Gitweb:
https://git.exim.org/exim.git/commitdiff/fd3cf789304c68aec6def76b24f61ea840c1a919
Commit: fd3cf789304c68aec6def76b24f61ea840c1a919
Parent: 48224640cb97b694c3ea2f159c3e60d64598ba65
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Fri Oct 26 00:41:36 2018 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Fri Oct 26 15:53:41 2018 +0100
Testsuite: variances for OpenSSL 1.1.1
---
test/confs/2119 | 13 +-
test/confs/2132 | 13 +-
test/lib/Exim/Runtest.pm | 8 +-
test/log/2102.openssl_1_1_1 | 46 ++++++
test/runtest | 1 +
test/scripts/2100-OpenSSL/2114 | 10 +-
test/scripts/2100-OpenSSL/2124 | 6 +-
test/scripts/2100-OpenSSL/2132 | 12 +-
test/src/client.c | 14 +-
test/stderr/2132 | 8 +
test/stdout/2114.openssl_1_1_1 | 324 +++++++++++++++++++++++++++++++++++++++++
test/stdout/2124.openssl_1_1_1 | 55 +++++++
test/stdout/2132.openssl_1_1_1 | 167 +++++++++++++++++++++
13 files changed, 642 insertions(+), 35 deletions(-)
diff --git a/test/confs/2119 b/test/confs/2119
index d55232d..fbd8376 100644
--- a/test/confs/2119
+++ b/test/confs/2119
@@ -29,18 +29,7 @@ begin acl
check_recipient:
accept hosts = :
deny hosts = HOSTIPV4
- !encrypted = AES256-SHA:\
- AES256-GCM-SHA384:\
- AES128-GCM-SHA256:\
- IDEA-CBC-MD5:\
- DES-CBC3-SHA:\
- DHE-RSA-AES256-SHA:\
- DHE-RSA-AES256-GCM-SHA384:\
- DHE_RSA_AES_256_CBC_SHA1:\
- DHE_RSA_3DES_EDE_CBC_SHA:\
- ECDHE-RSA-AES256-GCM-SHA384:\
- ECDHE-RSA-AES128-GCM-SHA256:\
- ECDHE-RSA-CHACHA20-POLY1305
+ !encrypted = *
accept
diff --git a/test/confs/2132 b/test/confs/2132
index 7e491b8..4d90a9c 100644
--- a/test/confs/2132
+++ b/test/confs/2132
@@ -29,18 +29,7 @@ begin acl
check_recipient:
accept hosts = :
deny hosts = HOSTIPV4
- !encrypted = AES256-SHA : \
- AES256-GCM-SHA384 : \
- AES128-GCM-SHA256 : \
- IDEA-CBC-MD5 : \
- DES-CBC3-SHA : \
- DHE-RSA-AES256-SHA : \
- DHE-RSA-AES256-GCM-SHA384 : \
- DHE_RSA_AES_256_CBC_SHA1 : \
- DHE_RSA_3DES_EDE_CBC_SHA : \
- ECDHE-RSA-AES256-GCM-SHA384 : \
- ECDHE-RSA-AES128-GCM-SHA256 : \
- ECDHE-RSA-CHACHA20-POLY1305
+ !encrypted = *
warn logwrite = ${if def:tls_in_ourcert \
{Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
{We did not present a cert}}
diff --git a/test/lib/Exim/Runtest.pm b/test/lib/Exim/Runtest.pm
index e41a29c..7ba0790 100644
--- a/test/lib/Exim/Runtest.pm
+++ b/test/lib/Exim/Runtest.pm
@@ -119,6 +119,10 @@ sub flavour {
$etc = shift;
}
+ if (open(my $f, '-|', 'openssl version')) {
+ <$f> =~ /1.1.1/ && return "openssl_1_1_1";
+ }
+
if (open(my $f, '<', "$etc/os-release")) {
local $_ = join '', <$f>;
my ($id) = /^ID="?(.*?)"?\s*$/m;
@@ -137,7 +141,7 @@ sub flavour {
sub flavours {
my %h = map { /\.(\S+)$/, 1 }
- grep { !/\.orig$/ } glob('stdout/*.*'), glob('stderr/*.*');
+ grep { !/\.orig$/ } glob('stdout/*.*'), glob('stderr/*.*'), glob('log/*.*');
return sort keys %h;
}
@@ -174,7 +178,7 @@ typical files in the F</etc> directory.
=item B<flavours>()
-Return a list of available flavours. It does so by scanning F<stdout/> and
+Return a list of available flavours. It does so by scanning F<log/>, F<stdout/> and
F<stderr/> for I<flavour> files (extensions after the numerical prefix.
