[exim-cvs] OCSP observability: variables $tls_{in,out}_ocsp

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Exim Git Commits Mailing List
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] OCSP observability: variables $tls_{in,out}_ocsp
Gitweb: http://git.exim.org/exim.git/commitdiff/4466248715466b6f251454283642b74de65e9d9a
Commit:     4466248715466b6f251454283642b74de65e9d9a
Parent:     65867078f62db450bd8f91100600f6de559e7590
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Tue May 6 14:44:21 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Tue May 6 22:40:45 2014 +0100


    OCSP observability: variables $tls_{in,out}_ocsp
    and smtp transport option hosts_request_ocsp
---
 doc/doc-txt/ChangeLog               |    4 ++
 doc/doc-txt/experimental-spec.txt   |   23 ++++++---
 src/src/expand.c                    |    2 +
 src/src/globals.c                   |    6 ++-
 src/src/globals.h                   |    6 +++
 src/src/smtp_in.c                   |    1 +
 src/src/spool_in.c                  |    3 +
 src/src/spool_out.c                 |    1 +
 src/src/tls-gnu.c                   |   63 ++++++++++++++++++++------
 src/src/tls-openssl.c               |   84 ++++++++++++++++++++++------------
 src/src/transports/smtp.c           |    5 ++
 src/src/transports/smtp.h           |    1 +
 test/confs/5600                     |    8 +++
 test/confs/5601                     |   30 ++++++++++---
 test/confs/5650                     |    8 +++
 test/confs/5651                     |   29 ++++++++++--
 test/log/5600                       |    4 ++
 test/log/5601                       |   42 +++++++++++-------
 test/log/5650                       |    4 ++
 test/log/5651                       |   35 +++++++++-----
 test/scripts/5600-OCSP-OpenSSL/5601 |   16 +++++--
 test/scripts/5650-OCSP-GnuTLS/5651  |   16 +++++--
 test/stderr/5410                    |    1 +
 test/stderr/5420                    |    1 +
 24 files changed, 292 insertions(+), 101 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c985288..ebf2ead 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -107,6 +107,10 @@ TL/10 Bugzilla 1454: New -oMm option to pass message reference to Exim.
 JH/20 New expansion variables tls_(in,out)_(our,peer)cert, and expansion item
       certextract with support for various fields.  Bug 1358.


+JH/21 Observability of OCSP via variables tls_(in,out)_ocsp.  Stapling
+      is requested by default, modifiable by smtp transport option
+      hosts_request_ocsp;
+


Exim version 4.82
-----------------
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 16738a5..1ec3234 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -84,14 +84,21 @@ contents are always valid. Exim will expand the "tls_ocsp_file" option
on each connection, so a new file will be handled transparently on the
next connection.

-Exim will check for a valid next update timestamp in the OCSP proof;
-if not present, or if the proof has expired, it will be ignored.
-
-Also, given EXPERIMENTAL_OCSP, the smtp transport gains
-a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling
-is requested and required for the connection to proceed. The host(s)
-should also be in "hosts_require_tls", and "tls_verify_certificates"
-configured for the transport.
+Under OpenSSL Exim will check for a valid next update timestamp in the
+OCSP proof; if not present, or if the proof has expired, it will be
+ignored.
+
+Also, given EXPERIMENTAL_OCSP, the smtp transport gains two options:
+- "hosts_require_ocsp"; a host-list for which an OCSP Stapling
+is requested and required for the connection to proceed. The default
+value is empty.
+- "hosts_request_ocsp"; a host-list for which (additionally) an OCSP
+Stapling is requested (but not necessarily verified). The default
+value is "*" meaning that requests are made unless configured
+otherwise.
+
+The host(s) should also be in "hosts_require_tls", and
+"tls_verify_certificates" configured for the transport.

