From: Jeremy Harris Date: Tue, 27 Aug 2019 16:24:23 +0000 (+0100) Subject: GnuTLS: Move to more-modern stapling API X-Git-Tag: exim-4.93-RC0~58 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/e54893330b92ed765b6872a1c47ba61d5e20ff7c GnuTLS: Move to more-modern stapling API --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index f7e930c08..e4dfb98f9 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17820,6 +17820,7 @@ For GnuTLS 3.5.6 or later the expanded value of this option can be a list of files, to match a list given for the &%tls_certificate%& option. The ordering of the two lists must match. +The file(s) should be in DER format .option tls_on_connect_ports main "string list" unset .cindex SSMTP diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index bbc75b680..a45dd65e9 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -225,6 +225,7 @@ static BOOL exim_gnutls_base_init_done = FALSE; #ifndef DISABLE_OCSP static BOOL gnutls_buggy_ocsp = FALSE; +static BOOL exim_testharness_disable_ocsp_validity_check = FALSE; #endif #ifdef EXPERIMENTAL_TLS_RESUME @@ -287,11 +288,16 @@ static void exim_gnutls_logger_cb(int level, const char *message); static int exim_sni_handling_cb(gnutls_session_t session); -#ifndef DISABLE_OCSP +#if !defined(DISABLE_OCSP) static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, gnutls_datum_t * ocsp_response); #endif +#ifdef EXPERIMENTAL_TLS_RESUME +static int +tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when, + unsigned incoming, const gnutls_datum_t * msg); +#endif /* Daemon one-time initialisation */ @@ -858,6 +864,9 @@ static int tls_add_certfile(exim_gnutls_state_st * state, const host_item * host, uschar * certfile, uschar * keyfile, uschar ** errstr) { +/*XXX returns certs index for gnutls_certificate_set_x509_key_file(), +given suitable flags set */ + int rc = gnutls_certificate_set_x509_key_file(state->x509_cred, CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM); if (rc < 0) @@ -868,6 +877,78 @@ return -rc; } +/* Make a note that we saw a status-request */ +static int +tls_server_clienthello_ext(void * ctx, unsigned tls_id, + const unsigned char *data, unsigned size) +{ +/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */ +if (tls_id == 5) /* status_request */ + { + DEBUG(D_tls) debug_printf("Seen status_request extension\n"); + tls_in.ocsp = OCSP_NOT_RESP; + } +return 0; +} + +/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */ +static int +tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype, + unsigned when, unsigned int incoming, const gnutls_datum_t * msg) +{ +/* Call fn for each extension seen. 3.6.3 onwards */ +return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg, + GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO); +} + +/* Callback for certificate-status, on server. We sent stapled OCSP. */ +static int +tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype, + unsigned when, unsigned int incoming, const gnutls_datum_t * msg) +{ +DEBUG(D_tls) debug_printf("Sending certificate-status\n"); +#ifdef SUPPORT_SRV_OCSP_STACK +tls_in.ocsp = exim_testharness_disable_ocsp_validity_check + ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */ +#else +tls_in.ocsp = OCSP_VFY_NOT_TRIED; +#endif +return 0; +} + +/* Callback for handshake messages, on server */ +static int +tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when, + unsigned incoming, const gnutls_datum_t * msg) +{ +switch (htype) + { + case GNUTLS_HANDSHAKE_CLIENT_HELLO: + return tls_server_clienthello_cb(sess, htype, when, incoming, msg); + case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS: + return tls_server_certstatus_cb(sess, htype, when, incoming, msg); +#ifdef EXPERIMENTAL_TLS_RESUME + case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: + return tls_server_ticket_cb(sess, htype, when, incoming, msg); +#endif + default: + return 0; + } +} + + +static void +tls_server_testharness_ocsp_fiddle(void) +{ +extern char ** environ; +if (environ) for (uschar ** p = USS environ; *p; p++) + if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0) + { + DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n"); + exim_testharness_disable_ocsp_validity_check = TRUE; + } +} + /************************************************* * Variables re-expanded post-SNI * *************************************************/ @@ -1002,12 +1083,13 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate) else { int gnutls_cert_index = -rc; - DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile); + DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n", gnutls_cert_index, cfile); /* Set