=back
diff --git a/test/log/2102.openssl_1_1_1 b/test/log/2102.openssl_1_1_1
new file mode 100644
index 0000000..0e8e5f6
--- /dev/null
+++ b/test/log/2102.openssl_1_1_1
@@ -0,0 +1,46 @@
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER <CALLER@???> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER <CALLER@???> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER <CALLER@???> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER <CALLER@???> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
+1999-03-02 09:44:33 Peer cert:
+1999-03-02 09:44:33 ver 2
+1999-03-02 09:44:33 SR <c9>
+1999-03-02 09:44:33 SN <CN=server2.example.com>
+1999-03-02 09:44:33 IN <CN=clica Signing Cert rsa,O=example.com>
+1999-03-02 09:44:33 IN/O <example.com>
+1999-03-02 09:44:33 NB/r <Nov 1 12:34:04 2012 GMT>
+1999-03-02 09:44:33 NB <Nov 1 12:34:04 2012 +0000>
+1999-03-02 09:44:33 NB/i <1351773244>
+1999-03-02 09:44:33 NA/i <2143283644>
+1999-03-02 09:44:33 NA <Dec 1 12:34:04 2037 +0000>
+1999-03-02 09:44:33 SA <sha256WithRSAEncryption>
+1999-03-02 09:44:33 SG < 80:00:39:4c:bb:2c:16:e6:be:ee:54:b7:f6:9f:89:fe:71:62:\n 79:2f:90:57:95:07:54:67:2f:e9:12:96:41:1b:c5:9b:dd:de:\n 68:2d:e5:d7:a7:35:c7:ea:b1:d9:95:12:40:49:0c:07:3d:0c:\n 74:df:57:d1:b6:04:5f:83:5c:15:fe:9a:7f:b7:35:7d:ec:f8:\n b7:4d:ac:76:ea:8c:44:8a:86:e0:42:38:78:ff:68:8a:09:83:\n 44:10:67:b4:fd:a4:5c:a4:ea:91:41:e7:8e:a7:79:37:f6:e2:\n f8:de:9d:0f:96:85:18:22:2c:5c:06:af:01:85:94:62:c1:69:\n 8d:2e\n>
+1999-03-02 09:44:33 SAN <DNS=*.test.ex\nDNS=server2.example.com>
+1999-03-02 09:44:33 OCU <http://oscp.example.com/>
+1999-03-02 09:44:33 (no CRU)
+1999-03-02 09:44:33 md5 fingerprint 313E07141F2FF0CBC0A76EB57CA49D58
+1999-03-02 09:44:33 sha1 fingerprint 778B892247D2ABD365BA1530A50141AF052E271E
+1999-03-02 09:44:33 sha256 fingerprint 05F3012D41AE8A8173BE3AE71F7F9B3535391CACF77003B723F14B21064F6648
+1999-03-02 09:44:33 der_b64 MIICszCCAhygAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTIzNDA0WhcNMzcxMjAxMTIzNDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCf6MdoozlJCZPwdIHXdFHddXJfZ5xn2e6XoMmSjqOrOJYIIFKdgtlrMhtTVU1VLlK6V7H8142r78YQ4RKcj9QhTuQJxrrVtVuRt38Zy4RW0/+ujMcXoV8nV7Yt1c1z/tIJ4afSapAnAAm5wVdIbUhUeM/K5Wozm1gV5OCtNZPa4QIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADgYEAgAA5TLssFua+7lS39p+J/nFieS+QV5UHVGcv6RKWQRvFm93eaC3l16c1x+qx2ZUSQEkMBz0MdN9X0bYEX4NcFf6af7c1fez4t02sduqMRIqG4EI4eP9oigmDRBBntP2kXKTqkUHnjqd5N/bi+N6dD5aFGCIsXAavAYWUYsFpjS4=
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server2.example.com" S=sss
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-ECDSA-AES256-SHA:xxx CV=no S=sss
diff --git a/test/runtest b/test/runtest
index 7c89f10..efb352b 100755
--- a/test/runtest
+++ b/test/runtest
@@ -935,6 +935,7 @@ RESET_AFTER_EXTRA_LINE_READ:
s/SSL3_READ_BYTES/ssl3_read_bytes/i;
s/CONNECT_CR_FINISHED/ssl3_read_bytes/i;
s/^\d+:error:\d+(?:E\d+)?(:SSL routines:ssl3_read_bytes:[^:]+:).*(:SSL alert number \d\d)$/pppp:error:dddddddd$1\[...\]$2/;
+ s/^error:[^:]*:(SSL routines:ssl3_read_bytes:(tls|ssl)v\d+ alert)/error:dddddddd:$1/;
# gnutls version variances
next if /^Error in the pull function./;
diff --git a/test/scripts/2100-OpenSSL/2114 b/test/scripts/2100-OpenSSL/2114
index cc78ab0..edf3b6c 100644
--- a/test/scripts/2100-OpenSSL/2114
+++ b/test/scripts/2100-OpenSSL/2114
@@ -2,7 +2,7 @@
exim -DSERVER=server -bd -oX PORT_D
****
### No certificate, certificate required
-client-ssl HOSTIPV4 PORT_D
+client-ssl -t2 HOSTIPV4 PORT_D
??? 220
ehlo rhu.barb
??? 250-
@@ -14,10 +14,12 @@ ehlo rhu.barb
starttls
??? 220
noop
+????554 Security failure
+noop
??? 554 Security failure
quit
????554 Security failure
-??? 221
+????221
???*
****
### No certificate, certificate optional at TLS time, required by ACL
@@ -92,6 +94,8 @@ ehlo rhu.barb
starttls
??? 220
noop
+????554 Security failure
+noop
??? 554 Security failure
****
### Bad certificate, certificate optional at TLS time, reject at ACL time
@@ -133,6 +137,8 @@ ehlo rhu.barb
starttls
??? 220
noop
+????554 Security failure
+noop
??? 554 Security failure
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
diff --git a/test/scripts/2100-OpenSSL/2124 b/test/scripts/2100-OpenSSL/2124