 For the client to be able to verify the stapled OCSP the server must
 also supply, in its stapled information, any intermediate
diff --git a/src/src/expand.c b/src/src/expand.c
index 05b714a..de911db 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -671,6 +671,7 @@ static var_entry var_table[] = {
   { "tls_in_bits",         vtype_int,         &tls_in.bits },
   { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
   { "tls_in_cipher",       vtype_stringptr,   &tls_in.cipher },
+  { "tls_in_ocsp",         vtype_int,         &tls_in.ocsp },
   { "tls_in_ourcert",      vtype_cert,        &tls_in.ourcert },
   { "tls_in_peercert",     vtype_cert,        &tls_in.peercert },
   { "tls_in_peerdn",       vtype_stringptr,   &tls_in.peerdn },
@@ -680,6 +681,7 @@ static var_entry var_table[] = {
   { "tls_out_bits",        vtype_int,         &tls_out.bits },
   { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
   { "tls_out_cipher",      vtype_stringptr,   &tls_out.cipher },
+  { "tls_out_ocsp",        vtype_int,         &tls_out.ocsp },
   { "tls_out_ourcert",     vtype_cert,        &tls_out.ourcert },
   { "tls_out_peercert",    vtype_cert,        &tls_out.peercert },
   { "tls_out_peerdn",      vtype_stringptr,   &tls_out.peerdn },
diff --git a/src/src/globals.c b/src/src/globals.c
index 7b591e4..af29035 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -109,7 +109,8 @@ tls_support tls_in = {
  NULL, /* tls_ourcert */
  NULL, /* tls_peercert */
  NULL, /* tls_peerdn */
- NULL  /* tls_sni */
+ NULL, /* tls_sni */
+ 0     /* tls_ocsp */
 };
 tls_support tls_out = {
  -1,   /* tls_active */
@@ -121,7 +122,8 @@ tls_support tls_out = {
  NULL, /* tls_ourcert */
  NULL, /* tls_peercert */
  NULL, /* tls_peerdn */
- NULL  /* tls_sni */
+ NULL, /* tls_sni */
+ 0     /* tls_ocsp */
 };



diff --git a/src/src/globals.h b/src/src/globals.h
index 584d1bd..9a42fe2 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -89,6 +89,12 @@ typedef struct {
   void     *peercert;           /* Certificate of peer, binary */
   uschar *peerdn;             /* DN from peer */
   uschar *sni;                /* Server Name Indication */
+  enum {
+    OCSP_NOT_REQ=0,        /* not requested */
+    OCSP_NOT_RESP,        /* no response to request */
+    OCSP_NOT_VFY,        /* response not verified */
+    OCSP_VFIED            /* verified */
+    }     ocsp;              /* Stapled OCSP status */
 } tls_support;
 extern tls_support tls_in;
 extern tls_support tls_out;
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 6810d25..82a805a 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1820,6 +1820,7 @@ authenticated_by = NULL;
 tls_in.cipher = tls_in.peerdn = NULL;
 tls_in.ourcert = tls_in.peercert = NULL;
 tls_in.sni = NULL;
+tls_in.ocsp = OCSP_NOT_REQ;
 tls_advertised = FALSE;
 #endif


diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 2006e1b..ba775bb 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -289,6 +289,7 @@ tls_in.ourcert = NULL;
tls_in.peercert = NULL;
tls_in.peerdn = NULL;
tls_in.sni = NULL;
+tls_in.ocsp = OCSP_NOT_REQ;
#endif

 #ifdef WITH_CONTENT_SCAN
@@ -560,6 +561,8 @@ for (;;)
       tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
     else if (Ustrncmp(p, "ls_sni", 6) == 0)
       tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
+    else if (Ustrncmp(p, "ls_ocsp", 7) == 0)
+      tls_in.ocsp = big_buffer[10] - '0';
     break;
     #endif


diff --git a/src/src/spool_out.c b/src/src/spool_out.c
index 7bbd42d..de81786 100644
--- a/src/src/spool_out.c
+++ b/src/src/spool_out.c
@@ -242,6 +242,7 @@ if (tls_in.ourcert)
   (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert);
   fprintf(f, "-tls_ourcert %s\n", CS big_buffer);
   }
+if (tls_in.ocsp)     fprintf(f, "-tls_ocsp %d\n",   tls_in.ocsp);
 #endif


/* To complete the envelope, write out the tree of non-recipients, followed by
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index d0e1c35..b0b67d8 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -101,6 +101,7 @@ typedef struct exim_gnutls_state {
uschar *exp_tls_verify_certificates;
uschar *exp_tls_crl;
uschar *exp_tls_require_ciphers;
+ uschar *exp_tls_ocsp_file;

   tls_support *tlsp;    /* set in tls_init() */


@@ -115,7 +116,7 @@ static const exim_gnutls_state_st exim_gnutls_state_init = {
NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL,
NULL, 0, 0, 0, 0,
};
@@ -203,6 +204,10 @@ static void exim_gnutls_logger_cb(int level, const char *message);

static int exim_sni_handling_cb(gnutls_session_t session);

