[exim-cvs] Handle absent tls_require_ciphers correctly.

Página Inicial
Delete this message
Reply to this message
Autor: Exim Git Commits Mailing List
Data:  
Para: exim-cvs
Assunto: [exim-cvs] Handle absent tls_require_ciphers correctly.
Gitweb: http://git.exim.org/exim.git/commitdiff/83e2f8a2515d1cd787ac68b052f6e4539dd48752
Commit:     83e2f8a2515d1cd787ac68b052f6e4539dd48752
Parent:     6bf5d8f2ca7524fd63f803032cada89e54544cf3
Author:     Phil Pennock <pdp@???>
AuthorDate: Thu May 17 11:17:20 2012 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Thu May 17 11:17:20 2012 -0400


    Handle absent tls_require_ciphers correctly.


    Fix test-suite certs to not use MD5.
    Document that we do not support MD5 certs any longer.
    Make test-suite generate probably-correct gnutls-params filename for us.
---
 src/README.UPDATING         |   10 +++++-
 src/src/tls-gnu.c           |    9 +++++
 test/aux-fixed/cert1        |   78 ++++++++++++++++++++++++++-----------------
 test/aux-fixed/cert2        |   78 ++++++++++++++++++++++++++-----------------
 test/aux-fixed/cert2.revoke |   20 -----------
 test/aux-fixed/crl.pem      |   18 +++++----
 test/runtest                |   14 ++++++--
 7 files changed, 133 insertions(+), 94 deletions(-)


diff --git a/src/README.UPDATING b/src/README.UPDATING
index 81e767e..a91794d 100644
--- a/src/README.UPDATING
+++ b/src/README.UPDATING
@@ -26,9 +26,12 @@ The rest of this document contains information about changes in 4.xx releases
that might affect a running system.


-Exim version 4.78
+Exim version 4.80
-----------------

+ * BEWARE backwards-incompatible changes in SSL libraries, thus the version
+   bump.  See points below for details.
+
  * The value of $tls_peerdn is now print-escaped when written to the spool file
    in a -tls_peerdn line, and unescaped when read back in.  We received reports
    of values with embedded newlines, which caused spool file corruption.
@@ -96,6 +99,11 @@ Exim version 4.78
    parsing entirely and the presence of the options will be a configuration
    error.


+   Note that by default, GnuTLS will not accept RSA-MD5 signatures in chains.
+   A tls_require_ciphers value of NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5 may
