[exim-cvs] TLS: use RFC 6125 rules for certificate name chec…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] TLS: use RFC 6125 rules for certificate name checks when CNAMES are present. Bug 2594
Gitweb: https://git.exim.org/exim.git/commitdiff/0851a3bbf4667081d47f5d85b6b3a5cb33cbdba6
Commit:     0851a3bbf4667081d47f5d85b6b3a5cb33cbdba6
Parent:     32bcb602b77fbf4a7a746f448663688694677adc
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Jun 11 20:21:38 2020 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Jun 11 20:30:18 2020 +0100


    TLS: use RFC 6125 rules for certificate name checks when CNAMES are present. Bug 2594
---
 doc/doc-docbook/spec.xfpt        | 10 ++++--
 doc/doc-txt/ChangeLog            |  7 +++-
 src/src/host.c                   | 23 ++++++++++--
 src/src/structs.h                | 19 +++++-----
 src/src/tls-gnu.c                |  4 +--
 src/src/tls-openssl.c            | 20 +++++------
 test/confs/2012                  | 76 ++++++++++++++++++++++++++++++----------
 test/confs/2112                  | 76 ++++++++++++++++++++++++++++++----------
 test/dnszones-src/db.example.com |  5 ++-
 test/log/2012                    | 34 +++++++++++-------
 test/log/2112                    | 36 ++++++++++++-------
 test/scripts/2000-GnuTLS/2012    |  9 +++--
 test/scripts/2100-OpenSSL/2112   | 12 ++++---
 13 files changed, 234 insertions(+), 97 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index abd235b..e3684ba 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -29242,8 +29242,14 @@ certificate verification to the listed servers. Verification either must
or need not succeed respectively.

The &%tls_verify_cert_hostnames%& option lists hosts for which additional
-checks are made: that the host name (the one in the DNS A record)
-is valid for the certificate.
+name checks are made on the server certificate.
+.new
+The match against this list is, as per other Exim usage, the
+IP for the host. That is most closely associated with the
+name on the DNS A (or AAAA) record for the host.
+However, the name that needs to be in the certificate
+is the one at the head of any CNAME chain leading to the A record.
+.wen
The option defaults to always checking.

 The &(smtp)& transport has two OCSP-related options:
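Review bot: "as per other Exim usage" in the new paragraph leaves the reader to guess what the list is matched against; say explicitly that `tls_verify_cert_hostnames` is matched against the IP address of the host being connected to, and that the name required in the certificate is the name Exim started from (the head of any CNAME chain) rather than the name on the A/AAAA record. Since this is a behaviour change (certificates naming the A-record target passed the check before and will not now), one sentence stating that, alongside the `.new`/`.wen` markup, would save operators a surprise.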
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 6c8349d..4252641 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -30,6 +30,11 @@ JH/05 Bug 2593: Fix "vacation" in Exim filter.  Previously, when a "once"
       path, an error occurred on trying to open it.  Use the transport's working
       directory.


+JH/06 Bug 2594: Change the name used for certificate name checks in the smtp
+      transport.  Previously it was the name on the DNS A-record; use instead
+      the head of the CNAME chain leading there (if there is one).  This seems
+      to align better with RFC 6125.
+


Exim version 4.94
-----------------
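Review bot: "This seems to align better with RFC 6125" is hedged for a ChangeLog entry; cite the section of RFC 6125 the change follows so the rationale can be checked, and state the compatibility impact plainly: a site whose server certificate names only the CNAME target (the A-record name) passed `tls_verify_cert_hostnames` before this change and will fail it afterwards, falling back to unencrypted delivery where TLS is not required. The ChangeLog is where operators look for exactly this kind of note.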
@@ -335,7 +340,7 @@ JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in

 JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
       A single TCP connection by a client will now hold a TLS connection open
-      for multiple message deliveries, by default.  Previoud the default was to
+      for multiple message deliveries, by default.  Previously the default was to
       not do so.


JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
diff --git a/src/src/host.c b/src/src/host.c
index 0e0e013..99bbba7 100644
--- a/src/src/host.c
+++ b/src/src/host.c
@@ -1950,6 +1950,13 @@ BOOL temp_error = FALSE;
int af;
#endif

+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before anything modifies it. */
+
+host->certname = host->name;
+#endif
+
/* Make sure DNS options are set as required. This appears to be necessary in
some circumstances when the get..byname() function actually calls the DNS. */

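Review bot: `host->certname = host->name` is assigned here only on the `host_find_byname` path, and the next hunk shows `host_item`s are built field by field after `store_get()` rather than zeroed, so a `host_item` that reaches the TLS client code in tls-gnu.c / tls-openssl.c without passing through this function or `host_find_bydns` would hand an uninitialised pointer to `string_domain_utf8_to_alabel()` and `debug_printf`. Consider initialising `certname` wherever a `host_item` is constructed, or having the TLS code fall back to `host->name` when `certname` is NULL.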
@@ -2117,6 +2124,9 @@ for (int i = 1; i <= times;
       {
       host_item *next = store_get(sizeof(host_item), FALSE);
       next->name = host->name;
+#ifndef DISABLE_TLS
+      next->certname = host->certname;
+#endif
       next->mx = host->mx;
       next->address = text_address;
       next->port = PORT_NONE;
@@ -2135,12 +2145,12 @@ for (int i = 1; i <= times;
 NULL. If temp_error is set, at least one of the lookups gave a temporary error,
 so we pass that back. */


-if (host->address == NULL)
+if (!host->address)
   {
   uschar *msg =
     #ifndef STAND_ALONE
-    (message_id[0] == 0 && smtp_in != NULL)?
-      string_sprintf("no IP address found for host %s (during %s)", host->name,
+    message_id[0] == 0 && smtp_in
+      ? string_sprintf("no IP address found for host %s (during %s)", host->name,
           smtp_get_connection_info()) :
     #endif
     string_sprintf("no IP address found for host %s", host->name);
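Review bot: the `host->address == NULL` to `!host->address` rewrite and the re-laid-out ternary in this hunk are style-only changes unrelated to Bug 2594; keeping them out of a behaviour-changing commit keeps the fix minimal and easier to backport and review.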
@@ -2260,6 +2270,13 @@ BOOL v6_find_again = FALSE;
 BOOL dnssec_fail = FALSE;
 int i;


+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before any CNAME-following modifies it. */
+
+host->certname = host->name;
+#endif
+
/* If allow_ip is set, a name which is an IP address returns that value
as its address. This is used for MX records when allow_mx_to_ip is set, for
those sites that feel they have to flaunt the RFC rules. */
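Review bot: this initialises `certname` only for the `host_item` passed into `host_find_bydns`; hosts that the function itself discovers from MX records (the `mx` field in structs.h, and the `allow_mx_to_ip` case mentioned in the context here) are separate `host_item`s built further down, outside this diff, and they also go through A-record lookup and CNAME following. Confirm that each of them gets `certname` set to the MX target name before that lookup, otherwise MX-routed deliveries would verify against an uninitialised or post-CNAME name.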
diff --git a/src/src/structs.h b/src/src/structs.h
index 9aab603..f88d126 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -80,14 +80,17 @@ typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t;

 typedef struct host_item {
   struct host_item *next;
-  const uschar *name;             /* Host name */
-  const uschar *address;          /* IP address in text form */
-  int     port;                   /* port value in host order (if SRV lookup) */
-  int     mx;                     /* MX value if found via MX records */
-  int     sort_key;               /* MX*1000 plus random "fraction" */
-  int     status;                 /* Usable, unusable, or unknown */
-  int     why;                    /* Why host is unusable */
-  int     last_try;               /* Time of last try if known */
+  const uschar *name;        /* Host name */
+#ifndef DISABLE_TLS
+  const uschar *certname;    /* Name used for certificate checks */
+#endif
+  const uschar *address;    /* IP address in text form */
+  int     port;            /* port value in host order (if SRV lookup) */
+  int     mx;            /* MX value if found via MX records */
+  int     sort_key;        /* MX*1000 plus random "fraction" */
+  int     status;        /* Usable, unusable, or unknown */
+  int     why;            /* Why host is unusable */
+  int     last_try;        /* Time of last try if known */
   dnssec_status_t dnssec;
 } host_item;


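Review bot: the hunk re-indents the comment column on seven otherwise unchanged fields, and the mixed tab/space columns no longer line up in the rendered diff; limiting the hunk to the `certname` addition keeps the change reviewable. Note also that a field guarded by `#ifndef DISABLE_TLS` changes the layout of `host_item` between TLS and non-TLS builds, so anything compiled separately against these headers must be built with the same `DISABLE_TLS` setting.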
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index a351c34..fa48990 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2603,9 +2603,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
   {
   state->exp_tls_verify_cert_hostnames =
 #ifdef SUPPORT_I18N
-    string_domain_utf8_to_alabel(host->name, NULL);
+    string_domain_utf8_to_alabel(host->certname, NULL);
 #else
-    host->name;
+    host->certname;
 #endif
   DEBUG(D_tls)
     debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
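Review bot: the debug line still says "includes hostname:" while the value is now `host->certname`; printing `host->name` alongside it when the two differ would let a CNAME-related mismatch be diagnosed from debug output alone. Both `string_domain_utf8_to_alabel()` and the `%s` in `debug_printf` receive `host->certname` unconditionally, so a NULL fallback to `host->name` here would also cover any `host_item` whose `certname` was never set.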
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 3d0e84f..525afd6 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -372,10 +372,10 @@ typedef struct ocsp_resp {
 } ocsp_resplist;


 typedef struct tls_ext_ctx_cb {
-  tls_support * tlsp;
-  uschar *certificate;
-  uschar *privatekey;
-  BOOL is_server;
+  tls_support *    tlsp;
+  uschar *    certificate;
+  uschar *    privatekey;
+  BOOL        is_server;
 #ifndef DISABLE_OCSP
   STACK_OF(X509) *verify_stack;        /* chain for verifying the proof */
   union {
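Review bot: this hunk and the next only re-align the member declarations of `tls_ext_ctx_cb` (no member is added, removed or retyped); whitespace churn in a commit that changes certificate verification makes the functional diff harder to audit, so move it to a separate formatting commit.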
@@ -390,14 +390,14 @@ typedef struct tls_ext_ctx_cb {
     } client;
   } u_ocsp;
 #endif
-  uschar *dhparam;
+  uschar *    dhparam;
   /* these are cached from first expand */
-  uschar *server_cipher_list;
+  uschar *    server_cipher_list;
   /* only passed down to tls_error: */
-  host_item *host;
+  host_item *    host;
   const uschar * verify_cert_hostnames;
 #ifndef DISABLE_EVENT
-  uschar * event_action;
+  uschar *    event_action;
 #endif
 } tls_ext_ctx_cb;


@@ -2919,9 +2919,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
   {
   cbinfo->verify_cert_hostnames =
 #ifdef SUPPORT_I18N
-    string_domain_utf8_to_alabel(host->name, NULL);
+    string_domain_utf8_to_alabel(host->certname, NULL);
 #else
-    host->name;
+    host->certname;
 #endif
   DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
             cbinfo->verify_cert_hostnames);
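Review bot: this hunk and the tls-gnu.c one now carry the same `#ifdef SUPPORT_I18N` selection of `host->certname`; a small shared helper returning the name to verify would keep the two back ends from drifting, and would be the one place to add a NULL fallback to `host->name` rather than repeating it in each back end.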
diff --git a/test/confs/2012 b/test/confs/2012
index f59b91a..c0ed029 100644
--- a/test/confs/2012
+++ b/test/confs/2012
@@ -83,6 +83,18 @@ client_s:
   retry_use_local_part
   transport = send_to_server_req_passname


+client_t:
+ driver = accept
+ local_parts = usert
+ retry_use_local_part
+ transport = send_to_server_req_failchain
+
+client_u:
+ driver = accept
+ local_parts = useru
+ retry_use_local_part
+ transport = send_to_server_req_passchain
+

# ----- Transports -----

@@ -150,30 +162,58 @@ send_to_server_req_fail:

  # this will fail to verify the cert name and fallback to unencrypted
  send_to_server_req_failname:
-   driver = smtp
+   driver =        smtp
    allow_localhost
-   hosts = HOSTIPV4
-   port = PORT_D
-  hosts_try_fastopen =    :
-   tls_certificate = CERT2
-   tls_privatekey = CERT2
+   hosts =        serverbadname.example.com
+   port =        PORT_D
+   hosts_try_fastopen =    :
+   tls_certificate =    CERT2
+   tls_privatekey =    CERT2


-   tls_verify_certificates = CA1
-   tls_verify_cert_hostnames = server1.example.net : server1.example.org
-   tls_verify_hosts = *
+   tls_verify_certificates =    CA1
+   tls_verify_cert_hostnames =    HOSTIPV4
+   tls_verify_hosts =        *


  # this will pass the cert verify including name check
  send_to_server_req_passname:
-   driver = smtp
+   driver =        smtp
    allow_localhost
-   hosts = HOSTIPV4
-   port = PORT_D
-  hosts_try_fastopen =    :
-   tls_certificate = CERT2
-   tls_privatekey = CERT2
+   hosts =        server1.example.com
+   port =        PORT_D
+   hosts_try_fastopen =    :
+   tls_certificate =    CERT2
+   tls_privatekey =    CERT2
+ 
+   tls_verify_certificates =    CA1
+   tls_verify_cert_hostnames =    HOSTIPV4
+   tls_verify_hosts =        *
+
+ # this will fail the cert verify name check, because CNAME rules
+ send_to_server_req_failchain:
+   driver =        smtp
+   allow_localhost
+   hosts =        serverchain1.example.com
+   port =        PORT_D
+   hosts_try_fastopen =    :
+   tls_certificate =    CERT2
+   tls_privatekey =    CERT2
+ 
+   tls_verify_certificates =    CA1
+   tls_verify_cert_hostnames =    HOSTIPV4
+   tls_verify_hosts =        *
+
+ # this will pass the cert verify name check, because CNAME rules
+ send_to_server_req_passchain:
+   driver =        smtp
+   allow_localhost
+   hosts =        alternatename.server1.example.com
+   port =        PORT_D
+   hosts_try_fastopen =    :
+   tls_certificate =    CERT2
+   tls_privatekey =    CERT2


-   tls_verify_certificates = CA1
-   tls_verify_cert_hostnames = noway.example.com : server1.example.com
-   tls_verify_hosts = *
+   tls_verify_certificates =    CA1
+   tls_verify_cert_hostnames =    HOSTIPV4
+   tls_verify_hosts =        *


# End
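Review bot: the comment on `send_to_server_req_passchain` ("because CNAME rules") does not say why `alternatename.server1.example.com` passes when the server certificate is logged as `CN=server1.example.com`; state which name in the certificate (a wildcard or subjectAltName covering `alternatename.server1.example.com`) is expected to match, otherwise a later reader cannot tell a genuine CNAME-rule pass from a wildcard match. The hunk also realigns `=` on every unchanged option, which buries the real changes (`hosts` and `tls_verify_cert_hostnames`).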
diff --git a/test/confs/2112 b/test/confs/2112
index 2b3f33e..4ec0b4f 100644
--- a/test/confs/2112
+++ b/test/confs/2112
@@ -83,6 +83,18 @@ client_s:
retry_use_local_part
transport = send_to_server_req_passname

+client_t:
+ driver = accept
+ local_parts = usert
+ retry_use_local_part
+ transport = send_to_server_req_failchain
+
+client_u:
+ driver = accept
+ local_parts = useru
+ retry_use_local_part
+ transport = send_to_server_req_passchain
+

# ----- Transports -----

@@ -150,30 +162,58 @@ send_to_server_req_fail:

 # this will fail to verify the cert name and fallback to unencrypted
 send_to_server_req_failname:
-   driver = smtp
+   driver =        smtp
    allow_localhost
-   hosts = HOSTIPV4
-   port = PORT_D
-  hosts_try_fastopen = :
-   tls_certificate = CERT2
-   tls_privatekey = CERT2
+   hosts =        serverbadname.example.com
+   port =        PORT_D
+  hosts_try_fastopen =    :
+   tls_certificate =    CERT2
+   tls_privatekey =    CERT2


-   tls_verify_certificates = CA1
-   tls_verify_cert_hostnames = server1.example.net : server1.example.org
-   tls_verify_hosts = *
+   tls_verify_certificates =    CA1
+   tls_verify_cert_hostnames =    HOSTIPV4
+   tls_verify_hosts =        *


 # this will pass the cert verify including name check
 send_to_server_req_passname:
-   driver = smtp
+   driver =        smtp
    allow_localhost
-   hosts = HOSTIPV4
-   port = PORT_D
-  hosts_try_fastopen = :
-   tls_certificate = CERT2
-   tls_privatekey = CERT2
+   hosts =        server1.example.com
+   port =        PORT_D
+  hosts_try_fastopen =    :
+   tls_certificate =    CERT2
+   tls_privatekey =    CERT2
+ 
+   tls_verify_certificates =    CA1
+   tls_verify_cert_hostnames =    HOSTIPV4
+   tls_verify_hosts =        *
+
+ # this will fail the cert verify name check, because CNAME rules
+ send_to_server_req_failchain:
+   driver =        smtp
+   allow_localhost
+   hosts =        serverchain1.example.com
+   port =        PORT_D
+   hosts_try_fastopen =    :
+   tls_certificate =    CERT2
+   tls_privatekey =    CERT2


-   tls_verify_certificates = CA1
-   tls_verify_cert_hostnames = noway.example.com : server1.example.com
-   tls_verify_hosts = *
+   tls_verify_certificates =    CA1
+   tls_verify_cert_hostnames =    HOSTIPV4
+   tls_verify_hosts =        *
+
+ # this will pass the cert verify name check, because CNAME rules
+ send_to_server_req_passchain:
+   driver =        smtp
+   allow_localhost
+   hosts =        alternatename.server1.example.com
+   port =        PORT_D
+   hosts_try_fastopen =    :
+   tls_certificate =    CERT2
+   tls_privatekey =    CERT2
+
+   tls_verify_certificates =    CA1
+   tls_verify_cert_hostnames =    HOSTIPV4
+   tls_verify_hosts =        *


 # End
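Review bot: the same comment as for test/confs/2012 applies to `send_to_server_req_passchain` here. In addition, `hosts_try_fastopen` in the two rewritten transports keeps a two-space indent while every other option in those stanzas is realigned to three; if the hunk is going to reindent at all, it should do so consistently.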
diff --git a/test/dnszones-src/db.example.com b/test/dnszones-src/db.example.com
index b12d9a6..2d2cca0 100644
--- a/test/dnszones-src/db.example.com
+++ b/test/dnszones-src/db.example.com
@@ -36,7 +36,10 @@ uppercase    TXT    v=sPf1 +all


; Alias A record for the local host, under the name "server1"

-server1     A       HOSTIPV4
+server1               A     HOSTIPV4
+serverbadname         A     HOSTIPV4
+serverchain1          CNAME server1
+alternatename.server1 CNAME server1


; DANE testing

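Review bot: `alternatename.server1 CNAME server1` makes the passchain case a subdomain of the certificate's own name, so it may pass through a wildcard or subjectAltName match rather than through the new CNAME rule; a chain head outside `server1.example.com` that the certificate names explicitly would exercise the rule directly. The documentation promises "the head of any CNAME chain", but only single-link CNAMEs are added here; a two-link chain (CNAME to CNAME to A) would cover the chain-following code path.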
diff --git a/test/log/2012 b/test/log/2012
index 3b81cfd..294ad4d 100644
--- a/test/log/2012
+++ b/test/log/2012
@@ -4,33 +4,43 @@
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@??? R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): certificate invalid
1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@???: retry timeout exceeded
1999-03-02 09:44:33 10HmaX-0005vi-00 userx@???: error ignored
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbF-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbH-0005vi-00"
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
-1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 TLS session: (certificate verification failed): delivering unencrypted to H=serverbadname.example.com [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=serverbadname.example.com [ip4.ip4.ip4.ip4] C="250 OK id=10HmbI-0005vi-00"
1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
-1999-03-02 09:44:33 10HmbC-0005vi-00 => users@??? R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 => users@??? R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbJ-0005vi-00"
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 TLS session: (certificate verification failed): delivering unencrypted to H=server1.example.com [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmbD-0005vi-00 => usert@??? R=client_t T=send_to_server_req_failchain H=server1.example.com [ip4.ip4.ip4.ip4] C="250 OK id=10HmbK-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbE-0005vi-00 => useru@??? R=client_u T=send_to_server_req_passchain H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbL-0005vi-00"
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received: Certificate is bad
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received: Certificate is bad
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@???
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@???
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@???
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received: Certificate is bad
-1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@???
-1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@???
-1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@???
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received: Certificate is bad
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbB-0005vi-00@???
+1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@???
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received: Certificate is bad
+1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbD-0005vi-00@???
+1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbE-0005vi-00@???
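Review bot: for the failchain delivery the `H=` field reads `server1.example.com` (the name after CNAME following) while the name that actually failed the check was `serverchain1.example.com`, and unlike the OpenSSL log there is no "certificate name mismatch" line naming it; an operator who sees "(certificate verification failed): delivering unencrypted" against `server1.example.com` would be sent to inspect the wrong certificate name. Logging the checked name on the GnuTLS side, as the OpenSSL back end does, would make the unencrypted fallback diagnosable.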
diff --git a/test/log/2112 b/test/log/2112
index cdc37df..0813bb6 100644
--- a/test/log/2112
+++ b/test/log/2112
@@ -10,6 +10,8 @@
1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for userr@???
1999-03-02 09:44:33 this will pass the cert verify including name check
1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for user_s@???
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for usert@???
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for useru@???
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@??? R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
@@ -17,31 +19,41 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 userx@???: error ignored
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbF-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaZ-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbA-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbH-0005vi-00"
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
-1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="serverbadname.example.com"
+1999-03-02 09:44:33 10HmbB-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=serverbadname.example.com [ip4.ip4.ip4.ip4] C="250 OK id=10HmbI-0005vi-00"
1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
-1999-03-02 09:44:33 10HmbC-0005vi-00 => user_s@??? R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 => user_s@??? R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbJ-0005vi-00"
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="serverchain1.example.com"
+1999-03-02 09:44:33 10HmbD-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbD-0005vi-00 => usert@??? R=client_t T=send_to_server_req_failchain H=server1.example.com [ip4.ip4.ip4.ip4] C="250 OK id=10HmbK-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbE-0005vi-00 => useru@??? R=client_u T=send_to_server_req_passchain H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbL-0005vi-00"
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@??? for usery@???
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@??? for userz@???
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@??? for usery@???
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@??? for userz@???
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@??? for userq@???
-1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@??? for userr@???
-1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@??? for user_s@???
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@??? for userq@???
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbB-0005vi-00@??? for userr@???
+1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@??? for user_s@???
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbD-0005vi-00@??? for usert@???
+1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbE-0005vi-00@??? for useru@???
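Review bot: the mismatch line carries `H="serverchain1.example.com"` but the `=>` line for the same delivery reports `H=server1.example.com`, so two `H=` values for one delivery denote different names (the configured chain head versus the resolved canonical name). Either log the name used for verification in the delivery line as well, or document which name `H=` shows, so the unencrypted fallback can be traced back to the configured host.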
diff --git a/test/scripts/2000-GnuTLS/2012 b/test/scripts/2000-GnuTLS/2012
index 76a6d50..0eba751 100644
--- a/test/scripts/2000-GnuTLS/2012
+++ b/test/scripts/2000-GnuTLS/2012
@@ -6,19 +6,18 @@ exim userx@???
Testing
****
exim usery@???
-Testing
****
exim userz@???
-Testing
****
exim userq@???
-Testing
****
exim userr@???
-Testing
****
exim users@???
-Testing
+****
+exim usert@???
+****
+exim useru@???
****
exim -qf
****
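Review bot: the removed "Testing" message bodies are unrelated tidying, and the new `usert`/`useru` cases carry no description of what they exercise; the OpenSSL script (2112) uses `exim -z '…'` lines that land in the log for that purpose, and the same here would make test/log/2012 self-explanatory when a chain case regresses.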
diff --git a/test/scripts/2100-OpenSSL/2112 b/test/scripts/2100-OpenSSL/2112
index 8dfb1dc..e2cc9e0 100644
--- a/test/scripts/2100-OpenSSL/2112
+++ b/test/scripts/2100-OpenSSL/2112
@@ -13,35 +13,37 @@ Testing
exim -z 'this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok'
****
exim usery@???
-Testing
****
#
#
exim -z 'this will fail to verify the cert but continue unverified though crypted'
****
exim userz@???
-Testing
****
#
#
exim -z 'this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted'
****
exim userq@???
-Testing
****
#
#
exim -z 'this will fail to verify the cert name and fallback to unencrypted'
****
exim userr@???
-Testing
****
#
#
exim -z 'this will pass the cert verify including name check'
****
exim user_s@???
-Testing
+****
+#
+#
+exim usert@???
+****
+#
+exim useru@???
****
#
#
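Review bot: the earlier cases each have an `exim -z '…'` description that appears in the log (e.g. "this will pass the cert verify including name check"), but the new `usert` and `useru` cases have only bare `#` lines; add matching `-z` descriptions stating that the first fails because the CNAME chain head is not in the certificate and the second passes, so test/log/2112 documents the expected outcome next to the result.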