Gitweb:
http://git.exim.org/exim.git/commitdiff/01a4a5c5cbaa40ca618d3e233991ce183b551477
Commit: 01a4a5c5cbaa40ca618d3e233991ce183b551477
Parent: ad07e9add2a9959a2cc07c996452fcfc10ccab9f
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Nov 22 19:16:19 2014 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Mon Jan 12 18:58:33 2015 +0000
Move certificate name checking to mainline, default enabled
This is an exim client checking a server certificate.
---
doc/doc-docbook/spec.xfpt | 13 ++++++++
doc/doc-txt/ChangeLog | 5 +++
doc/doc-txt/experimental-spec.txt | 35 ----------------------
src/src/config.h.defaults | 1 -
src/src/exim.c | 3 --
src/src/functions.h | 2 -
src/src/tls-gnu.c | 14 +--------
src/src/tls-openssl.c | 23 ++------------
src/src/tls.c | 2 -
src/src/transports/smtp.c | 8 +----
src/src/transports/smtp.h | 2 -
test/confs/2012 | 56 ++++++++++++++++++----------------
test/confs/2112 | 56 ++++++++++++++++++----------------
test/confs/5601 | 4 ++
test/confs/5608 | 4 ++
test/confs/5651 | 4 ++
test/confs/5658 | 4 ++
test/confs/5750 | 1 +
test/confs/5760 | 1 +
test/confs/5840 | 1 +
test/log/2012 | 22 ++++++++++----
test/log/2112 | 22 ++++++++++----
test/log/5840 | 2 +
test/scripts/2000-GnuTLS/2012 | 6 ++++
test/scripts/2100-OpenSSL/2112 | 6 ++++
test/scripts/5840-DANE-OpenSSL/5840 | 2 +-
test/stderr/5410 | 1 +
27 files changed, 151 insertions(+), 149 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 542ccaf..5bdf572 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23435,6 +23435,19 @@ The &$tls_out_certificate_verified$& variable is set when
certificate verification succeeds.
+.option tls_verify_cert_hostnames smtp "host list&!!" *
+.cindex "TLS" "server certificate hostname verification"
+.cindex "certificate" "verification of server"
+This option give a list of hosts for which,
+while verifying the server certificate,
+checks will be included on the host name
+(note that this will generally be the result of a DNS MX lookup)
+versus Subject and Subject-Alternate-Name fields. Wildcard names are permitted
+limited to being the initial component of a 3-or-more component FQDN.
+
+There is no equivalent checking on client certificates.
+
+
.option tls_verify_certificates smtp string&!! unset
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2f29e36..27abe47 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -12,6 +12,11 @@ JH/02 The smtp transport option "multi_domain" is now expanded.
JH/03 The smtp transport now requests PRDR by default, if the server offers
it.
+JH/04 Certificate name checking on server certificates, when exim is a client,
+ is now done by default. The transport option tls_verify_cert_hostname
+ can be used to disable this per-host. The build option
+ EXPERIMENTAL_CERTNAMES is withdrawn.
+
Exim version 4.85
-----------------
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 4a2a04b..4bcfecf 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1146,41 +1146,6 @@ Adding it to a redirect router makes no difference.
-Certificate name checking
---------------------------------------------------------------
-The X509 certificates used for TLS are supposed be verified
-that they are owned by the expected host. The coding of TLS
-support to date has not made these checks.
-
-If built with EXPERIMENTAL_CERTNAMES defined, code is
-included to do so for server certificates, and a new smtp transport option
-"tls_verify_cert_hostnames" supported which takes a hostlist
-which must match the target host for the additional checks must be made.
-The option currently defaults to empty, but this may change in
-the future. "*" is probably a suitable value.
-Whether certificate verification is done at all, and the result of
-it failing, is stll under the control of "tls_verify_hosts" nad
-"tls_try_verify_hosts".
-
-The name being checked is that for the host, generally
-the result of an MX lookup.
-
-Both Subject and Subject-Alternate-Name certificate fields
-are supported, as are wildcard certificates (limited to
-a single wildcard being the initial component of a 3-or-more
-component FQDN).
-
-The equivalent check on the server for client certificates is not
-implemented. At least one major email provider is using a client
-certificate which fails this check. They do not retry either without
-the client certificate or in clear.
-
-It is possible to duplicate the effect of this checking by
-creative use of Events.
