From 9e9ad3eea16e14e8a6c96cde6ddc5c0051e0fd83 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 20 Sep 2018 18:31:36 +0100 Subject: [PATCH] Testsuite: handle OpenSSL 1.1.1 --- test/confs/2102 | 1 + test/confs/2107 | 1 - test/confs/2111 | 5 ++++- test/confs/2125 | 3 +++ test/confs/2127 | 4 ++++ test/confs/5841 | 10 ++++++++-- test/log/2107 | 4 ++-- test/runtest | 11 +++++++++-- test/scripts/5840-DANE-OpenSSL/5841 | 4 ++-- 9 files changed, 33 insertions(+), 10 deletions(-) diff --git a/test/confs/2102 b/test/confs/2102 index 0139a61c0..c9e00479b 100644 --- a/test/confs/2102 +++ b/test/confs/2102 @@ -43,6 +43,7 @@ check_recipient: !encrypted = * logwrite = cipher: $tls_in_cipher # This appears to lie. Despite what's on the wire, it returns the last cert loaded. +# Fixed in OpenSSL 1.1.1 ? Testcase golden logfile has the incorrect value. warn logwrite = ${if def:tls_in_ourcert \ {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \ {We did not present a cert}} diff --git a/test/confs/2107 b/test/confs/2107 index 679367315..9487445cc 100644 --- a/test/confs/2107 +++ b/test/confs/2107 @@ -16,7 +16,6 @@ queue_only queue_run_in_order tls_advertise_hosts = * -tls_require_ciphers = AES256-SHA # Set certificate only if server diff --git a/test/confs/2111 b/test/confs/2111 index 0d99a23bc..b54c9490d 100644 --- a/test/confs/2111 +++ b/test/confs/2111 @@ -23,6 +23,9 @@ tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} tls_verify_hosts = * tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} +.ifdef _OPT_OPENSSL_NO_TLSV1_3_X +openssl_options = +no_tlsv1_3 +.endif # ----- Routers ----- @@ -47,7 +50,7 @@ send_to_server: port = PORT_D tls_certificate = DIR/aux-fixed/cert2 tls_privatekey = DIR/aux-fixed/cert2 - tls_require_ciphers = IDEA-CBC-MD5 \ + tls_require_ciphers = IDEA-CBC-MD5:\ ${if eq{$host_address}{127.0.0.1}{:AES256-SHA:RSA_ARCFOUR_SHA}} # End diff --git a/test/confs/2125 b/test/confs/2125 index be2fe1be3..589879133 100644 --- a/test/confs/2125 +++ b/test/confs/2125 @@ -25,6 +25,9 @@ tls_require_ciphers = ${if eq{$sender_host_address}{HOSTIPV4}\ tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +.ifdef _OPT_OPENSSL_NO_TLSV1_3_X +openssl_options = +no_tlsv1_3 +.endif # ----- Routers ----- diff --git a/test/confs/2127 b/test/confs/2127 index b177444e9..9807ccf11 100644 --- a/test/confs/2127 +++ b/test/confs/2127 @@ -20,6 +20,10 @@ tls_try_verify_hosts = 127.0.0.1 tls_verify_hosts = HOSTIPV4 tls_verify_certificates = DIR/aux-fixed/cert1 +tls_require_ciphers = -ALL:kRSA +.ifdef _OPT_OPENSSL_NO_TLSV1_3_X +openssl_options = +no_tlsv1_3 +.endif # ----- Routers ----- begin routers diff --git a/test/confs/5841 b/test/confs/5841 index 57d692826..98de91d76 100644 --- a/test/confs/5841 +++ b/test/confs/5841 @@ -2,7 +2,7 @@ # DANE/OpenSSL - ciphers option SERVER= -OPT= +LIST= .include DIR/aux-var/tls_conf_prefix @@ -25,6 +25,12 @@ tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.k # Permit two specific ciphers tls_require_ciphers = ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-GCM-SHA384 +# Force TLS1.2 so that the ciphers choice works + +.ifdef _OPT_OPENSSL_NO_TLSV1_3_X +openssl_options = +no_tlsv1_3 +.endif + # ----- Routers ----- begin routers @@ -53,7 +59,7 @@ send_to_server: # Some commonly-available cipher, we hope tls_require_ciphers = ECDHE-RSA-AES256-GCM-SHA384 - dane_require_tls_ciphers = OPT + dane_require_tls_ciphers = LIST # ----- Retry ----- begin retry diff --git a/test/log/2107 b/test/log/2107 index a09c37c5f..1d01706c1 100644 --- a/test/log/2107 +++ b/test/log/2107 @@ -2,10 +2,10 @@ 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="127.0.0.1" -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex diff --git a/test/runtest b/test/runtest index 7921c5bee..d6bc7b03d 100755 --- a/test/runtest +++ b/test/runtest @@ -538,6 +538,9 @@ RESET_AFTER_EXTRA_LINE_READ: # Test machines might have various different TLS library versions supporting # different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we # treat the standard algorithms the same. + # + # TLSversion : KeyExchange? - Authentication/Signature - C_iph_er - MAC : ??? + # # So far, have seen: # TLSv1:AES128-GCM-SHA256:128 # TLSv1:AES256-SHA:256 @@ -559,8 +562,12 @@ RESET_AFTER_EXTRA_LINE_READ: s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA):(128|256)/ke-$3-AES256-SHA:xxx/g; # OpenSSL TLSv1.3 - unsure what to do about the authentication-variant testcases now, - # as it seems the protocol no longer supports a user choice. - s/TLS_AES(_256)_GCM_SHA384:256/TLS-AES256-SHA:xxx/g; + # as it seems the protocol no longer supports a user choice. Replace the "TLS" field with "RSA". + # Also insert a key-exchange field for back-compat, even though 1.3 doesn't do that. + # + # TLSversion : "TLS" - C_iph_er - MAC : ??? + # + s/:TLS_AES(_256)_GCM_SHA384:256/:ke-RSA-AES256-SHA:xxx/g; # LibreSSL # TLSv1:AES256-GCM-SHA384:256 diff --git a/test/scripts/5840-DANE-OpenSSL/5841 b/test/scripts/5840-DANE-OpenSSL/5841 index 52fac186a..fff416e2a 100644 --- a/test/scripts/5840-DANE-OpenSSL/5841 +++ b/test/scripts/5840-DANE-OpenSSL/5841 @@ -15,12 +15,12 @@ Testing # ### Dane cipher specified, dane unused # Since dane unused, should get the same cipher as the baseline -exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@localhost.test.ex +exim -odf -DLIST=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@localhost.test.ex Testing **** ### Dane cipher specified, dane used # Should get the cipher specified here -exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@dane256ee.test.ex +exim -odf -DLIST=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@dane256ee.test.ex Testing **** # -- 2.30.2