Gitweb:
https://git.exim.org/exim.git/commitdiff/ffc3d145e3819e1a3762caa1bbe8b07e723fbaf2
Commit: ffc3d145e3819e1a3762caa1bbe8b07e723fbaf2
Parent: 25d5d9f98ebb30acc8b269c6594f4bc1e1abe654
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Feb 3 22:12:48 2019 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Mon Feb 4 13:19:36 2019 +0000
TLS: add variables for the IETF standard name for the connection ciphersuite
---
doc/doc-docbook/spec.xfpt | 29 ++-
doc/doc-txt/ChangeLog | 2 +
doc/doc-txt/NewStuff | 3 +
src/OS/Makefile-Base | 3 +-
src/scripts/MakeLinks | 3 +-
src/src/expand.c | 2 +
src/src/globals.c | 12 +-
src/src/globals.h | 2 +
src/src/tls-cipher-stdname.c | 393 +++++++++++++++++++++++++++++++++++++++++
src/src/tls-gnu.c | 56 ++++--
src/src/tls-openssl.c | 57 ++++--
test/log/2102.openssl_1_1_1 | 8 +-
test/runtest | 13 +-
test/stderr/0402 | 40 +++--
test/stderr/0544 | 40 +++--
test/stderr/5410 | 120 +++++++++----
test/stderr/5420 | 120 +++++++++----
test/stdout/2114.openssl_1_1_1 | 18 +-
test/stdout/2124.openssl_1_1_1 | 2 +-
test/stdout/2132.openssl_1_1_1 | 8 +-
20 files changed, 784 insertions(+), 147 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 331e560..1f45a6f 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -13220,6 +13220,12 @@ The deprecated &$tls_cipher$& variable is the same as &$tls_in_cipher$& during m
but in the context of an outward SMTP delivery taking place via the &(smtp)& transport
becomes the same as &$tls_out_cipher$&.
+.new
+.vitem &$tls_in_cipher_std$&
+.vindex "&$tls_in_cipher_std$&"
+As above, but returning the RFC standard name for the cipher suite.
+.wen
+
.vitem &$tls_out_cipher$&
.vindex "&$tls_out_cipher$&"
This variable is
@@ -13228,6 +13234,12 @@ and then set to the outgoing cipher suite if one is negotiated. See chapter
&<<CHAPTLS>>& for details of TLS support and chapter &<<CHAPsmtptrans>>& for
details of the &(smtp)& transport.
+,new
+.vitem &$tls_out_cipher_std$&
+.vindex "&$tls_out_cipher_std$&"
+As above, but returning the RFC standard name for the cipher suite.
+.wen
+
.vitem &$tls_out_dane$&
.vindex &$tls_out_dane$&
DANE active status. See section &<<SECDANE>>&.
@@ -16459,23 +16471,26 @@ on at the end (preceded by a semicolon). The string is expanded each time it is
used. If the expansion yields an empty string, no &'Received:'& header line is
added to the message. Otherwise, the string should start with the text
&"Received:"& and conform to the RFC 2822 specification for &'Received:'&
-header lines. The default setting is:
+header lines.
+.new
+The default setting is:
.code
received_header_text = Received: \
${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
- {${if def:sender_ident \
- {from ${quote_local_part:$sender_ident} }}\
- ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
+ {${if def:sender_ident \
+ {from ${quote_local_part:$sender_ident} }}\
+ ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
by $primary_hostname \
- ${if def:received_protocol {with $received_protocol}} \
- ${if def:tls_in_cipher {($tls_in_cipher)\n\t}}\
+ ${if def:received_protocol {with $received_protocol }}\
+ ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\
(Exim $version_number)\n\t\
${if def:sender_address \
{(envelope-from <$sender_address>)\n\t}}\
id $message_exim_id\
${if def:received_for {\n\tfor $received_for}}
.endd
+.wen
The reference to the TLS cipher is omitted when Exim is built without TLS
support. The use of conditional expansions ensures that this works for both
@@ -27350,7 +27365,7 @@ but is a full SMTP SASL authenticator
rather than being implicit for TLS-connection carried
client certificates only.
-The examples and discussion in this chapter assume that
+The examples and discussion in this chapter assume that
client-certificate authentication is being done.
The client must present a certificate,
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index eebc9d8..800cfaf 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -18,6 +18,8 @@ JH/02 OpenSSL: suppress the sending of (stateful) TLS1.3 session tickets.
JH/03 Debug output for ACL now gives the config file name and line number for
each verb.
+JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
+
Exim version 4.92
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index c44e21a..ac0254f 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -13,6 +13,9 @@ Version 4.92
2. A JSON lookup type, and JSON variants of the forall/any expansion conditions.
+ 3. Variables $tls_in_cipher_std, $tls_out_cipher_std giving the RFC names
+ for ciphersuites.
+
Version 4.92
--------------
diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base
index 79bec06..b99cb9f 100644
--- a/src/OS/Makefile-Base
+++ b/src/OS/Makefile-Base
@@ -816,7 +816,8 @@ store.o: $(HDRS) store.c
string.o: $(HDRS) string.c
tls.o: $(HDRS) tls.c \
tls-gnu.c tlscert-gnu.c \
- tls-openssl.c tlscert-openssl.c
+ tls-openssl.c tlscert-openssl.c \
+ tls-cipher-stdname.c
tod.o: $(HDRS) tod.c
transport.o: $(HDRS) transport.c
tree.o: $(HDRS) tree.c
diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks
index b717367..8d8345c 100755
--- a/src/scripts/MakeLinks
+++ b/src/scripts/MakeLinks
@@ -106,7 +106,8 @@ for f in blob.h dbfunctions.h dbstuff.h exim.h functions.h globals.h \
rda.c readconf.c receive.c retry.c rewrite.c rfc2047.c route.c search.c \
setenv.c environment.c \
sieve.c smtp_in.c smtp_out.c spool_in.c spool_out.c std-crypto.c store.c \
- string.c tls.c tlscert-gnu.c tlscert-openssl.c tls-gnu.c tls-openssl.c \
+ string.c tls.c tlscert-gnu.c tlscert-openssl.c tls-cipher-stdname.c \
+ tls-gnu.c tls-openssl.c \
tod.c transport.c tree.c verify.c version.c \
dkim.c dkim.h dkim_transport.c dmarc.c dmarc.h \
valgrind.h memcheck.h \
diff --git a/src/src/expand.c b/src/src/expand.c
index 2128ee7..ec5660a 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -749,6 +749,7 @@ static var_entry var_table[] = {
{ "tls_in_bits", vtype_int, &tls_in.bits },
{ "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
{ "tls_in_cipher", vtype_stringptr, &tls_in.cipher },
+ { "tls_in_cipher_std", vtype_stringptr, &tls_in.cipher_stdname },
{ "tls_in_ocsp", vtype_int, &tls_in.ocsp },
{ "tls_in_ourcert", vtype_cert, &tls_in.ourcert },
{ "tls_in_peercert", vtype_cert, &tls_in.peercert },
@@ -759,6 +760,7 @@ static var_entry var_table[] = {
{ "tls_out_bits", vtype_int, &tls_out.bits },
{ "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
{ "tls_out_cipher", vtype_stringptr, &tls_out.cipher },
+ { "tls_out_cipher_std", vtype_stringptr, &tls_out.cipher_stdname },
#ifdef SUPPORT_DANE
{ "tls_out_dane", vtype_bool, &tls_out.dane_verified },
#endif
diff --git a/src/src/globals.c b/src/src/globals.c
index b3362a3..df71025 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1246,13 +1246,13 @@ date will be automatically added on the end. */
uschar *received_header_text = US
"Received: "
"${if def:sender_rcvhost {from $sender_rcvhost\n\t}"
- "{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}"
- "${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}"
+ "{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}"
+ "${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}"
"by $primary_hostname "
- "${if def:received_protocol {with $received_protocol}} "
- #ifdef SUPPORT_TLS
- "${if def:tls_cipher {($tls_cipher)\n\t}}"
- #endif
+ "${if def:received_protocol {with $received_protocol }}"
+#ifdef SUPPORT_TLS
+ "${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}"
+#endif
"(Exim $version_number)\n\t"
"${if def:sender_address {(envelope-from <$sender_address>)\n\t}}"
"id $message_exim_id"
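Review bot: The TLS clause on the `#ifdef SUPPORT_TLS` line is now keyed only on `tls_in_cipher_std`, so a session whose suite has no standard-name mapping yields a Received: header with no TLS information at all. The lookup added in tls-cipher-stdname.c returns NULL for any id not in its tables, whereas the old default always recorded `$tls_cipher` for an encrypted session. For audit and forensics it would be safer to fall back to the library name, for example `"${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}{${if def:tls_in_cipher {($tls_in_cipher)\n\t}}}}"`. Separately, the trailing space now inside `{with $received_protocol }` followed by the leading space in `{ tls ...}` appears to emit two consecutive spaces. The initializer continues outside this hunk.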
diff --git a/src/src/globals.h b/src/src/globals.h
index c90783e..453d832 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -88,6 +88,8 @@ typedef struct {
int tlsa_usage; /* TLSA record(s) usage */
#endif
uschar *cipher; /* Cipher used */
+ const uschar *cipher_stdname; /* Cipher used, RFC version */
+
BOOL on_connect; /* For older MTAs that don't STARTTLS */
uschar *on_connect_ports; /* Ports always tls-on-connect */
void *ourcert; /* Certificate we presented, binary */
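Review bot: The new `cipher_stdname` field sits beside `cipher` but has a different lifetime and can be NULL, and neither fact is documented here. It points at a static table entry or library-owned string, while `cipher` is a perm-pool copy. A comment such as `/* Cipher used, RFC name; static or library storage, NULL if unknown */` would make that clear. The diffstat lists no change to the spool read/write code, so if `cipher` is saved with the message for use at delivery time (I believe it is, but that code is not shown), `$tls_in_cipher_std` would be empty in that context while `$tls_in_cipher` is set; please confirm that is intended. The struct definition starts and ends outside this hunk.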
diff --git a/src/src/tls-cipher-stdname.c b/src/src/tls-cipher-stdname.c
new file mode 100644
index 0000000..ab973af
--- /dev/null
+++ b/src/src/tls-cipher-stdname.c
@@ -0,0 +1,393 @@
+/*************************************************
+* Exim - an Internet mail transport agent *
+*************************************************/
+
+/* Copyright (c) Jeremy Harris 2019 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+/* Translate an IETF TLS ciphersuite code to an IETF ciphersuite name,
+for use when the TLS library do not provide such names.
+This file is #included by the tls-<library>.c file.
+
+Values for these tables pulled on 2019/02/03 from
+https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
+
+
+
+static const uschar * ctb_00[] = {
+[0x00] = US "TLS_NULL_WITH_NULL_NULL",
+[0x01] = US "TLS_RSA_WITH_NULL_MD5",
+[0x02] = US "TLS_RSA_WITH_NULL_SHA",
+[0x03] = US "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
+[0x04] = US "TLS_RSA_WITH_RC4_128_MD5",
+[0x05] = US "TLS_RSA_WITH_RC4_128_SHA",
+[0x06] = US "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
+[0x07] = US "TLS_RSA_WITH_IDEA_CBC_SHA",
+[0x08] = US "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
+[0x09] = US "TLS_RSA_WITH_DES_CBC_SHA",
+[0x0A] = US "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x0B] = US "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
+[0x0C] = US "TLS_DH_DSS_WITH_DES_CBC_SHA",
+[0x0D] = US "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
+[0x0E] = US "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
+[0x0F] = US "TLS_DH_RSA_WITH_DES_CBC_SHA",
+[0x10] = US "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x11] = US "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+[0x12] = US "TLS_DHE_DSS_WITH_DES_CBC_SHA",
+[0x13] = US "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+[0x14] = US "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+[0x15] = US "TLS_DHE_RSA_WITH_DES_CBC_SHA",
+[0x16] = US "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x17] = US "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
+[0x18] = US "TLS_DH_anon_WITH_RC4_128_MD5",
+[0x19] = US "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+[0x1A] = US "TLS_DH_anon_WITH_DES_CBC_SHA",
+[0x1B] = US "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
+
+[0x1E] = US "TLS_KRB5_WITH_DES_CBC_SHA",
+[0x1F] = US "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+[0x20] = US "TLS_KRB5_WITH_RC4_128_SHA",
+[0x21] = US "TLS_KRB5_WITH_IDEA_CBC_SHA",
+[0x22] = US "TLS_KRB5_WITH_DES_CBC_MD5",
+[0x23] = US "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+[0x24] = US "TLS_KRB5_WITH_RC4_128_MD5",
+[0x25] = US "TLS_KRB5_WITH_IDEA_CBC_MD5",
+[0x26] = US "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+[0x27] = US "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
+[0x28] = US "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
+[0x29] = US "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+[0x2A] = US "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
+[0x2B] = US "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
+[0x2C] = US "TLS_PSK_WITH_NULL_SHA",
+[0x2D] = US "TLS_DHE_PSK_WITH_NULL_SHA",
+[0x2E] = US "TLS_RSA_PSK_WITH_NULL_SHA",
+[0x2F] = US "TLS_RSA_WITH_AES_128_CBC_SHA",
+[0x30] = US "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
+[0x31] = US "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
+[0x32] = US "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+[0x33] = US "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+[0x34] = US "TLS_DH_anon_WITH_AES_128_CBC_SHA",
+[0x35] = US "TLS_RSA_WITH_AES_256_CBC_SHA",
+[0x36] = US "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
+[0x37] = US "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
+[0x38] = US "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+[0x39] = US "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+[0x3A] = US "TLS_DH_anon_WITH_AES_256_CBC_SHA",
+[0x3B] = US "TLS_RSA_WITH_NULL_SHA256",
+[0x3C] = US "TLS_RSA_WITH_AES_128_CBC_SHA256",
+[0x3D] = US "TLS_RSA_WITH_AES_256_CBC_SHA256",
+[0x3E] = US "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
+[0x3F] = US "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
+[0x40] = US "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+[0x41] = US "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+[0x42] = US "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
+[0x43] = US "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
+[0x44] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
+[0x45] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+[0x46] = US "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
+
+[0x67] = US "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+[0x68] = US "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
+[0x69] = US "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
+[0x6A] = US "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+[0x6B] = US "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+[0x6C] = US "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
+[0x6D] = US "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
+
+[0x84] = US "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+[0x85] = US "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
+[0x86] = US "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
+[0x87] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
+[0x88] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+[0x89] = US "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
+[0x8A] = US "TLS_PSK_WITH_RC4_128_SHA",
+[0x8B] = US "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x8C] = US "TLS_PSK_WITH_AES_128_CBC_SHA",
+[0x8D] = US "TLS_PSK_WITH_AES_256_CBC_SHA",
+[0x8E] = US "TLS_DHE_PSK_WITH_RC4_128_SHA",
+[0x8F] = US "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x90] = US "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
+[0x91] = US "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
+[0x92] = US "TLS_RSA_PSK_WITH_RC4_128_SHA",
+[0x93] = US "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x94] = US "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
+[0x95] = US "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
+[0x96] = US "TLS_RSA_WITH_SEED_CBC_SHA",
+[0x97] = US "TLS_DH_DSS_WITH_SEED_CBC_SHA",
+[0x98] = US "TLS_DH_RSA_WITH_SEED_CBC_SHA",
+[0x99] = US "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
+[0x9A] = US "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
+[0x9B] = US "TLS_DH_anon_WITH_SEED_CBC_SHA",
+[0x9C] = US "TLS_RSA_WITH_AES_128_GCM_SHA256",
+[0x9D] = US "TLS_RSA_WITH_AES_256_GCM_SHA384",
+[0x9E] = US "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+[0x9F] = US "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+[0xA0] = US "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
+[0xA1] = US "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
+[0xA2] = US "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+[0xA3] = US "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+[0xA4] = US "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
+[0xA5] = US "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
+[0xA6] = US "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
+[0xA7] = US "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
+[0xA8] = US "TLS_PSK_WITH_AES_128_GCM_SHA256",
+[0xA9] = US "TLS_PSK_WITH_AES_256_GCM_SHA384",
+[0xAA] = US "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
+[0xAB] = US "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
+[0xAC] = US "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
+[0xAD] = US "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
+[0xAE] = US "TLS_PSK_WITH_AES_128_CBC_SHA256",
+[0xAF] = US "TLS_PSK_WITH_AES_256_CBC_SHA384",
+[0xB0] = US "TLS_PSK_WITH_NULL_SHA256",
+[0xB1] = US "TLS_PSK_WITH_NULL_SHA384",
+[0xB2] = US "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
+[0xB3] = US "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
+[0xB4] = US "TLS_DHE_PSK_WITH_NULL_SHA256",
+[0xB5] = US "TLS_DHE_PSK_WITH_NULL_SHA384",
+[0xB6] = US "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
+[0xB7] = US "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
+[0xB8] = US "TLS_RSA_PSK_WITH_NULL_SHA256",
+[0xB9] = US "TLS_RSA_PSK_WITH_NULL_SHA384",
+[0xBA] = US "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBB] = US "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBC] = US "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBD] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBE] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0xBF] = US "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
+[0xC0] = US "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC1] = US "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC2] = US "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC3] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC4] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+[0xC5] = US "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
+};
+static const uschar * ctb_13[] = {
+[0x01] = US "TLS_AES_128_GCM_SHA256",
+[0x02] = US "TLS_AES_256_GCM_SHA384",
+[0x03] = US "TLS_CHACHA20_POLY1305_SHA256",
+[0x04] = US "TLS_AES_128_CCM_SHA256",
+[0x05] = US "TLS_AES_128_CCM_8_SHA256",
+};
+static const uschar * ctb_c0[] = {
+[0x01] = US "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+[0x02] = US "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+[0x03] = US "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+[0x04] = US "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+[0x05] = US "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+[0x06] = US "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+[0x07] = US "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+[0x08] = US "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+[0x09] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+[0x0A] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+[0x0B] = US "TLS_ECDH_RSA_WITH_NULL_SHA",
+[0x0C] = US "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+[0x0D] = US "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x0E] = US "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+[0x0F] = US "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+[0x10] = US "TLS_ECDHE_RSA_WITH_NULL_SHA",
+[0x11] = US "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+[0x12] = US "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x13] = US "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+[0x14] = US "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+[0x15] = US "TLS_ECDH_anon_WITH_NULL_SHA",
+[0x16] = US "TLS_ECDH_anon_WITH_RC4_128_SHA",
+[0x17] = US "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+[0x18] = US "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+[0x19] = US "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+[0x1A] = US "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
+[0x1B] = US "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
+[0x1C] = US "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
+[0x1D] = US "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
+[0x1E] = US "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
+[0x1F] = US "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
+[0x20] = US "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
+[0x21] = US "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
+[0x22] = US "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
+[0x23] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+[0x24] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+[0x25] = US "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+[0x26] = US "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+[0x27] = US "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+[0x28] = US "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+[0x29] = US "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+[0x2A] = US "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+[0x2B] = US "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+[0x2C] = US "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+[0x2D] = US "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+[0x2E] = US "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+[0x2F] = US "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+[0x30] = US "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+[0x31] = US "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+[0x32] = US "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+[0x33] = US "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
+[0x34] = US "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
+[0x35] = US "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+[0x36] = US "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
+[0x37] = US "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
+[0x38] = US "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
+[0x39] = US "TLS_ECDHE_PSK_WITH_NULL_SHA",
+[0x3A] = US "TLS_ECDHE_PSK_WITH_NULL_SHA256",
+[0x3B] = US "TLS_ECDHE_PSK_WITH_NULL_SHA384",
+[0x3C] = US "TLS_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x3D] = US "TLS_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x3E] = US "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",
+[0x3F] = US "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",
+[0x40] = US "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x41] = US "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x42] = US "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",
+[0x43] = US "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",
+[0x44] = US "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x45] = US "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x46] = US "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256",
+[0x47] = US "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384",
+[0x48] = US "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
+[0x49] = US "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",
+[0x4A] = US "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",
+[0x4B] = US "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",
+[0x4C] = US "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x4D] = US "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x4E] = US "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",
+[0x4F] = US "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",
+[0x50] = US "TLS_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x51] = US "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x52] = US "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x53] = US "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x54] = US "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x55] = US "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x56] = US "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256",
+[0x57] = US "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384",
+[0x58] = US "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",
+[0x59] = US "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",
+[0x5A] = US "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256",
+[0x5B] = US "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384",
+[0x5C] = US "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",
+[0x5D] = US "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384",
+[0x5E] = US "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",
+[0x5F] = US "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",
+[0x60] = US "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x61] = US "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x62] = US "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",
+[0x63] = US "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",
+[0x64] = US "TLS_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x65] = US "TLS_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x66] = US "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x67] = US "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x68] = US "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x69] = US "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x6A] = US "TLS_PSK_WITH_ARIA_128_GCM_SHA256",
+[0x6B] = US "TLS_PSK_WITH_ARIA_256_GCM_SHA384",
+[0x6C] = US "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256",
+[0x6D] = US "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384",
+[0x6E] = US "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",
+[0x6F] = US "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",
+[0x70] = US "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",
+[0x71] = US "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",
+[0x72] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x73] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x74] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x75] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x76] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x77] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x78] = US "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+[0x79] = US "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",
+[0x7A] = US "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x7B] = US "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x7C] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x7D] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x7E] = US "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x7F] = US "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x80] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256",
+[0x81] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384",
+[0x82] = US "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",
+[0x83] = US "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",
+[0x84] = US "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256",
+[0x85] = US "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384",
+[0x86] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x87] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x88] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x89] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x8A] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x8B] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x8C] = US "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
+[0x8D] = US "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
+[0x8E] = US "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+[0x8F] = US "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+[0x90] = US "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+[0x91] = US "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+[0x92] = US "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",
+[0x93] = US "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",
+[0x94] = US "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x95] = US "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x96] = US "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x97] = US "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x98] = US "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x99] = US "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x9A] = US "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
+[0x9B] = US "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
+[0x9C] = US "TLS_RSA_WITH_AES_128_CCM",
+[0x9D] = US "TLS_RSA_WITH_AES_256_CCM",
+[0x9E] = US "TLS_DHE_RSA_WITH_AES_128_CCM",
+[0x9F] = US "TLS_DHE_RSA_WITH_AES_256_CCM",
+[0xA0] = US "TLS_RSA_WITH_AES_128_CCM_8",
+[0xA1] = US "TLS_RSA_WITH_AES_256_CCM_8",
+[0xA2] = US "TLS_DHE_RSA_WITH_AES_128_CCM_8",
+[0xA3] = US "TLS_DHE_RSA_WITH_AES_256_CCM_8",
+[0xA4] = US "TLS_PSK_WITH_AES_128_CCM",
+[0xA5] = US "TLS_PSK_WITH_AES_256_CCM",
+[0xA6] = US "TLS_DHE_PSK_WITH_AES_128_CCM",
+[0xA7] = US "TLS_DHE_PSK_WITH_AES_256_CCM",
+[0xA8] = US "TLS_PSK_WITH_AES_128_CCM_8",
+[0xA9] = US "TLS_PSK_WITH_AES_256_CCM_8",
+[0xAA] = US "TLS_PSK_DHE_WITH_AES_128_CCM_8",
+[0xAB] = US "TLS_PSK_DHE_WITH_AES_256_CCM_8",
+[0xAC] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
+[0xAD] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
+[0xAE] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
+[0xAF] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
+[0xB0] = US "TLS_ECCPWD_WITH_AES_128_GCM_SHA256",
+[0xB1] = US "TLS_ECCPWD_WITH_AES_256_GCM_SHA384",
+[0xB2] = US "TLS_ECCPWD_WITH_AES_128_CCM_SHA256",
+[0xB3] = US "TLS_ECCPWD_WITH_AES_256_CCM_SHA384",
+[0xB4] = US "TLS_SHA256_SHA256",
+[0xB5] = US "TLS_SHA384_SHA384",
+};
+static const uschar * ctb_cc[] = {
+[0xA8] = US "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+[0xA9] = US "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+[0xAA] = US "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+[0xAB] = US "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
+[0xAC] = US "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+[0xAD] = US "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+[0xAE] = US "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
+};
+static const uschar * ctb_d0[] = {
+[0x01] = US "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256",
+[0x02] = US "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384",
+[0x03] = US "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256",
+
+[0x05] = US "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256",
+};
+
+static const uschar *
+cipher_stdname_tb(uschar idx, const uschar ** tb, int lim)
+{
+return idx >= lim ? NULL : tb[idx];
+}
+
+static const uschar *
+cipher_stdname(uschar id0, uschar id1)
+{
+switch (id0)
+ {
+ case 0x00: return cipher_stdname_tb(id1, ctb_00, nelem(ctb_00));
+ case 0x13: return cipher_stdname_tb(id1, ctb_13, nelem(ctb_00));
+ case 0xc0: return cipher_stdname_tb(id1, ctb_c0, nelem(ctb_c0));
+ case 0xcc: return cipher_stdname_tb(id1, ctb_cc, nelem(ctb_cc));
+ case 0xd0: return cipher_stdname_tb(id1, ctb_d0, nelem(ctb_d0));
+ default: return NULL;
+ }
+}
+
+/* vi: aw ai sw=2
+*/
+/* End of tls-cipher-stdname.c */
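Review bot: In `cipher_stdname()` the `case 0x13` arm bounds the lookup with the wrong table's size, `nelem(ctb_00)` instead of `nelem(ctb_13)`. `ctb_13` has six slots (indices 0x00–0x05) while `ctb_00` runs to 0xC5, so a second byte of 0x06–0xC5 passes the `idx >= lim` check and reads past the end of `ctb_13`. The resulting pointer is then handed back as the cipher name. The id comes from the TLS library's view of the negotiated suite, so reachability depends on the library offering a 0x13xx suite above 0x05, but the guard should not rely on that. The line should read `case 0x13: return cipher_stdname_tb(id1, ctb_13, nelem(ctb_13));`.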
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index beb439e..7d52369 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -96,6 +96,9 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
# include <gnutls/dane.h>
#endif
+#include "tls-cipher-stdname.c"
+
+
/* GnuTLS 2 vs 3
GnuTLS 3 only:
@@ -1451,6 +1454,25 @@ return OK;
* Extract peer information *
*************************************************/
+static const uschar *
+cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
+ gnutls_mac_algorithm_t mac)
+{
+uschar cs_id[2];
+gnutls_kx_algorithm_t kx_i;
+gnutls_cipher_algorithm_t cipher_i;
+gnutls_mac_algorithm_t mac_i;
+
+for (size_t i = 0;
+ gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
+ i++)
+ if (kx_i == kx && cipher_i == cipher && mac_i == mac)
+ return cipher_stdname(cs_id[0], cs_id[1]);
+return NULL;
+}
+
+
+
/* Called from both server and client code.
Only this is allowed to set state->peerdn and state->have_set_peerdn
and we use that to detect double-calls.
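Review bot: `cipher_stdname_kcm()` has no header comment, and its contract is not obvious. It scans the GnuTLS suite list and returns the name for the first entry whose (kx, cipher, mac) triple matches, or NULL when nothing matches or the id has no table entry. I would add `/* Map the negotiated kx/cipher/mac triple to the IETF suite name via the GnuTLS suite list; returns NULL if no suite matches or the id is not in our tables. */` above it. The hunk does not show whether the triple identifies a suite uniquely across protocol versions, since the minimum-version output is passed as NULL. It is worth confirming against a TLS 1.3 session that the values from `gnutls_kx_get()` and `gnutls_mac_get()` match what the suite list reports.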
@@ -1479,7 +1501,6 @@ Returns: OK/DEFER/FAIL
static int
peer_status(exim_gnutls_state_st *state, uschar ** errstr)
{
-uschar cipherbuf[256];
const gnutls_datum_t *cert_list;
int old_pool, rc;
unsigned int cert_list_size = 0;
@@ -1504,28 +1525,29 @@ protocol = gnutls_protocol_get_version(state->session);
mac = gnutls_mac_get(state->session);
kx = gnutls_kx_get(state->session);
-string_format(cipherbuf, sizeof(cipherbuf),
- "%s:%s:%d",
- gnutls_protocol_get_name(protocol),
- gnutls_cipher_suite_get_name(kx, cipher, mac),
- (int) gnutls_cipher_get_key_size(cipher) * 8);
-
-/* I don't see a way that spaces could occur, in the current GnuTLS
-code base, but it was a concern in the old code and perhaps older GnuTLS
-releases did return "TLS 1.0"; play it safe, just in case. */
-for (uschar * p = cipherbuf; *p != '\0'; ++p)
- if (isspace(*p))
- *p = '-';
old_pool = store_pool;
-store_pool = POOL_PERM;
-state->ciphersuite = string_copy(cipherbuf);
+ {
+ store_pool = POOL_PERM;
+ state->ciphersuite = string_sprintf("%s:%s:%d",
+ gnutls_protocol_get_name(protocol),
+ gnutls_cipher_suite_get_name(kx, cipher, mac),
+ (int) gnutls_cipher_get_key_size(cipher) * 8);
+
+ /* I don't see a way that spaces could occur, in the current GnuTLS
+ code base, but it was a concern in the old code and perhaps older GnuTLS
+ releases did return "TLS 1.0"; play it safe, just in case. */
+
+ for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
+ state->tlsp->cipher = state->ciphersuite;
+
+ state->tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
+ }
store_pool = old_pool;
-state->tlsp->cipher = state->ciphersuite;
/* tls_peerdn */
cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
-if (cert_list == NULL || cert_list_size == 0)
+if (!cert_list || cert_list_size == 0)
{
DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
cert_list, cert_list_size);
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index c8349e7..f94df0b 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -71,6 +71,7 @@ change this guard and punt the issue for a while longer. */
# define EXIM_HAVE_OPENSSL_DH_BITS
# define EXIM_HAVE_OPENSSL_TLS_METHOD
# define EXIM_HAVE_OPENSSL_KEYLOG
+# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
# else
# define EXIM_NEED_OPENSSL_INIT
# endif
@@ -96,6 +97,7 @@ change this guard and punt the issue for a while longer. */
# if OPENSSL_VERSION_NUMBER >= 0x010101000L
# define OPENSSL_HAVE_KEYLOG_CB
# define OPENSSL_HAVE_NUM_TICKETS
+# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
# endif
#endif
@@ -108,6 +110,13 @@ change this guard and punt the issue for a while longer. */
# include <openssl/x509v3.h>
#endif
+#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
+# define SSL_CIPHER_get_id(c) (c->id)
+# endif
+# include "tls-cipher-stdname.c"
+#endif
+
/*************************************************
* OpenSSL option parse *
*************************************************/
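Review bot: The fallback `SSL_CIPHER_get_id(c)` macro expands its argument unparenthesised, so it only works because the single caller passes a plain function-call expression. `# define SSL_CIPHER_get_id(c) ((c)->id)` is the safer form. A one-line comment noting that this reaches into the `SSL_CIPHER` struct for old OpenSSL builds that lack the accessor would also help whoever next touches the version guards.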
@@ -1911,28 +1920,46 @@ return OK;
/*
Argument: pointer to an SSL structure for the connection
- buffer to use for answer
- size of buffer
pointer to number of bits for cipher
-Returns: nothing
+Returns: pointer to allocated string in perm-pool
*/
-static void
-construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
+static uschar *
+construct_cipher_name(SSL * ssl, int * bits)
{
+int pool = store_pool;
/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
the accessor functions use const in the prototype. */
const uschar * ver = CUS SSL_get_version(ssl);
const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
+uschar * s;
SSL_CIPHER_get_bits(c, bits);
-string_format(cipherbuf, bsize, "%s:%s:%u", ver,
- SSL_CIPHER_get_name(c), *bits);
+store_pool = POOL_PERM;
+s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
+store_pool = pool;
+DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
+return s;
+}
+
-DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
+/* Get IETF-standard name for ciphersuite.
+Argument: pointer to an SSL structure for the connection
+Returns: pointer to string
+*/
+
+static const uschar *
+cipher_stdname_ssl(SSL * ssl)
+{
+#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
+#else
+ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
+return cipher_stdname(id >> 8, id & 0xff);
+#endif
}
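Review bot: cipher_stdname_ssl() passes the result of SSL_get_current_cipher() straight into the lookup, and in the `#else` branch the fallback `SSL_CIPHER_get_id` macro from earlier in this diff dereferences it without a NULL check. Both call sites in this diff follow peer_cert(), so presumably a cipher has always been negotiated by then, but a guard would keep the helper safe if it is reused: `const SSL_CIPHER * c = SSL_get_current_cipher(ssl);` then `if (!c) return NULL;`. The header comment says only "pointer to string"; it should state that the string is not allocated here and whether NULL can be returned for an unknown suite id, which depends on cipher_stdname(), not visible in this hunk. Separately, construct_cipher_name() now makes a fresh POOL_PERM allocation on every call instead of reusing a static buffer, so a process that sets up several TLS sessions keeps each string until exit.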
@@ -2179,7 +2206,6 @@ int rc;
uschar * expciphers;
tls_ext_ctx_cb * cbinfo;
static uschar peerdn[256];
-static uschar cipherbuf[256];
/* Check for previous activation */
@@ -2305,10 +2331,13 @@ and initialize things. */
peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
+tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
+tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
+
DEBUG(D_tls)
{
uschar buf[2048];
- if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
+ if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
debug_printf("Shared ciphers: %s\n", buf);
#ifdef EXIM_HAVE_OPENSSL_KEYLOG
@@ -2324,9 +2353,6 @@ DEBUG(D_tls)
#endif
}
-construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
-tls_in.cipher = cipherbuf;
-
/* Record the certificate we presented */
{
X509 * crt = SSL_get_certificate(server_ssl);
@@ -2489,7 +2515,6 @@ exim_openssl_client_tls_ctx * exim_client_ctx;
static uschar peerdn[256];
uschar * expciphers;
int rc;
-static uschar cipherbuf[256];
#ifndef DISABLE_OCSP
BOOL request_ocsp = FALSE;
@@ -2711,8 +2736,8 @@ DEBUG(D_tls)
peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
-construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
-tlsp->cipher = cipherbuf;
+tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
+tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
/* Record the certificate we presented */
{
diff --git a/test/log/2102.openssl_1_1_1 b/test/log/2102.openssl_1_1_1
index d5efeef..51f739b 100644
--- a/test/log/2102.openssl_1_1_1
+++ b/test/log/2102.openssl_1_1_1
@@ -13,10 +13,10 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss
1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@??? H=[127.0.0.1] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
1999-03-02 09:44:33 Peer cert:
@@ -39,8 +39,8 @@
1999-03-02 09:44:33 sha1 fingerprint E75D537E478758010505D4F339B00DFD73728088
1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6
1999-03-02 09:44:33 der_b64 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
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server2.example.com" S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server2.example.com" S=sss
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 Our cert SN: <CN=server1.example_ec.com>
1999-03-02 09:44:33 Peer did not present a cert
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLSv1:ke-ECDSA-AES256-SHA:xxx CV=no S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=[127.0.0.1] P=smtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss
diff --git a/test/runtest b/test/runtest
index 8df2be0..ad04968 100755
--- a/test/runtest
+++ b/test/runtest
@@ -544,6 +544,15 @@ RESET_AFTER_EXTRA_LINE_READ:
s/(could not connect to .*: Connection) reset by peer$/$1 refused/;
# ======== TLS certificate algorithms ========
+ #
+ # In Received: headers, convert RFC 8314 style ciphersuite to
+ # the older (comment) style, keeping only the Auth element
+ # (discarding kex, cipher, mac). For TLS 1.3 there is no kex
+ # element (and no _WITH); insert a spurious "RSA".
+
+ s/^\s+by .+ with .+ \K tls TLS_.*?([^_]+)_WITH.+$/(TLS1.x:ke-\1-AES256-SHAnnn:xxx)/;
+ s/^\s+by .+ with .+ \K tls TLS_.+$/(TLS1.x:ke-RSA-AES256-SHAnnn:xxx)/;
+
# Test machines might have various different TLS library versions supporting
# different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we
# treat the standard algorithms the same.
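Review bot: The first added substitution uses the sed-style backreference `\1` in its replacement, whereas the rule at the top of this hunk uses `$1`; Perl accepts `\1` there but warns about it under `-w`. Writing it as `s/^\s+by .+ with .+ \K tls TLS_.*?([^_]+)_WITH.+$/(TLS1.x:ke-$1-AES256-SHAnnn:xxx)/;` keeps the file consistent. The second substitution is a catch-all that only sees lines the first did not rewrite, so the order matters; a short comment such as `# must follow the _WITH rule: matches any remaining "tls TLS_..." (TLS 1.3 names)` would stop the two from being reordered. The enclosing munging block begins and ends outside this hunk.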
@@ -1628,7 +1637,9 @@ $munges =
s! DN="[^,"]*\K,!/!;
',
'rejectlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /',
- 'mail' => 's/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/',
+ 'mail' => 's/^\s+by .+ with .+ \K tls TLS_.+$/(TLS_proto_and_cipher)/;
+ s/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/;
+ ',
},
'debug_pid' =>
diff --git a/test/stderr/0402 b/test/stderr/0402
index 6c2e922..9f7ad28 100644
--- a/test/stderr/0402
+++ b/test/stderr/0402
@@ -41,7 +41,8 @@ Data file written for message 10HmaX-0005vi-00
└─────result: Tue, 2 Mar 1999 09:44:33 +0000
┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -49,7 +50,8 @@ Data file written for message 10HmaX-0005vi-00
├─────result: false
┌───scanning: from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -59,19 +61,22 @@ Data file written for message 10HmaX-0005vi-00
└───skipping: result is not used
┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
├──condition: def:sender_ident
├─────result: true
┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ ╎ }}(Exim $version_number)
╎ ${if def:sender_address {(envelope-from <$sender_address>)
╎ }}id $message_exim_id${if def:received_for {
╎ for $received_for}}
@@ -82,7 +87,8 @@ Data file written for message 10HmaX-0005vi-00
├──condition: def:sender_helo_name
├─────result: false
┌───scanning: (helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -96,12 +102,25 @@ Data file written for message 10HmaX-0005vi-00
└─────result: from CALLER
├──condition: def:received_protocol
├─────result: true
- ┌considering: with $received_protocol}} (Exim $version_number)
+ ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
- ├──expanding: with $received_protocol
- └─────result: with local
+ ├──expanding: with $received_protocol
+ └─────result: with local
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+ ┌───scanning: tls $tls_in_cipher_std
+ }}(Exim $version_number)
+ ${if def:sender_address {(envelope-from <$sender_address>)
+ }}id $message_exim_id${if def:received_for {
+ for $received_for}}
+ ├──expanding: tls $tls_in_cipher_std
+
+ ├─────result: tls
+
+ └───skipping: result is not used
├──condition: def:sender_address
├─────result: true
┌considering: (envelope-from <$sender_address>)
@@ -122,7 +141,8 @@ Data file written for message 10HmaX-0005vi-00
└───skipping: result is not used
├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
diff --git a/test/stderr/0544 b/test/stderr/0544
index e45faa1..a8a961e 100644
--- a/test/stderr/0544
+++ b/test/stderr/0544
@@ -6,7 +6,8 @@ admin user
└─────result: Tue, 2 Mar 1999 09:44:33 +0000
┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -14,7 +15,8 @@ admin user
├─────result: false
┌───scanning: from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -24,19 +26,22 @@ admin user
└───skipping: result is not used
┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
├──condition: def:sender_ident
├─────result: true
┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ ╎ }}(Exim $version_number)
╎ ${if def:sender_address {(envelope-from <$sender_address>)
╎ }}id $message_exim_id${if def:received_for {
╎ for $received_for}}
@@ -47,7 +52,8 @@ admin user
├──condition: def:sender_helo_name
├─────result: false
┌───scanning: (helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -61,12 +67,25 @@ admin user
└─────result: from CALLER
├──condition: def:received_protocol
├─────result: true
- ┌considering: with $received_protocol}} (Exim $version_number)
+ ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
- ├──expanding: with $received_protocol
- └─────result: with local
+ ├──expanding: with $received_protocol
+ └─────result: with local
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+ ┌───scanning: tls $tls_in_cipher_std
+ }}(Exim $version_number)
+ ${if def:sender_address {(envelope-from <$sender_address>)
+ }}id $message_exim_id${if def:received_for {
+ for $received_for}}
+ ├──expanding: tls $tls_in_cipher_std
+
+ ├─────result: tls
+
+ └───skipping: result is not used
├──condition: def:sender_address
├─────result: true
┌considering: (envelope-from <$sender_address>)
@@ -87,7 +106,8 @@ admin user
└───skipping: result is not used
├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
diff --git a/test/stderr/5410 b/test/stderr/5410
index e4ef02c..8e6e7bb 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -136,7 +136,8 @@ end of inline ACL: ACCEPT
└─────result: Tue, 2 Mar 1999 09:44:33 +0000
┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -144,7 +145,8 @@ end of inline ACL: ACCEPT
├─────result: false
┌───scanning: from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -154,19 +156,22 @@ end of inline ACL: ACCEPT
└───skipping: result is not used
┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
├──condition: def:sender_ident
├─────result: true
┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ ╎ }}(Exim $version_number)
╎ ${if def:sender_address {(envelope-from <$sender_address>)
╎ }}id $message_exim_id${if def:received_for {
╎ for $received_for}}
@@ -177,7 +182,8 @@ end of inline ACL: ACCEPT
├──condition: def:sender_helo_name
├─────result: true
┌considering: (helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -191,12 +197,25 @@ end of inline ACL: ACCEPT
├──condition: def:received_protocol
├─────result: true
- ┌considering: with $received_protocol}} (Exim $version_number)
+ ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
- ├──expanding: with $received_protocol
- └─────result: with local-esmtp
+ ├──expanding: with $received_protocol
+ └─────result: with local-esmtp
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+ ┌───scanning: tls $tls_in_cipher_std
+ }}(Exim $version_number)
+ ${if def:sender_address {(envelope-from <$sender_address>)
+ }}id $message_exim_id${if def:received_for {
+ for $received_for}}
+ ├──expanding: tls $tls_in_cipher_std
+
+ ├─────result: tls
+
+ └───skipping: result is not used
├──condition: def:sender_address
├─────result: true
┌considering: (envelope-from <$sender_address>)
@@ -216,7 +235,8 @@ end of inline ACL: ACCEPT
for userx@???
├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -352,7 +372,8 @@ end of inline ACL: ACCEPT
└─────result: Tue, 2 Mar 1999 09:44:33 +0000
┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -360,7 +381,8 @@ end of inline ACL: ACCEPT
├─────result: false
┌───scanning: from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -370,19 +392,22 @@ end of inline ACL: ACCEPT
└───skipping: result is not used
┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
├──condition: def:sender_ident
├─────result: true
┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ ╎ }}(Exim $version_number)
╎ ${if def:sender_address {(envelope-from <$sender_address>)
╎ }}id $message_exim_id${if def:received_for {
╎ for $received_for}}
@@ -393,7 +418,8 @@ end of inline ACL: ACCEPT
├──condition: def:sender_helo_name
├─────result: true
┌considering: (helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -407,12 +433,25 @@ end of inline ACL: ACCEPT
├──condition: def:received_protocol
├─────result: true
- ┌considering: with $received_protocol}} (Exim $version_number)
+ ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
+ ${if def:sender_address {(envelope-from <$sender_address>)
+ }}id $message_exim_id${if def:received_for {
+ for $received_for}}
+ ├──expanding: with $received_protocol
+ └─────result: with local-esmtp
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+ ┌───scanning: tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
- ├──expanding: with $received_protocol
- └─────result: with local-esmtp
+ ├──expanding: tls $tls_in_cipher_std
+
+ ├─────result: tls
+
+ └───skipping: result is not used
├──condition: def:sender_address
├─────result: true
┌considering: (envelope-from <$sender_address>)
@@ -432,7 +471,8 @@ end of inline ACL: ACCEPT
for usery@???
├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -568,7 +608,8 @@ end of inline ACL: ACCEPT
└─────result: Tue, 2 Mar 1999 09:44:33 +0000
┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -576,7 +617,8 @@ end of inline ACL: ACCEPT
├─────result: false
┌───scanning: from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -586,19 +628,22 @@ end of inline ACL: ACCEPT
└───skipping: result is not used
┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
├──condition: def:sender_ident
├─────result: true
┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ ╎ }}(Exim $version_number)
╎ ${if def:sender_address {(envelope-from <$sender_address>)
╎ }}id $message_exim_id${if def:received_for {
╎ for $received_for}}
@@ -609,7 +654,8 @@ end of inline ACL: ACCEPT
├──condition: def:sender_helo_name
├─────result: true
┌considering: (helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -623,12 +669,25 @@ end of inline ACL: ACCEPT
├──condition: def:received_protocol
├─────result: true
- ┌considering: with $received_protocol}} (Exim $version_number)
+ ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
+ ${if def:sender_address {(envelope-from <$sender_address>)
+ }}id $message_exim_id${if def:received_for {
+ for $received_for}}
+ ├──expanding: with $received_protocol
+ └─────result: with local-esmtp
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+ ┌───scanning: tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
- ├──expanding: with $received_protocol
- └─────result: with local-esmtp
+ ├──expanding: tls $tls_in_cipher_std
+
+ ├─────result: tls
+
+ └───skipping: result is not used
├──condition: def:sender_address
├─────result: true
┌considering: (envelope-from <$sender_address>)
@@ -648,7 +707,8 @@ end of inline ACL: ACCEPT
for usery@???
├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
diff --git a/test/stderr/5420 b/test/stderr/5420
index 2596332..5bc80bb 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -137,7 +137,8 @@ end of inline ACL: ACCEPT
└─────result: Tue, 2 Mar 1999 09:44:33 +0000
┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -145,7 +146,8 @@ end of inline ACL: ACCEPT
├─────result: false
┌───scanning: from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -155,19 +157,22 @@ end of inline ACL: ACCEPT
└───skipping: result is not used
┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
├──condition: def:sender_ident
├─────result: true
┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ ╎ }}(Exim $version_number)
╎ ${if def:sender_address {(envelope-from <$sender_address>)
╎ }}id $message_exim_id${if def:received_for {
╎ for $received_for}}
@@ -178,7 +183,8 @@ end of inline ACL: ACCEPT
├──condition: def:sender_helo_name
├─────result: true
┌considering: (helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -192,12 +198,25 @@ end of inline ACL: ACCEPT
├──condition: def:received_protocol
├─────result: true
- ┌considering: with $received_protocol}} (Exim $version_number)
+ ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
- ├──expanding: with $received_protocol
- └─────result: with local-esmtp
+ ├──expanding: with $received_protocol
+ └─────result: with local-esmtp
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+ ┌───scanning: tls $tls_in_cipher_std
+ }}(Exim $version_number)
+ ${if def:sender_address {(envelope-from <$sender_address>)
+ }}id $message_exim_id${if def:received_for {
+ for $received_for}}
+ ├──expanding: tls $tls_in_cipher_std
+
+ ├─────result: tls
+
+ └───skipping: result is not used
├──condition: def:sender_address
├─────result: true
┌considering: (envelope-from <$sender_address>)
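Review bot: The new `tls $tls_in_cipher_std` clause of the Received: header is only ever traced with its condition false in this file. This hunk and the ones at -408 and -624 all record `condition: def:tls_in_cipher_std`, `result: false` and `skipping: result is not used`, on a `local-esmtp` submission. The branch that writes the negotiated suite name into the header is therefore not pinned by anything visible in this part of the diff. If no other test in the commit covers it, I would add a TLS-enabled case whose expected Received: line contains the ` tls <suite>` clause, so a wrong or empty standard name shows up as a test failure.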
@@ -217,7 +236,8 @@ end of inline ACL: ACCEPT
for userx@???
├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -353,7 +373,8 @@ end of inline ACL: ACCEPT
└─────result: Tue, 2 Mar 1999 09:44:33 +0000
┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -361,7 +382,8 @@ end of inline ACL: ACCEPT
├─────result: false
┌───scanning: from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -371,19 +393,22 @@ end of inline ACL: ACCEPT
└───skipping: result is not used
┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
├──condition: def:sender_ident
├─────result: true
┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ ╎ }}(Exim $version_number)
╎ ${if def:sender_address {(envelope-from <$sender_address>)
╎ }}id $message_exim_id${if def:received_for {
╎ for $received_for}}
@@ -394,7 +419,8 @@ end of inline ACL: ACCEPT
├──condition: def:sender_helo_name
├─────result: true
┌considering: (helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -408,12 +434,25 @@ end of inline ACL: ACCEPT
├──condition: def:received_protocol
├─────result: true
- ┌considering: with $received_protocol}} (Exim $version_number)
+ ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
+ ${if def:sender_address {(envelope-from <$sender_address>)
+ }}id $message_exim_id${if def:received_for {
+ for $received_for}}
+ ├──expanding: with $received_protocol
+ └─────result: with local-esmtp
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+ ┌───scanning: tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
- ├──expanding: with $received_protocol
- └─────result: with local-esmtp
+ ├──expanding: tls $tls_in_cipher_std
+
+ ├─────result: tls
+
+ └───skipping: result is not used
├──condition: def:sender_address
├─────result: true
┌considering: (envelope-from <$sender_address>)
@@ -433,7 +472,8 @@ end of inline ACL: ACCEPT
for usery@???
├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -569,7 +609,8 @@ end of inline ACL: ACCEPT
└─────result: Tue, 2 Mar 1999 09:44:33 +0000
┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -577,7 +618,8 @@ end of inline ACL: ACCEPT
├─────result: false
┌───scanning: from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -587,19 +629,22 @@ end of inline ACL: ACCEPT
└───skipping: result is not used
┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
├──condition: def:sender_ident
├─────result: true
┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ ╎ }}(Exim $version_number)
╎ ${if def:sender_address {(envelope-from <$sender_address>)
╎ }}id $message_exim_id${if def:received_for {
╎ for $received_for}}
@@ -610,7 +655,8 @@ end of inline ACL: ACCEPT
├──condition: def:sender_helo_name
├─────result: true
┌considering: (helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
@@ -624,12 +670,25 @@ end of inline ACL: ACCEPT
├──condition: def:received_protocol
├─────result: true
- ┌considering: with $received_protocol}} (Exim $version_number)
+ ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
+ ${if def:sender_address {(envelope-from <$sender_address>)
+ }}id $message_exim_id${if def:received_for {
+ for $received_for}}
+ ├──expanding: with $received_protocol
+ └─────result: with local-esmtp
+ ├──condition: def:tls_in_cipher_std
+ ├─────result: false
+ ┌───scanning: tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
- ├──expanding: with $received_protocol
- └─────result: with local-esmtp
+ ├──expanding: tls $tls_in_cipher_std
+
+ ├─────result: tls
+
+ └───skipping: result is not used
├──condition: def:sender_address
├─────result: true
┌considering: (envelope-from <$sender_address>)
@@ -649,7 +708,8 @@ end of inline ACL: ACCEPT
for usery@???
├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost
}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
- }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)
+ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std
+ }}(Exim $version_number)
${if def:sender_address {(envelope-from <$sender_address>)
}}id $message_exim_id${if def:received_for {
for $received_for}}
diff --git a/test/stdout/2114.openssl_1_1_1 b/test/stdout/2114.openssl_1_1_1
index 744d0e2..ee0af95 100644
--- a/test/stdout/2114.openssl_1_1_1
+++ b/test/stdout/2114.openssl_1_1_1
@@ -19,7 +19,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> noop
????554 Security failure
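Review bot: The expected line `SSL connection using ke-RSA-AES256-SHAnnn` now ends in a literal placeholder, so this fixture no longer asserts which hash/MAC the client negotiated. The same applies to the other hunks in this file and to those in test/stdout/2124.openssl_1_1_1 and test/stdout/2132.openssl_1_1_1. The `nnn` presumably comes from the output normalisation in test/runtest, which is not visible here, and the old `ke-` prefix suggests the key exchange was already folded. That is reasonable for stability across library versions, but it means a change in the negotiated suite would pass these tests unnoticed. I would document the folding next to the substitution in the harness, and keep at least one test that compares an un-normalised suite name, for example through the new `$tls_in_cipher_std` value.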
@@ -55,7 +55,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> helo rhu.barb
??? 250
@@ -93,7 +93,7 @@ Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<userx@???>
??? 250
@@ -128,7 +128,7 @@ Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<userx@???>
??? 250
@@ -163,7 +163,7 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> noop
????554 Security failure
@@ -196,7 +196,7 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<userx@???>
??? 250
@@ -231,7 +231,7 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> noop
????554 Security failure
@@ -264,7 +264,7 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<userx@???>
??? 250
@@ -299,7 +299,7 @@ Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<userx@???>
??? 250
diff --git a/test/stdout/2124.openssl_1_1_1 b/test/stdout/2124.openssl_1_1_1
index e7777a1..d40f58a 100644
--- a/test/stdout/2124.openssl_1_1_1
+++ b/test/stdout/2124.openssl_1_1_1
@@ -20,7 +20,7 @@ Key file = aux-fixed/cert2
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> noop
????554 Security failure
diff --git a/test/stdout/2132.openssl_1_1_1 b/test/stdout/2132.openssl_1_1_1
index 179a9ef..a3a8ec5 100644
--- a/test/stdout/2132.openssl_1_1_1
+++ b/test/stdout/2132.openssl_1_1_1
@@ -19,7 +19,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<CALLER@???>
??? 250
@@ -59,7 +59,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<"name with spaces"@???>
??? 250
@@ -99,7 +99,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> noop
????554
@@ -132,7 +132,7 @@ Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.e
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHA
+SSL connection using ke-RSA-AES256-SHAnnn
Succeeded in starting TLS
>>> mail from:<CALLER@???>
??? 250