DANE: smtp transport option dane_require_tls_ciphers

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index cf80e92f7ae747a41ee9cab42702d6de42fc5c8e..8e78c7bad6e102c59555b339fa4813f1d2804c77 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23913,6 +23913,24 @@ For testing purposes, this value can be overridden by the &%-oB%& command line
 option.
 
 
 option.
 
 

+.new
+.option dane_require_tls_ciphers smtp string&!! unset
+.cindex "TLS" "requiring specific ciphers for DANE"
+.cindex "cipher" "requiring specific"
+.cindex DANE "TLS ciphers"
+This option may be used to override &%tls_require_ciphers%& for connections
+where DANE has been determined to be in effect.
+If not set, then &%tls_require_ciphers%& will be used.
+Normal SMTP delivery is not able to make strong demands of TLS cipher
+configuration, because delivery will fall back to plaintext.  Once DANE has
+been determined to be in effect, there is no plaintext fallback and making the
+TLS cipherlist configuration stronger will increase security, rather than
+counter-intuitively decreasing it.
+If the option expands to be empty or is forced to fail, then it will
+be treated as unset and &%tls_require_ciphers%& will be used instead.
+.wen
+
+

 .option data_timeout smtp time 5m
 This sets a timeout for the transmission of each block in the data portion of
 the message. As a result, the overall timeout for a message depends on the size
 .option data_timeout smtp time 5m
 This sets a timeout for the transmission of each block in the data portion of
 the message. As a result, the overall timeout for a message depends on the size


@@ -28068,8 +28086,7 @@ that DNS lookups they do for the server have not been tampered with.  The domain
 to this server, its A record, its TLSA record and any associated CNAME records must all be covered by
 DNSSEC.
 2) add TLSA DNS records.  These say what the server certificate for a TLS connection should be.
 to this server, its A record, its TLSA record and any associated CNAME records must all be covered by
 DNSSEC.
 2) add TLSA DNS records.  These say what the server certificate for a TLS connection should be.

-3) offer a server certificate, or certificate chain, in TLS connections which is traceable to the one
-defined by (one of?) the TSLA records
+3) offer a server certificate, or certificate chain, in TLS connections which is is anchored by one of the TLSA records.

 
 There are no changes to Exim specific to server-side operation of DANE.
 Support for client-side operation of DANE can be included at compile time by defining SUPPORT_DANE=yes
 
 There are no changes to Exim specific to server-side operation of DANE.
 Support for client-side operation of DANE can be included at compile time by defining SUPPORT_DANE=yes


@@ -28124,8 +28141,9 @@ This modification of hosts_request_ocsp is only done if it has the default value
 those who use &%hosts_require_ocsp%&, should consider the interaction with DANE in their OCSP settings.
 
 
 those who use &%hosts_require_ocsp%&, should consider the interaction with DANE in their OCSP settings.
 
 

-For client-side DANE there are two new smtp transport options, &%hosts_try_dane%& and &%hosts_require_dane%&.
-The latter variant will result in failure if the target host is not DNSSEC-secured.
+For client-side DANE there are three new smtp transport options, &%hosts_try_dane%&, &%hosts_require_dane%&
+and &%dane_require_tls_ciphers%&.
+The require variant will result in failure if the target host is not DNSSEC-secured.

 
 DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
 
 
 DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
 


@@ -28134,6 +28152,14 @@ If a TLSA lookup is done and succeeds, a DANE-verified TLS connection
 will be required for the host.  If it does not, the host will not
 be used; there is no fallback to non-DANE or non-TLS.
 
 will be required for the host.  If it does not, the host will not
 be used; there is no fallback to non-DANE or non-TLS.
 

+If DANE is requested and usable, then the TLS cipher list configuration
+prefers to use the option &%dane_require_tls_ciphers%& and falls
+back to &%tls_require_ciphers%& only if that is unset.
+This lets you configure "decent crypto" for DANE and "better than nothing
+crypto" as the default.  Note though that while GnuTLS lets the string control
+which versions of TLS/SSL will be negotiated, OpenSSL does not and you're
+limited to ciphersuite constraints.
+

 If DANE is requested and useable (see above) the following transport options are ignored:
 .code
   hosts_require_tls
 If DANE is requested and useable (see above) the following transport options are ignored:
 .code
   hosts_require_tls

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f3f849af6cac68fab668788ad9e3b19acc80cb0f..ef62b2d07058012541f687708b5cecb1ef348b9d 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -148,6 +148,9 @@ JH/28 Ensure that variables possibly set during message acceptance are marked
       Do the same for the queue-runner loop, for variables set from spool
       message files.
 
