From: Jeremy Harris
Date: Mon, 17 Sep 2018 15:28:58 +0000 (+0100)
Subject: DANE: fix TA-mode verify under GnuTLS. Bug 2311
X-Git-Tag: exim-4.92-RC1~105
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=570cb1bdbc6ea378b2dcaf6ebabb45a5610ed1ef;p=exim.git
DANE: fix TA-mode verify under GnuTLS. Bug 2311
---
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f93622bf9..5a04b1bdc 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -113,13 +113,18 @@ JH/23 Bug 2318: Fix the noerror command within filters. It wasn't working.
 was not set for later routers. Investigation and fix by Matthias Kurz.
 JH/24 Bug 2310: Raise a msg:fail:internal event for each undelivered recipient,
- and a msg:complete for the whole, when a message is manually reoved using
+ and a msg:complete for the whole, when a message is manually removed using
 -Mrm. Developement by Matthias Kurz, hacked on by JH.
 JH/25 Avoid fixed-size buffers for pathnames in DB access. This required using a "Gnu special" function, asprintf() in the DB utility binary builds; I hope that is portable enough.
+JH/26 Bug 2311: Fix DANE-TA verification under GnuTLS. Previously it was also
+ requiring a known-CA anchor certificate; make it now rely entirely on the
+ TLSA as an anchor. Checking the name on the leaf cert against the name
+ on the A-record for the host is still done for TA (but not for EE mode).
+
 Exim version 4.91
 -----------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index c5ecf88f9..3e618a697 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1625,8 +1625,7 @@ else # ifdef GNUTLS_BROKEN_DANE_VALIDATION /* Split the TLSA records into two sets, TA and EE selectors. Run the dane-verification separately so that we know which selector verified; - then we know whether to do CA-chain-verification and name-verification - (needed for TA but not EE). */ + then we know whether to do name-verification (needed for TA but not EE). */ if (usage == ((1<peer_dane_verified = TRUE; # ifdef GNUTLS_BROKEN_DANE_VALIDATION /* If a TA-mode TLSA record was used for verification we must additionally - verify the CA chain and the cert name. For EE-mode, skip it. */ + verify the cert name (but not the CA chain). For EE-mode, skip it. */ if (usage & (1 << DANESSL_USAGE_DANE_EE)) # endif { - state->peer_cert_verified = TRUE; + state->peer_dane_verified = state->peer_cert_verified = TRUE; goto goodcert; } +# ifdef GNUTLS_BROKEN_DANE_VALIDATION + /* Assume that the name on the A-record is the one that should be matching + the cert. An alternate view is that the domain part of the email address + is also permissible. */ + + if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, + CS state->host->name)) + { + state->peer_dane_verified = state->peer_cert_verified = TRUE; + goto goodcert; + } +# endif } -#endif +#endif /*SUPPORT_DANE*/ rc = gnutls_certificate_verify_peers2(state->session, &verify); } diff --git a/test/confs/5820 b/test/confs/5820 index 72402881a..bcb1a8f34 100644 --- a/test/confs/5820 +++ b/test/confs/5820 @@ -70,7 +70,7 @@ send_to_server: hosts_require_dane = HOSTIPV4 tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} tls_try_verify_hosts = thishost.test.ex - tls_verify_certificates = CDIR2/ca_chain.pem + tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}} diff --git a/test/confs/5822 b/test/confs/5822 deleted file mode 100644 index 80a8ef43b..000000000 --- a/test/confs/5822 +++ /dev/null 
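Review bot: When the DANE-TA match succeeds but `gnutls_x509_crt_check_hostname` rejects the name, the new block at the end of the hunk drops through to `gnutls_certificate_verify_peers2` without any trace, so a DANE-TA name mismatch is indistinguishable in the debug output from an ordinary PKIX verification and an operator cannot tell which check refused the peer. A line after the closing brace of the new `if`, `DEBUG(D_tls) debug_printf("DANE-TA: cert does not match host name %s\n", state->host->name);`, keeps that decision auditable without changing the outcome. The new comment would also be more useful if it said why `state->host->name` is the reference identifier: RFC 7672 bases the DANE-TA name check on the TLSA base domain, and a reader cannot tell from this hunk whether that field holds that DNSSEC-validated name or a CNAME-expanded one. The enclosing function begins and ends outside the hunk, and the second tls-gnu.c hunk header is not visible in this rendering, so the lines between the selector split and `peer_dane_verified = TRUE` could not be reviewed.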
@@ -1,67 +0,0 @@
-# Exim test configuration 5822
-# DANE/GnuTLS
-
-SERVER=
-
-.include DIR/aux-var/tls_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept logwrite = "rcpt ACL"
-
-log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
-
-queue_run_in_order
-
-tls_advertise_hosts = *
-# needed to force generation
-tls_dhparam = historic
-
-tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
-
-# ----- Routers -----
-
-begin routers
-
-client:
- driver = dnslookup
- condition = ${if eq {SERVER}{}}
- dnssec_request_domains = *
- self = send
- transport = send_to_server
- errors_to = ""
-
-server:
- driver = redirect
- condition = ${if !eq {SERVER}{}}
- data = :blackhole:
-
-
-# ----- Transports -----
-
-begin transports
-
-send_to_server:
- driver = smtp
- allow_localhost
- port = PORT_D
-
- hosts_try_dane = *
- hosts_require_dane = HOSTIPV4
- tls_verify_cert_hostnames = :
- tls_try_verify_hosts = thishost.test.ex
-# tls_verify_certificates = CDIR2/ca_chain.pem
-
-
-
-# ----- Retry -----
-
-
-begin retry
-
-* * F,5d,10s
-
-
-# End
diff --git a/test/confs/5840 b/test/confs/5840
index 754945d6e..407846a8a 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -75,7 +75,7 @@ send_to_server:
 hosts_require_dane = HOSTIPV4
 tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
 tls_try_verify_hosts = thishost.test.ex
- tls_verify_certificates = CDIR2/ca_chain.pem
+ tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
diff --git a/test/confs/5842 b/test/confs/5842
deleted file mode 100644
index be45e847c..000000000
--- a/test/confs/5842
+++ /dev/null
@@ -1,64 +0,0 @@
-# Exim test configuration 5822
-# DANE/OpenSSL
-
-SERVER=
-
-.include DIR/aux-var/tls_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept logwrite = "rcpt ACL"
-
-log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
-
-queue_run_in_order
-
-tls_advertise_hosts = *
-
-tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
-
-# ----- Routers -----
-
-begin routers
-
-client:
- driver = dnslookup
- condition = ${if eq {SERVER}{}}
- dnssec_request_domains = *
- self = send
- transport = send_to_server
- errors_to = ""
-
-server:
- driver = redirect
- data = :blackhole:
-
-
-# ----- Transports -----
-
-begin transports
-
-send_to_server:
- driver = smtp
- allow_localhost
- port = PORT_D
-
- hosts_try_dane = *
- hosts_require_dane = HOSTIPV4
- tls_verify_cert_hostnames = :
- tls_try_verify_hosts = thishost.test.ex
-# tls_verify_certificates = CDIR2/ca_chain.pem
-
-
-
-# ----- Retry -----
-
-
-begin retry
-
-* * F,5d,10s
-
-
-# End
diff --git a/test/log/5820 b/test/log/5820
index b1dc73294..bb16d5e2b 100644
--- a/test/log/5820
+++ b/test/log/5820
@@ -45,7 +45,7 @@
 1999-03-02 09:44:33 10HmbP-0005vi-00 == CALLER@danebroken2.test.ex R=client T=send_to_server defer (-37) H=danebroken2.test.ex [127.0.0.1]: TLS session: (certificate verification failed): Verification failed. CA constrains were violated.
 1999-03-02 09:44:33 10HmbQ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken3.test.ex
 1999-03-02 09:44:33 10HmbQ-0005vi-00 DANE error: TLSA lookup for danebroken3.test.ex not DNSSEC
-1999-03-02 09:44:33 10HmbQ-0005vi-00 => CALLER@danebroken3.test.ex R=client T=send_to_server H=danebroken3.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbR-0005vi-00"
+1999-03-02 09:44:33 10HmbQ-0005vi-00 => CALLER@danebroken3.test.ex R=client T=send_to_server H=danebroken3.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbR-0005vi-00"
 1999-03-02 09:44:33 10HmbQ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken4.test.ex
 1999-03-02 09:44:33 10HmbS-0005vi-00 DANE error: TLSA lookup for danebroken4.test.ex not DNSSEC
@@ -53,7 +53,7 @@
 1999-03-02 09:44:33 10HmbS-0005vi-00 CALLER@danebroken4.test.ex: error ignored
 1999-03-02 09:44:33 10HmbS-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbT-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken5.test.ex
-1999-03-02 09:44:33 10HmbT-0005vi-00 => CALLER@danebroken5.test.ex R=client T=send_to_server H=danebroken5.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbU-0005vi-00"
+1999-03-02 09:44:33 10HmbT-0005vi-00 => CALLER@danebroken5.test.ex R=client T=send_to_server H=danebroken5.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbU-0005vi-00"
 1999-03-02 09:44:33 10HmbT-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbV-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken6.test.ex
 1999-03-02 09:44:33 10HmbV-0005vi-00 ** CALLER@danebroken6.test.ex R=client T=send_to_server: DANE error: danebroken6.test.ex lookup not DNSSEC
diff --git a/test/log/5822 b/test/log/5822
deleted file mode 100644
index 43b032b13..000000000
--- a/test/log/5822
+++ /dev/null
@@ -1,20 +0,0 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256tas.test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 DANE attempt failed; TLS connection to dane256tas.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
-1999-03-02 09:44:33 10HmaX-0005vi-00 !!SHOULD_WORK!! CALLER@mxdane256tas.test.ex R=client T=send_to_server defer (-37) H=dane256tas.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256task.test.ex
-1999-03-02 09:44:33 10HmaY-0005vi-00 DANE attempt failed; TLS connection to dane256task.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
-1999-03-02 09:44:33 10HmaY-0005vi-00 !!SHOULD_WORK!! CALLER@mxdane256task.test.ex R=client T=send_to_server defer (-37) H=dane256task.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ees.test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@mxdane256ees.test.ex R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@mxdane256ees.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server
-1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/5840 b/test/log/5840
index 756f442fb..6aad3b7db 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -13,7 +13,6 @@
 1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@mxdane256tak.test.ex R=client T=send_to_server H=dane256tak.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server2.example.com" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex
-1999-03-02 09:44:33 10HmbF-0005vi-00 [127.0.0.1] SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.net/CN=clica CA rsa
 1999-03-02 09:44:33 10HmbF-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.net" C="250 OK id=10HmbG-0005vi-00"
 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex
@@ -34,7 +33,6 @@
 1999-03-02 09:44:33 10HmbK-0005vi-00 ** CALLER@dane.no.1.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL
 1999-03-02 09:44:33 10HmbK-0005vi-00 CALLER@dane.no.1.test.ex: error ignored
 1999-03-02 09:44:33 10HmbK-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbL-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="dane.no.2.test.ex"
 1999-03-02 09:44:33 10HmbL-0005vi-00 => CALLER@dane.no.2.test.ex R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbP-0005vi-00"
 1999-03-02 09:44:33 10HmbL-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbM-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
@@ -42,7 +40,6 @@
 1999-03-02 09:44:33 10HmbN-0005vi-00 ** CALLER@dane.no.3.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL
 1999-03-02 09:44:33 10HmbN-0005vi-00 CALLER@dane.no.3.test.ex: error ignored
 1999-03-02 09:44:33 10HmbN-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbO-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="dane.no.4.test.ex"
 1999-03-02 09:44:33 10HmbO-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbQ-0005vi-00"
 1999-03-02 09:44:33 10HmbO-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
@@ -51,7 +48,7 @@
 1999-03-02 09:44:33 10HmbR-0005vi-00 == CALLER@danebroken2.test.ex R=client T=send_to_server defer (-37) H=danebroken2.test.ex [127.0.0.1]: TLS session: (SSL_connect): error: <>
 1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken3.test.ex
 1999-03-02 09:44:33 10HmbS-0005vi-00 DANE error: TLSA lookup for danebroken3.test.ex not DNSSEC
-1999-03-02 09:44:33 10HmbS-0005vi-00 => CALLER@danebroken3.test.ex R=client T=send_to_server H=danebroken3.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbT-0005vi-00"
+1999-03-02 09:44:33 10HmbS-0005vi-00 => CALLER@danebroken3.test.ex R=client T=send_to_server H=danebroken3.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbT-0005vi-00"
 1999-03-02 09:44:33 10HmbS-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbU-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken4.test.ex
 1999-03-02 09:44:33 10HmbU-0005vi-00 DANE error: TLSA lookup for danebroken4.test.ex not DNSSEC
@@ -59,7 +56,7 @@
 1999-03-02 09:44:33 10HmbU-0005vi-00 CALLER@danebroken4.test.ex: error ignored
 1999-03-02 09:44:33 10HmbU-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbV-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken5.test.ex
-1999-03-02 09:44:33 10HmbV-0005vi-00 => CALLER@danebroken5.test.ex R=client T=send_to_server H=danebroken5.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbW-0005vi-00"
+1999-03-02 09:44:33 10HmbV-0005vi-00 => CALLER@danebroken5.test.ex R=client T=send_to_server H=danebroken5.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbW-0005vi-00"
 1999-03-02 09:44:33 10HmbV-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken6.test.ex
 1999-03-02 09:44:33 10HmbX-0005vi-00 ** CALLER@danebroken6.test.ex R=client T=send_to_server: DANE error: danebroken6.test.ex lookup not DNSSEC
diff --git a/test/log/5842 b/test/log/5842
deleted file mode 100644
index 1146cba34..000000000
--- a/test/log/5842
+++ /dev/null
@@ -1,24 +0,0 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256tas.test.ex
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@mxdane256tas.test.ex R=client T=send_to_server H=dane256tas.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256task.test.ex
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@mxdane256task.test.ex R=client T=send_to_server H=dane256task.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ees.test.ex
-1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ees.test.ex R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00"
-1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@mxdane256tas.test.ex
-1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server
-1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss
id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@mxdane256task.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server
-1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
-1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ees.test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server
-1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
diff --git a/test/scripts/5820-DANE-GnuTLS/5820 b/test/scripts/5820-DANE-GnuTLS/5820
index 652661cc1..d7824a38c 100644
--- a/test/scripts/5820-DANE-GnuTLS/5820
+++ b/test/scripts/5820-DANE-GnuTLS/5820
@@ -2,11 +2,11 @@
 #
 exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
 ****
-### TLSA (3 1 1)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
 exim -odq CALLER@dane256ee.test.ex
 Testing
 ****
-### TLSA (3 1 2)
+### TLSA (3 1 2) ( SHA2-512)
 exim -odq CALLER@mxdane512ee.test.ex
 Testing
 ****
@@ -24,7 +24,7 @@ killdaemon
 #
 exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
 ****
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 exim -odf CALLER@mxdane256ta.test.ex
 Testing
 ****
@@ -44,7 +44,7 @@ killdaemon
 # Check we get a CV and TLS connection, with try_dane but no require_dane
 exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
 ****
-exim -odf CALLER@thishost.test.ex
+exim -odf -DDETAILS=ca CALLER@thishost.test.ex
 Testing
 ****
 exim -DOPT=no_certname -qf
diff --git a/test/scripts/5820-DANE-GnuTLS/5822 b/test/scripts/5820-DANE-GnuTLS/5822
deleted file mode 100644
index 9e565ab49..000000000
--- a/test/scripts/5820-DANE-GnuTLS/5822
+++ /dev/null
@@ -1,19 +0,0 @@
-# DANE server: selfsigned cert
-#
-exim -DSERVER=server -bd -oX PORT_D
-****
-### TLSA (2 0 1)
-exim -odf CALLER@mxdane256tas.test.ex
-Testing
-****
-### TLSA (2 1 1)
-exim -odf CALLER@mxdane256task.test.ex
-Testing
-****
-### TLSA (3 1 1)
-exim -odf CALLER@mxdane256ees.test.ex
-Testing
-****
-killdaemon
-#
-no_msglog_check
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index b1ea2f307..4d88131ea 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -52,7 +52,7 @@ killdaemon
 # Check we get a CV and TLS connection, with try_dane but no require_dane
 exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
 ****
-exim -odf CALLER@thishost.test.ex
+exim -odf -DDETAILS=ca CALLER@thishost.test.ex
 Testing
 ****
 exim -DOPT=no_certname -qf
diff --git a/test/scripts/5840-DANE-OpenSSL/5842 b/test/scripts/5840-DANE-OpenSSL/5842
deleted file mode 100644
index da9e4e3c7..000000000
--- a/test/scripts/5840-DANE-OpenSSL/5842
+++ /dev/null
@@ -1,19 +0,0 @@
-# DANE server: selfsigned and TA-mode
-#
-exim -DSERVER=server -bd -oX PORT_D
-****
-### TLSA (2 0 1)
-exim -odf CALLER@mxdane256tas.test.ex
-Testing
-****
-### TLSA (2 1 1)
-exim -odf CALLER@mxdane256task.test.ex
-Testing
-****
-### TLSA (3 1 1)
-exim -odf CALLER@mxdane256ees.test.ex
-Testing
-****
-killdaemon
-#
-no_msglog_check
diff --git a/test/stderr/5820 b/test/stderr/5820
index 34fcb0fd4..5807a1059 100644
--- a/test/stderr/5820
+++ b/test/stderr/5820
@@ -1,5 +1,5 @@
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
 ### Recipient callout
 >>> host in hosts_connection_nolog? no (option unset)
 >>> host in host_lookup? no (option unset)
@@ -65,7 +65,7 @@
 >>> accept: condition test succeeded in inline ACL
 >>> end of inline ACL: ACCEPT
 LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
 ### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
@@ -84,10 +84,10 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
 ******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
 ### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
 ### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
diff --git a/test/stderr/5842 b/test/stderr/5842
deleted file mode 100644
index ed5eb4f58..000000000
--- a/test/stderr/5842
+++ /dev/null
@@ -1,8 +0,0 @@
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)
-
-******** SERVER ********
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)
diff --git a/test/stdout/5820 b/test/stdout/5820
index 9bdf21c3f..4b26b4c79 100644
--- a/test/stdout/5820
+++ b/test/stdout/5820
@@ -1,5 +1,5 @@
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
 ### Recipient callout
 **** SMTP testing session as if from host 127.0.0.1
@@ -10,7 +10,7 @@
 250 OK
 250 Accepted
 421 myhost.test.ex lost input connection
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
 ### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
@@ -29,10 +29,10 @@
 ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
 ******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
 ### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
 ### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
diff --git a/test/stdout/5822 b/test/stdout/5822
deleted file mode 100644
index ed5eb4f58..000000000
--- a/test/stdout/5822
+++ /dev/null
@@ -1,8 +0,0 @@
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)
-
-******** SERVER ********
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)
diff --git a/test/stdout/5842 b/test/stdout/5842
deleted file mode 100644
index ed5eb4f58..000000000
--- a/test/stdout/5842
+++ /dev/null
@@ -1,8 +0,0 @@
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)
-
-******** SERVER ********
-### TLSA (2 0 1)
-### TLSA (2 1 1)
-### TLSA (3 1 1)