doc: DANE: don't claim TA can be elided from chain
[users/jgh/exim.git] / test / scripts / 2000-GnuTLS / 2014
1 # TLS server: mandatory, optional, and revoked certificates
2 gnutls
3 munge gnutls_unexpected
4 exim -DSERVER=server -bd -oX PORT_D
5 ****
6 ### No certificate, certificate required
7 client-gnutls HOSTIPV4 PORT_D
8 ??? 220
9 ehlo rhu1.barb
10 ??? 250-
11 ??? 250-
12 ??? 250-
13 ??? 250-
14 ??? 250-
15 ??? 250
16 starttls
17 ??? 220
18 ****
19 ### No certificate, certificate optional at TLS time, required by ACL
20 client-gnutls 127.0.0.1 PORT_D
21 ??? 220
22 ehlo rhu2.barb
23 ??? 250-
24 ??? 250-
25 ??? 250-
26 ??? 250-
27 ??? 250-
28 ??? 250
29 starttls
30 ??? 220
31 helo rhu2tls.barb
32 ??? 250
33 mail from:<userx@test.ex>
34 ??? 250
35 rcpt to:<userx@test.ex>
36 ??? 550
37 quit
38 ??? 221
39 ****
40 ### Good certificate, certificate required
41 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
42 ??? 220
43 ehlo rhu3.barb
44 ??? 250-
45 ??? 250-
46 ??? 250-
47 ??? 250-
48 ??? 250-
49 ??? 250
50 starttls
51 ??? 220
52 mail from:<userx@test.ex>
53 ??? 250
54 rcpt to:<userx@test.ex>
55 ??? 250
56 quit
57 ??? 221
58 ****
59 ### Good certificate, certificate optional at TLS time, checked by ACL
60 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
61 ??? 220
62 ehlo rhu4.barb
63 ??? 250-
64 ??? 250-
65 ??? 250-
66 ??? 250-
67 ??? 250-
68 ??? 250
69 starttls
70 ??? 220
71 mail from:<userx@test.ex>
72 ??? 250
73 rcpt to:<userx@test.ex>
74 ??? 250
75 quit
76 ??? 221
77 ****
78 ### Bad certificate, certificate required
79 # Actually this test does not have the client presenting a cert at all, as it filters what it has
80 # by the options offered by the server first.  So it's not a good testcase.
81 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
82 ??? 220
83 ehlo rhu5.barb
84 ??? 250-
85 ??? 250-
86 ??? 250-
87 ??? 250-
88 ??? 250-
89 ??? 250
90 starttls
91 ??? 220
92 ****
93 ### Bad certificate, certificate optional at TLS time, reject at ACL time
94 # (situation as above)
95 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
96 ??? 220
97 ehlo rhu6.barb
98 ??? 250-
99 ??? 250-
100 ??? 250-
101 ??? 250-
102 ??? 250-
103 ??? 250
104 starttls
105 ??? 220
106 mail from:<userx@test.ex>
107 ??? 250
108 rcpt to:<userx@test.ex>
109 ??? 550
110 quit
111 ??? 221
112 ****
113 killdaemon
114 #
115 #
116 #
117 #
118 exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
119 ****
120 ### Otherwise good but revoked certificate, certificate required
121 # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
122 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
123 ??? 220
124 ehlo rhu7.barb
125 ??? 250-
126 ??? 250-
127 ??? 250-
128 ??? 250-
129 ??? 250-
130 ??? 250
131 starttls
132 ??? 220
133 ****
134 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
135 client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
136 ??? 220
137 ehlo rhu8.barb
138 ??? 250-
139 ??? 250-
140 ??? 250-
141 ??? 250-
142 ??? 250-
143 ??? 250
144 starttls
145 ??? 220
146 mail from:<userx@test.ex>
147 ??? 250
148 rcpt to:<userx@test.ex>
149 ??? 550
150 quit
151 ??? 221
152 ****
153 ### Good certificate, certificate required - but nonmatching CRL also present
154 client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
155 ??? 220
156 ehlo rhu.barb
157 ??? 250-
158 ??? 250-
159 ??? 250-
160 ??? 250-
161 ??? 250-
162 ??? 250
163 starttls
164 ??? 220
165 mail from:<userx@test.ex>
166 ??? 250
167 rcpt to:<userx@test.ex>
168 ??? 250
169 quit
170 ??? 221
171 ****
172 killdaemon