+   re-enable support, but this is not supported by the Exim maintainers.
+   Our test suite no longer includes MD5-based certificates.
+
    This rewrite means that Exim will continue to build against GnuTLS in the
    future, brings Exim closer to other GnuTLS applications and lets us add
    support for SNI and other features more readily.  We regret that it wasn't
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index a0a35b4..2f50787 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -698,6 +698,12 @@ if (state->tls_verify_certificates && *state->tls_verify_certificates)
     return OK;
     }
   }
+else
+  {
+  DEBUG(D_tls)
+    debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
+  return OK;
+  }


 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
   {
@@ -939,6 +945,9 @@ if (state->tls_require_ciphers && *state->tls_require_ciphers)
   }
 if (want_default_priorities)
   {
+  DEBUG(D_tls)
+    debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
+        exim_default_gnutls_priority);
   rc = gnutls_priority_init(&state->priority_cache,
       exim_default_gnutls_priority, &errpos);
   p = US exim_default_gnutls_priority;
diff --git a/test/aux-fixed/cert1 b/test/aux-fixed/cert1
index 25a9677..1323e39 100644
--- a/test/aux-fixed/cert1
+++ b/test/aux-fixed/cert1
@@ -1,35 +1,51 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQC4eIDtpcY7ff5P3yCnXXdLWNcewKgUBj6GuNqHAFrfbZq6tDlS
-Z3FXVvOwU4Rgn6ciGP5REYuR4TB26/PY+bJEVUMyAb8OmcE+l6aeG0kQlM3Wa0UU
-fo3GNt9U7+VU7puS3SwLjKYSI6ny17xyFcukBkiRTOo3H6z0yM742wPFeQIDAQAB
-AoGAHOHZJdw/tk7aw3ym6y1qISTuwYTejAwSPBuzM1Ht6G+Lu1G+a9WAXHFjxCa/
-YjV9AIyzPNQnaxa79NKqoj0uGNqixYPI4A3M6T5nmawXXivAbV2fNX1Pg0LQ4DMh
-EdaPwtkghavuPz2CFvIcvsG/XGNo1rUkGrCIpWldPF8bynUCQQDn/x3bdnHpSL7X
-RlFsTRqyiW3/ZFgJnyQvOCDpUcscPPZMD/M+hWqxIIpJAGSrZPIols2kMFUPXkUX
-+8PzNfrjAkEAy46SegCQWQahpiipZq52ffuhFDfhMYU1uANWwRyu1IAOyQ+M+saI
-3cI0ok1bkWsOtNKRr+QgK54zGJIyU8Dg8wJBALjKoxOucumpAiojXrPvbraLdUya
-tu1jD8V05fIzLp/dhynrAovoZaWVD9E6OPW0wJbIGCESRo6pPkvuRJSziJUCQQCE
-rz99dSaiUTdHVtPtUaV9Q2thAXexztIQS2TeZfL0IzEAEDnmMUl/u5qRfPlGFdG1
-PlimnX320J0f1BQoEd7PAkAqp9yNGAjKTqOicyYJ2m87EeudvUzryt0fO3yA5W76
-p0YX7ETgqQqDNOWHrJGHntEXMGhirx7lV5nzva5ypQmt
+MIIEpAIBAAKCAQEA0dyUFZ7037DgtRfGoR0bVqUvCetxdZa42E3sLyZLviWRcKbY