       Do the same for the queue-runner loop, for variables set from spool
       message files.
 

+PP/02 DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,
+      tls_require_ciphers is used as before.
+

 
 Exim version 4.90
 -----------------
 
 Exim version 4.90
 -----------------

diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 1ff45b4255ac449587ad6ec3f2b81dc0d1cd0556..5f732ec92d3ee28f3f12193fb86cd52b23a0b3a2 100644 (file)
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -14,6 +14,7 @@ Version 4.91
 
  2. DANE is now supported under GnuTLS version 3.0.0 or later.  Both GnuTLS and
     OpenSSL versions are moved to mainline support from Experimental.
 
  2. DANE is now supported under GnuTLS version 3.0.0 or later.  Both GnuTLS and
     OpenSSL versions are moved to mainline support from Experimental.

+    New SMTP transport option "dane_require_tls_ciphers".

 
  3. Feature macros for the compiled-in set of malware scanner interfaces.
 
 
  3. Feature macros for the compiled-in set of malware scanner interfaces.
 

diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 1fe72be6b094a6b756859f8eb90b3f9d1ddefc16..dfb0219cb19097a6bc49450a15c641a7d377fcc7 100644 (file)
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -149,12 +149,13 @@ current_directory                    string          unset         transports
 daemon_smtp_ports                    string          unset         main              1.75  pluralised in 4.21
 daemon_startup_retries               int             9             main              4.52
 daemon_startup_sleep                 time            30s           main              4.52
 daemon_smtp_ports                    string          unset         main              1.75  pluralised in 4.21
 daemon_startup_retries               int             9             main              4.52
 daemon_startup_sleep                 time            30s           main              4.52

+dane_require_tls_ciphers             string*         unset         smtp              4.91

 data                                 string          unset         redirect          4.00
 data_timeout                         time            5m            smtp
 debug_print                          string*         unset         authenticators    4.00
                                                      unset         routers           4.00
                                                      unset         transports        2.00
 data                                 string          unset         redirect          4.00
 data_timeout                         time            5m            smtp
 debug_print                          string*         unset         authenticators    4.00
                                                      unset         routers           4.00
                                                      unset         transports        2.00

-debug_store                          boolean         false         main                     4.90
+debug_store                          boolean         false         main              4.90

 delay_after_cutoff                   boolean         true          smtp
 delay_warning                        time list       24h           main
 delay_warning_condition              string*         +             main              1.73
 delay_after_cutoff                   boolean         true          smtp
 delay_warning                        time list       24h           main
 delay_warning_condition              string*         +             main              1.73


@@ -300,10 +301,12 @@ hosts_override                       boolean         false         smtp
 hosts_randomize                      boolean         false         manualroute       4.00
                                                      false         smtp              3.14
 hosts_require_auth                   host list       unset         smtp              4.00
 hosts_randomize                      boolean         false         manualroute       4.00
                                                      false         smtp              3.14
 hosts_require_auth                   host list       unset         smtp              4.00

+hosts_require_dane                   host list       unset         smtp              4.91 (4.85 experimental)

 hosts_require_ocsp                   host list       unset         smtp              4.82 if experimental_ocsp
 hosts_require_tls                    host list       unset         smtp              3.20
 hosts_treat_as_local                 domain list     unset         main              1.95
 hosts_try_auth                       host list       unset         smtp              4.00
 hosts_require_ocsp                   host list       unset         smtp              4.82 if experimental_ocsp
 hosts_require_tls                    host list       unset         smtp              3.20
 hosts_treat_as_local                 domain list     unset         main              1.95
 hosts_try_auth                       host list       unset         smtp              4.00

