[exim-cvs] Make $tls_out_ocsp visible to TPDA (mostly testsu…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Exim Git Commits Mailing List
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] Make $tls_out_ocsp visible to TPDA (mostly testsuite)
Gitweb: http://git.exim.org/exim.git/commitdiff/018058b21d17a988ed29cf31a7002da74b599d1a
Commit:     018058b21d17a988ed29cf31a7002da74b599d1a
Parent:     80c974f8633781c6f10a196ed33e6cdce605bcd4
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Wed May 7 20:46:49 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Fri May 9 21:36:27 2014 +0100


    Make $tls_out_ocsp visible to TPDA (mostly testsuite)
---
 src/src/deliver.c                            |   32 +++++++++-
 src/src/globals.c                            |    1 +
 src/src/globals.h                            |    3 +-
 src/src/structs.h                            |    1 +
 src/src/tls-gnu.c                            |    7 ++-
 src/src/tls-openssl.c                        |   36 +++++++-----
 src/src/transports/smtp.c                    |    7 ++-
 test/confs/5600                              |    8 ++-
 test/confs/5601                              |   16 ++++-
 test/confs/{5601 => 5608}                    |   50 +++++++++++-----
 test/confs/5650                              |    8 ++-
 test/confs/5651                              |   16 ++++-
 test/confs/{5651 => 5658}                    |   34 +++++++++--
 test/log/5600                                |    8 +-
 test/log/5601                                |    6 +-
 test/log/{5601 => 5608}                      |   55 +++++++++++------
 test/log/5650                                |    8 +-
 test/log/5651                                |    6 +-
 test/log/{5651 => 5658}                      |   48 ++++++++++-----
 test/scripts/5608-OCSP-OpenSSL-TPDA/5608     |   82 ++++++++++++++++++++++++++
 test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES |    4 +
 test/scripts/5658-OCSP-GnuTLS-TPDA/5658      |   82 ++++++++++++++++++++++++++
 test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES  |    4 +
 23 files changed, 414 insertions(+), 108 deletions(-)


diff --git a/src/src/deliver.c b/src/src/deliver.c
index fff0e2f..dd7f888 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -718,6 +718,7 @@ uschar *s;              /* building log lines;   */
 void *reset_point;      /* released afterwards.  */



+DEBUG(D_deliver) debug_printf("B cipher %s\n", addr->cipher);
/* Log the delivery on the main log. We use an extensible string to build up
the log line, and reset the store afterwards. Remote deliveries should always
have a pointer to the host item that succeeded; local deliveries can have a
@@ -734,6 +735,7 @@ pointer to a single host item in their host list, for use by the transport. */

s = reset_point = store_get(size);

+DEBUG(D_deliver) debug_printf("C cipher %s\n", addr->cipher);
 log_address = string_log_address(addr, (log_write_selector & L_all_parents) != 0, TRUE);
 if (msg)
   s = string_append(s, &size, &ptr, 3, host_and_ident(TRUE), US" ", log_address);
@@ -876,6 +878,7 @@ if (addr->transport->tpda_delivery_action)
   DEBUG(D_deliver)
     debug_printf("  TPDA(Delivery): tpda_deliver_action=|%s| tpda_delivery_IP=%s\n",
       addr->transport->tpda_delivery_action, tpda_delivery_ip);
+DEBUG(D_deliver) debug_printf("D cipher %s\n", addr->cipher);


   router_name =    addr->router->name;
   transport_name = addr->transport->name;
@@ -1088,6 +1091,11 @@ if (result == OK)
   addr->ourcert = NULL;
   tls_out.peercert = addr->peercert;
   addr->peercert = NULL;
+
+DEBUG(D_deliver) debug_printf("A cipher %s\n", addr->cipher);
+  tls_out.cipher = addr->cipher;
+  tls_out.peerdn = addr->peerdn;
+  tls_out.ocsp = addr->ocsp;
   #endif


   delivery_log(LOG_MAIN, addr, logchar, NULL);
@@ -1103,6 +1111,9 @@ if (result == OK)
     tls_free_cert(tls_out.peercert);
     tls_out.peercert = NULL;
     }
+  tls_out.cipher = NULL;
+  tls_out.peerdn = NULL;
+  tls_out.ocsp = OCSP_NOT_REQ;
   #endif
   }


