Testsuite: variances for OpenSSL 1.1.1
authorJeremy Harris <jgh146exb@wizmail.org>
Thu, 25 Oct 2018 23:41:36 +0000 (00:41 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Fri, 26 Oct 2018 14:53:41 +0000 (15:53 +0100)
13 files changed:
test/confs/2119
test/confs/2132
test/lib/Exim/Runtest.pm
test/log/2102.openssl_1_1_1 [new file with mode: 0644]
test/runtest
test/scripts/2100-OpenSSL/2114
test/scripts/2100-OpenSSL/2124
test/scripts/2100-OpenSSL/2132
test/src/client.c
test/stderr/2132
test/stdout/2114.openssl_1_1_1 [new file with mode: 0644]
test/stdout/2124.openssl_1_1_1 [new file with mode: 0644]
test/stdout/2132.openssl_1_1_1 [new file with mode: 0644]

index d55232d05dc51a8839b3058f22c1f5db982fc65c..fbd83769c6b0d8fd585cce4e18dcadb601d19ffe 100644 (file)
@@ -29,18 +29,7 @@ begin acl
 check_recipient:
   accept  hosts = :
   deny    hosts = HOSTIPV4
-         !encrypted = AES256-SHA:\
-                      AES256-GCM-SHA384:\
-                      AES128-GCM-SHA256:\
-                      IDEA-CBC-MD5:\
-                      DES-CBC3-SHA:\
-                     DHE-RSA-AES256-SHA:\
-                     DHE-RSA-AES256-GCM-SHA384:\
-                      DHE_RSA_AES_256_CBC_SHA1:\
-                      DHE_RSA_3DES_EDE_CBC_SHA:\
-                      ECDHE-RSA-AES256-GCM-SHA384:\
-                      ECDHE-RSA-AES128-GCM-SHA256:\
-                     ECDHE-RSA-CHACHA20-POLY1305
+         !encrypted = *
   accept
 
 
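Review bot: Replacing the explicit cipher list with `!encrypted = *` on line 38 removes the only check that the negotiated suite was one of the named ones, so the ACL now asserts merely that the session is encrypted at all; presumably this is because OpenSSL 1.1.1 negotiates TLS 1.3 suites whose names are absent from the old list (the new expected outputs show `tlsv13` alerts). That is a reasonable trade for a fixture, but the dropped coverage should be recorded so the line is not later read as a deliberate "any cipher is acceptable" policy, e.g. `# any cipher: suite names vary across TLS versions and libraries; only encryption itself is asserted here`. The same substitution is made in test/confs/2132 and deserves the same comment.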
index 7e491b8a6a9b29ff34631e7cd8ec92485eacf0be..4d90a9cd7a949e9eba6d8cd4f1ce17ff38de5513 100644 (file)
@@ -29,18 +29,7 @@ begin acl
 check_recipient:
   accept  hosts = :
   deny    hosts = HOSTIPV4
-         !encrypted = AES256-SHA : \
-                      AES256-GCM-SHA384 : \
-                      AES128-GCM-SHA256 : \
-                      IDEA-CBC-MD5 : \
-                      DES-CBC3-SHA : \
-                     DHE-RSA-AES256-SHA : \
-                     DHE-RSA-AES256-GCM-SHA384 : \
-                      DHE_RSA_AES_256_CBC_SHA1 : \
-                      DHE_RSA_3DES_EDE_CBC_SHA : \
-                      ECDHE-RSA-AES256-GCM-SHA384 : \
-                      ECDHE-RSA-AES128-GCM-SHA256 : \
-                     ECDHE-RSA-CHACHA20-POLY1305
+         !encrypted = *
   warn    logwrite =  ${if def:tls_in_ourcert \
                {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
                {We did not present a cert}}
index e41a29c8cb83cc0bb03b1375ecaf7d21657db55f..7ba079051c9e88fb9515408e303f57428f996606 100644 (file)
@@ -119,6 +119,10 @@ sub flavour {
         $etc = shift;
     }
 
+    if (open(my $f, '-|', 'openssl version')) {
+       <$f> =~ /1.1.1/ && return "openssl_1_1_1";
+    }
+
     if (open(my $f, '<', "$etc/os-release")) {
         local $_ = join '', <$f>;
         my ($id) = /^ID="?(.*?)"?\s*$/m;
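Review bot: The version match on line 69, `/1.1.1/`, leaves the dots unescaped and is unanchored, so it accepts any line with three 1s separated by single characters rather than the literal `OpenSSL 1.1.1` prefix, and it is applied to `<$f>` directly without a `defined` check, which will warn under `use warnings` if the pipe yields nothing. The check also keys on whichever `openssl` binary is first on PATH rather than on the library the exim under test is linked against, so a GnuTLS build on a host that ships OpenSSL 1.1.1 would appear to be classified this way too; since the new block runs before the os-release lookup it also takes precedence over every OS flavour, which may be intended but is worth a comment. Suggest the list-form open, an anchored match and an explicit close so the child's exit is collected deterministically:
```perl
    if (open(my $f, '-|', 'openssl', 'version')) {
        my $v = <$f>;
        close $f;
        return "openssl_1_1_1" if defined $v && $v =~ /\bOpenSSL 1\.1\.1/;
    }
```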
@@ -137,7 +141,7 @@ sub flavour {
 
 sub flavours {
     my %h = map { /\.(\S+)$/, 1 }
-            grep { !/\.orig$/ } glob('stdout/*.*'), glob('stderr/*.*');
+            grep { !/\.orig$/ } glob('stdout/*.*'), glob('stderr/*.*'), glob('log/*.*');
     return sort keys %h;
 }
 
@@ -174,7 +178,7 @@ typical files in the F</etc> directory.
 
 =item B<flavours>()
 
-Return a list of available flavours. It does so by scanning F<stdout/> and
+Return a list of available flavours. It does so by scanning F<log/>, F<stdout/> and
 F<stderr/> for I<flavour> files (extensions after the numerical prefix.
 
 =back
diff --git a/test/log/2102.openssl_1_1_1 b/test/log/2102.openssl_1_1_1
new file mode 100644 (file)
index 0000000..0e8e5f6
--- /dev/null
@@ -0,0 +1,46 @@
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer cert:
+1999-03-02 09:44:33 ver 2
+1999-03-02 09:44:33 SR  <c9>
+1999-03-02 09:44:33 SN  <CN=server2.example.com>
+1999-03-02 09:44:33 IN  <CN=clica Signing Cert rsa,O=example.com>
+1999-03-02 09:44:33 IN/O <example.com>
+1999-03-02 09:44:33 NB/r <Nov  1 12:34:04 2012 GMT>
+1999-03-02 09:44:33 NB   <Nov  1 12:34:04 2012 +0000>
+1999-03-02 09:44:33 NB/i <1351773244>
+1999-03-02 09:44:33 NA/i <2143283644>
+1999-03-02 09:44:33 NA   <Dec  1 12:34:04 2037 +0000>
+1999-03-02 09:44:33 SA  <sha256WithRSAEncryption>
+1999-03-02 09:44:33 SG  <         80:00:39:4c:bb:2c:16:e6:be:ee:54:b7:f6:9f:89:fe:71:62:\n         79:2f:90:57:95:07:54:67:2f:e9:12:96:41:1b:c5:9b:dd:de:\n         68:2d:e5:d7:a7:35:c7:ea:b1:d9:95:12:40:49:0c:07:3d:0c:\n         74:df:57:d1:b6:04:5f:83:5c:15:fe:9a:7f:b7:35:7d:ec:f8:\n         b7:4d:ac:76:ea:8c:44:8a:86:e0:42:38:78:ff:68:8a:09:83:\n         44:10:67:b4:fd:a4:5c:a4:ea:91:41:e7:8e:a7:79:37:f6:e2:\n         f8:de:9d:0f:96:85:18:22:2c:5c:06:af:01:85:94:62:c1:69:\n         8d:2e\n>
+1999-03-02 09:44:33 SAN <DNS=*.test.ex\nDNS=server2.example.com>
+1999-03-02 09:44:33 OCU <http://oscp.example.com/>
+1999-03-02 09:44:33 (no CRU)
+1999-03-02 09:44:33 md5    fingerprint 313E07141F2FF0CBC0A76EB57CA49D58
+1999-03-02 09:44:33 sha1   fingerprint 778B892247D2ABD365BA1530A50141AF052E271E
+1999-03-02 09:44:33 sha256 fingerprint 05F3012D41AE8A8173BE3AE71F7F9B3535391CACF77003B723F14B21064F6648
+1999-03-02 09:44:33 der_b64 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
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server2.example.com" S=sss
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-ECDSA-AES256-SHA:xxx CV=no S=sss
index 7c89f10b0bc52fa97e832c39e233111fade9d74b..efb352b234422534823619a4f84c28e0e4ef5389 100755 (executable)
@@ -935,6 +935,7 @@ RESET_AFTER_EXTRA_LINE_READ:
     s/SSL3_READ_BYTES/ssl3_read_bytes/i;
     s/CONNECT_CR_FINISHED/ssl3_read_bytes/i;
     s/^\d+:error:\d+(?:E\d+)?(:SSL routines:ssl3_read_bytes:[^:]+:).*(:SSL alert number \d\d)$/pppp:error:dddddddd$1\[...\]$2/;
+    s/^error:[^:]*:(SSL routines:ssl3_read_bytes:(tls|ssl)v\d+ alert)/error:dddddddd:$1/;
 
     # gnutls version variances
     next if /^Error in the pull function./;
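Review bot: The new substitution on line 149 carries no comment saying what it normalises, unlike the GnuTLS block that starts on line 151; it masks the library-specific hex reason code while keeping the alert text, which the new expected outputs rely on (`tlsv13 alert certificate required`, `tlsv1 alert unknown ca`, `sslv3 alert certificate revoked`). Suggest `# OpenSSL 1.1.1: mask the hex reason code, keep the alert name the fixtures assert on` above it. The `[^:]*` could be tightened to `[0-9A-Fa-f]+` so a line with an unexpected layout is left visible rather than silently rewritten, though the wider match is harmless for the fixtures in this commit.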
index cc78ab0fb0598be3714a184513856d10a37c1d6e..edf3b6c11af9eee5c7bacf82fc36407c111d7ea9 100644 (file)
@@ -2,7 +2,7 @@
 exim -DSERVER=server -bd -oX PORT_D
 ****
 ### No certificate, certificate required
-client-ssl HOSTIPV4 PORT_D
+client-ssl -t2 HOSTIPV4 PORT_D
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -14,10 +14,12 @@ ehlo rhu.barb
 starttls
 ??? 220
 noop
+????554 Security failure
+noop
 ??? 554 Security failure
 quit
 ????554 Security failure
-??? 221
+????221
 ???*
 ****
 ### No certificate, certificate optional at TLS time, required by ACL
@@ -92,6 +94,8 @@ ehlo rhu.barb
 starttls
 ??? 220
 noop
+????554 Security failure
+noop
 ??? 554 Security failure
 ****
 ### Bad certificate, certificate optional at TLS time, reject at ACL time
@@ -133,6 +137,8 @@ ehlo rhu.barb
 starttls
 ??? 220
 noop
+????554 Security failure
+noop
 ??? 554 Security failure
 ****
 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
index eb999d6bf01690d63569bc059a36d7baf899440f..6649ed9681e9f2d5fa642bee38a7dd83dd0aa46e 100644 (file)
@@ -1,7 +1,7 @@
 # TLS server: empty/non-existent certificate file
 exim -DSERVER=server -bd -oX PORT_D
 ****
-client-ssl HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+client-ssl -t2 HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -12,6 +12,10 @@ ehlo rhu.barb
 ??? 250
 starttls
 ??? 220
+noop
+????554 Security failure
+noop
+??? 554 Security failure
 ****
 killdaemon
 exim -DSERVER=server -DCERT=/non/exist -bd -oX PORT_D
index 4a12fb0bb344e0c178f46fe710d7b41c3cc50ea8..cdf4ed2fd8721fdb7f71887f196c09349693338a 100644 (file)
@@ -1,6 +1,8 @@
 # TLS server: server ca cert from directory
 exim -DSERVER=server -bd -oX PORT_D
 ****
+#
+### Should accept message
 client-ssl 127.0.0.1 PORT_D
 ??? 220
 ehlo rhu.barb
@@ -24,6 +26,7 @@ This is a test encrypted message.
 quit
 ??? 221
 ****
+### Should accept message (with a difficult env-from)
 client-ssl 127.0.0.1 PORT_D
 ??? 220
 ehlo rhu.barb
@@ -47,7 +50,8 @@ This is a test encrypted message.
 quit
 ??? 221
 ****
-client-ssl HOSTIPV4 PORT_D
+### client cert verify required; none given
+client-ssl -t2 HOSTIPV4 PORT_D
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -58,10 +62,12 @@ ehlo rhu.barb
 ??? 250
 starttls
 ??? 220
-+++ 1
-help
+noop
+????554
+noop
 ??? 554
 ****
+### client cert verify required; good one supplied
 client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
 ??? 220
 ehlo rhu.barb
index de36ef0651ee9bae0b524fb217ffaef3d52ef796..c143739d08ad866d332455604b8da405b2a14670 100644 (file)
@@ -578,18 +578,24 @@ nextinput:
            case SSL_ERROR_ZERO_RETURN:
              break;
            case SSL_ERROR_SYSCALL:
-             printf("%s\n", ERR_error_string(ERR_get_error(), NULL)); break;
+             printf("%s\n", ERR_error_string(ERR_get_error(), NULL));
              rc = -1;
+             break;
            case SSL_ERROR_SSL:
-             printf("%s\n", ERR_error_string(ERR_get_error(), NULL)); break;
+             printf("%s\nTLS terminated\n", ERR_error_string(ERR_get_error(), NULL));
              SSL_shutdown(srv->ssl);
              SSL_free(srv->ssl);
              srv->tls_active = FALSE;
+             { /* OpenSSL leaves it in restartsys mode */
+             struct sigaction act = {.sa_handler = sigalrm_handler_flag, .sa_flags = 0};
+             sigalrm_seen = 1;
+             sigaction(SIGALRM, &act, NULL);
+             }
+             *inptr = 0;
              goto nextinput;
            default:
              printf("SSL error code %d\n", error);
            }
-
 #endif
 #ifdef HAVE_GNUTLS
         rc = gnutls_record_recv(tls_session, CS inbuffer, bsiz - 1);
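Review bot: `SSL_shutdown(srv->ssl)` on line 271 is issued immediately after `SSL_get_error` reported SSL_ERROR_SSL, which OpenSSL's documentation says must not be done once a fatal error has occurred on the connection; `SSL_free` alone is the correct teardown here. After `SSL_free` on line 272 `srv->ssl` is left dangling with only `tls_active` as a guard, so any later teardown or second STARTTLS that touches the pointer would operate on freed memory — add `srv->ssl = NULL;` after the free (the other users of `srv->ssl` are outside this hunk, so this is a precaution rather than a demonstrated double free). The `struct sigaction` on line 275 relies on the designated initialiser zero-filling `sa_mask`; `sigemptyset(&act.sa_mask);` is the portable form. Setting `sigalrm_seen = 1` on line 276 although no alarm fired appears to be how the optional-response path is reached after the jump, and a comment saying so would help because the name otherwise suggests a real timeout. The enclosing read loop starts and ends outside the hunk.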
@@ -601,6 +607,8 @@ nextinput:
 
       if (rc < 0)
        {
+       if (errno == EINTR && sigalrm_seen && resp_optional)
+         continue;     /* next scriptline */
         printf("Read error %s\n", strerror(errno));
         exit(81);
        }
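Review bot: The `errno == EINTR` test on line 292 is evaluated after the TLS branches above it have already called `printf` and `ERR_error_string`, either of which may overwrite errno, so on the OpenSSL SSL_ERROR_SYSCALL path (which prints before setting `rc = -1`) the comparison can be against a stale value; on the GnuTLS path `gnutls_record_recv` reports its own negative codes and errno is not necessarily meaningful at all. Capture errno right after the read that produced `rc`, e.g. `int read_errno = errno;`, and test that copy here, or limit the check to the plaintext case with `!srv->tls_active`. `sigalrm_seen` is also not cleared once consumed in this hunk, so a later unrelated read error while `resp_optional` is set would be skipped as well — hedged, since the reset may live outside the hunk. The enclosing function continues outside the hunk.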
index 59f338294319f7993995f7a3fdd7d297df3b9f66..6babd94f16b915022328cd65fbe274a45116c55d 100644 (file)
@@ -1,3 +1,7 @@
+### Should accept message
+### Should accept message (with a difficult env-from)
+### client cert verify required; none given
+### client cert verify required; good one supplied
 >>> host in hosts_connection_nolog? no (option unset)
 >>> host in host_lookup? no (option unset)
 >>> host in host_reject_connection? no (option unset)
@@ -8,3 +12,7 @@
 >>> host in helo_accept_junk_hosts? no (option unset)
 
 ******** SERVER ********
+### Should accept message
+### Should accept message (with a difficult env-from)
+### client cert verify required; none given
+### client cert verify required; good one supplied
diff --git a/test/stdout/2114.openssl_1_1_1 b/test/stdout/2114.openssl_1_1_1
new file mode 100644 (file)
index 0000000..744d0e2
--- /dev/null
@@ -0,0 +1,324 @@
+### No certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+>>> quit
+????554 Security failure
+????221
+???*
+Expected EOF read
+End of script
+### No certificate, certificate optional at TLS time, required by ACL
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> helo rhu.barb
+??? 250
+<<< 250 myhost.test.ex Hello rhu.barb [127.0.0.1]
+>>> mail from:<userx@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@test.ex>
+??? 550
+<<< 550 certificate not verified: peerdn=
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Good certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@test.ex>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Good certificate, certificate optional at TLS time, checked by ACL
+Connecting to 127.0.0.1 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@test.ex>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Bad certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
+Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+End of script
+### Bad certificate, certificate optional at TLS time, reject at ACL time
+Connecting to 127.0.0.1 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
+Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@test.ex>
+??? 550
+<<< 550 certificate not verified: peerdn=/CN=server1.example.net
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Otherwise good but revoked certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+End of script
+### Revoked certificate, certificate optional at TLS time, reject at ACL time
+Connecting to 127.0.0.1 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@test.ex>
+??? 550
+<<< 550 certificate not verified: peerdn=/CN=revoked1.example.com
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Good certificate, certificate required - but nonmatching CRL also present
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@test.ex>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+
+******** SERVER ********
+### No certificate, certificate required
+### No certificate, certificate optional at TLS time, required by ACL
+### Good certificate, certificate required
+### Good certificate, certificate optional at TLS time, checked by ACL
+### Bad certificate, certificate required
+### Bad certificate, certificate optional at TLS time, reject at ACL time
+### Otherwise good but revoked certificate, certificate required
+### Revoked certificate, certificate optional at TLS time, reject at ACL time
+### Good certificate, certificate required - but nonmatching CRL also present
diff --git a/test/stdout/2124.openssl_1_1_1 b/test/stdout/2124.openssl_1_1_1
new file mode 100644 (file)
index 0000000..e7777a1
--- /dev/null
@@ -0,0 +1,55 @@
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 454
+<<< 454 TLS currently unavailable
+Abandoning TLS start attempt
+End of script
diff --git a/test/stdout/2132.openssl_1_1_1 b/test/stdout/2132.openssl_1_1_1
new file mode 100644 (file)
index 0000000..179a9ef
--- /dev/null
@@ -0,0 +1,167 @@
+### Should accept message
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaX-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Should accept message (with a difficult env-from)
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<"name with spaces"@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaY-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### client cert verify required; none given
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required
+TLS terminated
+>>> noop
+??? 554
+<<< 554 Security failure
+End of script
+### client cert verify required; good one supplied
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message from a verified host.
+>>> .
+??? 250
+<<< 250 OK id=10HmaZ-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+
+**** SMTP testing session as if from host 10.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+503 STARTTLS command used when not advertised\r
+221 myhost.test.ex closing connection\r
+
+******** SERVER ********
+### Should accept message
+### Should accept message (with a difficult env-from)
+### client cert verify required; none given
+### client cert verify required; good one supplied