[exim.git] / test / scripts / 2000-GnuTLS / 2014

# TLS server: mandatory, optional, and revoked certificates
gnutls
munge gnutls_unexpected
exim -DSERVER=server -bd -oX PORT_D
****
### No certificate, certificate required
client-gnutls HOSTIPV4 PORT_D
??? 220
ehlo rhu1.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
nop
????554
****
### No certificate, certificate optional at TLS time, required by ACL
client-gnutls 127.0.0.1 PORT_D
??? 220
ehlo rhu2.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo rhu2tls.barb
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu3.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Good certificate, certificate optional at TLS time, checked by ACL
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu4.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Bad certificate, certificate required
# Actually this test does not have the client presenting a cert at all, as it filters what it has
# by the options offered by the server first.  So it's not a good testcase.
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu5.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
nop
????554
****
### Bad certificate, certificate optional at TLS time, reject at ACL time
# (situation as above)
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu6.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
killdaemon
#
#
#
#
exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
****
### Otherwise good but revoked certificate, certificate required
# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu7.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<userx@test.ex>
??? 554
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu8.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required - but nonmatching CRL also present
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu9.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
killdaemon
Commit	Line	Data
59371ea7 PH	1	# TLS server: mandatory, optional, and revoked certificates
59371ea7 PH	2	gnutls
c9a55f6a	3	munge gnutls_unexpected
59371ea7 PH	4	exim -DSERVER=server -bd -oX PORT_D
59371ea7 PH	5	****
dc9c8f8b	6	### No certificate, certificate required
59371ea7 PH	7	client-gnutls HOSTIPV4 PORT_D
59371ea7 PH	8	??? 220
5c8cda3a	9	ehlo rhu1.barb
59371ea7 PH	10	??? 250-
	11	??? 250-
	12	??? 250-
	13	??? 250-
5b456975	14	??? 250-
59371ea7 PH	15	??? 250
	16	starttls
	17	??? 220
099afc4f JH	18	nop
099afc4f JH	19	????554
59371ea7	20	****
dc9c8f8b	21	### No certificate, certificate optional at TLS time, required by ACL
59371ea7 PH	22	client-gnutls 127.0.0.1 PORT_D
59371ea7 PH	23	??? 220
5c8cda3a	24	ehlo rhu2.barb
59371ea7 PH	25	??? 250-
	26	??? 250-
	27	??? 250-
	28	??? 250-
5b456975	29	??? 250-
59371ea7 PH	30	??? 250
	31	starttls
	32	??? 220
5c8cda3a	33	helo rhu2tls.barb
59371ea7 PH	34	??? 250
	35	mail from:<userx@test.ex>
	36	??? 250
	37	rcpt to:<userx@test.ex>
	38	??? 550
	39	quit
	40	??? 221
	41	****
dc9c8f8b JH	42	### Good certificate, certificate required
dc9c8f8b JH	43	client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
59371ea7	44	??? 220
5c8cda3a	45	ehlo rhu3.barb
59371ea7 PH	46	??? 250-
	47	??? 250-
	48	??? 250-
	49	??? 250-
5b456975	50	??? 250-
59371ea7 PH	51	??? 250
	52	starttls
	53	??? 220
	54	mail from:<userx@test.ex>
	55	??? 250
	56	rcpt to:<userx@test.ex>
	57	??? 250
	58	quit
	59	??? 221
	60	****
dc9c8f8b JH	61	### Good certificate, certificate optional at TLS time, checked by ACL
dc9c8f8b JH	62	client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
59371ea7	63	??? 220
5c8cda3a	64	ehlo rhu4.barb
59371ea7 PH	65	??? 250-
	66	??? 250-
	67	??? 250-
	68	??? 250-
5b456975	69	??? 250-
59371ea7 PH	70	??? 250
	71	starttls
	72	??? 220
	73	mail from:<userx@test.ex>
	74	??? 250
	75	rcpt to:<userx@test.ex>
	76	??? 250
	77	quit
	78	??? 221
	79	****
dc9c8f8b JH	80	### Bad certificate, certificate required
	81	# Actually this test does not have the client presenting a cert at all, as it filters what it has
	82	# by the options offered by the server first. So it's not a good testcase.
	83	client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
59371ea7	84	??? 220
5c8cda3a	85	ehlo rhu5.barb
59371ea7 PH	86	??? 250-
	87	??? 250-
	88	??? 250-
	89	??? 250-
5b456975	90	??? 250-
59371ea7 PH	91	??? 250
	92	starttls
	93	??? 220
099afc4f JH	94	nop
099afc4f JH	95	????554
59371ea7	96	****
dc9c8f8b JH	97	### Bad certificate, certificate optional at TLS time, reject at ACL time
	98	# (situation as above)
	99	client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
59371ea7	100	??? 220
5c8cda3a	101	ehlo rhu6.barb
59371ea7 PH	102	??? 250-
	103	??? 250-
	104	??? 250-
	105	??? 250-
5b456975	106	??? 250-
59371ea7 PH	107	??? 250
	108	starttls
	109	??? 220
	110	mail from:<userx@test.ex>
	111	??? 250
	112	rcpt to:<userx@test.ex>
59371ea7 PH	113	??? 550
	114	quit
	115	??? 221
	116	****
	117	killdaemon
dc9c8f8b JH	118	#
	119	#
	120	#
	121	#
	122	exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
59371ea7	123	****
dc9c8f8b JH	124	### Otherwise good but revoked certificate, certificate required
	125	# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
	126	client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
59371ea7	127	??? 220
5c8cda3a	128	ehlo rhu7.barb
59371ea7 PH	129	??? 250-
	130	??? 250-
	131	??? 250-
	132	??? 250-
5b456975	133	??? 250-
59371ea7 PH	134	??? 250
	135	starttls
	136	??? 220
b2ba9267 JH	137	mail from:<userx@test.ex>
b2ba9267 JH	138	??? 554
59371ea7	139	****
dc9c8f8b JH	140	### Revoked certificate, certificate optional at TLS time, reject at ACL time
dc9c8f8b JH	141	client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
59371ea7	142	??? 220
5c8cda3a	143	ehlo rhu8.barb
59371ea7 PH	144	??? 250-
	145	??? 250-
	146	??? 250-
	147	??? 250-
5b456975	148	??? 250-
59371ea7 PH	149	??? 250
	150	starttls
	151	??? 220
	152	mail from:<userx@test.ex>
	153	??? 250
	154	rcpt to:<userx@test.ex>
59371ea7 PH	155	??? 550
	156	quit
	157	??? 221
	158	****
dc9c8f8b JH	159	### Good certificate, certificate required - but nonmatching CRL also present
	160	client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
	161	??? 220
099afc4f	162	ehlo rhu9.barb
dc9c8f8b JH	163	??? 250-
	164	??? 250-
	165	??? 250-
	166	??? 250-
	167	??? 250-
	168	??? 250
	169	starttls
	170	??? 220
	171	mail from:<userx@test.ex>
	172	??? 250
	173	rcpt to:<userx@test.ex>
	174	??? 250
	175	quit
	176	??? 221
	177	****
59371ea7	178	killdaemon