+XyYD1M44zClRq6vGwQGLI0Hea4jlJdIftyr3SmuaerJt2frPVAKcHHAHJ7rOjkUT
+Kp+XHGjsinQg9Up6nz2Qo6Xdg0oPm8YRaMgIa1Qc75cWqzTn3++B5qaW2RtffYf7
+8c1OA958BHWyWlcZJNuJHYLR3CdqJb7ojtfcuCq3cWRRxJhyd/j1T51D+Xw6nGbe
+QovD2+oQ/TBTUuo3Zc2YCRE+PWIQMZakdbD335HjvVj1PAu6oBKQRdccactigkR9
+tBlBIxH0q1Uh1fOd+dgLSoccCK2HlnM/GOzcfwIDAQABAoIBAB71b1MRNAabzUpp
+y3+RD6tkit/nv8EdDv+53xHFkH7og+AefOTscrw9/9r+bXHp0VQ/qgr1eJ5cf5Fo
+wgz/ZaOw5AUdtV7mxRcbm3QGgse1oysRvZYYHO6v+9Ug9Iu7BQPgzSmXGmp3zn2o
+ZoESoUtUCUC/BTUUhPBgIMWp5a75OkaOS3fO3kSaGHPiqX1IbD8T6b7+ViR2qIwU
+LjwFNTBRjorL25VXCsfChGih5TUgR9jIJcGzN6QykCHV7D29AfkRuVrKMRLEM3VD
+3E0ObQfVRoXFEZR3fccJqU6E1Mg9BXbl+I9rwv3GUJXS7fXnmHKRhjzD1Dbo5Afv
+jnSPL+ECgYEA9hepWibJe8N3fSCb7Eqqi/Q8ufCQqnDSCrnY6WJpRIA79DKU7OFm
+3dct5pqXPUlaYC6TDQ8G0LAQL1knsuFejvV8v0y0mZspRbOg94EDTuQWp4oCIqWr
+MEYbiRVHXIg5OjylVAQLM1y9IF+n3aXQAUfcStFtiiM49vRJs9StcdsCgYEA2k+B
+lXN3UjZvwkDeZcjfCH1n0Rxrt0kZ7UbqEPZSz/77m9XIjWv32lpTDLecRdcR8KSx
+OKH24WSQXd7DTWn+DitfSwGJjiduU2c0p4eePzfK7Yeo0bMNVixvjUZt+w9ijkWH
+4CUVgo9TfuxdaTyYlmONk9JVLMeOwR8MdagVWy0CgYEAlpVn9Vgile7HoPNhNbeC
+oFz1A7oma4TZoeKSzkx/qYDmLsj8w+4w6bIPzjnuLXxDJvOY27bELtJtNOvTFOw+
+1i91BAHFyPBe0t3Vs11oTs/W5PHX2KeTFtjvZHR21DIvAmm1qLFIwUcQG00tBL2/
+h+kW7Vk1M//VjZdxue57q10CgYEAufZT+gzbrYp1dNFxIN8VLdQ1ZSmCkCSTE03/
+AOfy7v7TMZHQPrej77pVWFXnpo5n18dSt10wQhs55txlHUKWiVdk2y26EP+BuUYG
+0lZx9IQANooCwm51g9xiQcOm19/pIiwUbFjqk8anZ0zM3WIi0KiI50yaBYUQE23x
+XSAK4RkCgYBsPJiK2BGPvFNBJo6368SVgB1H2Bu9GPUpORdirbFuy/VanSEaAGIK
+vWjIOvEKnJd9NX430drAdD7hcx52fxdCsn97LSBi73Weqov4zNDadsLvTWhxlh+D
+b1SITBDYjxdm9oqv4Uj10l3Ft4/X0MN2aJ4+W3/cFTGL9pNlv21Daw==
 -----END RSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIIDNjCCAp+gAwIBAgIBADANBgkqhkiG9w0BAQQFADB2MQswCQYDVQQGEwJVSzES
-MBAGA1UEBxMJQ2FtYnJpZGdlMSAwHgYDVQQKExdVbml2ZXJzaXR5IG9mIENhbWJy
-aWRnZTEaMBgGA1UECxMRQ29tcHV0aW5nIFNlcnZpY2UxFTATBgNVBAMTDFBoaWxp
-cCBIYXplbDAeFw0wMjA0MTUwODA0MThaFw0yOTA4MzAwODA0MThaMHYxCzAJBgNV
-BAYTAlVLMRIwEAYDVQQHEwlDYW1icmlkZ2UxIDAeBgNVBAoTF1VuaXZlcnNpdHkg
-b2YgQ2FtYnJpZGdlMRowGAYDVQQLExFDb21wdXRpbmcgU2VydmljZTEVMBMGA1UE
-AxMMUGhpbGlwIEhhemVsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4eIDt
-pcY7ff5P3yCnXXdLWNcewKgUBj6GuNqHAFrfbZq6tDlSZ3FXVvOwU4Rgn6ciGP5R
-EYuR4TB26/PY+bJEVUMyAb8OmcE+l6aeG0kQlM3Wa0UUfo3GNt9U7+VU7puS3SwL