-
-
-
-
DANE
------------------------------------------------------------
DNS-based Authentication of Named Entities, as applied
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index a0997a0..ec4322c 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -167,7 +167,6 @@ it's a default value. */
/* EXPERIMENTAL features */
#define EXPERIMENTAL_BRIGHTMAIL
-#define EXPERIMENTAL_CERTNAMES
#define EXPERIMENTAL_DANE
#define EXPERIMENTAL_DCC
#define EXPERIMENTAL_DMARC
diff --git a/src/src/exim.c b/src/src/exim.c
index d6915d4..e0b7546 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -853,9 +853,6 @@ fprintf(f, "Support for:");
#ifdef EXPERIMENTAL_REDIS
fprintf(f, " Experimental_Redis");
#endif
-#ifdef EXPERIMENTAL_CERTNAMES
- fprintf(f, " Experimental_Certnames");
-#endif
#ifdef EXPERIMENTAL_DSN
fprintf(f, " Experimental_DSN");
#endif
diff --git a/src/src/functions.h b/src/src/functions.h
index a74c94b..68609f2 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -67,9 +67,7 @@ extern void tls_version_report(FILE *);
extern BOOL tls_openssl_options_parse(uschar *, long *);
# endif
extern uschar * tls_field_from_dn(uschar *, uschar *);
-# ifdef EXPERIMENTAL_CERTNAMES
extern BOOL tls_is_name_for_cert(uschar *, void *);
-# endif
# ifdef EXPERIMENTAL_DANE
extern int tlsa_lookup(const host_item *, dns_answer *, BOOL, BOOL *);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index bdc032f..b520ebf 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -117,9 +117,7 @@ typedef struct exim_gnutls_state {
uschar *exp_tls_crl;
uschar *exp_tls_require_ciphers;
uschar *exp_tls_ocsp_file;
-#ifdef EXPERIMENTAL_CERTNAMES
uschar *exp_tls_verify_cert_hostnames;
-#endif
#ifdef EXPERIMENTAL_EVENT
uschar *event_action;
#endif
@@ -138,9 +136,7 @@ static const exim_gnutls_state_st exim_gnutls_state_init = {
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-#ifdef EXPERIMENTAL_CERTNAMES
- NULL,
-#endif
+ NULL,
#ifdef EXPERIMENTAL_EVENT
NULL,
#endif
@@ -1385,7 +1381,6 @@ if (rc < 0 ||
else
{
-#ifdef EXPERIMENTAL_CERTNAMES
if (state->exp_tls_verify_cert_hostnames)
{
int sep = 0;
@@ -1407,7 +1402,6 @@ else
return TRUE;
}
}
-#endif
state->peer_cert_verified = TRUE;
DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
state->peerdn ? state->peerdn : US"<unset>");
@@ -1771,7 +1765,6 @@ return OK;
-#ifdef EXPERIMENTAL_CERTNAMES
static void
tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
smtp_transport_options_block * ob)
@@ -1784,7 +1777,6 @@ if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
state->exp_tls_verify_cert_hostnames);
}
}
-#endif
/*************************************************
@@ -1859,9 +1851,7 @@ if ( ( state->exp_tls_verify_certificates
|| verify_check_given_host(&ob->tls_verify_hosts, host) == OK
)
{
-#ifdef EXPERIMENTAL_CERTNAMES
tls_client_setup_hostname_checks(host, state, ob);
-#endif
DEBUG(D_tls)
debug_printf("TLS: server certificate verification required.\n");
state->verify_requirement = VERIFY_REQUIRED;
@@ -1869,9 +1859,7 @@ if ( ( state->exp_tls_verify_certificates
}
else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
{
-#ifdef EXPERIMENTAL_CERTNAMES
tls_client_setup_hostname_checks(host, state, ob);
-#endif
DEBUG(D_tls)
debug_printf("TLS: server certificate verification optional.\n");
state->verify_requirement = VERIFY_OPTIONAL;
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 43fbaa4..7c66775 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -123,10 +123,7 @@ typedef struct tls_ext_ctx_cb {
uschar *server_cipher_list;
/* only passed down to tls_error: */
host_item *host;
-
-#ifdef EXPERIMENTAL_CERTNAMES
uschar * verify_cert_hostnames;
-#endif
#ifdef EXPERIMENTAL_EVENT
uschar * event_action;
#endif
@@ -354,14 +351,11 @@ else if (depth != 0)
}
else
{
-#ifdef EXPERIMENTAL_CERTNAMES
uschar * verify_cert_hostnames;
-#endif
tlsp->peerdn = txt;
tlsp->peercert = X509_dup(cert);
-#ifdef EXPERIMENTAL_CERTNAMES
if ( tlsp == &tls_out
&& ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
/* client, wanting hostname check */
@@ -413,7 +407,6 @@ else
"tls_try_verify_hosts)\n");
}
# endif
-#endif /*EXPERIMENTAL_CERTNAMES*/
#ifdef EXPERIMENTAL_EVENT
ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
@@ -1289,9 +1282,7 @@ else /* client */
# endif
#endif
-#ifdef EXPERIMENTAL_CERTNAMES
cbinfo->verify_cert_hostnames = NULL;
-#endif
/* Set up the RSA callback */
@@ -1672,10 +1663,7 @@ return OK;
static int
tls_client_basic_ctx_init(SSL_CTX * ctx,
- host_item * host, smtp_transport_options_block * ob
