[exim-cvs] Fix TLS SNI, and add regression test cases

Etusivu
Poista viesti
Vastaa
Lähettäjä: Exim Git Commits Mailing List
Päiväys:  
Vastaanottaja: exim-cvs
Aihe: [exim-cvs] Fix TLS SNI, and add regression test cases
Gitweb: http://git.exim.org/exim.git/commitdiff/0df4ab80579544db421576d92e8a9b783edb1a58
Commit:     0df4ab80579544db421576d92e8a9b783edb1a58
Parent:     4b57b15d12942aff5360105a71f9c1b9d9a4edaf
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Jul 13 12:18:09 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Jul 13 12:18:09 2014 +0100


    Fix TLS SNI, and add regression test cases
---
 doc/doc-txt/ChangeLog          |    2 +
 src/src/tls-gnu.c              |   11 ++---
 src/src/tls-openssl.c          |   21 +++------
 test/confs/2030                |   79 +++++++++++++++++++++++++++++++++
 test/confs/2031                |   92 +++++++++++++++++++++++++++++++++++++++
 test/confs/2130                |   79 +++++++++++++++++++++++++++++++++
 test/confs/2131                |   94 ++++++++++++++++++++++++++++++++++++++++
 test/log/2030                  |   10 ++++
 test/log/2031                  |   17 +++++++
 test/log/2130                  |   10 ++++
 test/log/2131                  |   17 +++++++
 test/scripts/2000-GnuTLS/2030  |   10 ++++
 test/scripts/2000-GnuTLS/2031  |   19 ++++++++
 test/scripts/2100-OpenSSL/2130 |   10 ++++
 test/scripts/2100-OpenSSL/2131 |   19 ++++++++
 15 files changed, 471 insertions(+), 19 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 83a0663..ac8fce5 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -142,6 +142,8 @@ TL/14 Enhance documentation of ${run expansion and how it parses the
       commandline after expansion, particularly in the case when an
       unquoted variable expansion results in an empty value.


+JH/27 The TLS SNI feature was broken in 4.82. Fix it.
+

Exim version 4.82
-----------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 5bdb21e..266ab89 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -108,7 +108,6 @@ typedef struct exim_gnutls_state {

   uschar *exp_tls_certificate;
   uschar *exp_tls_privatekey;
-  uschar *exp_tls_sni;
   uschar *exp_tls_verify_certificates;
   uschar *exp_tls_crl;
   uschar *exp_tls_require_ciphers;
@@ -1086,15 +1085,15 @@ if (rc != OK) return rc;
 /* set SNI in client, only */
 if (host)
   {
-  if (!expand_check(state->tlsp->sni, US"tls_out_sni", &state->exp_tls_sni))
+  if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni))
     return DEFER;
-  if (state->exp_tls_sni && *state->exp_tls_sni)
+  if (state->tlsp->sni && *state->tlsp->sni)
     {
     DEBUG(D_tls)
-      debug_printf("Setting TLS client SNI to \"%s\"\n", state->exp_tls_sni);
-    sz = Ustrlen(state->exp_tls_sni);
+      debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
+    sz = Ustrlen(state->tlsp->sni);
     rc = gnutls_server_name_set(state->session,
-        GNUTLS_NAME_DNS, state->exp_tls_sni, sz);
+        GNUTLS_NAME_DNS, state->tlsp->sni, sz);
     exim_gnutls_err_check(US"gnutls_server_name_set");
     }
   }
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 9609d62..18994ea 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -436,14 +436,11 @@ const char *pem;
 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
   return FALSE;


-if (dhexpanded == NULL || *dhexpanded == '\0')
-  {
+if (!dhexpanded || !*dhexpanded)
   bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
-  }
 else if (dhexpanded[0] == '/')
   {
-  bio = BIO_new_file(CS dhexpanded, "r");
-  if (bio == NULL)
+  if (!(bio = BIO_new_file(CS dhexpanded, "r")))
     {
     tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
           host, US strerror(errno));
@@ -458,8 +455,7 @@ else
     return TRUE;
     }