+hosts_try_dane                       host list       unset         smtp              4.91 (4.85 experimental)

 hosts_try_fastopen                   host list       unset         smtp              4.88
 hosts_try_prdr                       host list       unset         smtp              4.82 if experimental_prdr
 ibase_servers                        string          unset         main              4.23
 hosts_try_fastopen                   host list       unset         smtp              4.88
 hosts_try_prdr                       host list       unset         smtp              4.82 if experimental_prdr
 ibase_servers                        string          unset         main              4.23

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index eed8c06dc9d01bbdabcb7cbbf8ed456fe651b110..d73188277be2b6171d419023b70f5b56e7814c0b 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1681,7 +1681,7 @@ else
                        1, 0))
         || (rc = dane_verify_crt_raw(s, certlist, lsize,
                        gnutls_certificate_type_get(state->session),
                        1, 0))
         || (rc = dane_verify_crt_raw(s, certlist, lsize,
                        gnutls_certificate_type_get(state->session),

-                       r, 0, 
+                       r, 0,

 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
                        usage == (1 << DANESSL_USAGE_DANE_EE)
                        ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
                        usage == (1 << DANESSL_USAGE_DANE_EE)
                        ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,


@@ -2260,6 +2260,7 @@ smtp_transport_options_block *ob =
   (smtp_transport_options_block *)tb->options_block;
 int rc;
 exim_gnutls_state_st * state = NULL;
   (smtp_transport_options_block *)tb->options_block;
 int rc;
 exim_gnutls_state_st * state = NULL;

+uschar *cipher_list = NULL;

 #ifndef DISABLE_OCSP
 BOOL require_ocsp =
   verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
 #ifndef DISABLE_OCSP
 BOOL require_ocsp =
   verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;


@@ -2269,9 +2270,24 @@ BOOL request_ocsp = require_ocsp ? TRUE
 
 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
 
 
 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
 

+#ifdef SUPPORT_DANE
+if (tlsa_dnsa && ob->dane_require_tls_ciphers)
+  {
+  /* not using expand_check_tlsvar because not yet in state */
+  if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
+      &cipher_list, errstr))
+    return DEFER;
+  cipher_list = cipher_list && *cipher_list
+    ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
+  }
+#endif
+
+if (!cipher_list)
+  cipher_list = ob->tls_require_ciphers;
+

 if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
     ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
 if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
     ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,

-    ob->tls_require_ciphers, &state, errstr)) != OK)
+    cipher_list, &state, errstr)) != OK)

   return rc;
 
   {
   return rc;
 
   {

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 969a99d997a4658328e25e29948ba5dc29de4a55..c142bd05926dcab759a61484eeba75886c570187 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -904,7 +904,7 @@ We do not free the stack since it could be needed a second time for
 SNI handling.
 
 Separately we might try to replace using OCSP_basic_verify() - which seems to not
 SNI handling.
 
 Separately we might try to replace using OCSP_basic_verify() - which seems to not

-be a public interface into the OpenSSL library (there's no manual entry) - 
+be a public interface into the OpenSSL library (there's no manual entry) -

 But what with?  We also use OCSP_basic_verify in the client stapling callback.
 And there we NEED it; we must verify that status... unless the
 library does it for us anyway?  */
 But what with?  We also use OCSP_basic_verify in the client stapling callback.
 And there we NEED it; we must verify that status... unless the
 library does it for us anyway?  */


@@ -2300,8 +2300,23 @@ if (rc != OK) return rc;
 tls_out.certificate_verified = FALSE;
 client_verify_callback_called = FALSE;
 
 tls_out.certificate_verified = FALSE;
 client_verify_callback_called = FALSE;
 

-if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
-    &expciphers, errstr))
+expciphers = NULL;
+#ifdef SUPPORT_DANE
+if (tlsa_dnsa)
+  {
+  /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
+  other failures should be treated as problems. */
+  if (ob->dane_require_tls_ciphers &&
+      !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
+        &expciphers, errstr))
+    return FAIL;
+  if (expciphers && *expciphers == '\0')
+    expciphers = NULL;
+  }
+#endif
+if (!expciphers &&
+    !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
+      &expciphers, errstr))

   return FAIL;
 
 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
   return FAIL;
 
