From 4466248715466b6f251454283642b74de65e9d9a Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 6 May 2014 14:44:21 +0100 Subject: [PATCH] OCSP observability: variables $tls_{in,out}_ocsp and smtp transport option hosts_request_ocsp --- doc/doc-txt/ChangeLog | 4 ++ doc/doc-txt/experimental-spec.txt | 23 +++++--- src/src/expand.c | 2 + src/src/globals.c | 6 ++- src/src/globals.h | 6 +++ src/src/smtp_in.c | 1 + src/src/spool_in.c | 3 ++ src/src/spool_out.c | 1 + src/src/tls-gnu.c | 63 +++++++++++++++++----- src/src/tls-openssl.c | 84 ++++++++++++++++++----------- src/src/transports/smtp.c | 5 ++ src/src/transports/smtp.h | 1 + test/confs/5600 | 8 +++ test/confs/5601 | 30 ++++++++--- test/confs/5650 | 8 +++ test/confs/5651 | 29 ++++++++-- test/log/5600 | 4 ++ test/log/5601 | 42 +++++++++------ test/log/5650 | 4 ++ test/log/5651 | 35 +++++++----- test/scripts/5600-OCSP-OpenSSL/5601 | 16 ++++-- test/scripts/5650-OCSP-GnuTLS/5651 | 16 ++++-- test/stderr/5410 | 1 + test/stderr/5420 | 1 + 24 files changed, 292 insertions(+), 101 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index c98528884..ebf2eadb2 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -107,6 +107,10 @@ TL/10 Bugzilla 1454: New -oMm option to pass message reference to Exim. JH/20 New expansion variables tls_(in,out)_(our,peer)cert, and expansion item certextract with support for various fields. Bug 1358. +JH/21 Observability of OCSP via variables tls_(in,out)_ocsp. Stapling + is requested by default, modifiable by smtp transport option + hosts_request_ocsp; + Exim version 4.82 ----------------- diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 16738a51f..1ec323433 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -84,14 +84,21 @@ contents are always valid. Exim will expand the "tls_ocsp_file" option on each connection, so a new file will be handled transparently on the next connection. -Exim will check for a valid next update timestamp in the OCSP proof; -if not present, or if the proof has expired, it will be ignored. - -Also, given EXPERIMENTAL_OCSP, the smtp transport gains -a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling -is requested and required for the connection to proceed. The host(s) -should also be in "hosts_require_tls", and "tls_verify_certificates" -configured for the transport. +Under OpenSSL Exim will check for a valid next update timestamp in the +OCSP proof; if not present, or if the proof has expired, it will be +ignored. + +Also, given EXPERIMENTAL_OCSP, the smtp transport gains two options: +- "hosts_require_ocsp"; a host-list for which an OCSP Stapling +is requested and required for the connection to proceed. The default +value is empty. +- "hosts_request_ocsp"; a host-list for which (additionally) an OCSP +Stapling is requested (but not necessarily verified). The default +value is "*" meaning that requests are made unless configured +otherwise. + +The host(s) should also be in "hosts_require_tls", and +"tls_verify_certificates" configured for the transport. For the client to be able to verify the stapled OCSP the server must also supply, in its stapled information, any intermediate diff --git a/src/src/expand.c b/src/src/expand.c index 05b714a7f..de911db90 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -671,6 +671,7 @@ static var_entry var_table[] = { { "tls_in_bits", vtype_int, &tls_in.bits }, { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified }, { "tls_in_cipher", vtype_stringptr, &tls_in.cipher }, + { "tls_in_ocsp", vtype_int, &tls_in.ocsp }, { "tls_in_ourcert", vtype_cert, &tls_in.ourcert }, { "tls_in_peercert", vtype_cert, &tls_in.peercert }, { "tls_in_peerdn", vtype_stringptr, &tls_in.peerdn }, @@ -680,6 +681,7 @@ static var_entry var_table[] = { { "tls_out_bits", vtype_int, &tls_out.bits }, { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified }, { "tls_out_cipher", vtype_stringptr, &tls_out.cipher }, + { "tls_out_ocsp", vtype_int, &tls_out.ocsp }, { "tls_out_ourcert", vtype_cert, &tls_out.ourcert }, { "tls_out_peercert", vtype_cert, &tls_out.peercert }, { "tls_out_peerdn", vtype_stringptr, &tls_out.peerdn }, diff --git a/src/src/globals.c b/src/src/globals.c index 7b591e42a..af2903525 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -109,7 +109,8 @@ tls_support tls_in = { NULL, /* tls_ourcert */ NULL, /* tls_peercert */ NULL, /* tls_peerdn */ - NULL /* tls_sni */ + NULL, /* tls_sni */ + 0 /* tls_ocsp */ }; tls_support tls_out = { -1, /* tls_active */ @@ -121,7 +122,8 @@ tls_support tls_out = { NULL, /* tls_ourcert */ NULL, /* tls_peercert */ NULL, /* tls_peerdn */ - NULL /* tls_sni */ + NULL, /* tls_sni */ + 0 /* tls_ocsp */ }; diff --git a/src/src/globals.h b/src/src/globals.h index 584d1bd09..9a42fe27e 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -89,6 +89,12 @@ typedef struct { void *peercert; /* Certificate of peer, binary */ uschar *peerdn; /* DN from peer */ uschar *sni; /* Server Name Indication */ + enum { + OCSP_NOT_REQ=0, /* not requested */ + OCSP_NOT_RESP, /* no response to request */ + OCSP_NOT_VFY, /* response not verified */ + OCSP_VFIED /* verified */ + } ocsp; /* Stapled OCSP status */ } tls_support; extern tls_support tls_in; extern tls_support tls_out; diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 6810d25e3..82a805a21 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -1820,6 +1820,7 @@ authenticated_by = NULL; tls_in.cipher = tls_in.peerdn = NULL; tls_in.ourcert = tls_in.peercert = NULL; tls_in.sni = NULL; +tls_in.ocsp = OCSP_NOT_REQ; tls_advertised = FALSE; #endif diff --git a/src/src/spool_in.c b/src/src/spool_in.c index 2006e1b02..ba775bbce 100644 --- a/src/src/spool_in.c +++ b/src/src/spool_in.c @@ -289,6 +289,7 @@ tls_in.ourcert = NULL; tls_in.peercert = NULL; tls_in.peerdn = NULL; tls_in.sni = NULL; +tls_in.ocsp = OCSP_NOT_REQ; #endif #ifdef WITH_CONTENT_SCAN @@ -560,6 +561,8 @@ for (;;) tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12)); else if (Ustrncmp(p, "ls_sni", 6) == 0) tls_in.sni = string_unprinting(string_copy(big_buffer + 9)); + else if (Ustrncmp(p, "ls_ocsp", 7) == 0) + tls_in.ocsp = big_buffer[10] - '0'; break; #endif diff --git a/src/src/spool_out.c b/src/src/spool_out.c index 7bbd42df0..de81786b3 100644 --- a/src/src/spool_out.c +++ b/src/src/spool_out.c @@ -242,6 +242,7 @@ if (tls_in.ourcert) (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert); fprintf(f, "-tls_ourcert %s\n", CS big_buffer); } +if (tls_in.ocsp) fprintf(f, "-tls_ocsp %d\n", tls_in.ocsp); #endif /* To complete the envelope, write out the tree of non-recipients, followed by diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index d0e1c35d7..b0b67d820 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -101,6 +101,7 @@ typedef struct exim_gnutls_state { uschar *exp_tls_verify_certificates; uschar *exp_tls_crl; uschar *exp_tls_require_ciphers; + uschar *exp_tls_ocsp_file; tls_support *tlsp; /* set in tls_init() */ @@ -115,7 +116,7 @@ static const exim_gnutls_state_st exim_gnutls_state_init = { NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0, }; @@ -203,6 +204,10 @@ static void exim_gnutls_logger_cb(int level, const char *message); static int exim_sni_handling_cb(gnutls_session_t session); +#ifdef EXPERIMENTAL_OCSP +static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, + gnutls_datum_t * ocsp_response); +#endif @@ -791,18 +796,18 @@ if ( !host /* server */ && tls_ocsp_file ) { - uschar * expanded; - int rc; - - if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &expanded)) + if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", + &state->exp_tls_ocsp_file)) return DEFER; - /* Lazy way; would like callback to emit debug on actual response */ + /* Use the full callback method for stapling just to get observability. + More efficient would be to read the file once only, if it never changed + (due to SNI). Would need restart on file