[exim-cvs] Testsuite: variances for OpenSSL 1.1.1

Gitweb: https://git.exim.org/exim.git/commitdiff/fd3cf789304c68aec6def76b24f61ea840c1a919

Commit:     fd3cf789304c68aec6def76b24f61ea840c1a919
Parent:     48224640cb97b694c3ea2f159c3e60d64598ba65
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Fri Oct 26 00:41:36 2018 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Fri Oct 26 15:53:41 2018 +0100

    Testsuite: variances for OpenSSL 1.1.1
---
 test/confs/2119                |  13 +-
 test/confs/2132                |  13 +-
 test/lib/Exim/Runtest.pm       |   8 +-
 test/log/2102.openssl_1_1_1    |  46 ++++++
 test/runtest                   |   1 +
 test/scripts/2100-OpenSSL/2114 |  10 +-
 test/scripts/2100-OpenSSL/2124 |   6 +-
 test/scripts/2100-OpenSSL/2132 |  12 +-
 test/src/client.c              |  14 +-
 test/stderr/2132               |   8 +
 test/stdout/2114.openssl_1_1_1 | 324 +++++++++++++++++++++++++++++++++++++++++
 test/stdout/2124.openssl_1_1_1 |  55 +++++++
 test/stdout/2132.openssl_1_1_1 | 167 +++++++++++++++++++++
 13 files changed, 642 insertions(+), 35 deletions(-)

diff --git a/test/confs/2119 b/test/confs/2119
index d55232d..fbd8376 100644
--- a/test/confs/2119
+++ b/test/confs/2119
@@ -29,18 +29,7 @@ begin acl
 check_recipient:
   accept  hosts = :
   deny    hosts = HOSTIPV4
-         !encrypted = AES256-SHA:\
-                      AES256-GCM-SHA384:\
-                      AES128-GCM-SHA256:\
-                      IDEA-CBC-MD5:\
-                      DES-CBC3-SHA:\
-              DHE-RSA-AES256-SHA:\
-              DHE-RSA-AES256-GCM-SHA384:\
-                      DHE_RSA_AES_256_CBC_SHA1:\
-                      DHE_RSA_3DES_EDE_CBC_SHA:\
-                      ECDHE-RSA-AES256-GCM-SHA384:\
-                      ECDHE-RSA-AES128-GCM-SHA256:\
-              ECDHE-RSA-CHACHA20-POLY1305
+         !encrypted = *
   accept

diff --git a/test/confs/2132 b/test/confs/2132
index 7e491b8..4d90a9c 100644
--- a/test/confs/2132
+++ b/test/confs/2132
@@ -29,18 +29,7 @@ begin acl
 check_recipient:
   accept  hosts = :
   deny    hosts = HOSTIPV4
-         !encrypted = AES256-SHA : \
-                      AES256-GCM-SHA384 : \
-                      AES128-GCM-SHA256 : \
-                      IDEA-CBC-MD5 : \
-                      DES-CBC3-SHA : \
-              DHE-RSA-AES256-SHA : \
-              DHE-RSA-AES256-GCM-SHA384 : \
-                      DHE_RSA_AES_256_CBC_SHA1 : \
-                      DHE_RSA_3DES_EDE_CBC_SHA : \
-                      ECDHE-RSA-AES256-GCM-SHA384 : \
-                      ECDHE-RSA-AES128-GCM-SHA256 : \
-              ECDHE-RSA-CHACHA20-POLY1305
+         !encrypted = *
   warn    logwrite =  ${if def:tls_in_ourcert \
         {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
         {We did not present a cert}}
diff --git a/test/lib/Exim/Runtest.pm b/test/lib/Exim/Runtest.pm
index e41a29c..7ba0790 100644
--- a/test/lib/Exim/Runtest.pm
+++ b/test/lib/Exim/Runtest.pm
@@ -119,6 +119,10 @@ sub flavour {
         $etc = shift;
     }

+    if (open(my $f, '-|', 'openssl version')) {
+    <$f> =~ /1.1.1/ && return "openssl_1_1_1";
+    }
+
     if (open(my $f, '<', "$etc/os-release")) {
         local $_ = join '', <$f>;
         my ($id) = /^ID="?(.*?)"?\s*$/m;
@@ -137,7 +141,7 @@ sub flavour {

 sub flavours {
     my %h = map { /\.(\S+)$/, 1 }
-            grep { !/\.orig$/ } glob('stdout/*.*'), glob('stderr/*.*');
+            grep { !/\.orig$/ } glob('stdout/*.*'), glob('stderr/*.*'), glob('log/*.*');
     return sort keys %h;
 }

@@ -174,7 +178,7 @@ typical files in the F</etc> directory.