-jKYSI6ny17xyFcukBkiRTOo3H6z0yM742wPFeQIDAQABo4HTMIHQMB0GA1UdDgQW
-BBTEcwEd5VFb4YlzEKcvHKP/s4gpVDCBoAYDVR0jBIGYMIGVgBTEcwEd5VFb4Ylz
-EKcvHKP/s4gpVKF6pHgwdjELMAkGA1UEBhMCVUsxEjAQBgNVBAcTCUNhbWJyaWRn
-ZTEgMB4GA1UEChMXVW5pdmVyc2l0eSBvZiBDYW1icmlkZ2UxGjAYBgNVBAsTEUNv
-bXB1dGluZyBTZXJ2aWNlMRUwEwYDVQQDEwxQaGlsaXAgSGF6ZWyCAQAwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBpuWb36BAO+aDbCWVSnt8C2rAz3Ii7
-05kmrTugCiDj4VLHk6DL126Q6AuBWs9HKM/ynOOTcYTz20WkgpXaYf6Cdq/Z538d
-tqD1gAAL2M04O6K41RLcIicVFeXWjjwp5tfQc+AMI7rD0FCHSbhY67+UHUFyoyFK
-x8LiaV5jYIFfbg==
+MIID8DCCAtigAwIBAgIJALYf3pBgPTGPMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
+BAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEGA1UECxMK
+VGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrMB4XDTEyMDUxNzE0NDYw
+M1oXDTMxMDUxMzE0NDYwM1owWDELMAkGA1UEBhMCVUsxHTAbBgNVBAoTFFRoZSBF
+eGltIE1haW50YWluZXJzMRMwEQYDVQQLEwpUZXN0IFN1aXRlMRUwEwYDVQQDEwxQ
+aGlsIFBlbm5vY2swggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDR3JQV
+nvTfsOC1F8ahHRtWpS8J63F1lrjYTewvJku+JZFwpthfJgPUzjjMKVGrq8bBAYsj
+Qd5riOUl0h+3KvdKa5p6sm3Z+s9UApwccAcnus6ORRMqn5ccaOyKdCD1SnqfPZCj
+pd2DSg+bxhFoyAhrVBzvlxarNOff74HmppbZG199h/vxzU4D3nwEdbJaVxkk24kd
+gtHcJ2olvuiO19y4KrdxZFHEmHJ3+PVPnUP5fDqcZt5Ci8Pb6hD9MFNS6jdlzZgJ
+ET49YhAxlqR1sPffkeO9WPU8C7qgEpBF1xxpy2KCRH20GUEjEfSrVSHV85352AtK
+hxwIrYeWcz8Y7Nx/AgMBAAGjgbwwgbkwHQYDVR0OBBYEFDZtAgvs96t7shvAZbPt
+YIzxz06fMIGJBgNVHSMEgYEwf4AUNm0CC+z3q3uyG8Bls+1gjPHPTp+hXKRaMFgx
+CzAJBgNVBAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEG
+A1UECxMKVGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrggkAth/ekGA9
+MY8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEANtHbMYqw3Ln07gif
+F11TyWuUzfZ1HAdj5x+ec/ZhOrMbXJwNnQnZzdESoiqk0C1fqNsog1ur9pzYxBJo
+92OpxkTxvBr2Wi2igfUPbMXWttKu5OFTU00Y8Lp6JEJjtw1zAQB1ka+/5xGYAPfC
+lL/a4RQygNb2e+Q+fOwWz8YZZ2hsidtc7UbH96Eu4489PipD8GXH0T2SY4VEtwUT
+g6uUJjZpznusPhc/uoq5vZVP9AU1EiU+KE55bRuP0QGKIGK3K5WfodKYvF76lhsG
+gLuqb/jVqZsQKcDSj0BGnlimvgEnydeXSYYIUJichEK7dTSjsAn40hUO2dFRMYTx
+W45BdA==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/cert2 b/test/aux-fixed/cert2
index e41499e..760154a 100644
--- a/test/aux-fixed/cert2
+++ b/test/aux-fixed/cert2
