if (state->verify_requirement == VERIFY_NONE)
return TRUE;
+DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
*errstr = NULL;
if ((rc = peer_status(state, errstr)) != OK)
}
/* Now negotiate the TLS session. We put our own timer on it, since it seems
-that the GnuTLS library doesn't. */
+that the GnuTLS library doesn't.
+From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
+to set (and clear down afterwards) up a pull-timeout callback function that does
+a select, so we're no better off unless avoiding signals becomes an issue. */
gnutls_transport_set_ptr2(state->session,
(gnutls_transport_ptr_t)(long) fileno(smtp_in),
"hosts_max_try (message older than host's retry time)\n");
}
}
+ if (running_in_test_harness) millisleep(500); /* let server debug out */
} /* End of loop for trying multiple hosts. */
/* If we failed to find a matching host in the list, for an already-open
begin retry
-^[^@]+@ten- * F,2s,1s
-* * F,2s,1s
+^[^@]+@ten- * F,3s,1s
+* * F,3s,1s
# End
#tls_verify_certificates = TVC
tls_verify_certificates = CERT
+# so we can decode in wireshark
+tls_require_ciphers = NORMAL:-KX-ALL:+RSA
# End
tls_advertise_hosts = *
-tls_require_ciphers = ${if eq{$sender_host_address}{HOSTIPV4}\
- {NONE}{SECURE256}}
+tls_require_ciphers = NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA256
# Set certificate only if server
driver = smtp
allow_localhost
hosts = HOSTIPV4 : 127.0.0.1
- hosts_require_tls = HOSTIPV4
port = PORT_D
-
+ hosts_require_tls = HOSTIPV4
+ tls_require_ciphers = NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA\
+ ${if eq{$host}{HOSTIPV4} {384} {256} }
# ----- Retry -----
tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
# Permit two specific ciphers
-tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL
+tls_require_ciphers = NORMAL:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+CAMELLIA-256-GCM
# ----- Routers -----
begin routers
tls_verify_certificates = CDIR2/ca_chain.pem
# Some commonly-available cipher, we hope
- tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL
+ tls_require_ciphers = NORMAL:-CIPHER-ALL:+AES-128-CBC
dane_require_tls_ciphers = OPT
# ----- Retry -----
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file.
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: a TLS session is required, but an attempt to start TLS failed
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
s/No certificate was found/The peer did not send any certificate/g;
#(dodgy test?) s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g;
s/\(gnutls_priority_set\): No or insufficient priorities were set/\(gnutls_handshake\): Could not negotiate a supported cipher suite/g;
+ s/\(gnutls_handshake\): \KNo supported cipher suites have been found.$/Could not negotiate a supported cipher suite./;
# (this new one is a generic channel-read error, but the testsuite
# only hits it in one place)
'gnutls_handshake' =>
{ 'mainlog' => 's/\(gnutls_handshake\): Error in the push function/\(gnutls_handshake\): A TLS packet with unexpected length was received/' },
+ 'gnutls_bad_clientcert' =>
+ { 'mainlog' => 's/\(certificate verification failed\): certificate invalid/\(gnutls_handshake\): The peer did not send any certificate./',
+ 'stdout' => 's/Succeeded in starting TLS/A TLS fatal alert has been received.\nFailed to start TLS'
+ },
+
'optional_events' =>
{ 'stdout' => '/event_action =/' },
gnutls
exim -DSERVER=server -bd -oX PORT_D
****
+#
+#
+# This one has a cert, but the server isn't expecting it.
+# Earlier versions of GnuTLS would send it despite the server giving a list of acceptable ones, and the
+# server would fail its verification. Now the client correctly doesn't send it; the mainlog reflects
+# this, the custom munge patches output with old GnuTLS (I hope; not actually tested).
+munge gnutls_bad_clientcert
client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
??? 220
ehlo rhu.barb
??? 220
****
killdaemon
+#
+# Here the server really doesn't have a cert
exim -DSERVER=server -DCERT=/non/exist -bd -oX PORT_D
****
client-gnutls HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
****
exim -qf
****
+millisleep 500
killdaemon
no_msglog_check
#
### Dane cipher specified, dane unused
# Since dane unused, should get the same cipher as the baseline
-exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@localhost.test.ex
+exim -odf -DOPT=NORMAL:-CIPHER-ALL:+CAMELLIA-256-GCM CALLER@localhost.test.ex
Testing
****
### Dane cipher specified, dane used
# Should get the cipher specified here
-exim -odf -DOPT=NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL CALLER@dane256ee.test.ex
+exim -odf -DOPT=NORMAL:-CIPHER-ALL:+CAMELLIA-256-GCM CALLER@dane256ee.test.ex
Testing
****
#
address match test: subject=*@127.0.0.1 pattern=*
127.0.0.1 in "*"? yes (matched "*")
*@127.0.0.1 in "*"? yes (matched "*")
+set_process_info: pppp delivering 10HmaX-0005vi-00: waiting for a remote delivery subprocess to finish
checking status of V4NET.0.0.0
locking TESTSUITE/spool/db/retry.lockfile
locked TESTSUITE/spool/db/retry.lockfile
added retry item for T:V4NET.0.0.0:V4NET.0.0.0:1224: errno=dd more_errno=dd,A flags=2
set_process_info: pppp delivering 10HmaX-0005vi-00 (just run smtp for x@y in subprocess)
search_tidyup called
-set_process_info: pppp delivering 10HmaX-0005vi-00: waiting for a remote delivery subprocess to finish
-set_process_info: pppp delivering 10HmaX-0005vi-00
reading retry information for T:V4NET.0.0.0:V4NET.0.0.0:1224 from subprocess
added retry item
reading retry information for R:x@y from subprocess
added retry item
+set_process_info: pppp delivering 10HmaX-0005vi-00
LOG: MAIN
== x@y R=r1 T=smtp defer (dd): Network Error H=127.0.0.1 [127.0.0.1]
changed uid/gid: post-delivery tidying
H=127.0.0.1 [127.0.0.1] Connection refused
set_process_info: pppp delivering 10HmaZ-0005vi-00: just tried 127.0.0.1 [127.0.0.1] for CALLER@the.local.host.name: result DEFER
added retry item for T:127.0.0.1:127.0.0.1:1224: errno=dd more_errno=dd,A flags=2
+set_process_info: pppp delivering 10HmaZ-0005vi-00: waiting for a remote delivery subprocess to finish
all IP addresses skipped or deferred at least one address
updating wait-t1 database
added to list for 127.0.0.1
Leaving t1 transport
set_process_info: pppp delivering 10HmaZ-0005vi-00 (just run t1 for CALLER@the.local.host.name in subprocess)
-set_process_info: pppp delivering 10HmaZ-0005vi-00: waiting for a remote delivery subprocess to finish
set_process_info: pppp delivering 10HmaZ-0005vi-00
LOG: MAIN
== CALLER@the.local.host.name R=r1 T=t1 defer (dd): Connection refused
-Retry rule: ^[^@]+@ten- * F,2s,1s;
+Retry rule: ^[^@]+@ten- * F,3s,1s;
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-Succeeded in starting TLS
+A TLS fatal alert has been received.
+Failed to start TLS
End of script
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
Certificate file = aux-fixed/cert2