[exim-cvs] Testsuite: handle OpenSSL 1.1.1

Szerző: Exim Git Commits Mailing List
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] Testsuite: handle OpenSSL 1.1.1
Gitweb: https://git.exim.org/exim.git/commitdiff/9e9ad3eea16e14e8a6c96cde6ddc5c0051e0fd83
Commit:     9e9ad3eea16e14e8a6c96cde6ddc5c0051e0fd83
Parent:     8442641ee685d02b15ccfdc7290dda2674b8472e
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Sep 20 18:31:36 2018 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Sep 20 22:30:13 2018 +0100


    Testsuite: handle OpenSSL 1.1.1
---
 test/confs/2102                     |  1 +
 test/confs/2107                     |  1 -
 test/confs/2111                     |  5 ++++-
 test/confs/2125                     |  3 +++
 test/confs/2127                     |  4 ++++
 test/confs/5841                     | 10 ++++++++--
 test/log/2107                       |  4 ++--
 test/runtest                        | 11 +++++++++--
 test/scripts/5840-DANE-OpenSSL/5841 |  4 ++--
 9 files changed, 33 insertions(+), 10 deletions(-)


diff --git a/test/confs/2102 b/test/confs/2102
index 0139a61..c9e0047 100644
--- a/test/confs/2102
+++ b/test/confs/2102
@@ -43,6 +43,7 @@ check_recipient:
          !encrypted = *
       logwrite = cipher: $tls_in_cipher
 # This appears to lie. Despite what's on the wire, it returns the last cert loaded.
+# Fixed in OpenSSL 1.1.1 ?  Testcase golden logfile has the incorrect value.
   warn    logwrite =  ${if def:tls_in_ourcert \
         {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
         {We did not present a cert}}
diff --git a/test/confs/2107 b/test/confs/2107
index 6793673..9487445 100644
--- a/test/confs/2107
+++ b/test/confs/2107
@@ -16,7 +16,6 @@ queue_only
 queue_run_in_order


tls_advertise_hosts = *
-tls_require_ciphers = AES256-SHA

# Set certificate only if server

diff --git a/test/confs/2111 b/test/confs/2111
index 0d99a23..b54c949 100644
--- a/test/confs/2111
+++ b/test/confs/2111
@@ -23,6 +23,9 @@ tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
tls_verify_hosts = *
tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}

+.ifdef _OPT_OPENSSL_NO_TLSV1_3_X
+openssl_options = +no_tlsv1_3
+.endif

# ----- Routers -----

@@ -47,7 +50,7 @@ send_to_server:
   port = PORT_D
   tls_certificate = DIR/aux-fixed/cert2
   tls_privatekey = DIR/aux-fixed/cert2
-  tls_require_ciphers = IDEA-CBC-MD5 \
+  tls_require_ciphers = IDEA-CBC-MD5:\
     ${if eq{$host_address}{127.0.0.1}{:AES256-SHA:RSA_ARCFOUR_SHA}}


# End
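Review bot: The new literal separator on `tls_require_ciphers = IDEA-CBC-MD5:\` combines with the `:` that still opens the conditional branch, so for 127.0.0.1 the option expands to `IDEA-CBC-MD5::AES256-SHA:RSA_ARCFOUR_SHA` and for any other host to `IDEA-CBC-MD5:` with a trailing separator. OpenSSL's cipher-string parser skips empty items, so both forms should still parse, but the doubled separator reads like a mistake to the next person editing this fixture. Keeping the separator in one place avoids that, e.g. `{AES256-SHA:RSA_ARCFOUR_SHA}` inside the braces so the new line alone supplies the `:`. The `send_to_server` transport this option belongs to starts before the hunk.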
diff --git a/test/confs/2125 b/test/confs/2125
index be2fe1b..5898791 100644
--- a/test/confs/2125
+++ b/test/confs/2125
@@ -25,6 +25,9 @@ tls_require_ciphers = ${if eq{$sender_host_address}{HOSTIPV4}\
tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}

+.ifdef _OPT_OPENSSL_NO_TLSV1_3_X
+openssl_options = +no_tlsv1_3
+.endif

# ----- Routers -----

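Review bot: `openssl_options = +no_tlsv1_3` is added here with no comment saying why a test fixture is disabling the newest protocol version, and the guard macro `_OPT_OPENSSL_NO_TLSV1_3_X` is not self-explanatory either. A reader grepping the tree for how to configure OpenSSL options could copy this block into a real configuration without realising it is only there to keep the `tls_require_ciphers` list above (which, presumably, OpenSSL 1.1.1 does not apply to TLS1.3 suites) in control of the negotiated cipher. I would add, above the `.ifdef`, `# Test fixture only: exclude TLS1.3 so the TLS1.2 cipher list above selects the negotiated suite; not a production recommendation`.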
diff --git a/test/confs/2127 b/test/confs/2127
index b177444..9807ccf 100644
--- a/test/confs/2127
+++ b/test/confs/2127
@@ -20,6 +20,10 @@ tls_try_verify_hosts = 127.0.0.1
tls_verify_hosts = HOSTIPV4
tls_verify_certificates = DIR/aux-fixed/cert1

+tls_require_ciphers = -ALL:kRSA
+.ifdef _OPT_OPENSSL_NO_TLSV1_3_X
+openssl_options = +no_tlsv1_3
+.endif
# ----- Routers -----

begin routers
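Review bot: `tls_require_ciphers = -ALL:kRSA` restricts the server to static-RSA key exchange, i.e. suites with no forward secrecy, and together with `+no_tlsv1_3` it pins a deliberately weak TLS posture, yet nothing in the hunk says this is a test-only choice or what it is for. Since the log munging in runtest rewrites the cipher field to `ke-RSA-...`, I assume the intent is a deterministic RSA key-exchange/auth in the golden log, but that should be stated rather than inferred: `# Test fixture only: force static-RSA key exchange (no PFS) for a deterministic cipher in the log; never use in production`. A blank line between `.endif` and `# ----- Routers -----` would also match the layout used by the other confs in this commit.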
diff --git a/test/confs/5841 b/test/confs/5841
index 57d6928..98de91d 100644
--- a/test/confs/5841
+++ b/test/confs/5841
@@ -2,7 +2,7 @@
# DANE/OpenSSL - ciphers option

SERVER=
-OPT=
+LIST=

.include DIR/aux-var/tls_conf_prefix

@@ -25,6 +25,12 @@ tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.k
# Permit two specific ciphers
tls_require_ciphers = ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-GCM-SHA384

+# Force TLS1.2 so that the ciphers choice works
+
+.ifdef _OPT_OPENSSL_NO_TLSV1_3_X
+openssl_options = +no_tlsv1_3
+.endif
+
# ----- Routers -----
begin routers

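Review bot: The comment `# Force TLS1.2 so that the ciphers choice works` overstates what the option does: `+no_tlsv1_3` only excludes TLS1.3, and whether TLS1.0/1.1 remain negotiable depends on `tls_conf_prefix`, which is not visible here. In practice the two suites named in `tls_require_ciphers` are TLS1.2-only, so 1.2 is what will be negotiated, but the comment should say that rather than imply the option itself forces a version. Suggested wording: `# Exclude TLS1.3 (the tls_require_ciphers list above does not cover TLS1.3 suites) so one of the TLS1.2 suites is negotiated`.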
@@ -53,7 +59,7 @@ send_to_server:

   # Some commonly-available cipher, we hope
   tls_require_ciphers =        ECDHE-RSA-AES256-GCM-SHA384
-  dane_require_tls_ciphers =    OPT
+  dane_require_tls_ciphers =    LIST


# ----- Retry -----
begin retry
diff --git a/test/log/2107 b/test/log/2107
index a09c37c..1d01706 100644
--- a/test/log/2107
+++ b/test/log/2107
@@ -2,10 +2,10 @@
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="127.0.0.1"
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@???
diff --git a/test/runtest b/test/runtest
index 7921c5b..d6bc7b0 100755
--- a/test/runtest
+++ b/test/runtest
@@ -538,6 +538,9 @@ RESET_AFTER_EXTRA_LINE_READ:
# Test machines might have various different TLS library versions supporting
# different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we
# treat the standard algorithms the same.
+ #
+ # TLSversion : KeyExchange? - Authentication/Signature - C_iph_er - MAC : ???
+ #
# So far, have seen:
# TLSv1:AES128-GCM-SHA256:128
# TLSv1:AES256-SHA:256
@@ -559,8 +562,12 @@ RESET_AFTER_EXTRA_LINE_READ:
s/((EC)?DHE-)?(RSA|ECDSA)-AES(128|256)-(GCM-SHA(256|384)|SHA):(128|256)/ke-$3-AES256-SHA:xxx/g;

# OpenSSL TLSv1.3 - unsure what to do about the authentication-variant testcases now,
- # as it seems the protocol no longer supports a user choice.
- s/TLS_AES(_256)_GCM_SHA384:256/TLS-AES256-SHA:xxx/g;
+ # as it seems the protocol no longer supports a user choice. Replace the "TLS" field with "RSA".
+ # Also insert a key-exchange field for back-compat, even though 1.3 doesn't do that.
+ #
+ # TLSversion : "TLS" - C_iph_er - MAC : ???
+ #
+ s/:TLS_AES(_256)_GCM_SHA384:256/:ke-RSA-AES256-SHA:xxx/g;

# LibreSSL
# TLSv1:AES256-GCM-SHA384:256
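Review bot: The new substitution `s/:TLS_AES(_256)_GCM_SHA384:256/:ke-RSA-AES256-SHA:xxx/g;` has a capture group that is mandatory and never used, so it matches exactly one TLS1.3 suite; if a test host negotiates `TLS_AES_128_GCM_SHA256:128` or `TLS_CHACHA20_POLY1305_SHA256:256` instead, the raw name survives munging and the test fails against the normalised golden logs for reasons unrelated to the code under test. Either drop the parentheses or make the pattern cover the standard TLS1.3 suites: `s/:TLS_(AES_(128|256)_GCM_SHA(256|384)|CHACHA20_POLY1305_SHA256):(128|256)/:ke-RSA-AES256-SHA:xxx/g;`. Worth noting in the comment too that, like the TLS1.2 line above, this erases the real suite and bit strength from the log, so a negotiation weaker than intended is no longer visible to the golden-log comparison.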
diff --git a/test/scripts/5840-DANE-OpenSSL/5841 b/test/scripts/5840-DANE-OpenSSL/5841
index 52fac18..fff416e 100644
--- a/test/scripts/5840-DANE-OpenSSL/5841
+++ b/test/scripts/5840-DANE-OpenSSL/5841
@@ -15,12 +15,12 @@ Testing
#
### Dane cipher specified, dane unused
# Since dane unused, should get the same cipher as the baseline
-exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@???
+exim -odf -DLIST=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@???
Testing
****
### Dane cipher specified, dane used
# Should get the cipher specified here
-exim -odf -DOPT=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@???
+exim -odf -DLIST=ECDHE-RSA-CAMELLIA256-SHA384 CALLER@???
Testing
****
#