Re: [exim] testing evaluation of tls_certificate

Author: Phil Pennock
Date:  
To: Felipe Gasper
CC: exim-users
Subject: Re: [exim] testing evaluation of tls_certificate
On 2016-08-23 at 10:42 -0400, Felipe Gasper wrote:
> I’ve got a module that generates exim.conf. I’d like to test that
> generated .conf file by having exim use it to evaluate
> tls_certificate.
>
> Can I do this and control the value of $tls_in_sni as a test parameter?
For the Exim side, not in the style of `-bh <IP>`, no.

You can use `exim -bdf -d -oX $PORT` to get a debugging instance up on a
different port; if using TRUSTED_CONFIG_LIST at build-time, the Exim
config for testing must be at a path listed in that file. It's
worthwhile to keep a couple of extra entries, still in a trusted
directory, to let you test configs while leaving the "live" config
working.

Then for testing promotion, I prefer:

gnutls-cli --x509cafile "$SSL_CERT_FILE" --starttls --crlf --port $TESTPORT $TESTHOST

Unless told not to, `gnutls-cli` will send SNI. With the `--starttls`
option, you type SMTP as normal when debugging, then when you type
`STARTTLS` and get back the `220 TLS go ahead` message, send an EOF
(type Ctrl-D at the start of the line) and gnutls-cli will do the TLS
handshake at that point, and thereafter lines you send and receive will
pass through TLS instead of being passed in the clear.

If you want to set up more automated testing, then the Exim test-suite
(see the Git repo) has handling which looks at SNI in:

2000-GnuTLS/2030 server can see SNI information
2000-GnuTLS/2031 server can use SNI to select key & certificate
2100-OpenSSL/2130 server can see SNI information
2100-OpenSSL/2131 server can use SNI to select key & certificate

Adapting the test-suite to site-specific testing is not a task for the
faint-hearted without significant time on their hands. But it at least
lets you look at what's tested to work before release. In the git repo,
`test/confgs/$NNNN` will have the stripped down Exim config file used
for a given test.

-Phil
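The manual gnutls-cli walk-through above can be automated. The script below is an added example, not part of Phil's message or of the Exim project: it speaks plain SMTP to a listener, issues STARTTLS, and then completes the TLS handshake with an SNI value of your choosing, so you can check which certificate the server selected for that name. TEST_HOST, TEST_PORT and CA_FILE are placeholders you would point at the `exim -bdf -d -oX $PORT` instance and at your SSL_CERT_FILE; the hypothetical EHLO name `probe.invalid` is only a label. The chain is verified against CA_FILE, but hostname matching is done by the script itself so that a mismatch is reported rather than aborting the probe.

```python
"""Probe an SMTP listener's STARTTLS handshake with a chosen SNI value.

Added example, not from the original post or the Exim project. Assumes a
debugging Exim already listening on TEST_HOST:TEST_PORT and a CA bundle
at CA_FILE; all three are placeholders to edit.
"""
import socket
import ssl

TEST_HOST = "127.0.0.1"   # placeholder: host of the debugging instance
TEST_PORT = 2525          # placeholder: the port passed to -oX
CA_FILE = "/etc/ssl/certs/ca-certificates.crt"  # placeholder: SSL_CERT_FILE


def parse_smtp_reply(raw: bytes):
    """Parse one complete SMTP reply (single- or multi-line, CRLF terminated).

    Returns (code, [text of each line after the code]). Continuation lines
    use "NNN-", the final line "NNN " (or a bare "NNN").
    """
    lines = [l for l in raw.decode("utf-8", "replace").split("\r\n") if l]
    if not lines:
        raise ValueError("empty reply")
    code, texts = None, []
    for i, line in enumerate(lines):
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = int(line[:3])
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("inconsistent codes in multi-line reply")
        sep, last = line[3:4], i == len(lines) - 1
        if last and sep not in (" ", ""):
            raise ValueError("truncated multi-line reply")
        if not last and sep != "-":
            raise ValueError("end-of-reply line before the last line")
        texts.append(line[4:])
    return code, texts


def advertises_starttls(ehlo_texts):
    """True if the EHLO reply lists the STARTTLS extension."""
    return any(t.strip().upper() == "STARTTLS" for t in ehlo_texts)


def cert_dns_names(cert):
    """DNS names (SAN entries plus subject CN) from an ssl.getpeercert() dict."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in cert.get("subject", ()):
        names.update(v.lower() for k, v in rdn if k == "commonName")
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single-label leftmost wildcard ("*.example.net")."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return pattern == hostname


def cert_covers_sni(cert, sni):
    """Does the served certificate carry a name that matches the SNI we sent?"""
    return any(name_matches(n, sni) for n in cert_dns_names(cert))


def read_reply(fobj):
    """Read lines until the reply's final line, then parse the whole reply."""
    buf = b""
    while True:
        line = fobj.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        buf += line
        if len(line) < 4 or line[3:4] != b"-":
            return parse_smtp_reply(buf)


def served_certificate(host, port, sni, cafile=CA_FILE, timeout=10):
    """EHLO, STARTTLS, handshake with the given SNI; return the peer cert dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; names compared by caller
    with socket.create_connection((host, port), timeout=timeout) as sock:
        fobj = sock.makefile("rb")
        code, _ = read_reply(fobj)
        if code != 220:
            raise RuntimeError(f"unexpected greeting code {code}")
        sock.sendall(b"EHLO probe.invalid\r\n")  # hypothetical client name
        code, texts = read_reply(fobj)
        if code != 250 or not advertises_starttls(texts):
            raise RuntimeError("server does not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(fobj)
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with code {code}")
        tls = ctx.wrap_socket(sock, server_hostname=sni)  # SNI goes out here
        try:
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
        finally:
            tls.close()
    return cert


if __name__ == "__main__":
    import sys
    sni = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    cert = served_certificate(TEST_HOST, TEST_PORT, sni)
    print("names in served cert:", sorted(cert_dns_names(cert)))
    print(f"certificate covers SNI {sni!r}:", cert_covers_sni(cert, sni))
```

Run it once per SNI value you expect your generated config to handle; a certificate whose names do not cover the SNI you sent means the `tls_certificate` expansion picked the wrong file for that name.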