the OCSP stapling server info */ #ifndef DISABLE_OCSP if (tls_ocsp_file) + { if (gnutls_buggy_ocsp) { DEBUG(D_tls) @@ -1015,37 +1097,45 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate) } else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0))) { - /* Use the full callback method for stapling just to get - observability. More efficient would be to read the file once only, - if it never changed (due to SNI). Would need restart on file update, - or watch datestamp. */ + DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile); # ifdef SUPPORT_SRV_OCSP_STACK - if ((rc = gnutls_certificate_set_ocsp_status_request_function2( - state->x509_cred, gnutls_cert_index, - server_ocsp_stapling_cb, ofile))) - return tls_error_gnu( - US"gnutls_certificate_set_ocsp_status_request_function2", - rc, host, errstr); -# else - if (cnt++ > 0) + if (f.running_in_test_harness) tls_server_testharness_ocsp_fiddle(); + + if (!exim_testharness_disable_ocsp_validity_check) { - DEBUG(D_tls) - debug_printf("oops; multiple OCSP files not supported\n"); - break; + if ((rc = gnutls_certificate_set_ocsp_status_request_file2( + state->x509_cred, CCS ofile, gnutls_cert_index, + GNUTLS_X509_FMT_DER)) < 0) + return tls_error_gnu( + US"gnutls_certificate_set_ocsp_status_request_file2", + rc, host, errstr); + + /* Arrange callbacks for OCSP request observability */ + + gnutls_handshake_set_hook_function(state->session, + GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb); } - gnutls_certificate_set_ocsp_status_request_function( - state->x509_cred, server_ocsp_stapling_cb, ofile); + else # endif - - DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile); + { + if (cnt++ > 0) + { + DEBUG(D_tls) + debug_printf("oops; multiple OCSP files not supported\n"); + break; + } + gnutls_certificate_set_ocsp_status_request_function( + state->x509_cred, server_ocsp_stapling_cb, ofile); + } } else DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n"); #endif + } } } - else + else /* client */ { if (0 < (rc = tls_add_certfile(state, host, state->exp_tls_certificate, state->exp_tls_privatekey, errstr))) @@ -1983,7 +2073,7 @@ return 0; -#ifndef DISABLE_OCSP +#if !defined(DISABLE_OCSP) static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, @@ -2133,7 +2223,7 @@ if (verify_check_host(&tls_resumption_hosts) == OK) /* Try to tell if we see a ticket request */ gnutls_handshake_set_hook_function(state->session, - GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_server_ticket_cb); + GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb); } } diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 541c45a94..dc8729106 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1312,7 +1312,8 @@ if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX } supply_response: - cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/ + /*XXX stack? (these tag points are for multiple leaf-cert support for ocsp */ + cbinfo->u_ocsp.server.response = resp; return; bad: diff --git a/test/confs/5651 b/test/confs/5651 index 5803c3ce9..01fa45524 100644 --- a/test/confs/5651 +++ b/test/confs/5651 @@ -3,10 +3,21 @@ SERVER = -.include DIR/aux-var/tls_conf_prefix - +exim_path = EXIM_PATH +keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$ +host_lookup_order = bydns +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME +chunking_advertise_hosts = primary_hostname = server1.example.com +.ifdef _HAVE_DMARC +dmarc_tld_file = +.endif + + # ----- Main settings ----- domainlist local_domains = test.ex : *.test.ex diff --git a/test/confs/5653 b/test/confs/5653 new file mode 100644 index 000000000..5b29f5b68 --- /dev/null +++ b/test/confs/5653 @@ -0,0 +1,84 @@ +# Exim test configuration 5652 +# OCSP stapling, server, multiple certs + +.include DIR/aux-var/tls_conf_prefix + +primary_hostname = server1.example.com + +# ----- Main settings ----- + +acl_smtp_mail = check_mail +acl_smtp_rcpt = check_recipient + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +CADIR = DIR/aux-fixed/exim-ca +DRSA = CADIR/example.com +DECDSA = CADIR/example_ec.com + +tls_certificate = DRSA/server1.example.com/server1.example.com.pem \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.pem +tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key +tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp + + +tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0 + +# ------ ACL ------ + +begin acl + +check_mail: + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +check_recipient: + accept + + +# ----- Routers ----- + +begin routers + +client: + driver = manualroute + condition = ${if !eq {SERVER}{server}} + route_list = * 127.0.0.1 + self = send + transport = remote_delivery + errors_to = "" + +srvr: + driver = accept + retry_use_local_part + transport = local_delivery + + +# ----- Transports ----- + +begin transports + +remote_delivery: + driver = smtp + port = PORT_D + hosts_require_tls = * + tls_require_ciphers = OPT + hosts_require_ocsp = * + tls_verify_certificates = CERT + tls_verify_cert_hostnames = : + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# End diff --git a/test/confs/5730 b/test/confs/5730 index 625decec7..2b32008d4 100644 --- a/test/confs/5730 +++ b/test/confs/5730 @@ -3,9 +3,20 @@ SERVER = -.include DIR/aux-var/tls_conf_prefix +exim_path = EXIM_PATH +keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$ +host_lookup_order = bydns +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME +chunking_advertise_hosts = primary_hostname = server1.example.com + +.ifdef _HAVE_DMARC +dmarc_tld_file = +.endif # ----- Main settings ----- diff --git a/test/log/5650 b/test/log/5650 index 75428e24f..7f46ba122 100644 --- a/test/log/5650 +++ b/test/log/5650 @@ -6,12 +6,12 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) -1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone) +1999-03-02 09:44:33 acl_mail: ocsp in status: 1 (notresp) 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) -1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated. +1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_certificate_set_ocsp_status_request_file2): The session or certificate has expired. 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) -1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated. +1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_certificate_set_ocsp_status_request_file2): The session or certificate has expired. 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) diff --git a/test/log/5652 b/test/log/5652 index 48034447f..cf31aa340 100644 --- a/test/log/5652 +++ b/test/log/5652 @@ -9,8 +9,8 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone) +1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified) 1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone) +1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified) 1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com diff --git a/test/log/5653 b/test/log/5653 new file mode 100644 index 000000000..82d2e7aeb --- /dev/null +++ b/test/log/5653 @@ -0,0 +1,9 @@ +1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified) +1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com diff --git a/test/log/5890 b/test/log/5890 index 324e5a4a7..5ffb9ccf7 100644 --- a/test/log/5890 +++ b/test/log/5890 @@ -180,7 +180,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 2 +1999-03-02 09:44:33 ocsp 4 1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for getticket@test.ex @@ -191,7 +191,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 0 +1999-03-02 09:44:33 ocsp 1 1999-03-02 09:44:33 cipher TLS1.x:ke--AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for resume@test.ex xyz@test.ex @@ -203,7 +203,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 2 +1999-03-02 09:44:33 ocsp 4 1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex @@ -214,7 +214,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 0 +1999-03-02 09:44:33 ocsp 1 1999-03-02 09:44:33 cipher TLS1.x:ke--AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbC-0005vi-00@myhost.test.ex for renewal@test.ex @@ -225,7 +225,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 0 +1999-03-02 09:44:33 ocsp 1 1999-03-02 09:44:33 cipher TLS1.x:ke--AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbE-0005vi-00@myhost.test.ex for postrenewal@test.ex @@ -236,7 +236,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 2 +1999-03-02 09:44:33 ocsp 4 1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbG-0005vi-00@myhost.test.ex for timeout@test.ex @@ -247,7 +247,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 2 +1999-03-02 09:44:33 ocsp 4 1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbI-0005vi-00@myhost.test.ex for notreq@test.ex @@ -258,7 +258,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 2 +1999-03-02 09:44:33 ocsp 4 1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbK-0005vi-00@myhost.test.ex for noverify_getticket@test.ex @@ -269,7 +269,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 0 +1999-03-02 09:44:33 ocsp 1 1999-03-02 09:44:33 