0.3${if def:dnslist_text{\n$dnslist_text}}
>>> check dnslists = rbl3.test.ex=127.0.0.3
>>> DNS list check: rbl3.test.ex=127.0.0.3
>>> using result of previous DNS lookup
>>> processing "accept"
>>> check hosts = V4NET.0.0.1
>>> host in "V4NET.0.0.1"? yes (matched "V4NET.0.0.1")
+>>> message: invalid sender
>>> check senders = userx@test.ex
>>> x@y.z in "userx@test.ex"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
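Review bot: in this accept block the added `message: invalid sender` line is traced at the position the modifier occupies in the ACL, between the `hosts` and `senders` conditions, and the statement then ends with "accept: condition test failed", so the trace does not show whether the text is ever used. A reader scanning for the reason a recipient was refused can mistake it for the outcome. Consider a label that makes clear the text is only being set at this point (for example "message set:"), or note this ordering in the debug documentation.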
>>> processing "accept"
>>> check hosts = V4NET.0.0.1
>>> host in "V4NET.0.0.1"? yes (matched "V4NET.0.0.1")
+>>> message: invalid sender
>>> check senders = userx@test.ex
>>> test.ex in "test.ex"? yes (matched "test.ex")
>>> userx@test.ex in "userx@test.ex"? yes (matched "userx@test.ex")
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.0.0.3] F=<x@y.z> rejected RCPT <a@b.c>: relay not permitted
>>> using ACL "check_recipient"
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.0.0.3] F=<userx@test.ex> rejected RCPT <a@b.c>: relay not permitted
>>> d in "+relay_domains"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=[V4NET.0.0.0] F=<a@b> rejected RCPT <c@d>: relay not permitted
>>> using ACL "check_recipient"
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> using ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing faq@nl.demon.net
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing oklist@listr.test.ex
>>> accept: condition test succeeded in ACL "check_recipient"
>>> using ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing oklist@listr.test.ex
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_rcpt_1"
>>> processing "require"
+>>> message: domain doesn't match @ or @[]
>>> check domains = @ : @[]
>>> myhost.test.ex in "@ : @[]"? yes (matched "@")
>>> require: condition test succeeded in ACL "acl_rcpt_1"
>>> accept: condition test succeeded in ACL "acl_rcpt_1"
>>> using ACL "acl_rcpt_1"
>>> processing "require"
+>>> message: domain doesn't match @ or @[]
>>> check domains = @ : @[]
>>> [127.0.0.1] in "@ : @[]"? yes (matched "@[]")
>>> require: condition test succeeded in ACL "acl_rcpt_1"
>>> accept: condition test succeeded in ACL "acl_rcpt_1"
>>> using ACL "acl_rcpt_1"
>>> processing "require"
+>>> message: domain doesn't match @ or @[]
>>> check domains = @ : @[]
>>> else.where in "@ : @[]"? no (end of list)
>>> require: condition test failed in ACL "acl_rcpt_1"
LOG: H=[V4NET.1.1.1] F=<x@y> rejected RCPT <1@else.where>: domain doesn't match @ or @[]
>>> using ACL "acl_rcpt_2"
>>> processing "require"
+>>> message: domain doesn't match @mx_any
>>> check domains = @mx_any
>>> other1.test.ex in hosts_treat_as_local? yes (matched "other1.test.ex")
>>> local host has lowest MX
>>> accept: condition test succeeded in ACL "acl_rcpt_2"
>>> using ACL "acl_rcpt_2"
>>> processing "require"
+>>> message: domain doesn't match @mx_any
>>> check domains = @mx_any
>>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list)
>>> local host has lowest MX
>>> accept: condition test succeeded in ACL "acl_rcpt_2"
>>> using ACL "acl_rcpt_2"
>>> processing "require"
+>>> message: domain doesn't match @mx_any
>>> check domains = @mx_any
>>> ten-1.test.ex in hosts_treat_as_local? no (end of list)
>>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list)
>>> accept: condition test succeeded in ACL "acl_rcpt_2"
>>> using ACL "acl_rcpt_2"
>>> processing "require"
+>>> message: domain doesn't match @mx_any
>>> check domains = @mx_any
>>> ten-1.test.ex in hosts_treat_as_local? no (end of list)
>>> ten-2.test.ex in hosts_treat_as_local? no (end of list)
LOG: H=[V4NET.1.1.1] F=<x@y> rejected RCPT <2@mxt9.test.ex>: domain doesn't match @mx_any
>>> using ACL "acl_rcpt_2"
>>> processing "require"
+>>> message: domain doesn't match @mx_any
>>> check domains = @mx_any
>>> mxnone.test.ex in "@mx_any"? no (end of list)
>>> require: condition test failed in ACL "acl_rcpt_2"
LOG: H=[V4NET.1.1.1] F=<x@y> rejected RCPT <2@mxnone.test.ex>: domain doesn't match @mx_any
>>> using ACL "acl_rcpt_3"
>>> processing "require"
+>>> message: domain doesn't match @mx_primary
>>> check domains = @mx_primary
>>> ten-1.test.ex in hosts_treat_as_local? no (end of list)
>>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list)
>>> accept: condition test succeeded in ACL "acl_rcpt_3"
>>> using ACL "acl_rcpt_3"
>>> processing "require"
+>>> message: domain doesn't match @mx_primary
>>> check domains = @mx_primary
>>> ten-1.test.ex in hosts_treat_as_local? no (end of list)
>>> ten-2.test.ex in hosts_treat_as_local? no (end of list)
LOG: H=[V4NET.1.1.1] F=<x@y> rejected RCPT <3@mxt6.test.ex>: domain doesn't match @mx_primary
>>> using ACL "acl_rcpt_3"
>>> processing "require"
+>>> message: domain doesn't match @mx_primary
>>> check domains = @mx_primary
>>> ten-1.test.ex in hosts_treat_as_local? no (end of list)
>>> ten-2.test.ex in hosts_treat_as_local? no (end of list)
LOG: H=[V4NET.1.1.1] F=<x@y> rejected RCPT <3@mxt9.test.ex>: domain doesn't match @mx_primary
>>> using ACL "acl_rcpt_3"
>>> processing "require"
+>>> message: domain doesn't match @mx_primary
>>> check domains = @mx_primary
>>> mxnone.test.ex in "@mx_primary"? no (end of list)
>>> require: condition test failed in ACL "acl_rcpt_3"
LOG: H=[V4NET.1.1.1] F=<x@y> rejected RCPT <3@mxnone.test.ex>: domain doesn't match @mx_primary
>>> using ACL "acl_rcpt_4"
>>> processing "require"
+>>> message: domain doesn't match @mx_secondary
>>> check domains = @mx_secondary
>>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list)
>>> local host has lowest MX
LOG: H=[V4NET.1.1.1] F=<x@y> rejected RCPT <4@mxt5.test.ex>: domain doesn't match @mx_secondary
>>> using ACL "acl_rcpt_4"
>>> processing "require"
+>>> message: domain doesn't match @mx_secondary
>>> check domains = @mx_secondary
>>> ten-1.test.ex in hosts_treat_as_local? no (end of list)
>>> ten-2.test.ex in hosts_treat_as_local? no (end of list)
>>> accept: condition test succeeded in ACL "acl_rcpt_4"
>>> using ACL "acl_rcpt_4"
>>> processing "require"
+>>> message: domain doesn't match @mx_secondary
>>> check domains = @mx_secondary
>>> ten-1.test.ex in hosts_treat_as_local? no (end of list)
>>> ten-2.test.ex in hosts_treat_as_local? no (end of list)
LOG: H=[V4NET.1.1.1] F=<x@y> rejected RCPT <4@mxt9.test.ex>: domain doesn't match @mx_secondary
>>> using ACL "acl_rcpt_4"
>>> processing "require"
+>>> message: domain doesn't match @mx_secondary
>>> check domains = @mx_secondary
>>> mxnone.test.ex in "@mx_secondary"? no (end of list)
>>> require: condition test failed in ACL "acl_rcpt_4"
LOG: H=[V4NET.1.1.1] F=<x@y> rejected RCPT <4@mxnone.test.ex>: domain doesn't match @mx_secondary
>>> using ACL "acl_rcpt_5"
>>> processing "require"
+>>> message: host doesn't match @ or @[]
>>> check hosts = @ : @[]
MUNGED: ::1 will be omitted in what follows
>>> get[host|ipnode]byname[2] looked up these IP addresses:
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_rcpt_5"
>>> processing "require"
+>>> message: host doesn't match @ or @[]
>>> check hosts = @ : @[]
MUNGED: ::1 will be omitted in what follows
>>> get[host|ipnode]byname[2] looked up these IP addresses:
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_rcpt_5"
>>> processing "require"
+>>> message: host doesn't match @ or @[]
>>> check hosts = @ : @[]
MUNGED: ::1 will be omitted in what follows
>>> get[host|ipnode]byname[2] looked up these IP addresses:
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_rcpt_2"
>>> processing "require"
+>>> message: domain doesn't match @mx_any
>>> check domains = @mx_any
>>> not-exist.test.ex in hosts_treat_as_local? no (end of list)
>>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list)
>>> accept: condition test succeeded in ACL "acl_rcpt_2"
>>> using ACL "acl_rcpt_3"
>>> processing "require"
+>>> message: domain doesn't match @mx_primary
>>> check domains = @mx_primary
>>> not-exist.test.ex in hosts_treat_as_local? no (end of list)
>>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list)
LOG: H=[V4NET.1.1.1] F=<x@y> rejected RCPT <3@mxt3.test.ex>: domain doesn't match @mx_primary
>>> using ACL "acl_rcpt_4"
>>> processing "require"
+>>> message: domain doesn't match @mx_secondary
>>> check domains = @mx_secondary
>>> not-exist.test.ex in hosts_treat_as_local? no (end of list)
>>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list)
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> b1@x in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> b1@x in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> b1@x in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> x in "domain.only"? no (end of list)
>>> x in "*.domain2.only"? no (end of list)
>>> b1@x in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> b1@x in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> b1@x in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> in ":"? yes (matched "")
>>> check recipients = b1@x
LOG: H=[1.2.3.4] F=<> rejected RCPT <b1@x>: failed 7
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> b2@x in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> b2@x in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> b2@x in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> x in "domain.only"? no (end of list)
>>> x in "*.domain2.only"? no (end of list)
>>> b2@x in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> b2@x in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> b2@x in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> in ":"? yes (matched "")
>>> check recipients = b1@x
>>> b2@x in "b1@x"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> in "^$"? yes (matched "^$")
>>> check recipients = b2@x
LOG: H=[1.2.3.4] F=<> rejected RCPT <b2@x>: failed 8
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> b9@x in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> b9@x in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> b9@x in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> x in "domain.only"? no (end of list)
>>> x in "*.domain2.only"? no (end of list)
>>> b9@x in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> b9@x in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> b9@x in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> in ":"? yes (matched "")
>>> check recipients = b1@x
>>> b9@x in "b1@x"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> in "^$"? yes (matched "^$")
>>> check recipients = b2@x
>>> b9@x in "b2@x"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> x in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> b9@x in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 10
>>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4
>>> b9@x in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 11
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5
>>> b9@x in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> accept: condition test succeeded in ACL "acl1"
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> abc@w.x.y.z in "^abc.*@.*\.x\.y\.z : a@b"? yes (matched "^abc.*@.*\.x\.y\.z")
>>> deny: condition test succeeded in ACL "acl1"
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <abc@w.x.y.z>: failed 1
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> abcdef@q.x.y.z in "^abc.*@.*\.x\.y\.z : a@b"? yes (matched "^abc.*@.*\.x\.y\.z")
>>> deny: condition test succeeded in ACL "acl1"
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <abcdef@q.x.y.z>: failed 1
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> b in "b"? yes (matched "b")
>>> a@b in "^abc.*@.*\.x\.y\.z : a@b"? yes (matched "a@b")
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <a@b>: failed 1
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> ok@ok in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> ok@ok in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> ok@ok in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> ok in "domain.only"? no (end of list)
>>> ok in "*.domain2.only"? no (end of list)
>>> ok@ok in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> ok@ok in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> ok@ok in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> y in ""? no (end of list)
>>> x@y in ":"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> x@y in "^$"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> ok in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> ok@ok in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 10
>>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4
>>> ok@ok in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 11
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5
>>> ok@ok in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> accept: condition test succeeded in ACL "acl1"
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> x@a.b.c in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> x@a.b.c in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? yes (matched "lsearch*@;TESTSUITE/aux-fixed/0304.d1")
>>> deny: condition test succeeded in ACL "acl1"
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <x@a.b.c>: failed 2
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> abc@d.e.f in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> abc@d.e.f in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? yes (matched "lsearch*@;TESTSUITE/aux-fixed/0304.d1")
>>> deny: condition test succeeded in ACL "acl1"
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <abc@d.e.f>: failed 2
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> x@d.e.f in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> x@d.e.f in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> x@d.e.f in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> d.e.f in "domain.only"? no (end of list)
>>> d.e.f in "*.domain2.only"? no (end of list)
>>> x@d.e.f in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> x@d.e.f in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> x@d.e.f in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> y in ""? no (end of list)
>>> x@y in ":"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> x@y in "^$"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> d.e.f in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> x@d.e.f in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 10
>>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4
>>> x@d.e.f in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 11
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5
>>> x@d.e.f in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> accept: condition test succeeded in ACL "acl1"
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> abc@at.1 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> abc@at.1 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> abc@at.1 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? yes (matched "@@lsearch;TESTSUITE/aux-fixed/0304.d2")
>>> deny: condition test succeeded in ACL "acl1"
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <abc@at.1>: failed 3
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> xyz@at.1 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> xyz@at.1 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> xyz@at.1 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? yes (matched "@@lsearch;TESTSUITE/aux-fixed/0304.d2")
>>> deny: condition test succeeded in ACL "acl1"
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <xyz@at.1>: failed 3
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> abcxyz@at.1 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> abcxyz@at.1 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> abcxyz@at.1 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? yes (matched "@@lsearch;TESTSUITE/aux-fixed/0304.d2")
>>> deny: condition test succeeded in ACL "acl1"
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <abcxyz@at.1>: failed 3
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> ok@at.1 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> ok@at.1 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> ok@at.1 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> at.1 in "domain.only"? no (end of list)
>>> at.1 in "*.domain2.only"? no (end of list)
>>> ok@at.1 in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> ok@at.1 in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> ok@at.1 in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> y in ""? no (end of list)
>>> x@y in ":"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> x@y in "^$"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> at.1 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> ok@at.1 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 10
>>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4
>>> ok@at.1 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 11
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5
>>> ok@at.1 in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> accept: condition test succeeded in ACL "acl1"
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> x@domain.only in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> x@domain.only in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> x@domain.only in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> domain.only in "domain.only"? yes (matched "domain.only")
>>> x@domain.only in "domain.only : *.domain2.only"? yes (matched "domain.only")
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <x@domain.only>: failed 4
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> x@abc.domain2.only in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> x@abc.domain2.only in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> x@abc.domain2.only in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> abc.domain2.only in "domain.only"? no (end of list)
>>> abc.domain2.only in "*.domain2.only"? yes (matched "*.domain2.only")
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <x@abc.domain2.only>: failed 4
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> x@domain2.only in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> x@domain2.only in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> x@domain2.only in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> domain2.only in "domain.only"? no (end of list)
>>> domain2.only in "*.domain2.only"? no (end of list)
>>> x@domain2.only in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> x@domain2.only in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> x@domain2.only in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> y in ""? no (end of list)
>>> x@y in ":"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> x@y in "^$"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> domain2.only in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> x@domain2.only in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 10
>>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4
>>> x@domain2.only in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 11
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5
>>> x@domain2.only in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> accept: condition test succeeded in ACL "acl1"
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> abc@domain3 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> abc@domain3 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> abc@domain3 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> domain3 in "domain.only"? no (end of list)
>>> domain3 in "*.domain2.only"? no (end of list)
>>> abc@domain3 in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> domain3 in "domain3"? yes (matched "domain3")
>>> abc@domain3 in "abc@domain3 : xyz@*.domain4"? yes (matched "abc@domain3")
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <abc@domain3>: failed 5
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> xyz@x.domain4 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> xyz@x.domain4 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> xyz@x.domain4 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> x.domain4 in "domain.only"? no (end of list)
>>> x.domain4 in "*.domain2.only"? no (end of list)
>>> xyz@x.domain4 in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> x.domain4 in "*.domain4"? yes (matched "*.domain4")
>>> xyz@x.domain4 in "abc@domain3 : xyz@*.domain4"? yes (matched "xyz@*.domain4")
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <xyz@x.domain4>: failed 5
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> abc@x.domain4 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> abc@x.domain4 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> abc@x.domain4 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> x.domain4 in "domain.only"? no (end of list)
>>> x.domain4 in "*.domain2.only"? no (end of list)
>>> abc@x.domain4 in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> x.domain4 in "domain3"? no (end of list)
>>> abc@x.domain4 in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> abc@x.domain4 in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> y in ""? no (end of list)
>>> x@y in ":"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> x@y in "^$"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> x.domain4 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> abc@x.domain4 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 10
>>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4
>>> abc@x.domain4 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 11
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5
>>> abc@x.domain4 in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> accept: condition test succeeded in ACL "acl1"
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> xyz@domain3 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> xyz@domain3 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> xyz@domain3 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> domain3 in "domain.only"? no (end of list)
>>> domain3 in "*.domain2.only"? no (end of list)
>>> xyz@domain3 in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> domain3 in "*.domain4"? no (end of list)
>>> xyz@domain3 in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> xyz@domain3 in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> y in ""? no (end of list)
>>> x@y in ":"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> x@y in "^$"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> domain3 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> xyz@domain3 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 10
>>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4
>>> domain3 in "lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list)
>>> xyz@domain3 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 11
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5
>>> xyz@domain3 in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> accept: condition test succeeded in ACL "acl1"
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> pqr@myhost.test.ex in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> pqr@myhost.test.ex in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> pqr@myhost.test.ex in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> myhost.test.ex in "domain.only"? no (end of list)
>>> myhost.test.ex in "*.domain2.only"? no (end of list)
>>> pqr@myhost.test.ex in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> pqr@myhost.test.ex in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> myhost.test.ex in "@"? yes (matched "@")
>>> pqr@myhost.test.ex in "pqr@@"? yes (matched "pqr@@")
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <pqr@myhost.test.ex>: failed 6
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> xxx@myhost.test.ex in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> xxx@myhost.test.ex in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> xxx@myhost.test.ex in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> myhost.test.ex in "domain.only"? no (end of list)
>>> myhost.test.ex in "*.domain2.only"? no (end of list)
>>> xxx@myhost.test.ex in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> xxx@myhost.test.ex in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> xxx@myhost.test.ex in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> y in ""? no (end of list)
>>> x@y in ":"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> x@y in "^$"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> myhost.test.ex in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> xxx@myhost.test.ex in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 10
>>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4
>>> xxx@myhost.test.ex in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 11
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5
>>> xxx@myhost.test.ex in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> accept: condition test succeeded in ACL "acl1"
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> domain5 in "b"? no (end of list)
>>> a@domain5 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> a@domain5 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> a@domain5 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> domain5 in "domain.only"? no (end of list)
>>> domain5 in "*.domain2.only"? no (end of list)
>>> a@domain5 in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> a@domain5 in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> a@domain5 in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> y in ""? no (end of list)
>>> x@y in ":"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> x@y in "^$"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> domain5 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? yes (matched "lsearch;TESTSUITE/aux-fixed/0304.d3")
>>> a@domain5 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? yes (matched "*@lsearch;TESTSUITE/aux-fixed/0304.d3")
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <a@domain5>: failed 9
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> xyz@domain6 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> xyz@domain6 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> xyz@domain6 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> domain6 in "domain.only"? no (end of list)
>>> domain6 in "*.domain2.only"? no (end of list)
>>> xyz@domain6 in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> domain6 in "*.domain4"? no (end of list)
>>> xyz@domain6 in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> xyz@domain6 in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> y in ""? no (end of list)
>>> x@y in ":"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> x@y in "^$"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> domain6 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> xyz@domain6 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 10
>>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4
>>> domain6 in "lsearch;TESTSUITE/aux-fixed/0304.d4"? yes (matched "lsearch;TESTSUITE/aux-fixed/0304.d4")
>>> xyz@domain6 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? yes (matched "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4")
LOG: H=[1.2.3.4] F=<x@y> rejected RCPT <xyz@domain6>: failed 10
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> abc@domain6 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> abc@domain6 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> abc@domain6 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> domain6 in "domain.only"? no (end of list)
>>> domain6 in "*.domain2.only"? no (end of list)
>>> abc@domain6 in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> domain6 in "domain3"? no (end of list)
>>> abc@domain6 in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> abc@domain6 in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> y in ""? no (end of list)
>>> x@y in ":"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> x@y in "^$"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> domain6 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> abc@domain6 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 10
>>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4
>>> abc@domain6 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 11
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5
>>> abc@domain6 in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> accept: condition test succeeded in ACL "acl1"
>>> using ACL "acl1"
>>> processing "deny"
+>>> message: failed 1
>>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b
>>> x@domain7 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 2
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1
>>> x@domain7 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 3
>>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2
>>> x@domain7 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 4
>>> check recipients = domain.only : *.domain2.only
>>> domain7 in "domain.only"? no (end of list)
>>> domain7 in "*.domain2.only"? no (end of list)
>>> x@domain7 in "domain.only : *.domain2.only"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 5
>>> check recipients = abc@domain3 : xyz@*.domain4
>>> x@domain7 in "abc@domain3 : xyz@*.domain4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 6
>>> check recipients = pqr@@
>>> x@domain7 in "pqr@@"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 7
>>> check senders = :
>>> y in ""? no (end of list)
>>> x@y in ":"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 8
>>> check senders = ^\$
>>> x@y in "^$"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 9
>>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3
>>> domain7 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> x@domain7 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 10
>>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4
>>> x@domain7 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list)
>>> deny: condition test failed in ACL "acl1"
>>> processing "deny"
+>>> message: failed 11
>>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5
>>> x@domain7 in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? yes (matched "lsearch*@;TESTSUITE/aux-fixed/0304.d5")
>>> deny: condition test succeeded in ACL "acl1"
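Review bot: the added `message:` lines are emitted as each "deny" is processed, before its condition is checked, so for x@domain7 the trace lists "failed 1" through "failed 10" for statements whose conditions then fail, and for xxx@myhost.test.ex and abc@domain6 it lists rejection texts for an address that is finally accepted. Someone reading this trace while debugging a rejection can mistake a pending message for the reason that applied. Consider labelling the line as not yet in effect, or printing it only once the statement's condition test succeeds.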
>>> a.b.c in "+test_domains"? yes (matched "+test_domains" - cached)
>>> check local_parts = +test_local_parts
>>> xxx in "+test_local_parts"? yes (matched "+test_local_parts" - cached)
+>>> message: \$domain_data=$domain_data \$local_part_data=$local_part_data
>>> deny: condition test succeeded in ACL "a1"
LOG: H=[V4NET.0.0.0] F=<a@b.c> rejected RCPT xxx@a.b.c: $domain_data=DOMAIN DATA $local_part_data=LOCAL PART DATA
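Review bot: the added trace line shows the modifier text unexpanded (`\$domain_data=$domain_data \$local_part_data=$local_part_data`), while the LOG line two lines below carries the expanded "DOMAIN DATA" and "LOCAL PART DATA", so the trace does not show what the variables resolved to. If the expanded text is not traced anywhere else, mark this line as the unexpanded form so the two are not read as a mismatch.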
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "check_rcpt"
>>> processing "deny"
+>>> message: unverifiable
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing x@ten-1
1 in "^.*[@%!/|]"? no (end of list)
deny: condition test failed in ACL "TESTSUITE/aux-fixed/0386.acl1"
processing "require"
+l_message: Invalid sender
+ message: Couldn't verify the sender
check verify = sender/defer_ok
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Verifying x@y
sender x@y verified ok
require: condition test succeeded in ACL "TESTSUITE/aux-fixed/0386.acl1"
processing "deny"
+ message: No such user here
deny: condition test succeeded in ACL "TESTSUITE/aux-fixed/0386.acl1"
SMTP>> 550 No such user here
LOG: MAIN REJECT
1 in "^.*[@%!/|]"? no (end of list)
deny: condition test failed in ACL "TESTSUITE/aux-fixed/0386.acl1"
processing "require"
+l_message: Invalid sender
+ message: Couldn't verify the sender
check verify = sender/defer_ok
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Verifying x@y
sender x@y verified ok
require: condition test succeeded in ACL "TESTSUITE/aux-fixed/0386.acl1"
processing "deny"
+ message: No such user here
deny: condition test succeeded in ACL "TESTSUITE/aux-fixed/0386.acl1"
SMTP>> 550 No such user here
LOG: MAIN REJECT
SMTP<< rcpt to:<2@b>
read ACL from file TESTSUITE/aux-fixed/0386.acl2
processing "warn"
+ message: X-Warning: $sender_host_address is listed at $dnslist_domain\nX-Warning: $dnslist_text
+l_message: found in $dnslist_domain: $dnslist_text
check dnslists = rbl.test.ex
DNS list check: rbl.test.ex
new DNS lookup for 13.12.11.V4NET.rbl.test.ex
SMTP<< rcpt to:<2@b>
using ACL "TESTSUITE/aux-fixed/0386.acl2"
processing "warn"
+ message: X-Warning: $sender_host_address is listed at $dnslist_domain\nX-Warning: $dnslist_text
+l_message: found in $dnslist_domain: $dnslist_text
check dnslists = rbl.test.ex
DNS list check: rbl.test.ex
using result of previous DNS lookup
dbfn_write: key=qq@remote
wrote negative callout cache address record
----------- end verify ------------
+l_message: $acl_verify_message
warn: condition test succeeded in ACL "rcpt"
LOG: MAIN
U=CALLER Warning: Sender verify failed: response to "RCPT TO:<qq@remote>" from 127.0.0.1 [127.0.0.1] was: 550 Unknown
callout cache: found address record
callout cache: address record is negative
----------- end verify ------------
+l_message: $acl_verify_message
warn: condition test succeeded in ACL "rcpt"
LOG: MAIN
U=CALLER Warning: Sender verify failed
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "connect"
>>> processing "deny"
+>>> message: dnslist_value is $dnslist_value
>>> check dnslists = rbl.test.ex=127.0.0.2
>>> DNS list check: rbl.test.ex=127.0.0.2
>>> new DNS lookup for 1.13.13.V4NET.rbl.test.ex
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "connect"
>>> processing "deny"
+>>> message: dnslist_value is $dnslist_value
>>> check dnslists = rbl.test.ex=127.0.0.2
>>> DNS list check: rbl.test.ex=127.0.0.2
>>> new DNS lookup for 2.13.13.V4NET.rbl.test.ex
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "connect"
>>> processing "deny"
+>>> message: xxxxxxxxxxxxxx has refused this message because it looks like it is infected with the Sobig.E worm. See http://www.xxxx.xxx/xxxxxxxx/xxxx/xxxx/w32.sobig.e@xx.html for details. If you feel this determination is in error, please forward the entire message to postmaster@xxxxxxxxxxxxx.com and include code \"xx#1\" in the Subject
>>> deny: condition test succeeded in ACL "connect"
LOG: H=[V4NET.13.13.1] rejected connection in "connect" ACL: xxxxxxxxxxxxxx has refused this message because it looks like it is infected with the Sobig.E worm. See http://www.xxxx.xxx/xxxxxxxx/xxxx/xxxx/w32.sobig.e@xx.html for details. If you feel this determination is in error, please forward the entire message to postmaster@xxxxxxxxxxxxx.com and include code "xx#1" in the Subject
>>> r1 router declined for x@mxt2.test.ex
>>> no more routers
>>> ----------- end verify ------------
+>>> message: >$acl_verify_message< ++++
>>> defer: condition test succeeded in ACL "check_rcpt"
LOG: H=(a.b.c.d) [1.2.3.4] F=<> temporarily rejected RCPT <x@mxt2.test.ex>: all relevant MX records point to non-existent hosts
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> using ACL "check_mail"
>>> processing "accept"
+>>> message: CSA status is $csa_status
>>> check verify = csa
>>> accept: condition test succeeded in ACL "check_mail"
>>> host in smtp_accept_max_nonmail_hosts? yes (matched "*")
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> using ACL "check_mail"
>>> processing "accept"
+>>> message: CSA status is $csa_status
>>> check verify = csa
>>> accept: condition test failed in ACL "check_mail"
>>> accept: endpass encountered - denying access
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> using ACL "check_mail"
>>> processing "accept"
+>>> message: CSA status is $csa_status
>>> check verify = csa
>>> accept: condition test failed in ACL "check_mail"
>>> accept: endpass encountered - denying access
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> using ACL "check_mail"
>>> processing "accept"
+>>> message: CSA status is $csa_status
>>> check verify = csa
>>> accept: condition test failed in ACL "check_mail"
>>> accept: endpass encountered - denying access
--- /dev/null
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (end of list)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_from"
+>>> processing "accept"
+>>> check senders = usery@exim.test.ex
+>>> userx@exim.test.ex in "usery@exim.test.ex"? no (end of list)
+>>> accept: condition test failed in ACL "check_from"
+>>> processing "accept"
+>>> accept: condition test succeeded in ACL "check_from"
+>>> processing "accept"
+>>> accept: condition test succeeded in inline ACL
+>>> host in ignore_fromline_hosts? no (option unset)
+>>> using ACL "check_message"
+>>> processing "require"
+>>> message: ${if def:acl_m_message {$acl_m_message}}
+>>> check verify = header_names_ascii
+>>> require: condition test succeeded in ACL "check_message"
+>>> processing "accept"
+>>> accept: condition test succeeded in ACL "check_message"
+LOG: 10HmaX-0005vi-00 <= userx@exim.test.ex H=[V4NET.10.10.10] P=smtp S=sss
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (end of list)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_from"
+>>> processing "accept"
+>>> check senders = usery@exim.test.ex
+>>> userx@exim.test.ex in "usery@exim.test.ex"? no (end of list)
+>>> accept: condition test failed in ACL "check_from"
+>>> processing "accept"
+>>> accept: condition test succeeded in ACL "check_from"
+>>> processing "accept"
+>>> accept: condition test succeeded in inline ACL
+>>> host in ignore_fromline_hosts? no (option unset)
+>>> using ACL "check_message"
+>>> processing "require"
+>>> message: ${if def:acl_m_message {$acl_m_message}}
+>>> check verify = header_names_ascii
+>>> require: condition test failed in ACL "check_message"
+LOG: 10HmbA-0005vi-00 H=[V4NET.10.10.10] F=<userx@exim.test.ex> rejected after DATA: Invalid character in header "Received" found
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (end of list)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_from"
+>>> processing "accept"
+>>> check senders = usery@exim.test.ex
+>>> exim.test.ex in "exim.test.ex"? yes (matched "exim.test.ex")
+>>> usery@exim.test.ex in "usery@exim.test.ex"? yes (matched "usery@exim.test.ex")
+>>> check set acl_m_message = I do not like your message
+>>> accept: condition test succeeded in ACL "check_from"
+>>> processing "accept"
+>>> accept: condition test succeeded in inline ACL
+>>> host in ignore_fromline_hosts? no (option unset)
+>>> using ACL "check_message"
+>>> processing "require"
+>>> message: ${if def:acl_m_message {$acl_m_message}}
+>>> check verify = header_names_ascii
+>>> require: condition test failed in ACL "check_message"
+LOG: 10HmbB-0005vi-00 H=[V4NET.10.10.10] F=<usery@exim.test.ex> rejected after DATA: Invalid character in header "Subjecâ…" found
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (end of list)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_from"
+>>> processing "accept"
+>>> check senders = usery@exim.test.ex
+>>> userx@exim.test.ex in "usery@exim.test.ex"? no (end of list)
+>>> accept: condition test failed in ACL "check_from"
+>>> processing "accept"
+>>> accept: condition test succeeded in ACL "check_from"
+>>> processing "accept"
+>>> accept: condition test succeeded in inline ACL
+>>> host in ignore_fromline_hosts? no (option unset)
+>>> using ACL "check_message"
+>>> processing "require"
+>>> message: ${if def:acl_m_message {$acl_m_message}}
+>>> check verify = header_names_ascii
+>>> require: condition test failed in ACL "check_message"
+LOG: 10HmbC-0005vi-00 H=[V4NET.10.10.10] F=<userx@exim.test.ex> rejected after DATA: Invalid character in header "Subjecâ…" found
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (end of list)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_from"
+>>> processing "accept"
+>>> check senders = usery@exim.test.ex
+>>> userx@exim.test.ex in "usery@exim.test.ex"? no (end of list)
+>>> accept: condition test failed in ACL "check_from"
+>>> processing "accept"
+>>> accept: condition test succeeded in ACL "check_from"
+>>> processing "accept"
+>>> accept: condition test succeeded in inline ACL
+>>> host in ignore_fromline_hosts? no (option unset)
+>>> using ACL "check_message"
+>>> processing "require"
+>>> message: ${if def:acl_m_message {$acl_m_message}}
+>>> check verify = header_names_ascii
+>>> require: condition test succeeded in ACL "check_message"
+>>> processing "accept"
+>>> accept: condition test succeeded in ACL "check_message"
+LOG: 10HmaY-0005vi-00 <= userx@exim.test.ex H=[V4NET.10.10.10] P=smtp S=sss
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (end of list)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> using ACL "check_from"
+>>> processing "accept"
+>>> check senders = usery@exim.test.ex
+>>> userx@exim.test.ex in "usery@exim.test.ex"? no (end of list)
+>>> accept: condition test failed in ACL "check_from"
+>>> processing "accept"
+>>> accept: condition test succeeded in ACL "check_from"
+>>> processing "accept"
+>>> accept: condition test succeeded in inline ACL
+>>> host in ignore_fromline_hosts? no (option unset)
+>>> using ACL "check_message"
+>>> processing "require"
+>>> message: ${if def:acl_m_message {$acl_m_message}}
+>>> check verify = header_names_ascii
+>>> require: condition test succeeded in ACL "check_message"
+>>> processing "accept"
+>>> accept: condition test succeeded in ACL "check_message"
+LOG: 10HmaZ-0005vi-00 <= userx@exim.test.ex H=[V4NET.10.10.10] P=smtp S=sss
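Review bot: the two expected "rejected after DATA" lines for the "Subjec" header carry the offending header name with its non-ASCII bytes as received, so sender-controlled bytes reach the log unescaped and this expected file depends on how those bytes are stored and compared. Consider logging the name in an escaped, printable form and matching that here. Separately, the session that sets `acl_m_message = I do not like your message` logs the same built-in text as the session that does not, and nothing visible in this file shows the SMTP reply, so the custom-message path of the `message: ${if def:acl_m_message {$acl_m_message}}` modifier is not checked by this output.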
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "check_connect"
>>> processing "warn"
+>>> l_message: matched hostlist
>>> check hosts = <; 2001:ab8:37f:20:0:0:0:1 ; v6.test.ex
>>> host in "<; 2001:ab8:37f:20:0:0:0:1 ; v6.test.ex"? yes (matched "2001:ab8:37f:20:0:0:0:1")
>>> warn: condition test succeeded in ACL "check_connect"
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "check_connect"
>>> processing "warn"
+>>> l_message: matched hostlist
>>> check hosts = <; 2001:ab8:37f:20:0:0:0:1 ; v6.test.ex
MUNGED: ::1 will be omitted in what follows
>>> get[host|ipnode]byname[2] looked up these IP addresses:
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "check_connect"
>>> processing "warn"
+>>> l_message: matched hostlist
>>> check hosts = <; 2001:ab8:37f:20:0:0:0:1 ; v6.test.ex
MUNGED: ::1 will be omitted in what follows
>>> get[host|ipnode]byname[2] looked up these IP addresses:
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_rcpt_1"
>>> processing "require"
+>>> message: domain doesn't match @ or @[]
>>> check domains = @ : @[]
>>> [::1] in "@ : @[]"? yes (matched "@[]")
>>> require: condition test succeeded in ACL "acl_rcpt_1"
>>> accept: condition test succeeded in ACL "acl_rcpt_1"
>>> using ACL "acl_rcpt_6"
>>> processing "require"
+>>> message: domain doesn't match @mx_any/ignore=<;127.0.0.1;::1
>>> check domains = <+ @mx_any/ignore=<;127.0.0.1;::1
>>> ::1 in "<;127.0.0.1;::1"? yes (matched "::1")
>>> 127.0.0.1 in "<;127.0.0.1;::1"? yes (matched "127.0.0.1")
host in "+relay_hosts"? no (end of list)
accept: condition test failed in ACL "check_recipient"
processing "deny"
+ message: relay not permitted
deny: condition test succeeded in ACL "check_recipient"
SMTP>> 550 relay not permitted
LOG: MAIN REJECT
host in "+relay_hosts"? no (end of list)
accept: condition test failed in ACL "check_recipient"
processing "deny"
+ message: relay not permitted
deny: condition test succeeded in ACL "check_recipient"
SMTP>> 550 relay not permitted
LOG: MAIN REJECT
>>> host in "10.0.0.0/24"? yes (matched "10.0.0.0/24")
>>> require: condition test succeeded in ACL "check_etrn"
>>> processing "warn"
+>>> l_message: accepted ETRN $smtp_command_argument
>>> warn: condition test succeeded in ACL "check_etrn"
LOG: H=[10.0.0.2] Warning: accepted ETRN #abcd
>>> processing "accept"
>>> processing "deny"
>>> check hosts = +auth_hosts
>>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached)
+>>> message: authentication required
>>> check !authenticated = *
>>> deny: condition test succeeded in ACL "check_vrfy"
LOG: H=(test.host) [10.0.0.1] rejected VRFY userx@test.ex: authentication required
>>> processing "deny"
>>> check hosts = +auth_hosts
>>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached)
+>>> message: authentication required
>>> check !authenticated = *
>>> deny: condition test succeeded in ACL "check_expn"
LOG: H=(test.host) [10.0.0.1] rejected EXPN list@test.ex: authentication required
>>> processing "deny"
>>> check hosts = +auth_hosts
>>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached)
+>>> message: authentication required
>>> check !authenticated = *
>>> deny: condition test succeeded in ACL "check_etrn"
LOG: H=(test.host) [10.0.0.1] rejected ETRN abcd: authentication required
>>> processing "deny"
>>> check hosts = +auth_hosts
>>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached)
+>>> message: authentication required
>>> check !authenticated = *
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=(test.host) [10.0.0.1] F=<junk@jink.jonk.test.ex> rejected RCPT <userx@test.ex>: authentication required
>>> processing "deny"
>>> check hosts = +auth_hosts
>>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached)
+>>> message: authentication required
>>> check !authenticated = *
>>> mylogin in "*"? yes (matched "*")
>>> deny: condition test failed in ACL "check_recipient"
>>> processing "deny"
>>> check hosts = +auth_hosts
>>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached)
+>>> message: authentication required
>>> check !authenticated = *
>>> mylogin in "*"? yes (matched "*")
>>> deny: condition test failed in ACL "check_recipient"
>>> host in "+auth_relay_hosts"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "check_recipient"
LOG: H=(test.host) [10.0.0.1] F=<junk@jink.jonk.test.ex> A=mylogin rejected RCPT <userx@cus.cam.ac.uk>: relay not permitted
>>> using ACL "check_vrfy"
>>> processing "deny"
>>> check hosts = +auth_hosts
>>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached)
+>>> message: authentication required
>>> check !authenticated = *
>>> mylogin in "*"? yes (matched "*")
>>> deny: condition test failed in ACL "check_vrfy"
>>> processing "deny"
>>> check hosts = +auth_hosts
>>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached)
+>>> message: authentication required
>>> check !authenticated = *
>>> mylogin in "*"? yes (matched "*")
>>> deny: condition test failed in ACL "check_expn"
>>> processing "deny"
>>> check hosts = +auth_hosts
>>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached)
+>>> message: authentication required
>>> check !authenticated = *
>>> mylogin in "*"? yes (matched "*")
>>> deny: condition test failed in ACL "check_etrn"
>>> host in "10.0.0.0/24"? yes (matched "10.0.0.0/24")
>>> require: condition test succeeded in ACL "check_etrn"
>>> processing "warn"
+>>> l_message: accepted ETRN $smtp_command_argument
>>> warn: condition test succeeded in ACL "check_etrn"
LOG: H=(test.host) [10.0.0.1] Warning: accepted ETRN #abcd
>>> processing "accept"
>>> processing "accept"
>>> check hosts = +auth_relay_hosts
>>> host in "+auth_relay_hosts"? yes (matched "+auth_relay_hosts" - cached)
+>>> message: authentication required
>>> check authenticated = *
>>> accept: condition test failed in ACL "check_recipient"
>>> accept: endpass encountered - denying access
>>> processing "accept"
>>> check hosts = +auth_relay_hosts
>>> host in "+auth_relay_hosts"? yes (matched "+auth_relay_hosts" - cached)
+>>> message: authentication required
>>> check authenticated = *
>>> mylogin in "*"? yes (matched "*")
>>> accept: condition test succeeded in ACL "check_recipient"
>>> userx@exim.test.ex in "postmaster@exim.test.ex"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: host is listed in $dnslist_domain
>>> check !authenticated = *
>>> check dnslists = rbl.test.ex
>>> DNS list check: rbl.test.ex
>>> userx@exim.test.ex in "postmaster@exim.test.ex"? no (end of list)
>>> accept: condition test failed in ACL "check_recipient"
>>> processing "deny"
+>>> message: host is listed in $dnslist_domain
>>> check !authenticated = *
>>> plain in "*"? yes (matched "*")
>>> deny: condition test failed in ACL "check_recipient"
>>> ----------- end verify ------------
>>> require: condition test succeeded in ACL "check_recipient"
>>> processing "deny"
+>>> message: unrouteable address
>>> check !verify = recipient
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing userx@exim.test.ex
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_5_6_9"
>>> processing "accept"
+>>> message: You must authenticate
>>> check authenticated = *
>>> accept: condition test failed in ACL "acl_5_6_9"
>>> accept: endpass encountered - denying access
>>> expanded string: yes
>>> using ACL "acl_5_6_9"
>>> processing "accept"
+>>> message: You must authenticate
>>> check authenticated = *
>>> auth1 in "*"? yes (matched "*")
>>> accept: condition test succeeded in ACL "acl_5_6_9"
>>> processing "deny"
>>> check hosts = +auth_hosts
>>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached)
+>>> message: authentication required
>>> check !authenticated = *
>>> cram_md5 in "*"? yes (matched "*")
>>> deny: condition test failed in ACL "check_recipient"
>>> processing "warn"
>>> check hosts = 10.0.0.5
>>> host in "10.0.0.5"? yes (matched "10.0.0.5")
+>>> message: authentication-failed: $authentication_failed
>>> warn: condition test succeeded in ACL "check_recipient"
>>> processing "accept"
>>> check hosts = 10.0.0.5
accept: condition test succeeded in inline ACL
SMTP>> DATA
SMTP<< 354 Send data
- SMTP>>(nl)
+----------- start cutthrough headers send -----------
+added header line(s):
+X-hdr-rtr-new: +++
+---
+----------- done cutthrough headers send ------------
SMTP>> .
SMTP<< 250 OK
LOG: MAIN
accept: condition test succeeded in inline ACL
SMTP>> DATA
SMTP<< 354 Send data
- SMTP>>(nl)
+----------- start cutthrough headers send -----------
+added header line(s):
+X-hdr-rtr-new: +++
+---
+----------- done cutthrough headers send ------------
SMTP>> .
SMTP<< 250 OK
LOG: MAIN
SMTP>> DATA
SMTP<< 354 Send data
SMTP>> writing message and terminating "."
+added header line(s):
+X-hdr-rtr-new: +++
+---
writing data block fd=dddd size=sss timeout=300
SMTP<< 250 OK
ok=1 send_quit=1 send_rset=0 continue_more=0 yield=0 first_address is NULL
LOG: MAIN
Completed
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+using ACL "ar"
+processing "accept"
+check control = cutthrough_delivery
+check logwrite = rcpt for $local_part@$domain
+ = rcpt for userx@domain.com
+LOG: MAIN
+ rcpt for userx@domain.com
+accept: condition test succeeded in ACL "ar"
+----------- start cutthrough setup ------------
+Connecting to 127.0.0.1 [127.0.0.1]:1224 from ip4.ip4.ip4.ip4 ... connected
+ SMTP<< 220 ESMTP
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250 OK
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 Sender OK
+ SMTP>> RCPT TO:<userx@domain.com>
+ SMTP<< 250 Recipient OK
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Send data
+----------- start cutthrough headers send -----------
+removed header line:
+X-hdr-rtr: qqq
+---
+added header line(s):
+X-hdr-rtr-new: +++
+---
+added header line:
+X-hdr-tpt-new: new
+---
+----------- done cutthrough headers send ------------
+ SMTP>> .
+ SMTP<< 250 OK
+LOG: MAIN
+ >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK"
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
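Review bot: the "cutthrough headers send" block lists the removal of `X-hdr-rtr: qqq` and the additions `X-hdr-rtr-new: +++` and `X-hdr-tpt-new: new`, but these are the debug bookkeeping lines only; nothing in this expected output shows the header bytes that went to the peer between `SMTP>> DATA` and `SMTP>> .`. If the message received by the test server is not compared elsewhere in this test, add that comparison, since a regression that logs the rewrite but sends the original headers would still pass here.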
accept: condition test succeeded in inline ACL
SMTP>> DATA
SMTP<< 354 Send data
- SMTP>>(nl)
+----------- start cutthrough headers send -----------
+----------- done cutthrough headers send ------------
SMTP>> .
SMTP<< 250 OK
LOG: MAIN
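Review bot: Dropping the ` SMTP>>(nl)` line means this expected output no longer records the newline write that preceded the terminating `SMTP>> .` on the cutthrough connection; the two new marker lines sit back to back with nothing traced between them. Keep a trace line for that write, or assert on it in the server-side transcript, so a regression that omits it is still caught by this test.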
127.0.0.1 in hosts_verify_avoid_tls? no (end of list)
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
+127.0.0.1 in hosts_require_ocsp? no (option unset)
+127.0.0.1 in hosts_request_ocsp? yes (matched "*")
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800
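Review bot: The added lines make this trace depend on `hosts_request_ocsp` matching `*` while `hosts_require_ocsp` is unset. If `*` is the built-in default rather than something this test configures, set the option explicitly in the test configuration or note the default in the test's comments, so that a later change of default shows up as a deliberate edit and not as unrelated churn in a cutthrough trace.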
for $received_for
result:
for userx@domain.com
-PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+----------- start cutthrough headers send -----------
+----------- done cutthrough headers send ------------
expanding: ${tod_full}
result: Tue, 2 Mar 1999 09:44:33 +0000
SMTP>> .
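Review bot: The `start cutthrough headers send` and `done cutthrough headers send` markers are adjacent here, and the `${tod_full}` expansion is traced only after the `done` marker, so the markers do not bracket any visible work in this trace. Either emit them around the expansion and write they are meant to delimit, or suppress them when nothing is traced in between. The removed `PDKIM <<<` line also means the expected output no longer shows where DKIM processing of the data starts on this path; please confirm that this is only a change in debug output.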
for $received_for
result:
for usery@domain.com
-PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+----------- start cutthrough headers send -----------
+----------- done cutthrough headers send ------------
expanding: ${tod_full}
result: Tue, 2 Mar 1999 09:44:33 +0000
SMTP>> .
for $received_for
result:
for usery@domain.com
-PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+----------- start cutthrough headers send -----------
+----------- done cutthrough headers send ------------
expanding: ${tod_full}
result: Tue, 2 Mar 1999 09:44:33 +0000
SMTP>> .
127.0.0.1 in hosts_verify_avoid_tls? no (end of list)
SMTP>> STARTTLS
SMTP<< 220 TLS go ahead
+127.0.0.1 in hosts_require_ocsp? no (option unset)
+127.0.0.1 in hosts_request_ocsp? yes (matched "*")
+ in tls_verify_hosts? no (option unset)
+ in tls_try_verify_hosts? no (option unset)
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800
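Review bot: The added `in tls_verify_hosts? no (option unset)` and `in tls_try_verify_hosts? no (option unset)` lines print an empty host before ` in `, while the `hosts_require_ocsp?` lines directly above print `127.0.0.1`. That reads as the host string not reaching the list check for these two options in debug output. Pass the host so the trace identifies which peer was tested, or explain in the test why it is blank here.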
for $received_for
result:
for userx@domain.com
-PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+----------- start cutthrough headers send -----------
+----------- done cutthrough headers send ------------
expanding: ${tod_full}
result: Tue, 2 Mar 1999 09:44:33 +0000
SMTP>> .
for $received_for
result:
for usery@domain.com
-PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+----------- start cutthrough headers send -----------
+----------- done cutthrough headers send ------------
expanding: ${tod_full}
result: Tue, 2 Mar 1999 09:44:33 +0000
SMTP>> .
for $received_for
result:
for usery@domain.com
-PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+----------- start cutthrough headers send -----------
+----------- done cutthrough headers send ------------
expanding: ${tod_full}
result: Tue, 2 Mar 1999 09:44:33 +0000
SMTP>> .
> listcount: 3
> listcount: 2
>
+> listextract: b
+> listextract: XcX
+> listextract:
+> listextract:
+> listextract: fail
+> Failed: "extract" failed and "fail" requested
+>
> # Tests with iscntrl() and illegal separators
>
> map: 'a'
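Review bot: Two of the added results are the bare line `> listextract:` with nothing after the colon, so from the expected output alone an empty element, an out-of-range index and a wrongly empty expansion are indistinguishable. Put visible delimiters around the expansion in the test input so each empty result is unambiguous, and add a short comment per case saying which index is being exercised.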
> " yes" true EXPECT: true
> " no" false EXPECT: false
> "yes " true EXPECT: true
-> Failed: unrecognised boolean value "-1"
+> "-1" true EXPECT: true
> "0" false EXPECT: false
> "1" true EXPECT: true
> " 0 " false EXPECT: false
> " " false EXPECT: false
> Failed: unrecognised boolean value "text"
> Failed: unrecognised boolean value "text"
+> Failed: unrecognised boolean value "-text"
> Failed: unrecognised boolean value "text"
> Failed: unrecognised boolean value "text"
> "00" false EXPECT: false
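Review bot: The expected result for `"-1"` changes from `Failed: unrecognised boolean value "-1"` to `true`, which is a user-visible change in how the boolean condition treats negative numbers and not only a test fix. Configurations that previously hit the failure now silently evaluate to true, so this needs a matching entry in the spec and the ChangeLog. The new `"-text"` case shows a leading minus does not bypass validation; adding `"-0"` and a bare `"-"` would pin down the edge of the numeric path as well.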
250 OK id=10HmbK-0005vi-00\r
250 OK\r
451 Temporary local problem - please try later\r
+250 Reset OK\r
+250 OK\r
+250 accepted by condition\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmbL-0005vi-00\r
221 myhost.test.ex closing connection\r
220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
250 OK\r
250 Accepted\r
354 Enter message, ending with "." on a line by itself\r
-250 OK id=10HmbL-0005vi-00\r
+250 OK id=10HmbM-0005vi-00\r
221 myhost.test.ex closing connection\r
220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
250 OK\r
550 Administrative prohibition\r
550 Administrative prohibition\r
354 Enter message, ending with "." on a line by itself\r
-250 OK id=10HmbM-0005vi-00\r
+250 OK id=10HmbN-0005vi-00\r
221 myhost.test.ex closing connection\r
220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
250 OK\r
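Review bot: Inserting the new exchange (`250 Reset OK` through `250 OK id=10HmbL-0005vi-00`) in the middle of the script shifts every later message id, `10HmbL` to `10HmbM` and `10HmbM` to `10HmbN`, so the hunk mixes one new case with renumbering noise. Unless the case has to follow the `451 Temporary local problem` response, append it at the end of the script so the existing expectations stay byte-identical. If the position matters, say so in a comment in the test script.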
--- /dev/null
+
+**** SMTP testing session as if from host V4NET.10.10.10
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaX-0005vi-00\r
+
+**** SMTP testing: that is not a real message id!
+
+221 myhost.test.ex closing connection\r
+
+**** SMTP testing session as if from host V4NET.10.10.10
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+550 Administrative prohibition\r
+221 myhost.test.ex closing connection\r
+
+**** SMTP testing session as if from host V4NET.10.10.10
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+550 I do not like your message\r
+221 myhost.test.ex closing connection\r
+
+**** SMTP testing session as if from host V4NET.10.10.10
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+550 Administrative prohibition\r
+221 myhost.test.ex closing connection\r
+
+**** SMTP testing session as if from host V4NET.10.10.10
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaY-0005vi-00\r
+
+**** SMTP testing: that is not a real message id!
+
+221 myhost.test.ex closing connection\r
+
+**** SMTP testing session as if from host V4NET.10.10.10
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaZ-0005vi-00\r
+
+**** SMTP testing: that is not a real message id!
+
+221 myhost.test.ex closing connection\r
--- /dev/null
+220 the.local.host.name ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaX-0005vi-00\r
+221 the.local.host.name closing connection\r
+220 the.local.host.name ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaY-0005vi-00\r
+221 the.local.host.name closing connection\r
Failed to start TLS
End of script
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
-Certificate file = TESTSUITE/aux-fixed/cert2
-Key file = TESTSUITE/aux-fixed/cert2
+Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
??? 220
<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
>>> ehlo rhu.barb
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-Failed to start TLS
+Succeeded in starting TLS
End of script
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
Certificate file = aux-fixed/cert2
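Review bot: The expectation after `Attempting to start TLS` flips from `Failed to start TLS` to `Succeeded in starting TLS`, which follows from the client certificate swap in the preceding hunk but inverts what this session asserts. Please state in the test script which session is now responsible for the rejection path. The trailing context shows a session with `aux-fixed/cert2` that still fails, and if that is the intended negative case it should be labelled as such so it is not "fixed" the same way later.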
Failed to start TLS
End of script
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
-Certificate file = TESTSUITE/aux-fixed/cert2
-Key file = TESTSUITE/aux-fixed/cert2
+Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
??? 220
<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
>>> ehlo rhu.barb
354 Enter message, ending with "." on a line by itself\r
250 OK id=10HmaZ-0005vi-00\r
221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmbA-0005vi-00\r
+221 myhost.test.ex closing connection\r
******** SERVER ********
Listening on port 1224 ...
Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
From: CALLER_NAME <CALLER@myhost.test.ex>
Date: Tue, 2 Mar 1999 09:44:33 +0000
+X-hdr-rtr-new: +++
.
250 OK
Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
From: CALLER_NAME <CALLER@myhost.test.ex>
Date: Tue, 2 Mar 1999 09:44:33 +0000
+X-hdr-rtr-new: +++
.
250 OK
Message-Id: <E10HmaZ-0005vi-00@myhost.test.ex>
From: CALLER_NAME <CALLER@myhost.test.ex>
Date: Tue, 2 Mar 1999 09:44:33 +0000
+X-hdr-rtr-new: +++
+
+.
+250 OK
+QUIT
+250 OK
+End of script
+Listening on port 1224 ...
+Connection request from [ip4.ip4.ip4.ip4]
+220 ESMTP
+EHLO myhost.test.ex
+250 OK
+MAIL FROM:<CALLER@myhost.test.ex>
+250 Sender OK
+RCPT TO:<userx@domain.com>
+250 Recipient OK
+DATA
+354 Send data
+Received: from CALLER (helo=myhost.test.ex)
+ by myhost.test.ex with local-esmtp (Exim x.yz)
+ (envelope-from <CALLER@myhost.test.ex>)
+ id 10HmbA-0005vi-00
+ for userx@domain.com; Tue, 2 Mar 1999 09:44:33 +0000
+X-hdr-tpt: zzz
+Message-Id: <E10HmbA-0005vi-00@myhost.test.ex>
+From: CALLER_NAME <CALLER@myhost.test.ex>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+X-hdr-rtr-new: +++
+
+body
.
250 OK
QUIT
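Review bot: In the added cutthrough transcript the server receives `X-hdr-tpt: zzz` and `X-hdr-rtr-new: +++` but no `X-hdr-tpt-new` header, while the cutthrough debug trace added earlier in this patch logs `added header line:` followed by `X-hdr-tpt-new: new` between the headers-send markers. If both belong to the same test, the transport's added header is being traced but not written to the wire, or the trace is misleading. Either make the wire output match the trace or document that transport header additions are not applied to cutthrough deliveries, and have the debug output say so.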
--- /dev/null
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+>>> mail from:<userx@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@test.ex>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 server1.example.com closing connection
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+Bad certificate
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+Bad certificate
+End of script