[exim-cvs] Make smtp transport try server cert verify by def…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Exim Git Commits Mailing List
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] Make smtp transport try server cert verify by default
Gitweb: http://git.exim.org/exim.git/commitdiff/610ff4388b33ddc2753c17eefb8b03e2fdd7e124
Commit:     610ff4388b33ddc2753c17eefb8b03e2fdd7e124
Parent:     0e0f3f562bf23cf035baf85cdd071d392751b676
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Nov 23 17:01:14 2014 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Jan 12 18:58:34 2015 +0000


    Make smtp transport try server cert verify by default
    This is an exim client checking a server certificate.
---
 doc/doc-docbook/spec.xfpt |    3 ++-
 doc/doc-txt/ChangeLog     |    3 +++
 src/src/tls-gnu.c         |   12 ++++++------
 src/src/tls-openssl.c     |    4 +++-
 src/src/transports/smtp.c |    2 +-
 test/confs/2000           |    1 +
 test/confs/2001           |    1 +
 test/confs/2012           |    2 ++
 test/confs/2100           |    1 +
 test/confs/2101           |    1 +
 test/confs/2112           |    2 ++
 test/confs/2113           |    1 +
 test/confs/2117           |    1 +
 test/confs/2125           |    1 +
 test/confs/2126           |    1 +
 test/confs/2127           |    1 +
 test/confs/2130           |    2 ++
 test/confs/2131           |    2 ++
 test/confs/2149           |    1 +
 test/confs/3461           |    1 +
 test/confs/3462           |    1 +
 test/confs/3465           |    1 +
 test/confs/5410           |    1 +
 test/confs/5651           |    1 +
 test/confs/5658           |    1 +
 test/confs/5750           |    1 +
 test/confs/5760           |    1 +
 test/log/2100             |    9 ++-------
 test/log/2107             |    3 +++
 test/log/2108             |    9 +++++++++
 test/log/2110             |    3 +++
 test/log/2111             |    3 +++
 test/stderr/2108          |   15 +++++++++++++++
 test/stderr/5410          |    3 ++-
 test/stderr/5420          |    3 ++-
 35 files changed, 80 insertions(+), 18 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 7dfc4d6..b2b703b 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23433,7 +23433,7 @@ unknown state), opens a new one to the same host, and then tries the delivery
in clear.


-.option tls_try_verify_hosts smtp "host list&!!" unset
+.option tls_try_verify_hosts smtp "host list&!!" *
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
This option gives a list of hosts for which, on encrypted connections,
@@ -23489,6 +23489,7 @@ expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS.

For back-compatability,
if neither tls_verify_hosts nor tls_try_verify_hosts are set
+(a single-colon empty list counts as being set)
and certificate verification fails the TLS connection is closed.


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 76d18a8..ab55078 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -21,6 +21,9 @@ JH/05 The value of the tls_verify_certificates smtp transport and main options
       default to the word "system" to access the system default CA bundle.
       For GnuTLS, only version 3.0.20 or later.


+JH/06 Verification of the server certificate for a TLS connection is now tried
+      (but not required) by default.
+


Exim version 4.85
-----------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 42d0422..8b28d55 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -853,14 +853,14 @@ error message is provided. However, if we just refrain from setting anything up
in that case, certificate verification fails, which seems to be the correct
behaviour. */

-if (  state->tls_verify_certificates && *state->tls_verify_certificates
-#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
-   && Ustrcmp(state->exp_tls_verify_certificates, "system") != 0
-#endif
-   )
+if (state->tls_verify_certificates && *state->tls_verify_certificates)
   {
   if (!expand_check_tlsvar(tls_verify_certificates))
     return DEFER;
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+  if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
+    state->exp_tls_verify_certificates = NULL;
+#endif
   if (state->tls_crl && *state->tls_crl)
     if (!expand_check_tlsvar(tls_crl))
       return DEFER;
@@ -1860,7 +1860,7 @@ the specified host patterns if one of them is defined */


 if (  (  state->exp_tls_verify_certificates
       && !ob->tls_verify_hosts
-      && !ob->tls_try_verify_hosts
+      && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
       )
     || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
    )
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index bb17821..ce6b478 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1686,7 +1686,9 @@ int rc;
    set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
    the specified host patterns if one of them is defined */


