From: Jeremy Harris Date: Mon, 27 Dec 2021 15:15:42 +0000 (+0000) Subject: TLS: Deprecate RFC 5114 DH params. Bug 1895 X-Git-Tag: exim-4.96-RC0~110 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/ea98874e2a6a5aee2d512f3246f7d3c19c2ec63d TLS: Deprecate RFC 5114 DH params. Bug 1895 --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index b20d82311..00f0dac02 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -18481,8 +18481,17 @@ of the later IKE values, which led into RFC7919 providing new fixed constants (the "ffdhe" identifiers). At this point, all of the "ike" values should be considered obsolete; -they're still in Exim to avoid breaking unusual configurations, but are +they are still in Exim to avoid breaking unusual configurations, but are candidates for removal the next time we have backwards-incompatible changes. +.new +Two of them in particular (&`ike1`& and &`ike22`&) are called out by RFC 8247 +as MUST NOT use for IPSEC, and two more (&`ike23`& and &`ike24`&) as +SHOULD NOT. +Because of this, Exim regards them as deprecated; if either of the first pair +are used, warnings will be logged in the paniclog, and if any are used then +warnings will be logged in the mainlog. +All four will be removed in a future Exim release. +.wen The TLS protocol does not negotiate an acceptable size for this; clients tend to hard-drop connections if what is offered by the server is unacceptable, diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index b155e6b9d..e7c7085f8 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -63,6 +63,8 @@ JH/13 Bug 2845: Fix handling of tls_require_ciphers for OpenSSL when a value in 4.95 trapped when normalisation was applied to an option not needing expansion action. +JH/14 Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters. + Exim version 4.95 ----------------- diff --git a/src/src/std-crypto.c b/src/src/std-crypto.c index c56d26014..200fb7144 100644 --- a/src/src/std-crypto.c +++ b/src/src/std-crypto.c @@ -914,12 +914,11 @@ static const char dh_ffdhe8192_pem[] = /* ========================================================================= */ -/* - * Generated by Phil as a non-standard option. - * openssl dhparam -2 2048 - * No provenance to prove non-tampering available, beyond trusting that this - * developer generated this as stated above. - */ +/* Generated by Phil as a non-standard option. +openssl dhparam -2 2048 +No provenance to prove non-tampering available, beyond trusting that this +developer generated this as stated above. */ + /* MacOSX 10.10.5 invoking system OpenSSL 0.9.8zg */ static const char dh_exim_20160529_1[] = @@ -957,69 +956,75 @@ static const char dh_exim_20160529_3[] = /* ========================================================================= */ struct dh_constant { - const char *label; - const char *pem; + const char * label; + const char * pem; + int logging; }; #define EXIM_DH_PRIME_DEFAULT dh_exim_20160529_3 /* KEEP SORTED ALPHABETICALLY; - * duplicate PEM are okay, if we want aliases, but names must be alphabetical */ +duplicate PEM are okay, if we want aliases, but names must be alphabetical */ + static struct dh_constant dh_constants[] = { /* label pem */ - { "default", EXIM_DH_PRIME_DEFAULT }, - { "exim.dev.20160529.1", dh_exim_20160529_1 }, - { "exim.dev.20160529.2", dh_exim_20160529_2 }, - { "exim.dev.20160529.3", dh_exim_20160529_3 }, - { "ffdhe2048", dh_ffdhe2048_pem }, - { "ffdhe3072", dh_ffdhe3072_pem }, - { "ffdhe4096", dh_ffdhe4096_pem }, - { "ffdhe6144", dh_ffdhe6144_pem }, - { "ffdhe8192", dh_ffdhe8192_pem }, - { "ike1", dh_ike_1_pem }, - { "ike14", dh_ike_14_pem }, - { "ike15", dh_ike_15_pem }, - { "ike16", dh_ike_16_pem }, - { "ike17", dh_ike_17_pem }, - { "ike18", dh_ike_18_pem }, - { "ike2", dh_ike_2_pem }, - { "ike22", dh_ike_22_pem }, - { "ike23", dh_ike_23_pem }, - { "ike24", dh_ike_24_pem }, - { "ike5", dh_ike_5_pem }, + { "default", EXIM_DH_PRIME_DEFAULT, 