+#ifdef EXPERIMENTAL_OCSP
+static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
+ gnutls_datum_t * ocsp_response);
+#endif



@@ -791,18 +796,18 @@ if (  !host    /* server */
    && tls_ocsp_file
    )
   {
-  uschar * expanded;
-  int rc;
-
-  if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &expanded))
+  if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
+    &state->exp_tls_ocsp_file))
     return DEFER;


-  /* Lazy way; would like callback to emit debug on actual response */
+  /* Use the full callback method for stapling just to get observability.
+  More efficient would be to read the file once only, if it never changed
+  (due to SNI). Would need restart on file update, or watch datestamp.  */
+
+  gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
+    server_ocsp_stapling_cb, state->exp_tls_ocsp_file);


-  rc = gnutls_certificate_set_ocsp_status_request_file(state->x509_cred,
-      expanded, 0);
-  exim_gnutls_err_check(US"gnutls_certificate_set_ocsp_status_request_file");
-  DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", expanded);
+  DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file);
   }
 #endif


@@ -1433,6 +1438,31 @@ return 0;



+#ifdef EXPERIMENTAL_OCSP
+
+static int
+server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
+  gnutls_datum_t * ocsp_response)
+{
+int ret;
+
+tls_in.ocsp = OCSP_NOT_RESP;
+if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
+  {
+  DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
+                  (char *)ptr);
+  return GNUTLS_E_NO_CERTIFICATE_STATUS;
+  }
+
+tls_in.ocsp = OCSP_NOT_VFY;
+return 0;
+}
+
+#endif
+
+
+
+


/* ------------------------------------------------------------------------ */
/* Exported functions */
@@ -1526,8 +1556,8 @@ if (!state->tlsp->on_connect)
that the GnuTLS library doesn't. */

 gnutls_transport_set_ptr2(state->session,
-    (gnutls_transport_ptr)fileno(smtp_in),
-    (gnutls_transport_ptr)fileno(smtp_out));
+    (gnutls_transport_ptr)(long) fileno(smtp_in),
+    (gnutls_transport_ptr)(long) fileno(smtp_out));
 state->fd_in = fileno(smtp_in);
 state->fd_out = fileno(smtp_out);


@@ -1628,6 +1658,9 @@ exim_gnutls_state_st *state = NULL;
 #ifdef EXPERIMENTAL_OCSP
 BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
   NULL, host->name, host->address, NULL) == OK;
+BOOL request_ocsp = require_ocsp ? TRUE
+  : verify_check_this_host(&ob->hosts_request_ocsp,
+      NULL, host->name, host->address, NULL) == OK;
 #endif


DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
@@ -1684,17 +1717,18 @@ else
}

 #ifdef EXPERIMENTAL_OCSP    /* since GnuTLS 3.1.3 */
-if (require_ocsp)
+if (request_ocsp)
   {
   DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
   if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
             NULL, 0, NULL)) != OK)
     return tls_error(US"cert-status-req",
             gnutls_strerror(rc), state->host);
+  tls_out.ocsp = OCSP_NOT_RESP;
   }
 #endif


-gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)fd);
+gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)(long) fd);
state->fd_in = fd;
state->fd_out = fd;

@@ -1746,6 +1780,7 @@ if (require_ocsp)
   if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
     return tls_error(US"certificate status check failed", NULL, state->host);
   DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
+  tls_out.ocsp = OCSP_VFIED;
   }
 #endif


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 66fca7d..fd257f3 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -97,7 +97,8 @@ typedef struct tls_ext_ctx_cb {
       OCSP_RESPONSE *response;
     } server;
     struct {
-      X509_STORE    *verify_store;
+      X509_STORE    *verify_store;    /* non-null if status requested */
+      BOOL        verify_required;
     } client;
   } u_ocsp;
 #endif
@@ -797,15 +798,18 @@ else
   DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.",
     cbinfo->u_ocsp.server.response ? "have" : "lack");