@@ -1,35 +1,51 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDUN6wesp5nny2A5IAy9PqN9pajhpMLWhggY7Sx7uG5v7bPpupH
-zQ9/Hq0K6vQevCp62Mi2lN5xM4kRwMyd8q8gH5hgt23dJFSkBKmmK067TZ53/yOZ
-y270sisQNELlqRfws9CvX/AFXMVs6SjVsLIuAD3sn6x+yeMW/ipr450nXQIDAQAB
-AoGAYZZsTv2CfFIlgaUSEty2rzuaz/3ddpXqjFJtUHlyUZGIhnrSN0xj+OfpWSDs
-O4n52t3/hn50wAeb248WSPfFcaClKMGdCBAMQnbwSoQR4oNiSZQqGw8vyF2PQ2CQ
-FOqQzwnBffimRGInpanoysRazxs6JzsmcLC4a94uIFt7/uECQQDzScFkxUATse5P
-ekilv5Zge2cNa7LO5hACLp9eP46Lxd/0S8eMNlGlftYpqmXhxu6zMUuRyKQAu0Y/
-C14EHIl5AkEA305QKgfzVbo6EWmOvGwIBo3pLWuyI7IntNtLrIE728mankRbnW0f
-mfx+FWmNKgbIXC803X2vAxQwIpnWldw4BQJAcejdqO4GI3KS7xmFPD3pDcGZrZn4
-fZEQe8USj1FYz67VPg/hHZAtSDyLz7RdwYmgJ7xz8o0r5L/KkygiW/B0mQJBAJgH
-LxiOdSImOSZloSGywvwDXX7o1UzsG5BLxIdbLK+D39pkW6MgCeXCOuzFAbBdEceA
-9BLfYGlOMz87URaR6SkCQQCyAwDmaBjF8OiUDQVl4JqJaGNhagocA3h7NIGeccSt
-NtO+qfBHfW7qCBQ7LTgAB6v9CGasRbkrZvglCxRVg6Mj
+MIIEpAIBAAKCAQEA/C6n/2tr0fWFp8vGrP7BfgFTBwnr7cg/XYXso4+WZUOB1aaW
+XmU3sawrwYj5caTZQkapLDkI8pS3SQjIZGqbs+95nKezwnsqjwa8mmhWOaRwqt32
+6mbVvalP88NUvBn4e48w1WcOcRb+IT1LjzMY7RMtQ4F+1LQwybSzMoqUQuQ/z+6d
+cH8k/NtNc4x1cUSTCCBGCwGPqyOqHlnr+ur7v2dMmG6E4NKnrU9+sr7uv0LQ8K+v
+EGN6HSGwFG4HjmFKjdIFm8xi6rXs14rUnj8F/fArpZUAzOEb6IoUz5C98s3wm9W6
+xqRhn4XG/Sikt3EGGk6x6SA3n+wZ0qtCge2KdwIDAQABAoIBABiajLV0y44ugB3A
+2d9i84nRo0Iai7QlR1leiZnjlm7GyVII8L7A7VAeVh6JuJyH0tKOhk7UObVBISi0
+/KgfZpWFlb3c9sLQtXRC2f/OkisJihyBj2eLJOteK3jC4+9+MSoM7FzFszkBX0Xq
+7wZHm/T1XAMsDS2/bssfICScNJ7Z6HNhzttwme+izmraejRhlK46a2Z6SAxFiuc+
+S7r7dflkt1/ZrT6jzReHnrZYjET6QTz/+vh11Z4oBERlvUVYJLpI+nr3DPPZJa4m
+nCDFoMvyV8kW3aTjF3mIJ23NZ6keoIIiZB/DAqMSoZ5YvBi191Sr7zW4bJp2U5xz
+qeJ6eIECgYEA/6CAJap6InU1ZN+0/8ACOIiRL/ByD6ZwGol0a04yBiiGMEfljH2H
+bBILE4QXdntkJwhdmXD/WKsDEewdp8cPjuMkojIrKyqLMgQR1jLRFL6TmIkyapJU
+jCi4cBtN7YjZ2aZWuCGC+eUpXuGoxA4WonJPewQ1f1gX/NmDlvZFl1cCgYEA/Ize
+Zzpj7H/uX9KqLMorz1XgN56JeTCZVEtrbeLOOJP4D7hZrqBE6urp2BXwyz3sWQ+/
+tVrQjJYrAzIVNkGeCq8DW7pIvPWnL3GHeeuPMNgZZwMiqFXnwKZzMkdTVMHIyLH0
+81g2h28zI+ykNsOx/V/1czRdsdbOL0d/Vr2HUeECgYAXdiSs0FO7W+SVqI6VNos9
+oxMoQjpFw3HgjaMYwimHNSrzvXWNCmxmd9V6ahI5NqP/jR4CGkPlYHS8rV4fav67
+j49qL46UvKff5E26yhk0fTVQt67f5yRJZOdgqrDhT0EnX8PvzGuYAfdlFPMHY3+i
+UzmGQeGjGXPCKjiQn3PNqwKBgQCV+Plhh7UrDlV6JdnUu0IE39REcyrkAs4q1pa3
+LIaV5pjajPkE0Dvc3R98qJrTtrQRt156zbEmq05jmWwrShAV/BQcdqUXQTHE5MA0
