author | Jeremy Harris <jgh146exb@wizmail.org> | 2022-11-22 22:32:59 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2022-11-23 00:06:42 +0000 |
commit | 415c5379af11bf8777af1a082a336ad7c5369525 (patch) | |
tree | 6e83a790e09a20e172276887d9060cba05d2dc8f /test | |
parent | 6242a0bdfb6bacb2fc52e335ca550b62f2f39020 (diff) | |
download | exim4-415c5379af11bf8777af1a082a336ad7c5369525.tar.gz |
OpenSSL: OCSP under DANE
Diffstat (limited to 'test')
-rwxr-xr-x | test/aux-fixed/exim-ca/genall | 5 | ||||
-rw-r--r-- | test/confs/5840 | 13 | ||||
-rw-r--r-- | test/confs/5847 | 150 | ||||
-rw-r--r-- | test/log/5601 | 6 | ||||
-rw-r--r-- | test/log/5611 | 6 | ||||
-rw-r--r-- | test/log/5740 | 6 | ||||
-rw-r--r-- | test/log/5847 | 51 | ||||
-rw-r--r-- | test/scripts/5846-DANE-OpenSSL-OCSP/5847 | 78 | ||||
-rw-r--r-- | test/scripts/5846-DANE-OpenSSL-OCSP/REQUIRES | 4 | ||||
-rw-r--r-- | test/stderr/5840 | 2 |
10 files changed, 301 insertions, 20 deletions
diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall index 85edfc29c..878c6aba0 100755 --- a/test/aux-fixed/exim-ca/genall +++ b/test/aux-fixed/exim-ca/genall @@ -34,9 +34,12 @@ do # -F create sub-signing cert # -C CRL # -O create OCSP responder cert + # -3 Authority key ID extension + # -8 Subject Alternate Names + clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/ - # create server certs + # create server leaf certs # -m <months> clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \ -8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex diff --git a/test/confs/5840 b/test/confs/5840 index 1b3b122b3..1e6406eaa 100644 --- a/test/confs/5840 +++ b/test/confs/5840 @@ -23,28 +23,23 @@ queue_run_in_order tls_advertise_hosts = * -# Set certificate only if server CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com .ifdef CERT tls_certificate = CERT .else -tls_certificate = ${if eq {SERVER}{server} \ - {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ +tls_certificate = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ {CDIR2/fullchain.pem}\ - {CDIR1/fullchain.pem}}}\ - fail} + {CDIR1/fullchain.pem}} .endif .ifdef ALLOW tls_privatekey = ALLOW .else -tls_privatekey = ${if eq {SERVER}{server} \ - {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ +tls_privatekey = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ {CDIR2/server1.example.com.unlocked.key}\ - {CDIR1/server1.example.net.unlocked.key}}}\ - fail} + {CDIR1/server1.example.net.unlocked.key}} .endif # ----- Routers ----- diff --git a/test/confs/5847 b/test/confs/5847 new file mode 100644 index 000000000..9f3277cb0 --- /dev/null +++ b/test/confs/5847 
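Review bot: Dropping the `eq {SERVER}{server}` guard in test/confs/5840 makes tls_certificate and tls_privatekey unconditional, so the client-side run (no -DSERVER) now also loads server1's certificate and key, and the former `fail` branch that turned a missing SERVER definition into an expansion error is gone. The deleted `# Set certificate only if server` comment is not replaced, so the reason for the change is recoverable only from the commit title; a one-line comment stating why the client run now needs a certificate, e.g. `# Certificate and key are loaded for client runs too`, would record it. The same unconditional block is copied verbatim into the new test/confs/5847, so that comment belongs there as well.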
@@ -0,0 +1,150 @@ +# Exim test configuration 5847 +# OCSP stapling under DANE, client + +SERVER = + +exim_path = EXIM_PATH +keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$ +host_lookup_order = bydns +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME +chunking_advertise_hosts = +primary_hostname = server1.example.com + +.ifdef _HAVE_DMARC +dmarc_tld_file = +.endif + + +# ----- Main settings ----- + +domainlist local_domains = test.ex : *.test.ex + +.ifndef OPT +acl_smtp_rcpt = check_recipient +.else +acl_smtp_rcpt = accept verify = recipient/callout +.endif +acl_smtp_data = check_data + +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified +tls_sni +remote_max_parallel = 1 +queue_run_in_order + +tls_advertise_hosts = * + +CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net +CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com + +.ifdef CERT +tls_certificate = CERT +.else +tls_certificate = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ + {CDIR2/fullchain.pem}\ + {CDIR1/fullchain.pem}} +.endif + +.ifdef ALLOW +tls_privatekey = ALLOW +.else +tls_privatekey = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ + {CDIR2/server1.example.com.unlocked.key}\ + {CDIR1/server1.example.net.unlocked.key}} +.endif + +tls_ocsp_file = RETURN + + +# ------ ACL ------ + +begin acl + +check_recipient: + accept domains = +local_domains + deny message = relay not permitted + +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept + +# ----- Routers ----- + +begin routers + +client: + driver = dnslookup + condition = ${if eq {SERVER}{server}{no}{yes}} + dnssec_request_domains = * + self = send + retry_use_local_part + transport = send_to_server${if eq{$local_part}{norequest}{1} \ + {${if eq{$local_part}{norequire} {2} \ + {3} \ + }}} + errors_to = "" + +server: + driver = 
redirect + data = :blackhole: + + +# ----- Transports ----- + +begin transports + + # nostaple +send_to_server1: + driver = smtp + allow_localhost + port = PORT_D + hosts_try_fastopen = : + tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}} + tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} + hosts_try_dane = * + hosts_require_tls = * + hosts_request_ocsp = : + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}}) + + # norequire +send_to_server2: + driver = smtp + allow_localhost + port = PORT_D + hosts_try_fastopen = : + tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}} + tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} + hosts_try_dane = * + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}}) + +# default +send_to_server3: + driver = smtp + allow_localhost + port = PORT_D + hosts_try_fastopen = : + helo_data = helo.data.changed + tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}} + tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} + hosts_try_dane = * + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}}) + + +# ----- Retry ----- + + +begin retry + +* * F,5d,1s + + +# End diff --git a/test/log/5601 b/test/log/5601 index 6bdac8712..471acd45c 100644 --- a/test/log/5601 +++ b/test/log/5601 
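Review bot: All three send_to_server transports in test/confs/5847 set `hosts_try_dane = *` and `hosts_require_tls = *` but not hosts_require_dane, so if the TLSA lookup for mxdane256tak.test.ex fails the client falls back to ordinary TLS, and because every script run uses -DDETAILS=ta the `tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}` expansion is empty, leaving that fallback session unverified. For a test whose point is OCSP behaviour under DANE, that would turn a broken DANE setup into a delivery that only the CV= mismatch in the expected log would catch; `hosts_require_dane = *` on each of the three transports would make the DANE path explicit and fail loudly. The `# note no ocsp mention here` comment on send_to_server2 would read better if it said what is relied on, e.g. `# no ocsp options here: the default requests but does not require stapling`, which is what the script's norequire case presumes.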
@@ -9,13 +9,13 @@
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for nostaple_required@test.ex
 1999-03-02 09:44:33 10HmbD-0005vi-00 Required TLS certificate status not received
-1999-03-02 09:44:33 10HmbD-0005vi-00 == nostaple_required@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbD-0005vi-00 == nostaple_required@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Required TLS certificate status not received
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for revoked@test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
-1999-03-02 09:44:33 10HmbE-0005vi-00 == revoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbE-0005vi-00 == revoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate revoked
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for expired@test.ex
 1999-03-02 09:44:33 10HmbF-0005vi-00 OCSP dates invalid
-1999-03-02 09:44:33 10HmbF-0005vi-00 == expired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 == expired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate status is out-of-date
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
diff --git a/test/log/5611 b/test/log/5611
index bb4349560..1def09191 100644
--- a/test/log/5611
+++ b/test/log/5611
@@ -9,13 +9,13 @@
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for lack_required@test.ex
 1999-03-02 09:44:33 10HmbD-0005vi-00 Required TLS certificate status not received
-1999-03-02 09:44:33 10HmbD-0005vi-00 == lack_required@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbD-0005vi-00 == lack_required@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Required TLS certificate status not received
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for revoved@test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
-1999-03-02 09:44:33 10HmbE-0005vi-00 == revoved@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbE-0005vi-00 == revoved@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate revoked
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for expired@test.ex
 1999-03-02 09:44:33 10HmbF-0005vi-00 OCSP dates invalid
-1999-03-02 09:44:33 10HmbF-0005vi-00 == expired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 == expired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate status is out-of-date
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
diff --git a/test/log/5740 b/test/log/5740
index 88e4a46bb..f8a6c8d23 100644
--- a/test/log/5740
+++ b/test/log/5740
@@ -17,15 +17,15 @@
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for failrequire@test.ex
 1999-03-02 09:44:33 10HmbF-0005vi-00 Required TLS certificate status not received
 1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 1 (notresp)
-1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Required TLS certificate status not received
 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for failrevoked@test.ex
 1999-03-02 09:44:33 10HmbG-0005vi-00 Server certificate revoked; reason: superseded
 1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 3 (failed)
-1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate revoked
 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for failexpired@test.ex
 1999-03-02 09:44:33 10HmbH-0005vi-00 OCSP dates invalid
 1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed)
-1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate status is out-of-date
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
diff --git a/test/log/5847 b/test/log/5847
new file mode 100644
index 000000000..4f8632640
--- /dev/null
+++ b/test/log/5847
@@ -0,0 +1,51 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for norequire@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@mxdane256tak.test.ex R=client T=send_to_server2 H=dane256tak.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for norequest@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequest@mxdane256tak.test.ex R=client T=send_to_server1 H=dane256tak.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for goodstaple@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmbB-0005vi-00 => goodstaple@mxdane256tak.test.ex R=client T=send_to_server3 H=dane256tak.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for nostaple_required@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmbD-0005vi-00 Required TLS certificate status not received +1999-03-02 09:44:33 10HmbD-0005vi-00 DANE attempt failed; TLS connection to dane256tak.test.ex [ip4.ip4.ip4.ip4]: (SSL_connect) Required TLS certificate status not received +1999-03-02 09:44:33 10HmbD-0005vi-00 == nostaple_required@mxdane256tak.test.ex R=client T=send_to_server3 defer (-37) H=dane256tak.test.ex [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect) Required TLS certificate status not received +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for 
revoked@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded +1999-03-02 09:44:33 10HmbE-0005vi-00 DANE attempt failed; TLS connection to dane256tak.test.ex [ip4.ip4.ip4.ip4]: (SSL_connect) Server certificate revoked +1999-03-02 09:44:33 10HmbE-0005vi-00 == revoked@mxdane256tak.test.ex R=client T=send_to_server3 defer (-37) H=dane256tak.test.ex [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect) Server certificate revoked +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for expired@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmbF-0005vi-00 OCSP dates invalid +1999-03-02 09:44:33 10HmbF-0005vi-00 DANE attempt failed; TLS connection to dane256tak.test.ex [ip4.ip4.ip4.ip4]: (SSL_connect) Server certificate status is out-of-date +1999-03-02 09:44:33 10HmbF-0005vi-00 == expired@mxdane256tak.test.ex R=client T=send_to_server3 defer (-37) H=dane256tak.test.ex [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect) Server certificate status is out-of-date +1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for goodstaple_le@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmbG-0005vi-00 => goodstaple_le@mxdane256tak.test.ex R=client T=send_to_server3 H=dane256tak.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00" +1999-03-02 09:44:33 10HmbG-0005vi-00 Completed + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 (notresp) +1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=E10HmaX-0005vi-00@server1.example.com for norequire@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: 
<norequire@mxdane256tak.test.ex> R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 0 (notreq) +1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=E10HmaZ-0005vi-00@server1.example.com for norequest@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <norequest@mxdane256tak.test.ex> R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 (verified) +1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=(helo.data.changed) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=E10HmbB-0005vi-00@server1.example.com for goodstaple@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <goodstaple@mxdane256tak.test.ex> R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>> +1999-03-02 09:44:33 exim x.yz daemon started: pid=p1237, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>> +1999-03-02 09:44:33 exim x.yz daemon started: pid=p1238, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>> +1999-03-02 09:44:33 exim x.yz daemon started: pid=p1239, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 10HmbH-0005vi-00 client 
claims: ocsp status 4 (verified) +1999-03-02 09:44:33 10HmbH-0005vi-00 <= <> H=(helo.data.changed) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=E10HmbG-0005vi-00@server1.example.com for goodstaple_le@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmbH-0005vi-00 => :blackhole: <goodstaple_le@mxdane256tak.test.ex> R=server +1999-03-02 09:44:33 10HmbH-0005vi-00 Completed diff --git a/test/scripts/5846-DANE-OpenSSL-OCSP/5847 b/test/scripts/5846-DANE-OpenSSL-OCSP/5847 new file mode 100644 index 000000000..0916bd97a --- /dev/null +++ b/test/scripts/5846-DANE-OpenSSL-OCSP/5847 
@@ -0,0 +1,78 @@ +# OCSP stapling under DANE, client +# +# +# ============================================ +# Group 1: TLSA (2 1 1) (DANE-TA SPKI SHA2-256) +# +# Client works when we request but don't require OCSP stapling and none comes +exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta -DRETURN="" +**** +exim -odf norequire@mxdane256tak.test.ex +**** +killdaemon +# +# +# +# +# Client works when we don't request OCSP stapling +exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta \ + -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp +**** +exim -odf norequest@mxdane256tak.test.ex +**** +# +# +# +# +# Client accepts good stapled info +exim -odf goodstaple@mxdane256tak.test.ex +**** +killdaemon +# +# +# +# Client fails on lack of required stapled info +exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta -DRETURN="" +**** +exim -odf nostaple_required@mxdane256tak.test.ex +**** +killdaemon +sudo rm -f spool/db/retry* spool/input/* +# +# +# +# Client fails on revoked stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta \ + -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp +**** +exim -odf revoked@mxdane256tak.test.ex +**** +killdaemon +sudo rm -f spool/db/retry* spool/input/* +# +# +# +# +# Client fails on expired stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta \ + -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp +**** +exim -odf expired@mxdane256tak.test.ex +**** +killdaemon +sudo rm -f spool/db/retry* spool/input/* +# +# +# ============================================ +# Group 2: TLSA (2 1 1) (DANE-TA SPKI SHA2-256) but with LE-mode OCSP +# +exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta \ + -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.good.resp +**** +# +# 
Client accepts good stapled info +exim -odf goodstaple_le@mxdane256tak.test.ex +**** +killdaemon +# +no_msglog_check diff --git a/test/scripts/5846-DANE-OpenSSL-OCSP/REQUIRES b/test/scripts/5846-DANE-OpenSSL-OCSP/REQUIRES new file mode 100644 index 000000000..fa226f8e2 --- /dev/null +++ b/test/scripts/5846-DANE-OpenSSL-OCSP/REQUIRES @@ -0,0 +1,4 @@ +support DANE +support OpenSSL +support OCSP +running IPv4 diff --git a/test/stderr/5840 b/test/stderr/5840 index 6cae7d46e..35e6c22e2 100644 --- a/test/stderr/5840 +++ b/test/stderr/5840 @@ -10,7 +10,7 @@ >>> host in helo_try_verify_hosts? no (option unset) >>> host in helo_accept_junk_hosts? no (option unset) >>> test in helo_lookup_domains? no (end of list) ->>> processing "accept" (TESTSUITE/test-config 93) +>>> processing "accept" (TESTSUITE/test-config 88) >>> check verify = recipient/callout >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing rcptuser@dane256ee.test.ex |
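Review bot: Both groups in test/scripts/5846-DANE-OpenSSL-OCSP/5847 run with -DDETAILS=ta against the same mxdane256tak.test.ex name, so only the DANE-TA (2 1 1) usage is exercised; whether stapled status is expected to matter under DANE-EE (3 1 1) is left unstated, and a header comment such as `# DANE-EE (3 1 1) is not covered here: <reason>` would record the intent, or a third group would close the gap. The Group 2 heading `LE-mode OCSP` is explained only by the response file name signernocert.good.resp; presumably this is a response whose signer certificate is not embedded, and saying so in the comment would spare the next reader the guess. The revoked and expired cases set EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y only on the daemon, which matches the `keep_environment` pattern in the new config, but a one-line comment at the first such use saying why the validity check is disabled (canned responses with stale dates) would make that dependency visible.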