-if (  (!ob->tls_verify_hosts && !ob->tls_try_verify_hosts)
+if (  (  !ob->tls_verify_hosts
+      && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
+      )
    || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
    )
   client_verify_optional = FALSE;
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index a455ba5..181081b 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -260,7 +260,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
                        /* tls_dh_min_bits */
   TRUE,                /* tls_tempfail_tryclear */
   NULL,                /* tls_verify_hosts */
-  NULL,                /* tls_try_verify_hosts */
+  US"*",               /* tls_try_verify_hosts */
   US"*"                /* tls_verify_cert_hostnames */
 #endif
 #ifndef DISABLE_DKIM
diff --git a/test/confs/2000 b/test/confs/2000
index 06e5a15..bc4fff2 100644
--- a/test/confs/2000
+++ b/test/confs/2000
@@ -56,6 +56,7 @@ send_to_server:
   tls_certificate = DIR/aux-fixed/cert2
   tls_privatekey = DIR/aux-fixed/cert2
   tls_verify_certificates = DIR/aux-fixed/cert2
+  tls_try_verify_hosts =



# ----- Retry -----
diff --git a/test/confs/2001 b/test/confs/2001
index 741796b..7e49aed 100644
--- a/test/confs/2001
+++ b/test/confs/2001
@@ -56,6 +56,7 @@ send_to_server:
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_try_verify_hosts =


# ----- Retry -----
diff --git a/test/confs/2012 b/test/confs/2012
index 6bc5487..023a594 100644
--- a/test/confs/2012
+++ b/test/confs/2012
@@ -104,6 +104,7 @@ send_to_server_failcert:
tls_privatekey = CERT2

tls_verify_certificates = CA2
+ tls_try_verify_hosts =
tls_verify_cert_hostnames =

# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
@@ -118,6 +119,7 @@ send_to_server_retry:

   tls_verify_certificates = \
     ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+  tls_try_verify_hosts =
   tls_verify_cert_hostnames =


# this will fail to verify the cert but continue unverified though crypted
diff --git a/test/confs/2100 b/test/confs/2100
index 791c6bd..c6a7e69 100644
--- a/test/confs/2100
+++ b/test/confs/2100
@@ -54,6 +54,7 @@ send_to_server:
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_try_verify_hosts = :


# ----- Retry -----
diff --git a/test/confs/2101 b/test/confs/2101
index 73e0bdd..99fad1a 100644
--- a/test/confs/2101
+++ b/test/confs/2101
@@ -56,6 +56,7 @@ send_to_server:
tls_certificate = DIR/aux-fixed/cert2
tls_privatekey = DIR/aux-fixed/cert2
tls_verify_certificates = DIR/aux-fixed/cert2
+ tls_try_verify_hosts =


# ----- Retry -----
diff --git a/test/confs/2112 b/test/confs/2112
index 2c81e0c..d21fee0 100644
--- a/test/confs/2112
+++ b/test/confs/2112
@@ -104,6 +104,7 @@ send_to_server_failcert:
tls_privatekey = CERT2

tls_verify_certificates = CA2
+ tls_try_verify_hosts =
tls_verify_cert_hostnames =

# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
@@ -118,6 +119,7 @@ send_to_server_retry:

   tls_verify_certificates = \
     ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+  tls_try_verify_hosts =
   tls_verify_cert_hostnames =


# this will fail to verify the cert but continue unverified though crypted
diff --git a/test/confs/2113 b/test/confs/2113
index bff43ff..d5be248 100644
--- a/test/confs/2113
+++ b/test/confs/2113
@@ -61,5 +61,6 @@ send_to_server:
allow_localhost
hosts = 127.0.0.1
port = PORT_D
+ tls_try_verify_hosts = :

# End
diff --git a/test/confs/2117 b/test/confs/2117
index 16cc0c3..ab809d0 100644
--- a/test/confs/2117
+++ b/test/confs/2117
@@ -60,6 +60,7 @@ send_to_server:
hosts = 127.0.0.1
hosts_nopass_tls = *
port = PORT_D
+ tls_try_verify_hosts = :


# ----- Retry -----
diff --git a/test/confs/2125 b/test/confs/2125
index 70736be..767bb1c 100644
--- a/test/confs/2125
+++ b/test/confs/2125
@@ -53,6 +53,7 @@ send_to_server:
hosts_require_tls = HOSTIPV4
tls_require_ciphers = DES-CBC3-SHA
port = PORT_D
+ tls_try_verify_hosts = :