0 }, + { "exim.dev.20160529.1", dh_exim_20160529_1, 0 }, + { "exim.dev.20160529.2", dh_exim_20160529_2, 0 }, + { "exim.dev.20160529.3", dh_exim_20160529_3, 0 }, + { "ffdhe2048", dh_ffdhe2048_pem, 0 }, + { "ffdhe3072", dh_ffdhe3072_pem, 0 }, + { "ffdhe4096", dh_ffdhe4096_pem, 0 }, + { "ffdhe6144", dh_ffdhe6144_pem, 0 }, + { "ffdhe8192", dh_ffdhe8192_pem, 0 }, + { "ike1", dh_ike_1_pem, LOG_MAIN | LOG_PANIC }, + { "ike14", dh_ike_14_pem, 0 }, + { "ike15", dh_ike_15_pem, 0 }, + { "ike16", dh_ike_16_pem, 0 }, + { "ike17", dh_ike_17_pem, 0 }, + { "ike18", dh_ike_18_pem, 0 }, + { "ike2", dh_ike_2_pem, LOG_MAIN }, + { "ike22", dh_ike_22_pem, LOG_MAIN | LOG_PANIC }, + { "ike23", dh_ike_23_pem, LOG_MAIN }, + { "ike24", dh_ike_24_pem, LOG_MAIN }, + { "ike5", dh_ike_5_pem, 0 }, }; -static const int dh_constants_count = - sizeof(dh_constants) / sizeof(struct dh_constant); +static const int dh_constants_count = nelem(dh_constants); /* A policy decision; in absence of any other data, use a 2048 bit prime, - * pick the first one from the latest RFC providing such. */ +pick the first one from the latest RFC providing such. */ + const char * std_dh_prime_default(void) { - return EXIM_DH_PRIME_DEFAULT; +return EXIM_DH_PRIME_DEFAULT; } +/* Return PEM string for given name */ + const char * -std_dh_prime_named(const uschar *name) +std_dh_prime_named(const uschar * name) { - int first, last; - char *search_name = CS string_copylc(US name); - - first = 0; - last = dh_constants_count; - while (last > first) { - int middle = (first + last)/2; - int c = strcmp(search_name, dh_constants[middle].label); - if (c == 0) - return dh_constants[middle].pem; - else if (c > 0) - first = middle + 1; - else - last = middle; +for (int first = 0, last = dh_constants_count; last > first; ) + { + int middle = (first + last)/2; + struct dh_constant * dp = &dh_constants[middle]; + int c = Ustrcmp(name, dp->label); + if (c == 0) + { + if (dp->logging) + log_write(0, dp->logging, + "WARNING: deprecated Diffie-Hellman parameter '%s' used", dp->label); + return dp->pem; + } + else if (c > 0) + first = middle + 1; + else + last = middle; } - return NULL; +return NULL; } #endif /*DISABLE_TLS*/ diff --git a/test/confs/2049 b/test/confs/2049 new file mode 100644 index 000000000..4b6bf9b39 --- /dev/null +++ b/test/confs/2049 @@ -0,0 +1,54 @@ +# Exim test configuration 2049 + +SERVER = + +.include DIR/aux-var/tls_conf_prefix + +primary_hostname = myhost.test.ex + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +tls_advertise_hosts = * +tls_certificate = DIR/aux-fixed/cert1 +tls_dhparam = ${if eq {SERVER}{server}{DATA}fail} + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = send_to_server + +server: + driver = accept + retry_use_local_part + transport = local_delivery + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + create_file = DIR/test-mail + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +send_to_server: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + hosts_try_fastopen = : + tls_verify_certificates = DIR/aux-fixed/cert1 + tls_verify_cert_hostnames = : + +# End diff --git a/test/log/2049 b/test/log/2049 new file mode 100644 index 000000000..90674743e --- /dev/null +++ b/test/log/2049 @@ -0,0 +1,39 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaX-0005vi-00 => userw@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbD-0005vi-00 => usera@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbF-0005vi-00 => userb@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00" +1999-03-02 09:44:33 10HmbF-0005vi-00 Completed + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 => userw R=server T=local_delivery +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 => userx R=server T=local_delivery +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 => userz R=server T=local_delivery +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike24' used +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 => usera R=server T=local_delivery +1999-03-02 09:44:33 10HmbE-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used +1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbG-0005vi-00 => userb R=server T=local_delivery +1999-03-02 09:44:33 10HmbG-0005vi-00 Completed diff --git a/test/log/2149 b/test/log/2149 index 4b7e651b0..ea1c7e454 100644 --- a/test/log/2149 +++ b/test/log/2149 @@ -10,6 +10,12 @@ 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbD-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00" 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbF-0005vi-00 => usera@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00" +1999-03-02 09:44:33 10HmbF-0005vi-00 Completed +1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbH-0005vi-00 => userb@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbI-0005vi-00" +1999-03-02 09:44:33 10HmbH-0005vi-00 Completed ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D @@ -29,3 +35,14 @@ 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex 1999-03-02 09:44:33 10HmbE-0005vi-00 => userz R=server T=local_delivery 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike24' used +1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbG-0005vi-00 => usera R=server T=local_delivery +1999-03-02 09:44:33 10HmbG-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used +1999-03-02 09:44:33 TLS error (D-H param setting 'ike22'): error:xxxxxxxx:SSL routines::dh key too small +1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbH-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbI-0005vi-00 => userb R=server T=local_delivery +1999-03-02 09:44:33 10HmbI-0005vi-00 Completed diff --git a/test/mail/2149.userw b/test/mail/2149.userw deleted file mode 100644 index 5e571319d..000000000 --- a/test/mail/2149.userw +++ /dev/null @@ -1,20 +0,0 @@ -From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999 -Received: from localhost ([127.0.0.1] helo=myhost.test.ex) - by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx) - (Exim x.yz) - (envelope-from ) - id 10HmaY-0005vi-00 - for userw@test.ex; - Tue, 2 Mar 1999 09:44:33 +0000 -Received: from CALLER by myhost.test.ex with local (Exim x.yz) - (envelope-from ) - id 10HmaX-0005vi-00 - for userw@test.ex; - Tue, 2 Mar 1999 09:44:33 +0000 -Message-Id: -From: CALLER_NAME -Date: Tue, 2 Mar 1999 09:44:33 +0000 -TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn= - -Test message - diff --git a/test/mail/2149.userx b/test/mail/2149.userx deleted file mode 100644 index fa117a23e..000000000 --- a/test/mail/2149.userx +++ /dev/null @@ -1,20 +0,0 @@ -From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999 -Received: from localhost ([127.0.0.1] helo=myhost.test.ex) - by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx) - (Exim x.yz) - (envelope-from ) - id 10HmbA-0005vi-00 - for userx@test.ex; - Tue, 2 Mar 1999 09:44:33 +0000 -Received: from CALLER by myhost.test.ex with local (Exim x.yz) - (envelope-from ) - id 10HmaZ-0005vi-00 - for userx@test.ex; - Tue, 2 Mar 1999 09:44:33 +0000 -Message-Id: -From: CALLER_NAME -Date: Tue, 2 Mar 1999 09:44:33 +0000 -TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn= - -Test message - diff --git a/test/mail/2149.usery b/test/mail/2149.usery deleted file mode 100644 index 1cf700b26..000000000 --- a/test/mail/2149.usery +++ /dev/null @@ -1,20 +0,0 @@ -From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999 -Received: from localhost ([127.0.0.1] helo=myhost.test.ex) - by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx) - (Exim x.yz) - (envelope-from ) - id 10HmbC-0005vi-00 - for usery@test.ex; - Tue, 2 Mar 1999 09:44:33 +0000 -Received: from CALLER by myhost.test.ex with local (Exim x.yz) - (envelope-from ) - id 10HmbB-0005vi-00 - for usery@test.ex; - Tue, 2 Mar 1999 09:44:33 +0000 -Message-Id: -From: CALLER_NAME -Date: Tue, 2 