# TLS server: general ops and certificate extractions
gnutls
#
# Very early (unsure when) GnuTLS prefers RSA auth by default.  Later, but before 3.6.x, prefers
# ECDSA but the client can be given a priority order to override that.  We're running the server
# with no priority string given (tls_require_ciphers) hence default, and with both types of
# server cert loaded (RSA first, though we don't document that as relevant and in testing it
# does not appear to matter).
#
# GnuTLS 3.6.5 appears to ignore the client priority ordering, always choosing ECDSA if both
# are permitted, if TLS1.3 is permitted, so we limit to TLS1.2.
#
# Layout of this script: each client stanza below runs until the next "****" line; lines starting
# with "???" are the response prefixes the client must receive before it sends the following line.
# Every client priority string starts from NONE, so only the algorithms explicitly listed are
# enabled (COMP-NULL = no TLS compression), and VERS-TLS1.2 keeps the protocol version fixed for
# the reason given above.
#
# Start the daemon under test: -DSERVER=server selects the server side of the test configuration,
# -bd runs it as a listening daemon and -oX binds it to the runner-supplied PORT_D.
exim -DSERVER=server -bd -oX PORT_D
****
# Have the client do RSA (but support ECDSA as well).  That should get us RSA on both older and newer GnuTLS.
# Only RSA key exchanges (ECDHE-RSA, DHE-RSA, RSA) are listed, so the server is steered to its RSA cert.
client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<CALLER@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message.
.
??? 250
quit
??? 221
****
# Same priority string as the previous session; the only difference is the sender address,
# whose local-part is quoted and contains spaces.
client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<"name with spaces"@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message.
.
??? 250
quit
??? 221
****
#
# Server asks for a client cert but client does not supply one
# This session connects via HOSTIPV4 rather than 127.0.0.1 and matches the full EHLO response
# lines.  After STARTTLS a "nop" is sent and "???*" is used in place of a fixed response, so
# whatever the server returns (if anything) after the TLS error is accepted -- confirm the exact
# "???*" semantics against the test-suite client program.
client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 HOSTIPV4 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-SIZE
??? 250-8BITMIME
??? 250-PIPELINING
??? 250-STARTTLS
??? 250 HELP
starttls
??? 220 TLS go ahead
nop
???*
****
# ensure sequence of log TLS error line
# Restarting the daemon here presumably guarantees that the TLS error from the session above is
# logged before the log entries of the following sessions, keeping the expected log order stable.
killdaemon
sleep 1
exim -DSERVER=server -bd -oX PORT_D
****
#
#
# Server asks for a client cert, and one is given which is verifiable by the server
# The cert and key are test fixtures under DIR/aux-fixed/exim-ca (server2.example.com); the
# ".unlocked.key" name suggests a key with no passphrase, so the client needs no interactive input.
client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<CALLER@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message from a verified host.
.
??? 250
quit
??? 221
****
#
#
# A client that only talks RSA.
#
# We have to specify the key-exchange as well as the authentication, otherwise,
# the GnuTLS server side being foolish - it picks an ECDSA cipher-suite and then can't use it :(
# Possibly fixed in 3.6.x ?
#
# Unlike the earlier sessions, SIGN-ECDSA-SHA512 is not offered at all here.
client-gnutls -p NONE:+SIGN-RSA-SHA256:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<CALLER@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message.
It should be sent under the RSA server cert and with an RSA cipher.
.
??? 250
quit
??? 221
****
#
#
# Make ECDSA authentication preferred (Older GnuTLS prefers RSA, it seems, Newer, ECDSA).
# Only the ECDSA signature algorithm is offered, with all key exchanges (KX-ALL) allowed, so the
# server has to use its EC cert for this session.
client-gnutls -p NONE:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+KX-ALL:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<CALLER@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message.
It should be sent under the EC server cert and with an ECDSA cipher.
.
??? 250
quit
??? 221
****
killdaemon
sleep 1
# clear out the queue
# -qf is a forced queue run, so the messages accepted in the sessions above are delivered now
# rather than being left behind for a later test.
exim -qf
****
sleep 1
#
# STARTTLS used when not advertised
# -bh simulates an inbound SMTP session from 10.0.0.1 with the commands below fed on stdin.
# No EHLO is sent first, so STARTTLS arrives without having been advertised; there are no "???"
# lines because this input goes straight to exim rather than to the client program.
exim -bh 10.0.0.1
starttls
quit
****