# ----- Retry -----
diff --git a/test/confs/2126 b/test/confs/2126
index e2b7901..704346e 100644
--- a/test/confs/2126
+++ b/test/confs/2126
@@ -57,6 +57,7 @@ t1:
hosts = 127.0.0.1 : HOSTIPV4
port = PORT_D
allow_localhost
+ tls_try_verify_hosts = :

t2:
driver = appendfile
diff --git a/test/confs/2127 b/test/confs/2127
index 3639c5b..862ad71 100644
--- a/test/confs/2127
+++ b/test/confs/2127
@@ -56,5 +56,6 @@ send_to_server:
allow_localhost
hosts = ${if eq{$local_part}{userx}{127.0.0.1}{HOSTIPV4}}
port = PORT_D
+ tls_try_verify_hosts = :

# End
diff --git a/test/confs/2130 b/test/confs/2130
index 4143fc8..9f6de76 100644
--- a/test/confs/2130
+++ b/test/confs/2130
@@ -60,12 +60,14 @@ send_to_server1:
hosts = HOSTIPV4
port = PORT_D
tls_sni = fred
+ tls_try_verify_hosts = :

send_to_server2:
driver = smtp
allow_localhost
hosts = HOSTIPV4
port = PORT_D
+ tls_try_verify_hosts = :


# ----- Retry -----
diff --git a/test/confs/2131 b/test/confs/2131
index 8566c24..53c06f1 100644
--- a/test/confs/2131
+++ b/test/confs/2131
@@ -73,6 +73,7 @@ send_to_server1:
port = PORT_D
tls_sni = fred
hosts_require_tls = *
+ tls_try_verify_hosts = :

send_to_server2:
driver = smtp
@@ -81,6 +82,7 @@ send_to_server2:
port = PORT_D
tls_sni = bill
hosts_require_tls = *
+ tls_try_verify_hosts = :


# ----- Retry -----
diff --git a/test/confs/2149 b/test/confs/2149
index 1684f11..cf67f8c 100644
--- a/test/confs/2149
+++ b/test/confs/2149
@@ -55,5 +55,6 @@ send_to_server:
allow_localhost
hosts = 127.0.0.1
port = PORT_D
+ tls_try_verify_hosts = :

# End
diff --git a/test/confs/3461 b/test/confs/3461
index 48fe4da..93ab8d8 100644
--- a/test/confs/3461
+++ b/test/confs/3461
@@ -75,5 +75,6 @@ send_to_server:
hosts = 127.0.0.1
hosts_try_auth = *
port = PORT_D
+ tls_try_verify_hosts = :

# End
diff --git a/test/confs/3462 b/test/confs/3462
index ec155bf..3907aec 100644
--- a/test/confs/3462
+++ b/test/confs/3462
@@ -74,6 +74,7 @@ send_to_server:
hosts = 127.0.0.1
hosts_try_auth = *
port = PORT_D
+ tls_try_verify_hosts = :


# ----- Retry -----
diff --git a/test/confs/3465 b/test/confs/3465
index 83592a6..2f2061b 100644
--- a/test/confs/3465
+++ b/test/confs/3465
@@ -67,6 +67,7 @@ t1:
hosts = 127.0.0.1
port = PORT_D
hosts_avoid_tls = HOSTS_AVOID_TLS
+ tls_try_verify_hosts = :
hosts_require_auth = *
allow_localhost

diff --git a/test/confs/5410 b/test/confs/5410
index 576967c..bea8e10 100644
--- a/test/confs/5410
+++ b/test/confs/5410
@@ -54,6 +54,7 @@ smtp:
   port = PORT_D
   hosts_avoid_tls =        ${if eq {$address_data}{usery}{*}{:}}
   hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}}
+  tls_try_verify_hosts = :



 # End
diff --git a/test/confs/5651 b/test/confs/5651
index 19f16d0..f09df57 100644
--- a/test/confs/5651
+++ b/test/confs/5651
@@ -116,6 +116,7 @@ send_to_server3:
   helo_data = helo.data.changed
   #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_try_verify_hosts =
   tls_verify_cert_hostnames =
   hosts_require_tls =  *
   hosts_require_ocsp = *
diff --git a/test/confs/5658 b/test/confs/5658
index de486e0..6a75b8c 100644
--- a/test/confs/5658
+++ b/test/confs/5658
@@ -125,6 +125,7 @@ send_to_server3:
   helo_data = helo.data.changed
   #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_try_verify_hosts =
   tls_verify_cert_hostnames =
   hosts_require_tls =  *
   hosts_require_ocsp = *
diff --git a/test/confs/5750 b/test/confs/5750
index d1e2e7c..98fd46f 100644
--- a/test/confs/5750
+++ b/test/confs/5750
@@ -104,6 +104,7 @@ send_to_server:
        ${if eq {$local_part}{good}\
 {example.com/server1.example.com/ca_chain.pem}\
 {example.net/server1.example.net/ca_chain.pem}}
+  tls_try_verify_hosts =
   tls_verify_cert_hostnames =