@@ -2987,9 +2998,7 @@ while (!done)
     addr->cipher = string_copy(ptr);
       while (*ptr++);
       if (*ptr)
-    {
     addr->peerdn = string_copy(ptr);
-    }
       break;


       case '2':
@@ -3003,6 +3012,14 @@ while (!done)
       if (*ptr)
     (void) tls_import_cert(ptr, &addr->ourcert);
       break;
+
+      #ifdef EXPERIMENTAL_OCSP
+      case '4':
+      addr->ocsp = OCSP_NOT_REQ;
+      if (*ptr)
+    addr->ocsp = *ptr - '0';
+      break;
+      #endif
       }
     while (*ptr++);
     break;
@@ -4132,7 +4149,16 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++)
       *ptr++ = 0;
         rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer);
     }
-      #endif
+      # ifdef EXPERIMENTAL_OCSP
+      if (addr->ocsp > OCSP_NOT_REQ)
+    {
+    ptr = big_buffer;
+    sprintf(CS ptr, "X4%c", addr->ocsp + '0');
+    while(*ptr++);
+        rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer);
+    }
+      # endif
+      #endif    /*SUPPORT_TLS


       if (client_authenticator)
         {
diff --git a/src/src/globals.c b/src/src/globals.c
index af29035..a2cc503 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -341,6 +341,7 @@ address_item address_defaults = {
   NULL,            /* ourcert */
   NULL,            /* peercert */
   NULL,                 /* peerdn */
+  OCSP_NOT_REQ,         /* ocsp */
   #endif
   NULL,            /* authenticator */
   NULL,            /* auth_id */
diff --git a/src/src/globals.h b/src/src/globals.h
index 9a42fe2..8b55321 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -92,7 +92,8 @@ typedef struct {
   enum {
     OCSP_NOT_REQ=0,        /* not requested */
     OCSP_NOT_RESP,        /* no response to request */
-    OCSP_NOT_VFY,        /* response not verified */
+    OCSP_VFY_NOT_TRIED,        /* response not verified */
+    OCSP_FAILED,        /* verify failed */
     OCSP_VFIED            /* verified */
     }     ocsp;              /* Stapled OCSP status */
 } tls_support;
diff --git a/src/src/structs.h b/src/src/structs.h
index a6c78f4..aba579f 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -543,6 +543,7 @@ typedef struct address_item {
   void   *ourcert;                /* Certificate offered to peer, binary */
   void   *peercert;               /* Certificate from peer, binary */
   uschar *peerdn;                 /* DN of server's certificate */
+  int    ocsp;              /* OCSP status of peer cert */
   #endif


   uschar *authenticator;      /* auth driver name used by transport */
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index b0b67d8..3c926c0 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1446,15 +1446,15 @@ server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
 {
 int ret;


-tls_in.ocsp = OCSP_NOT_RESP;
 if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
   {
   DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
                   (char *)ptr);
+  tls_in.ocsp = OCSP_NOT_RESP;
   return GNUTLS_E_NO_CERTIFICATE_STATUS;
   }


-tls_in.ocsp = OCSP_NOT_VFY;
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
return 0;
}