+0IO517pOB/ieylTTfITQCLcdj+4x8CusDmhjSM+vt6lUtCWQd1mEzkYNg6fxP54I
+3ofrQQKBgQDpu0ewR3+YVBBqDKx399tFZkfuV4kk5JRAYibByyS7yKmCE6y9zfXZ
+CewG9iQeovN0YrDj9dOC14cyivq7WUB4tCkYuShraoRfU5KhV/SUx0j8gY3apScn
+aLrvRSeV6G240i4SMU7UJawLtdaTQ/w9lZlbbo4DJowpuBdedbUcIQ==
 -----END RSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIIDNjCCAp+gAwIBAgIBADANBgkqhkiG9w0BAQQFADB2MQswCQYDVQQGEwJVSzES
-MBAGA1UEBxMJQ2FtYnJpZGdlMSAwHgYDVQQKExdVbml2ZXJzaXR5IG9mIENhbWJy
-aWRnZTEaMBgGA1UECxMRQ29tcHV0aW5nIFNlcnZpY2UxFTATBgNVBAMTDFBoaWxp
-cCBIYXplbDAeFw0wMjA0MTUwODA0NTBaFw0yOTA4MzAwODA0NTBaMHYxCzAJBgNV
-BAYTAlVLMRIwEAYDVQQHEwlDYW1icmlkZ2UxIDAeBgNVBAoTF1VuaXZlcnNpdHkg
-b2YgQ2FtYnJpZGdlMRowGAYDVQQLExFDb21wdXRpbmcgU2VydmljZTEVMBMGA1UE
-AxMMUGhpbGlwIEhhemVsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUN6we
-sp5nny2A5IAy9PqN9pajhpMLWhggY7Sx7uG5v7bPpupHzQ9/Hq0K6vQevCp62Mi2
-lN5xM4kRwMyd8q8gH5hgt23dJFSkBKmmK067TZ53/yOZy270sisQNELlqRfws9Cv
-X/AFXMVs6SjVsLIuAD3sn6x+yeMW/ipr450nXQIDAQABo4HTMIHQMB0GA1UdDgQW
-BBRgFqRZUo+RgbAGSGs4mLA+eW0WDjCBoAYDVR0jBIGYMIGVgBRgFqRZUo+RgbAG
-SGs4mLA+eW0WDqF6pHgwdjELMAkGA1UEBhMCVUsxEjAQBgNVBAcTCUNhbWJyaWRn
-ZTEgMB4GA1UEChMXVW5pdmVyc2l0eSBvZiBDYW1icmlkZ2UxGjAYBgNVBAsTEUNv
-bXB1dGluZyBTZXJ2aWNlMRUwEwYDVQQDEwxQaGlsaXAgSGF6ZWyCAQAwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDDU60ui0hP3WIvFWqV/eDVpEN1wRoo
-NcNDfOLhAavQQOKrhrIwcFHIh2mm727z4+uzKBghssrQ+9mVx/VbUKH1QCCJkdSp
-Gy5mp5Uym/piVcGEuNqZ8SkOg4+f+1LCqcVl+tgNaT7+NoPFWcu2Vn5MYZHkd4Mw
-oCabzXDoxmo0lQ==
+MIID8DCCAtigAwIBAgIJAIG5na6gDPTNMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
+BAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEGA1UECxMK
+VGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrMB4XDTEyMDUxNzE0NDU1
+MloXDTMxMDUxMzE0NDU1MlowWDELMAkGA1UEBhMCVUsxHTAbBgNVBAoTFFRoZSBF
+eGltIE1haW50YWluZXJzMRMwEQYDVQQLEwpUZXN0IFN1aXRlMRUwEwYDVQQDEwxQ
+aGlsIFBlbm5vY2swggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD8Lqf/
+a2vR9YWny8as/sF+AVMHCevtyD9dheyjj5ZlQ4HVppZeZTexrCvBiPlxpNlCRqks
+OQjylLdJCMhkapuz73mcp7PCeyqPBryaaFY5pHCq3fbqZtW9qU/zw1S8Gfh7jzDV
+Zw5xFv4hPUuPMxjtEy1DgX7UtDDJtLMyipRC5D/P7p1wfyT8201zjHVxRJMIIEYL
+AY+rI6oeWev66vu/Z0yYboTg0qetT36yvu6/QtDwr68QY3odIbAUbgeOYUqN0gWb
+zGLqtezXitSePwX98CullQDM4RvoihTPkL3yzfCb1brGpGGfhcb9KKS3cQYaTrHp
