authorJeremy Harris <jgh146exb@wizmail.org>2022-11-22 22:32:59 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2022-11-23 00:06:42 +0000
commit415c5379af11bf8777af1a082a336ad7c5369525 (patch)
tree6e83a790e09a20e172276887d9060cba05d2dc8f /test
parent6242a0bdfb6bacb2fc52e335ca550b62f2f39020 (diff)
downloadexim4-415c5379af11bf8777af1a082a336ad7c5369525.tar.gz
OpenSSL: OCSP under DANE
Diffstat (limited to 'test')
-rwxr-xr-xtest/aux-fixed/exim-ca/genall5
-rw-r--r--test/confs/584013
-rw-r--r--test/confs/5847150
-rw-r--r--test/log/56016
-rw-r--r--test/log/56116
-rw-r--r--test/log/57406
-rw-r--r--test/log/584751
-rw-r--r--test/scripts/5846-DANE-OpenSSL-OCSP/584778
-rw-r--r--test/scripts/5846-DANE-OpenSSL-OCSP/REQUIRES4
-rw-r--r--test/stderr/58402
10 files changed, 301 insertions, 20 deletions
diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall
index 85edfc29c..878c6aba0 100755
--- a/test/aux-fixed/exim-ca/genall
+++ b/test/aux-fixed/exim-ca/genall
@@ -34,9 +34,12 @@ do
# -F create sub-signing cert
# -C CRL
# -O create OCSP responder cert
+ # -3 Authority key ID extension
+ # -8 Subject Alternate Names
+
clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/
- # create server certs
+ # create server leaf certs
# -m <months>
clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
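Review bot: The new legend line `# -8 Subject Alternate Names` omits the argument form, while the use a few lines down passes a comma-separated list, so `# -8 Subject Alternate Names (comma-separated list)` would read more precisely. The legend also now lists `-3`, which the clica invocation directly below does not pass; presumably a later call in this loop uses it, outside the hunk (the enclosing `do` loop starts before the hunk). On the unchanged responder line the hostname in `-O http://oscp.$iname/` reads 'oscp' rather than 'ocsp'; that predates this commit and the OCSP fixtures are presumably generated with that URL baked into the certificates, so correcting it would mean regenerating them rather than a one-line edit.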
diff --git a/test/confs/5840 b/test/confs/5840
index 1b3b122b3..1e6406eaa 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -23,28 +23,23 @@ queue_run_in_order
tls_advertise_hosts = *
-# Set certificate only if server
CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
.ifdef CERT
tls_certificate = CERT
.else
-tls_certificate = ${if eq {SERVER}{server} \
- {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
+tls_certificate = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
{CDIR2/fullchain.pem}\
- {CDIR1/fullchain.pem}}}\
- fail}
+ {CDIR1/fullchain.pem}}
.endif
.ifdef ALLOW
tls_privatekey = ALLOW
.else
-tls_privatekey = ${if eq {SERVER}{server} \
- {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
+tls_privatekey = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
{CDIR2/server1.example.com.unlocked.key}\
- {CDIR1/server1.example.net.unlocked.key}}}\
- fail}
+ {CDIR1/server1.example.net.unlocked.key}}
.endif
# ----- Routers -----
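Review bot: Removing the `${if eq {SERVER}{server} … fail}` guard around `tls_certificate` and `tls_privatekey` means the client-side Exim in this test now also loads a certificate and key, and will present them if the peer requests client authentication; the deleted `# Set certificate only if server` comment recorded the old behaviour as deliberate, and the commit message (OCSP under DANE) does not mention the change. If the aim is only to share a stanza with the new 5847 conf, a replacement comment such as `# cert/key loaded on both sides; the client only presents them if the server asks` would keep the intent visible. The server side of this test does not appear to request client certificates (no `tls_verify_hosts`/`tls_try_verify_hosts` is visible in the hunk), so the expected logs should be unaffected, but that is inferred rather than shown here.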
diff --git a/test/confs/5847 b/test/confs/5847
new file mode 100644
index 000000000..9f3277cb0
--- /dev/null
+++ b/test/confs/5847
@@ -0,0 +1,150 @@
+# Exim test configuration 5847
+# OCSP stapling under DANE, client
+
+SERVER =
+
+exim_path = EXIM_PATH
+keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$
+host_lookup_order = bydns
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+chunking_advertise_hosts =
+primary_hostname = server1.example.com
+
+.ifdef _HAVE_DMARC
+dmarc_tld_file =
+.endif
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+.ifndef OPT
+acl_smtp_rcpt = check_recipient
+.else
+acl_smtp_rcpt = accept verify = recipient/callout
+.endif
+acl_smtp_data = check_data
+
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified +tls_sni
+remote_max_parallel = 1
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+.ifdef CERT
+tls_certificate = CERT
+.else
+tls_certificate = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
+ {CDIR2/fullchain.pem}\
+ {CDIR1/fullchain.pem}}
+.endif
+
+.ifdef ALLOW
+tls_privatekey = ALLOW
+.else
+tls_privatekey = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
+ {CDIR2/server1.example.com.unlocked.key}\
+ {CDIR1/server1.example.net.unlocked.key}}
+.endif
+
+tls_ocsp_file = RETURN
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept domains = +local_domains
+ deny message = relay not permitted
+
+check_data:
+ warn condition = ${if def:h_X-TLS-out:}
+ logwrite = client claims: $h_X-TLS-out:
+ accept
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = dnslookup
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ dnssec_request_domains = *
+ self = send
+ retry_use_local_part
+ transport = send_to_server${if eq{$local_part}{norequest}{1} \
+ {${if eq{$local_part}{norequire} {2} \
+ {3} \
+ }}}
+ errors_to = ""
+
+server:
+ driver = redirect
+ data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+ # nostaple
+send_to_server1:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
+ tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
+ hosts_try_dane = *
+ hosts_require_tls = *
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}})
+
+ # norequire
+send_to_server2:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
+ tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
+ hosts_try_dane = *
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}})
+
+# default
+send_to_server3:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+ hosts_try_fastopen = :
+ helo_data = helo.data.changed
+ tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
+ tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
+ hosts_try_dane = *
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}})
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,1s
+
+
+# End
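Review bot: The transport comments do not match the router's dispatch: `send_to_server1`, labelled `# nostaple`, is the transport selected for the `norequest` local part and sets `hosts_request_ocsp = :`, so the label should read `# norequest (OCSP not requested)`; likewise `# default` on `send_to_server3` describes the router's fallback branch rather than Exim defaults, since that transport sets `hosts_require_ocsp = *`, and `# default route: request and require OCSP stapling` would be clearer. The `OPT`/`no_certname` switch in `acl_smtp_rcpt` and `tls_verify_cert_hostnames`, and the `DETAILS=ca`/`ee` branches of `tls_certificate`/`tls_verify_certificates`, are carried over from 5840 but never set by the 5847 script; if they are kept for parity with 5840 a one-line comment saying so would stop a reader hunting for the cases that use them. Note also that `check_data` logs the client-supplied `X-TLS-out:` header verbatim; that is fine in the harness, where the client is Exim itself, but the comment `# header is asserted by our own client; not a trustworthy source in general` would make the trust assumption explicit.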
diff --git a/test/log/5601 b/test/log/5601
index 6bdac8712..471acd45c 100644
--- a/test/log/5601
+++ b/test/log/5601
@@ -9,13 +9,13 @@
1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for nostaple_required@test.ex
1999-03-02 09:44:33 10HmbD-0005vi-00 Required TLS certificate status not received
-1999-03-02 09:44:33 10HmbD-0005vi-00 == nostaple_required@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbD-0005vi-00 == nostaple_required@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Required TLS certificate status not received
1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for revoked@test.ex
1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
-1999-03-02 09:44:33 10HmbE-0005vi-00 == revoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbE-0005vi-00 == revoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate revoked
1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for expired@test.ex
1999-03-02 09:44:33 10HmbF-0005vi-00 OCSP dates invalid
-1999-03-02 09:44:33 10HmbF-0005vi-00 == expired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 == expired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate status is out-of-date
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
diff --git a/test/log/5611 b/test/log/5611
index bb4349560..1def09191 100644
--- a/test/log/5611
+++ b/test/log/5611
@@ -9,13 +9,13 @@
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for lack_required@test.ex
1999-03-02 09:44:33 10HmbD-0005vi-00 Required TLS certificate status not received
-1999-03-02 09:44:33 10HmbD-0005vi-00 == lack_required@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbD-0005vi-00 == lack_required@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Required TLS certificate status not received
1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for revoved@test.ex
1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
-1999-03-02 09:44:33 10HmbE-0005vi-00 == revoved@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbE-0005vi-00 == revoved@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate revoked
1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for expired@test.ex
1999-03-02 09:44:33 10HmbF-0005vi-00 OCSP dates invalid
-1999-03-02 09:44:33 10HmbF-0005vi-00 == expired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 == expired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate status is out-of-date
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
diff --git a/test/log/5740 b/test/log/5740
index 88e4a46bb..f8a6c8d23 100644
--- a/test/log/5740
+++ b/test/log/5740
@@ -17,15 +17,15 @@
1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for failrequire@test.ex
1999-03-02 09:44:33 10HmbF-0005vi-00 Required TLS certificate status not received
1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 1 (notresp)
-1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Required TLS certificate status not received
1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for failrevoked@test.ex
1999-03-02 09:44:33 10HmbG-0005vi-00 Server certificate revoked; reason: superseded
1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 3 (failed)
-1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate revoked
1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for failexpired@test.ex
1999-03-02 09:44:33 10HmbH-0005vi-00 OCSP dates invalid
1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed)
-1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect) Server certificate status is out-of-date
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
diff --git a/test/log/5847 b/test/log/5847
new file mode 100644
index 000000000..4f8632640
--- /dev/null
+++ b/test/log/5847
@@ -0,0 +1,51 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for norequire@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@mxdane256tak.test.ex R=client T=send_to_server2 H=dane256tak.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for norequest@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequest@mxdane256tak.test.ex R=client T=send_to_server1 H=dane256tak.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for goodstaple@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 => goodstaple@mxdane256tak.test.ex R=client T=send_to_server3 H=dane256tak.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for nostaple_required@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 Required TLS certificate status not received
+1999-03-02 09:44:33 10HmbD-0005vi-00 DANE attempt failed; TLS connection to dane256tak.test.ex [ip4.ip4.ip4.ip4]: (SSL_connect) Required TLS certificate status not received
+1999-03-02 09:44:33 10HmbD-0005vi-00 == nostaple_required@mxdane256tak.test.ex R=client T=send_to_server3 defer (-37) H=dane256tak.test.ex [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect) Required TLS certificate status not received
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for revoked@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
+1999-03-02 09:44:33 10HmbE-0005vi-00 DANE attempt failed; TLS connection to dane256tak.test.ex [ip4.ip4.ip4.ip4]: (SSL_connect) Server certificate revoked
+1999-03-02 09:44:33 10HmbE-0005vi-00 == revoked@mxdane256tak.test.ex R=client T=send_to_server3 defer (-37) H=dane256tak.test.ex [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect) Server certificate revoked
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for expired@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmbF-0005vi-00 OCSP dates invalid
+1999-03-02 09:44:33 10HmbF-0005vi-00 DANE attempt failed; TLS connection to dane256tak.test.ex [ip4.ip4.ip4.ip4]: (SSL_connect) Server certificate status is out-of-date
+1999-03-02 09:44:33 10HmbF-0005vi-00 == expired@mxdane256tak.test.ex R=client T=send_to_server3 defer (-37) H=dane256tak.test.ex [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect) Server certificate status is out-of-date
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss for goodstaple_le@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 => goodstaple_le@mxdane256tak.test.ex R=client T=send_to_server3 H=dane256tak.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 (notresp)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=E10HmaX-0005vi-00@server1.example.com for norequire@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@mxdane256tak.test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 0 (notreq)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=E10HmaZ-0005vi-00@server1.example.com for norequest@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <norequest@mxdane256tak.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 (verified)
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=(helo.data.changed) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=E10HmbB-0005vi-00@server1.example.com for goodstaple@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <goodstaple@mxdane256tak.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1237, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1238, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1239, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 10HmbH-0005vi-00 client claims: ocsp status 4 (verified)
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= <> H=(helo.data.changed) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=E10HmbG-0005vi-00@server1.example.com for goodstaple_le@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmbH-0005vi-00 => :blackhole: <goodstaple_le@mxdane256tak.test.ex> R=server
+1999-03-02 09:44:33 10HmbH-0005vi-00 Completed
diff --git a/test/scripts/5846-DANE-OpenSSL-OCSP/5847 b/test/scripts/5846-DANE-OpenSSL-OCSP/5847
new file mode 100644
index 000000000..0916bd97a
--- /dev/null
+++ b/test/scripts/5846-DANE-OpenSSL-OCSP/5847
@@ -0,0 +1,78 @@
+# OCSP stapling under DANE, client
+#
+#
+# ============================================
+# Group 1: TLSA (2 1 1) (DANE-TA SPKI SHA2-256)
+#
+# Client works when we request but don't require OCSP stapling and none comes
+exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta -DRETURN=""
+****
+exim -odf norequire@mxdane256tak.test.ex
+****
+killdaemon
+#
+#
+#
+#
+# Client works when we don't request OCSP stapling
+exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta \
+ -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+exim -odf norequest@mxdane256tak.test.ex
+****
+#
+#
+#
+#
+# Client accepts good stapled info
+exim -odf goodstaple@mxdane256tak.test.ex
+****
+killdaemon
+#
+#
+#
+# Client fails on lack of required stapled info
+exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta -DRETURN=""
+****
+exim -odf nostaple_required@mxdane256tak.test.ex
+****
+killdaemon
+sudo rm -f spool/db/retry* spool/input/*
+#
+#
+#
+# Client fails on revoked stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta \
+ -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+exim -odf revoked@mxdane256tak.test.ex
+****
+killdaemon
+sudo rm -f spool/db/retry* spool/input/*
+#
+#
+#
+#
+# Client fails on expired stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta \
+ -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+exim -odf expired@mxdane256tak.test.ex
+****
+killdaemon
+sudo rm -f spool/db/retry* spool/input/*
+#
+#
+# ============================================
+# Group 2: TLSA (2 1 1) (DANE-TA SPKI SHA2-256) but with LE-mode OCSP
+#
+exim -bd -oX PORT_D -DSERVER=server -DDETAILS=ta \
+ -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.signernocert.good.resp
+****
+#
+# Client accepts good stapled info
+exim -odf goodstaple_le@mxdane256tak.test.ex
+****
+killdaemon
+#
+no_msglog_check
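Review bot: The revoked and expired cases start the server with `EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y` and the script does not say why; presumably this keeps the server from refusing to staple the canned, long-stale responses from `tls_ocsp_file`, so that the client-side rejection is what gets exercised, but a comment above those two invocations such as `# canned responses are old; let the server staple them anyway so the client's checks are what is tested` would save the next reader working it out. The header describes Group 1 as DANE-TA (2 1 1), yet the conf's `DETAILS=ca`/`ee` and `OPT=no_certname` paths are never exercised here; either note that a later script covers them or trim the conf. The `sudo rm -f spool/db/retry* spool/input/*` clean-ups appear only after the failing deliveries, which is consistent, but the expired case relies on the preceding revoked case's clean-up having run, so the ordering of the cases is load-bearing and worth a comment.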
diff --git a/test/scripts/5846-DANE-OpenSSL-OCSP/REQUIRES b/test/scripts/5846-DANE-OpenSSL-OCSP/REQUIRES
new file mode 100644
index 000000000..fa226f8e2
--- /dev/null
+++ b/test/scripts/5846-DANE-OpenSSL-OCSP/REQUIRES
@@ -0,0 +1,4 @@
+support DANE
+support OpenSSL
+support OCSP
+running IPv4
diff --git a/test/stderr/5840 b/test/stderr/5840
index 6cae7d46e..35e6c22e2 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -10,7 +10,7 @@
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
>>> test in helo_lookup_domains? no (end of list)
->>> processing "accept" (TESTSUITE/test-config 93)
+>>> processing "accept" (TESTSUITE/test-config 88)
>>> check verify = recipient/callout
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing rcptuser@dane256ee.test.ex