@@ -1778,7 +1778,10 @@ if (require_ocsp)
     }


   if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
+    {
+    tls_out.ocsp = OCSP_FAILED;
     return tls_error(US"certificate status check failed", NULL, state->host);
+    }
   DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
   tls_out.ocsp = OCSP_VFIED;
   }
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index fd257f3..16612d3 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -572,21 +572,21 @@ if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX
   }


supply_response:
-cbinfo->u_ocsp.server.response = resp;
+ cbinfo->u_ocsp.server.response = resp;
return;

 bad:
-if (running_in_test_harness)
-  {
-  extern char ** environ;
-  uschar ** p;
-  for (p = USS environ; *p != NULL; p++)
-    if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
-      {
-      DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
-      goto supply_response;
-      }
-  }
+  if (running_in_test_harness)
+    {
+    extern char ** environ;
+    uschar ** p;
+    for (p = USS environ; *p != NULL; p++)
+      if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+    {
+    DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
+    goto supply_response;
+    }
+    }
 return;
 }
 #endif    /*EXPERIMENTAL_OCSP*/
@@ -844,9 +844,10 @@ if(!p)
     DEBUG(D_tls) debug_printf(" null\n");
   return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
  }
-tls_out.ocsp = OCSP_NOT_VFY;
+
 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
  {
+  tls_out.ocsp = OCSP_FAILED;
   if (log_extra_selector & LX_tls_cipher)
     log_write(0, LOG_MAIN, "Received TLS status response, parse error");
   else
@@ -856,6 +857,7 @@ if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))


 if(!(bs = OCSP_response_get1_basic(rsp)))
   {
+  tls_out.ocsp = OCSP_FAILED;
   if (log_extra_selector & LX_tls_cipher)
     log_write(0, LOG_MAIN, "Received TLS status response, error parsing response");
   else
@@ -867,7 +869,6 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
 /* We'd check the nonce here if we'd put one in the request. */
 /* However that would defeat cacheability on the server so we don't. */


-
 /* This section of code reworked from OpenSSL apps source;
    The OpenSSL Project retains copyright:
    Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -888,6 +889,7 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
     if ((i = OCSP_basic_verify(bs, NULL,
           cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
       {
+      tls_out.ocsp = OCSP_FAILED;
       BIO_printf(bp, "OCSP response verify failure\n");
       ERR_print_errors(bp);
       i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
@@ -902,6 +904,7 @@ if(!(bs = OCSP_response_get1_basic(rsp)))


       if (sk_OCSP_SINGLERESP_num(sresp) != 1)
         {
+    tls_out.ocsp = OCSP_FAILED;
         log_write(0, LOG_MAIN, "OCSP stapling "
         "with multiple responses not handled");
     i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
@@ -917,6 +920,7 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
     if (!OCSP_check_validity(thisupd, nextupd,
       EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
       {
+      tls_out.ocsp = OCSP_FAILED;
       DEBUG(D_tls) ERR_print_errors(bp);
       log_write(0, LOG_MAIN, "Server OSCP dates invalid");
       i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
@@ -928,10 +932,11 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
       switch(status)
     {
     case V_OCSP_CERTSTATUS_GOOD:
-      i = 1;
       tls_out.ocsp = OCSP_VFIED;
+      i = 1;
       break;
     case V_OCSP_CERTSTATUS_REVOKED:
+      tls_out.ocsp = OCSP_FAILED;
       log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
           reason != -1 ? "; reason: " : "",
           reason != -1 ? OCSP_crl_reason_str(reason) : "");
@@ -939,6 +944,7 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
       i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
       break;
     default:
+      tls_out.ocsp = OCSP_FAILED;
       log_write(0, LOG_MAIN,
           "Server certificate status unknown, in OCSP stapling");
       i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 9089d90..1232965 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1232,6 +1232,7 @@ tls_out.peerdn = NULL;
 #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
 tls_out.sni = NULL;
 #endif
+tls_out.ocsp = OCSP_NOT_REQ;


 /* Flip the legacy TLS-related variables over to the outbound set in case
 they're used in the context of the transport.  Don't bother resetting
@@ -1242,8 +1243,8 @@ tls_modify_variables(&tls_out);
 #ifndef SUPPORT_TLS
 if (smtps)
   {
-    set_errno(addrlist, 0, US"TLS support not available", DEFER, FALSE);
-    return ERROR;
+  set_errno(addrlist, 0, US"TLS support not available", DEFER, FALSE);
+  return ERROR;
   }
 #endif