-  pem = std_dh_prime_named(dhexpanded);
-  if (!pem)
+  if (!(pem = std_dh_prime_named(dhexpanded)))
     {
     tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
         host, US strerror(errno));
@@ -468,8 +464,7 @@ else
   bio = BIO_new_mem_buf(CS pem, -1);
   }


-dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
-if (dh == NULL)
+if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
{
BIO_free(bio);
tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
@@ -770,8 +765,7 @@ if (!reexpand_tls_files_for_sni)
not confident that memcpy wouldn't break some internal reference counting.
Especially since there's a references struct member, which would be off. */

-server_sni = SSL_CTX_new(SSLv23_server_method());
-if (!server_sni)
+if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
{
ERR_error_string(ERR_get_error(), ssl_errstring);
DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
@@ -805,8 +799,8 @@ OCSP information. */
rc = tls_expand_session_files(server_sni, cbinfo);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;

-rc = init_dh(server_sni, cbinfo->dhparam, NULL);
-if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
+if (!init_dh(server_sni, cbinfo->dhparam, NULL))
+ return SSL_TLSEXT_ERR_NOACK;

DEBUG(D_tls) debug_printf("Switching SSL context.\n");
SSL_set_SSL_CTX(s, server_sni);
@@ -1052,6 +1046,7 @@ else
cbinfo->u_ocsp.client.verify_store = NULL;
#endif
cbinfo->dhparam = dhparam;
+cbinfo->server_cipher_list = NULL;
cbinfo->host = host;