event_action = ${acl {logger} {$event_name} {$domain} }
diff --git a/test/confs/5760 b/test/confs/5760
index 80dde3e..03d1a6b 100644
--- a/test/confs/5760
+++ b/test/confs/5760
@@ -105,6 +105,7 @@ send_to_server:
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
tls_verify_cert_hostnames =
+ tls_try_verify_hosts =

event_action = ${acl {logger} {$event_name} {$domain} }

diff --git a/test/log/2100 b/test/log/2100
index 02b6f0e..9c57bff 100644
--- a/test/log/2100
+++ b/test/log/2100
@@ -1,14 +1,9 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@???
diff --git a/test/log/2107 b/test/log/2107
index 5d3817a..73b5d8e 100644
--- a/test/log/2107
+++ b/test/log/2107
@@ -1,5 +1,8 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/log/2108 b/test/log/2108
index 12ab295..b727ccb 100644
--- a/test/log/2108
+++ b/test/log/2108
@@ -1,10 +1,19 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
 1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 -> xyz@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
 1999-03-02 09:44:33 10HmaY-0005vi-00 => abcd@??? R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/log/2110 b/test/log/2110
index 72f08dc..574b1b7 100644
--- a/test/log/2110
+++ b/test/log/2110
@@ -1,6 +1,9 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1]: a TLS session is required, but the server did not offer TLS support
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/log/2111 b/test/log/2111
index 0fef3f4..584c3de 100644
--- a/test/log/2111
+++ b/test/log/2111
@@ -1,6 +1,9 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:DES-CBC3-SHA:168 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/stderr/2108 b/test/stderr/2108
index 743f7ba..3d6d876 100644
--- a/test/stderr/2108
+++ b/test/stderr/2108
@@ -12,6 +12,11 @@ Connecting to 127.0.0.1 [127.0.0.1]:1225 ... connected
          250 HELP
   SMTP>> STARTTLS
   SMTP<< 220 TLS go ahead
+LOG: MAIN
+  SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+LOG: MAIN
+  SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
   SMTP>> EHLO helo.data.changed
   SMTP<< 250-myhost.test.ex Hello helo.data.changed [127.0.0.1]
          250-SIZE 52428800
@@ -43,6 +48,11 @@ Connecting to 127.0.0.1 [127.0.0.1]:1225 ... connected
          250 HELP
   SMTP>> STARTTLS
   SMTP<< 220 TLS go ahead
+LOG: MAIN
+  SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+LOG: MAIN
+  SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
   SMTP>> EHLO helo.data.changed
   SMTP<< 250-myhost.test.ex Hello helo.data.changed [127.0.0.1]
          250-SIZE 52428800
@@ -75,6 +85,11 @@ Connecting to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]:1225 ... connected
          250 HELP
   SMTP>> STARTTLS
   SMTP<< 220 TLS go ahead
+LOG: MAIN
+  SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+LOG: MAIN
+  SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
   SMTP>> EHLO myhost.test.ex
   SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
          250-SIZE 52428800
diff --git a/test/stderr/5410 b/test/stderr/5410
index 943681e..54a99c7 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -83,7 +83,8 @@ expanding: ${if eq {$address_data}{userz}{*}{:}}
   SMTP<< 220 TLS go ahead
 127.0.0.1 in hosts_require_ocsp? no (option unset)
 127.0.0.1 in hosts_request_ocsp? yes (matched "*")
-127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*")
+127.0.0.1 in tls_verify_hosts? no (option unset)
+127.0.0.1 in tls_try_verify_hosts? no (end of list)
   SMTP>> EHLO myhost.test.ex
   SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
          250-SIZE 52428800
diff --git a/test/stderr/5420 b/test/stderr/5420
index 464cb2c..f08ae8e 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -82,7 +82,8 @@ expanding: ${if eq {$address_data}{userz}{*}{:}}
   SMTP>> STARTTLS
   SMTP<< 220 TLS go ahead
 127.0.0.1 in tls_verify_hosts? no (option unset)
-127.0.0.1 in tls_try_verify_hosts? no (option unset)
+127.0.0.1 in tls_try_verify_hosts? yes (matched "*")
+127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*")
   SMTP>> EHLO myhost.test.ex
   SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
          250-SIZE 52428800