@@ -1475,6 +1476,7 @@ if (tls_offered && !suppress_tls &&
         addr->ourcert = tls_out.ourcert;
         addr->peercert = tls_out.peercert;
         addr->peerdn = tls_out.peerdn;
+    addr->ocsp = tls_out.ocsp;
         }
       }
     }
@@ -2514,6 +2516,7 @@ for (addr = addrlist; addr != NULL; addr = addr->next)
   addr->ourcert = NULL;
   addr->peercert = NULL;
   addr->peerdn = NULL;
+  addr->ocsp = OCSP_NOT_REQ;
   #endif
   }
 return first_addr;
diff --git a/test/confs/5600 b/test/confs/5600
index cd5f3c8..018ee3a 100644
--- a/test/confs/5600
+++ b/test/confs/5600
@@ -40,10 +40,14 @@ tls_ocsp_file = OCSP
 begin acl


 check_connect:
-  accept   logwrite = acl_conn: ocsp in status: $tls_in_ocsp
+  accept   logwrite = acl_conn: ocsp in status: $tls_in_ocsp \
+    (${listextract {${eval:$tls_in_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})


 check_mail:
-  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp
+  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+    (${listextract {${eval:$tls_in_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})


 check_recipient:
   deny     message = certificate not verified: peerdn=$tls_peerdn
diff --git a/test/confs/5601 b/test/confs/5601
index 7eb19f7..3e97fcb 100644
--- a/test/confs/5601
+++ b/test/confs/5601
@@ -92,7 +92,9 @@ send_to_server1:
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
   hosts_require_tls = *
   hosts_request_ocsp = :
-  headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+  headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})


 send_to_server2:
   driver = smtp
@@ -102,7 +104,9 @@ send_to_server2:
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
   hosts_require_tls = *
 # note no ocsp mention here
-  headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+  headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})


 send_to_server3:
   driver = smtp
@@ -113,7 +117,9 @@ send_to_server3:
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
   hosts_require_tls =  *
   hosts_require_ocsp = *
-  headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+  headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})


 send_to_server4:
   driver = smtp
@@ -125,7 +131,9 @@ send_to_server4:
   protocol =           smtps
   hosts_require_tls =  *
   hosts_require_ocsp = *
-  headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+  headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})



# ----- Retry -----
diff --git a/test/confs/5601 b/test/confs/5608
similarity index 63%
copy from test/confs/5601
copy to test/confs/5608
index 7eb19f7..55d9a20 100644
--- a/test/confs/5601
+++ b/test/confs/5608
@@ -1,5 +1,5 @@
# Exim test configuration 5601
-# OCSP stapling, client
+# OCSP stapling, client, tpda

SERVER =

@@ -54,6 +54,12 @@ check_data:
       logwrite = client claims: $h_X-TLS-out:
   accept


+logger:
+  warn    logwrite = client ocsp status: $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})
+  accept
+
 # ----- Routers -----


begin routers
@@ -84,48 +90,60 @@ local_delivery:
headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
user = CALLER

+# nostaple: deliberately do not request cert-status
 send_to_server1:
   driver = smtp
   allow_localhost
   hosts = HOSTIPV4
   port = PORT_D
-  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
-  hosts_require_tls = *
-  hosts_request_ocsp = :
-  headers_add = X-TLS-out: ocsp status $tls_out_ocsp
-
+  tls_verify_certificates =    DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  hosts_require_tls =    *
+  hosts_request_ocsp =    :
+  headers_add =            X-TLS-out: ocsp status $tls_out_ocsp
+  tpda_delivery_action =    ${acl {logger}}
+  tpda_host_defer_action =     ${acl {logger}}
+
+# norequire: request stapling but do not verify
 send_to_server2:
   driver = smtp
   allow_localhost
   hosts = HOSTIPV4
   port = PORT_D
-  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
-  hosts_require_tls = *
+  tls_verify_certificates =    DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  hosts_require_tls =    *
 # note no ocsp mention here
-  headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+  headers_add =            X-TLS-out: ocsp status $tls_out_ocsp
+  tpda_delivery_action =    ${acl {logger}}
+  tpda_host_defer_action =     ${acl {logger}}