+IDef7BnSq0KB7Yp3AgMBAAGjgbwwgbkwHQYDVR0OBBYEFOR3occfwjSts823Q720
+gyuMA4ATMIGJBgNVHSMEgYEwf4AU5Hehxx/CNK2zzbdDvbSDK4wDgBOhXKRaMFgx
+CzAJBgNVBAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEG
+A1UECxMKVGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrggkAgbmdrqAM
+9M0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEA+lGUhwhthgcAQyp+
+XblU+2I5MsKuAr8vL3kOSs4hYRQ7LZIhOLDvM/a5uvDJCiHEOdCJgiT1JJokqHu6
+IQDyBE1T1dILMCtfQqV+Kjxg8DHWnUJRuVj0NJU2NhbzoqjrjQ7dnJLocl3OqhNw
+Kgy2VObQ0lxdPt199fc6BdNfTmgz5R+nQHqoi9haLN6cbKVJ1vwARVBiD4WR8xGu
+Dxlr1oW3+lrv5RPIrU8Zw8ks+R0pKy+RCJcRdErfmJxnKVtIjOCRIwfJirq/g1sn
+hWLBno9FlbreMmp06S+AtRJjY35OSk+ak8lPPXlOtDdMW6gJmaj/+EqIKcInbDSU
+8gPp4Q==
 -----END CERTIFICATE-----
diff --git a/test/aux-fixed/cert2.revoke b/test/aux-fixed/cert2.revoke
deleted file mode 100644
index 9371735..0000000
--- a/test/aux-fixed/cert2.revoke
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNjCCAp+gAwIBAgIBADANBgkqhkiG9w0BAQQFADB2MQswCQYDVQQGEwJVSzES
-MBAGA1UEBxMJQ2FtYnJpZGdlMSAwHgYDVQQKExdVbml2ZXJzaXR5IG9mIENhbWJy
-aWRnZTEaMBgGA1UECxMRQ29tcHV0aW5nIFNlcnZpY2UxFTATBgNVBAMTDFBoaWxp
-cCBIYXplbDAeFw0wMjA0MTUwODA0NTBaFw0yOTA4MzAwODA0NTBaMHYxCzAJBgNV
-BAYTAlVLMRIwEAYDVQQHEwlDYW1icmlkZ2UxIDAeBgNVBAoTF1VuaXZlcnNpdHkg
-b2YgQ2FtYnJpZGdlMRowGAYDVQQLExFDb21wdXRpbmcgU2VydmljZTEVMBMGA1UE
-AxMMUGhpbGlwIEhhemVsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUN6we
-sp5nny2A5IAy9PqN9pajhpMLWhggY7Sx7uG5v7bPpupHzQ9/Hq0K6vQevCp62Mi2
-lN5xM4kRwMyd8q8gH5hgt23dJFSkBKmmK067TZ53/yOZy270sisQNELlqRfws9Cv
-X/AFXMVs6SjVsLIuAD3sn6x+yeMW/ipr450nXQIDAQABo4HTMIHQMB0GA1UdDgQW
-BBRgFqRZUo+RgbAGSGs4mLA+eW0WDjCBoAYDVR0jBIGYMIGVgBRgFqRZUo+RgbAG
-SGs4mLA+eW0WDqF6pHgwdjELMAkGA1UEBhMCVUsxEjAQBgNVBAcTCUNhbWJyaWRn
-ZTEgMB4GA1UEChMXVW5pdmVyc2l0eSBvZiBDYW1icmlkZ2UxGjAYBgNVBAsTEUNv
-bXB1dGluZyBTZXJ2aWNlMRUwEwYDVQQDEwxQaGlsaXAgSGF6ZWyCAQAwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDDU60ui0hP3WIvFWqV/eDVpEN1wRoo
-NcNDfOLhAavQQOKrhrIwcFHIh2mm727z4+uzKBghssrQ+9mVx/VbUKH1QCCJkdSp
-Gy5mp5Uym/piVcGEuNqZ8SkOg4+f+1LCqcVl+tgNaT7+NoPFWcu2Vn5MYZHkd4Mw
-oCabzXDoxmo0lQ==
------END CERTIFICATE-----
diff --git a/test/aux-fixed/crl.pem b/test/aux-fixed/crl.pem
index c4ae333..1cb30e8 100644
--- a/test/aux-fixed/crl.pem
