From: Jeremy Harris Date: Wed, 1 Dec 2021 18:52:21 +0000 (+0000) Subject: OpenSSL: tidy DH and ECDH param setup X-Git-Tag: exim-4.96-RC0~117 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/c6a290f4d8df3734b3cdc2232b4334ff8386c1da OpenSSL: tidy DH and ECDH param setup Testsuite: expand DH testcase --- diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 692636498..4bc92bd05 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -549,18 +549,18 @@ EVP_add_digest(EVP_sha256()); *************************************************/ /* If dhparam is set, expand it, and load up the parameters for DH encryption. +Server only. Arguments: sctx The current SSL CTX (inbound or outbound) dhparam DH parameter file or fixed parameter identity string - host connected host, if client; NULL if server errstr error string pointer Returns: TRUE if OK (nothing to set up, or setup worked) */ static BOOL -init_dh(SSL_CTX * sctx, uschar * dhparam, const host_item * host, uschar ** errstr) +init_dh(SSL_CTX * sctx, uschar * dhparam, uschar ** errstr) { BIO * bio; #if OPENSSL_VERSION_NUMBER < 0x30000000L @@ -582,7 +582,7 @@ else if (dhexpanded[0] == '/') if (!(bio = BIO_new_file(CS dhexpanded, "r"))) { tls_error(string_sprintf("could not read dhparams file %s", dhexpanded), - host, US strerror(errno), errstr); + NULL, US strerror(errno), errstr); return FALSE; } } @@ -597,7 +597,7 @@ else if (!(pem = std_dh_prime_named(dhexpanded))) { tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded), - host, US strerror(errno), errstr); + NULL, US strerror(errno), errstr); return FALSE; } bio = BIO_new_mem_buf(CS pem, -1); @@ -613,7 +613,7 @@ if (!( { BIO_free(bio); tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded), - host, NULL, errstr); + NULL, NULL, errstr); return FALSE; } @@ -636,7 +636,7 @@ dh_bitsize = EVP_PKEY_get_bits(pkey); /* Even if it is larger, we silently return success rather than cause things to fail out, so that a too-large DH will not knock out all TLS; it's a debatable -choice. */ +choice. Likewise for a failing attempt to set one. */ if (dh_bitsize <= tls_dh_max_bits) { @@ -646,28 +646,29 @@ if (dh_bitsize <= tls_dh_max_bits) #else SSL_CTX_set0_tmp_dh_pkey(sctx, pkey) #endif - == 0) + == 0) { - DEBUG(D_tls) debug_printf("failed to set D-H parameters\n"); -#if OPENSSL_VERSION_NUMBER < 0x30000000L - DH_free(dh); -#else - EVP_PKEY_free(pkey); + ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring)); + log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (D-H param setting '%s'): %s", + dhexpanded ? dhexpanded : US"default", ssl_errstring); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + /* EVP_PKEY_free(pkey); crashes */ #endif - return FALSE; } - DEBUG(D_tls) - debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n", - dhexpanded ? dhexpanded : US"default", dh_bitsize); + else + DEBUG(D_tls) + debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n", + dhexpanded ? dhexpanded : US"default", dh_bitsize); } else DEBUG(D_tls) - debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n", - dh_bitsize, tls_dh_max_bits); + debug_printf("dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n", + dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits); #if OPENSSL_VERSION_NUMBER < 0x30000000L DH_free(dh); #endif +/* The EVP_PKEY ownership stays with the ctx; do not free it */ BIO_free(bio); return TRUE; @@ -680,7 +681,7 @@ return TRUE; * Initialize for ECDH * *************************************************/ -/* Load parameters for ECDH encryption. +/* Load parameters for ECDH encryption. Server only. For now, we stick to NIST P-256 because: it's simple and easy to configure; it avoids any patent issues that might bite redistributors; despite events in @@ -698,14 +699,13 @@ Patches welcome. Arguments: sctx The current SSL CTX (inbound or outbound) - host connected host, if client; NULL if server errstr error string pointer Returns: TRUE if OK (nothing to set up, or setup worked) */ static BOOL -init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr) +init_ecdh(SSL_CTX * sctx, uschar ** errstr) { #ifdef OPENSSL_NO_ECDH return TRUE; @@ -715,9 +715,6 @@ uschar * exp_curve; int nid; BOOL rv; -if (host) /* No ECDH setup for clients, only for servers */ - return TRUE; - # ifndef EXIM_HAVE_ECDH DEBUG(D_tls) debug_printf("No OpenSSL API to define ECDH parameters, skipping\n"); @@ -764,7 +761,7 @@ if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef ) { tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve), - host, NULL, errstr); + NULL, NULL, errstr); return FALSE; } @@ -773,7 +770,7 @@ if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef EC_KEY * ecdh; if (!(ecdh = EC_KEY_new_by_curve_name(nid))) { - tls_error(US"Unable to create ec curve", host, NULL, errstr); + tls_error(US"Unable to create ec curve", NULL, NULL, errstr); return FALSE; } @@ -781,7 +778,7 @@ if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef not to the stability of the interface. */ if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0)) - tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr); + tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr); else DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve); EC_KEY_free(ecdh); @@ -790,7 +787,7 @@ if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef #else /* v 3.0.0 + */ if ((rv = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0) - tls_error(string_sprintf("Error enabling '%s' group", exp_curve), host, NULL, errstr); + tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL, NULL, errstr); else DEBUG(D_tls) debug_printf("ECDH: enabled '%s' group\n", exp_curve); @@ -1704,15 +1701,19 @@ state_server.lib_state.lib_ctx = ctx; if (opt_unset_or_noexpand(tls_dhparam)) { DEBUG(D_tls) debug_printf("TLS: preloading DH params for server\n"); - if (init_dh(ctx, tls_dhparam, NULL, &dummy_errstr)) + if (init_dh(ctx, tls_dhparam, &dummy_errstr)) state_server.lib_state.dh = TRUE; } +else + DEBUG(D_tls) debug_printf("TLS: not preloading DH params for server\n"); if (opt_unset_or_noexpand(tls_eccurve)) { DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve for server\n"); - if (init_ecdh(ctx, NULL, &dummy_errstr)) + if (init_ecdh(ctx, &dummy_errstr)) state_server.lib_state.ecdh = TRUE; } +else + DEBUG(D_tls) debug_printf("TLS: not preloading ECDH curve for server\n"); #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT) /* If we can, preload the server-side cert, key and ocsp */ @@ -1824,19 +1825,6 @@ ob->tls_preload.lib_ctx = ctx; tpt_dummy_state.lib_state = ob->tls_preload; -if (opt_unset_or_noexpand(tls_dhparam)) - { - DEBUG(D_tls) debug_printf("TLS: preloading DH params for transport '%s'\n", t->name); - if (init_dh(ctx, tls_dhparam, NULL, &dummy_errstr)) - ob->tls_preload.dh = TRUE; - } -if (opt_unset_or_noexpand(tls_eccurve)) - { - DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve for transport '%s'\n", t->name); - if (init_ecdh(ctx, NULL, &dummy_errstr)) - ob->tls_preload.ecdh = TRUE; - } - #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT) if ( opt_set_and_noexpand(ob->tls_certificate) && opt_unset_or_noexpand(ob->tls_privatekey)) @@ -2146,8 +2134,8 @@ already exists. Might even need this selfsame callback, for reneg? */ SSL_CTX_set_tlsext_servername_arg(server_sni, state); } -if ( !init_dh(server_sni, state->dhparam, NULL, &dummy_errstr) - || !init_ecdh(server_sni, NULL, &dummy_errstr) +if ( !init_dh(server_sni, state->dhparam, &dummy_errstr) + || !init_ecdh(server_sni, &dummy_errstr) ) goto bad; @@ -2652,15 +2640,18 @@ will never be used because we use a new context every time. */ /* Initialize with DH parameters if supplied */ /* Initialize ECDH temp key parameter selection */ -if (state->lib_state.dh) - { DEBUG(D_tls) debug_printf("TLS: DH params were preloaded\n"); } -else - if (!init_dh(ctx, state->dhparam, host, errstr)) return DEFER; +if (!host) + { + if (state->lib_state.dh) + { DEBUG(D_tls) debug_printf("TLS: DH params were preloaded\n"); } + else + if (!init_dh(ctx, state->dhparam, errstr)) return DEFER; -if (state->lib_state.ecdh) - { DEBUG(D_tls) debug_printf("TLS: ECDH curve was preloaded\n"); } -else - if (!init_ecdh(ctx, host, errstr)) return DEFER; + if (state->lib_state.ecdh) + { DEBUG(D_tls) debug_printf("TLS: ECDH curve was preloaded\n"); } + else + if (!init_ecdh(ctx, errstr)) return DEFER; + } /* Set up certificate and key (and perhaps OCSP info) */ diff --git a/test/aux-fixed/dh1 b/test/aux-fixed/dh1 deleted file mode 100644 index 19790719c..000000000 --- a/test/aux-fixed/dh1 +++ /dev/null @@ -1,4 +0,0 @@ ------BEGIN DH PARAMETERS----- -MEYCQQDvm7YRO1eI8/KvUDLgSUYCXJD4wbcrK1W4LN943KQa3jquluhNuJhYIgzY -yq1N9SdKxoz3aOctoib4Mq6If0HbAgEC ------END DH PARAMETERS----- diff --git a/test/aux-fixed/dh2048 b/test/aux-fixed/dh2048 new file mode 100644 index 000000000..24260bf84 --- /dev/null +++ b/test/aux-fixed/dh2048 @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICB/8= +-----END DH PARAMETERS----- diff --git a/test/aux-fixed/dh3072 b/test/aux-fixed/dh3072 new file mode 100644 index 000000000..4949d336a --- /dev/null +++ b/test/aux-fixed/dh3072 @@ -0,0 +1,11 @@ +-----BEGIN DH PARAMETERS----- +MIIBjAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu +N///////////AgECAgIL/w== +-----END DH PARAMETERS----- diff --git a/test/aux-fixed/dh512 b/test/aux-fixed/dh512 new file mode 100644 index 000000000..19790719c --- /dev/null +++ b/test/aux-fixed/dh512 @@ -0,0 +1,4 @@ +-----BEGIN DH PARAMETERS----- +MEYCQQDvm7YRO1eI8/KvUDLgSUYCXJD4wbcrK1W4LN943KQa3jquluhNuJhYIgzY +yq1N9SdKxoz3aOctoib4Mq6If0HbAgEC +-----END DH PARAMETERS----- diff --git a/test/confs/2149 b/test/confs/2149 index dda9094a9..d70cd5c63 100644 --- a/test/confs/2149 +++ b/test/confs/2149 @@ -10,12 +10,9 @@ primary_hostname = myhost.test.ex acl_smtp_rcpt = accept -queue_only -queue_run_in_order - tls_advertise_hosts = * tls_certificate = DIR/aux-fixed/cert1 -tls_dhparam = ${if eq {SERVER}{server}{DIR/aux-fixed/dh1}fail} +tls_dhparam = ${if eq {SERVER}{server}{DATA}fail} # ----- Routers ----- diff --git a/test/log/2149 b/test/log/2149 index 234fbcc8e..4b7e651b0 100644 --- a/test/log/2149 +++ b/test/log/2149 @@ -1,13 +1,31 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => userw@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbD-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaY-0005vi-00 => userx R=server T=local_delivery +1999-03-02 09:44:33 10HmaY-0005vi-00 => userw R=server T=local_delivery 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 => userx R=server T=local_delivery +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 TLS error (D-H param setting 'TESTSUITE/aux-fixed/dh512'): error:xxxxxxxx:SSL routines::dh key too small +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 => usery R=server T=local_delivery +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 => userz R=server T=local_delivery +1999-03-02 09:44:33 10HmbE-0005vi-00 Completed diff --git a/test/mail/2149.userw b/test/mail/2149.userw new file mode 100644 index 000000000..5e571319d --- /dev/null +++ b/test/mail/2149.userw @@ -0,0 +1,20 @@ +From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999 +Received: from localhost ([127.0.0.1] helo=myhost.test.ex) + by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx) + (Exim x.yz) + (envelope-from ) + id 10HmaY-0005vi-00 + for userw@test.ex; + Tue, 2 Mar 1999 09:44:33 +0000 +Received: from CALLER by myhost.test.ex with local (Exim x.yz) + (envelope-from ) + id 10HmaX-0005vi-00 + for userw@test.ex; + Tue, 2 Mar 1999 09:44:33 +0000 +Message-Id: +From: CALLER_NAME +Date: Tue, 2 Mar 1999 09:44:33 +0000 +TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn= + +Test message + diff --git a/test/mail/2149.userx b/test/mail/2149.userx index 72c9a3f6f..fa117a23e 100644 --- a/test/mail/2149.userx +++ b/test/mail/2149.userx @@ -3,15 +3,15 @@ Received: from localhost ([127.0.0.1] helo=myhost.test.ex) by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx) (Exim x.yz) (envelope-from ) - id 10HmaY-0005vi-00 + id 10HmbA-0005vi-00 