Gitweb:
https://git.exim.org/exim.git/commitdiff/570cb1bdbc6ea378b2dcaf6ebabb45a5610ed1ef
Commit: 570cb1bdbc6ea378b2dcaf6ebabb45a5610ed1ef
Parent: ebda598a4af7ead204e1f611ec066bb678a275d5
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Sep 17 16:28:58 2018 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Mon Sep 17 16:28:58 2018 +0100
DANE: fix TA-mode verify under GnuTLS. Bug 2311
---
doc/doc-txt/ChangeLog | 7 +++-
src/src/tls-gnu.c | 22 ++++++++----
test/confs/5820 | 2 +-
test/confs/5822 | 67 -------------------------------------
test/confs/5840 | 2 +-
test/confs/5842 | 64 -----------------------------------
test/log/5820 | 4 +--
test/log/5822 | 20 -----------
test/log/5840 | 7 ++--
test/log/5842 | 24 -------------
test/scripts/5820-DANE-GnuTLS/5820 | 8 ++---
test/scripts/5820-DANE-GnuTLS/5822 | 19 -----------
test/scripts/5840-DANE-OpenSSL/5840 | 2 +-
test/scripts/5840-DANE-OpenSSL/5842 | 19 -----------
test/stderr/5820 | 12 +++----
test/stderr/5842 | 8 -----
test/stdout/5820 | 12 +++----
test/stdout/5822 | 8 -----
test/stdout/5842 | 8 -----
19 files changed, 45 insertions(+), 270 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f93622b..5a04b1b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -113,13 +113,18 @@ JH/23 Bug 2318: Fix the noerror command within filters. It wasn't working.
was not set for later routers. Investigation and fix by Matthias Kurz.
JH/24 Bug 2310: Raise a msg:fail:internal event for each undelivered recipient,
- and a msg:complete for the whole, when a message is manually reoved using
+ and a msg:complete for the whole, when a message is manually removed using
-Mrm. Developement by Matthias Kurz, hacked on by JH.
JH/25 Avoid fixed-size buffers for pathnames in DB access. This required using
a "Gnu special" function, asprintf() in the DB utility binary builds; I
hope that is portable enough.
+JH/26 Bug 2311: Fix DANE-TA verification under GnuTLS. Previously it was also
+ requiring a known-CA anchor certificate; make it now rely entirely on the
+ TLSA as an anchor. Checking the name on the leaf cert against the name
+ on the A-record for the host is still done for TA (but not for EE mode).
+
Exim version 4.91
-----------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index c5ecf88..3e618a6 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1625,8 +1625,7 @@ else
# ifdef GNUTLS_BROKEN_DANE_VALIDATION
/* Split the TLSA records into two sets, TA and EE selectors. Run the
dane-verification separately so that we know which selector verified;
- then we know whether to do CA-chain-verification and name-verification
- (needed for TA but not EE). */
+ then we know whether to do name-verification (needed for TA but not EE). */
if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
{ /* a mixed-usage bundle */
@@ -1708,20 +1707,31 @@ else
*errstr = US str.data; /* don't bother to free */
goto badcert;
}
- state->peer_dane_verified = TRUE;
# ifdef GNUTLS_BROKEN_DANE_VALIDATION
/* If a TA-mode TLSA record was used for verification we must additionally
- verify the CA chain and the cert name. For EE-mode, skip it. */
+ verify the cert name (but not the CA chain). For EE-mode, skip it. */
if (usage & (1 << DANESSL_USAGE_DANE_EE))
# endif
{
- state->peer_cert_verified = TRUE;
+ state->peer_dane_verified = state->peer_cert_verified = TRUE;
goto goodcert;
}
+# ifdef GNUTLS_BROKEN_DANE_VALIDATION
+ /* Assume that the name on the A-record is the one that should be matching
+ the cert. An alternate view is that the domain part of the email address
+ is also permissible. */
+
+ if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
+ CS state->host->name))
+ {
+ state->peer_dane_verified = state->peer_cert_verified = TRUE;
+ goto goodcert;
+ }
+# endif
}
-#endif
+#endif /*SUPPORT_DANE*/
rc = gnutls_certificate_verify_peers2(state->session, &verify);
}
diff --git a/test/confs/5820 b/test/confs/5820
index 7240288..bcb1a8f 100644
--- a/test/confs/5820
+++ b/test/confs/5820
@@ -70,7 +70,7 @@ send_to_server:
hosts_require_dane = HOSTIPV4
tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
tls_try_verify_hosts = thishost.test.ex
- tls_verify_certificates = CDIR2/ca_chain.pem
+ tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
diff --git a/test/confs/5822 b/test/confs/5822
deleted file mode 100644
index 80a8ef4..0000000
--- a/test/confs/5822
+++ /dev/null
@@ -1,67 +0,0 @@
-# Exim test configuration 5822
-# DANE/GnuTLS
-
-SERVER=
-
-.include DIR/aux-var/tls_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept logwrite = "rcpt ACL"
-
-log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
-
-queue_run_in_order
-
-tls_advertise_hosts = *
-# needed to force generation
-tls_dhparam = historic
-
-tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
