Commit | Line | Data |
---|---|---|
59371ea7 PH | 1 | # TLS server: mandatory, optional, and revoked certificates |
59371ea7 PH | 2 | gnutls |
c9a55f6a | 3 | munge gnutls_unexpected |
59371ea7 PH | 4 | exim -DSERVER=server -bd -oX PORT_D |
59371ea7 PH | 5 | **** |
dc9c8f8b | 6 | ### No certificate, certificate required |
59371ea7 PH | 7 | client-gnutls HOSTIPV4 PORT_D |
59371ea7 PH | 8 | ??? 220 |
5c8cda3a | 9 | ehlo rhu1.barb |
59371ea7 PH | 10 | ??? 250- |
59371ea7 PH | 11 | ??? 250- |
59371ea7 PH | 12 | ??? 250- |
59371ea7 PH | 13 | ??? 250- |
5b456975 | 14 | ??? 250- |
59371ea7 PH | 15 | ??? 250 |
59371ea7 PH | 16 | starttls |
59371ea7 PH | 17 | ??? 220 |
099afc4f JH | 18 | nop |
099afc4f JH | 19 | ????554 |
59371ea7 | 20 | **** |
dc9c8f8b | 21 | ### No certificate, certificate optional at TLS time, required by ACL |
59371ea7 PH | 22 | client-gnutls 127.0.0.1 PORT_D |
59371ea7 PH | 23 | ??? 220 |
5c8cda3a | 24 | ehlo rhu2.barb |
59371ea7 PH | 25 | ??? 250- |
59371ea7 PH | 26 | ??? 250- |
59371ea7 PH | 27 | ??? 250- |
59371ea7 PH | 28 | ??? 250- |
5b456975 | 29 | ??? 250- |
59371ea7 PH | 30 | ??? 250 |
59371ea7 PH | 31 | starttls |
59371ea7 PH | 32 | ??? 220 |
5c8cda3a | 33 | helo rhu2tls.barb |
59371ea7 PH | 34 | ??? 250 |
59371ea7 PH | 35 | mail from:<userx@test.ex> |
59371ea7 PH | 36 | ??? 250 |
59371ea7 PH | 37 | rcpt to:<userx@test.ex> |
59371ea7 PH | 38 | ??? 550 |
59371ea7 PH | 39 | quit |
59371ea7 PH | 40 | ??? 221 |
59371ea7 PH | 41 | **** |
dc9c8f8b JH | 42 | ### Good certificate, certificate required |
dc9c8f8b JH | 43 | client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key |
59371ea7 | 44 | ??? 220 |
5c8cda3a | 45 | ehlo rhu3.barb |
59371ea7 PH | 46 | ??? 250- |
59371ea7 PH | 47 | ??? 250- |
59371ea7 PH | 48 | ??? 250- |
59371ea7 PH | 49 | ??? 250- |
5b456975 | 50 | ??? 250- |
59371ea7 PH | 51 | ??? 250 |
59371ea7 PH | 52 | starttls |
59371ea7 PH | 53 | ??? 220 |
59371ea7 PH | 54 | mail from:<userx@test.ex> |
59371ea7 PH | 55 | ??? 250 |
59371ea7 PH | 56 | rcpt to:<userx@test.ex> |
59371ea7 PH | 57 | ??? 250 |
59371ea7 PH | 58 | quit |
59371ea7 PH | 59 | ??? 221 |
59371ea7 PH | 60 | **** |
dc9c8f8b JH | 61 | ### Good certificate, certificate optional at TLS time, checked by ACL |
dc9c8f8b JH | 62 | client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key |
59371ea7 | 63 | ??? 220 |
5c8cda3a | 64 | ehlo rhu4.barb |
59371ea7 PH | 65 | ??? 250- |
59371ea7 PH | 66 | ??? 250- |
59371ea7 PH | 67 | ??? 250- |
59371ea7 PH | 68 | ??? 250- |
5b456975 | 69 | ??? 250- |
59371ea7 PH | 70 | ??? 250 |
59371ea7 PH | 71 | starttls |
59371ea7 PH | 72 | ??? 220 |
59371ea7 PH | 73 | mail from:<userx@test.ex> |
59371ea7 PH | 74 | ??? 250 |
59371ea7 PH | 75 | rcpt to:<userx@test.ex> |
59371ea7 PH | 76 | ??? 250 |
59371ea7 PH | 77 | quit |
59371ea7 PH | 78 | ??? 221 |
59371ea7 PH | 79 | **** |
dc9c8f8b JH | 80 | ### Bad certificate, certificate required |
dc9c8f8b JH | 81 | # Actually this test does not have the client presenting a cert at all, as it filters what it has |
dc9c8f8b JH | 82 | # by the options offered by the server first. So it's not a good testcase. |
dc9c8f8b JH | 83 | client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key |
59371ea7 | 84 | ??? 220 |
5c8cda3a | 85 | ehlo rhu5.barb |
59371ea7 PH | 86 | ??? 250- |
59371ea7 PH | 87 | ??? 250- |
59371ea7 PH | 88 | ??? 250- |
