Commit | Line | Data |
---|---|---|
59371ea7 PH | 1 | # TLS server: mandatory, optional, and revoked certificates |
59371ea7 PH | 2 | gnutls |
c9a55f6a | 3 | munge gnutls_unexpected |
59371ea7 PH | 4 | exim -DSERVER=server -bd -oX PORT_D |
59371ea7 PH | 5 | **** |
dc9c8f8b | 6 | ### No certificate, certificate required |
59371ea7 PH | 7 | client-gnutls HOSTIPV4 PORT_D |
59371ea7 PH | 8 | ??? 220 |
5c8cda3a | 9 | ehlo rhu1.barb |
59371ea7 PH | 10 | ??? 250- |
59371ea7 PH | 11 | ??? 250- |
59371ea7 PH | 12 | ??? 250- |
59371ea7 PH | 13 | ??? 250- |
5b456975 | 14 | ??? 250- |
59371ea7 PH | 15 | ??? 250 |
59371ea7 PH | 16 | starttls |
59371ea7 PH | 17 | ??? 220 |
59371ea7 PH | 18 | **** |
dc9c8f8b | 19 | ### No certificate, certificate optional at TLS time, required by ACL |
59371ea7 PH | 20 | client-gnutls 127.0.0.1 PORT_D |
59371ea7 PH | 21 | ??? 220 |
5c8cda3a | 22 | ehlo rhu2.barb |
59371ea7 PH | 23 | ??? 250- |
59371ea7 PH | 24 | ??? 250- |
59371ea7 PH | 25 | ??? 250- |
59371ea7 PH | 26 | ??? 250- |
5b456975 | 27 | ??? 250- |
59371ea7 PH | 28 | ??? 250 |
59371ea7 PH | 29 | starttls |
59371ea7 PH | 30 | ??? 220 |
5c8cda3a | 31 | helo rhu2tls.barb |
59371ea7 PH | 32 | ??? 250 |
59371ea7 PH | 33 | mail from:<userx@test.ex> |
59371ea7 PH | 34 | ??? 250 |
59371ea7 PH | 35 | rcpt to:<userx@test.ex> |
59371ea7 PH | 36 | ??? 550 |
59371ea7 PH | 37 | quit |
59371ea7 PH | 38 | ??? 221 |
59371ea7 PH | 39 | **** |
dc9c8f8b JH | 40 | ### Good certificate, certificate required |
dc9c8f8b JH | 41 | client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key |
59371ea7 | 42 | ??? 220 |
5c8cda3a | 43 | ehlo rhu3.barb |
59371ea7 PH | 44 | ??? 250- |
59371ea7 PH | 45 | ??? 250- |
59371ea7 PH | 46 | ??? 250- |
59371ea7 PH | 47 | ??? 250- |
5b456975 | 48 | ??? 250- |
59371ea7 PH | 49 | ??? 250 |
59371ea7 PH | 50 | starttls |
59371ea7 PH | 51 | ??? 220 |
59371ea7 PH | 52 | mail from:<userx@test.ex> |
59371ea7 PH | 53 | ??? 250 |
59371ea7 PH | 54 | rcpt to:<userx@test.ex> |
59371ea7 PH | 55 | ??? 250 |
59371ea7 PH | 56 | quit |
59371ea7 PH | 57 | ??? 221 |
59371ea7 PH | 58 | **** |
dc9c8f8b JH | 59 | ### Good certificate, certificate optional at TLS time, checked by ACL |
dc9c8f8b JH | 60 | client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key |
59371ea7 | 61 | ??? 220 |
5c8cda3a | 62 | ehlo rhu4.barb |
59371ea7 PH | 63 | ??? 250- |
59371ea7 PH | 64 | ??? 250- |
59371ea7 PH | 65 | ??? 250- |
59371ea7 PH | 66 | ??? 250- |
5b456975 | 67 | ??? 250- |
59371ea7 PH | 68 | ??? 250 |
59371ea7 PH | 69 | starttls |
59371ea7 PH | 70 | ??? 220 |
59371ea7 PH | 71 | mail from:<userx@test.ex> |
59371ea7 PH | 72 | ??? 250 |
59371ea7 PH | 73 | rcpt to:<userx@test.ex> |
59371ea7 PH | 74 | ??? 250 |
59371ea7 PH | 75 | quit |
59371ea7 PH | 76 | ??? 221 |
59371ea7 PH | 77 | **** |
dc9c8f8b JH | 78 | ### Bad certificate, certificate required |
dc9c8f8b JH | 79 | # Actually this test does not have the client presenting a cert at all, as it filters what it has |
dc9c8f8b JH | 80 | # by the options offered by the server first. So it's not a good testcase. |
dc9c8f8b JH | 81 | client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key |
59371ea7 | 82 | ??? 220 |
5c8cda3a | 83 | ehlo rhu5.barb |
59371ea7 PH | 84 | ??? 250- |
59371ea7 PH | 85 | ??? 250- |