-
-# ----- Routers -----
-
-begin routers
-
-client:
- driver = dnslookup
- condition = ${if eq {SERVER}{}}
- dnssec_request_domains = *
- self = send
- transport = send_to_server
- errors_to = ""
-
-server:
- driver = redirect
- condition = ${if !eq {SERVER}{}}
- data = :blackhole:
-
-
-# ----- Transports -----
-
-begin transports
-
-send_to_server:
- driver = smtp
- allow_localhost
- port = PORT_D
-
- hosts_try_dane = *
- hosts_require_dane = HOSTIPV4
- tls_verify_cert_hostnames = :
- tls_try_verify_hosts = thishost.test.ex
-# tls_verify_certificates = CDIR2/ca_chain.pem
-
-
-
-# ----- Retry -----
-
-
-begin retry
-
-* * F,5d,10s
-
-
-# End
diff --git a/test/confs/5840 b/test/confs/5840
index 754945d..407846a 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -75,7 +75,7 @@ send_to_server:
hosts_require_dane = HOSTIPV4
tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
tls_try_verify_hosts = thishost.test.ex
- tls_verify_certificates = CDIR2/ca_chain.pem
+ tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
diff --git a/test/confs/5842 b/test/confs/5842
deleted file mode 100644
index be45e84..0000000
--- a/test/confs/5842
+++ /dev/null
@@ -1,64 +0,0 @@
-# Exim test configuration 5822
-# DANE/OpenSSL
-
-SERVER=
-
-.include DIR/aux-var/tls_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept logwrite = "rcpt ACL"
-
-log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
-
-queue_run_in_order
-
-tls_advertise_hosts = *
-
-tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
-
-# ----- Routers -----
-
-begin routers
-
-client:
- driver = dnslookup
- condition = ${if eq {SERVER}{}}
- dnssec_request_domains = *
- self = send
- transport = send_to_server
- errors_to = ""
-
-server:
- driver = redirect
- data = :blackhole:
-
-
-# ----- Transports -----
-
-begin transports
-
-send_to_server:
- driver = smtp
- allow_localhost
- port = PORT_D
-
- hosts_try_dane = *
- hosts_require_dane = HOSTIPV4
- tls_verify_cert_hostnames = :
- tls_try_verify_hosts = thishost.test.ex
-# tls_verify_certificates = CDIR2/ca_chain.pem
-
-
-
-# ----- Retry -----
-
-
-begin retry
-
-* * F,5d,10s
-
-
-# End
diff --git a/test/log/5820 b/test/log/5820
index b1dc732..bb16d5e 100644
--- a/test/log/5820
+++ b/test/log/5820
@@ -45,7 +45,7 @@
1999-03-02 09:44:33 10HmbP-0005vi-00 == CALLER@??? R=client T=send_to_server defer (-37) H=danebroken2.test.ex [127.0.0.1]: TLS session: (certificate verification failed): Verification failed. CA constrains were violated.
1999-03-02 09:44:33 10HmbQ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
1999-03-02 09:44:33 10HmbQ-0005vi-00 DANE error: TLSA lookup for danebroken3.test.ex not DNSSEC
-1999-03-02 09:44:33 10HmbQ-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken3.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbR-0005vi-00"
+1999-03-02 09:44:33 10HmbQ-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken3.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbR-0005vi-00"
1999-03-02 09:44:33 10HmbQ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
1999-03-02 09:44:33 10HmbS-0005vi-00 DANE error: TLSA lookup for danebroken4.test.ex not DNSSEC
@@ -53,7 +53,7 @@
1999-03-02 09:44:33 10HmbS-0005vi-00 CALLER@???: error ignored
1999-03-02 09:44:33 10HmbS-0005vi-00 Completed
1999-03-02 09:44:33 10HmbT-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
-1999-03-02 09:44:33 10HmbT-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken5.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbU-0005vi-00"
+1999-03-02 09:44:33 10HmbT-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken5.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbU-0005vi-00"
1999-03-02 09:44:33 10HmbT-0005vi-00 Completed
1999-03-02 09:44:33 10HmbV-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
1999-03-02 09:44:33 10HmbV-0005vi-00 ** CALLER@??? R=client T=send_to_server: DANE error: danebroken6.test.ex lookup not DNSSEC
diff --git a/test/log/5822 b/test/log/5822
deleted file mode 100644
index 43b032b..0000000
--- a/test/log/5822
+++ /dev/null
@@ -1,20 +0,0 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
-1999-03-02 09:44:33 10HmaX-0005vi-00 DANE attempt failed; TLS connection to dane256tas.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
-1999-03-02 09:44:33 10HmaX-0005vi-00 !!SHOULD_WORK!! CALLER@??? R=client T=send_to_server defer (-37) H=dane256tas.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
-1999-03-02 09:44:33 10HmaY-0005vi-00 DANE attempt failed; TLS connection to dane256task.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
-1999-03-02 09:44:33 10HmaY-0005vi-00 !!SHOULD_WORK!! CALLER@??? R=client T=send_to_server defer (-37) H=dane256task.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@??? for CALLER@???
