Re: [exim-dev] Test case 2112

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Phil Pennock
Data:  
Para: Jeremy Harris
CC: exim-dev
Asunto: Re: [exim-dev] Test case 2112
On 2012-05-15 at 01:16 +0100, Jeremy Harris wrote:
> I'm confused by testcase 2112. The script comment:


I was. I'm not now, but do think we need better comments explaining WTH
is going on. It's non-trivial.

> 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
> 1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=Philip Hazel
> 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
> 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=Philip Hazel"


So to be clear here: there are two different connection attempts.
Attempt 1 is to HOSTIPV4, when the client attempts to validate the
server certificate, and fails the connection if not. Because
hosts_require_tls is set, the message can't be sent plaintext, so the
second IP in the hosts list is tried, 127.0.0.1.

There are two key/cert pairs in aux-fixed/, cert1 and cert2.

The client presents the same certificate each time. That's
tls_certificate in the transport, always "cert2". The *verification* CA
information, for information expected *from* the server, is set in
tls_verify_certificates on the transport. That changes, depending upon
the remote IP address.

The *server* config always presents cert1 and expects cert2. So the
server always gets the cert it expects.

The client config expects cert1 on 127.0.0.1, and cert2 otherwise.
Since the server is always presenting cert1, the client configuration
fails the first connection (HOSTIPV4) and succeeds on the second
connection, 127.0.0.1.

Thus the logging is correct and CV is always correct. It's just that
the configuration demands different server identity on log-line 3 and
log-line 4 above.

Feel free to add waaay more commentary to that test script. :)

-Phil