From 7fa5764c203f2f4a900898a79ed02d674075313f Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 2 Jan 2023 15:04:14 +0000 Subject: OpenSSL: Fix tls_eccurve on earlier versions than 3.0.0. Bug 2954 Broken-by: ca4014de81e6 --- test/log/2149 | 28 ++++++++++++++-------------- test/runtest | 3 +++ test/scripts/2100-OpenSSL/2149 | 22 ++++++++++++---------- 3 files changed, 29 insertions(+), 24 deletions(-) (limited to 'test') diff --git a/test/log/2149 b/test/log/2149 index 0d4235846..3832ba076 100644 --- a/test/log/2149 +++ b/test/log/2149 @@ -1,45 +1,45 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => optnotpresent@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 => explicitauto@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbB-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 => explicitempty@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00" 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbD-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 => prime256v1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00" 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbF-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00" +1999-03-02 09:44:33 10HmbF-0005vi-00 => secp384r1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00" 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbH-0005vi-00 H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed -1999-03-02 09:44:33 10HmbH-0005vi-00 == userx@test.ex R=client T=send_to_server defer (-38) H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed -1999-03-02 09:44:33 10HmbH-0005vi-00 ** userx@test.ex: retry timeout exceeded -1999-03-02 09:44:33 10HmbH-0005vi-00 userx@test.ex: error ignored +1999-03-02 09:44:33 10HmbH-0005vi-00 == user_fail@test.ex R=client T=send_to_server defer (-38) H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed +1999-03-02 09:44:33 10HmbH-0005vi-00 ** user_fail@test.ex: retry timeout exceeded +1999-03-02 09:44:33 10HmbH-0005vi-00 user_fail@test.ex: error ignored 1999-03-02 09:44:33 10HmbH-0005vi-00 Completed ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmaY-0005vi-00 => userx R=server T=local_delivery +1999-03-02 09:44:33 10HmaY-0005vi-00 => optnotpresent R=server T=local_delivery 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbA-0005vi-00 => userx R=server T=local_delivery +1999-03-02 09:44:33 10HmbA-0005vi-00 => explicitauto R=server T=local_delivery 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbC-0005vi-00 => userx R=server T=local_delivery +1999-03-02 09:44:33 10HmbC-0005vi-00 => explicitempty R=server T=local_delivery 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1237, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbE-0005vi-00 => userx R=server T=local_delivery +1999-03-02 09:44:33 10HmbE-0005vi-00 => prime256v1 R=server T=local_delivery 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1238, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmbG-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbG-0005vi-00 => userx R=server T=local_delivery +1999-03-02 09:44:33 10HmbG-0005vi-00 => secp384r1 R=server T=local_delivery 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1239, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (Unknown curve name tls_eccurve 'bogus'): error:00000000:lib(0)::reason(0) +1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] Unknown curve name tls_eccurve 'bogus' diff --git a/test/runtest b/test/runtest index c518c1080..900fc7bbb 100755 --- a/test/runtest +++ b/test/runtest @@ -1165,6 +1165,9 @@ RESET_AFTER_EXTRA_LINE_READ: next if /^TLS: not preloading (CA bundle|cipher list) for server$/; next if /^TLS: not preloading server certs$/; + # some plaatforms are missing the standard CA bundle file + next if /^tls_set_watch\(\) fail on '\/usr\/lib\/ssl\/cert.pem': No such file or directory$/; + # drop lookups next if /^$time_pid?(?: Lookups\ \(built-in\): | Loading\ lookup\ modules\ from diff --git a/test/scripts/2100-OpenSSL/2149 b/test/scripts/2100-OpenSSL/2149 index 59263df81..f1af49907 100644 --- a/test/scripts/2100-OpenSSL/2149 +++ b/test/scripts/2100-OpenSSL/2149 @@ -6,14 +6,14 @@ # Baseline: tls_eccurve option not present exim -DSERVER=server -bd -oX PORT_D **** -exim -odf userx@test.ex +exim -odf optnotpresent@test.ex **** killdaemon # # Explicit tls_eccurve setting of "auto" exim -DSERVER=server -DDATA=auto -bd -oX PORT_D **** -exim -odf userx@test.ex +exim -odf explicitauto@test.ex **** killdaemon # @@ -21,30 +21,32 @@ killdaemon # - unclear this works. At least with OpenSSL 3.0.5 we still get an x25519 keyshare in the Server Hello exim -DSERVER=server -DDATA= -bd -oX PORT_D **** -exim -odf userx@test.ex +exim -odf explicitempty@test.ex **** killdaemon # # prime256v1 +# Oddly, 3.0.5 packets show an EC-groups negotiation of C:x255519 S:secp256r1 C:secp384r1 S:secp384r1. +# Hoever, note that RFC 8446 (TLS1.3) does NOT include prime256v1 as one of the allowable +# supported groups (and it's not in the client "supported groups" extension, so what we see seems good. exim -DSERVER=server -DDATA=prime256v1 -bd -oX PORT_D **** -exim -odf userx@test.ex +exim -odf prime256v1@test.ex **** killdaemon # -# X448 -# Client Hello offers an x25519 keyshare, server says "Hello Retry Request" with a KeyShare extension "X448" -# and the client retries Client Hello with that in the KeyShare. -exim -DSERVER=server -DDATA=X448 -bd -oX PORT_D +# secp384r1 +# C:x25519 S:secp384r1 +exim -DSERVER=server -DDATA=secp384r1 -bd -oX PORT_D **** -exim -odf userx@test.ex +exim -odf secp384r1@test.ex **** killdaemon # # "bogus". Should fail to make connection. exim -DSERVER=server -DDATA=bogus -bd -oX PORT_D **** -exim -odf userx@test.ex +exim -odf user_fail@test.ex **** killdaemon # -- cgit v1.2.1