Commit | Line | Data |
---|---|---|
9d1c15ef | 1 | # TLS server: general ops and certificate extractions |
59371ea7 | 2 | gnutls |
cbe4bbb2 JH |
3 | # |
4 | # Very early (unsure when) GnuTLS prefers RSA auth by default. Later, but before 3.6.x, prefers | |
5 | # ECDSA but the client can be given a priority order to override that. We're running the server | |
6 | # with no priority string given (tls_require_ciphers) hence default, and with both types of | |
7 | # server cert loaded (RSA first, though we don't document that as relevant and in testing it | |
8 | # does not appear to matter). | |
9 | # | |
10 | # GnuTLS 3.6.5 appears to ignore the client priority ordering, always choosing ECDSA if both | |
11 | # are permitted, if TLS1.3 is permitted, so we limit to TLS1.2. | |
12 | # | |
59371ea7 PH |
13 | exim -DSERVER=server -bd -oX PORT_D |
14 | **** | |
cbe4bbb2 JH |
15 | # Have the client do RSA (but support ECDSA as well). That should get us RSA on both older and newer GnuTLS. |
16 | client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D | |
59371ea7 PH |
17 | ??? 220 |
18 | ehlo rhu.barb | |
19 | ??? 250- | |
20 | ??? 250- | |
21 | ??? 250- | |
22 | ??? 250- | |
5b456975 | 23 | ??? 250- |
59371ea7 PH |
24 | ??? 250 |
25 | starttls | |
26 | ??? 220 | |
27 | mail from:<CALLER@test.ex> | |
28 | ??? 250 | |
29 | rcpt to:<CALLER@test.ex> | |
30 | ??? 250 | |
31 | DATA | |
32 | ??? 3 | |
33 | This is a test encrypted message. | |
34 | . | |
35 | ??? 250 | |
36 | quit | |
37 | ??? 221 | |
38 | **** | |
cbe4bbb2 | 39 | client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D |
fd98a5c6 JH |
40 | ??? 220 |
41 | ehlo rhu.barb | |
42 | ??? 250- | |
43 | ??? 250- | |
44 | ??? 250- | |
45 | ??? 250- | |
46 | ??? 250- | |
47 | ??? 250 | |
48 | starttls | |
49 | ??? 220 | |
50 | mail from:<"name with spaces"@test.ex> | |
51 | ??? 250 | |
52 | rcpt to:<CALLER@test.ex> | |
53 | ??? 250 | |
54 | DATA | |
55 | ??? 3 | |
56 | This is a test encrypted message. | |
57 | . | |
58 | ??? 250 | |
59 | quit | |
60 | ??? 221 | |
61 | **** | |
5f5708ef JH |
62 | # |
63 | # Server asks for a client cert but client does not supply one | |
cbe4bbb2 | 64 | client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 HOSTIPV4 PORT_D |
59371ea7 PH |
65 | ??? 220 |
66 | ehlo rhu.barb | |
67 | ??? 250- | |
5f5708ef JH |
68 | ??? 250-SIZE |
69 | ??? 250-8BITMIME | |
70 | ??? 250-PIPELINING | |
71 | ??? 250-STARTTLS | |
72 | ??? 250 HELP | |
59371ea7 | 73 | starttls |
5f5708ef JH |
74 | ??? 220 TLS go ahead |
75 | nop | |
76 | ???* | |
59371ea7 | 77 | **** |
5f5708ef JH |
78 | # ensure sequence of log TLS error line |
79 | killdaemon | |
80 | sleep 1 | |
81 | exim -DSERVER=server -bd -oX PORT_D | |
82 | **** | |
83 | # | |
84 | # | |
cbe4bbb2 JH |
85 | # Server asks for a client cert, and one is given which is verifiable by the server |
86 | client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key | |
59371ea7 PH |
87 | ??? 220 |
88 | ehlo rhu.barb | |
89 | ??? 250- | |
90 | ??? 250- | |
91 | ??? 250- | |
92 | ??? 250- | |
5b456975 | 93 | ??? 250- |
59371ea7 PH |
94 | ??? 250 |
95 | starttls | |
96 | ??? 220 | |
97 | mail from:<CALLER@test.ex> | |
98 | ??? 250 | |
99 | rcpt to:<CALLER@test.ex> | |
100 | ??? 250 | |
101 | DATA | |
102 | ??? 3 | |
103 | This is a test encrypted message from a verified host. | |
104 | . | |
105 | ??? 250 | |
106 | quit | |
107 | ??? 221 | |
108 | **** | |
ba86e143 JH |
109 | # |
110 | # | |
111 | # A client that only talks RSA. | |
112 | # | |
113 | # We have to specify the key-exchange as well as the authentication, otherwise, | |
114 | # the GnuTLS server side being foolish - it picks an ECDSA cipher-suite and then can't use it :( | |
115 | # Possibly fixed in 3.6.x ? | |
cbe4bbb2 | 116 | client-gnutls -p NONE:+SIGN-RSA-SHA256:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D |
ba86e143 JH |
117 | ??? 220 |
118 | ehlo rhu.barb | |
119 | ??? 250- | |
120 | ??? 250- | |
121 | ??? 250- | |
122 | ??? 250- | |
123 | ??? 250- | |
124 | ??? 250 | |
125 | starttls | |
126 | ??? 220 | |
127 | mail from:<CALLER@test.ex> | |
128 | ??? 250 | |
129 | rcpt to:<CALLER@test.ex> | |
130 | ??? 250 | |
131 | DATA | |
132 | ??? 3 | |
133 | This is a test encrypted message. | |
134 | It should be sent under the RSA server cert and with an RSA cipher. | |
135 | . | |
136 | ??? 250 | |
137 | quit | |
138 | ??? 221 | |
139 | **** | |
140 | # | |
141 | # | |
cdf0cd2e | 142 | # Make ECDSA authentication preferred (Older GnuTLS prefers RSA, it seems, Newer, ECDSA). |
cbe4bbb2 | 143 | client-gnutls -p NONE:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+KX-ALL:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D |
ba86e143 JH |
144 | ??? 220 |
145 | ehlo rhu.barb | |
146 | ??? 250- | |
147 | ??? 250- | |
148 | ??? 250- | |
149 | ??? 250- | |
150 | ??? 250- | |
151 | ??? 250 | |
152 | starttls | |
153 | ??? 220 | |
154 | mail from:<CALLER@test.ex> | |
155 | ??? 250 | |
156 | rcpt to:<CALLER@test.ex> | |
157 | ??? 250 | |
158 | DATA | |
159 | ??? 3 | |
160 | This is a test encrypted message. | |
161 | It should be sent under the EC server cert and with an ECDSA cipher. | |
162 | . | |
163 | ??? 250 | |
164 | quit | |
165 | ??? 221 | |
166 | **** | |
59371ea7 | 167 | killdaemon |
5f5708ef JH |
168 | sleep 1 |
169 | # clear out the queue | |
59371ea7 PH |
170 | exim -qf |
171 | **** | |
5f5708ef JH |
172 | sleep 1 |
173 | # | |
174 | # STARTTLS used when not advertised | |
59371ea7 PH |
175 | exim -bh 10.0.0.1 |
176 | starttls | |
177 | quit | |
178 | **** |