59371ea7 PH | 86 | ??? 250- |
59371ea7 PH | 87 | ??? 250- |
5b456975 | 88 | ??? 250- |
59371ea7 PH | 89 | ??? 250 |
59371ea7 PH | 90 | starttls |
59371ea7 PH | 91 | ??? 220 |
59371ea7 PH | 92 | **** |
dc9c8f8b JH | 93 | ### Bad certificate, certificate optional at TLS time, reject at ACL time |
dc9c8f8b JH | 94 | # (situation as above) |
dc9c8f8b JH | 95 | client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key |
59371ea7 | 96 | ??? 220 |
5c8cda3a | 97 | ehlo rhu6.barb |
59371ea7 PH | 98 | ??? 250- |
59371ea7 PH | 99 | ??? 250- |
59371ea7 PH | 100 | ??? 250- |
59371ea7 PH | 101 | ??? 250- |
5b456975 | 102 | ??? 250- |
59371ea7 PH | 103 | ??? 250 |
59371ea7 PH | 104 | starttls |
59371ea7 PH | 105 | ??? 220 |
59371ea7 PH | 106 | mail from:<userx@test.ex> |
59371ea7 PH | 107 | ??? 250 |
59371ea7 PH | 108 | rcpt to:<userx@test.ex> |
59371ea7 PH | 109 | ??? 550 |
59371ea7 PH | 110 | quit |
59371ea7 PH | 111 | ??? 221 |
59371ea7 PH | 112 | **** |
59371ea7 PH | 113 | killdaemon |
dc9c8f8b JH | 114 | # |
dc9c8f8b JH | 115 | # |
dc9c8f8b JH | 116 | # |
dc9c8f8b JH | 117 | # |
dc9c8f8b JH | 118 | exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D |
59371ea7 | 119 | **** |
dc9c8f8b JH | 120 | ### Otherwise good but revoked certificate, certificate required |
dc9c8f8b JH | 121 | # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL |
dc9c8f8b JH | 122 | client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key |
59371ea7 | 123 | ??? 220 |
5c8cda3a | 124 | ehlo rhu7.barb |
59371ea7 PH | 125 | ??? 250- |
59371ea7 PH | 126 | ??? 250- |
59371ea7 PH | 127 | ??? 250- |
59371ea7 PH | 128 | ??? 250- |
5b456975 | 129 | ??? 250- |
59371ea7 PH | 130 | ??? 250 |
59371ea7 PH | 131 | starttls |
59371ea7 PH | 132 | ??? 220 |
59371ea7 PH | 133 | **** |
dc9c8f8b JH | 134 | ### Revoked certificate, certificate optional at TLS time, reject at ACL time |
dc9c8f8b JH | 135 | client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key |
59371ea7 | 136 | ??? 220 |
5c8cda3a | 137 | ehlo rhu8.barb |
59371ea7 PH | 138 | ??? 250- |
59371ea7 PH | 139 | ??? 250- |
59371ea7 PH | 140 | ??? 250- |
59371ea7 PH | 141 | ??? 250- |
5b456975 | 142 | ??? 250- |
59371ea7 PH | 143 | ??? 250 |
59371ea7 PH | 144 | starttls |
59371ea7 PH | 145 | ??? 220 |
59371ea7 PH | 146 | mail from:<userx@test.ex> |
59371ea7 PH | 147 | ??? 250 |
59371ea7 PH | 148 | rcpt to:<userx@test.ex> |
59371ea7 PH | 149 | ??? 550 |
59371ea7 PH | 150 | quit |
59371ea7 PH | 151 | ??? 221 |
59371ea7 PH | 152 | **** |
dc9c8f8b JH | 153 | ### Good certificate, certificate required - but nonmatching CRL also present |
dc9c8f8b JH | 154 | client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key |
dc9c8f8b JH | 155 | ??? 220 |
dc9c8f8b JH | 156 | ehlo rhu.barb |
dc9c8f8b JH | 157 | ??? 250- |
dc9c8f8b JH | 158 | ??? 250- |
dc9c8f8b JH | 159 | ??? 250- |
dc9c8f8b JH | 160 | ??? 250- |
dc9c8f8b JH | 161 | ??? 250- |
dc9c8f8b JH | 162 | ??? 250 |
dc9c8f8b JH | 163 | starttls |
dc9c8f8b JH | 164 | ??? 220 |
dc9c8f8b JH | 165 | mail from:<userx@test.ex> |
dc9c8f8b JH | 166 | ??? 250 |
dc9c8f8b JH | 167 | rcpt to:<userx@test.ex> |
dc9c8f8b JH | 168 | ??? 250 |
dc9c8f8b JH | 169 | quit |
dc9c8f8b JH | 170 | ??? 221 |
dc9c8f8b JH | 171 | **** |
59371ea7 | 172 | killdaemon |