index eb999d6..6649ed9 100644
--- a/test/scripts/2100-OpenSSL/2124
+++ b/test/scripts/2100-OpenSSL/2124
@@ -1,7 +1,7 @@
# TLS server: empty/non-existent certificate file
exim -DSERVER=server -bd -oX PORT_D
****
-client-ssl HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+client-ssl -t2 HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
??? 220
ehlo rhu.barb
??? 250-
@@ -12,6 +12,10 @@ ehlo rhu.barb
??? 250
starttls
??? 220
+noop
+????554 Security failure
+noop
+??? 554 Security failure
****
killdaemon
exim -DSERVER=server -DCERT=/non/exist -bd -oX PORT_D
diff --git a/test/scripts/2100-OpenSSL/2132 b/test/scripts/2100-OpenSSL/2132
index 4a12fb0..cdf4ed2 100644
--- a/test/scripts/2100-OpenSSL/2132
+++ b/test/scripts/2100-OpenSSL/2132
@@ -1,6 +1,8 @@
# TLS server: server ca cert from directory
exim -DSERVER=server -bd -oX PORT_D
****
+#
+### Should accept message
client-ssl 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
@@ -24,6 +26,7 @@ This is a test encrypted message.
quit
??? 221
****
+### Should accept message (with a difficult env-from)
client-ssl 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
@@ -47,7 +50,8 @@ This is a test encrypted message.
quit
??? 221
****
-client-ssl HOSTIPV4 PORT_D
+### client cert verify required; none given
+client-ssl -t2 HOSTIPV4 PORT_D
??? 220
ehlo rhu.barb
??? 250-
@@ -58,10 +62,12 @@ ehlo rhu.barb
??? 250
starttls
??? 220
-+++ 1
-help
+noop
+????554
+noop
??? 554
****
+### client cert verify required; good one supplied
client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu.barb
diff --git a/test/src/client.c b/test/src/client.c
index de36ef0..c143739 100644
--- a/test/src/client.c
+++ b/test/src/client.c
@@ -578,18 +578,24 @@ nextinput:
case SSL_ERROR_ZERO_RETURN:
break;
case SSL_ERROR_SYSCALL:
- printf("%s\n", ERR_error_string(ERR_get_error(), NULL)); break;
+ printf("%s\n", ERR_error_string(ERR_get_error(), NULL));
rc = -1;
+ break;
case SSL_ERROR_SSL:
- printf("%s\n", ERR_error_string(ERR_get_error(), NULL)); break;
+ printf("%s\nTLS terminated\n", ERR_error_string(ERR_get_error(), NULL));
SSL_shutdown(srv->ssl);
SSL_free(srv->ssl);
srv->tls_active = FALSE;
+ { /* OpenSSL leaves it in restartsys mode */
+ struct sigaction act = {.sa_handler = sigalrm_handler_flag, .sa_flags = 0};
+ sigalrm_seen = 1;
+ sigaction(SIGALRM, &act, NULL);
+ }
+ *inptr = 0;
goto nextinput;
default:
printf("SSL error code %d\n", error);
}
-
#endif
#ifdef HAVE_GNUTLS
rc = gnutls_record_recv(tls_session, CS inbuffer, bsiz - 1);
@@ -601,6 +607,8 @@ nextinput:
if (rc < 0)
{
+ if (errno == EINTR && sigalrm_seen && resp_optional)
+ continue; /* next scriptline */
printf("Read error %s\n", strerror(errno));
exit(81);
}
diff --git a/test/stderr/2132 b/test/stderr/2132
index 59f3382..6babd94 100644
--- a/test/stderr/2132
+++ b/test/stderr/2132
@@ -1,3 +1,7 @@
+### Should accept message
+### Should accept message (with a difficult env-from)
+### client cert verify required; none given
+### client cert verify required; good one supplied
>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? no (option unset)
>>> host in host_reject_connection? no (option unset)
@@ -8,3 +12,7 @@
>>> host in helo_accept_junk_hosts? no (option unset)
******** SERVER ********
+### Should accept message
+### Should accept message (with a difficult env-from)
+### client cert verify required; none given
+### client cert verify required; good one supplied
diff --git a/test/stdout/2114.openssl_1_1_1 b/test/stdout/2114.openssl_1_1_1
new file mode 100644
index 0000000..744d0e2
--- /dev/null
+++ b/test/stdout/2114.openssl_1_1_1
@@ -0,0 +1,324 @@
+### No certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+>>> quit
+????554 Security failure
+????221
+???*
+Expected EOF read
+End of script
+### No certificate, certificate optional at TLS time, required by ACL
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> helo rhu.barb
+??? 250
+<<< 250 myhost.test.ex Hello rhu.barb [127.0.0.1]
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 550
+<<< 550 certificate not verified: peerdn=
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Good certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Good certificate, certificate optional at TLS time, checked by ACL