update, or watch datestamp. */ + + gnutls_certificate_set_ocsp_status_request_function(state->x509_cred, + server_ocsp_stapling_cb, state->exp_tls_ocsp_file); - rc = gnutls_certificate_set_ocsp_status_request_file(state->x509_cred, - expanded, 0); - exim_gnutls_err_check(US"gnutls_certificate_set_ocsp_status_request_file"); - DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", expanded); + DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file); } #endif @@ -1433,6 +1438,31 @@ return 0; +#ifdef EXPERIMENTAL_OCSP + +static int +server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, + gnutls_datum_t * ocsp_response) +{ +int ret; + +tls_in.ocsp = OCSP_NOT_RESP; +if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0) + { + DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n", + (char *)ptr); + return GNUTLS_E_NO_CERTIFICATE_STATUS; + } + +tls_in.ocsp = OCSP_NOT_VFY; +return 0; +} + +#endif + + + + /* ------------------------------------------------------------------------ */ /* Exported functions */ @@ -1526,8 +1556,8 @@ if (!state->tlsp->on_connect) that the GnuTLS library doesn't. */ gnutls_transport_set_ptr2(state->session, - (gnutls_transport_ptr)fileno(smtp_in), - (gnutls_transport_ptr)fileno(smtp_out)); + (gnutls_transport_ptr)(long) fileno(smtp_in), + (gnutls_transport_ptr)(long) fileno(smtp_out)); state->fd_in = fileno(smtp_in); state->fd_out = fileno(smtp_out); @@ -1628,6 +1658,9 @@ exim_gnutls_state_st *state = NULL; #ifdef EXPERIMENTAL_OCSP BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, NULL, host->name, host->address, NULL) == OK; +BOOL request_ocsp = require_ocsp ? TRUE + : verify_check_this_host(&ob->hosts_request_ocsp, + NULL, host->name, host->address, NULL) == OK; #endif DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd); @@ -1684,17 +1717,18 @@ else } #ifdef EXPERIMENTAL_OCSP /* since GnuTLS 3.1.3 */ -if (require_ocsp) +if (request_ocsp) { DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n"); if ((rc = gnutls_ocsp_status_request_enable_client(state->session, NULL, 0, NULL)) != OK) return tls_error(US"cert-status-req", gnutls_strerror(rc), state->host); + tls_out.ocsp = OCSP_NOT_RESP; } #endif -gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)fd); +gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)(long) fd); state->fd_in = fd; state->fd_out = fd; @@ -1746,6 +1780,7 @@ if (require_ocsp) if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0) return tls_error(US"certificate status check failed", NULL, state->host); DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); + tls_out.ocsp = OCSP_VFIED; } #endif diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 66fca7dbb..fd257f3c6 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -97,7 +97,8 @@ typedef struct tls_ext_ctx_cb { OCSP_RESPONSE *response; } server; struct { - X509_STORE *verify_store; + X509_STORE *verify_store; /* non-null if status requested */ + BOOL verify_required; } client; } u_ocsp; #endif @@ -797,15 +798,18 @@ else DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.", cbinfo->u_ocsp.server.response ? "have" : "lack"); +tls_in.ocsp = OCSP_NOT_RESP; if (!cbinfo->u_ocsp.server.response) return SSL_TLSEXT_ERR_NOACK; response_der = NULL; -response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, &response_der); +response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, + &response_der); if (response_der_len <= 0) return SSL_TLSEXT_ERR_NOACK; SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len); +tls_in.ocsp = OCSP_VFIED; return SSL_TLSEXT_ERR_OK; } @@ -832,12 +836,15 @@ DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):"); len = SSL_get_tlsext_status_ocsp_resp(s, &p); if(!p) { - if (log_extra_selector & LX_tls_cipher) - log_write(0, LOG_MAIN, "Received TLS status response, null content"); + /* Expect this when we requested ocsp but got none */ + if ( cbinfo->u_ocsp.client.verify_required + && log_extra_selector & LX_tls_cipher) + log_write(0, LOG_MAIN, "Received TLS status callback, null content"); else DEBUG(D_tls) debug_printf(" null\n"); - return 0; /* This is the fail case for require-ocsp; none from server */ + return cbinfo->u_ocsp.client.verify_required ? 