From: Jeremy Harris Date: Tue, 20 Jan 2015 12:11:15 +0000 (+0000) Subject: Testsuite: Experimental_Certnames absorbed into mainline X-Git-Tag: exim-4_86_RC1~137 X-Git-Url: https://git.exim.org/users/jgh/exim.git/commitdiff_plain/7f3555b3d8e1fccfe8f5d450bdde367018a5e764?ds=inline Testsuite: Experimental_Certnames absorbed into mainline --- diff --git a/test/confs/2033 b/test/confs/2033 new file mode 100644 index 000000000..ce5505180 --- /dev/null +++ b/test/confs/2033 @@ -0,0 +1,193 @@ +# Exim test configuration 2033 +# TLS client: verify certificate from server - name-fails + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn+tls_certificate_verified + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} + +tls_verify_hosts = * +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} + + +# ----- Routers ----- + +begin routers + +server_dump: + driver = redirect + condition = ${if eq {SERVER}{server}{yes}{no}} + data = :blackhole: + +client_x: + driver = accept + local_parts = userx + retry_use_local_part + transport = send_to_server_failcert + errors_to = "" + +client_y: + driver = accept + local_parts = usery + retry_use_local_part + transport = send_to_server_retry + +client_z: + driver = accept + local_parts = userz + retry_use_local_part + transport = send_to_server_crypt + +client_q: + driver = accept + local_parts = userq + retry_use_local_part + transport = send_to_server_req_fail + +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: + driver = accept + local_parts = users + retry_use_local_part + transport = send_to_server_req_passname + +client_t: + driver = accept + local_parts = usert + retry_use_local_part + transport = send_to_server_req_failcarryon + +# ----- Transports ----- + +begin transports + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement +send_to_server_failcert: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok +send_to_server_retry: + driver = smtp + allow_localhost + hosts = HOSTIPV4 : 127.0.0.1 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = \ + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + +# this will fail to verify the cert but continue unverified though crypted +send_to_server_crypt: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_try_verify_hosts = * + +# this will fail to verify the cert at HOSTNAME and fallback to unencrypted +# Fail due to lack of correct CA +send_to_server_req_fail: + driver = smtp + allow_localhost + hosts = HOSTNAME + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_verify_hosts = * + +# this will fail to verify the cert name and fallback to unencrypted +# fail because the cert is "server1.example.com" and the test system is something else +send_to_server_req_failname: + driver = smtp + allow_localhost + hosts = HOSTNAME + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = * + tls_verify_hosts = * + +# this will pass the cert verify including name check +# our stunt DNS has an A record for server1.example.com -> HOSTIPV4 +send_to_server_req_passname: + driver = smtp + allow_localhost + hosts = server1.example.com + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = * + tls_verify_hosts = * + +# this will fail to verify the cert name but carry on (try-verify mode) +# fail because the cert is "server1.example.com" and the test system is something else +send_to_server_req_failcarryon: + driver = smtp + allow_localhost + hosts = HOSTNAME + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = * + tls_try_verify_hosts = * + +# End diff --git a/test/confs/2133 b/test/confs/2133 new file mode 100644 index 000000000..e05197980 --- /dev/null +++ b/test/confs/2133 @@ -0,0 +1,192 @@ +# Exim test configuration 2133 +# TLS client: verify certificate from server - name-fails + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn+tls_certificate_verified + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} + +tls_verify_hosts = * +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} + + +# ----- Routers ----- + +begin routers + +server_dump: + driver = redirect + condition = ${if eq {SERVER}{server}{yes}{no}} + data = :blackhole: + +client_x: + driver = accept + local_parts = userx + retry_use_local_part + transport = send_to_server_failcert + errors_to = "" + +client_y: + driver = accept + local_parts = usery + retry_use_local_part + transport = send_to_server_retry + +client_z: + driver = accept + local_parts = userz + retry_use_local_part + transport = send_to_server_crypt + +client_q: + driver = accept + local_parts = userq + retry_use_local_part + transport = send_to_server_req_fail + +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: + driver = accept + local_parts = users + retry_use_local_part + transport = send_to_server_req_passname + +client_t: + driver = accept + local_parts = usert + retry_use_local_part + transport = send_to_server_req_failcarryon + + +# ----- Transports ----- + +begin transports + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement +send_to_server_failcert: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok +send_to_server_retry: + driver = smtp + allow_localhost + hosts = HOSTIPV4 : 127.0.0.1 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = \ + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + +# this will fail