Mar 1999 09:44:33 +0000 -TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn= - -Test message - diff --git a/test/mail/2149.userz b/test/mail/2149.userz deleted file mode 100644 index a09b0f05d..000000000 --- a/test/mail/2149.userz +++ /dev/null @@ -1,20 +0,0 @@ -From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999 -Received: from localhost ([127.0.0.1] helo=myhost.test.ex) - by myhost.test.ex with esmtps (TLS1.x:ke-RSA-AES256-SHAnnn:xxx) - (Exim x.yz) - (envelope-from ) - id 10HmbE-0005vi-00 - for userz@test.ex; - Tue, 2 Mar 1999 09:44:33 +0000 -Received: from CALLER by myhost.test.ex with local (Exim x.yz) - (envelope-from ) - id 10HmbD-0005vi-00 - for userz@test.ex; - Tue, 2 Mar 1999 09:44:33 +0000 -Message-Id: -From: CALLER_NAME -Date: Tue, 2 Mar 1999 09:44:33 +0000 -TLS: cipher=TLS1.x:ke-RSA-AES256-SHAnnn:xxx peerdn= - -Test message - diff --git a/test/paniclog/2049 b/test/paniclog/2049 new file mode 100644 index 000000000..e08849638 --- /dev/null +++ b/test/paniclog/2049 @@ -0,0 +1,3 @@ + +******** SERVER ******** +1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used diff --git a/test/paniclog/2149 b/test/paniclog/2149 index 2221cd458..dff86ef7c 100644 --- a/test/paniclog/2149 +++ b/test/paniclog/2149 @@ -1,3 +1,5 @@ ******** SERVER ******** 1999-03-02 09:44:33 TLS error (D-H param setting 'TESTSUITE/aux-fixed/dh512'): error:xxxxxxxx:SSL routines::dh key too small +1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used +1999-03-02 09:44:33 TLS error (D-H param setting 'ike22'): error:xxxxxxxx:SSL routines::dh key too small diff --git a/test/scripts/2000-GnuTLS/2049 b/test/scripts/2000-GnuTLS/2049 new file mode 100644 index 000000000..e66d952ab --- /dev/null +++ b/test/scripts/2000-GnuTLS/2049 @@ -0,0 +1,43 @@ +# TLS: DH ciphers for GnuTLS +# +# DH param from file +exim -DSERVER=server -DDATA=DIR/aux-fixed/dh2048 -bd -oX PORT_D +**** +exim -odf userw@test.ex +Test message +**** +killdaemon +# +# Too-big DH param (vs. tls_dh_max_bits), from file +exim -DSERVER=server -DDATA=DIR/aux-fixed/dh3072 -bd -oX PORT_D +**** +exim -odf userx@test.ex +Test message +**** +killdaemon +# +# +# Named DH-param +exim -DSERVER=server -DDATA=ffdhe2048 -bd -oX PORT_D +**** +exim -odf userz@test.ex +Test message +**** +killdaemon +# +# Named DH-param, logged deprecation +exim -DSERVER=server -DDATA=ike24 -bd -oX PORT_D +**** +exim -odf usera@test.ex +Test message +**** +killdaemon +# +# Named DH-param, panic-logged deprecation +exim -DSERVER=server -DDATA=ike22 -bd -oX PORT_D +**** +exim -odf userb@test.ex +Test message +**** +killdaemon +no_message_check diff --git a/test/scripts/2100-OpenSSL/2149 b/test/scripts/2100-OpenSSL/2149 index 4435fca19..b8ff65560 100644 --- a/test/scripts/2100-OpenSSL/2149 +++ b/test/scripts/2100-OpenSSL/2149 @@ -31,3 +31,20 @@ exim -odf userz@test.ex Test message **** killdaemon +# +# Named DH-param, logged deprecation +exim -DSERVER=server -DDATA=ike24 -bd -oX PORT_D +**** +exim -odf usera@test.ex +Test message +**** +killdaemon +# +# Named DH-param, panic-logged deprecation +exim -DSERVER=server -DDATA=ike22 -bd -oX PORT_D +**** +exim -odf userb@test.ex +Test message +**** +killdaemon +no_message_check diff --git a/test/stderr/2049 b/test/stderr/2049 new file mode 100644 index 000000000..e08849638 --- /dev/null +++ b/test/stderr/2049 @@ -0,0 +1,3 @@ + +******** SERVER ******** +1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used diff --git a/test/stderr/2149 b/test/stderr/2149 index 2221cd458..dff86ef7c 100644 --- a/test/stderr/2149 +++ b/test/stderr/2149 @@ -1,3 +1,5 @@ ******** SERVER ******** 1999-03-02 09:44:33 TLS error (D-H param setting 'TESTSUITE/aux-fixed/dh512'): error:xxxxxxxx:SSL routines::dh key too small +1999-03-02 09:44:33 WARNING: deprecated Diffie-Hellman parameter 'ike22' used +1999-03-02 09:44:33 TLS error (D-H param setting 'ike22'): error:xxxxxxxx:SSL routines::dh key too small