From ffc3d145e3819e1a3762caa1bbe8b07e723fbaf2 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 3 Feb 2019 22:12:48 +0000 Subject: [PATCH] TLS: add variables for the IETF standard name for the connection ciphersuite --- doc/doc-docbook/spec.xfpt | 29 ++- doc/doc-txt/ChangeLog | 2 + doc/doc-txt/NewStuff | 3 + src/OS/Makefile-Base | 3 +- src/scripts/MakeLinks | 3 +- src/src/expand.c | 2 + src/src/globals.c | 12 +- src/src/globals.h | 2 + src/src/tls-cipher-stdname.c | 393 +++++++++++++++++++++++++++++++++ src/src/tls-gnu.c | 56 +++-- src/src/tls-openssl.c | 57 +++-- test/log/2102.openssl_1_1_1 | 8 +- test/runtest | 13 +- test/stderr/0402 | 40 +++- test/stderr/0544 | 40 +++- test/stderr/5410 | 120 +++++++--- test/stderr/5420 | 120 +++++++--- test/stdout/2114.openssl_1_1_1 | 18 +- test/stdout/2124.openssl_1_1_1 | 2 +- test/stdout/2132.openssl_1_1_1 | 8 +- 20 files changed, 784 insertions(+), 147 deletions(-) create mode 100644 src/src/tls-cipher-stdname.c diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 331e56021..1f45a6f04 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -13220,6 +13220,12 @@ The deprecated &$tls_cipher$& variable is the same as &$tls_in_cipher$& during m but in the context of an outward SMTP delivery taking place via the &(smtp)& transport becomes the same as &$tls_out_cipher$&. +.new +.vitem &$tls_in_cipher_std$& +.vindex "&$tls_in_cipher_std$&" +As above, but returning the RFC standard name for the cipher suite. +.wen + .vitem &$tls_out_cipher$& .vindex "&$tls_out_cipher$&" This variable is @@ -13228,6 +13234,12 @@ and then set to the outgoing cipher suite if one is negotiated. See chapter &<>& for details of TLS support and chapter &<>& for details of the &(smtp)& transport. +,new +.vitem &$tls_out_cipher_std$& +.vindex "&$tls_out_cipher_std$&" +As above, but returning the RFC standard name for the cipher suite. +.wen + .vitem &$tls_out_dane$& .vindex &$tls_out_dane$& DANE active status. See section &<>&. @@ -16459,23 +16471,26 @@ on at the end (preceded by a semicolon). The string is expanded each time it is used. If the expansion yields an empty string, no &'Received:'& header line is added to the message. Otherwise, the string should start with the text &"Received:"& and conform to the RFC 2822 specification for &'Received:'& -header lines. The default setting is: +header lines. +.new +The default setting is: .code received_header_text = Received: \ ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\ - {${if def:sender_ident \ - {from ${quote_local_part:$sender_ident} }}\ - ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ + {${if def:sender_ident \ + {from ${quote_local_part:$sender_ident} }}\ + ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ by $primary_hostname \ - ${if def:received_protocol {with $received_protocol}} \ - ${if def:tls_in_cipher {($tls_in_cipher)\n\t}}\ + ${if def:received_protocol {with $received_protocol }}\ + ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\ (Exim $version_number)\n\t\ ${if def:sender_address \ {(envelope-from <$sender_address>)\n\t}}\ id $message_exim_id\ ${if def:received_for {\n\tfor $received_for}} .endd +.wen The reference to the TLS cipher is omitted when Exim is built without TLS support. The use of conditional expansions ensures that this works for both @@ -27350,7 +27365,7 @@ but is a full SMTP SASL authenticator rather than being implicit for TLS-connection carried client certificates only. -The examples and discussion in this chapter assume that +The examples and discussion in this chapter assume that client-certificate authentication is being done. The client must present a certificate, diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index eebc9d8a7..800cfaf57 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -18,6 +18,8 @@ JH/02 OpenSSL: suppress the sending of (stateful) TLS1.3 session tickets. JH/03 Debug output for ACL now gives the config file name and line number for each verb. +JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause. + Exim version 4.92 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index c44e21af0..ac0254ffa 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -13,6 +13,9 @@ Version 4.92 2. A JSON lookup type, and JSON variants of the forall/any expansion conditions. + 3. Variables $tls_in_cipher_std, $tls_out_cipher_std giving the RFC names + for ciphersuites. + Version 4.92 -------------- diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base index 79bec063b..b99cb9ffc 100644 --- a/src/OS/Makefile-Base +++ b/src/OS/Makefile-Base @@ -816,7 +816,8 @@ store.o: $(HDRS) store.c string.o: $(HDRS) string.c tls.o: $(HDRS) tls.c \ tls-gnu.c tlscert-gnu.c \ - tls-openssl.c tlscert-openssl.c + tls-openssl.c tlscert-openssl.c \ + tls-cipher-stdname.c tod.o: $(HDRS) tod.c transport.o: $(HDRS) transport.c tree.o: $(HDRS) tree.c diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks index b71736797..8d8345c06 100755 --- a/src/scripts/MakeLinks +++ b/src/scripts/MakeLinks @@ -106,7 +106,8 @@ for f in blob.h dbfunctions.h dbstuff.h exim.h functions.h globals.h \ rda.c readconf.c receive.c retry.c rewrite.c rfc2047.c route.c search.c \ setenv.c environment.c \ sieve.c smtp_in.c smtp_out.c spool_in.c spool_out.c std-crypto.c store.c \ - string.c tls.c tlscert-gnu.c tlscert-openssl.c tls-gnu.c tls-openssl.c \ + string.c tls.c tlscert-gnu.c tlscert-openssl.c tls-cipher-stdname.c \ + tls-gnu.c tls-openssl.c \ tod.c transport.c tree.c verify.c version.c \ dkim.c dkim.h dkim_transport.c dmarc.c dmarc.h \ valgrind.h memcheck.h \ diff --git a/src/src/expand.c b/src/src/expand.c index 2128ee72c..ec5660adb 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -749,6 +749,7 @@ static var_entry var_table[] = { { "tls_in_bits", vtype_int, &tls_in.bits }, { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified }, { "tls_in_cipher", vtype_stringptr, &tls_in.cipher }, + { "tls_in_cipher_std", vtype_stringptr, &tls_in.cipher_stdname }, { "tls_in_ocsp", vtype_int, &tls_in.ocsp }, { "tls_in_ourcert", vtype_cert, &tls_in.ourcert }, { "tls_in_peercert", vtype_cert, &tls_in.peercert }, @@ -759,6 +760,7 @@ static var_entry var_table[] = { { "tls_out_bits", vtype_int, &tls_out.bits }, { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified }, { "tls_out_cipher", vtype_stringptr, &tls_out.cipher }, + { "tls_out_cipher_std", vtype_stringptr, &tls_out.cipher_stdname }, #ifdef SUPPORT_DANE { "tls_out_dane", vtype_bool, &tls_out.dane_verified }, #endif diff --git a/src/src/globals.c b/src/src/globals.c index b3362a34c..df71025a3 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -1246,13 +1246,13 @@ date will be automatically added on the end. */ uschar *received_header_text = US "Received: " "${if def:sender_rcvhost {from $sender_rcvhost\n\t}" - "{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}" - "${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}" + "{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}" + "${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}" "by $primary_hostname " - "${if def:received_protocol {with $received_protocol}} " - #ifdef SUPPORT_TLS - "${if def:tls_cipher {($tls_cipher)\n\t}}" - #endif + "${if def:received_protocol {with $received_protocol }}" +#ifdef SUPPORT_TLS + "${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}" +#endif "(Exim $version_number)\n\t" "${if def:sender_address {(envelope-from <$sender_address>)\n\t}}" "id $message_exim_id" diff --git a/src/src/globals.h b/src/src/globals.h index c90783e3c..453d8325d 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -88,6 +88,8 @@ typedef struct { int tlsa_usage; /* TLSA record(s) usage */ #endif uschar *cipher; /* Cipher used */ + const uschar *cipher_stdname; /* Cipher used, RFC version */ + BOOL on_connect; /* For older MTAs that don't STARTTLS */ uschar *on_connect_ports; /* Ports always tls-on-connect */ void *ourcert; /* Certificate we presented, binary */ diff --git a/src/src/tls-cipher-stdname.c b/src/src/tls-cipher-stdname.c new file mode 100644 index 000000000..ab973af51 --- /dev/null +++ b/src/src/tls-cipher-stdname.c @@ -0,0 +1,393 @@ +/************************************************* +* Exim - an Internet mail transport agent * +*************************************************/ + +/* Copyright (c) Jeremy Harris 2019 */ +/* See the file NOTICE for conditions of use and distribution. */ + +/* Translate an IETF TLS ciphersuite code to an IETF ciphersuite name, +for use when the TLS library do not provide such names. +This file is #included by the tls-.c file. + +Values for these tables pulled on 2019/02/03 from +https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */ + + + +static const uschar * ctb_00[] = { +[0x00] = US "TLS_NULL_WITH_NULL_NULL", +[0x01] = US "TLS_RSA_WITH_NULL_MD5", +[0x02] = US "TLS_RSA_WITH_NULL_SHA", +[0x03] = US "TLS_RSA_EXPORT_WITH_RC4_40_MD5", +[0x04] = US "TLS_RSA_WITH_RC4_128_MD5", +[0x05] = US "TLS_RSA_WITH_RC4_128_SHA", +[0x06] = US "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", +[0x07] = US "TLS_RSA_WITH_IDEA_CBC_SHA", +[0x08] = US "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", +[0x09] = US "TLS_RSA_WITH_DES_CBC_SHA", +[0x0A] = US "TLS_RSA_WITH_3DES_EDE_CBC_SHA", +[0x0B] = US "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", +[0x0C] = US "TLS_DH_DSS_WITH_DES_CBC_SHA", +[0x0D] = US "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", +[0x0E] = US "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", +[0x0F] = US "TLS_DH_RSA_WITH_DES_CBC_SHA", +[0x10] = US "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", +[0x11] = US "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", +[0x12] = US "TLS_DHE_DSS_WITH_DES_CBC_SHA", +[0x13] = US "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", +[0x14] = US "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", +[0x15] = US "TLS_DHE_RSA_WITH_DES_CBC_SHA", +[0x16] = US "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", +[0x17] = US "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", +[0x18] = US "TLS_DH_anon_WITH_RC4_128_MD5", +[0x19] = US "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA", +[0x1A] = US "TLS_DH_anon_WITH_DES_CBC_SHA", +[0x1B] = US "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", + +[0x1E] = US "TLS_KRB5_WITH_DES_CBC_SHA", +[0x1F] = US "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", +[0x20] = US "TLS_KRB5_WITH_RC4_128_SHA", +[0x21] = US "TLS_KRB5_WITH_IDEA_CBC_SHA", +[0x22] = US "TLS_KRB5_WITH_DES_CBC_MD5", +[0x23] = US "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", +[0x24] = US "TLS_KRB5_WITH_RC4_128_MD5", +[0x25] = US "TLS_KRB5_WITH_IDEA_CBC_MD5", +[0x26] = US "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", +[0x27] = US "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", +[0x28] = US "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", +[0x29] = US "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", +[0x2A] = US "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", +[0x2B] = US "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", +[0x2C] = US "TLS_PSK_WITH_NULL_SHA", +[0x2D] = US "TLS_DHE_PSK_WITH_NULL_SHA", +[0x2E] = US "TLS_RSA_PSK_WITH_NULL_SHA", +[0x2F] = US "TLS_RSA_WITH_AES_128_CBC_SHA", +[0x30] = US "TLS_DH_DSS_WITH_AES_128_CBC_SHA", +[0x31] = US "TLS_DH_RSA_WITH_AES_128_CBC_SHA", +[0x32] = US "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", +[0x33] = US "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", +[0x34] = US "TLS_DH_anon_WITH_AES_128_CBC_SHA", +[0x35] = US "TLS_RSA_WITH_AES_256_CBC_SHA", +[0x36] = US "TLS_DH_DSS_WITH_AES_256_CBC_SHA", +[0x37] = US "TLS_DH_RSA_WITH_AES_256_CBC_SHA", +[0x38] = US "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", +[0x39] = US "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", +[0x3A] = US "TLS_DH_anon_WITH_AES_256_CBC_SHA", +[0x3B] = US "TLS_RSA_WITH_NULL_SHA256", +[0x3C] = US "TLS_RSA_WITH_AES_128_CBC_SHA256", +[0x3D] = US "TLS_RSA_WITH_AES_256_CBC_SHA256", +[0x3E] = US "TLS_DH_DSS_WITH_AES_128_CBC_SHA256", +[0x3F] = US "TLS_DH_RSA_WITH_AES_128_CBC_SHA256", +[0x40] = US "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", +[0x41] = US "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", +[0x42] = US "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", +[0x43] = US "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", +[0x44] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", +[0x45] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", +[0x46] = US "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", + +[0x67] = US "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", +[0x68] = US "TLS_DH_DSS_WITH_AES_256_CBC_SHA256", +[0x69] = US "TLS_DH_RSA_WITH_AES_256_CBC_SHA256", +[0x6A] = US "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", +[0x6B] = US "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", +[0x6C] = US "TLS_DH_anon_WITH_AES_128_CBC_SHA256", +[0x6D] = US "TLS_DH_anon_WITH_AES_256_CBC_SHA256", + +[0x84] = US "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", +[0x85] = US "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", +[0x86] = US "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", +[0x87] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", +[0x88] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", +[0x89] = US "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", +[0x8A] = US "TLS_PSK_WITH_RC4_128_SHA", +[0x8B] = US "TLS_PSK_WITH_3DES_EDE_CBC_SHA", +[0x8C] = US "TLS_PSK_WITH_AES_128_CBC_SHA", +[0x8D] = US "TLS_PSK_WITH_AES_256_CBC_SHA", +[0x8E] = US "TLS_DHE_PSK_WITH_RC4_128_SHA", +[0x8F] = US "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", +[0x90] = US "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", +[0x91] = US "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", +[0x92] = US "TLS_RSA_PSK_WITH_RC4_128_SHA", +[0x93] = US "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", +[0x94] = US "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", +[0x95] = US "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", +[0x96] = US "TLS_RSA_WITH_SEED_CBC_SHA", +[0x97] = US "TLS_DH_DSS_WITH_SEED_CBC_SHA", +[0x98] = US "TLS_DH_RSA_WITH_SEED_CBC_SHA", +[0x99] = US "TLS_DHE_DSS_WITH_SEED_CBC_SHA", +[0x9A] = US "TLS_DHE_RSA_WITH_SEED_CBC_SHA", +[0x9B] = US "TLS_DH_anon_WITH_SEED_CBC_SHA", +[0x9C] = US "TLS_RSA_WITH_AES_128_GCM_SHA256", +[0x9D] = US "TLS_RSA_WITH_AES_256_GCM_SHA384", +[0x9E] = US "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", +[0x9F] = US "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", +[0xA0] = US "TLS_DH_RSA_WITH_AES_128_GCM_SHA256", +[0xA1] = US "TLS_DH_RSA_WITH_AES_256_GCM_SHA384", +[0xA2] = US "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", +[0xA3] = US "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", +[0xA4] = US "TLS_DH_DSS_WITH_AES_128_GCM_SHA256", +[0xA5] = US "TLS_DH_DSS_WITH_AES_256_GCM_SHA384", +[0xA6] = US "TLS_DH_anon_WITH_AES_128_GCM_SHA256", +[0xA7] = US "TLS_DH_anon_WITH_AES_256_GCM_SHA384", +[0xA8] = US "TLS_PSK_WITH_AES_128_GCM_SHA256", +[0xA9] = US "TLS_PSK_WITH_AES_256_GCM_SHA384", +[0xAA] = US "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", +[0xAB] = US "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384", +[0xAC] = US "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", +[0xAD] = US "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", +[0xAE] = US "TLS_PSK_WITH_AES_128_CBC_SHA256", +[0xAF] = US "TLS_PSK_WITH_AES_256_CBC_SHA384", +[0xB0] = US "TLS_PSK_WITH_NULL_SHA256", +[0xB1] = US "TLS_PSK_WITH_NULL_SHA384", +[0xB2] = US "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", +[0xB3] = US "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", +[0xB4] = US "TLS_DHE_PSK_WITH_NULL_SHA256", +[0xB5] = US "TLS_DHE_PSK_WITH_NULL_SHA384", +[0xB6] = US "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", +[0xB7] = US "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", +[0xB8] = US "TLS_RSA_PSK_WITH_NULL_SHA256", +[0xB9] = US "TLS_RSA_PSK_WITH_NULL_SHA384", +[0xBA] = US "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", +[0xBB] = US "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", +[0xBC] = US "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", +[0xBD] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", +[0xBE] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", +[0xBF] = US "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", +[0xC0] = US "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", +[0xC1] = US "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", +[0xC2] = US "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", +[0xC3] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", +[0xC4] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", +[0xC5] = US "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", +}; +static const uschar * ctb_13[] = { +[0x01] = US "TLS_AES_128_GCM_SHA256", +[0x02] = US "TLS_AES_256_GCM_SHA384", +[0x03] = US "TLS_CHACHA20_POLY1305_SHA256", +[0x04] = US "TLS_AES_128_CCM_SHA256", +[0x05] = US "TLS_AES_128_CCM_8_SHA256", +}; +static const uschar * ctb_c0[] = { +[0x01] = US "TLS_ECDH_ECDSA_WITH_NULL_SHA", +[0x02] = US "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", +[0x03] = US "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", +[0x04] = US "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", +[0x05] = US "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", +[0x06] = US "TLS_ECDHE_ECDSA_WITH_NULL_SHA", +[0x07] = US "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", +[0x08] = US "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", +[0x09] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", +[0x0A] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", +[0x0B] = US "TLS_ECDH_RSA_WITH_NULL_SHA", +[0x0C] = US "TLS_ECDH_RSA_WITH_RC4_128_SHA", +[0x0D] = US "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", +[0x0E] = US "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", +[0x0F] = US "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", +[0x10] = US "TLS_ECDHE_RSA_WITH_NULL_SHA", +[0x11] = US "TLS_ECDHE_RSA_WITH_RC4_128_SHA", +[0x12] = US "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", +[0x13] = US "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", +[0x14] = US "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", +[0x15] = US "TLS_ECDH_anon_WITH_NULL_SHA", +[0x16] = US "TLS_ECDH_anon_WITH_RC4_128_SHA", +[0x17] = US "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", +[0x18] = US "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", +[0x19] = US "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", +[0x1A] = US "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", +[0x1B] = US "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", +[0x1C] = US "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", +[0x1D] = US "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", +[0x1E] = US "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", +[0x1F] = US "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", +[0x20] = US "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", +[0x21] = US "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", +[0x22] = US "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", +[0x23] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", +[0x24] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", +[0x25] = US "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", +[0x26] = US "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", +[0x27] = US "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", +[0x28] = US "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", +[0x29] = US "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", +[0x2A] = US "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", +[0x2B] = US "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", +[0x2C] = US "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", +[0x2D] = US "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", +[0x2E] = US "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", +[0x2F] = US "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", +[0x30] = US "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", +[0x31] = US "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", +[0x32] = US "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", +[0x33] = US "TLS_ECDHE_PSK_WITH_RC4_128_SHA", +[0x34] = US "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", +[0x35] = US "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", +[0x36] = US "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", +[0x37] = US "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", +[0x38] = US "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", +[0x39] = US "TLS_ECDHE_PSK_WITH_NULL_SHA", +[0x3A] = US "TLS_ECDHE_PSK_WITH_NULL_SHA256", +[0x3B] = US "TLS_ECDHE_PSK_WITH_NULL_SHA384", +[0x3C] = US "TLS_RSA_WITH_ARIA_128_CBC_SHA256", +[0x3D] = US "TLS_RSA_WITH_ARIA_256_CBC_SHA384", +[0x3E] = US "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256", +[0x3F] = US "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384", +[0x40] = US "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256", +[0x41] = US "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384", +[0x42] = US "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256", +[0x43] = US "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384", +[0x44] = US "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256", +[0x45] = US "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384", +[0x46] = US "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256", +[0x47] = US "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384", +[0x48] = US "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256", +[0x49] = US "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384", +[0x4A] = US "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256", +[0x4B] = US "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384", +[0x4C] = US "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256", +[0x4D] = US "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384", +[0x4E] = US "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256", +[0x4F] = US "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384", +[0x50] = US "TLS_RSA_WITH_ARIA_128_GCM_SHA256", +[0x51] = US "TLS_RSA_WITH_ARIA_256_GCM_SHA384", +[0x52] = US "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256", +[0x53] = US "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384", +[0x54] = US "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256", +[0x55] = US "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384", +[0x56] = US "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256", +[0x57] = US "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384", +[0x58] = US "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256", +[0x59] = US "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384", +[0x5A] = US "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256", +[0x5B] = US "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384", +[0x5C] = US "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", +[0x5D] = US "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", +[0x5E] = US "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256", +[0x5F] = US "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384", +[0x60] = US "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", +[0x61] = US "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", +[0x62] = US "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256", +[0x63] = US "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384", +[0x64] = US "TLS_PSK_WITH_ARIA_128_CBC_SHA256", +[0x65] = US "TLS_PSK_WITH_ARIA_256_CBC_SHA384", +[0x66] = US "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256", +[0x67] = US "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384", +[0x68] = US "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256", +[0x69] = US "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384", +[0x6A] = US "TLS_PSK_WITH_ARIA_128_GCM_SHA256", +[0x6B] = US "TLS_PSK_WITH_ARIA_256_GCM_SHA384", +[0x6C] = US "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256", +[0x6D] = US "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384", +[0x6E] = US "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256", +[0x6F] = US "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384", +[0x70] = US "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256", +[0x71] = US "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384", +[0x72] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", +[0x73] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", +[0x74] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", +[0x75] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", +[0x76] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", +[0x77] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", +[0x78] = US "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256", +[0x79] = US "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384", +[0x7A] = US "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", +[0x7B] = US "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", +[0x7C] = US "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", +[0x7D] = US "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", +[0x7E] = US "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256", +[0x7F] = US "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384", +[0x80] = US "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256", +[0x81] = US "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384", +[0x82] = US "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256", +[0x83] = US "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384", +[0x84] = US "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", +[0x85] = US "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384", +[0x86] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", +[0x87] = US "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", +[0x88] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", +[0x89] = US "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", +[0x8A] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", +[0x8B] = US "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", +[0x8C] = US "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256", +[0x8D] = US "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384", +[0x8E] = US "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", +[0x8F] = US "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384", +[0x90] = US "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256", +[0x91] = US "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384", +[0x92] = US "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256", +[0x93] = US "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384", +[0x94] = US "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256", +[0x95] = US "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384", +[0x96] = US "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", +[0x97] = US "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", +[0x98] = US "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256", +[0x99] = US "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384", +[0x9A] = US "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", +[0x9B] = US "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", +[0x9C] = US "TLS_RSA_WITH_AES_128_CCM", +[0x9D] = US "TLS_RSA_WITH_AES_256_CCM", +[0x9E] = US "TLS_DHE_RSA_WITH_AES_128_CCM", +[0x9F] = US "TLS_DHE_RSA_WITH_AES_256_CCM", +[0xA0] = US "TLS_RSA_WITH_AES_128_CCM_8", +[0xA1] = US "TLS_RSA_WITH_AES_256_CCM_8", +[0xA2] = US "TLS_DHE_RSA_WITH_AES_128_CCM_8", +[0xA3] = US "TLS_DHE_RSA_WITH_AES_256_CCM_8", +[0xA4] = US "TLS_PSK_WITH_AES_128_CCM", +[0xA5] = US "TLS_PSK_WITH_AES_256_CCM", +[0xA6] = US "TLS_DHE_PSK_WITH_AES_128_CCM", +[0xA7] = US "TLS_DHE_PSK_WITH_AES_256_CCM", +[0xA8] = US "TLS_PSK_WITH_AES_128_CCM_8", +[0xA9] = US "TLS_PSK_WITH_AES_256_CCM_8", +[0xAA] = US "TLS_PSK_DHE_WITH_AES_128_CCM_8", +[0xAB] = US "TLS_PSK_DHE_WITH_AES_256_CCM_8", +[0xAC] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", +[0xAD] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", +[0xAE] = US "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", +[0xAF] = US "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", +[0xB0] = US "TLS_ECCPWD_WITH_AES_128_GCM_SHA256", +[0xB1] = US "TLS_ECCPWD_WITH_AES_256_GCM_SHA384", +[0xB2] = US "TLS_ECCPWD_WITH_AES_128_CCM_SHA256", +[0xB3] = US "TLS_ECCPWD_WITH_AES_256_CCM_SHA384", +[0xB4] = US "TLS_SHA256_SHA256", +[0xB5] = US "TLS_SHA384_SHA384", +}; +static const uschar * ctb_cc[] = { +[0xA8] = US "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", +[0xA9] = US "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", +[0xAA] = US "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", +[0xAB] = US "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256", +[0xAC] = US "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", +[0xAD] = US "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256", +[0xAE] = US "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", +}; +static