-#ifdef EXPERIMENTAL_CERTNAMES
- , tls_ext_ctx_cb * cbinfo
-#endif
+ host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
)
{
int rc;
@@ -1696,14 +1684,12 @@ if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
return rc;
-#ifdef EXPERIMENTAL_CERTNAMES
if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
{
cbinfo->verify_cert_hostnames = host->name;
DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
cbinfo->verify_cert_hostnames);
}
-#endif
return OK;
}
@@ -1882,11 +1868,8 @@ else
#endif
- if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob
-#ifdef EXPERIMENTAL_CERTNAMES
- , client_static_cbinfo
-#endif
- )) != OK)
+ if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
+ != OK)
return rc;
if ((client_ssl = SSL_new(client_ctx)) == NULL)
diff --git a/src/src/tls.c b/src/src/tls.c
index b3d088d..1182379 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -281,7 +281,6 @@ return list;
}
-# ifdef EXPERIMENTAL_CERTNAMES
/* Compare a domain name with a possibly-wildcarded name. Wildcards
are restricted to a single one, as the first element of patterns
having at least three dot-separated elements. Case-independent.
@@ -353,7 +352,6 @@ else if ((subjdn = tls_cert_subject(cert, NULL)))
}
return FALSE;
}
-# endif /*EXPERIMENTAL_CERTNAMES*/
#endif /*SUPPORT_TLS*/
/* vi: aw ai sw=2
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 3dae1d2..f57ee69 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -176,10 +176,8 @@ optionlist smtp_transport_options[] = {
(void *)offsetof(smtp_transport_options_block, tls_tempfail_tryclear) },
{ "tls_try_verify_hosts", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, tls_try_verify_hosts) },
-#ifdef EXPERIMENTAL_CERTNAMES
{ "tls_verify_cert_hostnames", opt_stringptr,
(void *)offsetof(smtp_transport_options_block,tls_verify_cert_hostnames)},
-#endif
{ "tls_verify_certificates", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, tls_verify_certificates) },
{ "tls_verify_hosts", opt_stringptr,
@@ -262,10 +260,8 @@ smtp_transport_options_block smtp_transport_option_defaults = {
/* tls_dh_min_bits */
TRUE, /* tls_tempfail_tryclear */
NULL, /* tls_verify_hosts */
- NULL /* tls_try_verify_hosts */
-# ifdef EXPERIMENTAL_CERTNAMES
- ,NULL /* tls_verify_cert_hostnames */
-# endif
+ NULL, /* tls_try_verify_hosts */
+ US"*" /* tls_verify_cert_hostnames */
#endif
#ifndef DISABLE_DKIM
,NULL, /* dkim_canon */
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 95e9195..1b51c13 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -74,9 +74,7 @@ typedef struct {
BOOL tls_tempfail_tryclear;
uschar *tls_verify_hosts;
uschar *tls_try_verify_hosts;
-# ifdef EXPERIMENTAL_CERTNAMES
uschar *tls_verify_cert_hostnames;
-# endif
#endif
#ifndef DISABLE_DKIM
uschar *dkim_domain;
diff --git a/test/confs/2012 b/test/confs/2012
index 97dc25e..6bc5487 100644
--- a/test/confs/2012
+++ b/test/confs/2012
@@ -104,6 +104,7 @@ send_to_server_failcert:
tls_privatekey = CERT2
tls_verify_certificates = CA2
+ tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
send_to_server_retry:
@@ -117,6 +118,7 @@ send_to_server_retry:
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+ tls_verify_cert_hostnames =
# this will fail to verify the cert but continue unverified though crypted
send_to_server_crypt:
@@ -130,6 +132,7 @@ send_to_server_crypt:
tls_verify_certificates = CA2
tls_try_verify_hosts = *
+ tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
send_to_server_req_fail:
@@ -142,31 +145,32 @@ send_to_server_req_fail:
tls_verify_certificates = CA2
tls_verify_hosts = *
-
-# # this will fail to verify the cert name and fallback to unencrypted
-# send_to_server_req_failname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = server1.example.net : server1.example.org
-# tls_verify_hosts = *
-#
-# # this will pass the cert verify including name check
-# send_to_server_req_passname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = noway.example.com : server1.example.com
-# tls_verify_hosts = *
+ tls_verify_cert_hostnames =
+
+ # this will fail to verify the cert name and fallback to unencrypted
+ send_to_server_req_failname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_hosts = *
+
+ # this will pass the cert verify including name check
+ send_to_server_req_passname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_hosts = *
# End
diff --git a/test/confs/2112 b/test/confs/2112
index 4751e60..2c81e0c 100644
--- a/test/confs/2112
+++ b/test/confs/2112
@@ -104,6 +104,7 @@ send_to_server_failcert:
tls_privatekey = CERT2
tls_verify_certificates = CA2
+ tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
send_to_server_retry:
@@ -117,6 +118,7 @@ send_to_server_retry:
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+ tls_verify_cert_hostnames =
# this will fail to verify the cert but continue unverified though crypted
send_to_server_crypt:
@@ -130,6 +132,7 @@ send_to_server_crypt:
tls_verify_certificates = CA2
tls_try_verify_hosts = *
+ tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
send_to_server_req_fail:
@@ -142,31 +145,32 @@ send_to_server_req_fail:
tls_verify_certificates = CA2
tls_verify_hosts = *
-
-# # this will fail to verify the cert name and fallback to unencrypted
-# send_to_server_req_failname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = server1.example.net : server1.example.org
-# tls_verify_hosts = *
-#
-# # this will pass the cert verify including name check
-# send_to_server_req_passname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = noway.example.com : server1.example.com
-# tls_verify_hosts = *
+ tls_verify_cert_hostnames =
+
+ # this will fail to verify the cert name and fallback to unencrypted
+ send_to_server_req_failname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_hosts = *
+
+ # this will pass the cert verify including name check
+ send_to_server_req_passname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_hosts = *
# End
diff --git a/test/confs/5601 b/test/confs/5601
index 3e97fcb..1a73203 100644
--- a/test/confs/5601
+++ b/test/confs/5601
@@ -90,6 +90,7 @@ send_to_server1:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_request_ocsp = :
headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -102,6 +103,7 @@ send_to_server2:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
# note no ocsp mention here
headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -115,6 +117,7 @@ send_to_server3:
port = PORT_D
helo_data = helo.data.changed
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -128,6 +131,7 @@ send_to_server4:
port = PORT_D
helo_data = helo.data.changed
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
diff --git a/test/confs/5608 b/test/confs/5608
index da0f670..6061a13 100644
--- a/test/confs/5608
+++ b/test/confs/5608
@@ -98,6 +98,7 @@ send_to_server1:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_request_ocsp = :
headers_add = X-TLS-out: ocsp status $tls_out_ocsp
@@ -110,6 +111,7 @@ send_to_server2:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
# note no ocsp mention here
headers_add = X-TLS-out: ocsp status $tls_out_ocsp
@@ -123,6 +125,7 @@ send_to_server3:
port = PORT_D
helo_data = helo.data.changed
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
headers_add = X-TLS-out: ocsp status $tls_out_ocsp
@@ -136,6 +139,7 @@ send_to_server4:
port = PORT_D
helo_data = helo.data.changed
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
diff --git a/test/confs/5651 b/test/confs/5651
index 6b70d33..19f16d0 100644
--- a/test/confs/5651
+++ b/test/confs/5651
@@ -88,6 +88,7 @@ send_to_server1:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_request_ocsp = :
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -100,6 +101,7 @@ send_to_server2:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
# note no ocsp mention here
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -114,6 +116,7 @@ send_to_server3:
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -128,6 +131,7 @@ send_to_server4:
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
diff --git a/test/confs/5658 b/test/confs/5658
index 7ab2de6..de486e0 100644
--- a/test/confs/5658
+++ b/test/confs/5658
@@ -95,6 +95,7 @@ send_to_server1:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_request_ocsp = :
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -108,6 +109,7 @@ send_to_server2:
hosts = HOSTIPV4
port = PORT_D
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
# note no ocsp mention here
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -123,6 +125,7 @@ send_to_server3:
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
hosts_require_tls = *
hosts_require_ocsp = *
headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -138,6 +141,7 @@ send_to_server4:
helo_data = helo.data.changed
#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ tls_verify_cert_hostnames =
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
diff --git a/test/confs/5750 b/test/confs/5750
index 364f73a..d1e2e7c 100644
--- a/test/confs/5750