 SSL_load_error_strings();          /* basic set up */
diff --git a/test/confs/2030 b/test/confs/2030
new file mode 100644
index 0000000..4ad1463
--- /dev/null
+++ b/test/confs/2030
@@ -0,0 +1,79 @@
+# Exim test configuration 2030
+# SNI
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = acl_log_sni
+log_selector = +tls_peerdn +tls_sni
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+
+
+# ------ ACL ------
+
+begin acl
+
+acl_log_sni:
+  accept
+     logwrite = SNI <$tls_in_sni>
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if !eq {SERVER}{server}}
+  transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+
+server:
+  driver = redirect
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server1:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = fred
+
+send_to_server2:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/confs/2031 b/test/confs/2031
new file mode 100644
index 0000000..a52b21e
--- /dev/null
+++ b/test/confs/2031
@@ -0,0 +1,92 @@
+# Exim test configuration 2030
+# SNI
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = acl_log_sni
+log_selector = +tls_peerdn +tls_sni
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server} \
+    {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
+        {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
+        {cert1} \
+            }\
+    }fail}
+
+tls_privatekey = ${if eq {SERVER}{server} \
+    {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
+        {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+        {cert1} \
+            }\
+    }fail}
+
+
+# ------ ACL ------
+
+begin acl
+
+acl_log_sni:
+  accept
+     logwrite = SNI <$tls_in_sni>
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if !eq {SERVER}{server}}
+  transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+
+server:
+  driver = redirect
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server1:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = fred
+
+send_to_server2:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = bill
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/confs/2130 b/test/confs/2130
new file mode 100644
index 0000000..4143fc8
--- /dev/null
+++ b/test/confs/2130
@@ -0,0 +1,79 @@
+# Exim test configuration 2130
+# SNI
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = acl_log_sni
+log_selector = +tls_peerdn +tls_sni
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+
+
+# ------ ACL ------
+
+begin acl
+
+acl_log_sni:
+  accept
+     logwrite = SNI <$tls_in_sni>
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if !eq {SERVER}{server}}
+  transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+
+server:
+  driver = redirect
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server1:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = fred
+
+send_to_server2:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/confs/2131 b/test/confs/2131
new file mode 100644
index 0000000..c52ceed
--- /dev/null
+++ b/test/confs/2131
@@ -0,0 +1,94 @@
+# Exim test configuration 2130
+# SNI
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = acl_log_sni
+log_selector = +tls_peerdn +tls_sni
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server} \
+    {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
+        {exim-ca/example.com/server1.example.com/server1.example.com.pem} \
+        {cert1} \
+            }\
+    }fail}
+
+tls_privatekey = ${if eq {SERVER}{server} \
+    {DIR/aux-fixed/${if eq {$tls_in_sni}{bill} \
+        {exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key} \
+        {cert1} \
+            }\
+    }fail}
+
+
+# ------ ACL ------
+
+begin acl
+
+acl_log_sni:
+  accept
+     logwrite = SNI <$tls_in_sni>
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if !eq {SERVER}{server}}
+  transport = send_to_server${if eq{$local_part}{abcd}{2}{1}}
+
+server:
+  driver = redirect
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server1:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = fred
+  hosts_require_tls = *
+
+send_to_server2:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_sni = bill
+  hosts_require_tls = *
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/log/2030 b/test/log/2030
new file mode 100644
index 0000000..820b84f
--- /dev/null
+++ b/test/log/2030
@@ -0,0 +1,10 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 SNI <fred>
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 SNI="fred" S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/2031 b/test/log/2031
new file mode 100644
index 0000000..6d6b4f7
--- /dev/null
+++ b/test/log/2031
@@ -0,0 +1,17 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => abcd@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 SNI <fred>
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 SNI="fred" S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 SNI <bill>
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 SNI="bill" S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@???> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/2130 b/test/log/2130
new file mode 100644
index 0000000..5b5b568
--- /dev/null
+++ b/test/log/2130
@@ -0,0 +1,10 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 SNI <fred>
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 SNI="fred" S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/2131 b/test/log/2131
new file mode 100644
index 0000000..1fbd246
--- /dev/null
+++ b/test/log/2131
@@ -0,0 +1,17 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => abcd@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 SNI <fred>
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 SNI="fred" S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 SNI <bill>
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 SNI="bill" S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@???> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/scripts/2000-GnuTLS/2030 b/test/scripts/2000-GnuTLS/2030
new file mode 100644
index 0000000..ef7a8de
--- /dev/null
+++ b/test/scripts/2000-GnuTLS/2030
@@ -0,0 +1,10 @@
+# TLS: SNI
+gnutls
+exim -DSERVER=server -bd -oX PORT_D
+****
+# Basic: is SNI set on tpt seen by server
+exim CALLER@???
+Test message.
+****
+millisleep 500
+killdaemon
diff --git a/test/scripts/2000-GnuTLS/2031 b/test/scripts/2000-GnuTLS/2031
new file mode 100644
index 0000000..65b5290
--- /dev/null
+++ b/test/scripts/2000-GnuTLS/2031
@@ -0,0 +1,19 @@
+# TLS server: SNI used to select certificate
+gnutls
+exim -DSERVER=server -bd -oX PORT_D
+****
+# Extended: certificate choice is unchanged by received SNI
+exim CALLER@???
+Test message.
+****
+millisleep 500
+#
+#
+# Extended: server uses SNI to choose certificate
+exim abcd@???
+Test message.
+****
+millisleep 500
+#
+#
+killdaemon
diff --git a/test/scripts/2100-OpenSSL/2130 b/test/scripts/2100-OpenSSL/2130
new file mode 100644
index 0000000..43695f6
--- /dev/null
+++ b/test/scripts/2100-OpenSSL/2130
@@ -0,0 +1,10 @@
+# TLS: SNI
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+# Basic: is SNI set on tpt seen by server
+exim CALLER@???
+Test message.
+****
+millisleep 500
+killdaemon
diff --git a/test/scripts/2100-OpenSSL/2131 b/test/scripts/2100-OpenSSL/2131
new file mode 100644
index 0000000..74d3dbb
--- /dev/null
+++ b/test/scripts/2100-OpenSSL/2131
@@ -0,0 +1,19 @@
+# TLS server: SNI used to select certificate
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+# Extended: certificate choice is unchanged by received SNI
+exim CALLER@???
+Test message.
+****
+millisleep 500
+#
+#
+# Extended: server uses SNI to change certificate
+exim abcd@???
+Test message.
+****
+millisleep 500
+#
+#
+killdaemon