[exim.git] / test / scripts / 2100-OpenSSL / 2102

# TLS server: general ops and certificate extractions
#
# NOTE: OpenSSL libraries return faulty my-cert information prior to OpenSSL 1.1.1
# when more than one cert is loaded, which the conf for this testcase does.
# As a result the expansion done and logged is misleading.
# While the golden log output is set to the misleading result, the testcase
# would unfortunately fail on the fixed OpenSSL versions.  This has been bodged
# by the addition of log/2102.openssl_1_1_1 and some detection coding in
# runtest to force a "flavour".  This is fragile and bound to break in the future.
#
# Make RSA authentication the only acceptable
exim -DSERVER=server -DORDER=RSA -bd -oX PORT_D
****
client-ssl 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<a@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message.
.
??? 250
quit
??? 221
****
client-ssl 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<"name with spaces"@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message.
.
??? 250
quit
??? 221
****
# nonloop addr conn rejected lacking cert
client-ssl HOSTIPV4 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220 TLS go ahead
+++ 1
help
??? 554
****
client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<b@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message from a verified host.
.
??? 250
quit
??? 221
****
killdaemon
#
# make ECDSA authentication preferred
# DEFAULT:+RSA should work but does not seem to
# also, will fail under TLS1.3 because there is no choice of auth
# - so we disable that in the conf
exim -DSERVER=server -DORDER=ECDSA:RSA:!COMPLEMENTOFDEFAULT -bd -oX PORT_D
****
client-ssl 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<c@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message.
It should be sent under the EC server cert and with an ECDSA cipher.
.
??? 250
quit
??? 221
****
killdaemon
exim -qf
****
exim -bh 10.0.0.1
starttls
quit
****
Commit	Line	Data
9d1c15ef	1	# TLS server: general ops and certificate extractions
176cf342	2	#
5dcadbf4 JH	3	# NOTE: OpenSSL libraries return faulty my-cert information prior to OpenSSL 1.1.1
5dcadbf4 JH	4	# when more than one cert is loaded, which the conf for this testcase does.
176cf342	5	# As a result the expansion done and logged is misleading.
5dcadbf4	6	# While the golden log output is set to the misleading result, the testcase
90e30e31 JH	7	# would unfortunately fail on the fixed OpenSSL versions. This has been bodged
	8	# by the addition of log/2102.openssl_1_1_1 and some detection coding in
	9	# runtest to force a "flavour". This is fragile and bound to break in the future.
176cf342 JH	10	#
176cf342 JH	11	# Make RSA authentication the only acceptable
6678a497	12	exim -DSERVER=server -DORDER=RSA -bd -oX PORT_D
59371ea7 PH	13	****
	14	client-ssl 127.0.0.1 PORT_D
	15	??? 220
	16	ehlo rhu.barb
	17	??? 250-
	18	??? 250-
	19	??? 250-
	20	??? 250-
5b456975	21	??? 250-
59371ea7 PH	22	??? 250
	23	starttls
	24	??? 220
798f6588	25	mail from:<a@test.ex>
59371ea7 PH	26	??? 250
	27	rcpt to:<CALLER@test.ex>
	28	??? 250
	29	DATA
	30	??? 3
	31	This is a test encrypted message.
	32	.
	33	??? 250
	34	quit
	35	??? 221
	36	****
fd98a5c6 JH	37	client-ssl 127.0.0.1 PORT_D
	38	??? 220
	39	ehlo rhu.barb
	40	??? 250-
	41	??? 250-
	42	??? 250-
	43	??? 250-
	44	??? 250-
	45	??? 250
	46	starttls
	47	??? 220
	48	mail from:<"name with spaces"@test.ex>
	49	??? 250
	50	rcpt to:<CALLER@test.ex>
	51	??? 250
	52	DATA
	53	??? 3
	54	This is a test encrypted message.
	55	.
	56	??? 250
	57	quit
	58	??? 221
	59	****
131c0f8a	60	# nonloop addr conn rejected lacking cert
59371ea7 PH	61	client-ssl HOSTIPV4 PORT_D
	62	??? 220
	63	ehlo rhu.barb
	64	??? 250-
	65	??? 250-
	66	??? 250-
	67	??? 250-
5b456975	68	??? 250-
59371ea7 PH	69	??? 250
59371ea7 PH	70	starttls
131c0f8a JH	71	??? 220 TLS go ahead
	72	+++ 1
	73	help
	74	??? 554
59371ea7	75	****
9d1c15ef	76	client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
59371ea7 PH	77	??? 220
	78	ehlo rhu.barb
	79	??? 250-
	80	??? 250-
	81	??? 250-
	82	??? 250-
5b456975	83	??? 250-
59371ea7 PH	84	??? 250
	85	starttls
	86	??? 220
798f6588	87	mail from:<b@test.ex>
59371ea7 PH	88	??? 250
	89	rcpt to:<CALLER@test.ex>
	90	??? 250
	91	DATA
	92	??? 3
	93	This is a test encrypted message from a verified host.
	94	.
	95	??? 250
	96	quit
	97	??? 221
	98	****
	99	killdaemon
ba86e143 JH	100	#
	101	# make ECDSA authentication preferred
	102	# DEFAULT:+RSA should work but does not seem to
5dcadbf4 JH	103	# also, will fail under TLS1.3 because there is no choice of auth
5dcadbf4 JH	104	# - so we disable that in the conf
ba86e143 JH	105	exim -DSERVER=server -DORDER=ECDSA:RSA:!COMPLEMENTOFDEFAULT -bd -oX PORT_D
	106	****
	107	client-ssl 127.0.0.1 PORT_D
	108	??? 220
	109	ehlo rhu.barb
	110	??? 250-
	111	??? 250-
	112	??? 250-
	113	??? 250-
	114	??? 250-
	115	??? 250
	116	starttls
	117	??? 220
798f6588	118	mail from:<c@test.ex>
ba86e143 JH	119	??? 250
	120	rcpt to:<CALLER@test.ex>
	121	??? 250
	122	DATA
	123	??? 3
	124	This is a test encrypted message.
	125	It should be sent under the EC server cert and with an ECDSA cipher.
	126	.
	127	??? 250
	128	quit
	129	??? 221
	130	****
	131	killdaemon
59371ea7 PH	132	exim -qf
	133	****
	134	exim -bh 10.0.0.1
	135	starttls
	136	quit
	137	****