From: Jeremy Harris Date: Thu, 16 Oct 2014 18:11:45 +0000 (+0100) Subject: Handle certificate dir under GnuTLS, if recent enough X-Git-Tag: exim-4_85_RC1~40^2 X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/a7fec7a71987d40dc09601ae33902d0a761887b9 Handle certificate dir under GnuTLS, if recent enough Add testcases for certificate directories The GnuTLS implementation has been tested on Fedora 21 (alpha), using GnuTLS 3.3.9. The testsuite case is here but with the script commented-out. When enabled, the log/mail/stdout/stderr files will be created fresh. --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 9cfc06ca5..e3df0854e 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16484,9 +16484,11 @@ See &%tls_verify_hosts%& below. The value of this option is expanded, and must then be the absolute path to a file containing permitted certificates for clients that match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you -are using OpenSSL, you can set &%tls_verify_certificates%& to the name of a -directory containing certificate files. This does not work with GnuTLS; the -option must be set to the name of a single file if you are using GnuTLS. +are using either GnuTLS version 3.3.6 (or later) or OpenSSL, +you can set &%tls_verify_certificates%& to the name of a +directory containing certificate files. +For earlier versions of GnuTLS +the option must be set to the name of a single file. These certificates should be for the certificate authorities trusted, rather than the public cert of individual clients. With both OpenSSL and GnuTLS, if 
@@ -23432,10 +23434,14 @@ certificate verification succeeds. .vindex "&$host_address$&" The value of this option must be the absolute path to a file containing permitted server certificates, for use when setting up an encrypted connection. -Alternatively, if you are using OpenSSL, you can set +Alternatively, +if you are using either GnuTLS version 3.3.6 (or later) or OpenSSL, +you can set &%tls_verify_certificates%& to the name of a directory containing certificate -files. This does not work with GnuTLS; the option must be set to the name of a -single file if you are using GnuTLS. The values of &$host$& and +files. +For earlier versions of GnuTLS the option must be set to the name of a +single file. +The values of &$host$& and &$host_address$& are set to the name and address of the server during the expansion of this option. See chapter &<>& for details of TLS. @@ -25917,7 +25923,8 @@ There are some differences in usage when using GnuTLS instead of OpenSSL: .ilist The &%tls_verify_certificates%& option must contain the name of a file, not the -name of a directory (for OpenSSL it can be either). +name of a directory for GnuTLS versions before 3.3.6 +(for later versions, or OpenSSL, it can be either). .next The default value for &%tls_dhparam%& differs for historical reasons. .next diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 0b03894b2..8b3dfe8c7 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -48,6 +48,9 @@ JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed size buffer was used, resulting in syntax errors when an expansion exceeded it. +JH/07 Add support for directories of certificates when compiled with a GnuTLS + version 3.3.6 or later. + Exim version 4.84 ----------------- diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 3043e3abc..14cdd12d4 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c 
@@ -51,6 +51,11 @@ require current GnuTLS, then we'll drop support for the ancient libraries). # warning "GnuTLS library version too old; TPDA tls:cert event unsupported" # undef EXPERIMENTAL_TPDA #endif +#if GNUTLS_VERSION_NUMBER >= 0x030306 +# define SUPPORT_CA_DIR +#else +# undef SUPPORT_CA_DIR +#endif #ifndef DISABLE_OCSP # include @@ -884,6 +889,7 @@ if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0) return DEFER; } +#ifndef SUPPORT_CA_DIR /* The test suite passes in /dev/null; we could check for that path explicitly, but who knows if someone has some weird FIFO which always dumps some certs, or other weirdness. The thing we really want to check is that it's not a @@ -899,6 +905,7 @@ if (S_ISDIR(statbuf.st_mode)) state->exp_tls_verify_certificates); return DEFER; } +#endif DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n", state->exp_tls_verify_certificates, statbuf.st_size); @@ -910,8 +917,18 @@ if (statbuf.st_size == 0) return OK; } -cert_count = gnutls_certificate_set_x509_trust_file(state->x509_cred, +cert_count = + +#ifdef SUPPORT_CA_DIR + (statbuf.st_mode & S_IFMT) == S_IFDIR + ? + gnutls_certificate_set_x509_trust_dir(state->x509_cred, + CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM) + : +#endif + gnutls_certificate_set_x509_trust_file(state->x509_cred, CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM); + if (cert_count < 0) { rc = cert_count; diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0 new file mode 120000 index 000000000..0bc47166d --- /dev/null +++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0 @@ -0,0 +1 @@ +../../CA/CA.pem \ No newline at end of file 
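Review bot: The `statbuf.st_size == 0` shortcut in the fourth hunk's context (`if (statbuf.st_size == 0) ... return OK;`) is now reached for directories too, and a directory's st_size is filesystem-dependent — an empty CA directory may report 0 on some filesystems and take the early OK return with no trust anchors loaded instead of the new `gnutls_certificate_set_x509_trust_dir` branch; confirm that is the intended outcome for a misconfigured directory, or restrict the shortcut with `if (!S_ISDIR(statbuf.st_mode) && statbuf.st_size == 0)` so the /dev/null case mentioned in the second hunk keeps working while directories always go through the trust-dir call. The new selector `(statbuf.st_mode & S_IFMT) == S_IFDIR` should be written `S_ISDIR(statbuf.st_mode)`, which is the form the check wrapped by `#ifndef SUPPORT_CA_DIR` in the third hunk already uses. The version gate in the first hunk would read better with a one-line reason, e.g. `/* gnutls_certificate_set_x509_trust_dir() needs GnuTLS 3.3.6 or later */`. The enclosing function starts before and continues after these hunks, so the error-reporting that follows `if (cert_count < 0)` is not visible here; check that it does not name the trust-file call when the trust-dir call was the one that failed.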
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0 new file mode 120000 index 000000000..890dffc23 --- /dev/null +++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0 @@ -0,0 +1 @@ +../../CA/Signer.pem \ No newline at end of file diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall index 0e3feb25e..64e5a85b4 100755 --- a/test/aux-fixed/exim-ca/genall +++ b/test/aux-fixed/exim-ca/genall @@ -112,6 +112,18 @@ do openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem done +# Finally, a single certificate-directory +cd example.com/server1.example.com +mkdir -f certdir +cd certdir +f=../../CA/CA.pem +h=`openssl x509 -hash -noout -in $f` +ln -s $f $h.0 +f=../../CA/Signer.pem +h=`openssl x509 -hash -noout -in $f` +ln -s $f $h.0 +cd ../.. + find example.* -type d -print0 | xargs -0 chmod 755 find example.* -type f -print0 | xargs -0 chmod 644 diff --git a/test/confs/2032 b/test/confs/2032 new file mode 100644 index 000000000..5a6099378 --- /dev/null +++ b/test/confs/2032 
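Review bot: `mkdir -f certdir` is not a valid invocation — mkdir has no `-f` option in POSIX or GNU coreutils — so the generator errors at that line and the following `cd certdir` and `ln -s` commands run in the wrong place; `mkdir -p certdir` is presumably what was meant. The block descends three levels (`cd example.com/server1.example.com`, then `cd certdir`) but climbs back only two with `cd ../..`, which, assuming the script runs from the exim-ca root as the surrounding `find example.* ...` lines suggest, leaves the cwd in example.com/ for the chmod passes that follow; `cd ../../..` or wrapping the block in a subshell `( ... )` fixes that. The two `ln -s $f $h.0` lines also fail on a second run once the links exist; `ln -sf` keeps the script re-runnable, which matches the intent of the mkdir flag.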
@@ -0,0 +1,73 @@ +# Exim test configuration 2032 (close copy of 2002) + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = check_recipient + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = 127.0.0.1 : HOSTIPV4 + +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key + +tls_verify_hosts = HOSTIPV4 +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/certdir + + +# ------ ACL ------ + +begin acl + +check_recipient: + accept hosts = : + deny hosts = HOSTIPV4 + !encrypted = AES256-SHA : \ + AES256-GCM-SHA384 : \ + IDEA-CBC-MD5 : \ + DES-CBC3-SHA : \ + DHE_RSA_AES_256_CBC_SHA1 : \ + DHE_RSA_3DES_EDE_CBC_SHA : \ + RSA_AES_256_CBC_SHA1 + warn logwrite = ${if def:tls_in_ourcert \ + {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \ + {We did not present a cert}} + accept condition = ${if !def:tls_in_peercert} + logwrite = Peer did not present a cert + accept logwrite = SN <${certextract {subject} {$tls_in_peercert}}> + + +# ----- Routers ----- + +begin routers + +abc: + driver = accept + retry_use_local_part + transport = local_delivery + headers_add = tls-certificate-verified: $tls_certificate_verified + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# End diff --git a/test/confs/2132 b/test/confs/2132 new file mode 100644 index 000000000..069249322 --- /dev/null +++ b/test/confs/2132 
@@ -0,0 +1,74 @@ +# Exim test configuration 2132 (close copy of 2102) + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = check_recipient + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = 127.0.0.1 : HOSTIPV4 + +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key + +tls_verify_hosts = HOSTIPV4 +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/certdir + + +# ------ ACL ------ + +begin acl + +check_recipient: + accept hosts = : + deny hosts = HOSTIPV4 + !encrypted = AES256-SHA : \ + AES256-GCM-SHA384 : \ + IDEA-CBC-MD5 : \ + DES-CBC3-SHA : \ + DHE-RSA-AES256-SHA : \ + DHE-RSA-AES256-GCM-SHA384 : \ + DHE_RSA_AES_256_CBC_SHA1 : \ + DHE_RSA_3DES_EDE_CBC_SHA + warn logwrite = ${if def:tls_in_ourcert \ + {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \ + {We did not present a cert}} + accept condition = ${if !def:tls_in_peercert} + logwrite = Peer did not present a cert + accept logwrite = SN <${certextract {subject} {$tls_in_peercert}}> + + +# ----- Routers ----- + +begin routers + +abc: + driver = accept + retry_use_local_part + transport = local_delivery + headers_add = tls-certificate-verified: $tls_certificate_verified + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# End diff --git a/test/log/2132 b/test/log/2132 new file mode 100644 index 000000000..34633871f --- /dev/null +++ b/test/log/2132 
@@ -0,0 +1,20 @@ +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 Our cert SN: +1999-03-02 09:44:33 Peer did not present a cert +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss +1999-03-02 09:44:33 Our cert SN: +1999-03-02 09:44:33 Peer did not present a cert +1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss +1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 Our cert SN: +1999-03-02 09:44:33 SN +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" S=sss +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER R=abc T=local_delivery +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER R=abc T=local_delivery +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER R=abc T=local_delivery +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/mail/2132.CALLER b/test/mail/2132.CALLER new file mode 100644 index 000000000..21b5e2c66 --- /dev/null +++ b/test/mail/2132.CALLER 
@@ -0,0 +1,36 @@ +From CALLER@test.ex Tue Mar 02 09:44:33 1999 +Received: from [127.0.0.1] + by myhost.test.ex with smtps (TLSv1:AES256-SHA:256) + (Exim x.yz) + (envelope-from ) + id 10HmaX-0005vi-00 + for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 +tls-certificate-verified: 0 +TLS: cipher=TLSv1:AES256-SHA:256 peerdn= + +This is a test encrypted message. + +From "name with spaces"@test.ex Tue Mar 02 09:44:33 1999 +Received: from [127.0.0.1] + by myhost.test.ex with smtps (TLSv1:AES256-SHA:256) + (Exim x.yz) + (envelope-from <"name with spaces"@test.ex>) + id 10HmaY-0005vi-00 + for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 +tls-certificate-verified: 0 +TLS: cipher=TLSv1:AES256-SHA:256 peerdn= + +This is a test encrypted message. + +From CALLER@test.ex Tue Mar 02 09:44:33 1999 +Received: from [ip4.ip4.ip4.ip4] + by myhost.test.ex with smtps (TLSv1:AES256-SHA:256) + (Exim x.yz) + (envelope-from ) + id 10HmaZ-0005vi-00 + for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 +tls-certificate-verified: 1 +TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/CN=server1.example.com + +This is a test encrypted message from a verified host. + diff --git a/test/scripts/2000-GnuTLS/2032 b/test/scripts/2000-GnuTLS/2032 new file mode 100644 index 000000000..88c0e8ac9 --- /dev/null +++ b/test/scripts/2000-GnuTLS/2032 
@@ -0,0 +1,95 @@ +# TLS server: server ca cert from directory +# - tests all disabled until GnuTLS 3.3.6 (or later) is in common use +# - or we get a library-version dependency mechanism in the testsuite +# +#gnutls +#exim -DSERVER=server -bd -oX PORT_D +#**** +#client-gnutls 127.0.0.1 PORT_D +#??? 220 +#ehlo rhu.barb +#??? 250- +#??? 250- +#??? 250- +#??? 250- +#??? 250- +#??? 250 +#starttls +#??? 220 +#mail from: +#??? 250 +#rcpt to: +#??? 250 +#DATA +#??? 3 +#This is a test encrypted message. +#. +#??? 250 +#quit +#??? 221 +#**** +#client-gnutls 127.0.0.1 PORT_D +#??? 220 +#ehlo rhu.barb +#??? 250- +#??? 250- +#??? 250- +#??? 250- +#??? 250- +#??? 250 +#starttls +#??? 220 +#mail from:<"name with spaces"@test.ex> +#??? 250 +#rcpt to: +#??? 250 +#DATA +#??? 3 +#This is a test encrypted message. +#. +#??? 250 +#quit +#??? 221 +#**** +#client-gnutls HOSTIPV4 PORT_D +#??? 220 +#ehlo rhu.barb +#??? 250- +#??? 250- +#??? 250- +#??? 250- +#??? 250- +#??? 250 +#starttls +#??? 220 +#**** +#client-gnutls HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key +#??? 220 +#ehlo rhu.barb +#??? 250- +#??? 250- +#??? 250- +#??? 250- +#??? 250- +#??? 250 +#starttls +#??? 220 +#mail from: +#??? 250 +#rcpt to: +#??? 250 +#DATA +#??? 3 +#This is a test encrypted message from a verified host. +#. +#??? 250 +#quit +#??? 221 +#**** +#killdaemon +#exim -qf +#**** +#exim -bh 10.0.0.1 +#starttls +#quit +#**** diff --git a/test/scripts/2100-OpenSSL/2132 b/test/scripts/2100-OpenSSL/2132 new file mode 100644 index 000000000..620a63f57 --- /dev/null +++ b/test/scripts/2100-OpenSSL/2132 
@@ -0,0 +1,91 @@ +# TLS server: server ca cert from directory +exim -DSERVER=server -bd -oX PORT_D +**** +client-ssl 127.0.0.1 PORT_D +??? 220 +ehlo rhu.barb +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +starttls +??? 220 +mail from: +??? 250 +rcpt to: +??? 250 +DATA +??? 3 +This is a test encrypted message. +. +??? 250 +quit +??? 221 +**** +client-ssl 127.0.0.1 PORT_D +??? 220 +ehlo rhu.barb +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +starttls +??? 220 +mail from:<"name with spaces"@test.ex> +??? 250 +rcpt to: +??? 250 +DATA +??? 3 +This is a test encrypted message. +. +??? 250 +quit +??? 221 +**** +client-ssl HOSTIPV4 PORT_D +??? 220 +ehlo rhu.barb +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +starttls +??? 220 +**** +client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key +??? 220 +ehlo rhu.barb +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +starttls +??? 220 +mail from: +??? 250 +rcpt to: +??? 250 +DATA +??? 3 +This is a test encrypted message from a verified host. +. +??? 250 +quit +??? 221 +**** +killdaemon +exim -qf +**** +exim -bh 10.0.0.1 +starttls +quit +**** diff --git a/test/stderr/2132 b/test/stderr/2132 new file mode 100644 index 000000000..59f338294 --- /dev/null +++ b/test/stderr/2132 @@ -0,0 +1,10 @@ +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (option unset) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) + +******** SERVER ******** diff --git a/test/stdout/2132 b/test/stdout/2132 new file mode 100644 index 000000000..a9724e170 --- /dev/null 
+++ b/test/stdout/2132 
@@ -0,0 +1,205 @@ +Connecting to 127.0.0.1 port 1225 ... connected +??? 220 +<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> ehlo rhu.barb +??? 250- +<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1] +??? 250- +<<< 250-SIZE 52428800 +??? 250- +<<< 250-8BITMIME +??? 250- +<<< 250-PIPELINING +??? 250- +<<< 250-STARTTLS +??? 250 +<<< 250 HELP +>>> starttls +??? 220 +<<< 220 TLS go ahead +Attempting to start TLS +SSL info: before/connect initialization +SSL info: before/connect initialization +SSL info: SSLv3 read server hello A +SSL info: SSLv3 read server certificate A +SSL info: SSLv3 read server done A +SSL info: SSLv3 write client key exchange A +SSL info: SSLv3 write change cipher spec A +SSL info: SSLv3 write finished A +SSL info: SSLv3 flush data +SSL info: SSLv3 read server session ticket A +SSL info: SSLv3 read finished A +SSL info: SSL negotiation finished successfully +SSL info: SSL negotiation finished successfully +SSL connection using AES256-SHA +Succeeded in starting TLS +>>> mail from: +??? 250 +<<< 250 OK +>>> rcpt to: +??? 250 +<<< 250 Accepted +>>> DATA +??? 3 +<<< 354 Enter message, ending with "." on a line by itself +>>> This is a test encrypted message. +>>> . +??? 250 +<<< 250 OK id=10HmaX-0005vi-00 +>>> quit +??? 221 +<<< 221 myhost.test.ex closing connection +End of script +Connecting to 127.0.0.1 port 1225 ... connected +??? 220 +<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> ehlo rhu.barb +??? 250- +<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1] +??? 250- +<<< 250-SIZE 52428800 +??? 250- +<<< 250-8BITMIME +??? 250- +<<< 250-PIPELINING +??? 250- +<<< 250-STARTTLS +??? 250 +<<< 250 HELP +>>> starttls +??? 
220 +<<< 220 TLS go ahead +Attempting to start TLS +SSL info: before/connect initialization +SSL info: before/connect initialization +SSL info: SSLv3 read server hello A +SSL info: SSLv3 read server certificate A +SSL info: SSLv3 read server done A +SSL info: SSLv3 write client key exchange A +SSL info: SSLv3 write change cipher spec A +SSL info: SSLv3 write finished A +SSL info: SSLv3 flush data +SSL info: SSLv3 read server session ticket A +SSL info: SSLv3 read finished A +SSL info: SSL negotiation finished successfully +SSL info: SSL negotiation finished successfully +SSL connection using AES256-SHA +Succeeded in starting TLS +>>> mail from:<"name with spaces"@test.ex> +??? 250 +<<< 250 OK +>>> rcpt to: +??? 250 +<<< 250 Accepted +>>> DATA +??? 3 +<<< 354 Enter message, ending with "." on a line by itself +>>> This is a test encrypted message. +>>> . +??? 250 +<<< 250 OK id=10HmaY-0005vi-00 +>>> quit +??? 221 +<<< 221 myhost.test.ex closing connection +End of script +Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected +??? 220 +<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> ehlo rhu.barb +??? 250- +<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4] +??? 250- +<<< 250-SIZE 52428800 +??? 250- +<<< 250-8BITMIME +??? 250- +<<< 250-PIPELINING +??? 250- +<<< 250-STARTTLS +??? 250 +<<< 250 HELP +>>> starttls +??? 
220 +<<< 220 TLS go ahead +Attempting to start TLS +SSL info: before/connect initialization +SSL info: before/connect initialization +SSL info: SSLv3 read server hello A +SSL info: SSLv3 read server certificate A +SSL info: SSLv3 read server certificate request A +SSL info: SSLv3 read server done A +SSL info: SSLv3 write client certificate A +SSL info: SSLv3 write client key exchange A +SSL info: SSLv3 write change cipher spec A +SSL info: SSLv3 write finished A +SSL info: SSLv3 flush data +SSL info: SSLv3 read server session ticket A +SSL info: SSLv3 read server session ticket A +pppp:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:dddd:SSL alert number 40 +Failed to start TLS +End of script +Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected +Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key +??? 220 +<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> ehlo rhu.barb +??? 250- +<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4] +??? 250- +<<< 250-SIZE 52428800 +??? 250- +<<< 250-8BITMIME +??? 250- +<<< 250-PIPELINING +??? 250- +<<< 250-STARTTLS +??? 250 +<<< 250 HELP +>>> starttls +??? 
220 +<<< 220 TLS go ahead +Attempting to start TLS +SSL info: before/connect initialization +SSL info: before/connect initialization +SSL info: SSLv3 read server hello A +SSL info: SSLv3 read server certificate A +SSL info: SSLv3 read server certificate request A +SSL info: SSLv3 read server done A +SSL info: SSLv3 write client certificate A +SSL info: SSLv3 write client key exchange A +SSL info: SSLv3 write certificate verify A +SSL info: SSLv3 write change cipher spec A +SSL info: SSLv3 write finished A +SSL info: SSLv3 flush data +SSL info: SSLv3 read server session ticket A +SSL info: SSLv3 read finished A +SSL info: SSL negotiation finished successfully +SSL info: SSL negotiation finished successfully +SSL connection using AES256-SHA +Succeeded in starting TLS +>>> mail from: +??? 250 +<<< 250 OK +>>> rcpt to: +??? 250 +<<< 250 Accepted +>>> DATA +??? 3 +<<< 354 Enter message, ending with "." on a line by itself +>>> This is a test encrypted message from a verified host. +>>> . +??? 250 +<<< 250 OK id=10HmaZ-0005vi-00 +>>> quit +??? 221 +<<< 221 myhost.test.ex closing connection +End of script + +**** SMTP testing session as if from host 10.0.0.1 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +503 STARTTLS command used when not advertised +221 myhost.test.ex closing connection