From 624f33dfeab938e907251e3cc3062aa45353384f Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sat, 8 Sep 2018 19:31:49 +0100
Subject: [PATCH] DANE - testcase for fail under GnuTLS with TA-mode to a selfsigned server cert
---
 src/src/lookups/dnsdb.c | 10 ++-
 src/src/tls-gnu.c | 3 +-
 src/src/transports/smtp.c | 24 ++++++-
 test/aux-fixed/cert.HOWTO | 4 ++
 test/aux-fixed/cert.config | 17 +++++
 test/aux-fixed/cert1 | 97 ++++++++++++++---------------
 test/confs/5822 | 67 ++++++++++++++++++++
 test/confs/5842 | 64 +++++++++++++++++++
 test/dnszones-src/db.test.ex | 19 ++++++
 test/log/5822 | 20 ++++++
 test/log/5842 | 24 +++++++
 test/scripts/5820-DANE-GnuTLS/5822 | 19 ++++++
 test/scripts/5840-DANE-OpenSSL/5842 | 19 ++++++
 test/stderr/5842 | 8 +++
 test/stdout/5822 | 8 +++
 test/stdout/5842 | 8 +++
 16 files changed, 354 insertions(+), 57 deletions(-)
 create mode 100644 test/aux-fixed/cert.HOWTO
 create mode 100644 test/aux-fixed/cert.config
 create mode 100644 test/confs/5822
 create mode 100644 test/confs/5842
 create mode 100644 test/log/5822
 create mode 100644 test/log/5842
 create mode 100644 test/scripts/5820-DANE-GnuTLS/5822
 create mode 100644 test/scripts/5840-DANE-OpenSSL/5842
 create mode 100644 test/stderr/5842
 create mode 100644 test/stdout/5822
 create mode 100644 test/stdout/5842
diff --git a/src/src/lookups/dnsdb.c b/src/src/lookups/dnsdb.c
index a86338261..e75bd1edd 100644
--- a/src/src/lookups/dnsdb.c
+++ b/src/src/lookups/dnsdb.c
@@ -150,7 +150,7 @@ store as possible later, so we preallocate the result here */
 gstring * yield = string_get(256);
-dns_record *rr;
+dns_record * rr;
 dns_answer dnsa;
 dns_scan dnss;
@@ -421,7 +421,7 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
 else if (type == T_TLSA)
 {
 uint8_t usage, selector, matching_type;
- uint16_t i, payload_length;
+ uint16_t payload_length;
 uschar s[MAX_TLSA_EXPANDED_SIZE];
 uschar * sp = s;
 uschar * p = US rr->data;
@@ -434,10 +434,8 @@ while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
 sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2, selector, *outsep2, matching_type, *outsep2);
 /* Now append the cert/identifier, one hex char at a time */
- for (i=0;
- i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
- i++)
- sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
+ while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+ sp += sprintf(CS sp, "%02x", *p++);
 yield = string_cat(yield, s);
 }
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index dfe09200b..c5ecf88f9 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1775,7 +1775,8 @@ goodcert:
 #ifdef SUPPORT_DANE
 tlsa_prob:
- *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc));
+ *errstr = string_sprintf("TLSA record problem: %s",
+ rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
 #endif
 badcert:
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 076375158..703ee563a 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1247,7 +1247,29 @@ switch (rc)
 return DEFER; /* just defer this TLS'd conn */
 case DNS_SUCCEED:
- if (sec) return OK;
+ if (sec)
+ {
+ DEBUG(D_transport)
+ {
+ dns_scan dnss;
+ dns_record * rr;
+ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+ rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == T_TLSA)
+ {
+ uint16_t payload_length = rr->size - 3;
+ uschar s[MAX_TLSA_EXPANDED_SIZE], * sp = s, * p = US rr->data;
+ sp += sprintf(CS sp, "%d ", *p++); /* usage */
+ sp += sprintf(CS sp, "%d ", *p++); /* selector */
+ sp += sprintf(CS sp, "%d ", *p++); /* matchtype */
+ while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+ sp += sprintf(CS sp, "%02x", *p++);
+ debug_printf(" %s\n", s);
+ }
+ }
+ return OK;
+ }
 log_write(0, LOG_MAIN, "DANE error: TLSA lookup for %s not DNSSEC", host->name);
 /*FALLTRHOUGH*/
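Review bot: The rewritten `while` keeps the `sp-s < (MAX_TLSA_EXPANDED_SIZE - 4)` cut-off but, like the loop it replaces, gives the caller no sign that the hex string was truncated; a matching-type 0 record carries the whole certificate or SPKI rather than a digest, which presumably exceeds a buffer sized for digests, so the lookup would return a plausible-looking but incomplete value. A comment at the loop would at least document that, e.g. `/* Truncates silently: s is sized for digest payloads, not full-cert (matching type 0) records */`, and a DEBUG line when `payload_length` is still non-zero after the loop would make it visible at run time. Dropping the `(unsigned char)` cast relies on `p` being a `uschar *`, which `US rr->data` gives it, so that part is fine. The enclosing `else if (type == T_TLSA)` block and the per-record loop start outside this hunk.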
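Review bot: Mapping `DANE_E_REQUESTED_DATA_NOT_AVAILABLE` to the fixed text `none usable` removes the only detail that would let an operator tell "no TLSA record matched the presented chain" from the GnuTLS TA-mode/self-signed limitation this commit's test 5822 pins: its expected log shows the identical `TLSA record problem: none usable` for both the `2 0 1` and `2 1 1` records. Keep the numeric code next to the friendlier wording, for example by adding `DEBUG(D_tls) debug_printf("dane verify rc %d\n", rc);` before the `string_sprintf`, or fold `rc` into the message as `"TLSA record problem: %s (%d)"`. A short comment that "none usable" means GnuTLS found no record that verified the chain (the records themselves were fetched earlier, so this is not a lookup failure) would also help whoever reads the log. The `tlsa_prob:` label is reached by `goto`s outside this hunk.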
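Review bot: `uint16_t payload_length = rr->size - 3;` and the three `*p++` reads that follow assume every T_TLSA answer carries at least the 3-byte usage/selector/matching-type header; for a short record (`rr->size < 3`) the reads run past `rr->data`, `payload_length` wraps to a large value, and the hex loop then dumps up to the `MAX_TLSA_EXPANDED_SIZE` bound of whatever follows the record in the answer buffer. This is debug-only output, but it is reached with DNS data supplied by the remote side, so guard it: `if (rr->size < 3) continue;` (or a `debug_printf` noting the malformed record) before the `payload_length` line. The dnsdb.c lookup in this same commit has an equivalent loop; whatever bound it applies to `payload_length` is not visible here, so it is worth checking both places agree. The enclosing `switch (rc)` and its function start and end outside this hunk.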
diff --git a/test/aux-fixed/cert.HOWTO b/test/aux-fixed/cert.HOWTO
new file mode 100644
index 000000000..dab291548
--- /dev/null
+++ b/test/aux-fixed/cert.HOWTO
@@ -0,0 +1,4 @@
+openssl req -x509 -config cert.config -newkey rsa:2048 -keyout key.pem -out cert.pem -days 7000
+cat key.pem cert.pem > cert1
+# or cert2, as needed. Mind the day count above does not blow the Y2038 barrier.
+rm cert.pem key.pem
diff --git a/test/aux-fixed/cert.config b/test/aux-fixed/cert.config
new file mode 100644
index 000000000..36be59f60
--- /dev/null
+++ b/test/aux-fixed/cert.config
@@ -0,0 +1,17 @@
+prompt=no
+encrypt_key=no
+default_bits=2048
+distinguished_name=fixed_dn
+x509_extensions=fixed_ex
+
+[ fixed_dn ]
+C=UK
+O=The Exim Maintainers
+OU=Test Suite
+CN=Phil Pennock
+
+[ fixed_ex ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=critical,CA:TRUE, pathlen:0
+subjectAltName=DNS:test.ex, DNS:*.test.ex
diff --git a/test/aux-fixed/cert1 b/test/aux-fixed/cert1
index 1323e39c9..b939fb9df 100644
--- a/test/aux-fixed/cert1
+++ b/test/aux-fixed/cert1
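Review bot: `basicConstraints=critical,CA:TRUE, pathlen:0` on what is otherwise a server leaf certificate needs a comment, because this config is now the template the HOWTO tells people to regenerate `cert1`/`cert2` from, and a later maintainer will be tempted to "fix" it to CA:FALSE. Presumably CA:TRUE is there so the self-signed certificate can also act as the DANE-TA (usage 2) anchor that the new `dane256tas`/`dane256task` zone records point at; add `# CA:TRUE is intentional: the self-signed cert must be acceptable as a DANE-TA (usage 2) trust anchor` above that line. Changing any field here changes the certificate and SPKI digests, so the comment should also point at the TLSA records in test/dnszones-src/db.test.ex that must be regenerated alongside.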
@@ -1,51 +1,50 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA0dyUFZ7037DgtRfGoR0bVqUvCetxdZa42E3sLyZLviWRcKbY -XyYD1M44zClRq6vGwQGLI0Hea4jlJdIftyr3SmuaerJt2frPVAKcHHAHJ7rOjkUT -Kp+XHGjsinQg9Up6nz2Qo6Xdg0oPm8YRaMgIa1Qc75cWqzTn3++B5qaW2RtffYf7 -8c1OA958BHWyWlcZJNuJHYLR3CdqJb7ojtfcuCq3cWRRxJhyd/j1T51D+Xw6nGbe -QovD2+oQ/TBTUuo3Zc2YCRE+PWIQMZakdbD335HjvVj1PAu6oBKQRdccactigkR9 -tBlBIxH0q1Uh1fOd+dgLSoccCK2HlnM/GOzcfwIDAQABAoIBAB71b1MRNAabzUpp -y3+RD6tkit/nv8EdDv+53xHFkH7og+AefOTscrw9/9r+bXHp0VQ/qgr1eJ5cf5Fo -wgz/ZaOw5AUdtV7mxRcbm3QGgse1oysRvZYYHO6v+9Ug9Iu7BQPgzSmXGmp3zn2o -ZoESoUtUCUC/BTUUhPBgIMWp5a75OkaOS3fO3kSaGHPiqX1IbD8T6b7+ViR2qIwU -LjwFNTBRjorL25VXCsfChGih5TUgR9jIJcGzN6QykCHV7D29AfkRuVrKMRLEM3VD -3E0ObQfVRoXFEZR3fccJqU6E1Mg9BXbl+I9rwv3GUJXS7fXnmHKRhjzD1Dbo5Afv -jnSPL+ECgYEA9hepWibJe8N3fSCb7Eqqi/Q8ufCQqnDSCrnY6WJpRIA79DKU7OFm -3dct5pqXPUlaYC6TDQ8G0LAQL1knsuFejvV8v0y0mZspRbOg94EDTuQWp4oCIqWr -MEYbiRVHXIg5OjylVAQLM1y9IF+n3aXQAUfcStFtiiM49vRJs9StcdsCgYEA2k+B -lXN3UjZvwkDeZcjfCH1n0Rxrt0kZ7UbqEPZSz/77m9XIjWv32lpTDLecRdcR8KSx -OKH24WSQXd7DTWn+DitfSwGJjiduU2c0p4eePzfK7Yeo0bMNVixvjUZt+w9ijkWH -4CUVgo9TfuxdaTyYlmONk9JVLMeOwR8MdagVWy0CgYEAlpVn9Vgile7HoPNhNbeC -oFz1A7oma4TZoeKSzkx/qYDmLsj8w+4w6bIPzjnuLXxDJvOY27bELtJtNOvTFOw+ -1i91BAHFyPBe0t3Vs11oTs/W5PHX2KeTFtjvZHR21DIvAmm1qLFIwUcQG00tBL2/ -h+kW7Vk1M//VjZdxue57q10CgYEAufZT+gzbrYp1dNFxIN8VLdQ1ZSmCkCSTE03/ -AOfy7v7TMZHQPrej77pVWFXnpo5n18dSt10wQhs55txlHUKWiVdk2y26EP+BuUYG -0lZx9IQANooCwm51g9xiQcOm19/pIiwUbFjqk8anZ0zM3WIi0KiI50yaBYUQE23x -XSAK4RkCgYBsPJiK2BGPvFNBJo6368SVgB1H2Bu9GPUpORdirbFuy/VanSEaAGIK -vWjIOvEKnJd9NX430drAdD7hcx52fxdCsn97LSBi73Weqov4zNDadsLvTWhxlh+D -b1SITBDYjxdm9oqv4Uj10l3Ft4/X0MN2aJ4+W3/cFTGL9pNlv21Daw== ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDbSr1VPY2sW/7a +g4GiBfBYXbO9NroHTBJqi831QwPsN5F2Tyx/dQ0vByiOP8nxSmIkQ/eZM6IS3jl0 +8H8jqamyipfSghrQC3QSgtRl6wp8TEfJpwxdDyKAV1zP+TiIEqWYJLc1tmRwQ72J 
+0gXID7ME7TNDvek4Oo9BJJ2mtn0K9oY4Z6pvv5O+uljUxTryYbBtMtgMD5ZvL12b +FiNkRhgx3XX+9vpWw5o6vKdKUbKwT7KhwvUSC1eKOFMBZthUpxxH+RbYyNET1qJU +u4UrbNI1Wdwm+Cg7JkEdU1NcJbTP8CVR8Z1U7FkbhAD5HNHaTyVWO20MVYjXU/4B +3bVHWhhNAgMBAAECggEAJY9KmIP/dQsYvqKRnIe539jExV7PRBqyeM9TSnPdAyON +ZZ8v9vC8flaSirLASvS7lIyTpwjh9KtdWfsrO5d+ulbkpCimoQWlLtp7uK0mUZ3b +Gd3jzzidZzAPdIuyNBRFiqaXPrrrvxLLLwTq+pY9ylU6V5r6jCfzi2vTGM/e4PaB +Yo0YkQG9vFveCbGwG+v66ZIq8lH4CxjAfNOVXte+dKFdk6PnUSBMAq4B3n7eFjye +5nMl9fwFHVtZyBZI59i/1hSLzCjE1j0BrvTlL8BftU5SdF5sYdi/9yvUPjiRnvHT +ZPQPBH/hVzE52+VcRoWZ7vNjVaBzf/W5XkJsUc35/QKBgQDs/mSpWbiJxhGVRxuf +DiBxDAw1x+BVHd0bWe8Wp850ooBOI0TQ+wwcegySBaDpATBI1ML/plv7cWJ1+0fi +8AdG9VSDascH0OE8Y+OnHI2WDCJjRzwKPYvD+4LuQcrF6GDCdIrbitRfwdGGF7He +gsRS7GFqXawijDkCYolutqgUjwKBgQDs4Otrf2KieW6q12a+3MuSONPhiuLHDUuE +hCfX7hdSRSI4O6F9vZwkt7l9UluGW5E8cASIimfKoVfJj2m3sv6T33CacB1zQlLW +TtZb414kJ0ExbdfgxcVSvLIk+H4DSBa17iF+v8mdjbpkgT0m11QTmpqgHQamwdo0 +qUEySQgLYwKBgQDj0cjCY1VaW+UbMzgCNnpJMeOq73FfYU3jtRh5FucIiA3/Dzhg +DHUgCtN6q557XoEkAiNRzoItvFmCQQRhy4uzUrLjggnCIbHjc8KsKm6RBykndpro +3TE2PNkoYGakyTX6uD2jvllZk9/un2iFFf/UFxeuQE3xCArlmAO1QjFhUQKBgQCb +waVrEN71gK1xLqPDuoEtC6resik9w5M1doSQamDxWr4Ohb9BY+0JA7m3GvFNnmYY +fHuuoHtw9Lg5s9BK1yqoZxKuqivjPugjPMGcuBuN4DXw345EoSaHqcXlo3OQitVM +GWHy6v8SV0AJmCVypcIGBfHIeG2INw1Y9TYGb5kXiwKBgCDqpa46uROTxQW4CU12 +TuEPeGkojRqNf/f1OzTULwO71rKxZ7Hl2LWCkygX7Nn2XogrHhBTNEoAmDzxuC6g +hGIoBak7P/GOcaiT2GFzsCgGjRIB8REOLywnl+KkLQI2FjOCztNtBdXwaCZo4/wa +O1GQXNSW4Ktbr4eq/l+loftA +-----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIID8DCCAtigAwIBAgIJALYf3pBgPTGPMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV -BAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEGA1UECxMK -VGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrMB4XDTEyMDUxNzE0NDYw -M1oXDTMxMDUxMzE0NDYwM1owWDELMAkGA1UEBhMCVUsxHTAbBgNVBAoTFFRoZSBF -eGltIE1haW50YWluZXJzMRMwEQYDVQQLEwpUZXN0IFN1aXRlMRUwEwYDVQQDEwxQ -aGlsIFBlbm5vY2swggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDR3JQV -nvTfsOC1F8ahHRtWpS8J63F1lrjYTewvJku+JZFwpthfJgPUzjjMKVGrq8bBAYsj 
-Qd5riOUl0h+3KvdKa5p6sm3Z+s9UApwccAcnus6ORRMqn5ccaOyKdCD1SnqfPZCj -pd2DSg+bxhFoyAhrVBzvlxarNOff74HmppbZG199h/vxzU4D3nwEdbJaVxkk24kd -gtHcJ2olvuiO19y4KrdxZFHEmHJ3+PVPnUP5fDqcZt5Ci8Pb6hD9MFNS6jdlzZgJ -ET49YhAxlqR1sPffkeO9WPU8C7qgEpBF1xxpy2KCRH20GUEjEfSrVSHV85352AtK -hxwIrYeWcz8Y7Nx/AgMBAAGjgbwwgbkwHQYDVR0OBBYEFDZtAgvs96t7shvAZbPt -YIzxz06fMIGJBgNVHSMEgYEwf4AUNm0CC+z3q3uyG8Bls+1gjPHPTp+hXKRaMFgx -CzAJBgNVBAYTAlVLMR0wGwYDVQQKExRUaGUgRXhpbSBNYWludGFpbmVyczETMBEG -A1UECxMKVGVzdCBTdWl0ZTEVMBMGA1UEAxMMUGhpbCBQZW5ub2NrggkAth/ekGA9 -MY8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEANtHbMYqw3Ln07gif -F11TyWuUzfZ1HAdj5x+ec/ZhOrMbXJwNnQnZzdESoiqk0C1fqNsog1ur9pzYxBJo -92OpxkTxvBr2Wi2igfUPbMXWttKu5OFTU00Y8Lp6JEJjtw1zAQB1ka+/5xGYAPfC -lL/a4RQygNb2e+Q+fOwWz8YZZ2hsidtc7UbH96Eu4489PipD8GXH0T2SY4VEtwUT -g6uUJjZpznusPhc/uoq5vZVP9AU1EiU+KE55bRuP0QGKIGK3K5WfodKYvF76lhsG -gLuqb/jVqZsQKcDSj0BGnlimvgEnydeXSYYIUJichEK7dTSjsAn40hUO2dFRMYTx -W45BdA== +MIIDqDCCApCgAwIBAgIJAKqgt56kQKU1MA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV +BAYTAlVLMR0wGwYDVQQKDBRUaGUgRXhpbSBNYWludGFpbmVyczETMBEGA1UECwwK +VGVzdCBTdWl0ZTEVMBMGA1UEAwwMUGhpbCBQZW5ub2NrMB4XDTE4MDkwODIxNTkz +M1oXDTM3MTEwNzIxNTkzM1owWDELMAkGA1UEBhMCVUsxHTAbBgNVBAoMFFRoZSBF +eGltIE1haW50YWluZXJzMRMwEQYDVQQLDApUZXN0IFN1aXRlMRUwEwYDVQQDDAxQ +aGlsIFBlbm5vY2swggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbSr1V +PY2sW/7ag4GiBfBYXbO9NroHTBJqi831QwPsN5F2Tyx/dQ0vByiOP8nxSmIkQ/eZ +M6IS3jl08H8jqamyipfSghrQC3QSgtRl6wp8TEfJpwxdDyKAV1zP+TiIEqWYJLc1 +tmRwQ72J0gXID7ME7TNDvek4Oo9BJJ2mtn0K9oY4Z6pvv5O+uljUxTryYbBtMtgM +D5ZvL12bFiNkRhgx3XX+9vpWw5o6vKdKUbKwT7KhwvUSC1eKOFMBZthUpxxH+RbY +yNET1qJUu4UrbNI1Wdwm+Cg7JkEdU1NcJbTP8CVR8Z1U7FkbhAD5HNHaTyVWO20M +VYjXU/4B3bVHWhhNAgMBAAGjdTBzMB0GA1UdDgQWBBSf1ImemL7AfEX6VnxKJAfV +0AoufDAfBgNVHSMEGDAWgBSf1ImemL7AfEX6VnxKJAfV0AoufDASBgNVHRMBAf8E +CDAGAQH/AgEAMB0GA1UdEQQWMBSCB3Rlc3QuZXiCCSoudGVzdC5leDANBgkqhkiG +9w0BAQsFAAOCAQEAWvHVO8qVwR9SO3DGtGPbecIcXfwdBX/uajiOr6tMhRK/9Dqk ++PW3sdHbfNc4IVREdT8RPZYLirJVR71JxCThsoM0waNtl/g6GEaq6RH8zZ4d65Kr 
+ov1UaaazK+T5cxqclkTXFNelsm+Rx242U1/YlwOgV+nWmkI7TfMBY1HxkPjGfTSc
+hJ3td5/MkUnCrzLLYWZXA01bTCSsvFe0eiMeqMGIJ3qYHpoFlQOZRKF2k/E0p9Ge
+lzhhpYsbDhJHOAxD2eMTJ4z4HrAtZx9ZUJSbShB3T3yfFUkHF7SITMyTzNtv0as7
+cNViaXlSAA5v9isr/xdBvljHyhTjm9nXya4ylQ==
 -----END CERTIFICATE-----
diff --git a/test/confs/5822 b/test/confs/5822
new file mode 100644
index 000000000..80a8ef43b
--- /dev/null
+++ b/test/confs/5822
@@ -0,0 +1,67 @@
+# Exim test configuration 5822
+# DANE/GnuTLS
+
+SERVER=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
+
+queue_run_in_order
+
+tls_advertise_hosts = *
+# needed to force generation
+tls_dhparam = historic
+
+tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = dnslookup
+ condition = ${if eq {SERVER}{}}
+ dnssec_request_domains = *
+ self = send
+ transport = send_to_server
+ errors_to = ""
+
+server:
+ driver = redirect
+ condition = ${if !eq {SERVER}{}}
+ data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+
+ hosts_try_dane = *
+ hosts_require_dane = HOSTIPV4
+ tls_verify_cert_hostnames = :
+ tls_try_verify_hosts = thishost.test.ex
+# tls_verify_certificates = CDIR2/ca_chain.pem
+
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/confs/5842 b/test/confs/5842
new file mode 100644
index 000000000..be45e847c
--- /dev/null
+++ b/test/confs/5842
@@ -0,0 +1,64 @@
+# Exim test configuration 5822
+# DANE/OpenSSL
+
+SERVER=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
+
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+tls_certificate = ${if eq {SERVER}{server} {DIR/aux-fixed/cert1} fail}
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = dnslookup
+ condition = ${if eq {SERVER}{}}
+ dnssec_request_domains = *
+ self = send
+ transport = send_to_server
+ errors_to = ""
+
+server:
+ driver = redirect
+ data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+
+ hosts_try_dane = *
+ hosts_require_dane = HOSTIPV4
+ tls_verify_cert_hostnames = :
+ tls_try_verify_hosts = thishost.test.ex
+# tls_verify_certificates = CDIR2/ca_chain.pem
+
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 492ee5df8..0efd1a28b 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
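Review bot: The header comment of the new file reads `# Exim test configuration 5822` but this is 5842; change it to `# Exim test configuration 5842`. The `server:` router also differs from its twin in confs/5822 in that it has no `condition = ${if !eq {SERVER}{}}`, so in the client run (SERVER empty) anything the `client` dnslookup router declines falls through to `:blackhole:` and is discarded with a successful-looking delivery instead of surfacing in the log; unless that is deliberate for the OpenSSL variant, add the same `condition` line so a routing failure cannot masquerade as a pass.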
@@ -470,6 +470,25 @@ DNSSEC dane256tak A HOSTIPV4
 DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 73e279c0f5f5a9ee9851bbbc39023603d7b266acfd0764419c3b07cc380b79f9
+; full MX, both TA & EE modes, cert is selfsigned
+; for testing an issue in the gnutls impl
+;
+; tas:
+; openssl x509 -in aux-fixed/cert1 -fingerprint -sha256 -noout \
+; | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
+;
+DNSSEC mxdane256tas MX 1 dane256tas
+DNSSEC dane256tas A HOSTIPV4
+DNSSEC _1225._tcp.dane256tas TLSA 2 0 1 34d3624101b954d667c1a5ac18078b196cd17fbd61e23df73249c1afab747124
+DNSSEC mxdane256task MX 1 dane256task
+DNSSEC dane256task A HOSTIPV4
+DNSSEC _1225._tcp.dane256task TLSA 2 1 1 c1241d8cc61401079437240467a47e21db921d3398883cd9bb038cc461d7beab
+DNSSEC mxdane256ees MX 1 dane256ees
+DNSSEC dane256ees A HOSTIPV4
+DNSSEC _1225._tcp.dane256ees TLSA 3 1 1 c1241d8cc61401079437240467a47e21db921d3398883cd9bb038cc461d7beab
+
+
+
 ; A multiple-return MX where all TLSA lookups defer
 DNSSEC mxdanelazy MX 1 danelazy
 DNSSEC MX 2 danelazy2
diff --git a/test/log/5822 b/test/log/5822
new file mode 100644
index 000000000..43b032b13
--- /dev/null
+++ b/test/log/5822
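Review bot: The comment documents how the `2 0 1` (`tas`) full-certificate SHA-256 was produced but not the SPKI digest shared by the `2 1 1` and `3 1 1` records, so the next person who regenerates `cert1` (the HOWTO in this commit makes that a one-liner) has no recipe for `c1241d8c...`. Add below the `tas:` recipe something like `; task/ees (selector 1, SPKI): openssl x509 -in aux-fixed/cert1 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`. Since `cert1` was regenerated in this same commit, any other TLSA records in this zone that were derived from the old `cert1` would also need refreshing; none are visible in this hunk (`dane256tak` just above uses a different digest), so this is worth confirming against the rest of the zone file.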
@@ -0,0 +1,20 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256tas.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 DANE attempt failed; TLS connection to dane256tas.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaX-0005vi-00 !!SHOULD_WORK!! CALLER@mxdane256tas.test.ex R=client T=send_to_server defer (-37) H=dane256tas.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256task.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 DANE attempt failed; TLS connection to dane256task.test.ex [ip4.ip4.ip4.ip4]: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaY-0005vi-00 !!SHOULD_WORK!! CALLER@mxdane256task.test.ex R=client T=send_to_server defer (-37) H=dane256task.test.ex [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): TLSA record problem: none usable
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@mxdane256ees.test.ex R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/5842 b/test/log/5842
new file mode 100644
index 000000000..1146cba34
--- /dev/null
+++ b/test/log/5842
@@ -0,0 +1,24 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256tas.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@mxdane256tas.test.ex R=client T=send_to_server H=dane256tas.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256task.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@mxdane256task.test.ex R=client T=send_to_server H=dane256task.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ees.test.ex R=client T=send_to_server H=dane256ees.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@mxdane256tas.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for CALLER@mxdane256task.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ees.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
diff --git a/test/scripts/5820-DANE-GnuTLS/5822 b/test/scripts/5820-DANE-GnuTLS/5822
new file mode 100644
index 000000000..9e565ab49
--- /dev/null
+++ b/test/scripts/5820-DANE-GnuTLS/5822
@@ -0,0 +1,19 @@
+# DANE server: selfsigned cert
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+### TLSA (2 0 1)
+exim -odf CALLER@mxdane256tas.test.ex
+Testing
+****
+### TLSA (2 1 1)
+exim -odf CALLER@mxdane256task.test.ex
+Testing
+****
+### TLSA (3 1 1)
+exim -odf CALLER@mxdane256ees.test.ex
+Testing
+****
+killdaemon
+#
+no_msglog_check
diff --git a/test/scripts/5840-DANE-OpenSSL/5842 b/test/scripts/5840-DANE-OpenSSL/5842
new file mode 100644
index 000000000..da9e4e3c7
--- /dev/null
+++ b/test/scripts/5840-DANE-OpenSSL/5842
@@ -0,0 +1,19 @@
+# DANE server: selfsigned and TA-mode
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+### TLSA (2 0 1)
+exim -odf CALLER@mxdane256tas.test.ex
+Testing
+****
+### TLSA (2 1 1)
+exim -odf CALLER@mxdane256task.test.ex
+Testing
+****
+### TLSA (3 1 1)
+exim -odf CALLER@mxdane256ees.test.ex
+Testing
+****
+killdaemon
+#
+no_msglog_check
diff --git a/test/stderr/5842 b/test/stderr/5842
new file mode 100644
index 000000000..ed5eb4f58
--- /dev/null
+++ b/test/stderr/5842
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
diff --git a/test/stdout/5822 b/test/stdout/5822
new file mode 100644
index 000000000..ed5eb4f58
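Review bot: The script header `# DANE server: selfsigned cert` does not say that the `2 0 1` and `2 1 1` cases are expected to fail under GnuTLS, yet the expected log for this test records both as `!!SHOULD_WORK!!` deferrals while the OpenSSL twin (5842) expects all three deliveries to succeed. A maintainer seeing 5822 pass will not know it is pinning a known limitation, nor that a GnuTLS-side fix is meant to break this test so the expected output gets updated. Add a line to the header, e.g. `# TA-mode (usage 2) to a self-signed cert currently fails under GnuTLS; log/5822 marks those cases !!SHOULD_WORK!!`, and consider the same in 5842, whose header says `selfsigned and TA-mode` but is otherwise identical to this script.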
--- /dev/null
+++ b/test/stdout/5822
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
diff --git a/test/stdout/5842 b/test/stdout/5842
new file mode 100644
index 000000000..ed5eb4f58
--- /dev/null
+++ b/test/stdout/5842
@@ -0,0 +1,8 @@
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
+
+******** SERVER ********
+### TLSA (2 0 1)
+### TLSA (2 1 1)
+### TLSA (3 1 1)
-- 
2.25.1