+# (any other name): request and verify
 send_to_server3:
   driver = smtp
   allow_localhost
   hosts = 127.0.0.1
   port = PORT_D
   helo_data = helo.data.changed
-  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
-  hosts_require_tls =  *
-  hosts_require_ocsp = *
-  headers_add = X-TLS-out: ocsp status $tls_out_ocsp
-
+  tls_verify_certificates =    DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  hosts_require_tls =    *
+  hosts_require_ocsp =    *
+  headers_add =            X-TLS-out: ocsp status $tls_out_ocsp
+  tpda_delivery_action =    ${acl {logger}}
+  tpda_host_defer_action =     ${acl {logger}}
+
+# (any other name): request and verify, ssl-on-connect
 send_to_server4:
   driver = smtp
   allow_localhost
   hosts = 127.0.0.1
   port = PORT_D
   helo_data = helo.data.changed
-  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_certificates =    DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
   protocol =           smtps
   hosts_require_tls =  *
   hosts_require_ocsp = *
-  headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+  headers_add =            X-TLS-out: ocsp status $tls_out_ocsp
+  tpda_delivery_action =    ${acl {logger}}
+  tpda_host_defer_action =     ${acl {logger}}



# ----- Retry -----
diff --git a/test/confs/5650 b/test/confs/5650
index 3d4a68e..2b89603 100644
--- a/test/confs/5650
+++ b/test/confs/5650
@@ -41,10 +41,14 @@ tls_ocsp_file = OCSP
begin acl

 check_connect:
-  accept   logwrite = acl_conn: ocsp in status: $tls_in_ocsp
+  accept   logwrite = acl_conn: ocsp in status: $tls_in_ocsp \
+    (${listextract {${eval:$tls_in_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})


 check_mail:
-  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp
+  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+    (${listextract {${eval:$tls_in_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})


 check_recipient:
   accept
diff --git a/test/confs/5651 b/test/confs/5651
index 4a1989f..6b70d33 100644
--- a/test/confs/5651
+++ b/test/confs/5651
@@ -90,7 +90,9 @@ send_to_server1:
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
   hosts_require_tls = *
   hosts_request_ocsp = :
-  headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})


 send_to_server2:
   driver = smtp
@@ -100,7 +102,9 @@ send_to_server2:
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
   hosts_require_tls = *
 # note no ocsp mention here
-  headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})


 send_to_server3:
   driver = smtp
@@ -112,7 +116,9 @@ send_to_server3:
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
   hosts_require_tls =  *
   hosts_require_ocsp = *
-  headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})


 send_to_server4:
   driver = smtp
@@ -125,7 +131,9 @@ send_to_server4:
   protocol =           smtps
   hosts_require_tls =  *
   hosts_require_ocsp = *
-  headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})



# ----- Retry -----
diff --git a/test/confs/5651 b/test/confs/5658
similarity index 70%
copy from test/confs/5651
copy to test/confs/5658
index 4a1989f..e8f2494 100644
--- a/test/confs/5651
+++ b/test/confs/5658
@@ -1,5 +1,5 @@
-# Exim test configuration 5651
-# OCSP stapling, client
+# Exim test configuration 5658
+# OCSP stapling, client, tpda

SERVER =

@@ -51,6 +51,12 @@ check_data:
       logwrite = client claims: $h_X-TLS-out:
   accept


+logger:
+  warn    logwrite = client ocsp status: $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})
+  accept
+