cipher TLS1.x:ke--AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbN-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for noverify_resume@test.ex @@ -281,7 +281,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 2 +1999-03-02 09:44:33 ocsp 1 1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbP-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbO-0005vi-00@myhost.test.ex for getticket@test.ex @@ -292,7 +292,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 0 +1999-03-02 09:44:33 ocsp 1 1999-03-02 09:44:33 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbR-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for resume@test.ex xyz@test.ex @@ -304,7 +304,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 2 +1999-03-02 09:44:33 ocsp 1 1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for abcd@test.ex @@ -315,7 +315,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 0 +1999-03-02 09:44:33 ocsp 1 1999-03-02 09:44:33 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbU-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbT-0005vi-00@myhost.test.ex for renewal@test.ex @@ -326,7 +326,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 0 +1999-03-02 09:44:33 ocsp 1 1999-03-02 09:44:33 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbW-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbV-0005vi-00@myhost.test.ex for postrenewal@test.ex @@ -337,7 +337,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 2 +1999-03-02 09:44:33 ocsp 1 1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmbY-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbX-0005vi-00@myhost.test.ex for timeout@test.ex @@ -348,7 +348,7 @@ 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 1999-03-02 09:44:33 peer dn -1999-03-02 09:44:33 ocsp 2 +1999-03-02 09:44:33 ocsp 1 1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 bits 256 1999-03-02 09:44:33 10HmcA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for notreq@test.ex diff --git a/test/scripts/5650-OCSP-GnuTLS/5650 b/test/scripts/5650-OCSP-GnuTLS/5650 index 78c0afd61..99aaa0b7a 100644 --- a/test/scripts/5650-OCSP-GnuTLS/5650 +++ b/test/scripts/5650-OCSP-GnuTLS/5650 @@ -38,8 +38,6 @@ exim -z '2: Server does not staple an outdated response' exim -bd -oX PORT_D -DSERVER=server \ -DOPTION=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp **** -# XXX test sequence might not be quite right; this is for a server refusal -# and we're expecting a client refusal. client-gnutls -ocsp aux-fixed/exim-ca/expired1.example.com/CA.pem HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2 ??? 220 ehlo rhu.barb @@ -50,7 +48,7 @@ ehlo rhu.barb ??? 250- ??? 250 starttls -??? 220 +??? 454 **** killdaemon # @@ -76,7 +74,7 @@ ehlo rhu.barb ??? 250- ??? 250 starttls -??? 220 +??? 454 **** killdaemon # diff --git a/test/scripts/5650-OCSP-GnuTLS/5652 b/test/scripts/5650-OCSP-GnuTLS/5652 index 4a33ea862..9130f65e6 100644 --- a/test/scripts/5650-OCSP-GnuTLS/5652 +++ b/test/scripts/5650-OCSP-GnuTLS/5652 @@ -1,4 +1,4 @@ -# OCSP stapling, server, multiple certs +# OCSP stapling, server, multiple leaf certs # # # diff --git a/test/scripts/5650-OCSP-GnuTLS/5653 b/test/scripts/5650-OCSP-GnuTLS/5653 new file mode 100644 index 000000000..55cea8b31 --- /dev/null +++ b/test/scripts/5650-OCSP-GnuTLS/5653 @@ -0,0 +1,23 @@ +# OCSP stapling, server, multiple chain-element OCSP +# +# +# +exim -z '1: Server sends good staple on request, to client requiring RSA auth' +**** +# +exim -d+all -bd -oX PORT_D -DSERVER=server +**** +exim -odf \ + -DOPT=NONE:+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 \ + -DCERT=DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \ + rsa.auth@test.ex +Subject: test + +. +**** +killdaemon +# +# +# +# +no_msglog_check diff --git a/test/stdout/5650 b/test/stdout/5650 index 7b5628c6a..8a72c0f6f 100644 --- a/test/stdout/5650 +++ b/test/stdout/5650 @@ -49,10 +49,9 @@ Key file = aux-fixed/cert2 ??? 250 <<< 250 HELP >>> starttls -??? 220 -<<< 220 TLS go ahead -Attempting to start TLS -Bad certificate +??? 454 +<<< 454 TLS currently unavailable +Abandoning TLS start attempt End of script Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected Certificate file = aux-fixed/cert2 @@ -73,10 +72,9 @@ Key file = aux-fixed/cert2 ??? 250 <<< 250 HELP >>> starttls -??? 220 -<<< 220 TLS go ahead -Attempting to start TLS -Bad certificate +??? 454 +<<< 454 TLS currently unavailable +Abandoning TLS start attempt End of script Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected Certificate file = aux-fixed/cert2