# Exim test configuration 5890
# DANE/fail-events
# NOTE(review): the number in the header (5890) does not match the file's
# name in the tree (5861); looks like a header copied from another test --
# confirm which is intended.

# Role switch for this configuration. Empty by default; the harness is
# presumably expected to pass -DSERVER=server for the server side. The same
# applies to DIR, PORT_D, HOSTIPV4, DETAILS and OPT, none of which are
# defined in this file.
SERVER=

.include DIR/aux-var/tls_conf_prefix

primary_hostname = myhost.test.ex

# ----- Main settings -----

# Test-only RCPT policy: without OPT every recipient is accepted outright;
# with OPT the recipient is accepted only after a callout verification.
# An unconditional accept here would be an open relay outside a test rig.
.ifndef OPT
acl_smtp_rcpt = accept logwrite = "rcpt ACL"
.else
acl_smtp_rcpt = accept verify = recipient/callout
.endif

# Log the peer DN and the verification result so the test output records
# whether the DANE/certificate check succeeded.
log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified

queue_run_in_order

tls_advertise_hosts = *

.ifdef _HAVE_GNUTLS
# needed to force generation
# NOTE(review): "historic" selects a built-in legacy DH parameter set; it is
# a test-time convenience, not a production choice -- confirm its strength
# against the Exim spec before reusing this elsewhere.
tls_dhparam = historic
.endif

# Set certificate only if server
# Two fixture CAs: DETAILS=ta/ca/ee selects the example.com chain, any other
# value the example.net chain. On the client side (SERVER empty) the
# expansion is forced to fail, which presumably leaves no certificate
# configured -- confirm against the Exim spec.
CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com


tls_certificate = ${if eq {SERVER}{server} \
        {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
                {CDIR2/fullchain.pem}\
                {CDIR1/fullchain.pem}}}\
        fail}

# Unlocked (passphrase-less) fixture keys; the selection mirrors
# tls_certificate so the key always matches the chain loaded above.
tls_privatekey = ${if eq {SERVER}{server} \
        {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
                {CDIR2/server1.example.com.unlocked.key}\
                {CDIR1/server1.example.net.unlocked.key}}}\
        fail}
# ----- ACL -----
begin acl

# Event handler, invoked through the transport's event_action. Matches only
# events whose first colon-separated element is "dane" (e.g. the dane:fail
# event) and logs the event name with its data, which is what the test
# output is checked against.
dane_fail:
  accept        condition =     ${if eq {dane} {${listextract{1}{$event_name}}}}
                logwrite =      $event_name <$event_data>
# ----- Routers -----

begin routers

# Client role only (SERVER macro empty). Routes by DNS with the DNSSEC DO bit
# requested for every domain, since DANE relies on validated TLSA answers.
# self = send lets the lookup resolve to this host, which presumably also
# runs the server side of the test. errors_to = "" discards bounces so a
# failed delivery does not generate a second message.
client:
  driver =              dnslookup
  condition =           ${if eq {SERVER}{}}
  dnssec_request_domains = *
  self =                send
  transport =           send_to_server
  errors_to =           ""
# Server role: every accepted recipient is silently discarded.
server:
  driver = redirect
  data = :blackhole:


# ----- Transports -----

begin transports

# Client transport under test. DANE is attempted for every host and required
# for HOSTIPV4, so a missing or failing TLSA match is expected to fail the
# delivery rather than fall back to opportunistic TLS. With OPT=no_certname
# the certificate hostname check is deliberately switched off (empty host
# list), presumably to exercise that failure path. Every delivery event is
# routed to the dane_fail ACL, which filters for DANE events.
send_to_server:
  driver = smtp
  allow_localhost
  port = PORT_D

# NOTE(review): tls_try_verify_hosts / tls_verify_certificates apply to
# non-DANE connections; DANE-verified connections presumably use the TLSA
# data instead -- confirm against the Exim spec.
  hosts_try_dane =     *
  hosts_require_dane = HOSTIPV4
  tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
  tls_try_verify_hosts = thishost.test.ex
  tls_verify_certificates = CDIR2/ca_chain.pem
  event_action =        ${acl {dane_fail}}



# ----- Retry -----


begin retry

# Every failure is retried at a fixed 10s interval for up to 5 days; the
# short interval keeps the test's queue runs moving quickly.
* * F,5d,10s


# End