to verify the cert but continue unverified though crypted +send_to_server_crypt: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_try_verify_hosts = * + +# this will fail to verify the cert at HOSTNAME and fallback to unencrypted +# Fail due to lack of correct CA +send_to_server_req_fail: + driver = smtp + allow_localhost + hosts = HOSTNAME + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_verify_hosts = * + +# this will fail to verify the cert name and fallback to unencrypted +# fail because the cert is "server1.example.com" and the test system is something else +send_to_server_req_failname: + driver = smtp + allow_localhost + hosts = HOSTNAME + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = * + tls_verify_hosts = * + +# this will pass the cert verify including name check +# our stunt DNS has an A record for server1.example.com -> HOSTIPV4 +send_to_server_req_passname: + driver = smtp + allow_localhost + hosts = server1.example.com + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = * + tls_verify_hosts = * + +send_to_server_req_failcarryon: + driver = smtp + allow_localhost + hosts = HOSTNAME + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = * + tls_try_verify_hosts = * + +# End diff --git a/test/confs/5440 b/test/confs/5440 deleted file mode 100644 index 479038ad6..000000000 --- a/test/confs/5440 +++ /dev/null @@ -1,193 +0,0 @@ -# Exim test configuration 5440 -# TLS client: verify certificate from server - name-fails - -SERVER= - -exim_path = EXIM_PATH -host_lookup_order = bydns -primary_hostname = myhost.test.ex -spool_directory = DIR/spool -log_file_path = DIR/spool/log/SERVER%slog -gecos_pattern = "" -gecos_name = CALLER_NAME - -FX = DIR/aux-fixed -S1 = FX/exim-ca/example.com/server1.example.com - -CA1 = S1/ca_chain.pem -CERT1 = S1/server1.example.com.pem -KEY1 = S1/server1.example.com.unlocked.key -CA2 = FX/cert2 -CERT2 = FX/cert2 -KEY2 = FX/cert2 - -# ----- Main settings ----- - -acl_smtp_rcpt = accept - -log_selector = +tls_peerdn+tls_certificate_verified - -queue_only -queue_run_in_order - -tls_advertise_hosts = * - -# Set certificate only if server - -tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} -tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} - -tls_verify_hosts = * -tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} - - -# ----- Routers ----- - -begin routers - -server_dump: - driver = redirect - condition = ${if eq {SERVER}{server}{yes}{no}} - data = :blackhole: - -client_x: - driver = accept - local_parts = userx - retry_use_local_part - transport = send_to_server_failcert - errors_to = "" - -client_y: - driver = accept - local_parts = usery - retry_use_local_part - transport = send_to_server_retry - -client_z: - driver = accept - local_parts = userz - retry_use_local_part - transport = send_to_server_crypt - -client_q: - driver = accept - local_parts = userq - retry_use_local_part - transport = send_to_server_req_fail - -client_r: - driver = accept - local_parts = userr - retry_use_local_part - transport = send_to_server_req_failname - -client_s: - driver = accept - local_parts = users - retry_use_local_part - transport = send_to_server_req_passname - -client_t: - driver = accept - local_parts = usert - retry_use_local_part - transport = send_to_server_req_failcarryon - -# ----- Transports ----- - -begin transports - -# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement -send_to_server_failcert: - driver = smtp - allow_localhost - hosts = HOSTIPV4 - hosts_require_tls = HOSTIPV4 - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA2 - -# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok -send_to_server_retry: - driver = smtp - allow_localhost - hosts = HOSTIPV4 : 127.0.0.1 - hosts_require_tls = HOSTIPV4 - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = \ - ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} - -# this will fail to verify the cert but continue unverified though crypted -send_to_server_crypt: - driver = smtp - allow_localhost - hosts = HOSTIPV4 - hosts_require_tls = HOSTIPV4 - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA2 - tls_try_verify_hosts = * - -# this will fail to verify the cert at HOSTNAME and fallback to unencrypted -# Fail due to lack of correct CA -send_to_server_req_fail: - driver = smtp - allow_localhost - hosts = HOSTNAME - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA2 - tls_verify_hosts = * - -# this will fail to verify the cert name and fallback to unencrypted -# fail because the cert is "server1.example.com" and the test system is something else -send_to_server_req_failname: - driver = smtp - allow_localhost - hosts = HOSTNAME - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA1 - tls_verify_cert_hostnames = * - tls_verify_hosts = * - -# this will pass the cert verify including name check -# our stunt DNS has an A record for server1.example.com -> HOSTIPV4 -send_to_server_req_passname: - driver = smtp - allow_localhost - hosts = server1.example.com - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA1 - tls_verify_cert_hostnames = * - tls_verify_hosts = * - -# this will fail to verify the cert name but carry on (try-verify mode) -# fail because the cert is "server1.example.com" and the test system is something else -send_to_server_req_failcarryon: - driver = smtp - allow_localhost - hosts = HOSTNAME - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA1 - tls_verify_cert_hostnames = * - tls_try_verify_hosts = * - -# End diff --git a/test/confs/5450 b/test/confs/5450 deleted file mode 100644 index 145bdc84e..000000000 --- a/test/confs/5450 +++ /dev/null @@ -1,192 +0,0 @@ -# Exim test configuration 5450 -# TLS client: verify certificate from server - name-fails - -SERVER= - -exim_path = EXIM_PATH -host_lookup_order = bydns -primary_hostname = myhost.test.ex -spool_directory = DIR/spool -log_file_path = DIR/spool/log/SERVER%slog -gecos_pattern = "" -gecos_name = CALLER_NAME - -FX = DIR/aux-fixed -S1 = FX/exim-ca/example.com/server1.example.com - -CA1 = S1/ca_chain.pem -CERT1 = S1/server1.example.com.pem -KEY1 = S1/server1.example.com.unlocked.key -CA2 = FX/cert2 -CERT2 = FX/cert2 -KEY2 = FX/cert2 - -# ----- Main settings ----- - -acl_smtp_rcpt = accept - -log_selector = +tls_peerdn+tls_certificate_verified - -queue_only -queue_run_in_order - -tls_advertise_hosts = * - -# Set certificate only if server - -tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} -tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} - -tls_verify_hosts = * -tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} - - -# ----- Routers ----- - -begin routers - -server_dump: - driver = redirect - condition = ${if eq {SERVER}{server}{yes}{no}} - data = :blackhole: - -client_x: - driver = accept - local_parts = userx - retry_use_local_part - transport = send_to_server_failcert - errors_to = "" - -client_y: - driver = accept - local_parts = usery - retry_use_local_part - transport = send_to_server_retry - -client_z: - driver = accept - local_parts = userz - retry_use_local_part - transport = send_to_server_crypt - -client_q: - driver = accept - local_parts = userq - retry_use_local_part - transport = send_to_server_req_fail - -client_r: - driver = accept - local_parts = userr - retry_use_local_part - transport = send_to_server_req_failname - -client_s: - driver = accept - local_parts = users - retry_use_local_part - transport = send_to_server_req_passname - -client_t: - driver = accept - local_parts = usert - retry_use_local_part - transport = send_to_server_req_failcarryon - - -# ----- Transports ----- - -begin transports - -# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement -send_to_server_failcert: - driver = smtp - allow_localhost - hosts = HOSTIPV4 - hosts_require_tls = HOSTIPV4 - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA2 - -# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok -send_to_server_retry: - driver = smtp - allow_localhost - hosts = HOSTIPV4 : 127.0.0.1 - hosts_require_tls = HOSTIPV4 - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = \ - ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} - -# this will fail to verify the cert but continue unverified though crypted -send_to_server_crypt: - driver = smtp - allow_localhost - hosts = HOSTIPV4 - hosts_require_tls = HOSTIPV4 - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA2 - tls_try_verify_hosts = * - -# this will fail to verify the cert at HOSTNAME and fallback to unencrypted -# Fail due to lack of correct CA -send_to_server_req_fail: - driver = smtp - allow_localhost - hosts = HOSTNAME - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA2 - tls_verify_hosts = * - -# this will fail to verify the cert name and fallback to unencrypted -# fail because the cert is "server1.example.com" and the test system is something else -send_to_server_req_failname: - driver = smtp - allow_localhost - hosts = HOSTNAME - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA1 - tls_verify_cert_hostnames = * - tls_verify_hosts = * - -# this will pass the cert verify including name check -# our stunt DNS has an A record for server1.example.com -> HOSTIPV4 -send_to_server_req_passname: - driver = smtp - allow_localhost - hosts = server1.example.com - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA1 - tls_verify_cert_hostnames = * - tls_verify_hosts = * - -send_to_server_req_failcarryon: - driver = smtp - allow_localhost - hosts = HOSTNAME - port = PORT_D - tls_certificate = CERT2 - tls_privatekey = CERT2 - - tls_verify_certificates = CA1 - tls_verify_cert_hostnames = * - tls_try_verify_hosts = * - -# End diff --git a/test/log/2033 b/test/log/2033 new file mode 100644 index 000000000..44cec64b1 --- /dev/null +++ b/test/log/2033 @@ -0,0 +1,21 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed) +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad +1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex diff --git a/test/log/2133 b/test/log/2133 new file mode 100644 index 000000000..2cd0960b2 --- /dev/null +++ b/test/log/2133 @@ -0,0 +1,34 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com +1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <> +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com" + +1999-03-02 09:44:33 10HmaY-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <> +1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com" + +1999-03-02 09:44:33 10HmbA-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbA-0005vi-00@myhost.test.ex diff --git a/test/log/5440 b/test/log/5440 