 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index c4a6c028350eec39448da697281b1c7a15eb6240..bd1e20d7fc3a35667af2e79d9a71a71fc09ac1a2 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -38,6 +38,10 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, connect_timeout) },
   { "connection_max_messages", opt_int | opt_public,
       (void *)offsetof(transport_instance, connection_max_messages) },
       (void *)offsetof(smtp_transport_options_block, connect_timeout) },
   { "connection_max_messages", opt_int | opt_public,
       (void *)offsetof(transport_instance, connection_max_messages) },

+# ifdef SUPPORT_DANE
+  { "dane_require_tls_ciphers", opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, dane_require_tls_ciphers) },
+# endif

   { "data_timeout",         opt_time,
       (void *)offsetof(smtp_transport_options_block, data_timeout) },
   { "delay_after_cutoff", opt_bool,
   { "data_timeout",         opt_time,
       (void *)offsetof(smtp_transport_options_block, data_timeout) },
   { "delay_after_cutoff", opt_bool,


@@ -225,6 +229,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 #ifdef SUPPORT_DANE
   .hosts_try_dane =            NULL,
   .hosts_require_dane =                NULL,
 #ifdef SUPPORT_DANE
   .hosts_try_dane =            NULL,
   .hosts_require_dane =                NULL,

+  .dane_require_tls_ciphers =  NULL,

 #endif
   .hosts_try_fastopen =                NULL,
 #ifndef DISABLE_PRDR
 #endif
   .hosts_try_fastopen =                NULL,
 #ifndef DISABLE_PRDR

diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 749c6f778713e65fd8c5913cb73292edf21f30c3..7727c0c6db5d20cb108c276f92b5ecd1db9205d3 100644 (file)
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -32,6 +32,7 @@ typedef struct {
 #ifdef SUPPORT_DANE
   uschar *hosts_try_dane;
   uschar *hosts_require_dane;
 #ifdef SUPPORT_DANE
   uschar *hosts_try_dane;
   uschar *hosts_require_dane;

+  uschar *dane_require_tls_ciphers;

 #endif
   uschar *hosts_try_fastopen;
 #ifndef DISABLE_PRDR
 #endif
   uschar *hosts_try_fastopen;
 #ifndef DISABLE_PRDR

diff --git a/test/confs/5821 b/test/confs/5821
new file mode 100644 (file)
index 0000000..db2dc19
--- /dev/null
+++ b/test/confs/5821
@@ -0,0 +1,61 @@
+# Exim test configuration 5821
+# DANE/OpenSSL - ciphers option
+
+SERVER=
+OPT=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
+tls_privatekey =  ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
+
+# Permit two specific ciphers
+tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL
+
+# ----- Routers -----
+begin routers
+
+client:
+  driver =             dnslookup
+  condition =          ${if eq {SERVER}{}}
+  dnssec_request_domains = *
+  self =               send
+  transport =          send_to_server
+  errors_to =          ""
+
+server:
+  driver =             redirect
+  data =               :blackhole:
+
+# ----- Transports -----
+begin transports
+
+send_to_server:
+  driver =                     smtp
+  allow_localhost
+  port =                       PORT_D
+  hosts_try_dane =             *
+  tls_verify_certificates =    CDIR2/ca_chain.pem
+
+  # Some commonly-available cipher, we hope
+  tls_require_ciphers =                NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL
+  dane_require_tls_ciphers =   OPT
+
+# ----- Retry -----
+begin retry
+* * F,5d,10s
+
+# End

diff --git a/test/confs/5841 b/test/confs/5841
new file mode 100644 (file)
index 0000000..867c160
--- /dev/null
+++ b/test/confs/5841
@@ -0,0 +1,61 @@
+# Exim test configuration 5841
+# DANE/OpenSSL - ciphers option
+
+SERVER=
+OPT=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
+tls_privatekey =  ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
+
+# Permit two specific ciphers
+tls_require_ciphers = ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-GCM-SHA384
+
+# ----- Routers -----
+begin routers
+
+client:
+  driver =             dnslookup
+  condition =          ${if eq {SERVER}{}}
+  dnssec_request_domains = *
+  self =               send
+  transport =          send_to_server
+  errors_to =          ""
+
+server:
+  driver =             redirect
+  data =               :blackhole:
+
+# ----- Transports -----
+begin transports
+
+send_to_server:
+  driver =                     smtp
+  allow_localhost
+  port =                       PORT_D
+  hosts_try_dane =             *
+  tls_verify_certificates =    CDIR2/ca_chain.pem
+
+  # Some commonly-available cipher, we hope
+  tls_require_ciphers =                ECDHE-RSA-AES256-GCM-SHA384
+  dane_require_tls_ciphers =   OPT
+
+# ----- Retry -----
+begin retry
+* * F,5d,10s
+
+# End