+tls_in.ocsp = OCSP_NOT_RESP;
if (!cbinfo->u_ocsp.server.response)
return SSL_TLSEXT_ERR_NOACK;

 response_der = NULL;
-response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, &response_der);
+response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
+              &response_der);
 if (response_der_len <= 0)
   return SSL_TLSEXT_ERR_NOACK;


SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
+tls_in.ocsp = OCSP_VFIED;
return SSL_TLSEXT_ERR_OK;
}

@@ -832,12 +836,15 @@ DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
 if(!p)
  {
-  if (log_extra_selector & LX_tls_cipher)
-    log_write(0, LOG_MAIN, "Received TLS status response, null content");
+  /* Expect this when we requested ocsp but got none */
+  if (  cbinfo->u_ocsp.client.verify_required
+     && log_extra_selector & LX_tls_cipher)
+    log_write(0, LOG_MAIN, "Received TLS status callback, null content");
   else
     DEBUG(D_tls) debug_printf(" null\n");
-  return 0;    /* This is the fail case for require-ocsp; none from server */
+  return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
  }
+tls_out.ocsp = OCSP_NOT_VFY;
 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
  {
   if (log_extra_selector & LX_tls_cipher)
@@ -878,11 +885,12 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
     /* Use the chain that verified the server cert to verify the stapled info */
     /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */


-    if ((i = OCSP_basic_verify(bs, NULL, cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
+    if ((i = OCSP_basic_verify(bs, NULL,
+          cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
       {
       BIO_printf(bp, "OCSP response verify failure\n");
       ERR_print_errors(bp);
-      i = 0;
+      i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
       goto out;
       }


@@ -894,39 +902,48 @@ if(!(bs = OCSP_response_get1_basic(rsp)))

       if (sk_OCSP_SINGLERESP_num(sresp) != 1)
         {
-        log_write(0, LOG_MAIN, "OCSP stapling with multiple responses not handled");
+        log_write(0, LOG_MAIN, "OCSP stapling "
+        "with multiple responses not handled");
+    i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
         goto out;
         }
       single = OCSP_resp_get0(bs, 0);
-      status = OCSP_single_get0_status(single, &reason, &rev, &thisupd, &nextupd);
+      status = OCSP_single_get0_status(single, &reason, &rev,
+          &thisupd, &nextupd);
       }


-    i = 0;
     DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
     DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
-    if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
+    if (!OCSP_check_validity(thisupd, nextupd,
+      EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
       {
       DEBUG(D_tls) ERR_print_errors(bp);
       log_write(0, LOG_MAIN, "Server OSCP dates invalid");
-      goto out;
+      i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
       }
-
-    DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n", OCSP_cert_status_str(status));
-    switch(status)
+    else
       {
-      case V_OCSP_CERTSTATUS_GOOD:
-        i = 1;
-        break;
-      case V_OCSP_CERTSTATUS_REVOKED:
-        log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
-            reason != -1 ? "; reason: " : "", reason != -1 ? OCSP_crl_reason_str(reason) : "");
-        DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
-        i = 0;
-        break;
-      default:
-        log_write(0, LOG_MAIN, "Server certificate status unknown, in OCSP stapling");
-        i = 0;
-        break;
+      DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
+            OCSP_cert_status_str(status));
+      switch(status)
+    {
+    case V_OCSP_CERTSTATUS_GOOD:
+      i = 1;
+      tls_out.ocsp = OCSP_VFIED;
+      break;
+    case V_OCSP_CERTSTATUS_REVOKED:
+      log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
+          reason != -1 ? "; reason: " : "",
+          reason != -1 ? OCSP_crl_reason_str(reason) : "");
+      DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
+      i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
+      break;
+    default:
+      log_write(0, LOG_MAIN,
+          "Server certificate status unknown, in OCSP stapling");
+      i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
+      break;
+    }
       }
   out:
     BIO_free(bp);
@@ -1497,12 +1514,15 @@ static uschar cipherbuf[256];
 #ifdef EXPERIMENTAL_OCSP
 BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
   NULL, host->name, host->address, NULL) == OK;
+BOOL request_ocsp = require_ocsp ? TRUE
+  : verify_check_this_host(&ob->hosts_request_ocsp,
+      NULL, host->name, host->address, NULL) == OK;
 #endif