=item B<flavours>()

-Return a list of available flavours. It does so by scanning F<stdout/> and
+Return a list of available flavours. It does so by scanning F<log/>, F<stdout/> and
F<stderr/> for I<flavour> files (extensions after the numerical prefix.

 =back
diff --git a/test/log/2102.openssl_1_1_1 b/test/log/2102.openssl_1_1_1
new file mode 100644
index 0000000..0e8e5f6
--- /dev/null
+++ b/test/log/2102.openssl_1_1_1
@@ -0,0 +1,46 @@
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER <CALLER@???> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER <CALLER@???> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER <CALLER@???> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER <CALLER@???> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer cert:
+1999-03-02 09:44:33 ver 2
+1999-03-02 09:44:33 SR  <c9>
+1999-03-02 09:44:33 SN  <CN=server2.example.com>
+1999-03-02 09:44:33 IN  <CN=clica Signing Cert rsa,O=example.com>
+1999-03-02 09:44:33 IN/O <example.com>
+1999-03-02 09:44:33 NB/r <Nov  1 12:34:04 2012 GMT>
+1999-03-02 09:44:33 NB   <Nov  1 12:34:04 2012 +0000>
+1999-03-02 09:44:33 NB/i <1351773244>
+1999-03-02 09:44:33 NA/i <2143283644>
+1999-03-02 09:44:33 NA   <Dec  1 12:34:04 2037 +0000>
+1999-03-02 09:44:33 SA  <sha256WithRSAEncryption>
+1999-03-02 09:44:33 SG  <         80:00:39:4c:bb:2c:16:e6:be:ee:54:b7:f6:9f:89:fe:71:62:\n         79:2f:90:57:95:07:54:67:2f:e9:12:96:41:1b:c5:9b:dd:de:\n         68:2d:e5:d7:a7:35:c7:ea:b1:d9:95:12:40:49:0c:07:3d:0c:\n         74:df:57:d1:b6:04:5f:83:5c:15:fe:9a:7f:b7:35:7d:ec:f8:\n         b7:4d:ac:76:ea:8c:44:8a:86:e0:42:38:78:ff:68:8a:09:83:\n         44:10:67:b4:fd:a4:5c:a4:ea:91:41:e7:8e:a7:79:37:f6:e2:\n         f8:de:9d:0f:96:85:18:22:2c:5c:06:af:01:85:94:62:c1:69:\n         8d:2e\n>
+1999-03-02 09:44:33 SAN <DNS=*.test.ex\nDNS=server2.example.com>
+1999-03-02 09:44:33 OCU <http://oscp.example.com/>
+1999-03-02 09:44:33 (no CRU)
+1999-03-02 09:44:33 md5    fingerprint 313E07141F2FF0CBC0A76EB57CA49D58
+1999-03-02 09:44:33 sha1   fingerprint 778B892247D2ABD365BA1530A50141AF052E271E
+1999-03-02 09:44:33 sha256 fingerprint 05F3012D41AE8A8173BE3AE71F7F9B3535391CACF77003B723F14B21064F6648
+1999-03-02 09:44:33 der_b64 MIICszCCAhygAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTIzNDA0WhcNMzcxMjAxMTIzNDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCf6MdoozlJCZPwdIHXdFHddXJfZ5xn2e6XoMmSjqOrOJYIIFKdgtlrMhtTVU1VLlK6V7H8142r78YQ4RKcj9QhTuQJxrrVtVuRt38Zy4RW0/+ujMcXoV8nV7Yt1c1z/tIJ4afSapAnAAm5wVdIbUhUeM/K5Wozm1gV5OCtNZPa4QIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADgYEAgAA5TLssFua+7lS39p+J/nFieS+QV5UHVGcv6RKWQRvFm93eaC3l16c1x+qx2ZUSQEkMBz0MdN9X0bYEX4NcFf6af7c1fez4t02sduqMRIqG4EI4eP9oigmDRBBntP2kXKTqkUHnjqd5N/bi+N6dD5aFGCIsXAavAYWUYsFpjS4=
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server2.example.com" S=sss
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-ECDSA-AES256-SHA:xxx CV=no S=sss
diff --git a/test/runtest b/test/runtest
index 7c89f10..efb352b 100755
--- a/test/runtest
+++ b/test/runtest
@@ -935,6 +935,7 @@ RESET_AFTER_EXTRA_LINE_READ:
     s/SSL3_READ_BYTES/ssl3_read_bytes/i;
     s/CONNECT_CR_FINISHED/ssl3_read_bytes/i;
     s/^\d+:error:\d+(?:E\d+)?(:SSL routines:ssl3_read_bytes:[^:]+:).*(:SSL alert number \d\d)$/pppp:error:dddddddd$1\[...\]$2/;
+    s/^error:[^:]*:(SSL routines:ssl3_read_bytes:(tls|ssl)v\d+ alert)/error:dddddddd:$1/;