deleted file mode 100644 index 44cec64b1..000000000 --- a/test/log/5440 +++ /dev/null @@ -1,21 +0,0 @@ -1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed) -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls) -1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" -1999-03-02 09:44:33 10HmaY-0005vi-00 Completed -1999-03-02 09:44:33 10HmaZ-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" -1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -qf - -******** SERVER ******** -1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad -1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex diff --git a/test/log/5450 b/test/log/5450 deleted file mode 100644 index 2cd0960b2..000000000 --- a/test/log/5450 +++ /dev/null @@ -1,34 +0,0 @@ -1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com -1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <> -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls) -1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com" - -1999-03-02 09:44:33 10HmaY-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <> -1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls) -1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbC-0005vi-00" -1999-03-02 09:44:33 10HmaY-0005vi-00 Completed -1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00" -1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com" - -1999-03-02 09:44:33 10HmbA-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" -1999-03-02 09:44:33 10HmbA-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -qf - -******** SERVER ******** -1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> -1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) -1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> -1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbA-0005vi-00@myhost.test.ex diff --git a/test/scripts/2000-GnuTLS/2033 b/test/scripts/2000-GnuTLS/2033 new file mode 100644 index 000000000..f43d18de4 --- /dev/null +++ b/test/scripts/2000-GnuTLS/2033 @@ -0,0 +1,20 @@ +# TLS client: verify certificate from server - name-fails +gnutls +exim -DSERVER=server -bd -oX PORT_D +**** +# this will fail to verify the cert name and fallback to unencrypted +exim userr@test.ex +Testing +**** +# this will pass the cert verify including name check +exim users@test.ex +Testing +**** +# this will fail to verify the cert name but carry on (try-verify mode) +exim usert@test.ex +Testing +**** +exim -qf +**** +killdaemon +no_msglog_check diff --git a/test/scripts/2100-OpenSSL/2133 b/test/scripts/2100-OpenSSL/2133 new file mode 100644 index 000000000..3b2221c9c --- /dev/null +++ b/test/scripts/2100-OpenSSL/2133 @@ -0,0 +1,23 @@ +# TLS client: verify certificate from server - name-fails +exim -DSERVER=server -bd -oX PORT_D +**** +# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted +exim userq@test.ex +Testing +**** +# this will fail to verify the cert name and fallback to unencrypted +exim userr@test.ex +Testing +**** +# this will pass the cert verify including name check +exim users@test.ex +Testing +**** +# this will fail to verify the cert name but carry on (try-verify mode) +exim usert@test.ex +Testing +**** +exim -qf +**** +killdaemon +no_msglog_check diff --git a/test/scripts/5440-certnames-GnuTLS/5440 b/test/scripts/5440-certnames-GnuTLS/5440 deleted file mode 100644 index f43d18de4..000000000 --- a/test/scripts/5440-certnames-GnuTLS/5440 +++ /dev/null @@ -1,20 +0,0 @@ -# TLS client: verify certificate from server - name-fails -gnutls -exim -DSERVER=server -bd -oX PORT_D -**** -# this will fail to verify the cert name and fallback to unencrypted -exim userr@test.ex -Testing -**** -# this will pass the cert verify including name check -exim users@test.ex -Testing -**** -# this will fail to verify the cert name but carry on (try-verify mode) -exim usert@test.ex -Testing -**** -exim -qf -**** -killdaemon -no_msglog_check diff --git a/test/scripts/5440-certnames-GnuTLS/REQUIRES b/test/scripts/5440-certnames-GnuTLS/REQUIRES deleted file mode 100644 index 5a5fac1f1..000000000 --- a/test/scripts/5440-certnames-GnuTLS/REQUIRES +++ /dev/null @@ -1,3 +0,0 @@ -support GnuTLS -support Experimental_Certnames -running IPv4 diff --git a/test/scripts/5450-certnames-OpenSSL/5450 b/test/scripts/5450-certnames-OpenSSL/5450 deleted file mode 100644 index 3b2221c9c..000000000 --- a/test/scripts/5450-certnames-OpenSSL/5450 +++ /dev/null @@ -1,23 +0,0 @@ -# TLS client: verify certificate from server - name-fails -exim -DSERVER=server -bd -oX PORT_D -**** -# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted -exim userq@test.ex -Testing -**** -# this will fail to verify the cert name and fallback to unencrypted -exim userr@test.ex -Testing -**** -# this will pass the cert verify including name check -exim users@test.ex -Testing -**** -# this will fail to verify the cert name but carry on (try-verify mode) -exim usert@test.ex -Testing -**** -exim -qf -**** -killdaemon -no_msglog_check diff --git a/test/scripts/5450-certnames-OpenSSL/REQUIRES b/test/scripts/5450-certnames-OpenSSL/REQUIRES deleted file mode 100644 index 663b390a9..000000000 --- a/test/scripts/5450-certnames-OpenSSL/REQUIRES +++ /dev/null @@ -1,3 +0,0 @@ -support OpenSSL -support Experimental_Certnames -running IPv4