authorJeremy Harris <jgh146exb@wizmail.org>2022-12-11 15:14:54 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2022-12-11 16:54:54 +0000
commit520ef00f56cea3d35688bf4e13599a6e37ba275f (patch)
treed82a14604c5b1216213dcffcfe40ad43a715404b /test/confs
parent4f7a93c27e3d43b44c42d3fc503f03b9b42ca622 (diff)
downloadexim4-520ef00f56cea3d35688bf4e13599a6e37ba275f.tar.gz
TLS: Fix handling for server cert/key file SNI re-expansion forced-fail
Diffstat (limited to 'test/confs')
-rw-r--r--test/confs/203162
-rw-r--r--test/confs/213160
2 files changed, 73 insertions, 49 deletions
diff --git a/test/confs/2031 b/test/confs/2031
index af27b2ffd..62577a61a 100644
--- a/test/confs/2031
+++ b/test/confs/2031
@@ -1,4 +1,4 @@
-# Exim test configuration 2030
+# Exim test configuration 2031
# SNI
SERVER =
@@ -17,21 +17,33 @@ remote_max_parallel = 1
tls_advertise_hosts = *
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server} \
- {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
- {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
+tls_certificate = DIR/aux-fixed/${if inlist {$tls_in_sni}{ : normal : badkey : noneistkeyfile : expansionfailkey} \
{cert1} \
- }\
- }fail}
-
-tls_privatekey = ${if eq {SERVER}{server} \
- {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
- {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+ {${if eq {$tls_in_sni}{alternate} \
+ {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
+ {${if eq {$tls_in_sni}{badcert} \
+ {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+ {${if eq {$tls_in_sni}{nonexistcertfile} \
+ {nonexistent_file} \
+ fail \
+ } } \
+ } } \
+ } } \
+ }
+
+tls_privatekey = DIR/aux-fixed/${if inlist {$tls_in_sni}{ : normal : badcert : nonexistcertfile : expansionfailedcert} \
{cert1} \
- }\
- }fail}
+ {${if eq {$tls_in_sni}{alternate} \
+ {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+ {${if eq {$tls_in_sni}{badkey} \
+ {cert2} \
+ {${if eq {$tls_in_sni}{noneistkeyfile} \
+ {nonexist_file} \
+ fail \
+ } } \
+ } } \
+ } } \
+ }
# ------ ACL ------
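Review bot: The SNI case names in the two `inlist` lists and the nested `eq` branches are spelled inconsistently — `noneistkeyfile` against `nonexistcertfile`, `expansionfailkey` against `expansionfailedcert`, and the placeholder paths `nonexist_file` against `nonexistent_file` — which makes the cert/key matrix hard to read even though each name is used consistently with itself. They are only ever compared, never substituted into the path, so nothing breaks, but settling on one pattern (`nonexistkeyfile`/`nonexistcertfile`, `expansionfailkey`/`expansionfailcert`) would need the same rename in the test script that drives these SNIs, which is outside this diff. Since `$tls_in_sni` is client-supplied, a comment above `tls_certificate` should make the safety property explicit, e.g. `# $tls_in_sni is untrusted: select by comparison only, never splice it into the path`. Note also that the leading empty item in each list means a connection that sends no SNI is served cert1.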
@@ -49,7 +61,7 @@ begin routers
client:
driver = accept
condition = ${if !eq {SERVER}{server}}
- transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+ transport = send_to_server
server:
driver = redirect
@@ -60,22 +72,14 @@ server:
begin transports
-send_to_server1:
- driver = smtp
- allow_localhost
- hosts = HOSTIPV4
- port = PORT_D
- hosts_try_fastopen = :
- tls_sni = fred
-
-send_to_server2:
- driver = smtp
+send_to_server:
+ driver = smtp
allow_localhost
- hosts = HOSTIPV4
- port = PORT_D
+ hosts = HOSTIPV4
+ port = PORT_D
hosts_try_fastopen = :
- tls_sni = bill
-
+ hosts_require_tls = *
+ tls_sni = ${local_part}
# ----- Retry -----
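Review bot: `tls_sni = ${local_part}` on `send_to_server` lets the envelope recipient's local part choose the SNI sent to the server, which is this test's selection mechanism but reads like production configuration if copied elsewhere; a one-line comment would make the intent explicit, e.g. `# test harness: the recipient local part names the server-side SNI case under test`. The transport definition ends with that line as far as this hunk shows, and the retry section that follows is unchanged.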
diff --git a/test/confs/2131 b/test/confs/2131
index e4d4ae551..a9924ab5b 100644
--- a/test/confs/2131
+++ b/test/confs/2131
@@ -17,13 +17,34 @@ remote_max_parallel = 1
tls_advertise_hosts = *
-tls_certificate = DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
- {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
- {cert1} }
+tls_certificate = DIR/aux-fixed/${if inlist {$tls_in_sni}{ : normal : badkey : noneistkeyfile : expansionfailkey} \
+ {cert1} \
+ {${if eq {$tls_in_sni}{alternate} \
+ {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
+ {${if eq {$tls_in_sni}{badcert} \
+ {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+ {${if eq {$tls_in_sni}{nonexistcertfile} \
+ {nonexistent_file} \
+ fail \
+ } } \
+ } } \
+ } } \
+ }
+
+tls_privatekey = DIR/aux-fixed/${if inlist {$tls_in_sni}{ : normal : badcert : nonexistcertfile : expansionfailedcert} \
+ {cert1} \
+ {${if eq {$tls_in_sni}{alternate} \
+ {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+ {${if eq {$tls_in_sni}{badkey} \
+ {cert2} \
+ {${if eq {$tls_in_sni}{noneistkeyfile} \
+ {nonexist_file} \
+ fail \
+ } } \
+ } } \
+ } } \
+ }
-tls_privatekey = DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
- {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
- {cert1} }
# ------ ACL ------
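Review bot: The seven SNI cases in the new `tls_certificate`/`tls_privatekey` selectors carry no explanation of what each is meant to provoke, and the names alone do not say it — `badcert` points the certificate option at a `.unlocked.key` file, `badkey` pairs cert1 with cert2, and the two `nonexist…` names use different placeholder spellings. A short comment block above `tls_certificate` listing each SNI name and the condition it exercises (wrong file type, mismatched pair, missing file, forced expansion failure) would let the next maintainer extend the matrix without cross-reading both files; the same text belongs in 2031, which carries an identical block. The selection stays safe only as long as `$tls_in_sni` is compared against fixed names and never interpolated into the path, which the comment should state.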
@@ -40,7 +61,7 @@ begin routers
client:
driver = accept
condition = ${if !eq {SERVER}{server}}
- transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+ transport = send_to_server_${if inlist {$local_part}{normal} {1}{2}}
server:
driver = redirect
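Review bot: `${if inlist {$local_part}{normal} {1}{2}}` on the `transport` line tests a one-item list, which reads as if further local parts were expected to select transport 1; `${if eq {$local_part}{normal}{1}{2}}` states the intent directly, or, if the list is meant to grow, a comment naming which SNI cases verify against cert1 rather than the CA chain would do. Every local part other than `normal` — including `alternate` and the deliberately broken cases — is routed to `send_to_server_2`, which is defined in the next hunk.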
@@ -51,29 +72,28 @@ server:
begin transports
-send_to_server1:
- driver = smtp
+send_to_server_1:
+ driver = smtp
allow_localhost
- hosts = HOSTIPV4
- port = PORT_D
+ hosts = HOSTIPV4
+ port = PORT_D
hosts_try_fastopen = :
- tls_sni = fred
- hosts_require_tls = *
+ hosts_require_tls = *
+ tls_sni = ${local_part}
tls_verify_certificates = DIR/aux-fixed/cert1
tls_verify_cert_hostnames = :
-send_to_server2:
- driver = smtp
+send_to_server_2:
+ driver = smtp
allow_localhost
- hosts = HOSTIPV4
- port = PORT_D
+ hosts = HOSTIPV4
+ port = PORT_D
hosts_try_fastopen = :
- tls_sni = bill
- hosts_require_tls = *
+ hosts_require_tls = *
+ tls_sni = ${local_part}
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_cert_hostnames = :
-
# ----- Retry -----
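Review bot: `send_to_server_1` and `send_to_server_2` now differ only in `tls_verify_certificates`, since both set `hosts_require_tls = *` and `tls_sni = ${local_part}`; unless the transport name is asserted in the expected log output, the pair could collapse to one transport with `tls_verify_certificates = ${if eq {$local_part}{normal}{DIR/aux-fixed/cert1}{DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem}}` and the router's transport selection dropped. `tls_verify_cert_hostnames = :` on both is pre-existing context, but a comment such as `# hostname check disabled: test certs are not issued for HOSTIPV4` would stop a reader from mistaking it for part of this change.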