Testsuite: feature-check multileaf OCSP testcases
authorJeremy Harris <jgh146exb@wizmail.org>
Sun, 20 Oct 2019 16:32:42 +0000 (17:32 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Sun, 20 Oct 2019 17:06:33 +0000 (18:06 +0100)
23 files changed:
test/confs/5602 [deleted symlink]
test/confs/5612 [new symlink]
test/confs/5615
test/confs/5652 [deleted file]
test/confs/5655 [deleted file]
test/confs/5665 [new file with mode: 0644]
test/confs/5670 [new file with mode: 0644]
test/log/5602 [deleted file]
test/log/5612 [new file with mode: 0644]
test/log/5652 [deleted file]
test/log/5655 [deleted file]
test/log/5665 [new file with mode: 0644]
test/log/5670 [new file with mode: 0644]
test/scripts/5600-OCSP-OpenSSL/5602 [deleted file]
test/scripts/5612-OCSP-OpenSSL-multileaf/5612 [new file with mode: 0644]
test/scripts/5612-OCSP-OpenSSL-multileaf/REQUIRES [new file with mode: 0644]
test/scripts/5650-OCSP-GnuTLS/5652 [deleted file]
test/scripts/5655-OCSP-GnuTLS-1.3/5655 [deleted file]
test/scripts/5655-OCSP-GnuTLS-1.3/REQUIRES [deleted file]
test/scripts/5665-OCSP-GnuTLS-multileaf/5665 [new file with mode: 0644]
test/scripts/5665-OCSP-GnuTLS-multileaf/REQUIRES [new file with mode: 0644]
test/scripts/5670-OCSP-GnuTLS-1.3/5670 [new file with mode: 0644]
test/scripts/5670-OCSP-GnuTLS-1.3/REQUIRES [new file with mode: 0644]

diff --git a/test/confs/5602 b/test/confs/5602
deleted file mode 120000 (symlink)
index 4602aa5..0000000
+++ /dev/null
@@ -1 +0,0 @@
-5652
\ No newline at end of file
diff --git a/test/confs/5612 b/test/confs/5612
new file mode 120000 (symlink)
index 0000000..7d60415
--- /dev/null
@@ -0,0 +1 @@
+5665
\ No newline at end of file
index 36c91e7a2d6fbee06233cfa219f53e444d7ed7b5..a21fc1bc9180293d1b16fb5e507b8625163c6201 120000 (symlink)
@@ -1 +1 @@
-5655
\ No newline at end of file
+5670
\ No newline at end of file
diff --git a/test/confs/5652 b/test/confs/5652
deleted file mode 100644 (file)
index da6e519..0000000
+++ /dev/null
@@ -1,101 +0,0 @@
-# Exim test configuration 5652
-# OCSP stapling, server, multiple leaf-certs
-
-.include DIR/aux-var/tls_conf_prefix
-
-primary_hostname = server1.example.com
-
-# ----- Main settings -----
-
-acl_smtp_mail = check_mail
-acl_smtp_rcpt = check_recipient
-
-log_selector = +tls_peerdn
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-
-CADIR = DIR/aux-fixed/exim-ca
-DRSA = CADIR/example.com
-DECDSA = CADIR/example_ec.com
-
-tls_certificate = DRSA/server1.example.com/server1.example.com.pem \
-             : DECDSA/server1.example_ec.com/server1.example_ec.com.pem
-tls_privatekey =  DRSA/server1.example.com/server1.example.com.unlocked.key \
-             : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key
-tls_ocsp_file =   DRSA/server1.example.com/server1.example.com.ocsp.good.resp \
-             : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
-
-
-.ifdef _HAVE_GNUTLS
-tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0
-.endif
-.ifdef _OPT_OPENSSL_NO_TLSV1_3_X
-openssl_options = +no_tlsv1_3
-.endif
-
-# ------ ACL ------
-
-begin acl
-
-check_mail:
-  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
-    (${listextract {${eval:$tls_in_ocsp+1}} \
-               {notreq:notresp:vfynotdone:failed:verified}})
-
-check_recipient:
-  accept
-
-
-# ----- Routers -----
-
-begin routers
-
-client:
-  driver = manualroute
-  condition = ${if !eq {SERVER}{server}}
-  route_list = * 127.0.0.1
-  self = send
-  transport = remote_delivery
-  errors_to = ""
-
-srvr:
-  driver = accept
-  retry_use_local_part
-  transport = local_delivery
-
-
-# ----- Transports -----
-
-begin transports
-
-remote_delivery:
-  driver =                     smtp
-  port =                       PORT_D
-  hosts_require_tls =          *
-.ifdef _HAVE_GNUTLS
-  tls_require_ciphers =                NONE:\
-                               ${if eq {SELECTOR}{auth_ecdsa} \
-                                       {+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL:} \
-                                       {+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:}}\
-                               +CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509
-.endif
-.ifdef _HAVE_OPENSSL
-  tls_require_ciphers =                ${if eq {SELECTOR}{auth_ecdsa} {ECDSA:RSA:!COMPLEMENTOFDEFAULT} {RSA}}
-.endif
-  hosts_require_ocsp =         *
-  tls_verify_certificates =    CADIR/\
-                               ${if eq {SELECTOR}{auth_ecdsa} \
-                                       {example_ec.com/server1.example_ec.com/ca_chain.pem}\
-                                       {example.com/server1.example.com/ca_chain.pem}}
-  tls_verify_cert_hostnames =  :
-
-local_delivery:
-  driver = appendfile
-  file = DIR/test-mail/$local_part
-  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
-  user = CALLER
-
-# End
diff --git a/test/confs/5655 b/test/confs/5655
deleted file mode 100644 (file)
index 6fbd7c1..0000000
+++ /dev/null
@@ -1,103 +0,0 @@
-# Exim test configuration 5655
-# OCSP stapling, server, multiple chain-element OCSP.  Both GnuTLS and OpenSSL.
-
-.include DIR/aux-var/tls_conf_prefix
-
-primary_hostname = server1.example.com
-
-# ----- Main settings -----
-
-acl_smtp_mail = check_mail
-acl_smtp_rcpt = check_recipient
-
-log_selector = +tls_peerdn
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-
-CADIR = DIR/aux-fixed/exim-ca
-DRSA = CADIR/example.com
-DECDSA = CADIR/example_ec.com
-
-tls_certificate = DRSA/server1.example.com/fullchain.pem
-tls_privatekey =  DRSA/server1.example.com/server1.example.com.unlocked.key
-
-.ifndef CONTROL
-tls_ocsp_file =   PEM DRSA/server1.example.com/fullchain.ocsp.resp.pem
-.else
-tls_ocsp_file =   PEM DIR/tmp/ocsp/double_r.ocsp.pem
-.endif
-
-
-.ifdef _HAVE_GNUTLS
-tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} {NORMAL:!VERS-ALL:+VERS-TLS1.2} {}}
-.endif
-.ifdef _HAVE_OPENSSL
-.ifdef  LIMIT
-openssl_options = ${if eq {LIMIT}{TLS1.2} {+no_tlsv1_3} {}}
-.endif
-.endif
-
-# ------ ACL ------
-
-begin acl
-
-check_mail:
-  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
-    (${listextract {${eval:$tls_in_ocsp+1}} \
-               {notreq:notresp:vfynotdone:failed:verified}})
-
-check_recipient:
-  accept
-
-
-# ----- Routers -----
-
-begin routers
-
-client:
-  driver = manualroute
-  condition = ${if !eq {SERVER}{server}}
-  route_list = * 127.0.0.1
-  self = send
-  transport = remote_delivery
-  errors_to = ""
-
-srvr:
-  driver = accept
-  retry_use_local_part
-  transport = local_delivery
-
-
-# ----- Transports -----
-
-begin transports
-
-remote_delivery:
-  driver =                     smtp
-  port =                       PORT_D
-  hosts_require_tls =          *
-
-.ifdef _HAVE_GNUTLS
-  tls_require_ciphers =                ${if eq {LIMIT}{TLS1.2} \
-                                 {NONE:\
-                                     +SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA\
-                                 :+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509} \
-                                 {}}
-.endif
-.ifdef _HAVE_OPENSSL
-  tls_require_ciphers =                RSA
-.endif
-  tls_verify_certificates =    CADIR/example.com/server1.example.com/ca_chain.pem
-  hosts_require_ocsp =         *
-  tls_verify_cert_hostnames =  :
-
-local_delivery:
-  driver = appendfile
-  file = DIR/test-mail/$local_part
-  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
-  user = CALLER
-
-# End
diff --git a/test/confs/5665 b/test/confs/5665
new file mode 100644 (file)
index 0000000..da6e519
--- /dev/null
@@ -0,0 +1,101 @@
+# Exim test configuration 5652
+# OCSP stapling, server, multiple leaf-certs
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = server1.example.com
+
+# ----- Main settings -----
+
+acl_smtp_mail = check_mail
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+CADIR = DIR/aux-fixed/exim-ca
+DRSA = CADIR/example.com
+DECDSA = CADIR/example_ec.com
+
+tls_certificate = DRSA/server1.example.com/server1.example.com.pem \
+             : DECDSA/server1.example_ec.com/server1.example_ec.com.pem
+tls_privatekey =  DRSA/server1.example.com/server1.example.com.unlocked.key \
+             : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key
+tls_ocsp_file =   DRSA/server1.example.com/server1.example.com.ocsp.good.resp \
+             : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
+
+
+.ifdef _HAVE_GNUTLS
+tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0
+.endif
+.ifdef _OPT_OPENSSL_NO_TLSV1_3_X
+openssl_options = +no_tlsv1_3
+.endif
+
+# ------ ACL ------
+
+begin acl
+
+check_mail:
+  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+    (${listextract {${eval:$tls_in_ocsp+1}} \
+               {notreq:notresp:vfynotdone:failed:verified}})
+
+check_recipient:
+  accept
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = manualroute
+  condition = ${if !eq {SERVER}{server}}
+  route_list = * 127.0.0.1
+  self = send
+  transport = remote_delivery
+  errors_to = ""
+
+srvr:
+  driver = accept
+  retry_use_local_part
+  transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+remote_delivery:
+  driver =                     smtp
+  port =                       PORT_D
+  hosts_require_tls =          *
+.ifdef _HAVE_GNUTLS
+  tls_require_ciphers =                NONE:\
+                               ${if eq {SELECTOR}{auth_ecdsa} \
+                                       {+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL:} \
+                                       {+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:}}\
+                               +CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509
+.endif
+.ifdef _HAVE_OPENSSL
+  tls_require_ciphers =                ${if eq {SELECTOR}{auth_ecdsa} {ECDSA:RSA:!COMPLEMENTOFDEFAULT} {RSA}}
+.endif
+  hosts_require_ocsp =         *
+  tls_verify_certificates =    CADIR/\
+                               ${if eq {SELECTOR}{auth_ecdsa} \
+                                       {example_ec.com/server1.example_ec.com/ca_chain.pem}\
+                                       {example.com/server1.example.com/ca_chain.pem}}
+  tls_verify_cert_hostnames =  :
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+# End
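Review bot: The header comment on the first line of the new test/confs/5665 still reads `# Exim test configuration 5652`, the number of the file this content was moved from, so the file now identifies itself as a different testcase. The same stale number appears in the new test/confs/5670, whose first line still says `# Exim test configuration 5655`. Both should be updated to match their new names: `# Exim test configuration 5665` and `# Exim test configuration 5670`. The content was presumably kept byte-identical to the deleted originals so the blob hashes match (da6e519 and 6fbd7c1 on both sides), but the header line is the one place the copy should differ.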
diff --git a/test/confs/5670 b/test/confs/5670
new file mode 100644 (file)
index 0000000..6fbd7c1
--- /dev/null
@@ -0,0 +1,103 @@
+# Exim test configuration 5655
+# OCSP stapling, server, multiple chain-element OCSP.  Both GnuTLS and OpenSSL.
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = server1.example.com
+
+# ----- Main settings -----
+
+acl_smtp_mail = check_mail
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+CADIR = DIR/aux-fixed/exim-ca
+DRSA = CADIR/example.com
+DECDSA = CADIR/example_ec.com
+
+tls_certificate = DRSA/server1.example.com/fullchain.pem
+tls_privatekey =  DRSA/server1.example.com/server1.example.com.unlocked.key
+
+.ifndef CONTROL
+tls_ocsp_file =   PEM DRSA/server1.example.com/fullchain.ocsp.resp.pem
+.else
+tls_ocsp_file =   PEM DIR/tmp/ocsp/double_r.ocsp.pem
+.endif
+
+
+.ifdef _HAVE_GNUTLS
+tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} {NORMAL:!VERS-ALL:+VERS-TLS1.2} {}}
+.endif
+.ifdef _HAVE_OPENSSL
+.ifdef  LIMIT
+openssl_options = ${if eq {LIMIT}{TLS1.2} {+no_tlsv1_3} {}}
+.endif
+.endif
+
+# ------ ACL ------
+
+begin acl
+
+check_mail:
+  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+    (${listextract {${eval:$tls_in_ocsp+1}} \
+               {notreq:notresp:vfynotdone:failed:verified}})
+
+check_recipient:
+  accept
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = manualroute
+  condition = ${if !eq {SERVER}{server}}
+  route_list = * 127.0.0.1
+  self = send
+  transport = remote_delivery
+  errors_to = ""
+
+srvr:
+  driver = accept
+  retry_use_local_part
+  transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+remote_delivery:
+  driver =                     smtp
+  port =                       PORT_D
+  hosts_require_tls =          *
+
+.ifdef _HAVE_GNUTLS
+  tls_require_ciphers =                ${if eq {LIMIT}{TLS1.2} \
+                                 {NONE:\
+                                     +SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA\
+                                 :+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509} \
+                                 {}}
+.endif
+.ifdef _HAVE_OPENSSL
+  tls_require_ciphers =                RSA
+.endif
+  tls_verify_certificates =    CADIR/example.com/server1.example.com/ca_chain.pem
+  hosts_require_ocsp =         *
+  tls_verify_cert_hostnames =  :
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+# End
diff --git a/test/log/5602 b/test/log/5602
deleted file mode 100644 (file)
index 95a283e..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 2: Server sends good staple on request, to client preferring ECDSA auth
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => ecdsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example_ec.com" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
diff --git a/test/log/5612 b/test/log/5612
new file mode 100644 (file)
index 0000000..95a283e
--- /dev/null
@@ -0,0 +1,16 @@
+1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 2: Server sends good staple on request, to client preferring ECDSA auth
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => ecdsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example_ec.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
diff --git a/test/log/5652 b/test/log/5652
deleted file mode 100644 (file)
index cf31aa3..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 2: Server sends good staple on request, to client preferring ECDSA auth
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => ecdsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example_ec.com" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
diff --git a/test/log/5655 b/test/log/5655
deleted file mode 100644 (file)
index 9936c85..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-1999-03-02 09:44:33 1: TLS1.2 Server sends good leaf-staple on request, to client requiring RSA auth
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 2: TLS1.3 Server sends good 3-element staple on request, to client requiring RSA auth
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 3: TLS1.3 Server sends bad nonleaf staple, client detects it
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 == rsa.auth@test.ex R=client T=remote_delivery defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate status check failed)
-1999-03-02 09:44:33 10HmbB-0005vi-00 ** rsa.auth@test.ex: retry timeout exceeded
-1999-03-02 09:44:33 10HmbB-0005vi-00 rsa.auth@test.ex: error ignored
-1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 acl_mail: ocsp in status: 1 (notresp)
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): The TLS connection was non-properly terminated.
diff --git a/test/log/5665 b/test/log/5665
new file mode 100644 (file)
index 0000000..cf31aa3
--- /dev/null
@@ -0,0 +1,16 @@
+1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 2: Server sends good staple on request, to client preferring ECDSA auth
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => ecdsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example_ec.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
diff --git a/test/log/5670 b/test/log/5670
new file mode 100644 (file)
index 0000000..9936c85
--- /dev/null
@@ -0,0 +1,24 @@
+1999-03-02 09:44:33 1: TLS1.2 Server sends good leaf-staple on request, to client requiring RSA auth
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 2: TLS1.3 Server sends good 3-element staple on request, to client requiring RSA auth
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 3: TLS1.3 Server sends bad nonleaf staple, client detects it
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 == rsa.auth@test.ex R=client T=remote_delivery defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate status check failed)
+1999-03-02 09:44:33 10HmbB-0005vi-00 ** rsa.auth@test.ex: retry timeout exceeded
+1999-03-02 09:44:33 10HmbB-0005vi-00 rsa.auth@test.ex: error ignored
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 1 (notresp)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): The TLS connection was non-properly terminated.
diff --git a/test/scripts/5600-OCSP-OpenSSL/5602 b/test/scripts/5600-OCSP-OpenSSL/5602
deleted file mode 100644 (file)
index 02c27ce..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-# OCSP stapling, server, multiple leaf-certs
-# This will fail on OpenSSL versions before 1.1.0
-#
-#
-#
-exim -z '1: Server sends good staple on request, to client requiring RSA auth'
-****
-#
-exim -bd -oX PORT_D -DSERVER=server
-****
-exim -odf -DSELECTOR=auth_rsa rsa.auth@test.ex
-Subject: test
-
-.
-****
-killdaemon
-#
-#
-#
-#
-exim -z '2: Server sends good staple on request, to client preferring ECDSA auth'
-****
-#
-exim -bd -oX PORT_D -DSERVER=server
-****
-exim -odf -DSELECTOR=auth_ecdsa ecdsa.auth@test.ex
-Subject: test
-
-.
-****
-killdaemon
-no_msglog_check
diff --git a/test/scripts/5612-OCSP-OpenSSL-multileaf/5612 b/test/scripts/5612-OCSP-OpenSSL-multileaf/5612
new file mode 100644 (file)
index 0000000..02c27ce
--- /dev/null
@@ -0,0 +1,32 @@
+# OCSP stapling, server, multiple leaf-certs
+# This will fail on OpenSSL versions before 1.1.0
+#
+#
+#
+exim -z '1: Server sends good staple on request, to client requiring RSA auth'
+****
+#
+exim -bd -oX PORT_D -DSERVER=server
+****
+exim -odf -DSELECTOR=auth_rsa rsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+#
+#
+#
+#
+exim -z '2: Server sends good staple on request, to client preferring ECDSA auth'
+****
+#
+exim -bd -oX PORT_D -DSERVER=server
+****
+exim -odf -DSELECTOR=auth_ecdsa ecdsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5612-OCSP-OpenSSL-multileaf/REQUIRES b/test/scripts/5612-OCSP-OpenSSL-multileaf/REQUIRES
new file mode 100644 (file)
index 0000000..0d1bd9f
--- /dev/null
@@ -0,0 +1,4 @@
+support OpenSSL
+support OCSP
+running IPv4
+feature _HAVE_TLS_OCSP_LIST
diff --git a/test/scripts/5650-OCSP-GnuTLS/5652 b/test/scripts/5650-OCSP-GnuTLS/5652
deleted file mode 100644 (file)
index 07fda29..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-# OCSP stapling, server, multiple leaf-certs
-#
-#
-#
-exim -z '1: Server sends good staple on request, to client requiring RSA auth'
-****
-#
-exim -bd -oX PORT_D -DSERVER=server
-****
-exim -odf -DSELECTOR=auth_rsa rsa.auth@test.ex
-Subject: test
-
-.
-****
-killdaemon
-#
-#
-#
-#
-exim -z '2: Server sends good staple on request, to client preferring ECDSA auth'
-****
-#
-exim -bd -oX PORT_D -DSERVER=server
-****
-exim -odf -DSELECTOR=auth_ecdsa ecdsa.auth@test.ex
-Subject: test
-
-.
-****
-killdaemon
-no_msglog_check
diff --git a/test/scripts/5655-OCSP-GnuTLS-1.3/5655 b/test/scripts/5655-OCSP-GnuTLS-1.3/5655
deleted file mode 100644 (file)
index 1df75fb..0000000
+++ /dev/null
@@ -1,59 +0,0 @@
-# OCSP stapling, server, multiple chain-element OCSP
-#
-#
-#
-mkdir -p DIR/tmp/ocsp
-sudo chown -R EXIMUSER:EXIMGROUP tmp
-sudo chmod -R a+rwx DIR/tmp/ocsp
-perl
-chdir 'aux-fixed/exim-ca/example.com';
-system 'cat server1.example.com/server1.example.com.ocsp.signernocert.good.resp.pem CA/Signer.ocsp.signernocert.revoked.resp.pem > DIR/tmp/ocsp/double_r.ocsp.pem';
-****
-#
-#
-exim -z '1: TLS1.2 Server sends good leaf-staple on request, to client requiring RSA auth'
-****
-#
-sudo exim -bd -oX PORT_D -DSERVER=server -DLIMIT=TLS1.2
-****
-#
-exim -odf -DOPT=rsa -DLIMIT=TLS1.2 rsa.auth@test.ex
-Subject: test
-
-.
-****
-killdaemon
-#
-#
-exim -z '2: TLS1.3 Server sends good 3-element staple on request, to client requiring RSA auth'
-****
-#
-# Prefix with sudo to get SSLKEYLOGFILE to work.  Only works on the server.
-exim -bd -oX PORT_D -DSERVER=server -DLIMIT=TLS1.3
-****
-exim -odf -DOPT=rsa rsa.auth@test.ex
-Subject: test
-
-.
-****
-killdaemon
-#
-#
-#
-exim -z '3: TLS1.3 Server sends bad nonleaf staple, client detects it'
-****
-#
-EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server -DLIMIT=TLS1.3 -DCONTROL=bad
-****
-exim -odf -DOPT=rsa rsa.auth@test.ex
-Subject: test
-
-.
-****
-killdaemon
-#
-#
-#
-#
-sudo rm -fr tmp/
-no_msglog_check
diff --git a/test/scripts/5655-OCSP-GnuTLS-1.3/REQUIRES b/test/scripts/5655-OCSP-GnuTLS-1.3/REQUIRES
deleted file mode 100644 (file)
index ab5a972..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-support GnuTLS
-support OCSP
-running IPv4
-feature _HAVE_TLS1_3
diff --git a/test/scripts/5665-OCSP-GnuTLS-multileaf/5665 b/test/scripts/5665-OCSP-GnuTLS-multileaf/5665
new file mode 100644 (file)
index 0000000..07fda29
--- /dev/null
@@ -0,0 +1,31 @@
+# OCSP stapling, server, multiple leaf-certs
+#
+#
+#
+exim -z '1: Server sends good staple on request, to client requiring RSA auth'
+****
+#
+exim -bd -oX PORT_D -DSERVER=server
+****
+exim -odf -DSELECTOR=auth_rsa rsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+#
+#
+#
+#
+exim -z '2: Server sends good staple on request, to client preferring ECDSA auth'
+****
+#
+exim -bd -oX PORT_D -DSERVER=server
+****
+exim -odf -DSELECTOR=auth_ecdsa ecdsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5665-OCSP-GnuTLS-multileaf/REQUIRES b/test/scripts/5665-OCSP-GnuTLS-multileaf/REQUIRES
new file mode 100644 (file)
index 0000000..37e377d
--- /dev/null
@@ -0,0 +1,4 @@
+support GnuTLS
+support OCSP
+running IPv4
+feature _HAVE_TLS_OCSP_LIST
diff --git a/test/scripts/5670-OCSP-GnuTLS-1.3/5670 b/test/scripts/5670-OCSP-GnuTLS-1.3/5670
new file mode 100644 (file)
index 0000000..1df75fb
--- /dev/null
@@ -0,0 +1,59 @@
+# OCSP stapling, server, multiple chain-element OCSP
+#
+#
+#
+mkdir -p DIR/tmp/ocsp
+sudo chown -R EXIMUSER:EXIMGROUP tmp
+sudo chmod -R a+rwx DIR/tmp/ocsp
+perl
+chdir 'aux-fixed/exim-ca/example.com';
+system 'cat server1.example.com/server1.example.com.ocsp.signernocert.good.resp.pem CA/Signer.ocsp.signernocert.revoked.resp.pem > DIR/tmp/ocsp/double_r.ocsp.pem';
+****
+#
+#
+exim -z '1: TLS1.2 Server sends good leaf-staple on request, to client requiring RSA auth'
+****
+#
+sudo exim -bd -oX PORT_D -DSERVER=server -DLIMIT=TLS1.2
+****
+#
+exim -odf -DOPT=rsa -DLIMIT=TLS1.2 rsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+#
+#
+exim -z '2: TLS1.3 Server sends good 3-element staple on request, to client requiring RSA auth'
+****
+#
+# Prefix with sudo to get SSLKEYLOGFILE to work.  Only works on the server.
+exim -bd -oX PORT_D -DSERVER=server -DLIMIT=TLS1.3
+****
+exim -odf -DOPT=rsa rsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+#
+#
+#
+exim -z '3: TLS1.3 Server sends bad nonleaf staple, client detects it'
+****
+#
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server -DLIMIT=TLS1.3 -DCONTROL=bad
+****
+exim -odf -DOPT=rsa rsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+#
+#
+#
+#
+sudo rm -fr tmp/
+no_msglog_check
diff --git a/test/scripts/5670-OCSP-GnuTLS-1.3/REQUIRES b/test/scripts/5670-OCSP-GnuTLS-1.3/REQUIRES
new file mode 100644 (file)
index 0000000..ab5a972
--- /dev/null
@@ -0,0 +1,4 @@
+support GnuTLS
+support OCSP
+running IPv4
+feature _HAVE_TLS1_3