59371ea7 PH | 89 | ??? 250- |
5b456975 | 90 | ??? 250- |
59371ea7 PH | 91 | ??? 250 |
59371ea7 PH | 92 | starttls |
59371ea7 PH | 93 | ??? 220 |
099afc4f JH | 94 | nop |
099afc4f JH | 95 | ????554 |
59371ea7 | 96 | **** |
dc9c8f8b JH | 97 | ### Bad certificate, certificate optional at TLS time, reject at ACL time |
dc9c8f8b JH | 98 | # (situation as above) |
dc9c8f8b JH | 99 | client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key |
59371ea7 | 100 | ??? 220 |
5c8cda3a | 101 | ehlo rhu6.barb |
59371ea7 PH | 102 | ??? 250- |
59371ea7 PH | 103 | ??? 250- |
59371ea7 PH | 104 | ??? 250- |
59371ea7 PH | 105 | ??? 250- |
5b456975 | 106 | ??? 250- |
59371ea7 PH | 107 | ??? 250 |
59371ea7 PH | 108 | starttls |
59371ea7 PH | 109 | ??? 220 |
59371ea7 PH | 110 | mail from:<userx@test.ex> |
59371ea7 PH | 111 | ??? 250 |
59371ea7 PH | 112 | rcpt to:<userx@test.ex> |
59371ea7 PH | 113 | ??? 550 |
59371ea7 PH | 114 | quit |
59371ea7 PH | 115 | ??? 221 |
59371ea7 PH | 116 | **** |
59371ea7 PH | 117 | killdaemon |
dc9c8f8b JH | 118 | # |
dc9c8f8b JH | 119 | # |
dc9c8f8b JH | 120 | # |
dc9c8f8b JH | 121 | # |
dc9c8f8b JH | 122 | exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D |
59371ea7 | 123 | **** |
dc9c8f8b JH | 124 | ### Otherwise good but revoked certificate, certificate required |
dc9c8f8b JH | 125 | # GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL |
dc9c8f8b JH | 126 | client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key |
59371ea7 | 127 | ??? 220 |
5c8cda3a | 128 | ehlo rhu7.barb |
59371ea7 PH | 129 | ??? 250- |
59371ea7 PH | 130 | ??? 250- |
59371ea7 PH | 131 | ??? 250- |
59371ea7 PH | 132 | ??? 250- |
5b456975 | 133 | ??? 250- |
59371ea7 PH | 134 | ??? 250 |
59371ea7 PH | 135 | starttls |
59371ea7 PH | 136 | ??? 220 |
b2ba9267 JH | 137 | mail from:<userx@test.ex> |
b2ba9267 JH | 138 | ??? 554 |
59371ea7 | 139 | **** |
dc9c8f8b JH | 140 | ### Revoked certificate, certificate optional at TLS time, reject at ACL time |
dc9c8f8b JH | 141 | client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key |
59371ea7 | 142 | ??? 220 |
5c8cda3a | 143 | ehlo rhu8.barb |
59371ea7 PH | 144 | ??? 250- |
59371ea7 PH | 145 | ??? 250- |
59371ea7 PH | 146 | ??? 250- |
59371ea7 PH | 147 | ??? 250- |
5b456975 | 148 | ??? 250- |
59371ea7 PH | 149 | ??? 250 |
59371ea7 PH | 150 | starttls |
59371ea7 PH | 151 | ??? 220 |
59371ea7 PH | 152 | mail from:<userx@test.ex> |
59371ea7 PH | 153 | ??? 250 |
59371ea7 PH | 154 | rcpt to:<userx@test.ex> |
59371ea7 PH | 155 | ??? 550 |
59371ea7 PH | 156 | quit |
59371ea7 PH | 157 | ??? 221 |
59371ea7 PH | 158 | **** |
dc9c8f8b JH | 159 | ### Good certificate, certificate required - but nonmatching CRL also present |
dc9c8f8b JH | 160 | client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key |
dc9c8f8b JH | 161 | ??? 220 |
099afc4f | 162 | ehlo rhu9.barb |
dc9c8f8b JH | 163 | ??? 250- |
dc9c8f8b JH | 164 | ??? 250- |
dc9c8f8b JH | 165 | ??? 250- |
dc9c8f8b JH | 166 | ??? 250- |
dc9c8f8b JH | 167 | ??? 250- |
dc9c8f8b JH | 168 | ??? 250 |
dc9c8f8b JH | 169 | starttls |
dc9c8f8b JH | 170 | ??? 220 |
dc9c8f8b JH | 171 | mail from:<userx@test.ex> |
dc9c8f8b JH | 172 | ??? 250 |
dc9c8f8b JH | 173 | rcpt to:<userx@test.ex> |
dc9c8f8b JH | 174 | ??? 250 |
dc9c8f8b JH | 175 | quit |
dc9c8f8b JH | 176 | ??? 221 |
dc9c8f8b JH | 177 | **** |
59371ea7 | 178 | killdaemon |