for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 Received: from CALLER by myhost.test.ex with local (Exim x.yz) (envelope-from ) - id 10HmaX-0005vi-00 + id 10HmaZ-0005vi-00 for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 -Message-Id: +Message-Id: From: CALLER_NAME Date: Tue, 2 Mar 1999 09:44:33 +0000 TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn= diff --git a/test/mail/2149.usery b/test/mail/2149.usery new file mode 100644 index 000000000..1cf700b26 --- /dev/null +++ b/test/mail/2149.usery @@ -0,0 +1,20 @@ +From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999 +Received: from localhost ([127.0.0.1] helo=myhost.test.ex) + by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx) + (Exim x.yz) + (envelope-from ) + id 10HmbC-0005vi-00 + for usery@test.ex; + Tue, 2 Mar 1999 09:44:33 +0000 +Received: from CALLER by myhost.test.ex with local (Exim x.yz) + (envelope-from ) + id 10HmbB-0005vi-00 + for usery@test.ex; + Tue, 2 Mar 1999 09:44:33 +0000 +Message-Id: +From: CALLER_NAME +Date: Tue, 2 Mar 1999 09:44:33 +0000 +TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn= + +Test message + diff --git a/test/mail/2149.userz b/test/mail/2149.userz new file mode 100644 index 000000000..a09b0f05d --- /dev/null +++ b/test/mail/2149.userz @@ -0,0 +1,20 @@ +From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999 +Received: from localhost ([127.0.0.1] helo=myhost.test.ex) + by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx) + (Exim x.yz) + (envelope-from ) + id 10HmbE-0005vi-00 + for userz@test.ex; + Tue, 2 Mar 1999 09:44:33 +0000 +Received: from CALLER by myhost.test.ex with local (Exim x.yz) + (envelope-from ) + id 10HmbD-0005vi-00 + for userz@test.ex; + Tue, 2 Mar 1999 09:44:33 +0000 +Message-Id: +From: CALLER_NAME +Date: Tue, 2 Mar 1999 09:44:33 +0000 +TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn= + +Test message + diff --git a/test/paniclog/2149 b/test/paniclog/2149 new file mode 100644 index 000000000..2221cd458 --- /dev/null +++ b/test/paniclog/2149 @@ -0,0 +1,3 @@ + +******** SERVER ******** +1999-03-02 09:44:33 TLS error (D-H param setting 'TESTSUITE/aux-fixed/dh512'): error:xxxxxxxx:SSL routines::dh key too small diff --git a/test/runtest b/test/runtest index f595634e9..0f883e8fc 100755 --- a/test/runtest +++ b/test/runtest @@ -908,6 +908,9 @@ RESET_AFTER_EXTRA_LINE_READ: s/(TLS error on connection from .* \(SSL_\w+\): error:)(.*)/$1 <>/; next if /SSL verify error: depth=0 error=certificate not trusted/; + # OpenSSL 3.0.0 + s/TLS error \(D-H param setting .* error:\K.*dh key too small/xxxxxxxx:SSL routines::dh key too small/; + # ======== Maildir things ======== # timestamp output in maildir processing s/(timestamp=|\(timestamp_only\): )\d+/$1ddddddd/g; diff --git a/test/scripts/2100-OpenSSL/2149 b/test/scripts/2100-OpenSSL/2149 index bba059158..4435fca19 100644 --- a/test/scripts/2100-OpenSSL/2149 +++ b/test/scripts/2100-OpenSSL/2149 @@ -1,11 +1,33 @@ # TLS: DH ciphers for OpenSSL -exim -DSERVER=server -bd -oX PORT_D +# +# DH param from file +exim -DSERVER=server -DDATA=DIR/aux-fixed/dh2048 -bd -oX PORT_D **** -exim userx@test.ex +exim -odf userw@test.ex Test message **** -exim -qf +killdaemon +# +# Too-big DH param (vs. tls_dh_max_bits), from file +exim -DSERVER=server -DDATA=DIR/aux-fixed/dh3072 -bd -oX PORT_D +**** +exim -odf userx@test.ex +Test message +**** +killdaemon +# +# Too-small DH param (library limitation), from file +exim -DSERVER=server -DDATA=DIR/aux-fixed/dh512 -bd -oX PORT_D +**** +exim -odf usery@test.ex +Test message **** killdaemon -exim -DSERVER=server -DNOTDAEMON -qf +# +# Named DH-param +exim -DSERVER=server -DDATA=ffdhe2048 -bd -oX PORT_D **** +exim -odf userz@test.ex +Test message +**** +killdaemon diff --git a/test/stderr/2149 b/test/stderr/2149 new file mode 100644 index 000000000..2221cd458 --- /dev/null +++ b/test/stderr/2149 @@ -0,0 +1,3 @@ + +******** SERVER ******** +1999-03-02 09:44:33 TLS error (D-H param setting 'TESTSUITE/aux-fixed/dh512'): error:xxxxxxxx:SSL routines::dh key too small