Gitweb:
http://git.exim.org/exim.git/commitdiff/02bf26279e41fa715e74ea45d2a5903635ad5ee1
Commit: 02bf26279e41fa715e74ea45d2a5903635ad5ee1
Parent: 214042d23115fe1353ee41041ec91a9dbba3b23d
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Mar 15 14:06:07 2014 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sat Mar 15 14:06:07 2014 +0000
Testcases
---
doc/doc-docbook/spec.xfpt | 4 +-
test/confs/2112 | 65 +++++++++++++++++++++++++++++++++++++--
test/log/2112 | 27 +++++++++++++++-
test/scripts/2100-OpenSSL/2112 | 9 +++++
4 files changed, 97 insertions(+), 8 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 748f5c9..abf69a0 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23021,7 +23021,7 @@ in clear.
.option tls_try_verify_hosts smtp "host list&!! unset
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
-For OpenSSL only, this option gives a list of hosts for which
+For OpenSSL only, this option gives a list of hosts for which, on encrypted connections,
certificate verification will be tried but need not succeed.
The &%tls_verify_certificates%& option must also be set.
@@ -23048,7 +23048,7 @@ and certificate verification fails the TLS connection is closed.
.option tls_verify_hosts smtp "host list&!! unset
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
-For OpenSSL only, this option gives a list of hosts for which
+For OpenSSL only, this option gives a list of hosts for which. on encrypted connections,
certificate verification must succeed.
The &%tls_verify_certificates%& option must also be set.
If both this option and &%tls_try_verify_hosts%& are unset
diff --git a/test/confs/2112 b/test/confs/2112
index 7873351..242d2d6 100644
--- a/test/confs/2112
+++ b/test/confs/2112
@@ -1,4 +1,5 @@
# Exim test configuration 2112
+# TLS client: verify certificate from server - fails
SERVER=
@@ -35,18 +36,53 @@ tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
begin routers
-client:
+server_dump:
+ driver = redirect
+ condition = ${if eq {SERVER}{server}{yes}{no}}
+ data = :blackhole:
+
+client_x:
+ driver = accept
+ local_parts = userx
+ retry_use_local_part
+ transport = send_to_server_failcert
+ errors_to = ""
+
+client_y:
+ driver = accept
+ local_parts = usery
+ retry_use_local_part
+ transport = send_to_server_retry
+
+client_z:
driver = accept
- condition = ${if eq {SERVER}{server}{no}{yes}}
+ local_parts = userz
retry_use_local_part
- transport = send_to_server
+ transport = send_to_server_crypt
+
+client_q:
+ driver = accept
+ local_parts = userq
+ retry_use_local_part
+ transport = send_to_server_req_fail
# ----- Transports -----
begin transports
-send_to_server:
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
+send_to_server_failcert:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = DIR/aux-fixed/cert2
+ tls_verify_certificates = DIR/aux-fixed/cert2
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
+send_to_server_retry:
driver = smtp
allow_localhost
hosts = HOSTIPV4 : 127.0.0.1
@@ -56,4 +92,25 @@ send_to_server:
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}}
+# this will fail to verify the cert but continue unverified though cypted
+send_to_server_crypt:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = DIR/aux-fixed/cert2
+ tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_try_verify_hosts = *
+
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+send_to_server_req_fail:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = DIR/aux-fixed/cert2
+ tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_verify_hosts = *
+
# End
diff --git a/test/log/2112 b/test/log/2112
index bee2f6f..3f77e65 100644
--- a/test/log/2112
+++ b/test/log/2112
@@ -1,13 +1,36 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@??? R=client_x T=send_to_server_failcert defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@???: retry timeout exceeded
+1999-03-02 09:44:33 10HmaX-0005vi-00 userx@???: error ignored
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@???
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@???
diff --git a/test/scripts/2100-OpenSSL/2112 b/test/scripts/2100-OpenSSL/2112
index 4793929..98ea4cb 100644
--- a/test/scripts/2100-OpenSSL/2112
+++ b/test/scripts/2100-OpenSSL/2112
@@ -4,6 +4,15 @@ exim -DSERVER=server -bd -oX PORT_D
exim userx@???
Testing
****
+exim usery@???
+Testing
+****
+exim userz@???
+Testing
+****
+exim userq@???
+Testing
+****
exim -qf
****
killdaemon