diff --git a/test/log/5821 b/test/log/5821
new file mode 100644 (file)
index 0000000..e842e6d
--- /dev/null
+++ b/test/log/5821
@@ -0,0 +1,35 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.2:RSA_CAMELLIA_256_GCM_SHA384:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.2:RSA_CAMELLIA_256_GCM_SHA384:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed

diff --git a/test/log/5841 b/test/log/5841
new file mode 100644 (file)
index 0000000..06f8d5d
--- /dev/null
+++ b/test/log/5841
@@ -0,0 +1,35 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@localhost.test.ex R=client T=send_to_server H=localhost.test.ex [::1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ECDHE-RSA-CAMELLIA256-SHA384:256 CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 no host name found for IP address ::1
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=(myhost.test.ex) [::1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@localhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@localhost.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ECDHE-RSA-CAMELLIA256-SHA384:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <CALLER@dane256ee.test.ex> R=server
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed

diff --git a/test/scripts/5820-DANE-GnuTLS/5821 b/test/scripts/5820-DANE-GnuTLS/5821
new file mode 100644 (file)
index 0000000..f4ea305
--- /dev/null
+++ b/test/scripts/5820-DANE-GnuTLS/5821
@@ -0,0 +1,30 @@
+# DANE client: ciphers option
+#
+gnutls
+exim -DSERVER=server -bd -oX PORT_D
+****
+
+### Baseline, dane unused
+exim -odf CALLER@localhost.test.ex
+Testing
+****
+### Baseline, dane used
+exim -odf CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+### Dane cipher specified, dane unused
+# Since dane unused, should get the same cipher as the baseline
+exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@localhost.test.ex
+Testing
+****
+### Dane cipher specified, dane used
+# Should get the cipher specified here
+exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+killdaemon
+no_msglog_check

diff --git a/test/scripts/5840-DANE-OpenSSL/5841 b/test/scripts/5840-DANE-OpenSSL/5841
new file mode 100644 (file)
index 0000000..52fac18
--- /dev/null
+++ b/test/scripts/5840-DANE-OpenSSL/5841
@@ -0,0 +1,29 @@
+# DANE client: ciphers option
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+
+### Baseline, dane unused
+exim -odf CALLER@localhost.test.ex
+Testing
+****
+### Baseline, dane used
+exim -odf CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+### Dane cipher specified, dane unused
+# Since dane unused, should get the same cipher as the baseline
+exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@localhost.test.ex
+Testing
+****
+### Dane cipher specified, dane used
+# Should get the cipher specified here
+exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@dane256ee.test.ex
+Testing
+****
+#
+#
+killdaemon
+no_msglog_check

diff --git a/test/stderr/5821 b/test/stderr/5821
new file mode 100644 (file)
index 0000000..3f9e5f2
--- /dev/null
+++ b/test/stderr/5821
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used

diff --git a/test/stderr/5841 b/test/stderr/5841
new file mode 100644 (file)
index 0000000..3f9e5f2
--- /dev/null
+++ b/test/stderr/5841
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used

diff --git a/test/stdout/5821 b/test/stdout/5821
new file mode 100644 (file)
index 0000000..3f9e5f2
--- /dev/null
+++ b/test/stdout/5821
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used

diff --git a/test/stdout/5841 b/test/stdout/5841
new file mode 100644 (file)
index 0000000..3f9e5f2
--- /dev/null
+++ b/test/stdout/5841
@@ -0,0 +1,10 @@
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used
+
+******** SERVER ********
+### Baseline, dane unused
+### Baseline, dane used
+### Dane cipher specified, dane unused
+### Dane cipher specified, dane used