const uschar * ctb_d0[] = { +[0x01] = US "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256", +[0x02] = US "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384", +[0x03] = US "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256", + +[0x05] = US "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256", +}; + +static const uschar * +cipher_stdname_tb(uschar idx, const uschar ** tb, int lim) +{ +return idx >= lim ? NULL : tb[idx]; +} + +static const uschar * +cipher_stdname(uschar id0, uschar id1) +{ +switch (id0) + { + case 0x00: return cipher_stdname_tb(id1, ctb_00, nelem(ctb_00)); + case 0x13: return cipher_stdname_tb(id1, ctb_13, nelem(ctb_00)); + case 0xc0: return cipher_stdname_tb(id1, ctb_c0, nelem(ctb_c0)); + case 0xcc: return cipher_stdname_tb(id1, ctb_cc, nelem(ctb_cc)); + case 0xd0: return cipher_stdname_tb(id1, ctb_d0, nelem(ctb_d0)); + default: return NULL; + } +} + +/* vi: aw ai sw=2 +*/ +/* End of tls-cipher-stdname.c */ diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index beb439eba..7d52369e0 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -96,6 +96,9 @@ require current GnuTLS, then we'll drop support for the ancient libraries). # include #endif +#include "tls-cipher-stdname.c" + + /* GnuTLS 2 vs 3 GnuTLS 3 only: @@ -1451,6 +1454,25 @@ return OK; * Extract peer information * *************************************************/ +static const uschar * +cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher, + gnutls_mac_algorithm_t mac) +{ +uschar cs_id[2]; +gnutls_kx_algorithm_t kx_i; +gnutls_cipher_algorithm_t cipher_i; +gnutls_mac_algorithm_t mac_i; + +for (size_t i = 0; + gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL); + i++) + if (kx_i == kx && cipher_i == cipher && mac_i == mac) + return cipher_stdname(cs_id[0], cs_id[1]); +return NULL; +} + + + /* Called from both server and client code. Only this is allowed to set state->peerdn and state->have_set_peerdn and we use that to detect double-calls. @@ -1479,7 +1501,6 @@ Returns: OK/DEFER/FAIL static int peer_status(exim_gnutls_state_st *state, uschar ** errstr) { -uschar cipherbuf[256]; const gnutls_datum_t *cert_list; int old_pool, rc; unsigned int cert_list_size = 0; @@ -1504,28 +1525,29 @@ protocol = gnutls_protocol_get_version(state->session); mac = gnutls_mac_get(state->session); kx = gnutls_kx_get(state->session); -string_format(cipherbuf, sizeof(cipherbuf), - "%s:%s:%d", - gnutls_protocol_get_name(protocol), - gnutls_cipher_suite_get_name(kx, cipher, mac), - (int) gnutls_cipher_get_key_size(cipher) * 8); - -/* I don't see a way that spaces could occur, in the current GnuTLS -code base, but it was a concern in the old code and perhaps older GnuTLS -releases did return "TLS 1.0"; play it safe, just in case. */ -for (uschar * p = cipherbuf; *p != '\0'; ++p) - if (isspace(*p)) - *p = '-'; old_pool = store_pool; -store_pool = POOL_PERM; -state->ciphersuite = string_copy(cipherbuf); + { + store_pool = POOL_PERM; + state->ciphersuite = string_sprintf("%s:%s:%d", + gnutls_protocol_get_name(protocol), + gnutls_cipher_suite_get_name(kx, cipher, mac), + (int) gnutls_cipher_get_key_size(cipher) * 8); + + /* I don't see a way that spaces could occur, in the current GnuTLS + code base, but it was a concern in the old code and perhaps older GnuTLS + releases did return "TLS 1.0"; play it safe, just in case. */ + + for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-'; + state->tlsp->cipher = state->ciphersuite; + + state->tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac); + } store_pool = old_pool; -state->tlsp->cipher = state->ciphersuite; /* tls_peerdn */ cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size); -if (cert_list == NULL || cert_list_size == 0) +if (!cert_list || cert_list_size == 0) { DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n", cert_list, cert_list_size); diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index c8349e7c5..f94df0bea 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -71,6 +71,7 @@ change this guard and punt the issue for a while longer. */ # define EXIM_HAVE_OPENSSL_DH_BITS # define EXIM_HAVE_OPENSSL_TLS_METHOD # define EXIM_HAVE_OPENSSL_KEYLOG +# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID # else # define EXIM_NEED_OPENSSL_INIT # endif @@ -96,6 +97,7 @@ change this guard and punt the issue for a while longer. */ # if OPENSSL_VERSION_NUMBER >= 0x010101000L # define OPENSSL_HAVE_KEYLOG_CB # define OPENSSL_HAVE_NUM_TICKETS +# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME # endif #endif @@ -108,6 +110,13 @@ change this guard and punt the issue for a while longer. */ # include #endif +#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME +# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID +# define SSL_CIPHER_get_id(c) (c->id) +# endif +# include "tls-cipher-stdname.c" +#endif + /************************************************* * OpenSSL option parse * *************************************************/ @@ -1911,28 +1920,46 @@ return OK; /* Argument: pointer to an SSL structure for the connection - buffer to use for answer - size of buffer pointer to number of bits for cipher -Returns: nothing +Returns: pointer to allocated string in perm-pool */ -static void -construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits) +static uschar * +construct_cipher_name(SSL * ssl, int * bits) { +int pool = store_pool; /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't yet reflect that. It should be a safe change anyway, even 0.9.8 versions have the accessor functions use const in the prototype. */ const uschar * ver = CUS SSL_get_version(ssl); const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl); +uschar * s; SSL_CIPHER_get_bits(c, bits); -string_format(cipherbuf, bsize, "%s:%s:%u", ver, - SSL_CIPHER_get_name(c), *bits); +store_pool = POOL_PERM; +s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits); +store_pool = pool; +DEBUG(D_tls) debug_printf("Cipher: %s\n", s); +return s; +} + -DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf); +/* Get IETF-standard name for ciphersuite. +Argument: pointer to an SSL structure for the connection +Returns: pointer to string +*/ + +static const uschar * +cipher_stdname_ssl(SSL * ssl) +{ +#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME +return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl)); +#else +ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl)); +return cipher_stdname(id >> 8, id & 0xff); +#endif } @@ -2179,7 +2206,6 @@ int rc; uschar * expciphers; tls_ext_ctx_cb * cbinfo; static uschar peerdn[256]; -static uschar cipherbuf[256]; /* Check for previous activation */ @@ -2305,10 +2331,13 @@ and initialize things. */ peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn)); +tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits); +tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl); + DEBUG(D_tls) { uschar buf[2048]; - if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL) + if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf))) debug_printf("Shared ciphers: %s\n", buf); #ifdef EXIM_HAVE_OPENSSL_KEYLOG @@ -2324,9 +2353,6 @@ DEBUG(D_tls) #endif } -construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits); -tls_in.cipher = cipherbuf; - /* Record the certificate we presented */ { X509 * crt = SSL_get_certificate(server_ssl); @@ -2489,7 +2515,6 @@ exim_openssl_client_tls_ctx * exim_client_ctx; static uschar peerdn[256]; uschar * expciphers; int rc; -static uschar cipherbuf[256]; #ifndef DISABLE_OCSP BOOL request_ocsp = FALSE; @@ -2711,8 +2736,8 @@ DEBUG(D_tls) peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn)); -construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits); -tlsp->cipher = cipherbuf; +tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits); +tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl); /* Record the certificate we presented */ { diff --git a/test/log/2102.openssl_1_1_1 b/test/log/2102.openssl_1_1_1 index d5efeef30..51f739b63 100644 --- a/test/log/2102.openssl_1_1_1 +++ b/test/log/2102.openssl_1_1_1 @@ -13,10 +13,10 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 Our cert SN: 1999-03-02 09:44:33 Peer did not present a cert -1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss 1999-03-02 09:44:33 Our cert SN: 1999-03-02 09:44:33 Peer did not present a cert -1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> 1999-03-02 09:44:33 Our cert SN: 1999-03-02 09:44:33 Peer cert: @@ -39,8 +39,8 @@ 1999-03-02 09:44:33 sha1 fingerprint E75D537E478758010505D4F339B00DFD73728088 1999-03-02 09:44:33 sha256 fingerprint E251FA7D0372CB784294CF92B243DCE53FDDABD9F58A1B89226586C07C82CAC6 1999-03-02 09:44:33 der_b64 MIIDuDCCAqCgAwIBAgICAMkwDQYJKoZIhvcNAQELBQAwNzEUMBIGA1UEChMLZXhhbXBsZS5jb20xHzAdBgNVBAMTFmNsaWNhIFNpZ25pbmcgQ2VydCByc2EwHhcNMTIxMTAxMTI0MDA0WhcNMzcxMjAxMTI0MDA0WjAeMRwwGgYDVQQDExNzZXJ2ZXIyLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52Rfiv2Igy0NiaKN5gc0VPLbEoHngkdJWv3wEORp+iFl6skQRbsCylT8djJ2pvHstFpnzSodF3Wwjj2/EDuj3iKBzN9HeXJOvJz8j9Si1xkgCxJeUjPGgYcvKdxybaZAOpi9l3xwPCCEXN4JBq/WaQQ9+eP1PczeMNfvFtXma+VcHXG743ttPOv7eSMr0JxQl3zjQvYGOhFP/KAw6jh/N6YPqii9kV0cC/ubeVzpqJ5/+hndx5YrmAu39N5qzwWujhDPkFNSgCJUhfkEiMaQiPxFxDTbUzWnQ5jpAQ5El4WJVkGWkqxose1bOjSSNzFPJt59YtxxJC3IWN3UtGODTwIDAQABo4HmMIHjMA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTgYDVR0jBEcwRYANQUFidHdDeGNYZ2IwUaExpC8wLTEUMBIGA1UEChMLZXhhbXBsZS5jb20xFTATBgNVBAMTDGNsaWNhIENBIHJzYYIBQjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vc2NwLmV4YW1wbGUuY29tLzApBgNVHREEIjAgghNzZXJ2ZXIyLmV4YW1wbGUuY29tggkqLnRlc3QuZXgwDQYJKoZIhvcNAQELBQADggEBALHOkZkvHLpNm0QSof09vmmdNFE6/+0TCIoPExeqqSOsy4NsF+Ha46WttjJRSVtbhRxF8jxEU7btPiFgQUaOcJZTwQPDhmQSOPNO8GS46oJ57aQ7U7O+X3M1sVS5Pa2IzE6vrJSh349/CNbTA8WPQdWLlxVJhJXAcZNtaEu6lCsZuDSMTpAsW5I4+snyrm3yvP5t0eD28K5LgCKePX962drkAOP6XGQ51VnbMQ7b1TSdQedtYKIpR3VKUvG5Ky/+0c+Rmwfi2aQ8oXXwekzJyS5jvovdVVsdhO68It+Rz/zursN5Pn+Gj1YuQNUs2nDrGHN+VIIFpgWUjLZO4bcJctY= -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server2.example.com" S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server2.example.com" S=sss 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 Our cert SN: 1999-03-02 09:44:33 Peer did not present a cert -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:ke-ECDSA-AES256-SHA:xxx CV=no S=sss +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss diff --git a/test/runtest b/test/runtest index 8df2be005..ad049685e 100755 --- a/test/runtest +++ b/test/runtest @@ -544,6 +544,15 @@ RESET_AFTER_EXTRA_LINE_READ: s/(could not connect to .*: Connection) reset by peer$/$1 refused/; # ======== TLS certificate algorithms ======== + # + # In Received: headers, convert RFC 8314 style ciphersuite to + # the older (comment) style, keeping only the Auth element + # (discarding kex, cipher, mac). For TLS 1.3 there is no kex + # element (and no _WITH); insert a spurious "RSA". + + s/^\s+by .+ with .+ \K tls TLS_.*?([^_]+)_WITH.+$/(TLS1.x:ke-\1-AES256-SHAnnn:xxx)/; + s/^\s+by .+ with .+ \K tls TLS_.+$/(TLS1.x:ke-RSA-AES256-SHAnnn:xxx)/; + # Test machines might have various different TLS library versions supporting # different protocols; can't rely upon TLS 1.2's AES256-GCM-SHA384, so we # treat the standard algorithms the same. @@ -1628,7 +1637,9 @@ $munges = s! DN="[^,"]*\K,!/!; ', 'rejectlog' => 's/ X=TLS\S+ / X=TLS_proto_and_cipher /', - 'mail' => 's/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/', + 'mail' => 's/^\s+by .+ with .+ \K tls TLS_.+$/(TLS_proto_and_cipher)/; + s/ \(TLS[^)]*\)/ (TLS_proto_and_cipher)/; + ', }, 'debug_pid' => diff --git a/test/stderr/0402 b/test/stderr/0402 index 6c2e92211..9f7ad2841 100644 --- a/test/stderr/0402 +++ b/test/stderr/0402 @@ -41,7 +41,8 @@ Data file written for message 10HmaX-0005vi-00 └─────result: Tue, 2 Mar 1999 09:44:33 +0000 ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -49,7 +50,8 @@ Data file written for message 10HmaX-0005vi-00 ├─────result: false ┌───scanning: from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -59,19 +61,22 @@ Data file written for message 10HmaX-0005vi-00 └───skipping: result is not used ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ├──condition: def:sender_ident ├─────result: true ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + ╎ }}(Exim $version_number) ╎ ${if def:sender_address {(envelope-from <$sender_address>) ╎ }}id $message_exim_id${if def:received_for { ╎ for $received_for}} @@ -82,7 +87,8 @@ Data file written for message 10HmaX-0005vi-00 ├──condition: def:sender_helo_name ├─────result: false ┌───scanning: (helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -96,12 +102,25 @@ Data file written for message 10HmaX-0005vi-00 └─────result: from CALLER ├──condition: def:received_protocol ├─────result: true - ┌considering: with $received_protocol}} (Exim $version_number) + ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} - ├──expanding: with $received_protocol - └─────result: with local + ├──expanding: with $received_protocol + └─────result: with local + ├──condition: def:tls_in_cipher_std + ├─────result: false + ┌───scanning: tls $tls_in_cipher_std + }}(Exim $version_number) + ${if def:sender_address {(envelope-from <$sender_address>) + }}id $message_exim_id${if def:received_for { + for $received_for}} + ├──expanding: tls $tls_in_cipher_std + + ├─────result: tls + + └───skipping: result is not used ├──condition: def:sender_address ├─────result: true ┌considering: (envelope-from <$sender_address>) @@ -122,7 +141,8 @@ Data file written for message 10HmaX-0005vi-00 └───skipping: result is not used ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} diff --git a/test/stderr/0544 b/test/stderr/0544 index e45faa1e9..a8a961e9c 100644 --- a/test/stderr/0544 +++ b/test/stderr/0544 @@ -6,7 +6,8 @@ admin user └─────result: Tue, 2 Mar 1999 09:44:33 +0000 ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -14,7 +15,8 @@ admin user ├─────result: false ┌───scanning: from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -24,19 +26,22 @@ admin user └───skipping: result is not used ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ├──condition: def:sender_ident ├─────result: true ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + ╎ }}(Exim $version_number) ╎ ${if def:sender_address {(envelope-from <$sender_address>) ╎ }}id $message_exim_id${if def:received_for { ╎ for $received_for}} @@ -47,7 +52,8 @@ admin user ├──condition: def:sender_helo_name ├─────result: false ┌───scanning: (helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -61,12 +67,25 @@ admin user └─────result: from CALLER ├──condition: def:received_protocol ├─────result: true - ┌considering: with $received_protocol}} (Exim $version_number) + ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} - ├──expanding: with $received_protocol - └─────result: with local + ├──expanding: with $received_protocol + └─────result: with local + ├──condition: def:tls_in_cipher_std + ├─────result: false + ┌───scanning: tls $tls_in_cipher_std + }}(Exim $version_number) + ${if def:sender_address {(envelope-from <$sender_address>) + }}id $message_exim_id${if def:received_for { + for $received_for}} + ├──expanding: tls $tls_in_cipher_std + + ├─────result: tls + + └───skipping: result is not used ├──condition: def:sender_address ├─────result: true ┌considering: (envelope-from <$sender_address>) @@ -87,7 +106,8 @@ admin user └───skipping: result is not used ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} diff --git a/test/stderr/5410 b/test/stderr/5410 index e4ef02cfd..8e6e7bbc9 100644 --- a/test/stderr/5410 +++ b/test/stderr/5410 @@ -136,7 +136,8 @@ end of inline ACL: ACCEPT └─────result: Tue, 2 Mar 1999 09:44:33 +0000 ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -144,7 +145,8 @@ end of inline ACL: ACCEPT ├─────result: false ┌───scanning: from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -154,19 +156,22 @@ end of inline ACL: ACCEPT └───skipping: result is not used ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ├──condition: def:sender_ident ├─────result: true ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + ╎ }}(Exim $version_number) ╎ ${if def:sender_address {(envelope-from <$sender_address>) ╎ }}id $message_exim_id${if def:received_for { ╎ for $received_for}} @@ -177,7 +182,8 @@ end of inline ACL: ACCEPT ├──condition: def:sender_helo_name ├─────result: true ┌considering: (helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -191,12 +197,25 @@ end of inline ACL: ACCEPT ├──condition: def:received_protocol ├─────result: true - ┌considering: with $received_protocol}} (Exim $version_number) + ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} - ├──expanding: with $received_protocol - └─────result: with local-esmtp + ├──expanding: with $received_protocol + └─────result: with local-esmtp + ├──condition: def:tls_in_cipher_std + ├─────result: false + ┌───scanning: tls $tls_in_cipher_std + }}(Exim $version_number) + ${if def:sender_address {(envelope-from <$sender_address>) + }}id $message_exim_id${if def:received_for { + for $received_for}} + ├──expanding: tls $tls_in_cipher_std + + ├─────result: tls + + └───skipping: result is not used ├──condition: def:sender_address ├─────result: true ┌considering: (envelope-from <$sender_address>) @@ -216,7 +235,8 @@ end of inline ACL: ACCEPT for userx@domain.com ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -352,7 +372,8 @@ end of inline ACL: ACCEPT └─────result: Tue, 2 Mar 1999 09:44:33 +0000 ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -360,7 +381,8 @@ end of inline ACL: ACCEPT ├─────result: false ┌───scanning: from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -370,19 +392,22 @@ end of inline ACL: ACCEPT └───skipping: result is not used ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ├──condition: def:sender_ident ├─────result: true ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + ╎ }}(Exim $version_number) ╎ ${if def:sender_address {(envelope-from <$sender_address>) ╎ }}id $message_exim_id${if def:received_for { ╎ for $received_for}} @@ -393,7 +418,8 @@ end of inline ACL: ACCEPT ├──condition: def:sender_helo_name ├─────result: true ┌considering: (helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -407,12 +433,25 @@ end of inline ACL: ACCEPT ├──condition: def:received_protocol ├─────result: true - ┌considering: with $received_protocol}} (Exim $version_number) + ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) + ${if def:sender_address {(envelope-from <$sender_address>) + }}id $message_exim_id${if def:received_for { + for $received_for}} + ├──expanding: with $received_protocol + └─────result: with local-esmtp + ├──condition: def:tls_in_cipher_std + ├─────result: false + ┌───scanning: tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} - ├──expanding: with $received_protocol - └─────result: with local-esmtp + ├──expanding: tls $tls_in_cipher_std + + ├─────result: tls + + └───skipping: result is not used ├──condition: def:sender_address ├─────result: true ┌considering: (envelope-from <$sender_address>) @@ -432,7 +471,8 @@ end of inline ACL: ACCEPT for usery@domain.com ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -568,7 +608,8 @@ end of inline ACL: ACCEPT └─────result: Tue, 2 Mar 1999 09:44:33 +0000 ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -576,7 +617,8 @@ end of inline ACL: ACCEPT ├─────result: false ┌───scanning: from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -586,19 +628,22 @@ end of inline ACL: ACCEPT └───skipping: result is not used ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ├──condition: def:sender_ident ├─────result: true ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + ╎ }}(Exim $version_number) ╎ ${if def:sender_address {(envelope-from <$sender_address>) ╎ }}id $message_exim_id${if def:received_for { ╎ for $received_for}} @@ -609,7 +654,8 @@ end of inline ACL: ACCEPT ├──condition: def:sender_helo_name ├─────result: true ┌considering: (helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -623,12 +669,25 @@ end of inline ACL: ACCEPT ├──condition: def:received_protocol ├─────result: true - ┌considering: with $received_protocol}} (Exim $version_number) + ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) + ${if def:sender_address {(envelope-from <$sender_address>) + }}id $message_exim_id${if def:received_for { + for $received_for}} + ├──expanding: with $received_protocol + └─────result: with local-esmtp + ├──condition: def:tls_in_cipher_std + ├─────result: false + ┌───scanning: tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} - ├──expanding: with $received_protocol - └─────result: with local-esmtp + ├──expanding: tls $tls_in_cipher_std + + ├─────result: tls + + └───skipping: result is not used ├──condition: def:sender_address ├─────result: true ┌considering: (envelope-from <$sender_address>) @@ -648,7 +707,8 @@ end of inline ACL: ACCEPT for usery@domain.com ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} diff --git a/test/stderr/5420 b/test/stderr/5420 index 25963326b..5bc80bb1f 100644 --- a/test/stderr/5420 +++ b/test/stderr/5420 @@ -137,7 +137,8 @@ end of inline ACL: ACCEPT └─────result: Tue, 2 Mar 1999 09:44:33 +0000 ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -145,7 +146,8 @@ end of inline ACL: ACCEPT ├─────result: false ┌───scanning: from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -155,19 +157,22 @@ end of inline ACL: ACCEPT └───skipping: result is not used ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ├──condition: def:sender_ident ├─────result: true ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + ╎ }}(Exim $version_number) ╎ ${if def:sender_address {(envelope-from <$sender_address>) ╎ }}id $message_exim_id${if def:received_for { ╎ for $received_for}} @@ -178,7 +183,8 @@ end of inline ACL: ACCEPT ├──condition: def:sender_helo_name ├─────result: true ┌considering: (helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -192,12 +198,25 @@ end of inline ACL: ACCEPT ├──condition: def:received_protocol ├─────result: true - ┌considering: with $received_protocol}} (Exim $version_number) + ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} - ├──expanding: with $received_protocol - └─────result: with local-esmtp + ├──expanding: with $received_protocol + └─────result: with local-esmtp + ├──condition: def:tls_in_cipher_std + ├─────result: false + ┌───scanning: tls $tls_in_cipher_std + }}(Exim $version_number) + ${if def:sender_address {(envelope-from <$sender_address>) + }}id $message_exim_id${if def:received_for { + for $received_for}} + ├──expanding: tls $tls_in_cipher_std + + ├─────result: tls + + └───skipping: result is not used ├──condition: def:sender_address ├─────result: true ┌considering: (envelope-from <$sender_address>) @@ -217,7 +236,8 @@ end of inline ACL: ACCEPT for userx@domain.com ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -353,7 +373,8 @@ end of inline ACL: ACCEPT └─────result: Tue, 2 Mar 1999 09:44:33 +0000 ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -361,7 +382,8 @@ end of inline ACL: ACCEPT ├─────result: false ┌───scanning: from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -371,19 +393,22 @@ end of inline ACL: ACCEPT └───skipping: result is not used ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ├──condition: def:sender_ident ├─────result: true ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + ╎ }}(Exim $version_number) ╎ ${if def:sender_address {(envelope-from <$sender_address>) ╎ }}id $message_exim_id${if def:received_for { ╎ for $received_for}} @@ -394,7 +419,8 @@ end of inline ACL: ACCEPT ├──condition: def:sender_helo_name ├─────result: true ┌considering: (helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -408,12 +434,25 @@ end of inline ACL: ACCEPT ├──condition: def:received_protocol ├─────result: true - ┌considering: with $received_protocol}} (Exim $version_number) + ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) + ${if def:sender_address {(envelope-from <$sender_address>) + }}id $message_exim_id${if def:received_for { + for $received_for}} + ├──expanding: with $received_protocol + └─────result: with local-esmtp + ├──condition: def:tls_in_cipher_std + ├─────result: false + ┌───scanning: tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} - ├──expanding: with $received_protocol - └─────result: with local-esmtp + ├──expanding: tls $tls_in_cipher_std + + ├─────result: tls + + └───skipping: result is not used ├──condition: def:sender_address ├─────result: true ┌considering: (envelope-from <$sender_address>) @@ -433,7 +472,8 @@ end of inline ACL: ACCEPT for usery@domain.com ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -569,7 +609,8 @@ end of inline ACL: ACCEPT └─────result: Tue, 2 Mar 1999 09:44:33 +0000 ┌considering: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -577,7 +618,8 @@ end of inline ACL: ACCEPT ├─────result: false ┌───scanning: from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -587,19 +629,22 @@ end of inline ACL: ACCEPT └───skipping: result is not used ┌considering: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ├──condition: def:sender_ident ├─────result: true ┌considering: from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} ╎┌considering: $sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + ╎ }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + ╎ }}(Exim $version_number) ╎ ${if def:sender_address {(envelope-from <$sender_address>) ╎ }}id $message_exim_id${if def:received_for { ╎ for $received_for}} @@ -610,7 +655,8 @@ end of inline ACL: ACCEPT ├──condition: def:sender_helo_name ├─────result: true ┌considering: (helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} @@ -624,12 +670,25 @@ end of inline ACL: ACCEPT ├──condition: def:received_protocol ├─────result: true - ┌considering: with $received_protocol}} (Exim $version_number) + ┌considering: with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) + ${if def:sender_address {(envelope-from <$sender_address>) + }}id $message_exim_id${if def:received_for { + for $received_for}} + ├──expanding: with $received_protocol + └─────result: with local-esmtp + ├──condition: def:tls_in_cipher_std + ├─────result: false + ┌───scanning: tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} - ├──expanding: with $received_protocol - └─────result: with local-esmtp + ├──expanding: tls $tls_in_cipher_std + + ├─────result: tls + + └───skipping: result is not used ├──condition: def:sender_address ├─────result: true ┌considering: (envelope-from <$sender_address>) @@ -649,7 +708,8 @@ end of inline ACL: ACCEPT for usery@domain.com ├──expanding: Received: ${if def:sender_rcvhost {from $sender_rcvhost }{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) - }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number) + }}}}by $primary_hostname ${if def:received_protocol {with $received_protocol }}${if def:tls_in_cipher_std { tls $tls_in_cipher_std + }}(Exim $version_number) ${if def:sender_address {(envelope-from <$sender_address>) }}id $message_exim_id${if def:received_for { for $received_for}} diff --git a/test/stdout/2114.openssl_1_1_1 b/test/stdout/2114.openssl_1_1_1 index 744d0e2fa..ee0af955f 100644 --- a/test/stdout/2114.openssl_1_1_1 +++ b/test/stdout/2114.openssl_1_1_1 @@ -19,7 +19,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> noop ????554 Security failure @@ -55,7 +55,7 @@ Connecting to 127.0.0.1 port 1225 ... connected ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> helo rhu.barb ??? 250 @@ -93,7 +93,7 @@ Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> mail from: ??? 250 @@ -128,7 +128,7 @@ Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> mail from: ??? 250 @@ -163,7 +163,7 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> noop ????554 Security failure @@ -196,7 +196,7 @@ Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> mail from: ??? 250 @@ -231,7 +231,7 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> noop ????554 Security failure @@ -264,7 +264,7 @@ Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.c ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> mail from: ??? 250 @@ -299,7 +299,7 @@ Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> mail from: ??? 250 diff --git a/test/stdout/2124.openssl_1_1_1 b/test/stdout/2124.openssl_1_1_1 index e7777a1b2..d40f58a31 100644 --- a/test/stdout/2124.openssl_1_1_1 +++ b/test/stdout/2124.openssl_1_1_1 @@ -20,7 +20,7 @@ Key file = aux-fixed/cert2 ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> noop ????554 Security failure diff --git a/test/stdout/2132.openssl_1_1_1 b/test/stdout/2132.openssl_1_1_1 index 179a9ef32..a3a8ec5ef 100644 --- a/test/stdout/2132.openssl_1_1_1 +++ b/test/stdout/2132.openssl_1_1_1 @@ -19,7 +19,7 @@ Connecting to 127.0.0.1 port 1225 ... connected ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> mail from: ??? 250 @@ -59,7 +59,7 @@ Connecting to 127.0.0.1 port 1225 ... connected ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> mail from:<"name with spaces"@test.ex> ??? 250 @@ -99,7 +99,7 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> noop ????554 @@ -132,7 +132,7 @@ Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.e ??? 220 <<< 220 TLS go ahead Attempting to start TLS -SSL connection using ke-RSA-AES256-SHA +SSL connection using ke-RSA-AES256-SHAnnn Succeeded in starting TLS >>> mail from: ??? 250 -- 2.25.1