     # gnutls version variances
     next if /^Error in the pull function./;
diff --git a/test/scripts/2100-OpenSSL/2114 b/test/scripts/2100-OpenSSL/2114
index cc78ab0..edf3b6c 100644
--- a/test/scripts/2100-OpenSSL/2114
+++ b/test/scripts/2100-OpenSSL/2114
@@ -2,7 +2,7 @@
 exim -DSERVER=server -bd -oX PORT_D
 ****
 ### No certificate, certificate required
-client-ssl HOSTIPV4 PORT_D
+client-ssl -t2 HOSTIPV4 PORT_D
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -14,10 +14,12 @@ ehlo rhu.barb
 starttls
 ??? 220
 noop
+????554 Security failure
+noop
 ??? 554 Security failure
 quit
 ????554 Security failure
-??? 221
+????221
 ???*
 ****
 ### No certificate, certificate optional at TLS time, required by ACL
@@ -92,6 +94,8 @@ ehlo rhu.barb
 starttls
 ??? 220
 noop
+????554 Security failure
+noop
 ??? 554 Security failure
 ****
 ### Bad certificate, certificate optional at TLS time, reject at ACL time
@@ -133,6 +137,8 @@ ehlo rhu.barb
 starttls
 ??? 220
 noop
+????554 Security failure
+noop
 ??? 554 Security failure
 ****
 ### Revoked certificate, certificate optional at TLS time, reject at ACL time
diff --git a/test/scripts/2100-OpenSSL/2124 b/test/scripts/2100-OpenSSL/2124
index eb999d6..6649ed9 100644
--- a/test/scripts/2100-OpenSSL/2124
+++ b/test/scripts/2100-OpenSSL/2124
@@ -1,7 +1,7 @@
 # TLS server: empty/non-existent certificate file
 exim -DSERVER=server -bd -oX PORT_D
 ****
-client-ssl HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+client-ssl -t2 HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -12,6 +12,10 @@ ehlo rhu.barb
 ??? 250
 starttls
 ??? 220
+noop
+????554 Security failure
+noop
+??? 554 Security failure
 ****
 killdaemon
 exim -DSERVER=server -DCERT=/non/exist -bd -oX PORT_D
diff --git a/test/scripts/2100-OpenSSL/2132 b/test/scripts/2100-OpenSSL/2132
index 4a12fb0..cdf4ed2 100644
--- a/test/scripts/2100-OpenSSL/2132
+++ b/test/scripts/2100-OpenSSL/2132
@@ -1,6 +1,8 @@
 # TLS server: server ca cert from directory
 exim -DSERVER=server -bd -oX PORT_D
 ****
+#
+### Should accept message
 client-ssl 127.0.0.1 PORT_D
 ??? 220
 ehlo rhu.barb
@@ -24,6 +26,7 @@ This is a test encrypted message.
 quit
 ??? 221
 ****
+### Should accept message (with a difficult env-from)
 client-ssl 127.0.0.1 PORT_D
 ??? 220
 ehlo rhu.barb
@@ -47,7 +50,8 @@ This is a test encrypted message.
 quit
 ??? 221
 ****
-client-ssl HOSTIPV4 PORT_D
+### client cert verify required; none given
+client-ssl -t2 HOSTIPV4 PORT_D
 ??? 220
 ehlo rhu.barb
 ??? 250-
@@ -58,10 +62,12 @@ ehlo rhu.barb
 ??? 250
 starttls
 ??? 220
-+++ 1
-help
+noop
+????554
+noop
 ??? 554
 ****
+### client cert verify required; good one supplied
 client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
 ??? 220
 ehlo rhu.barb
diff --git a/test/src/client.c b/test/src/client.c
index de36ef0..c143739 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -578,18 +578,24 @@ nextinput:
         case SSL_ERROR_ZERO_RETURN:
           break;
         case SSL_ERROR_SYSCALL:
-          printf("%s\n", ERR_error_string(ERR_get_error(), NULL)); break;
+          printf("%s\n", ERR_error_string(ERR_get_error(), NULL));
           rc = -1;
+          break;
         case SSL_ERROR_SSL:
-          printf("%s\n", ERR_error_string(ERR_get_error(), NULL)); break;
+          printf("%s\nTLS terminated\n", ERR_error_string(ERR_get_error(), NULL));
           SSL_shutdown(srv->ssl);
           SSL_free(srv->ssl);
           srv->tls_active = FALSE;
+          {    /* OpenSSL leaves it in restartsys mode */
+          struct sigaction act = {.sa_handler = sigalrm_handler_flag, .sa_flags = 0};
+          sigalrm_seen = 1;
+          sigaction(SIGALRM, &act, NULL);
+          }
+          *inptr = 0;
           goto nextinput;
         default:
           printf("SSL error code %d\n", error);
         }
-
 #endif
 #ifdef HAVE_GNUTLS
         rc = gnutls_record_recv(tls_session, CS inbuffer, bsiz - 1);
@@ -601,6 +607,8 @@ nextinput:

       if (rc < 0)
     {
+    if (errno == EINTR && sigalrm_seen && resp_optional)
+      continue;    /* next scriptline */
         printf("Read error %s\n", strerror(errno));
         exit(81);
     }
diff --git a/test/stderr/2132 b/test/stderr/2132
index 59f3382..6babd94 100644
--- a/test/stderr/2132
+++ b/test/stderr/2132
@@ -1,3 +1,7 @@
+### Should accept message
+### Should accept message (with a difficult env-from)
+### client cert verify required; none given
+### client cert verify required; good one supplied

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? no (option unset)
>>> host in host_reject_connection? no (option unset)
@@ -8,3 +12,7 @@
>>> host in helo_accept_junk_hosts? no (option unset)

******** SERVER ********
+### Should accept message
+### Should accept message (with a difficult env-from)
+### client cert verify required; none given
+### client cert verify required; good one supplied
diff --git a/test/stdout/2114.openssl_1_1_1 b/test/stdout/2114.openssl_1_1_1
new file mode 100644
index 0000000..744d0e2
--- /dev/null
+++ b/test/stdout/2114.openssl_1_1_1
@@ -0,0 +1,324 @@
+### No certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+>>> quit
+????554 Security failure
+????221
+???*
+Expected EOF read
+End of script
+### No certificate, certificate optional at TLS time, required by ACL
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> helo rhu.barb
+??? 250
+<<< 250 myhost.test.ex Hello rhu.barb [127.0.0.1]
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 550
+<<< 550 certificate not verified: peerdn=
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Good certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Good certificate, certificate optional at TLS time, checked by ACL
+Connecting to 127.0.0.1 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Bad certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
+Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+End of script
+### Bad certificate, certificate optional at TLS time, reject at ACL time
+Connecting to 127.0.0.1 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
+Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 550
+<<< 550 certificate not verified: peerdn=/CN=server1.example.net
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Otherwise good but revoked certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+End of script
+### Revoked certificate, certificate optional at TLS time, reject at ACL time
+Connecting to 127.0.0.1 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 550
+<<< 550 certificate not verified: peerdn=/CN=revoked1.example.com
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Good certificate, certificate required - but nonmatching CRL also present
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+
+******** SERVER ********
+### No certificate, certificate required
+### No certificate, certificate optional at TLS time, required by ACL
+### Good certificate, certificate required
+### Good certificate, certificate optional at TLS time, checked by ACL
+### Bad certificate, certificate required
+### Bad certificate, certificate optional at TLS time, reject at ACL time
+### Otherwise good but revoked certificate, certificate required
+### Revoked certificate, certificate optional at TLS time, reject at ACL time
+### Good certificate, certificate required - but nonmatching CRL also present
diff --git a/test/stdout/2124.openssl_1_1_1 b/test/stdout/2124.openssl_1_1_1
new file mode 100644
index 0000000..e7777a1
--- /dev/null
+++ b/test/stdout/2124.openssl_1_1_1
@@ -0,0 +1,55 @@
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 454
+<<< 454 TLS currently unavailable
+Abandoning TLS start attempt
+End of script
diff --git a/test/stdout/2132.openssl_1_1_1 b/test/stdout/2132.openssl_1_1_1
new file mode 100644
index 0000000..179a9ef
--- /dev/null
+++ b/test/stdout/2132.openssl_1_1_1
@@ -0,0 +1,167 @@
+### Should accept message
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@???>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaX-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Should accept message (with a difficult env-from)
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<"name with spaces"@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@???>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaY-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### client cert verify required; none given
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required
+TLS terminated
+>>> noop
+??? 554
+<<< 554 Security failure
+End of script
+### client cert verify required; good one supplied
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@???>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message from a verified host.
+>>> .
+??? 250
+<<< 250 OK id=10HmaZ-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+
+**** SMTP testing session as if from host 10.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+503 STARTTLS command used when not advertised
+221 myhost.test.ex closing connection
+
+******** SERVER ********
+### Should accept message
+### Should accept message (with a difficult env-from)
+### client cert verify required; none given
+### client cert verify required; good one supplied