-1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@???> R=server
-1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/5840 b/test/log/5840
index 756f442..6aad3b7 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -13,7 +13,6 @@
1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256tak.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server2.example.com" C="250 OK id=10HmbE-0005vi-00"
1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
-1999-03-02 09:44:33 10HmbF-0005vi-00 [127.0.0.1] SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.net/CN=clica CA rsa
1999-03-02 09:44:33 10HmbF-0005vi-00 => CALLER@??? R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.net" C="250 OK id=10HmbG-0005vi-00"
1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
@@ -34,7 +33,6 @@
1999-03-02 09:44:33 10HmbK-0005vi-00 ** CALLER@??? R=client T=send_to_server: DANE error: tlsa lookup FAIL
1999-03-02 09:44:33 10HmbK-0005vi-00 CALLER@???: error ignored
1999-03-02 09:44:33 10HmbK-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbL-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="dane.no.2.test.ex"
1999-03-02 09:44:33 10HmbL-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbP-0005vi-00"
1999-03-02 09:44:33 10HmbL-0005vi-00 Completed
1999-03-02 09:44:33 10HmbM-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
@@ -42,7 +40,6 @@
1999-03-02 09:44:33 10HmbN-0005vi-00 ** CALLER@??? R=client T=send_to_server: DANE error: tlsa lookup FAIL
1999-03-02 09:44:33 10HmbN-0005vi-00 CALLER@???: error ignored
1999-03-02 09:44:33 10HmbN-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbO-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="dane.no.4.test.ex"
1999-03-02 09:44:33 10HmbO-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbQ-0005vi-00"
1999-03-02 09:44:33 10HmbO-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
@@ -51,7 +48,7 @@
1999-03-02 09:44:33 10HmbR-0005vi-00 == CALLER@??? R=client T=send_to_server defer (-37) H=danebroken2.test.ex [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
1999-03-02 09:44:33 10HmbS-0005vi-00 DANE error: TLSA lookup for danebroken3.test.ex not DNSSEC
-1999-03-02 09:44:33 10HmbS-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken3.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbT-0005vi-00"
+1999-03-02 09:44:33 10HmbS-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken3.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbT-0005vi-00"
1999-03-02 09:44:33 10HmbS-0005vi-00 Completed
1999-03-02 09:44:33 10HmbU-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
1999-03-02 09:44:33 10HmbU-0005vi-00 DANE error: TLSA lookup for danebroken4.test.ex not DNSSEC
@@ -59,7 +56,7 @@
1999-03-02 09:44:33 10HmbU-0005vi-00 CALLER@???: error ignored
1999-03-02 09:44:33 10HmbU-0005vi-00 Completed
1999-03-02 09:44:33 10HmbV-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
-1999-03-02 09:44:33 10HmbV-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken5.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbW-0005vi-00"
+1999-03-02 09:44:33 10HmbV-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken5.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbW-0005vi-00"
1999-03-02 09:44:33 10HmbV-0005vi-00 Completed
1999-03-02 09:44:33 10HmbX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
1999-03-02 09:44:33 10HmbX-0005vi-00 ** CALLER@??? R=client T=send_to_server: DANE error: danebroken6.test.ex lookup not DNSSEC
diff --git a/test/log/5842 b/test/log/5842
deleted file mode 100644
index 1146cba..0000000
--- a/test/log/5842
+++ /dev/null
@@ -1,24 +0,0 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256tas.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256task.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
-1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@??? R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00"
-1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@??? for CALLER@???
-1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@???> R=server
-1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaZ-0005vi-00@??? for CALLER@???
-1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <CALLER@???> R=server
-1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
-1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbB-0005vi-00@??? for CALLER@???