 rc = tls_init(&client_ctx, host, NULL,
     ob->tls_certificate, ob->tls_privatekey,
 #ifdef EXPERIMENTAL_OCSP
-    require_ocsp ? US"" : NULL,
+    (void *)(long)request_ocsp,
 #endif
     addr, &client_static_cbinfo);
 if (rc != OK) return rc;
@@ -1578,8 +1598,12 @@ if (ob->tls_sni)
 #ifdef EXPERIMENTAL_OCSP
 /* Request certificate status at connection-time.  If the server
 does OCSP stapling we will get the callback (set in tls_init()) */
-if (require_ocsp)
+if (request_ocsp)
+  {
   SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
+  client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
+  tls_out.ocsp = OCSP_NOT_RESP;
+  }
 #endif


 /* There doesn't seem to be a built-in timeout on connection. */
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 7223f9c..9089d90 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -102,6 +102,10 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, hosts_override) },
   { "hosts_randomize",      opt_bool,
       (void *)offsetof(smtp_transport_options_block, hosts_randomize) },
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_OCSP)
+  { "hosts_request_ocsp",   opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) },
+#endif
   { "hosts_require_auth",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
 #ifdef SUPPORT_TLS
@@ -196,6 +200,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   NULL,                /* hosts_try_prdr */
 #endif
 #ifdef EXPERIMENTAL_OCSP
+  US"*",               /* hosts_request_ocsp */
   NULL,                /* hosts_require_ocsp */
 #endif
   NULL,                /* hosts_require_tls */
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 6912ad8..9005425 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -25,6 +25,7 @@ typedef struct {
   uschar *hosts_try_prdr;
 #endif
 #ifdef EXPERIMENTAL_OCSP
+  uschar *hosts_request_ocsp;
   uschar *hosts_require_ocsp;
 #endif
   uschar *hosts_require_tls;
diff --git a/test/confs/5600 b/test/confs/5600
index 8b26ee7..cd5f3c8 100644
--- a/test/confs/5600
+++ b/test/confs/5600
@@ -14,6 +14,8 @@ gecos_name = CALLER_NAME


# ----- Main settings -----

+acl_smtp_connect = check_connect
+acl_smtp_mail = check_mail
acl_smtp_rcpt = check_recipient

log_selector = +tls_peerdn
@@ -37,6 +39,12 @@ tls_ocsp_file = OCSP

begin acl

+check_connect:
+  accept   logwrite = acl_conn: ocsp in status: $tls_in_ocsp
+
+check_mail:
+  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp
+
 check_recipient:
   deny     message = certificate not verified: peerdn=$tls_peerdn
          ! verify = certificate
diff --git a/test/confs/5601 b/test/confs/5601
index 5172ff2..7eb19f7 100644
--- a/test/confs/5601
+++ b/test/confs/5601
@@ -18,6 +18,8 @@ gecos_name = CALLER_NAME
 domainlist local_domains = test.ex : *.test.ex


acl_smtp_rcpt = check_recipient
+acl_smtp_data = check_data
+
log_selector = +tls_peerdn
remote_max_parallel = 1

@@ -47,6 +49,10 @@ check_recipient:
   accept  domains = +local_domains
   deny    message = relay not permitted


+check_data:
+  warn      condition   = ${if def:h_X-TLS-out:}
+      logwrite = client claims: $h_X-TLS-out:
+  accept


# ----- Routers -----

@@ -57,8 +63,9 @@ client:
   condition = ${if eq {SERVER}{server}{no}{yes}}
   retry_use_local_part
   transport = send_to_server${if eq{$local_part}{nostaple}{1} \
-                {${if eq{$local_part}{smtps} {3}{2}}} \
-                 }
+                {${if eq{$local_part}{norequire} {2} \
+                {${if eq{$local_part}{smtps} {4}{3}}} \
+                 }}}


server:
driver = redirect
@@ -84,30 +91,41 @@ send_to_server1:
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
-# note no ocsp here
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp

send_to_server2:
driver = smtp
allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+
+send_to_server3:
+ driver = smtp
+ allow_localhost
hosts = 127.0.0.1
port = PORT_D
helo_data = helo.data.changed
- #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
hosts_require_ocsp = *
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp

-send_to_server3:
+send_to_server4:
   driver = smtp
   allow_localhost
   hosts = 127.0.0.1
   port = PORT_D
   helo_data = helo.data.changed
-  #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
   protocol =           smtps
   hosts_require_tls =  *
   hosts_require_ocsp = *
+  headers_add = X-TLS-out: ocsp status $tls_out_ocsp



# ----- Retry -----
diff --git a/test/confs/5650 b/test/confs/5650
index 12584c7..3d4a68e 100644
--- a/test/confs/5650
+++ b/test/confs/5650
@@ -14,6 +14,8 @@ gecos_name = CALLER_NAME

# ----- Main settings -----

+acl_smtp_connect = check_connect
+acl_smtp_mail = check_mail
acl_smtp_rcpt = check_recipient

log_selector = +tls_peerdn
@@ -38,6 +40,12 @@ tls_ocsp_file = OCSP

begin acl

+check_connect:
+ accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp
+
+check_mail:
+ accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp
+
check_recipient:
accept

diff --git a/test/confs/5651 b/test/confs/5651
index e38043f..4a1989f 100644
--- a/test/confs/5651
+++ b/test/confs/5651
@@ -18,6 +18,8 @@ gecos_name = CALLER_NAME
domainlist local_domains = test.ex : *.test.ex

acl_smtp_rcpt = check_recipient
+acl_smtp_data = check_data
+
log_selector = +tls_peerdn
remote_max_parallel = 1

@@ -44,6 +46,11 @@ check_recipient:
   accept  domains = +local_domains
   deny    message = relay not permitted


+check_data:
+  warn      condition   = ${if def:h_X-TLS-out:}
+      logwrite = client claims: $h_X-TLS-out:
+  accept
+


# ----- Routers -----

@@ -54,8 +61,9 @@ client:
   condition = ${if eq {SERVER}{server}{no}{yes}}
   retry_use_local_part
   transport = send_to_server${if eq{$local_part}{nostaple}{1} \
-                {${if eq{$local_part}{smtps} {3}{2}}} \
-                 }
+                {${if eq{$local_part}{norequire} {2} \
+                {${if eq{$local_part}{smtps} {4}{3}}} \
+                 }}}


server:
driver = redirect
@@ -81,11 +89,22 @@ send_to_server1:
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
-# note no ocsp here
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp

send_to_server2:
driver = smtp
allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+
+send_to_server3:
+ driver = smtp
+ allow_localhost
hosts = 127.0.0.1
port = PORT_D
helo_data = helo.data.changed
@@ -93,8 +112,9 @@ send_to_server2:
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
hosts_require_ocsp = *
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp

-send_to_server3:
+send_to_server4:
   driver = smtp
   allow_localhost
   hosts = 127.0.0.1
@@ -105,6 +125,7 @@ send_to_server3:
   protocol =           smtps
   hosts_require_tls =  *
   hosts_require_ocsp = *
+  headers_add = X-TLS-out: OCSP status $tls_out_ocsp



# ----- Retry -----
diff --git a/test/log/5600 b/test/log/5600
index 869883f..d0dc7b1 100644
--- a/test/log/5600
+++ b/test/log/5600
@@ -1,6 +1,10 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 acl_mail: ocsp in status: 3
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
diff --git a/test/log/5601 b/test/log/5601
index 40caa0f..d3c46ed 100644
--- a/test/log/5601
+++ b/test/log/5601
@@ -1,32 +1,42 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => nostaple@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@??? R=client T=send_to_server2 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 Received TLS status response, null content
-1999-03-02 09:44:33 10HmbB-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbC-0005vi-00 Server certificate revoked; reason: superseded
-1999-03-02 09:44:33 10HmbC-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbC-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER@??? R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbD-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content
1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
+1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@???
-1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <nostaple@???> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@???> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: ocsp status 0
1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@???
-1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@???> R=server
-1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: <nostaple@???> R=server
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 3
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; not responding
1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
diff --git a/test/log/5650 b/test/log/5650
index 072756d..139d3e7 100644
--- a/test/log/5650
+++ b/test/log/5650
@@ -1,7 +1,11 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
+1999-03-02 09:44:33 acl_mail: ocsp in status: 2
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
diff --git a/test/log/5651 b/test/log/5651
index a42426a..194443a 100644
--- a/test/log/5651
+++ b/test/log/5651
@@ -1,28 +1,37 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => nostaple@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@??? R=client T=send_to_server2 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
-1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbC-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked
-1999-03-02 09:44:33 10HmbC-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER@??? R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
-1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@??? R=client T=send_to_server2 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked
+1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
+1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session

