[exim.git] / test / scripts / 2000-GnuTLS / 2014

# TLS server: mandatory, optional, and revoked certificates
gnutls
munge gnutls_unexpected
exim -DSERVER=server -bd -oX PORT_D
****
### No certificate, certificate required
client-gnutls HOSTIPV4 PORT_D
??? 220
ehlo rhu1.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
****
### No certificate, certificate optional at TLS time, required by ACL
client-gnutls 127.0.0.1 PORT_D
??? 220
ehlo rhu2.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo rhu2tls.barb
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu3.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Good certificate, certificate optional at TLS time, checked by ACL
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu4.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Bad certificate, certificate required
# Actually this test does not have the client presenting a cert at all, as it filters what it has
# by the options offered by the server first.  So it's not a good testcase.
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu5.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
****
### Bad certificate, certificate optional at TLS time, reject at ACL time
# (situation as above)
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu6.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
killdaemon
#
#
#
#
exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
****
### Otherwise good but revoked certificate, certificate required
# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu7.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu8.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required - but nonmatching CRL also present
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
killdaemon
Commit	Line	Data
59371ea7 PH	1	# TLS server: mandatory, optional, and revoked certificates
59371ea7 PH	2	gnutls
c9a55f6a	3	munge gnutls_unexpected
59371ea7 PH	4	exim -DSERVER=server -bd -oX PORT_D
59371ea7 PH	5	****
dc9c8f8b	6	### No certificate, certificate required
59371ea7 PH	7	client-gnutls HOSTIPV4 PORT_D
59371ea7 PH	8	??? 220
5c8cda3a	9	ehlo rhu1.barb
59371ea7 PH	10	??? 250-
	11	??? 250-
	12	??? 250-
	13	??? 250-
5b456975	14	??? 250-
59371ea7 PH	15	??? 250
	16	starttls
	17	??? 220
	18	****
dc9c8f8b	19	### No certificate, certificate optional at TLS time, required by ACL
59371ea7 PH	20	client-gnutls 127.0.0.1 PORT_D
59371ea7 PH	21	??? 220
5c8cda3a	22	ehlo rhu2.barb
59371ea7 PH	23	??? 250-
	24	??? 250-
	25	??? 250-
	26	??? 250-
5b456975	27	??? 250-
59371ea7 PH	28	??? 250
	29	starttls
	30	??? 220
5c8cda3a	31	helo rhu2tls.barb
59371ea7 PH	32	??? 250
	33	mail from:<userx@test.ex>
	34	??? 250
	35	rcpt to:<userx@test.ex>
	36	??? 550
	37	quit
	38	??? 221
	39	****
dc9c8f8b JH	40	### Good certificate, certificate required
dc9c8f8b JH	41	client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
59371ea7	42	??? 220
5c8cda3a	43	ehlo rhu3.barb
59371ea7 PH	44	??? 250-
	45	??? 250-
	46	??? 250-
	47	??? 250-
5b456975	48	??? 250-
59371ea7 PH	49	??? 250
	50	starttls
	51	??? 220
	52	mail from:<userx@test.ex>
	53	??? 250
	54	rcpt to:<userx@test.ex>
	55	??? 250
	56	quit
	57	??? 221
	58	****
dc9c8f8b JH	59	### Good certificate, certificate optional at TLS time, checked by ACL
dc9c8f8b JH	60	client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
59371ea7	61	??? 220
5c8cda3a	62	ehlo rhu4.barb
59371ea7 PH	63	??? 250-
	64	??? 250-
	65	??? 250-
	66	??? 250-
5b456975	67	??? 250-
59371ea7 PH	68	??? 250
	69	starttls
	70	??? 220
	71	mail from:<userx@test.ex>
	72	??? 250
	73	rcpt to:<userx@test.ex>
	74	??? 250
	75	quit
	76	??? 221
	77	****
dc9c8f8b JH	78	### Bad certificate, certificate required
	79	# Actually this test does not have the client presenting a cert at all, as it filters what it has
	80	# by the options offered by the server first. So it's not a good testcase.
	81	client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
59371ea7	82	??? 220
5c8cda3a	83	ehlo rhu5.barb
59371ea7 PH	84	??? 250-
	85	??? 250-
	86	??? 250-
	87	??? 250-
5b456975	88	??? 250-
59371ea7 PH	89	??? 250
	90	starttls
	91	??? 220
	92	****
dc9c8f8b JH	93	### Bad certificate, certificate optional at TLS time, reject at ACL time
	94	# (situation as above)
	95	client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
59371ea7	96	??? 220
5c8cda3a	97	ehlo rhu6.barb
59371ea7 PH	98	??? 250-
	99	??? 250-
	100	??? 250-
	101	??? 250-
5b456975	102	??? 250-
59371ea7 PH	103	??? 250
	104	starttls
	105	??? 220
	106	mail from:<userx@test.ex>
	107	??? 250
	108	rcpt to:<userx@test.ex>
59371ea7 PH	109	??? 550
	110	quit
	111	??? 221
	112	****
	113	killdaemon
dc9c8f8b JH	114	#
	115	#
	116	#
	117	#
	118	exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
59371ea7	119	****
dc9c8f8b JH	120	### Otherwise good but revoked certificate, certificate required
	121	# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
	122	client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
59371ea7	123	??? 220
5c8cda3a	124	ehlo rhu7.barb
59371ea7 PH	125	??? 250-
	126	??? 250-
	127	??? 250-
	128	??? 250-
5b456975	129	??? 250-
59371ea7 PH	130	??? 250
	131	starttls
	132	??? 220
	133	****
dc9c8f8b JH	134	### Revoked certificate, certificate optional at TLS time, reject at ACL time
dc9c8f8b JH	135	client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
59371ea7	136	??? 220
5c8cda3a	137	ehlo rhu8.barb
59371ea7 PH	138	??? 250-
	139	??? 250-
	140	??? 250-
	141	??? 250-
5b456975	142	??? 250-
59371ea7 PH	143	??? 250
	144	starttls
	145	??? 220
	146	mail from:<userx@test.ex>
	147	??? 250
	148	rcpt to:<userx@test.ex>
59371ea7 PH	149	??? 550
	150	quit
	151	??? 221
	152	****
dc9c8f8b JH	153	### Good certificate, certificate required - but nonmatching CRL also present
	154	client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
	155	??? 220
	156	ehlo rhu.barb
	157	??? 250-
	158	??? 250-
	159	??? 250-
	160	??? 250-
	161	??? 250-
	162	??? 250
	163	starttls
	164	??? 220
	165	mail from:<userx@test.ex>
	166	??? 250
	167	rcpt to:<userx@test.ex>
	168	??? 250
	169	quit
	170	??? 221
	171	****
59371ea7	172	killdaemon