# ----- Routers -----

@@ -90,7 +96,11 @@ send_to_server1:
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
   hosts_require_tls = *
   hosts_request_ocsp = :
-  headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})
+  tpda_delivery_action =    ${acl {logger}}
+  tpda_host_defer_action =     ${acl {logger}}


 send_to_server2:
   driver = smtp
@@ -100,7 +110,11 @@ send_to_server2:
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
   hosts_require_tls = *
 # note no ocsp mention here
-  headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})
+  tpda_delivery_action =    ${acl {logger}}
+  tpda_host_defer_action =     ${acl {logger}}


 send_to_server3:
   driver = smtp
@@ -112,7 +126,11 @@ send_to_server3:
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
   hosts_require_tls =  *
   hosts_require_ocsp = *
-  headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})
+  tpda_delivery_action =    ${acl {logger}}
+  tpda_host_defer_action =     ${acl {logger}}


 send_to_server4:
   driver = smtp
@@ -125,7 +143,11 @@ send_to_server4:
   protocol =           smtps
   hosts_require_tls =  *
   hosts_require_ocsp = *
-  headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+        {notreq:notresp:vfynotdone:failed:verified}})
+  tpda_delivery_action =    ${acl {logger}}
+  tpda_host_defer_action =     ${acl {logger}}



# ----- Retry -----
diff --git a/test/log/5600 b/test/log/5600
index d0dc7b1..f2a469d 100644
--- a/test/log/5600
+++ b/test/log/5600
@@ -1,10 +1,10 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 acl_conn: ocsp in status: 0
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding
-1999-03-02 09:44:33 acl_mail: ocsp in status: 3
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 acl_conn: ocsp in status: 0
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 acl_conn: ocsp in status: 0
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
diff --git a/test/log/5601 b/test/log/5601
index d3c46ed..1276861 100644
--- a/test/log/5601
+++ b/test/log/5601
@@ -23,17 +23,17 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding
-1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 (notresp)
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@???
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@???> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: ocsp status 0
+1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: ocsp status 0 (notreq)
1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@???
1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: <nostaple@???> R=server
1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 3
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 (verified)
1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbA-0005vi-00@???
1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@???> R=server
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
diff --git a/test/log/5601 b/test/log/5608
similarity index 58%
copy from test/log/5601
copy to test/log/5608
index d3c46ed..2c0c980 100644
--- a/test/log/5601
+++ b/test/log/5608
@@ -1,24 +1,34 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp)
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 4 (verified)
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER@??? R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => nostaple@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 client ocsp status: 0 (notreq)
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content
-1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
-1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbB-0005vi-00 => good@??? R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 4 (verified)
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbF-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbF-0005vi-00 Received TLS status callback, null content
1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 1 (notresp)
+1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbG-0005vi-00 Server certificate revoked; reason: superseded
+1999-03-02 09:44:33 10HmbG-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 3 (failed)
+1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbH-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbH-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed)
+1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
@@ -28,15 +38,20 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@???> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: ocsp status 0
-1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@???
-1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: <nostaple@???> R=server
-1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 3
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbA-0005vi-00@???
-1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4
+1999-03-02 09:44:33 10HmbD-0005vi-00 client claims: ocsp status 0
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <norequire@???> R=server
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbD-0005vi-00 => :blackhole: <nostaple@???> R=server
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding
+1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: ocsp status 4
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbB-0005vi-00@???
+1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <good@???> R=server
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; not responding
1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
diff --git a/test/log/5650 b/test/log/5650
index 139d3e7..6bb5502 100644
--- a/test/log/5650
+++ b/test/log/5650
@@ -1,11 +1,11 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 acl_conn: ocsp in status: 0
-1999-03-02 09:44:33 acl_mail: ocsp in status: 2
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
+1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone)
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 acl_conn: ocsp in status: 0
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 acl_conn: ocsp in status: 0
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
diff --git a/test/log/5651 b/test/log/5651
index 194443a..d3a2775 100644
--- a/test/log/5651
+++ b/test/log/5651
@@ -19,16 +19,16 @@

