Fix testcase "server missing/empty certificate file"

GnuTLS early versions (pre 3.0.0 ?) fail to send a reasonable
client-cert request when tls_verify_certificates is an empty file.
Since the test is for missing *server* certs (tls_certificate)
avoid this by pointing to a real (if non-verifying) cert in
tls_verify_certificates.

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 7c3625216ae4d0832fa3cf381211aff2acb775f0..cbd44d6f2faa68afce009740b8632edf4422b58d 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1228,25 +1228,23 @@ unsigned int verify;
 
 *error = NULL;
 
-rc = peer_status(state);
-if (rc != OK)
+if ((rc = peer_status(state)) != OK)
   {
   verify = GNUTLS_CERT_INVALID;
-  *error = "not supplied";
+  *error = "certificate not supplied";
   }
 else
-  {
   rc = gnutls_certificate_verify_peers2(state->session, &verify);
-  }
 
 /* Handle the result of verification. INVALID seems to be set as well
 as REVOKED, but leave the test for both. */
 
-if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
+if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
   {
   state->peer_cert_verified = FALSE;
-  if (*error == NULL)
-    *error = ((verify & GNUTLS_CERT_REVOKED) != 0) ? "revoked" : "invalid";
+  if (!*error)
+    *error = verify & GNUTLS_CERT_REVOKED
+      ? "certificate revoked" : "certificate invalid";
 
   DEBUG(D_tls)
     debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",

diff --git a/test/confs/2024 b/test/confs/2024
index a677c4c8661767b5ff77b61c30b22f56d21a3355..c59e975deb3c1c590ba31c5fdd05d0478adfb589 100644 (file)
--- a/test/confs/2024
+++ b/test/confs/2024
@@ -24,6 +24,7 @@ tls_certificate = CERT
 tls_privatekey = CERT
 
 tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = TVC
+#tls_verify_certificates = TVC
+tls_verify_certificates = CERT
 
 # End

diff --git a/test/log/2024 b/test/log/2024
index c45da6e89c94d8d2797e9ff7a40a6c8c67d48e75..117382b5a1baa35b1f26683959822f851df0e7a8 100644 (file)
--- a/test/log/2024
+++ b/test/log/2024
@@ -1,4 +1,4 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file.

diff --git a/test/stdout/2024 b/test/stdout/2024
index 2e30f7dd6bad3110125a56f028551fc22bb0956c..ecedd4193d1279f742cd83f2f1c9cd795b108881 100644 (file)
--- a/test/stdout/2024
+++ b/test/stdout/2024
@@ -20,7 +20,7 @@ Key file = aux-fixed/cert2
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-Failed to start TLS
+Succeeded in starting TLS
 End of script
 Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
 Certificate file = aux-fixed/cert2