[exim-cvs] DANE - testcase for fail under GnuTLS with TA-mod…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] DANE - testcase for fail under GnuTLS with TA-mode to a selfsigned server cert
Gitweb: https://git.exim.org/exim.git/commitdiff/624f33dfeab938e907251e3cc3062aa45353384f
Commit:     624f33dfeab938e907251e3cc3062aa45353384f
Parent:     2b8d6aff36a25e06f418aec9e90fe7668562914b
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Sep 8 19:31:49 2018 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Sep 9 15:45:27 2018 +0100


    DANE - testcase for fail under GnuTLS with TA-mode to a selfsigned server cert
---
 src/src/lookups/dnsdb.c             | 10 ++--
 src/src/tls-gnu.c                   |  3 +-
 src/src/transports/smtp.c           | 24 ++++++++-
 test/aux-fixed/cert.HOWTO           |  4 ++
 test/aux-fixed/cert.config          | 17 +++++++
 test/aux-fixed/cert1                | 97 ++++++++++++++++++-------------------
 test/confs/5822                     | 67 +++++++++++++++++++++++++
 test/confs/5842                     | 64 ++++++++++++++++++++++++
 test/dnszones-src/db.test.ex        | 19 ++++++++
 test/log/5822                       | 20 ++++++++
 test/log/5842                       | 24 +++++++++
 test/scripts/5820-DANE-GnuTLS/5822  | 19 ++++++++
 test/scripts/5840-DANE-OpenSSL/5842 | 19 ++++++++
 test/stderr/5842                    |  8 +++
 test/stdout/5822                    |  8 +++
 test/stdout/5842                    |  8 +++
 16 files changed, 354 insertions(+), 57 deletions(-)


diff --git a/src/src/lookups/dnsdb.c b/src/src/lookups/dnsdb.c
index a863382..e75bd1e 100644
--- a/src/src/lookups/dnsdb.c
+++ b/src/src/lookups/dnsdb.c
@@ -150,7 +150,7 @@ store as possible later, so we preallocate the result here */

gstring * yield = string_get(256);

-dns_record *rr;
+dns_record * rr;
dns_answer dnsa;
dns_scan dnss;

@@ -421,7 +421,7 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
       else if (type == T_TLSA)
         {
         uint8_t usage, selector, matching_type;
-        uint16_t i, payload_length;
+        uint16_t payload_length;
         uschar s[MAX_TLSA_EXPANDED_SIZE];
     uschar * sp = s;
         uschar * p = US rr->data;
@@ -434,10 +434,8 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
         sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
         selector, *outsep2, matching_type, *outsep2);
         /* Now append the cert/identifier, one hex char at a time */
-        for (i=0;
-             i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
-             i++)
-          sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
+    while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+          sp += sprintf(CS sp, "%02x", *p++);


         yield = string_cat(yield, s);
         }
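Review bot: The rewritten loop post-decrements `payload_length` on every test, so when the `sp-s` size guard is what stops it the counter has already been consumed for a byte that was never emitted, and when the data is exhausted it wraps to 0xffff; neither is read afterwards in this hunk, so it is harmless today, but a one-line comment such as `/* payload_length is not meaningful after this loop */` would stop a later change from reusing it. The derivation of `payload_length` from the record is above the hunk and not visible here; if it is `rr->size - 3` as in the transport copy of this code, a guard against an RDATA shorter than three bytes belongs there. The enclosing `while` over the key list continues outside the hunk.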
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index dfe0920..c5ecf88 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1775,7 +1775,8 @@ goodcert:


 #ifdef SUPPORT_DANE
 tlsa_prob:
-  *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc));
+  *errstr = string_sprintf("TLSA record problem: %s",
+    rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
 #endif


 badcert:
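Review bot: The new special case replaces `dane_strerror(rc)` with the fixed text "none usable" for `DANE_E_REQUESTED_DATA_NOT_AVAILABLE` but gives no reason why that code alone is singled out, and the numeric code is lost from the log line. Add a why-comment above it, hedged to what this commit shows, e.g. `/* GnuTLS reports REQUESTED_DATA_NOT_AVAILABLE when none of the TLSA records could be applied to the presented chain (seen with a selfsigned cert in TA mode); its own strerror text is not useful to operators */`, and consider a `DEBUG` line that still prints `rc` so the original GnuTLS error remains recoverable when diagnosing. The function continues outside the hunk.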
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 0763751..703ee56 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1247,7 +1247,29 @@ switch (rc)
     return DEFER; /* just defer this TLS'd conn */


   case DNS_SUCCEED:
-    if (sec) return OK;
+    if (sec)
+      {
+      DEBUG(D_transport)
+    {
+    dns_scan dnss;
+    dns_record * rr;
+    for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+         rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_TLSA)
+      {
+      uint16_t payload_length = rr->size - 3;
+      uschar s[MAX_TLSA_EXPANDED_SIZE], * sp = s, * p = US rr->data;
+
+      sp += sprintf(CS sp, "%d ", *p++); /* usage */
+      sp += sprintf(CS sp, "%d ", *p++); /* selector */
+      sp += sprintf(CS sp, "%d ", *p++); /* matchtype */
+      while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+        sp += sprintf(CS sp, "%02x", *p++);
+
+      debug_printf(" %s\n", s);
+      }
+    }
+      return OK;
+      }
     log_write(0, LOG_MAIN,
       "DANE error: TLSA lookup for %s not DNSSEC", host->name);
     /*FALLTRHOUGH*/
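Review bot: `uint16_t payload_length = rr->size - 3;` in the new debug loop has no guard for a TLSA RDATA shorter than three bytes; such a record wraps `payload_length` to ~65533 and the hex loop then reads past `rr->data` until the `sp-s` output guard stops it, roughly `(MAX_TLSA_EXPANDED_SIZE - 4) / 2` bytes beyond the record. DNSSEC validation, which is what the enclosing `if (sec)` establishes, proves authenticity of the answer, not well-formedness of each RR, so add `if (rr->size < 3) continue;` before the subtraction. This hex dump is now a near-verbatim copy of the one in the dnsdb lookup; a small shared helper would keep the two from drifting. The `switch` and the enclosing function continue outside the hunk.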
diff --git a/test/aux-fixed/cert.HOWTO b/test/aux-fixed/cert.HOWTO
new file mode 100644
index 0000000..dab2915
--- /dev/null
+++ b/test/aux-fixed/cert.HOWTO
@@ -0,0 +1,4 @@
+openssl req -x509 -config cert.config -newkey rsa:2048 -keyout key.pem -out cert.pem -days 7000
+cat key.pem cert.pem > cert1
+# or cert2, as needed.  Mind the day count above does not blow the Y2038 barrier.
+rm cert.pem key.pem
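Review bot: The recipe regenerates cert1 but does not say that the TLSA records in test/dnszones-src/db.test.ex carry SHA-256 digests of this exact certificate and of its SubjectPublicKeyInfo, so a regenerated cert silently breaks the DANE tests until those records are recomputed. Add a line after the `cat`, e.g. `# Then recompute the TLSA digests in dnszones-src/db.test.ex (full cert: openssl x509 -fingerprint -sha256; SPKI: openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)`. Since cert.config sets `encrypt_key=no`, a note that the unencrypted key is committed deliberately as a test fixture would stop the recipe being reused elsewhere.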
diff --git a/test/aux-fixed/cert.config b/test/aux-fixed/cert.config
new file mode 100644
index 0000000..36be59f
--- /dev/null
+++ b/test/aux-fixed/cert.config
@@ -0,0 +1,17 @@
+prompt=no
+encrypt_key=no
+default_bits=2048
+distinguished_name=fixed_dn
+x509_extensions=fixed_ex
+
+[ fixed_dn ]
+C=UK
+O=The Exim Maintainers
+OU=Test Suite
+CN=Phil Pennock
+
+[ fixed_ex ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=critical,CA:TRUE, pathlen:0
+subjectAltName=DNS:test.ex, DNS:*.test.ex
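Review bot: `basicConstraints=critical,CA:TRUE, pathlen:0` on what is presented as the server's end-entity certificate is unusual and deserves a comment, since the TLSA records in this commit use it both as a trust anchor (usage 2) and as the end entity (usage 3). Something like `# CA:TRUE so the selfsigned cert can act as its own DANE-TA trust anchor (usage 2) -- confirm this is what the validators require` states the intent without overclaiming. The `prompt=no`/`encrypt_key=no` pair also merits a one-line note that this config is for the test fixture only.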
diff --git a/test/aux-fixed/cert1 b/test/aux-fixed/cert1
index 1323e39..b939fb9 100644
--- a/test/aux-fixed/cert1
+++ b/test/aux-fixed/cert1
@@ -1,51 +1,50 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0dyUFZ7037DgtRfGoR0bVqUvCetxdZa42E3sLyZLviWRcKbY
-XyYD1M44zClRq6vGwQGLI0Hea4jlJdIftyr3SmuaerJt2frPVAKcHHAHJ7rOjkUT
-Kp+XHGjsinQg9Up6nz2Qo6Xdg0oPm8YRaMgIa1Qc75cWqzTn3++B5qaW2RtffYf7
-8c1OA958BHWyWlcZJNuJHYLR3CdqJb7ojtfcuCq3cWRRxJhyd/j1T51D+Xw6nGbe
-QovD2+oQ/TBTUuo3Zc2YCRE+PWIQMZakdbD335HjvVj1PAu6oBKQRdccactigkR9
-tBlBIxH0q1Uh1fOd+dgLSoccCK2HlnM/GOzcfwIDAQABAoIBAB71b1MRNAabzUpp
-y3+RD6tkit/nv8EdDv+53xHFkH7og+AefOTscrw9/9r+bXHp0VQ/qgr1eJ5cf5Fo
-wgz/ZaOw5AUdtV7mxRcbm3QGgse1oysRvZYYHO6v+9Ug9Iu7BQPgzSmXGmp3zn2o
-ZoESoUtUCUC/BTUUhPBgIMWp5a75OkaOS3fO3kSaGHPiqX1IbD8T6b7+ViR2qIwU
-LjwFNTBRjorL25VXCsfChGih5TUgR9jIJcGzN6QykCHV7D29AfkRuVrKMRLEM3VD
-3E0ObQfVRoXFEZR3fccJqU6E1Mg9BXbl+I9rwv3GUJXS7fXnmHKRhjzD1Dbo5Afv
-jnSPL+ECgYEA9hepWibJe8N3fSCb7Eqqi/Q8ufCQqnDSCrnY6WJpRIA79DKU7OFm
-3dct5pqXPUlaYC6TDQ8G0LAQL1knsuFejvV8v0y0mZspRbOg94EDTuQWp4oCIqWr
-MEYbiRVHXIg5OjylVAQLM1y9IF+n3aXQAUfcStFtiiM49vRJs9StcdsCgYEA2k+B
-lXN3UjZvwkDeZcjfCH1n0Rxrt0kZ7UbqEPZSz/77m9XIjWv32lpTDLecRdcR8KSx
-OKH24WSQXd7DTWn+DitfSwGJjiduU2c0p4eePzfK7Yeo0bMNVixvjUZt+w9ijkWH
-4CUVgo9TfuxdaTyYlmONk9JVLMeOwR8MdagVWy0CgYEAlpVn9Vgile7HoPNhNbeC
-oFz1A7oma4TZoeKSzkx/qYDmLsj8w+4w6bIPzjnuLXxDJvOY27bELtJtNOvTFOw+
-1i91BAHFyPBe0t3Vs11oTs/W5PHX2KeTFtjvZHR21DIvAmm1qLFIwUcQG00tBL2/
-h+kW7Vk1M//VjZdxue57q10CgYEAufZT+gzbrYp1dNFxIN8VLdQ1ZSmCkCSTE03/
-AOfy7v7TMZHQPrej77pVWFXnpo5n18dSt10wQhs55txlHUKWiVdk2y26EP+BuUYG
-0lZx9IQANooCwm51g9xiQcOm19/pIiwUbFjqk8anZ0zM3WIi0KiI50yaBYUQE23x
-XSAK4RkCgYBsPJiK2BGPvFNBJo6368SVgB1H2Bu9GPUpORdirbFuy/VanSEaAGIK
-vWjIOvEKnJd9NX430drAdD7hcx52fxdCsn97LSBi73Weqov4zNDadsLvTWhxlh+D
-b1SITBDYjxdm9oqv4Uj10l3Ft4/X0MN2aJ4+W3/cFTGL9pNlv21Daw==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDbSr1VPY2sW/7a
+g4GiBfBYXbO9NroHTBJqi831QwPsN5F2Tyx/dQ0vByiOP8nxSmIkQ/eZM6IS3jl0
+8H8jqamyipfSghrQC3QSgtRl6wp8TEfJpwxdDyKAV1zP+TiIEqWYJLc1tmRwQ72J
+0gXID7ME7TNDvek4Oo9BJJ2mtn0K9oY4Z6pvv5O+uljUxTryYbBtMtgMD5ZvL12b
+FiNkRhgx3XX+9vpWw5o6vKdKUbKwT7KhwvUSC1eKOFMBZthUpxxH+RbYyNET1qJU
+u4UrbNI1Wdwm+Cg7JkEdU1NcJbTP8CVR8Z1U7FkbhAD5HNHaTyVWO20MVYjXU/4B
+3bVHWhhNAgMBAAECggEAJY9KmIP/dQsYvqKRnIe539jExV7PRBqyeM9TSnPdAyON
+ZZ8v9vC8flaSirLASvS7lIyTpwjh9KtdWfsrO5d+ulbkpCimoQWlLtp7uK0mUZ3b
+Gd3jzzidZzAPdIuyNBRFiqaXPrrrvxLLLwTq+pY9ylU6V5r6jCfzi2vTGM/e4PaB
+Yo0YkQG9vFveCbGwG+v66ZIq8lH4CxjAfNOVXte+dKFdk6PnUSBMAq4B3n7eFjye
+5nMl9fwFHVtZyBZI59i/1hSLzCjE1j0BrvTlL8BftU5SdF5sYdi/9yvUPjiRnvHT
+ZPQPBH/hVzE52+VcRoWZ7vNjVaBzf/W5XkJsUc35/QKBgQDs/mSpWbiJxhGVRxuf
+DiBxDAw1x+BVHd0bWe8Wp850ooBOI0TQ+wwcegySBaDpATBI1ML/plv7cWJ1+0fi
+8AdG9VSDascH0OE8Y+OnHI2WDCJjRzwKPYvD+4LuQcrF6GDCdIrbitRfwdGGF7He
+gsRS7GFqXawijDkCYolutqgUjwKBgQDs4Otrf2KieW6q12a+3MuSONPhiuLHDUuE
+hCfX7hdSRSI4O6F9vZwkt7l9UluGW5E8cASIimfKoVfJj2m3sv6T33CacB1zQlLW
+TtZb414kJ0ExbdfgxcVSvLIk+H4DSBa17iF+v8mdjbpkgT0m11QTmpqgHQamwdo0
+qUEySQgLYwKBgQDj0cjCY1VaW+UbMzgCNnpJMeOq73FfYU3jtRh5FucIiA3/Dzhg
+DHUgCtN6q557XoEkAiNRzoItvFmCQQRhy4uzUrLjggnCIbHjc8KsKm6RBykndpro
+3TE2PNkoYGakyTX6uD2jvllZk9/un2iFFf/UFxeuQE3xCArlmAO1QjFhUQKBgQCb
+waVrEN71gK1xLqPDuoEtC6resik9w5M1doSQamDxWr4Ohb9BY+0JA7m3GvFNnmYY
+fHuuoHtw9Lg5s9BK1yqoZxKuqivjPugjPMGcuBuN4DXw345EoSaHqcXlo3OQitVM
+GWHy6v8SV0AJmCVypcIGBfHIeG2INw1Y9TYGb5kXiwKBgCDqpa46uROTxQW4CU12
+TuEPeGkojRqNf/f1OzTULwO71rKxZ7Hl2LWCkygX7Nn2XogrHhBTNEoAmDzxuC6g
+hGIoBak7P/GOcaiT2GFzsCgGjRIB8REOLywnl+KkLQI2FjOCztNtBdXwaCZo4/wa
+O1GQXNSW4Ktbr4eq/l+loftA
+-----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIID8DCCAtigAwIBAgIJALYf3pBgPTGPMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
-BAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEGA1UECxMK
-VGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrMB4XDTEyMDUxNzE0NDYw
-M1oXDTMxMDUxMzE0NDYwM1owWDELMAkGA1UEBhMCVUsxHTAbBgNVBAoTFFRoZSBF
-eGltIE1haW50YWluZXJzMRMwEQYDVQQLEwpUZXN0IFN1aXRlMRUwEwYDVQQDEwxQ
-aGlsIFBlbm5vY2swggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDR3JQV
-nvTfsOC1F8ahHRtWpS8J63F1lrjYTewvJku+JZFwpthfJgPUzjjMKVGrq8bBAYsj
-Qd5riOUl0h+3KvdKa5p6sm3Z+s9UApwccAcnus6ORRMqn5ccaOyKdCD1SnqfPZCj
-pd2DSg+bxhFoyAhrVBzvlxarNOff74HmppbZG199h/vxzU4D3nwEdbJaVxkk24kd
-gtHcJ2olvuiO19y4KrdxZFHEmHJ3+PVPnUP5fDqcZt5Ci8Pb6hD9MFNS6jdlzZgJ
-ET49YhAxlqR1sPffkeO9WPU8C7qgEpBF1xxpy2KCRH20GUEjEfSrVSHV85352AtK
-hxwIrYeWcz8Y7Nx/AgMBAAGjgbwwgbkwHQYDVR0OBBYEFDZtAgvs96t7shvAZbPt
-YIzxz06fMIGJBgNVHSMEgYEwf4AUNm0CC+z3q3uyG8Bls+1gjPHPTp+hXKRaMFgx
-CzAJBgNVBAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEG
-A1UECxMKVGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrggkAth/ekGA9
-MY8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEANtHbMYqw3Ln07gif
-F11TyWuUzfZ1HAdj5x+ec/ZhOrMbXJwNnQnZzdESoiqk0C1fqNsog1ur9pzYxBJo
-92OpxkTxvBr2Wi2igfUPbMXWttKu5OFTU00Y8Lp6JEJjtw1zAQB1ka+/5xGYAPfC
-lL/a4RQygNb2e+Q+fOwWz8YZZ2hsidtc7UbH96Eu4489PipD8GXH0T2SY4VEtwUT
-g6uUJjZpznusPhc/uoq5vZVP9AU1EiU+KE55bRuP0QGKIGK3K5WfodKYvF76lhsG
-gLuqb/jVqZsQKcDSj0BGnlimvgEnydeXSYYIUJichEK7dTSjsAn40hUO2dFRMYTx
-W45BdA==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 -----END CERTIFICATE-----
diff --git a/test/confs/5822 b/test/confs/5822
new file mode 100644
index 0000000..80a8ef4
--- /dev/null
+++ b/test/confs/5822
@@ -0,0 +1,67 @@
+# Exim test configuration 5822
+# DANE/GnuTLS
+
+SERVER=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
+
+queue_run_in_order
+
+tls_advertise_hosts = *
+# needed to force generation
+tls_dhparam = historic
+
+tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = dnslookup
+  condition = ${if eq {SERVER}{}}
+  dnssec_request_domains = *
+  self = send
+  transport = send_to_server
+  errors_to = ""
+
+server:
+  driver = redirect
+  condition = ${if !eq {SERVER}{}}
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+  driver = smtp
+  allow_localhost
+  port = PORT_D
+
+  hosts_try_dane =     *
+  hosts_require_dane = HOSTIPV4
+  tls_verify_cert_hostnames = :
+  tls_try_verify_hosts = thishost.test.ex
+#  tls_verify_certificates = CDIR2/ca_chain.pem
+
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
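Review bot: `tls_verify_cert_hostnames = :` disables hostname matching for every host, and `tls_try_verify_hosts = thishost.test.ex` plus the commented-out `tls_verify_certificates` leave the reader to guess which verification path the test is meant to exercise; a comment would settle it, e.g. `# hostname checks off and no CA bundle: verification here is DANE-only`. The dead `#  tls_verify_certificates = CDIR2/ca_chain.pem` line should either carry a reason for being kept or be dropped.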
diff --git a/test/confs/5842 b/test/confs/5842
new file mode 100644
index 0000000..be45e84
--- /dev/null
+++ b/test/confs/5842
@@ -0,0 +1,64 @@
+# Exim test configuration 5822
+# DANE/OpenSSL
+
+SERVER=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
+
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = dnslookup
+  condition = ${if eq {SERVER}{}}
+  dnssec_request_domains = *
+  self = send
+  transport = send_to_server
+  errors_to = ""
+
+server:
+  driver = redirect
+  data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+  driver = smtp
+  allow_localhost
+  port = PORT_D
+
+  hosts_try_dane =     *
+  hosts_require_dane = HOSTIPV4
+  tls_verify_cert_hostnames = :
+  tls_try_verify_hosts = thishost.test.ex
+#  tls_verify_certificates = CDIR2/ca_chain.pem
+
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
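Review bot: The header reads `# Exim test configuration 5822` but this file is 5842; change it to `# Exim test configuration 5842`. The `server:` router here also lacks the `condition = ${if !eq {SERVER}{}}` that the otherwise identical 5822 config has; it is presumably harmless because the `client:` router runs first, but the two DANE configs should match unless the difference is intentional, in which case a comment should say so.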
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 492ee5d..0efd1a2 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -470,6 +470,25 @@ DNSSEC dane256tak            A      HOSTIPV4
 DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 73e279c0f5f5a9ee9851bbbc39023603d7b266acfd0764419c3b07cc380b79f9



+; full MX, both TA & EE modes, cert is selfsigned
+; for testing an issue in the gnutls impl
+;
+; tas:
+; openssl x509 -in aux-fixed/cert1 -fingerprint -sha256 -noout \
+; | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
+;
+DNSSEC mxdane256tas           MX  1  dane256tas
+DNSSEC dane256tas             A      HOSTIPV4
+DNSSEC _1225._tcp.dane256tas  TLSA 2 0 1 34d3624101b954d667c1a5ac18078b196cd17fbd61e23df73249c1afab747124
+DNSSEC mxdane256task          MX  1  dane256task
+DNSSEC dane256task            A      HOSTIPV4
+DNSSEC _1225._tcp.dane256task TLSA 2 1 1 c1241d8cc61401079437240467a47e21db921d3398883cd9bb038cc461d7beab
+DNSSEC mxdane256ees           MX  1  dane256ees
+DNSSEC dane256ees             A      HOSTIPV4
+DNSSEC _1225._tcp.dane256ees  TLSA 3 1 1 c1241d8cc61401079437240467a47e21db921d3398883cd9bb038cc461d7beab
+
+
+
 ; A multiple-return MX where all TLSA lookups defer
 DNSSEC mxdanelazy           MX  1   danelazy
 DNSSEC                      MX  2   danelazy2
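Review bot: The comment block only documents how the selector-0 digest (the `2 0 1` record) was derived; the two `x 1 1` records use the SubjectPublicKeyInfo digest, and without a recipe nobody can verify or regenerate them. Add alongside the existing note: `; spki (2 1 1 / 3 1 1): openssl x509 -in aux-fixed/cert1 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`. A line stating that the TA and EE records intentionally share one digest because the cert is its own issuer would also make the test's intent explicit.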
diff --git a/test/log/5822 b/test/log/5822
new file mode 100644
index 0000000..43b032b
--- /dev/null
+++ b/test/log/5822
@@ -0,0 +1,20 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 10HmaX-0005vi-00 DANE attempt failed; TLS connection to dane256tas.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaX-0005vi-00 !!SHOULD_WORK!! CALLER@??? R=client T=send_to_server defer (-37) H=dane256tas.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 DANE attempt failed; TLS connection to dane256task.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaY-0005vi-00 !!SHOULD_WORK!! CALLER@??? R=client T=send_to_server defer (-37) H=dane256task.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/5842 b/test/log/5842
new file mode 100644
index 0000000..1146cba
--- /dev/null
+++ b/test/log/5842
@@ -0,0 +1,24 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256tas.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256task.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaZ-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbB-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
diff --git a/test/scripts/5820-DANE-GnuTLS/5822 b/test/scripts/5820-DANE-GnuTLS/5822
new file mode 100644
index 0000000..9e565ab
--- /dev/null
+++ b/test/scripts/5820-DANE-GnuTLS/5822
@@ -0,0 +1,19 @@
+# DANE server: selfsigned cert
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+### TLSA (2 0 1)
+exim -odf CALLER@???
+Testing
+****
+### TLSA (2 1 1)
+exim -odf CALLER@???
+Testing
+****
+### TLSA (3 1 1)
+exim -odf CALLER@???
+Testing
+****
+killdaemon
+# 
+no_msglog_check
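Review bot: The script header says only "selfsigned cert", while the expected log for this test records the two TA-mode deliveries as failing, so the known-bad outcome is documented nowhere a reader of the script would look. Extend the header, e.g. `# Currently the 2 0 1 and 2 1 1 (TA-mode) cases fail under GnuTLS; see the !!SHOULD_WORK!! lines in log/5822`. That keeps the expected failure visible when someone later touches the test.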
diff --git a/test/scripts/5840-DANE-OpenSSL/5842 b/test/scripts/5840-DANE-OpenSSL/5842
new file mode 100644
index 0000000..da9e4e3
--- /dev/null
+++ b/test/scripts/5840-DANE-OpenSSL/5842
@@ -0,0 +1,19 @@
+# DANE server: selfsigned and TA-mode
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+### TLSA (2 0 1)
+exim -odf CALLER@???
+Testing
+****
+### TLSA (2 1 1)
+exim -odf CALLER@???
+Testing
+****
+### TLSA (3 1 1)
+exim -odf CALLER@???
+Testing
+****
+killdaemon
+# 
+no_msglog_check
diff --git a/test/stderr/5842 b/test/stderr/5842
new file mode 100644
index 0000000..ed5eb4f
--- /dev/null
+++ b/test/stderr/5842
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
diff --git a/test/stdout/5822 b/test/stdout/5822
new file mode 100644
index 0000000..ed5eb4f
--- /dev/null
+++ b/test/stdout/5822
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
diff --git a/test/stdout/5842 b/test/stdout/5842
new file mode 100644
index 0000000..ed5eb4f
--- /dev/null
+++ b/test/stdout/5842
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)