 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@???
-1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <nostaple@???> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@???> R=server
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@???
-1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@???> R=server
-1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: OCSP status 0
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: <nostaple@???> R=server
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 3
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
 1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason.
diff --git a/test/scripts/5600-OCSP-OpenSSL/5601 b/test/scripts/5600-OCSP-OpenSSL/5601
index b2983eb..cf0f68f 100644
--- a/test/scripts/5600-OCSP-OpenSSL/5601
+++ b/test/scripts/5600-OCSP-OpenSSL/5601
@@ -1,10 +1,10 @@
 # OCSP stapling, client
 #
 #
-# Client works when we don't demand OCSP stapling
+# Client works when we request but don't require OCSP stapling and none comes
 exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
 ****
-exim nostaple@???
+exim norequire@???
 test message.
 ****
 sleep 1
@@ -13,10 +13,18 @@ killdaemon
 #
 #
 #
-# Client accepts good stapled info
+# Client works when we don't request OCSP stapling
 exim -bd -oX PORT_D -DSERVER=server \
  -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
 ****
+exim nostaple@???
+test message.
+****
+#
+#
+#
+#
+# Client accepts good stapled info
 exim CALLER@???
 test message.
 ****
@@ -25,7 +33,7 @@ killdaemon
 #
 #
 #
-# Client fails on lack of requested stapled info
+# Client fails on lack of required stapled info
 exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
 ****
 exim CALLER@???
diff --git a/test/scripts/5650-OCSP-GnuTLS/5651 b/test/scripts/5650-OCSP-GnuTLS/5651
index f5432be..5ed784b 100644
--- a/test/scripts/5650-OCSP-GnuTLS/5651
+++ b/test/scripts/5650-OCSP-GnuTLS/5651
@@ -1,10 +1,10 @@
 # OCSP stapling, client
 #
 #
-# Client works when we don't demand OCSP stapling
+# Client works when we request but don't require OCSP stapling and none comes
 exim -bd -oX PORT_D -DSERVER=server -DOCSP=""
 ****
-exim nostaple@???
+exim norequire@???
 test message.
 ****
 sleep 1
@@ -13,10 +13,18 @@ killdaemon
 #
 #
 #
-# Client accepts good stapled info
+# Client works when we don't request OCSP stapling
 exim -bd -oX PORT_D -DSERVER=server \
  -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
 ****
+exim nostaple@???
+test message.
+****
+#
+#
+#
+#
+# Client accepts good stapled info
 exim CALLER@???
 test message.
 ****
@@ -25,7 +33,7 @@ killdaemon
 #
 #
 #
-# Client fails on lack of requested stapled info
+# Client fails on lack of required stapled info
 exim -bd -oX PORT_D -DSERVER=server -DOCSP=""
 ****
 exim CALLER@???
diff --git a/test/stderr/5410 b/test/stderr/5410
index b84c264..ddd6dbc 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -81,6 +81,7 @@ expanding: ${if eq {$address_data}{userz}{*}{:}}
   SMTP>> STARTTLS
   SMTP<< 220 TLS go ahead
 127.0.0.1 in hosts_require_ocsp? no (option unset)
+127.0.0.1 in hosts_request_ocsp? yes (matched "*")
   SMTP>> EHLO myhost.test.ex
   SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
          250-SIZE 52428800
diff --git a/test/stderr/5420 b/test/stderr/5420
index d2fb575..9eea77d 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -81,6 +81,7 @@ expanding: ${if eq {$address_data}{userz}{*}{:}}
   SMTP>> STARTTLS
   SMTP<< 220 TLS go ahead
 127.0.0.1 in hosts_require_ocsp? no (option unset)
+127.0.0.1 in hosts_request_ocsp? yes (matched "*")
  in tls_verify_hosts? no (option unset)
  in tls_try_verify_hosts? no (option unset)
   SMTP>> EHLO myhost.test.ex