+++ b/test/confs/5750
@@ -104,6 +104,7 @@ send_to_server:
${if eq {$local_part}{good}\
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
+ tls_verify_cert_hostnames =
event_action = ${acl {logger} {$event_name} {$domain} }
diff --git a/test/confs/5760 b/test/confs/5760
index 60f386b..80dde3e 100644
--- a/test/confs/5760
+++ b/test/confs/5760
@@ -104,6 +104,7 @@ send_to_server:
${if eq {$local_part}{good}\
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
+ tls_verify_cert_hostnames =
event_action = ${acl {logger} {$event_name} {$domain} }
diff --git a/test/confs/5840 b/test/confs/5840
index 2c72b64..5c0f6a5 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -68,6 +68,7 @@ send_to_server:
hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
{= {0}{$tls_out_tlsa_usage}} } \
{*}{}}
+ tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
tls_try_verify_hosts = thishost.test.ex
tls_verify_certificates = CDIR2/ca_chain.pem
diff --git a/test/log/2012 b/test/log/2012
index 48c75d2..efb2933 100644
--- a/test/log/2012
+++ b/test/log/2012
@@ -2,6 +2,8 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid
1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@??? R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: failure while setting up TLS session
@@ -9,14 +11,20 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 userx@???: error ignored
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbA-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid
1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => users@??? R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
@@ -25,8 +33,10 @@
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@???
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@???
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@???
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@???
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@???
diff --git a/test/log/2112 b/test/log/2112
index 45a0458..02d1d31 100644
--- a/test/log/2112
+++ b/test/log/2112
@@ -2,6 +2,8 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
@@ -11,18 +13,24 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=certificate not trusted cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmbA-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => users@??? R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
@@ -31,8 +39,10 @@
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@???
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@???
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@???
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@???
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@???
diff --git a/test/log/5840 b/test/log/5840
index 7507c5c..a842abc 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -14,6 +14,8 @@
1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmbD-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbD-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@??? R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbE-0005vi-00"
1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/scripts/2000-GnuTLS/2012 b/test/scripts/2000-GnuTLS/2012
index 3b25ba2..76a6d50 100644
--- a/test/scripts/2000-GnuTLS/2012
+++ b/test/scripts/2000-GnuTLS/2012
@@ -14,6 +14,12 @@ Testing
exim userq@???
Testing
****
+exim userr@???
+Testing
+****
+exim users@???
+Testing
+****
exim -qf
****
killdaemon
diff --git a/test/scripts/2100-OpenSSL/2112 b/test/scripts/2100-OpenSSL/2112
index 98ea4cb..c500751 100644
--- a/test/scripts/2100-OpenSSL/2112
+++ b/test/scripts/2100-OpenSSL/2112
@@ -13,6 +13,12 @@ Testing
exim userq@???
Testing
****
+exim userr@???
+Testing
+****
+exim users@???
+Testing
+****
exim -qf
****
killdaemon
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index eef14c2..c0133ea 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -43,7 +43,7 @@ exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
exim -odq CALLER@???
Testing
****
-exim -qf
+exim -DOPT=no_certname -qf
****
killdaemon
#
diff --git a/test/stderr/5410 b/test/stderr/5410
index 0968549..943681e 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -83,6 +83,7 @@ expanding: ${if eq {$address_data}{userz}{*}{:}}
SMTP<< 220 TLS go ahead
127.0.0.1 in hosts_require_ocsp? no (option unset)
127.0.0.1 in hosts_request_ocsp? yes (matched "*")
+127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*")
SMTP>> EHLO myhost.test.ex
SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
250-SIZE 52428800