0 : 1; } +tls_out.ocsp = OCSP_NOT_VFY; if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len))) { if (log_extra_selector & LX_tls_cipher) @@ -878,11 +885,12 @@ if(!(bs = OCSP_response_get1_basic(rsp))) /* Use the chain that verified the server cert to verify the stapled info */ /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */ - if ((i = OCSP_basic_verify(bs, NULL, cbinfo->u_ocsp.client.verify_store, 0)) <= 0) + if ((i = OCSP_basic_verify(bs, NULL, + cbinfo->u_ocsp.client.verify_store, 0)) <= 0) { BIO_printf(bp, "OCSP response verify failure\n"); ERR_print_errors(bp); - i = 0; + i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; goto out; } @@ -894,39 +902,48 @@ if(!(bs = OCSP_response_get1_basic(rsp))) if (sk_OCSP_SINGLERESP_num(sresp) != 1) { - log_write(0, LOG_MAIN, "OCSP stapling with multiple responses not handled"); + log_write(0, LOG_MAIN, "OCSP stapling " + "with multiple responses not handled"); + i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; goto out; } single = OCSP_resp_get0(bs, 0); - status = OCSP_single_get0_status(single, &reason, &rev, &thisupd, &nextupd); + status = OCSP_single_get0_status(single, &reason, &rev, + &thisupd, &nextupd); } - i = 0; DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd); DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd); - if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE)) + if (!OCSP_check_validity(thisupd, nextupd, + EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE)) { DEBUG(D_tls) ERR_print_errors(bp); log_write(0, LOG_MAIN, "Server OSCP dates invalid"); - goto out; + i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; } - - DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n", OCSP_cert_status_str(status)); - switch(status) + else { - case V_OCSP_CERTSTATUS_GOOD: - i = 1; - break; - case V_OCSP_CERTSTATUS_REVOKED: - log_write(0, LOG_MAIN, "Server certificate revoked%s%s", - reason != -1 ? "; reason: " : "", reason != -1 ? OCSP_crl_reason_str(reason) : ""); - DEBUG(D_tls) time_print(bp, "Revocation Time", rev); - i = 0; - break; - default: - log_write(0, LOG_MAIN, "Server certificate status unknown, in OCSP stapling"); - i = 0; - break; + DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n", + OCSP_cert_status_str(status)); + switch(status) + { + case V_OCSP_CERTSTATUS_GOOD: + i = 1; + tls_out.ocsp = OCSP_VFIED; + break; + case V_OCSP_CERTSTATUS_REVOKED: + log_write(0, LOG_MAIN, "Server certificate revoked%s%s", + reason != -1 ? "; reason: " : "", + reason != -1 ? OCSP_crl_reason_str(reason) : ""); + DEBUG(D_tls) time_print(bp, "Revocation Time", rev); + i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; + break; + default: + log_write(0, LOG_MAIN, + "Server certificate status unknown, in OCSP stapling"); + i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; + break; + } } out: BIO_free(bp); @@ -1497,12 +1514,15 @@ static uschar cipherbuf[256]; #ifdef EXPERIMENTAL_OCSP BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, NULL, host->name, host->address, NULL) == OK; +BOOL request_ocsp = require_ocsp ? TRUE + : verify_check_this_host(&ob->hosts_request_ocsp, + NULL, host->name, host->address, NULL) == OK; #endif rc = tls_init(&client_ctx, host, NULL, ob->tls_certificate, ob->tls_privatekey, #ifdef EXPERIMENTAL_OCSP - require_ocsp ? US"" : NULL, + (void *)(long)request_ocsp, #endif addr, &client_static_cbinfo); if (rc != OK) return rc; @@ -1578,8 +1598,12 @@ if (ob->tls_sni) #ifdef EXPERIMENTAL_OCSP /* Request certificate status at connection-time. If the server does OCSP stapling we will get the callback (set in tls_init()) */ -if (require_ocsp) +if (request_ocsp) + { SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp); + client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp; + tls_out.ocsp = OCSP_NOT_RESP; + } #endif /* There doesn't seem to be a built-in timeout on connection. */ diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 7223f9c89..9089d90c1 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -102,6 +102,10 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, hosts_override) }, { "hosts_randomize", opt_bool, (void *)offsetof(smtp_transport_options_block, hosts_randomize) }, +#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_OCSP) + { "hosts_request_ocsp", opt_stringptr, + (void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) }, +#endif { "hosts_require_auth", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_auth) }, #ifdef SUPPORT_TLS @@ -196,6 +200,7 @@ smtp_transport_options_block smtp_transport_option_defaults = { NULL, /* hosts_try_prdr */ #endif #ifdef EXPERIMENTAL_OCSP + US"*", /* hosts_request_ocsp */ NULL, /* hosts_require_ocsp */ #endif NULL, /* hosts_require_tls */ diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index 6912ad83e..900542564 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h @@ -25,6 +25,7 @@ typedef struct { uschar *hosts_try_prdr; #endif #ifdef EXPERIMENTAL_OCSP + uschar *hosts_request_ocsp; uschar *hosts_require_ocsp; #endif uschar *hosts_require_tls; diff --git a/test/confs/5600 b/test/confs/5600 index 8b26ee7fa..cd5f3c8e7 100644 --- a/test/confs/5600 +++ b/test/confs/5600 @@ -14,6 +14,8 @@ gecos_name = CALLER_NAME # ----- Main settings ----- +acl_smtp_connect = check_connect +acl_smtp_mail = check_mail acl_smtp_rcpt = check_recipient log_selector = +tls_peerdn @@ -37,6 +39,12 @@ tls_ocsp_file = OCSP begin acl +check_connect: + accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp + +check_mail: + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp + check_recipient: deny message = certificate not verified: peerdn=$tls_peerdn ! verify = certificate diff --git a/test/confs/5601 b/test/confs/5601 index 5172ff279..7eb19f754 100644 --- a/test/confs/5601 +++ b/test/confs/5601 @@ -18,6 +18,8 @@ gecos_name = CALLER_NAME domainlist local_domains = test.ex : *.test.ex acl_smtp_rcpt = check_recipient +acl_smtp_data = check_data + log_selector = +tls_peerdn remote_max_parallel = 1 @@ -47,6 +49,10 @@ check_recipient: accept domains = +local_domains deny message = relay not permitted +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept # ----- Routers ----- @@ -57,8 +63,9 @@ client: condition = ${if eq {SERVER}{server}{no}{yes}} retry_use_local_part transport = send_to_server${if eq{$local_part}{nostaple}{1} \ - {${if eq{$local_part}{smtps} {3}{2}}} \ - } + {${if eq{$local_part}{norequire} {2} \ + {${if eq{$local_part}{smtps} {4}{3}}} \ + }}} server: driver = redirect @@ -84,30 +91,41 @@ send_to_server1: port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * -# note no ocsp here + hosts_request_ocsp = : + headers_add = X-TLS-out: ocsp status $tls_out_ocsp send_to_server2: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + +send_to_server3: driver = smtp allow_localhost hosts = 127.0.0.1 port = PORT_D helo_data = helo.data.changed - #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp -send_to_server3: +send_to_server4: driver = smtp allow_localhost hosts = 127.0.0.1 port = PORT_D helo_data = helo.data.changed - #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem protocol = smtps hosts_require_tls = * hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp # ----- Retry ----- diff --git a/test/confs/5650 b/test/confs/5650 index 12584c731..3d4a68ef3 100644 --- a/test/confs/5650 +++ b/test/confs/5650 @@ -14,6 +14,8 @@ gecos_name = CALLER_NAME # ----- Main settings ----- +acl_smtp_connect = check_connect +acl_smtp_mail = check_mail acl_smtp_rcpt = check_recipient log_selector = +tls_peerdn @@ -38,6 +40,12 @@ tls_ocsp_file = OCSP begin acl +check_connect: + accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp + +check_mail: + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp + check_recipient: accept diff --git a/test/confs/5651 b/test/confs/5651 index e38043f3e..4a1989f43 100644 --- a/test/confs/5651 +++ b/test/confs/5651 @@ -18,6 +18,8 @@ gecos_name = CALLER_NAME domainlist local_domains = test.ex : *.test.ex acl_smtp_rcpt = check_recipient +acl_smtp_data = check_data + log_selector = +tls_peerdn remote_max_parallel = 1 @@ -44,6 +46,11 @@ check_recipient: accept domains = +local_domains deny message = relay not permitted +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept + # ----- Routers ----- @@ -54,8 +61,9 @@ client: condition = ${if eq {SERVER}{server}{no}{yes}} retry_use_local_part transport = send_to_server${if eq{$local_part}{nostaple}{1} \ - {${if eq{$local_part}{smtps} {3}{2}}} \ - } + {${if eq{$local_part}{norequire} {2} \ + {${if eq{$local_part}{smtps} {4}{3}}} \ + }}} server: driver = redirect @@ -81,9 +89,20 @@ send_to_server1: port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * -# note no ocsp here + hosts_request_ocsp = : + headers_add = X-TLS-out: OCSP status $tls_out_ocsp send_to_server2: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: OCSP status $tls_out_ocsp + +send_to_server3: driver = smtp allow_localhost hosts = 127.0.0.1 @@ -93,8 +112,9 @@ send_to_server2: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_require_ocsp = * + headers_add = X-TLS-out: OCSP status $tls_out_ocsp -send_to_server3: +send_to_server4: driver = smtp allow_localhost hosts = 127.0.0.1 @@ -105,6 +125,7 @@ send_to_server3: protocol = smtps hosts_require_tls = * hosts_require_ocsp = * + headers_add = X-TLS-out: OCSP status $tls_out_ocsp # ----- Retry ----- diff --git a/test/log/5600 b/test/log/5600 index 869883f06..d0dc7b16e 100644 --- a/test/log/5600 +++ b/test/log/5600 @@ -1,6 +1,10 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding +1999-03-02 09:44:33 acl_mail: ocsp in status: 3 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding diff --git a/test/log/5601 b/test/log/5601 index 40caa0f88..d3c46eda0 100644 --- a/test/log/5601 +++ b/test/log/5601 @@ -1,32 +1,42 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaX-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@test.ex R=client T=send_to_server2 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbB-0005vi-00 Received TLS status response, null content -1999-03-02 09:44:33 10HmbB-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> -1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbC-0005vi-00 Server certificate revoked; reason: superseded -1999-03-02 09:44:33 10HmbC-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> -1999-03-02 09:44:33 10HmbC-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbD-0005vi-00 Server OSCP dates invalid +1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content 1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> -1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded +1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbF-0005vi-00 Server OSCP dates invalid +1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: ocsp status 0 1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 3 +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbA-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; not responding 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <> diff --git a/test/log/5650 b/test/log/5650 index 072756d4e..139d3e7b5 100644 --- a/test/log/5650 +++ b/test/log/5650 @@ -1,7 +1,11 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 +1999-03-02 09:44:33 acl_mail: ocsp in status: 2 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated. 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated. 