+++ b/test/aux-fixed/crl.pem
@@ -1,10 +1,12 @@
 -----BEGIN X509 CRL-----
-MIIBUTCBuzANBgkqhkiG9w0BAQQFADB2MQswCQYDVQQGEwJVSzESMBAGA1UEBxMJ
-Q2FtYnJpZGdlMSAwHgYDVQQKExdVbml2ZXJzaXR5IG9mIENhbWJyaWRnZTEaMBgG
-A1UECxMRQ29tcHV0aW5nIFNlcnZpY2UxFTATBgNVBAMTDFBoaWxpcCBIYXplbBcN
-MDQwMjI3MTIxNDEyWhcNMzEwNzE0MTIxNDEyWjAUMBICAQAXDTA0MDIyNzEyMDU0
-M1owDQYJKoZIhvcNAQEEBQADgYEAzoMDrsieUPRMPNzc0jzMmL0DKgxeUcyKPGNS
-cvJbh5z3obcCDq1HUAGb9k+J5jtWEMIqt27PN/qvmaeXJEsgoKvXnWAPIAF49UaT
-JfuRUztWJYMGPOzaYxivcHVp4oqMxyZhy89PdPaJJAtd/ovMHoaURUjoxfL/H5tZ
-TbLmzSE=
+MIIBzzCBuAIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJVSzEdMBsGA1UE
+ChMUVGhlIEV4aW0gTWFpbnRhaW5lcnMxEzARBgNVBAsTClRlc3QgU3VpdGUxFTAT
+BgNVBAMTDFBoaWwgUGVubm9jaxcNMTIwNTE3MTUwMjI0WhcNMjYwNTE0MTUwMjI0
+WjAcMBoCCQCBuZ2uoAz0zRcNMTIwNTE3MTUwMDQ0WqAOMAwwCgYDVR0UBAMCAQIw
+DQYJKoZIhvcNAQEFBQADggEBADuR38p1aAdpHXEN+JZQ7ZnBRAOIZ+ZHb8I4SY9T
+EjnaVhhaI5NpVzan+ETbgAsRxs9gVgvyeVzRbTtY5hWw5Y0DuC53eD8eP5r/uUln
+rxGpy2FQpKTXCAQPOnnXC9jieVu2jkZr++wH3r9MkfCfVJkq72+Bp5DUkzGdbVUa
+7FgbVCGFAb8UmbcZPeeOHrY66gxn7k8Fm9fyBPR8+cVlH6proOnPunYG5mPUmK+J
+3B59/a6Lb6aZwmr+JntjPGPABopb72FDHptXJsTby1ghGd+V7AjvXIEsrbI3JEUI
+4TvT1nxE/4r1f8SATp7eM7pyXhfB6tv1E5UVDMepMWDRsbA=
 -----END X509 CRL-----
diff --git a/test/runtest b/test/runtest
index 51658b8..53516d0 100755
--- a/test/runtest
+++ b/test/runtest
@@ -25,6 +25,13 @@ use Time::Local;


$testversion = "4.78 (08-May-12)";

+# This gets embedded in the D-H params filename, and the value comes
+# from asking GnuTLS for "normal", but there appears to be no way to
+# use certtool/... to ask what that value currently is. *sigh*
+# This value is correct as of GnuTLS 2.12.18.
+#
+$gnutls_dh_bits_normal = 2432;
+
$cf = "bin/cf -exact";
$cr = "\r";
$debug = 0;
@@ -1578,9 +1585,10 @@ if (/^eximstats\s+(.*)/)

 if (/^gnutls/)
   {
-  run_system "sudo cp -p aux-fixed/gnutls-params spool/gnutls-params;" .
-         "sudo chown $parm_eximuser:$parm_eximgroup spool/gnutls-params;" .
-         "sudo chmod 0400 spool/gnutls-params";
+  my $gen_fn = "spool/gnutls-params-$gnutls_dh_bits_normal";
+  run_system "sudo cp -p aux-fixed/gnutls-params $gen_fn;" .
+         "sudo chown $parm_eximuser:$parm_eximgroup $gen_fn;" .
+         "sudo chmod 0400 $gen_fn";
   return 1;
   }