TLS: Deprecate RFC 5114 DH params. Bug 1895
authorJeremy Harris <jgh146exb@wizmail.org>
Mon, 27 Dec 2021 15:15:42 +0000 (15:15 +0000)
committerJeremy Harris <jgh146exb@wizmail.org>
Thu, 30 Dec 2021 13:50:33 +0000 (13:50 +0000)
16 files changed:
doc/doc-docbook/spec.xfpt
doc/doc-txt/ChangeLog
src/src/std-crypto.c
test/confs/2049 [new file with mode: 0644]
test/log/2049 [new file with mode: 0644]
test/log/2149
test/mail/2149.userw [deleted file]
test/mail/2149.userx [deleted file]
test/mail/2149.usery [deleted file]
test/mail/2149.userz [deleted file]
test/paniclog/2049 [new file with mode: 0644]
test/paniclog/2149
test/scripts/2000-GnuTLS/2049 [new file with mode: 0644]
test/scripts/2100-OpenSSL/2149
test/stderr/2049 [new file with mode: 0644]
test/stderr/2149

index b20d823117b869c7b8ec6276b6c050603a5163a5..00f0dac02252784586e8a2e5d1aa20c50fab9c0e 100644 (file)
@@ -18481,8 +18481,17 @@ of the later IKE values, which led into RFC7919 providing new fixed constants
 (the "ffdhe" identifiers).
 
 At this point, all of the "ike" values should be considered obsolete;
-they're still in Exim to avoid breaking unusual configurations, but are
+they are still in Exim to avoid breaking unusual configurations, but are
 candidates for removal the next time we have backwards-incompatible changes.
+.new
+Two of them in particular (&`ike1`& and &`ike22`&) are called out by RFC 8247
+as MUST NOT use for IPSEC, and two more (&`ike23`& and &`ike24`&) as
+SHOULD NOT.
+Because of this, Exim regards them as deprecated; if either of the first pair
+are used, warnings will be logged in the paniclog, and if any are used then
+warnings will be logged in the mainlog.
+All four will be removed in a future Exim release.
+.wen
 
 The TLS protocol does not negotiate an acceptable size for this; clients tend
 to hard-drop connections if what is offered by the server is unacceptable,
index b155e6b9dca1fcf6e317b9cb8a8feff0ccd28a4b..e7c7085f81aaa578904dc104c38268f09e47c5b7 100644 (file)
@@ -63,6 +63,8 @@ JH/13 Bug 2845: Fix handling of tls_require_ciphers for OpenSSL when a value
       in 4.95 trapped when normalisation was applied to an option not needing
       expansion action.
 
+JH/14 Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters.
+
 
 Exim version 4.95
 -----------------
index c56d260148d802f6a8dea7a1d2174943d9e8bdd0..200fb714496730e5882f441528418a6351cc5f9a 100644 (file)
@@ -914,12 +914,11 @@ static const char dh_ffdhe8192_pem[] =
 
 /* ========================================================================= */
 
-/*
- * Generated by Phil as a non-standard option.
- * openssl dhparam -2 2048
- * No provenance to prove non-tampering available, beyond trusting that this
- * developer generated this as stated above.
- */
+/* Generated by Phil as a non-standard option.
+openssl dhparam -2 2048
+No provenance to prove non-tampering available, beyond trusting that this
+developer generated this as stated above. */
+
 
 /* MacOSX 10.10.5 invoking system OpenSSL 0.9.8zg */
 static const char dh_exim_20160529_1[] =
@@ -957,69 +956,75 @@ static const char dh_exim_20160529_3[] =
 /* ========================================================================= */
 
 struct dh_constant {
-  const char *label;
-  const char *pem;
+  const char * label;
+  const char * pem;
+  int          logging;
 };
 
 #define EXIM_DH_PRIME_DEFAULT dh_exim_20160529_3
 
 /* KEEP SORTED ALPHABETICALLY;
- * duplicate PEM are okay, if we want aliases, but names must be alphabetical */
+duplicate PEM are okay, if we want aliases, but names must be alphabetical */
+
 static struct dh_constant dh_constants[] = {
     /*  label                  pem */
-    { "default",               EXIM_DH_PRIME_DEFAULT },
-    { "exim.dev.20160529.1",   dh_exim_20160529_1 },
-    { "exim.dev.20160529.2",   dh_exim_20160529_2 },
-    { "exim.dev.20160529.3",   dh_exim_20160529_3 },
-    { "ffdhe2048",             dh_ffdhe2048_pem },
-    { "ffdhe3072",             dh_ffdhe3072_pem },
-    { "ffdhe4096",             dh_ffdhe4096_pem },
-    { "ffdhe6144",             dh_ffdhe6144_pem },
-    { "ffdhe8192",             dh_ffdhe8192_pem },
-    { "ike1",                  dh_ike_1_pem },
-    { "ike14",                 dh_ike_14_pem },
-    { "ike15",                 dh_ike_15_pem },
-    { "ike16",                 dh_ike_16_pem },
-    { "ike17",                 dh_ike_17_pem },
-    { "ike18",                 dh_ike_18_pem },
-    { "ike2",                  dh_ike_2_pem },
-    { "ike22",                 dh_ike_22_pem },
-    { "ike23",                 dh_ike_23_pem },
-    { "ike24",                 dh_ike_24_pem },
-    { "ike5",                  dh_ike_5_pem },
+    { "default",               EXIM_DH_PRIME_DEFAULT,  0 },
+    { "exim.dev.20160529.1",   dh_exim_20160529_1,     0 },
+    { "exim.dev.20160529.2",   dh_exim_20160529_2,     0 },
+    { "exim.dev.20160529.3",   dh_exim_20160529_3,     0 },
+    { "ffdhe2048",             dh_ffdhe2048_pem,       0 },
+    { "ffdhe3072",             dh_ffdhe3072_pem,       0 },
+    { "ffdhe4096",             dh_ffdhe4096_pem,       0 },
+    { "ffdhe6144",             dh_ffdhe6144_pem,       0 },
+    { "ffdhe8192",             dh_ffdhe8192_pem,       0 },
+    { "ike1",                  dh_ike_1_pem,           LOG_MAIN | LOG_PANIC },
+    { "ike14",                 dh_ike_14_pem,          0 },
+    { "ike15",                 dh_ike_15_pem,          0 },
+    { "ike16",                 dh_ike_16_pem,          0 },
+    { "ike17",                 dh_ike_17_pem,          0 },
+    { "ike18",                 dh_ike_18_pem,          0 },
+    { "ike2",                  dh_ike_2_pem,           LOG_MAIN },
+    { "ike22",                 dh_ike_22_pem,          LOG_MAIN | LOG_PANIC },
+    { "ike23",                 dh_ike_23_pem,          LOG_MAIN },
+    { "ike24",                 dh_ike_24_pem,          LOG_MAIN },
+    { "ike5",                  dh_ike_5_pem,           0 },
 };
-static const int dh_constants_count =
-  sizeof(dh_constants) / sizeof(struct dh_constant);
+static const int dh_constants_count = nelem(dh_constants);
 
 
 /* A policy decision; in absence of any other data, use a 2048 bit prime,
- * pick the first one from the latest RFC providing such. */
+pick the first one from the latest RFC providing such. */
+
 const char *
 std_dh_prime_default(void)
 {
-  return EXIM_DH_PRIME_DEFAULT;
+return EXIM_DH_PRIME_DEFAULT;
 }
 
 
+/* Return PEM string for given name */
+
 const char *
-std_dh_prime_named(const uschar *name)
+std_dh_prime_named(const uschar * name)
 {
-  int first, last;
-  char *search_name = CS string_copylc(US name);
-
-  first = 0;
-  last = dh_constants_count;
-  while (last > first) {
-    int middle = (first + last)/2;
-    int c = strcmp(search_name, dh_constants[middle].label);
-    if (c == 0)
-      return dh_constants[middle].pem;
-    else if (c > 0)
-      first = middle + 1;
-    else
-      last = middle;
+for (int first = 0, last = dh_constants_count; last > first; )
+  {
+  int middle = (first + last)/2;
+  struct dh_constant * dp = &dh_constants[middle];
+  int c = Ustrcmp(name, dp->label);
+  if (c == 0)
+    {
+    if (dp->logging)
+      log_write(0, dp->logging,
+       "WARNING: deprecated Diffie-Hellman parameter '%s' used", dp->label);
+    return dp->pem;
+    }
+  else if (c > 0)
+    first = middle + 1;
+  else
+    last = middle;
   }
-  return NULL;
+return NULL;
 }
 
 #endif /*DISABLE_TLS*/
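Review bot: The rewritten `std_dh_prime_named()` compares the caller's string directly with `Ustrcmp(name, dp->label)`, where the removed code first lower-cased it with `string_copylc()`, so the table lookup is now case-sensitive. A setting such as `IKE22` would miss the table, return NULL and skip the new deprecation warning; what the caller then does with that value is outside this hunk, so please confirm the change is intended. If it is not, keep the fold ahead of the loop, e.g. `uschar * lc = string_copylc(US name);` and then `int c = Ustrcmp(lc, dp->label);`. Separately, the table also gives `ike2` the `LOG_MAIN` flag, while the spec.xfpt text in this commit names only ike1, ike22, ike23 and ike24 and says "all four"; the documentation and the table should be brought in line.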
diff --git a/test/confs/2049 b/test/confs/2049
new file mode 100644 (file)
index 0000000..4b6bf9b
--- /dev/null
@@ -0,0 +1,54 @@
+# Exim test configuration 2049
+
+SERVER =
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+tls_advertise_hosts = *
+tls_certificate = DIR/aux-fixed/cert1
+tls_dhparam = ${if eq {SERVER}{server}{DATA}fail}
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if eq {SERVER}{server}{no}{yes}}
+  retry_use_local_part
+  transport = send_to_server
+
+server:
+  driver = accept
+  retry_use_local_part
+  transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  create_file = DIR/test-mail
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+send_to_server:
+  driver = smtp
+  allow_localhost
+  hosts = 127.0.0.1
+  port = PORT_D
+  hosts_try_fastopen = :
+  tls_verify_certificates =    DIR/aux-fixed/cert1
+  tls_verify_cert_hostnames =  :
+
+# End
diff --git a/test/log/2049 b/test/log/2049
new file mode 100644 (file)
index 0000000..9067474
--- /dev/null
@@ -0,0 +1,39 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userw@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbD-0005vi-00 => usera@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 => userb@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userw <userw@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => userz <userz@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike24' used
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 => usera <usera@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 => userb <userb@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
index 4b7e651b0c7053fd076d86cc68228eb9f8168abc..ea1c7e454bcf67e1e36af50a4e990a967e18a63e 100644 (file)
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbD-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 => usera@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbH-0005vi-00 => userb@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbI-0005vi-00"
+1999-03-02 09:44:33 10HmbH-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 => userz <userz@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike24' used
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 => usera <usera@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
+1999-03-02 09:44:33 TLS error (D-H param setting 'ike22'): error:xxxxxxxx:SSL routines::dh key too small
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbH-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbI-0005vi-00 => userb <userb@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbI-0005vi-00 Completed
diff --git a/test/mail/2149.userw b/test/mail/2149.userw
deleted file mode 100644 (file)
index 5e57131..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
-Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-       by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx)
-       (Exim x.yz)
-       (envelope-from <CALLER@myhost.test.ex>)
-       id 10HmaY-0005vi-00
-       for userw@test.ex;
-       Tue, 2 Mar 1999 09:44:33 +0000
-Received: from CALLER by myhost.test.ex with local (Exim x.yz)
-       (envelope-from <CALLER@myhost.test.ex>)
-       id 10HmaX-0005vi-00
-       for userw@test.ex;
-       Tue, 2 Mar 1999 09:44:33 +0000
-Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
-From: CALLER_NAME <CALLER@myhost.test.ex>
-Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn=
-
-Test message
-
diff --git a/test/mail/2149.userx b/test/mail/2149.userx
deleted file mode 100644 (file)
index fa117a2..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
-Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-       by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx)
-       (Exim x.yz)
-       (envelope-from <CALLER@myhost.test.ex>)
-       id 10HmbA-0005vi-00
-       for userx@test.ex;
-       Tue, 2 Mar 1999 09:44:33 +0000
-Received: from CALLER by myhost.test.ex with local (Exim x.yz)
-       (envelope-from <CALLER@myhost.test.ex>)
-       id 10HmaZ-0005vi-00
-       for userx@test.ex;
-       Tue, 2 Mar 1999 09:44:33 +0000
-Message-Id: <E10HmaZ-0005vi-00@myhost.test.ex>
-From: CALLER_NAME <CALLER@myhost.test.ex>
-Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn=
-
-Test message
-
diff --git a/test/mail/2149.usery b/test/mail/2149.usery
deleted file mode 100644 (file)
index 1cf700b..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
-Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-       by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx)
-       (Exim x.yz)
-       (envelope-from <CALLER@myhost.test.ex>)
-       id 10HmbC-0005vi-00
-       for usery@test.ex;
-       Tue, 2 Mar 1999 09:44:33 +0000
-Received: from CALLER by myhost.test.ex with local (Exim x.yz)
-       (envelope-from <CALLER@myhost.test.ex>)
-       id 10HmbB-0005vi-00
-       for usery@test.ex;
-       Tue, 2 Mar 1999 09:44:33 +0000
-Message-Id: <E10HmbB-0005vi-00@myhost.test.ex>
-From: CALLER_NAME <CALLER@myhost.test.ex>
-Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn=
-
-Test message
-
diff --git a/test/mail/2149.userz b/test/mail/2149.userz
deleted file mode 100644 (file)
index a09b0f0..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
-Received: from localhost ([127.0.0.1] helo=myhost.test.ex)
-       by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx)
-       (Exim x.yz)
-       (envelope-from <CALLER@myhost.test.ex>)
-       id 10HmbE-0005vi-00
-       for userz@test.ex;
-       Tue, 2 Mar 1999 09:44:33 +0000
-Received: from CALLER by myhost.test.ex with local (Exim x.yz)
-       (envelope-from <CALLER@myhost.test.ex>)
-       id 10HmbD-0005vi-00
-       for userz@test.ex;
-       Tue, 2 Mar 1999 09:44:33 +0000
-Message-Id: <E10HmbD-0005vi-00@myhost.test.ex>
-From: CALLER_NAME <CALLER@myhost.test.ex>
-Date: Tue, 2 Mar 1999 09:44:33 +0000
-TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn=
-
-Test message
-
diff --git a/test/paniclog/2049 b/test/paniclog/2049
new file mode 100644 (file)
index 0000000..e088496
--- /dev/null
@@ -0,0 +1,3 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
index 2221cd458ae13c6d8329b221a70ede420ed97dcd..dff86ef7c42af4ae7356a24b761ca2eef2fb4fba 100644 (file)
@@ -1,3 +1,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 TLS error (D-H param setting 'TESTSUITE/aux-fixed/dh512'): error:xxxxxxxx:SSL routines::dh key too small
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
+1999-03-02 09:44:33 TLS error (D-H param setting 'ike22'): error:xxxxxxxx:SSL routines::dh key too small
diff --git a/test/scripts/2000-GnuTLS/2049 b/test/scripts/2000-GnuTLS/2049
new file mode 100644 (file)
index 0000000..e66d952
--- /dev/null
@@ -0,0 +1,43 @@
+# TLS: DH ciphers for GnuTLS
+#
+# DH param from file
+exim -DSERVER=server -DDATA=DIR/aux-fixed/dh2048 -bd -oX PORT_D
+****
+exim -odf userw@test.ex
+Test message
+****
+killdaemon
+#
+# Too-big DH param (vs. tls_dh_max_bits), from file
+exim -DSERVER=server -DDATA=DIR/aux-fixed/dh3072 -bd -oX PORT_D
+****
+exim -odf userx@test.ex
+Test message
+****
+killdaemon
+#
+#
+# Named DH-param
+exim -DSERVER=server -DDATA=ffdhe2048 -bd -oX PORT_D
+****
+exim -odf userz@test.ex
+Test message
+****
+killdaemon
+#
+# Named DH-param, logged deprecation
+exim -DSERVER=server -DDATA=ike24 -bd -oX PORT_D
+****
+exim -odf usera@test.ex
+Test message
+****
+killdaemon
+#
+# Named DH-param, panic-logged deprecation
+exim -DSERVER=server -DDATA=ike22 -bd -oX PORT_D
+****
+exim -odf userb@test.ex
+Test message
+****
+killdaemon
+no_message_check
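Review bot: `no_message_check` on the last line is not scoped to the ike22 case; as far as I can tell the test harness treats it as a whole-script switch, so none of the deliveries in this script have their mail files compared. The same line is appended to test/scripts/2100-OpenSSL/2149, where the commit also deletes test/mail/2149.userw through userz, so the earlier file-based and ffdhe2048 cases lose the check on the delivered `TLS: cipher=` header that they had before. If only the deprecated-name cases need the comparison switched off, consider moving them into a script of their own, or at least record the reason next to the directive, e.g. `# mail files not compared: <reason>`.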
index 4435fca1910c12ff941055554bcc8decc3621b71..b8ff655604fcd98dcd9f7b600ced0f638cd63211 100644 (file)
@@ -31,3 +31,20 @@ exim -odf userz@test.ex
 Test message
 ****
 killdaemon
+#
+# Named DH-param, logged deprecation
+exim -DSERVER=server -DDATA=ike24 -bd -oX PORT_D
+****
+exim -odf usera@test.ex
+Test message
+****
+killdaemon
+#
+# Named DH-param, panic-logged deprecation
+exim -DSERVER=server -DDATA=ike22 -bd -oX PORT_D
+****
+exim -odf userb@test.ex
+Test message
+****
+killdaemon
+no_message_check
diff --git a/test/stderr/2049 b/test/stderr/2049
new file mode 100644 (file)
index 0000000..e088496
--- /dev/null
@@ -0,0 +1,3 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
index 2221cd458ae13c6d8329b221a70ede420ed97dcd..dff86ef7c42af4ae7356a24b761ca2eef2fb4fba 100644 (file)
@@ -1,3 +1,5 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 TLS error (D-H param setting 'TESTSUITE/aux-fixed/dh512'): error:xxxxxxxx:SSL routines::dh key too small
+1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used
+1999-03-02 09:44:33 TLS error (D-H param setting 'ike22'): error:xxxxxxxx:SSL routines::dh key too small