[exim-cvs] Handle certificate dir under GnuTLS, if recent en…

Author: Exim Git Commits Mailing List
Date:
To: exim-cvs
Subject: [exim-cvs] Handle certificate dir under GnuTLS, if recent enough
Gitweb: http://git.exim.org/exim.git/commitdiff/a7fec7a71987d40dc09601ae33902d0a761887b9
Commit:     a7fec7a71987d40dc09601ae33902d0a761887b9
Parent:     fe245072af3fdc4440da6cff246ac203a2759b09
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Oct 16 19:11:45 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Oct 16 19:11:45 2014 +0100


    Handle certificate dir under GnuTLS, if recent enough
    Add testcases for certificate directories


    The GnuTLS implementation has been tested on Fedora 21 (alpha),
    using GnuTLS 3.3.9.  The testsuite case is here but with the
    script commented-out.  When enabled, the log/mail/stdout/stderr
    files will be created fresh.
---
 doc/doc-docbook/spec.xfpt                          |   21 ++-
 doc/doc-txt/ChangeLog                              |    3 +
 src/src/tls-gnu.c                                  |   19 ++-
 .../server1.example.com/certdir/08c48a5f.0         |    1 +
 .../server1.example.com/certdir/61e813e6.0         |    1 +
 test/aux-fixed/exim-ca/genall                      |   12 ++
 test/confs/2032                                    |   73 +++++++
 test/confs/2132                                    |   74 +++++++
 test/log/2132                                      |   20 ++
 test/mail/2132.CALLER                              |   36 ++++
 test/scripts/2000-GnuTLS/2032                      |   95 +++++++++
 test/scripts/2100-OpenSSL/2132                     |   91 +++++++++
 test/stderr/2132                                   |   10 +
 test/stdout/2132                                   |  205 ++++++++++++++++++++
 14 files changed, 653 insertions(+), 8 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 9cfc06c..e3df085 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16484,9 +16484,11 @@ See &%tls_verify_hosts%& below.
The value of this option is expanded, and must then be the absolute path to
a file containing permitted certificates for clients that
match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you
-are using OpenSSL, you can set &%tls_verify_certificates%& to the name of a
-directory containing certificate files. This does not work with GnuTLS; the
-option must be set to the name of a single file if you are using GnuTLS.
+are using either GnuTLS version 3.3.6 (or later) or OpenSSL,
+you can set &%tls_verify_certificates%& to the name of a
+directory containing certificate files.
+For earlier versions of GnuTLS
+the option must be set to the name of a single file.

These certificates should be for the certificate authorities trusted, rather
than the public cert of individual clients. With both OpenSSL and GnuTLS, if
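Review bot: The added wording "are using either GnuTLS version 3.3.6 (or later) or OpenSSL" reads as a run-time condition, but the tls-gnu.c change in this commit gates directory support on GNUTLS_VERSION_NUMBER at compile time. Suggest "built with GnuTLS version 3.3.6 (or later)", which matches the ChangeLog entry ("when compiled with"). It would also help to say what the directory must contain: the fixture added under certdir uses symlinks named from "openssl x509 -hash", and this paragraph does not say whether that naming is required.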
@@ -23432,10 +23434,14 @@ certificate verification succeeds.
.vindex "&$host_address$&"
The value of this option must be the absolute path to a file containing
permitted server certificates, for use when setting up an encrypted connection.
-Alternatively, if you are using OpenSSL, you can set
+Alternatively,
+if you are using either GnuTLS version 3.3.6 (or later) or OpenSSL,
+you can set
&%tls_verify_certificates%& to the name of a directory containing certificate
-files. This does not work with GnuTLS; the option must be set to the name of a
-single file if you are using GnuTLS. The values of &$host$& and
+files.
+For earlier versions of GnuTLS the option must be set to the name of a
+single file.
+The values of &$host$& and
&$host_address$& are set to the name and address of the server during the
expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS.

@@ -25917,7 +25923,8 @@ There are some differences in usage when using GnuTLS instead of OpenSSL:

 .ilist
 The &%tls_verify_certificates%& option must contain the name of a file, not the
-name of a directory (for OpenSSL it can be either).
+name of a directory for GnuTLS versions before 3.3.6
+(for later versions, or OpenSSL, it can be either).
 .next
 The default value for &%tls_dhparam%& differs for historical reasons.
 .next
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 0b03894..8b3dfe8 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -48,6 +48,9 @@ JH/06 Bug 1533: Fix truncation of items in headers_remove lists.  A fixed
       size buffer was used, resulting in syntax errors when an expansion
       exceeded it.


+JH/07 Add support for directories of certificates when compiled with a GnuTLS
+      version 3.3.6 or later.
+


Exim version 4.84
-----------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 3043e3a..14cdd12 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -51,6 +51,11 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
# warning "GnuTLS library version too old; TPDA tls:cert event unsupported"
# undef EXPERIMENTAL_TPDA
#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030306
+# define SUPPORT_CA_DIR
+#else
+# undef SUPPORT_CA_DIR
+#endif

#ifndef DISABLE_OCSP
# include <gnutls/ocsp.h>
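Review bot: The new #else arm disables SUPPORT_CA_DIR silently, whereas the EXPERIMENTAL_TPDA block directly above emits a "# warning" when the library is too old. Since older builds fall back to rejecting a directory with DEFER, a one-line comment saying that 0x030306 means 3.3.6 and what the fallback is would help the next reader. The "# undef SUPPORT_CA_DIR" only has an effect if the macro can be defined from outside this file; either say so in the comment or drop the #else arm.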
@@ -884,6 +889,7 @@ if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
return DEFER;
}

+#ifndef SUPPORT_CA_DIR
 /* The test suite passes in /dev/null; we could check for that path explicitly,
 but who knows if someone has some weird FIFO which always dumps some certs, or
 other weirdness.  The thing we really want to check is that it's not a
@@ -899,6 +905,7 @@ if (S_ISDIR(statbuf.st_mode))
       state->exp_tls_verify_certificates);
   return DEFER;
   }
+#endif


 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
         state->exp_tls_verify_certificates, statbuf.st_size);
@@ -910,8 +917,18 @@ if (statbuf.st_size == 0)
   return OK;
   }


-cert_count = gnutls_certificate_set_x509_trust_file(state->x509_cred,
+cert_count =
+
+#ifdef SUPPORT_CA_DIR
+  (statbuf.st_mode & S_IFMT) == S_IFDIR
+  ?
+  gnutls_certificate_set_x509_trust_dir(state->x509_cred,
+    CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
+  :
+#endif
+  gnutls_certificate_set_x509_trust_file(state->x509_cred,
     CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+
 if (cert_count < 0)
   {
   rc = cert_count;
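Review bot: With SUPPORT_CA_DIR defined, a directory now reaches the "if (statbuf.st_size == 0)" early return shown at the top of this hunk, and st_size for a directory is filesystem-defined, so a populated certificate directory that reports size 0 would return OK before any trust anchors are loaded. Suggest applying the size test only when the path is not a directory. As a style point, "(statbuf.st_mode & S_IFMT) == S_IFDIR" duplicates the S_ISDIR(statbuf.st_mode) form used in the check a few lines earlier; evaluating that once and using a plain if/else would be easier to read than a ternary expression split by preprocessor lines.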
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0
new file mode 120000
index 0000000..0bc4716
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0
@@ -0,0 +1 @@
+../../CA/CA.pem
\ No newline at end of file
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0
new file mode 120000
index 0000000..890dffc
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0
@@ -0,0 +1 @@
+../../CA/Signer.pem
\ No newline at end of file
diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall
index 0e3feb2..64e5a85 100755
--- a/test/aux-fixed/exim-ca/genall
+++ b/test/aux-fixed/exim-ca/genall
@@ -112,6 +112,18 @@ do
     openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
 done


+# Finally, a single certificate-directory
+cd example.com/server1.example.com
+mkdir -f certdir
+cd certdir
+f=../../CA/CA.pem
+h=`openssl x509 -hash -noout -in $f`
+ln -s $f $h.0
+f=../../CA/Signer.pem
+h=`openssl x509 -hash -noout -in $f`
+ln -s $f $h.0
+cd ../..
+
find example.* -type d -print0 | xargs -0 chmod 755
find example.* -type f -print0 | xargs -0 chmod 644

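Review bot: "mkdir -f certdir" will fail because -f is not an option of mkdir; "mkdir -p certdir" is presumably what was intended so that a rerun does not error. The block also descends three levels (example.com/server1.example.com, then certdir) but comes back with "cd ../..", which leaves the script in example.com, so the "find example.* ..." lines that follow run from the wrong directory; use "cd ../../.." or run the block in a subshell. "ln -s $f $h.0" will also fail on a rerun when the link already exists, so "ln -sf" with the variables quoted would be more robust.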
diff --git a/test/confs/2032 b/test/confs/2032
new file mode 100644
index 0000000..5a60993
--- /dev/null
+++ b/test/confs/2032
@@ -0,0 +1,73 @@
+# Exim test configuration 2032 (close copy of 2002)
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
+
+tls_verify_hosts = HOSTIPV4
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/certdir
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+  accept  hosts = :
+  deny    hosts = HOSTIPV4
+         !encrypted = AES256-SHA : \
+                      AES256-GCM-SHA384 : \
+                      IDEA-CBC-MD5 : \
+                      DES-CBC3-SHA : \
+                      DHE_RSA_AES_256_CBC_SHA1 : \
+                      DHE_RSA_3DES_EDE_CBC_SHA : \
+                      RSA_AES_256_CBC_SHA1
+  warn    logwrite =  ${if def:tls_in_ourcert \
+        {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
+        {We did not present a cert}}
+  accept  condition = ${if !def:tls_in_peercert}
+      logwrite =  Peer did not present a cert
+  accept  logwrite =  SN  <${certextract {subject}    {$tls_in_peercert}}>
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+  driver = accept
+  retry_use_local_part
+  transport = local_delivery
+  headers_add = tls-certificate-verified: $tls_certificate_verified
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+# End
diff --git a/test/confs/2132 b/test/confs/2132
new file mode 100644
index 0000000..0692493
--- /dev/null
+++ b/test/confs/2132
@@ -0,0 +1,74 @@
+# Exim test configuration 2132 (close copy of 2102)
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
+
+tls_verify_hosts = HOSTIPV4
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/certdir
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+  accept  hosts = :
+  deny    hosts = HOSTIPV4
+         !encrypted = AES256-SHA : \
+                      AES256-GCM-SHA384 : \
+                      IDEA-CBC-MD5 : \
+                      DES-CBC3-SHA : \
+              DHE-RSA-AES256-SHA : \
+              DHE-RSA-AES256-GCM-SHA384 : \
+                      DHE_RSA_AES_256_CBC_SHA1 : \
+                      DHE_RSA_3DES_EDE_CBC_SHA
+  warn    logwrite =  ${if def:tls_in_ourcert \
+        {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
+        {We did not present a cert}}
+  accept  condition = ${if !def:tls_in_peercert}
+      logwrite =  Peer did not present a cert
+  accept  logwrite =  SN  <${certextract {subject}    {$tls_in_peercert}}>
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+  driver = accept
+  retry_use_local_part
+  transport = local_delivery
+  headers_add = tls-certificate-verified: $tls_certificate_verified
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+# End
diff --git a/test/log/2132 b/test/log/2132
new file mode 100644
index 0000000..3463387
--- /dev/null
+++ b/test/log/2132
@@ -0,0 +1,20 @@
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@??? H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
+1999-03-02 09:44:33 SN  <CN=server1.example.com>
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER <CALLER@???> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER <CALLER@???> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER <CALLER@???> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/mail/2132.CALLER b/test/mail/2132.CALLER
new file mode 100644
index 0000000..21b5e2c
--- /dev/null
+++ b/test/mail/2132.CALLER
@@ -0,0 +1,36 @@
+From CALLER@??? Tue Mar 02 09:44:33 1999
+Received: from [127.0.0.1]
+    by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+    (Exim x.yz)
+    (envelope-from <CALLER@???>)
+    id 10HmaX-0005vi-00
+    for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 0
+TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+
+This is a test encrypted message.
+
+From "name with spaces"@??? Tue Mar 02 09:44:33 1999
+Received: from [127.0.0.1]
+    by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+    (Exim x.yz)
+    (envelope-from <"name with spaces"@???>)
+    id 10HmaY-0005vi-00
+    for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 0
+TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+
+This is a test encrypted message.
+
+From CALLER@??? Tue Mar 02 09:44:33 1999
+Received: from [ip4.ip4.ip4.ip4]
+    by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+    (Exim x.yz)
+    (envelope-from <CALLER@???>)
+    id 10HmaZ-0005vi-00
+    for CALLER@???; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 1
+TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/CN=server1.example.com
+
+This is a test encrypted message from a verified host.
+
diff --git a/test/scripts/2000-GnuTLS/2032 b/test/scripts/2000-GnuTLS/2032
new file mode 100644
index 0000000..88c0e8a
--- /dev/null
+++ b/test/scripts/2000-GnuTLS/2032
@@ -0,0 +1,95 @@
+# TLS server: server ca cert from directory
+# - tests all disabled until GnuTLS 3.3.6 (or later) is in common use
+# - or we get a library-version dependency mechanism in the testsuite
+#
+#gnutls
+#exim -DSERVER=server -bd -oX PORT_D
+#****
+#client-gnutls 127.0.0.1 PORT_D
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#mail from:<CALLER@???>
+#??? 250
+#rcpt to:<CALLER@???>
+#??? 250
+#DATA
+#??? 3
+#This is a test encrypted message.
+#.
+#??? 250
+#quit
+#??? 221
+#****
+#client-gnutls 127.0.0.1 PORT_D
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#mail from:<"name with spaces"@???>
+#??? 250
+#rcpt to:<CALLER@???>
+#??? 250
+#DATA
+#??? 3
+#This is a test encrypted message.
+#.
+#??? 250
+#quit
+#??? 221
+#****
+#client-gnutls HOSTIPV4 PORT_D
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#****
+#client-gnutls HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#mail from:<CALLER@???>
+#??? 250
+#rcpt to:<CALLER@???>
+#??? 250
+#DATA
+#??? 3
+#This is a test encrypted message from a verified host.
+#.
+#??? 250
+#quit
+#??? 221
+#****
+#killdaemon
+#exim -qf
+#****
+#exim -bh 10.0.0.1
+#starttls
+#quit
+#****
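Review bot: Every command in this script is commented out, so the gnutls_certificate_set_x509_trust_dir path added in tls-gnu.c has no automated coverage, and test/confs/2032 is committed without matching log, mail, stdout or stderr reference files. The header comment already names the blocker (no library-version dependency mechanism in the testsuite); suggest recording that as a follow-up item and stating in the header that the reference files must be generated when the script is enabled, so the disabled test is not mistaken for a passing one.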
diff --git a/test/scripts/2100-OpenSSL/2132 b/test/scripts/2100-OpenSSL/2132
new file mode 100644
index 0000000..620a63f
--- /dev/null
+++ b/test/scripts/2100-OpenSSL/2132
@@ -0,0 +1,91 @@
+# TLS server: server ca cert from directory
+exim -DSERVER=server -bd -oX PORT_D
+****
+client-ssl 127.0.0.1 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<CALLER@???>
+??? 250
+rcpt to:<CALLER@???>
+??? 250
+DATA
+??? 3
+This is a test encrypted message.
+.
+??? 250
+quit
+??? 221
+****
+client-ssl 127.0.0.1 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<"name with spaces"@???>
+??? 250
+rcpt to:<CALLER@???>
+??? 250
+DATA
+??? 3
+This is a test encrypted message.
+.
+??? 250
+quit
+??? 221
+****
+client-ssl HOSTIPV4 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+****
+client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<CALLER@???>
+??? 250
+rcpt to:<CALLER@???>
+??? 250
+DATA
+??? 3
+This is a test encrypted message from a verified host.
+.
+??? 250
+quit
+??? 221
+****
+killdaemon
+exim -qf
+****
+exim -bh 10.0.0.1
+starttls
+quit
+****
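Review bot: The script covers a client from HOSTIPV4 with no certificate (handshake rejected) and a client whose certificate chains to the CAs linked in certdir, but there is no case for a client presenting a certificate issued by a CA that is absent from the directory. Suggest adding that case after the "client-ssl HOSTIPV4 PORT_D" block, so the test shows that the directory contents constrain which peers verify and not only that loading the directory succeeds.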
diff --git a/test/stderr/2132 b/test/stderr/2132
new file mode 100644
index 0000000..59f3382
--- /dev/null
+++ b/test/stderr/2132
@@ -0,0 +1,10 @@
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+
+******** SERVER ********
diff --git a/test/stdout/2132 b/test/stdout/2132
new file mode 100644
index 0000000..a9724e1
--- /dev/null
+++ b/test/stdout/2132
@@ -0,0 +1,205 @@
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@???>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaX-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<"name with spaces"@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@???>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaY-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read server session ticket A
+pppp:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:dddd:SSL alert number 40
+Failed to start TLS
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@???>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message from a verified host.
+>>> .
+??? 250
+<<< 250 OK id=10HmaZ-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+
+**** SMTP testing session as if from host 10.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+503 STARTTLS command used when not advertised
+221 myhost.test.ex closing connection