From 0509be3542344cf27658df9935d930cb2d2b9560 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 23 Nov 2014 17:01:14 +0000 Subject: [PATCH] Make smtp transport try server cert verify by default This is an exim client checking a server certificate. --- doc/doc-docbook/spec.xfpt | 3 ++- doc/doc-txt/ChangeLog | 3 +++ src/src/tls-gnu.c | 12 ++++++------ src/src/tls-openssl.c | 4 +++- src/src/transports/smtp.c | 2 +- test/confs/2000 | 1 + test/confs/2001 | 1 + test/confs/2012 | 2 ++ test/confs/2100 | 1 + test/confs/2101 | 1 + test/confs/2112 | 2 ++ test/confs/2113 | 1 + test/confs/2117 | 1 + test/confs/2125 | 1 + test/confs/2126 | 1 + test/confs/2127 | 1 + test/confs/2130 | 2 ++ test/confs/2131 | 2 ++ test/confs/2149 | 1 + test/confs/3461 | 1 + test/confs/3462 | 1 + test/confs/3465 | 1 + test/confs/5410 | 1 + test/confs/5651 | 1 + test/confs/5658 | 1 + test/confs/5750 | 1 + test/confs/5760 | 1 + test/log/2100 | 9 ++------- test/log/2107 | 3 +++ test/log/2108 | 9 +++++++++ test/log/2110 | 3 +++ test/log/2111 | 3 +++ test/stderr/2108 | 15 +++++++++++++++ test/stderr/5410 | 3 ++- test/stderr/5420 | 3 ++- 35 files changed, 80 insertions(+), 18 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 843379b6d..c811d991b 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23446,7 +23446,7 @@ unknown state), opens a new one to the same host, and then tries the delivery in clear. -.option tls_try_verify_hosts smtp "host list&!!" unset +.option tls_try_verify_hosts smtp "host list&!!" * .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" This option gives a list of hosts for which, on encrypted connections, 
@@ -23502,6 +23502,7 @@ expansion of this option. See chapter &<>& for details of TLS. For back-compatability, if neither tls_verify_hosts nor tls_try_verify_hosts are set
+(a single-colon empty list counts as being set)
 and certificate verification fails the TLS connection is closed.
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f0acc09d0..bfb10d34a 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -21,6 +21,9 @@ JH/05 The value of the tls_verify_certificates smtp transport and main options default to the word "system" to access the system default CA bundle. For GnuTLS, only version 3.0.20 or later.
+JH/06 Verification of the server certificate for a TLS connection is now tried
+ (but not required) by default.
+
 Exim version 4.85
 -----------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 42d04224a..8b28d5566 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -853,14 +853,14 @@ error message is provided. However, if we just refrain from setting anything up in that case, certificate verification fails, which seems to be the correct behaviour. */
-if ( state->tls_verify_certificates && *state->tls_verify_certificates
-#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
- && Ustrcmp(state->exp_tls_verify_certificates, "system") != 0
-#endif
- )
+if (state->tls_verify_certificates && *state->tls_verify_certificates)
 {
 if (!expand_check_tlsvar(tls_verify_certificates))
 return DEFER;
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
+ state->exp_tls_verify_certificates = NULL;
+#endif
 if (state->tls_crl && *state->tls_crl)
 if (!expand_check_tlsvar(tls_crl))
 return DEFER;
@@ -1860,7 +1860,7 @@ the specified host patterns if one of them is defined */
 if ( ( state->exp_tls_verify_certificates
 && !ob->tls_verify_hosts
- && !ob->tls_try_verify_hosts
+ && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
 )
 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
 )
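Review bot: In the tls-gnu.c hunk at line 853, resetting `state->exp_tls_verify_certificates` to NULL when the expanded value is "system" leaves no record that the configured CA source was discarded, and since the JH/05 ChangeLog entry visible in this diff says "system" is now the default for tls_verify_certificates, a GnuTLS build without SUPPORT_SYSDEFAULT_CABUNDLE will take this path on every connection with nothing in the log or debug output to explain why verification never succeeds. A debug line before the assignment would make that visible, e.g. `DEBUG(D_tls) debug_printf("tls_verify_certificates=\"system\" not supported by this build; ignoring\n");`. What later code does with a NULL exp_tls_verify_certificates is outside the hunk, so whether the session then proceeds unverified or the try-verify simply fails is inferred rather than shown. The enclosing function starts and ends outside the hunk.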
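Review bot: In the tls-gnu.c hunk at line 1860, the new `(!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)` term makes an empty-string value (`tls_try_verify_hosts =`) behave as unset, which in this branch means verification is required, while a single-colon list (`tls_try_verify_hosts = :`) counts as set and leaves verification optional; only the spec.xfpt hunk documents that distinction, and the comment above the condition (visible in the tls-openssl.c hunk as "set but both tls_verify_hosts and tls_try_verify_hosts is not set") does not. Add to that comment, here and in the identical condition in tls-openssl.c, something like `/* An empty string counts as unset; a single-colon empty list counts as set */`. The same expression is now written twice in two backends; a small shared helper in the common TLS code would keep them from drifting apart. The enclosing function starts and ends outside the hunk.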
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 957f927e7..944e33bc9 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1686,7 +1686,9 @@ int rc; set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only the specified host patterns if one of them is defined */
-if ( (!ob->tls_verify_hosts && !ob->tls_try_verify_hosts)
+if ( ( !ob->tls_verify_hosts
+ && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
+ )
 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
 )
 client_verify_optional = FALSE;
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 7bc0fa086..addbf0ed8 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -260,7 +260,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 /* tls_dh_min_bits */
 TRUE, /* tls_tempfail_tryclear */
 NULL, /* tls_verify_hosts */
- NULL, /* tls_try_verify_hosts */
+ US"*", /* tls_try_verify_hosts */
 US"*" /* tls_verify_cert_hostnames */
 #endif
 #ifndef DISABLE_DKIM
diff --git a/test/confs/2000 b/test/confs/2000
index 06e5a153c..bc4fff2a4 100644
--- a/test/confs/2000
+++ b/test/confs/2000
@@ -56,6 +56,7 @@ send_to_server:
 tls_certificate = DIR/aux-fixed/cert2
 tls_privatekey = DIR/aux-fixed/cert2
 tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_try_verify_hosts =
 # ----- Retry -----
diff --git a/test/confs/2001 b/test/confs/2001
index 741796b67..7e49aeda2 100644
--- a/test/confs/2001
+++ b/test/confs/2001
@@ -56,6 +56,7 @@ send_to_server:
 tls_certificate = DIR/aux-fixed/cert2
 tls_privatekey = DIR/aux-fixed/cert2
 tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_try_verify_hosts =
 # ----- Retry -----
diff --git a/test/confs/2012 b/test/confs/2012
index 6bc5487ff..023a594a8 100644
--- a/test/confs/2012
+++ b/test/confs/2012
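Review bot: The smtp.c default of `US"*"` for tls_try_verify_hosts makes every outbound TLS session attempt verification, but a try-verify failure only produces a log line and never closes the connection, so this change adds visibility rather than enforcement; the updated test/log files 2107, 2108, 2110 and 2111 show the resulting `SSL verify error: depth=0 error=self signed certificate` pair on each delivery. The JH/06 ChangeLog entry could say this explicitly, so that "tried by default" is not read as enforced and sites with many self-signed peers expect the extra log volume. The table is a positional initializer, so a trailing comment on the line, e.g. `US"*", /* tls_try_verify_hosts: "" is unset, ":" is set-but-empty */`, would warn whoever next edits it that the TLS backends treat those two values differently.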
@@ -104,6 +104,7 @@ send_to_server_failcert: tls_privatekey = CERT2 tls_verify_certificates = CA2 + tls_try_verify_hosts = tls_verify_cert_hostnames = # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok @@ -118,6 +119,7 @@ send_to_server_retry: tls_verify_certificates = \ ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + tls_try_verify_hosts = tls_verify_cert_hostnames = # this will fail to verify the cert but continue unverified though crypted diff --git a/test/confs/2100 b/test/confs/2100 index 791c6bd43..c6a7e698e 100644 --- a/test/confs/2100 +++ b/test/confs/2100 @@ -54,6 +54,7 @@ send_to_server: tls_certificate = DIR/aux-fixed/cert2 tls_privatekey = DIR/aux-fixed/cert2 tls_verify_certificates = DIR/aux-fixed/cert2 + tls_try_verify_hosts = : # ----- Retry ----- diff --git a/test/confs/2101 b/test/confs/2101 index 73e0bdd7d..99fad1a48 100644 --- a/test/confs/2101 +++ b/test/confs/2101 @@ -56,6 +56,7 @@ send_to_server: tls_certificate = DIR/aux-fixed/cert2 tls_privatekey = DIR/aux-fixed/cert2 tls_verify_certificates = DIR/aux-fixed/cert2 + tls_try_verify_hosts = # ----- Retry ----- diff --git a/test/confs/2112 b/test/confs/2112 index 2c81e0cf3..d21fee064 100644 --- a/test/confs/2112 +++ b/test/confs/2112 @@ -104,6 +104,7 @@ send_to_server_failcert: tls_privatekey = CERT2 tls_verify_certificates = CA2 + tls_try_verify_hosts = tls_verify_cert_hostnames = # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok @@ -118,6 +119,7 @@ send_to_server_retry: tls_verify_certificates = \ ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + tls_try_verify_hosts = tls_verify_cert_hostnames = # this will fail to verify the cert but continue unverified though crypted diff --git a/test/confs/2113 b/test/confs/2113 index bff43ff57..d5be24861 100644 --- a/test/confs/2113 +++ b/test/confs/2113 @@ -61,5 +61,6 @@ send_to_server: allow_localhost hosts = 127.0.0.1 port = PORT_D + tls_try_verify_hosts = : # End 
diff --git a/test/confs/2117 b/test/confs/2117 index 16cc0c39e..ab809d081 100644 --- a/test/confs/2117 +++ b/test/confs/2117 @@ -60,6 +60,7 @@ send_to_server: hosts = 127.0.0.1 hosts_nopass_tls = * port = PORT_D + tls_try_verify_hosts = : # ----- Retry ----- diff --git a/test/confs/2125 b/test/confs/2125 index 70736be88..767bb1c4f 100644 --- a/test/confs/2125 +++ b/test/confs/2125 @@ -53,6 +53,7 @@ send_to_server: hosts_require_tls = HOSTIPV4 tls_require_ciphers = DES-CBC3-SHA port = PORT_D + tls_try_verify_hosts = : # ----- Retry ----- diff --git a/test/confs/2126 b/test/confs/2126 index e2b790168..704346e56 100644 --- a/test/confs/2126 +++ b/test/confs/2126 @@ -57,6 +57,7 @@ t1: hosts = 127.0.0.1 : HOSTIPV4 port = PORT_D allow_localhost + tls_try_verify_hosts = : t2: driver = appendfile diff --git a/test/confs/2127 b/test/confs/2127 index 3639c5bbf..862ad710d 100644 --- a/test/confs/2127 +++ b/test/confs/2127 @@ -56,5 +56,6 @@ send_to_server: allow_localhost hosts = ${if eq{$local_part}{userx}{127.0.0.1}{HOSTIPV4}} port = PORT_D + tls_try_verify_hosts = : # End diff --git a/test/confs/2130 b/test/confs/2130 index 4143fc8ca..9f6de76b4 100644 --- a/test/confs/2130 +++ b/test/confs/2130 @@ -60,12 +60,14 @@ send_to_server1: hosts = HOSTIPV4 port = PORT_D tls_sni = fred + tls_try_verify_hosts = : send_to_server2: driver = smtp allow_localhost hosts = HOSTIPV4 port = PORT_D + tls_try_verify_hosts = : # ----- Retry ----- diff --git a/test/confs/2131 b/test/confs/2131 index b1719baee..15cfed977 100644 --- a/test/confs/2131 +++ b/test/confs/2131 @@ -73,6 +73,7 @@ send_to_server1: port = PORT_D tls_sni = fred hosts_require_tls = * + tls_try_verify_hosts = : send_to_server2: driver = smtp @@ -81,6 +82,7 @@ send_to_server2: port = PORT_D tls_sni = bill hosts_require_tls = * + tls_try_verify_hosts = : # ----- Retry ----- diff --git a/test/confs/2149 b/test/confs/2149 index 1684f11c6..cf67f8cbc 100644 --- a/test/confs/2149 +++ b/test/confs/2149 
@@ -55,5 +55,6 @@ send_to_server: allow_localhost hosts = 127.0.0.1 port = PORT_D + tls_try_verify_hosts = : # End diff --git a/test/confs/3461 b/test/confs/3461 index 48fe4da3e..93ab8d8d8 100644 --- a/test/confs/3461 +++ b/test/confs/3461 @@ -75,5 +75,6 @@ send_to_server: hosts = 127.0.0.1 hosts_try_auth = * port = PORT_D + tls_try_verify_hosts = : # End diff --git a/test/confs/3462 b/test/confs/3462 index ec155bfdd..3907aecef 100644 --- a/test/confs/3462 +++ b/test/confs/3462 @@ -74,6 +74,7 @@ send_to_server: hosts = 127.0.0.1 hosts_try_auth = * port = PORT_D + tls_try_verify_hosts = : # ----- Retry ----- diff --git a/test/confs/3465 b/test/confs/3465 index 83592a678..2f2061be0 100644 --- a/test/confs/3465 +++ b/test/confs/3465 @@ -67,6 +67,7 @@ t1: hosts = 127.0.0.1 port = PORT_D hosts_avoid_tls = HOSTS_AVOID_TLS + tls_try_verify_hosts = : hosts_require_auth = * allow_localhost diff --git a/test/confs/5410 b/test/confs/5410 index 576967cac..bea8e10ba 100644 --- a/test/confs/5410 +++ b/test/confs/5410 @@ -54,6 +54,7 @@ smtp: port = PORT_D hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}} hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}} + tls_try_verify_hosts = : # End diff --git a/test/confs/5651 b/test/confs/5651 index 19f16d03d..f09df575b 100644 --- a/test/confs/5651 +++ b/test/confs/5651 @@ -116,6 +116,7 @@ send_to_server3: helo_data = helo.data.changed #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_try_verify_hosts = tls_verify_cert_hostnames = hosts_require_tls = * hosts_require_ocsp = * diff --git a/test/confs/5658 b/test/confs/5658 index de486e083..6a75b8c67 100644 --- a/test/confs/5658 +++ b/test/confs/5658 
@@ -125,6 +125,7 @@ send_to_server3: helo_data = helo.data.changed #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_try_verify_hosts = tls_verify_cert_hostnames = hosts_require_tls = * hosts_require_ocsp = * diff --git a/test/confs/5750 b/test/confs/5750 index 193041d62..20a6eecd9 100644 --- a/test/confs/5750 +++ b/test/confs/5750 @@ -102,6 +102,7 @@ send_to_server: ${if eq {$local_part}{good}\ {example.com/server1.example.com/ca_chain.pem}\ {example.net/server1.example.net/ca_chain.pem}} + tls_try_verify_hosts = tls_verify_cert_hostnames = event_action = ${acl {logger} {$event_name} {$domain} } diff --git a/test/confs/5760 b/test/confs/5760 index 4dd2f7393..eaff5b090 100644 --- a/test/confs/5760 +++ b/test/confs/5760 @@ -103,6 +103,7 @@ send_to_server: {example.com/server1.example.com/ca_chain.pem}\ {example.net/server1.example.net/ca_chain.pem}} tls_verify_cert_hostnames = + tls_try_verify_hosts = event_action = ${acl {logger} {$event_name} {$domain} } diff --git a/test/log/2100 b/test/log/2100 index 02b6f0e60..9c57bffcc 100644 --- a/test/log/2100 +++ b/test/log/2100 
@@ -1,14 +1,9 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock -1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <> -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls) -1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <> -1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex diff --git a/test/log/2107 b/test/log/2107 index 5d3817acc..73b5d8e59 100644 --- a/test/log/2107 +++ b/test/log/2107 
@@ -1,5 +1,8 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" + 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/log/2108 b/test/log/2108 index 12ab295f4..b727ccb55 100644 --- a/test/log/2108 +++ b/test/log/2108 
@@ -1,10 +1,19 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" + 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" + 1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 -> xyz@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" + 1999-03-02 09:44:33 10HmaY-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] 
X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/log/2110 b/test/log/2110 index 72f08dc20..574b1b7b8 100644 --- a/test/log/2110 +++ b/test/log/2110 @@ -1,6 +1,9 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1]: a TLS session is required, but the server did not offer TLS support +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" + 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/log/2111 b/test/log/2111 index 0fef3f408..584c3deb5 100644 --- a/test/log/2111 +++ b/test/log/2111 
@@ -1,6 +1,9 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <> +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" + 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:DES-CBC3-SHA:168 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/stderr/2108 b/test/stderr/2108 index 743f7ba71..3d6d87643 100644 --- a/test/stderr/2108 +++ b/test/stderr/2108 @@ -12,6 +12,11 @@ Connecting to 127.0.0.1 [127.0.0.1]:1225 ... connected 250 HELP SMTP>> STARTTLS SMTP<< 220 TLS go ahead +LOG: MAIN + SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +LOG: MAIN + SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" + SMTP>> EHLO helo.data.changed SMTP<< 250-myhost.test.ex Hello helo.data.changed [127.0.0.1] 250-SIZE 52428800 @@ -43,6 +48,11 @@ Connecting to 127.0.0.1 [127.0.0.1]:1225 ... connected 250 HELP SMTP>> STARTTLS SMTP<< 220 TLS go ahead +LOG: MAIN + SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +LOG: MAIN + SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" + SMTP>> EHLO helo.data.changed SMTP<< 250-myhost.test.ex Hello helo.data.changed [127.0.0.1] 250-SIZE 52428800 
@@ -75,6 +85,11 @@ Connecting to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:1225 ... connected 250 HELP SMTP>> STARTTLS SMTP<< 220 TLS go ahead +LOG: MAIN + SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +LOG: MAIN + SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" + SMTP>> EHLO myhost.test.ex SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4] 250-SIZE 52428800 diff --git a/test/stderr/5410 b/test/stderr/5410 index 943681e13..54a99c7ed 100644 --- a/test/stderr/5410 +++ b/test/stderr/5410 @@ -83,7 +83,8 @@ expanding: ${if eq {$address_data}{userz}{*}{:}} SMTP<< 220 TLS go ahead 127.0.0.1 in hosts_require_ocsp? no (option unset) 127.0.0.1 in hosts_request_ocsp? yes (matched "*") -127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*") +127.0.0.1 in tls_verify_hosts? no (option unset) +127.0.0.1 in tls_try_verify_hosts? no (end of list) SMTP>> EHLO myhost.test.ex SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4] 250-SIZE 52428800 diff --git a/test/stderr/5420 b/test/stderr/5420 index 464cb2c4d..f08ae8e9e 100644 --- a/test/stderr/5420 +++ b/test/stderr/5420 @@ -82,7 +82,8 @@ expanding: ${if eq {$address_data}{userz}{*}{:}} SMTP>> STARTTLS SMTP<< 220 TLS go ahead 127.0.0.1 in tls_verify_hosts? no (option unset) -127.0.0.1 in tls_try_verify_hosts? no (option unset) +127.0.0.1 in tls_try_verify_hosts? yes (matched "*") +127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*") SMTP>> EHLO myhost.test.ex SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4] 250-SIZE 52428800 -- 2.30.2