-1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@???> R=server
-1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
diff --git a/test/scripts/5820-DANE-GnuTLS/5820 b/test/scripts/5820-DANE-GnuTLS/5820
index 652661c..d7824a3 100644
--- a/test/scripts/5820-DANE-GnuTLS/5820
+++ b/test/scripts/5820-DANE-GnuTLS/5820
@@ -2,11 +2,11 @@
#
exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
****
-### TLSA (3 1 1)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
exim -odq CALLER@???
Testing
****
-### TLSA (3 1 2)
+### TLSA (3 1 2) ( SHA2-512)
exim -odq CALLER@???
Testing
****
@@ -24,7 +24,7 @@ killdaemon
#
exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
****
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
exim -odf CALLER@???
Testing
****
@@ -44,7 +44,7 @@ killdaemon
# Check we get a CV and TLS connection, with try_dane but no require_dane
exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
****
-exim -odf CALLER@???
+exim -odf -DDETAILS=ca CALLER@???
Testing
****
exim -DOPT=no_certname -qf
diff --git a/test/scripts/5820-DANE-GnuTLS/5822 b/test/scripts/5820-DANE-GnuTLS/5822
deleted file mode 100644
index 9e565ab..0000000
--- a/test/scripts/5820-DANE-GnuTLS/5822
+++ /dev/null
@@ -1,19 +0,0 @@
-# DANE server: selfsigned cert
-#
-exim -DSERVER=server -bd -oX PORT_D
-****
-### TLSA (2 0 1)
-exim -odf CALLER@???
-Testing
-****
-### TLSA (2 1 1)
-exim -odf CALLER@???
-Testing
-****
-### TLSA (3 1 1)
-exim -odf CALLER@???
-Testing
-****
-killdaemon
-#
-no_msglog_check
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index b1ea2f3..4d88131 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -52,7 +52,7 @@ killdaemon
# Check we get a CV and TLS connection, with try_dane but no require_dane
exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
****
-exim -odf CALLER@???
+exim -odf -DDETAILS=ca CALLER@???
Testing
****
exim -DOPT=no_certname -qf
diff --git a/test/scripts/5840-DANE-OpenSSL/5842 b/test/scripts/5840-DANE-OpenSSL/5842
deleted file mode 100644
index da9e4e3..0000000
--- a/test/scripts/5840-DANE-OpenSSL/5842
+++ /dev/null
@@ -1,19 +0,0 @@
-# DANE server: selfsigned and TA-mode
-#
-exim -DSERVER=server -bd -oX PORT_D
-****
-### TLSA (2 0 1)
-exim -odf CALLER@???
-Testing
-****
-### TLSA (2 1 1)
-exim -odf CALLER@???
-Testing
-****
-### TLSA (3 1 1)
-exim -odf CALLER@???
-Testing
-****
-killdaemon
-#
-no_msglog_check
diff --git a/test/stderr/5820 b/test/stderr/5820
index 34fcb0f..5807a10 100644
--- a/test/stderr/5820
+++ b/test/stderr/5820
@@ -1,5 +1,5 @@
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
### Recipient callout
>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? no (option unset)
@@ -65,7 +65,7 @@
>>> accept: condition test succeeded in inline ACL
>>> end of inline ACL: ACCEPT
LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
### A server with a nonverifying cert and no TLSA
### A server with a verifying cert and no TLSA
### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
@@ -84,10 +84,10 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
### A server with a nonverifying cert and no TLSA
### A server with a verifying cert and no TLSA
### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
diff --git a/test/stderr/5842 b/test/stderr/5842
deleted file mode 100644
index ed5eb4f..0000000
--- a/test/stderr/5842
+++ /dev/null
@@ -1,8 +0,0 @@
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)
-
-******** SERVER ********
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)
diff --git a/test/stdout/5820 b/test/stdout/5820
index 9bdf21c..4b26b4c 100644
--- a/test/stdout/5820
+++ b/test/stdout/5820
@@ -1,5 +1,5 @@
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
### Recipient callout
**** SMTP testing session as if from host 127.0.0.1
@@ -10,7 +10,7 @@
250 OK
250 Accepted
421 myhost.test.ex lost input connection
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
### A server with a nonverifying cert and no TLSA
### A server with a verifying cert and no TLSA
### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
@@ -29,10 +29,10 @@
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
### A server with a nonverifying cert and no TLSA
### A server with a verifying cert and no TLSA
### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
diff --git a/test/stdout/5822 b/test/stdout/5822
deleted file mode 100644
index ed5eb4f..0000000
--- a/test/stdout/5822
+++ /dev/null
@@ -1,8 +0,0 @@
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)
-
-******** SERVER ********
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)
diff --git a/test/stdout/5842 b/test/stdout/5842
deleted file mode 100644
index ed5eb4f..0000000
--- a/test/stdout/5842
+++ /dev/null
@@ -1,8 +0,0 @@
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)
-
-******** SERVER ********
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)