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp)
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@???
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@???> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: OCSP status 0
+1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: OCSP status 0 (notreq)
1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@???
1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: <nostaple@???> R=server
1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 3
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 4 (verified)
1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbA-0005vi-00@???
1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@???> R=server
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
diff --git a/test/log/5651 b/test/log/5658
similarity index 59%
copy from test/log/5651
copy to test/log/5658
index 194443a..3479b66 100644
--- a/test/log/5651
+++ b/test/log/5658
@@ -1,37 +1,51 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp)
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 1 (notresp)
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER@??? R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => nostaple@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 client ocsp status: 0 (notreq)
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
-1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked
-1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbB-0005vi-00 => good@??? R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 4 (verified)
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
-1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 3 (failed)
+1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbG-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked
+1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 1 (notresp)
+1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbH-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed)
+1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed)
+1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@??? R=client T=send_to_server3 defer (-37): failure while setting up TLS session

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp)
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@???
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@???> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbB-0005vi-00 client claims: OCSP status 0
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@???
-1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: <nostaple@???> R=server
-1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 3
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbA-0005vi-00@???
-1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 1 (notresp)
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <norequire@???> R=server
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 client claims: OCSP status 0 (notreq)
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbD-0005vi-00 => :blackhole: <nostaple@???> R=server
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: OCSP status 4 (verified)
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbB-0005vi-00@???
+1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <good@???> R=server
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason.
diff --git a/test/scripts/5608-OCSP-OpenSSL-TPDA/5608 b/test/scripts/5608-OCSP-OpenSSL-TPDA/5608
new file mode 100644
index 0000000..409b48b
--- /dev/null
+++ b/test/scripts/5608-OCSP-OpenSSL-TPDA/5608
@@ -0,0 +1,82 @@
+# OCSP stapling, client, tpda
+# duplicate of 5601
+#
+#
+# Client works when we request but don't require OCSP stapling and none comes
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
+****
+exim norequire@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client works when we request but don't require OCSP stapling and some arrives
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+exim norequire@???
+test message.
+****
+#
+#
+#
+#
+# Client works when we don't request OCSP stapling
+exim nostaple@???
+test message.
+****
+#
+#
+#
+#
+# Client accepts good stapled info
+exim good@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+# Client fails on lack of required stapled info
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null
+****
+exim failrequire@???
+test message.
+****
+sleep 1
+killdaemon
+no_msglog_check
+#
+#
+#
+# Client fails on revoked stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+exim failrevoked@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client fails on expired stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+exim failexpired@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
diff --git a/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES b/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES
new file mode 100644
index 0000000..77fbd5b
--- /dev/null
+++ b/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES
@@ -0,0 +1,4 @@
+support OpenSSL
+support Experimental_OCSP
+support Experimental_TPDA
+running IPv4
diff --git a/test/scripts/5658-OCSP-GnuTLS-TPDA/5658 b/test/scripts/5658-OCSP-GnuTLS-TPDA/5658
new file mode 100644
index 0000000..2e3028b
--- /dev/null
+++ b/test/scripts/5658-OCSP-GnuTLS-TPDA/5658
@@ -0,0 +1,82 @@
+# OCSP stapling, client, tpda
+# duplicate of 5651
+#
+#
+# Client works when we request but don't require OCSP stapling and none comes
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=""
+****
+exim norequire@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client works when we request but don't require OCSP stapling and some arrives
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+exim norequire@???
+test message.
+****
+#
+#
+#
+#
+# Client works when we don't request OCSP stapling
+exim nostaple@???
+test message.
+****
+#
+#
+#
+#
+# Client accepts good stapled info
+exim good@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+# Client fails on lack of required stapled info
+exim -bd -oX PORT_D -DSERVER=server -DOCSP=""
+****
+exim failrequire@???
+test message.
+****
+sleep 1
+killdaemon
+no_msglog_check
+#
+#
+#
+# Client fails on revoked stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+exim failrevoked@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client fails on expired stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+exim failexpired@???
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
diff --git a/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES b/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES
new file mode 100644
index 0000000..2650bd9
--- /dev/null
+++ b/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES
@@ -0,0 +1,4 @@
+support GnuTLS
+support Experimental_OCSP
+support Experimental_TPDA
+running IPv4