+Connecting to 127.0.0.1 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Bad certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
+Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+End of script
+### Bad certificate, certificate optional at TLS time, reject at ACL time
+Connecting to 127.0.0.1 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem
+Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 550
+<<< 550 certificate not verified: peerdn=/CN=server1.example.net
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Otherwise good but revoked certificate, certificate required
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+End of script
+### Revoked certificate, certificate optional at TLS time, reject at ACL time
+Connecting to 127.0.0.1 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 550
+<<< 550 certificate not verified: peerdn=/CN=revoked1.example.com
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Good certificate, certificate required - but nonmatching CRL also present
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem
+Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@???>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+
+******** SERVER ********
+### No certificate, certificate required
+### No certificate, certificate optional at TLS time, required by ACL
+### Good certificate, certificate required
+### Good certificate, certificate optional at TLS time, checked by ACL
+### Bad certificate, certificate required
+### Bad certificate, certificate optional at TLS time, reject at ACL time
+### Otherwise good but revoked certificate, certificate required
+### Revoked certificate, certificate optional at TLS time, reject at ACL time
+### Good certificate, certificate required - but nonmatching CRL also present
diff --git a/test/stdout/2124.openssl_1_1_1 b/test/stdout/2124.openssl_1_1_1
new file mode 100644
index 0000000..e7777a1
--- /dev/null
+++ b/test/stdout/2124.openssl_1_1_1
@@ -0,0 +1,55 @@
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554 Security failure
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
+TLS terminated
+>>> noop
+??? 554 Security failure
+<<< 554 Security failure
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 454
+<<< 454 TLS currently unavailable
+Abandoning TLS start attempt
+End of script
diff --git a/test/stdout/2132.openssl_1_1_1 b/test/stdout/2132.openssl_1_1_1
new file mode 100644
index 0000000..179a9ef
--- /dev/null
+++ b/test/stdout/2132.openssl_1_1_1
@@ -0,0 +1,167 @@
+### Should accept message
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@???>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaX-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### Should accept message (with a difficult env-from)
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<"name with spaces"@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@???>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaY-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+### client cert verify required; none given
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> noop
+????554
+error:dddddddd:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required
+TLS terminated
+>>> noop
+??? 554
+<<< 554 Security failure
+End of script
+### client cert verify required; good one supplied
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL connection using ke-RSA-AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@???>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@???>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message from a verified host.
+>>> .
+??? 250
+<<< 250 OK id=10HmaZ-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+
+**** SMTP testing session as if from host 10.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+503 STARTTLS command used when not advertised
+221 myhost.test.ex closing connection
+
+******** SERVER ********
+### Should accept message
+### Should accept message (with a difficult env-from)
+### client cert verify required; none given
+### client cert verify required; good one supplied