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. diff --git a/test/log/5651 b/test/log/5651 index a42426a7e..194443aa8 100644 --- a/test/log/5651 +++ b/test/log/5651 @@ -1,28 +1,37 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaX-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@test.ex R=client T=send_to_server2 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbB-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed) -1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbC-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked -1999-03-02 09:44:33 10HmbC-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed) -1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked +1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed) +1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: OCSP status 0 +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 3 +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbA-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated. 1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. diff --git a/test/scripts/5600-OCSP-OpenSSL/5601 b/test/scripts/5600-OCSP-OpenSSL/5601 index b2983eb0d..cf0f68fc7 100644 --- a/test/scripts/5600-OCSP-OpenSSL/5601 +++ b/test/scripts/5600-OCSP-OpenSSL/5601 @@ -1,10 +1,10 @@ # OCSP stapling, client # # -# Client works when we don't demand OCSP stapling +# Client works when we request but don't require OCSP stapling and none comes exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null **** -exim nostaple@test.ex +exim norequire@test.ex test message. **** sleep 1 @@ -13,10 +13,18 @@ killdaemon # # # -# Client accepts good stapled info +# Client works when we don't request OCSP stapling exim -bd -oX PORT_D -DSERVER=server \ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp **** +exim nostaple@test.ex +test message. +**** +# +# +# +# +# Client accepts good stapled info exim CALLER@test.ex test message. **** @@ -25,7 +33,7 @@ killdaemon # # # -# Client fails on lack of requested stapled info +# Client fails on lack of required stapled info exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null **** exim CALLER@test.ex diff --git a/test/scripts/5650-OCSP-GnuTLS/5651 b/test/scripts/5650-OCSP-GnuTLS/5651 index f5432be19..5ed784be2 100644 --- a/test/scripts/5650-OCSP-GnuTLS/5651 +++ b/test/scripts/5650-OCSP-GnuTLS/5651 @@ -1,10 +1,10 @@ # OCSP stapling, client # # -# Client works when we don't demand OCSP stapling +# Client works when we request but don't require OCSP stapling and none comes exim -bd -oX PORT_D -DSERVER=server -DOCSP="" **** -exim nostaple@test.ex +exim norequire@test.ex test message. **** sleep 1 @@ -13,10 +13,18 @@ killdaemon # # # -# Client accepts good stapled info +# Client works when we don't request OCSP stapling exim -bd -oX PORT_D -DSERVER=server \ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp **** +exim nostaple@test.ex +test message. +**** +# +# +# +# +# Client accepts good stapled info exim CALLER@test.ex test message. **** @@ -25,7 +33,7 @@ killdaemon # # # -# Client fails on lack of requested stapled info +# Client fails on lack of required stapled info exim -bd -oX PORT_D -DSERVER=server -DOCSP="" **** exim CALLER@test.ex diff --git a/test/stderr/5410 b/test/stderr/5410 index b84c26492..ddd6dbcc6 100644 --- a/test/stderr/5410 +++ b/test/stderr/5410 @@ -81,6 +81,7 @@ expanding: ${if eq {$address_data}{userz}{*}{:}} SMTP>> STARTTLS SMTP<< 220 TLS go ahead 127.0.0.1 in hosts_require_ocsp? no (option unset) +127.0.0.1 in hosts_request_ocsp? yes (matched "*") SMTP>> EHLO myhost.test.ex SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4] 250-SIZE 52428800 diff --git a/test/stderr/5420 b/test/stderr/5420 index d2fb575b5..9eea77d05 100644 --- a/test/stderr/5420 +++ b/test/stderr/5420 @@ -81,6 +81,7 @@ expanding: ${if eq {$address_data}{userz}{*}{:}} SMTP>> STARTTLS SMTP<< 220 TLS go ahead 127.0.0.1 in hosts_require_ocsp? no (option unset) +127.0.0.1 in hosts_request_ocsp? yes (matched "*") in tls_verify_hosts? no (option unset) in tls_try_verify_hosts? no (option unset) SMTP>> EHLO myhost.test.ex -- 2.30.2