[exim.git] / test / scripts / 2000-GnuTLS / 2002

# TLS server: general ops and certificate extractions
gnutls
#
# Very early (unsure when) GnuTLS prefers RSA auth by default.  Later, but before 3.6.x, prefers
# ECDSA but the client can be given a priority order to override that.  We're running the server
# with no priority string given (tls_require_ciphers) hence default, and with both types of
# server cert loaded (RSA first, though we don't document that as relevant and in testing it
# does not appear to matter).
#
# GnuTLS 3.6.5 appears to ignore the client priority ordering, always choosing ECDSA if both
# are permitted, if TLS1.3 is permitted, so we limit to TLS1.2.
#
exim -DSERVER=server -bd -oX PORT_D
****
# Have the client do RSA (but support ECDSA as well).  That should get us RSA on both older and newer GnuTLS.
client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<CALLER@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message.
.
??? 250
quit
??? 221
****
client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<"name with spaces"@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message.
.
??? 250
quit
??? 221
****
#
# Server asks for a client cert but client does not supply one
client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 HOSTIPV4 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-SIZE
??? 250-8BITMIME
??? 250-PIPELINING
??? 250-STARTTLS
??? 250 HELP
starttls
??? 220 TLS go ahead
nop
???*
****
# ensure sequence of log TLS error line
killdaemon
sleep 1
exim -DSERVER=server -bd -oX PORT_D
****
#
#
# Server asks for a client cert, and one is given which is verifiable by the server
client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<CALLER@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message from a verified host.
.
??? 250
quit
??? 221
****
#
#
# A client that only talks RSA.
#
# We have to specify the key-exchange as well as the authentication, otherwise,
# the GnuTLS server side being foolish - it picks an ECDSA cipher-suite and then can't use it :(
# Possibly fixed in 3.6.x ? 
client-gnutls -p NONE:+SIGN-RSA-SHA256:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<CALLER@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message.
It should be sent under the RSA server cert and with an RSA cipher.
.
??? 250
quit
??? 221
****
#
#
# Make ECDSA authentication preferred (Older GnuTLS prefers RSA, it seems, Newer, ECDSA).
client-gnutls -p NONE:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+KX-ALL:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
mail from:<CALLER@test.ex>
??? 250
rcpt to:<CALLER@test.ex>
??? 250
DATA
??? 3
This is a test encrypted message.
It should be sent under the EC server cert and with an ECDSA cipher.
.
??? 250
quit
??? 221
****
killdaemon
sleep 1
# clear out the queue
exim -qf
****
sleep 1
#
# STARTTLS used when not advertised
exim -bh 10.0.0.1
starttls
quit
****
Commit	Line	Data
	1	# TLS server: general ops and certificate extractions
	2	gnutls
	3	#
	4	# Very early (unsure when) GnuTLS prefers RSA auth by default. Later, but before 3.6.x, prefers
	5	# ECDSA but the client can be given a priority order to override that. We're running the server
	6	# with no priority string given (tls_require_ciphers) hence default, and with both types of
	7	# server cert loaded (RSA first, though we don't document that as relevant and in testing it
	8	# does not appear to matter).
	9	#
	10	# GnuTLS 3.6.5 appears to ignore the client priority ordering, always choosing ECDSA if both
	11	# are permitted, if TLS1.3 is permitted, so we limit to TLS1.2.
	12	#
	13	exim -DSERVER=server -bd -oX PORT_D
	14	****
	15	# Have the client do RSA (but support ECDSA as well). That should get us RSA on both older and newer GnuTLS.
	16	client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
	17	??? 220
	18	ehlo rhu.barb
	19	??? 250-
	20	??? 250-
	21	??? 250-
	22	??? 250-
	23	??? 250-
	24	??? 250
	25	starttls
	26	??? 220
	27	mail from:<CALLER@test.ex>
	28	??? 250
	29	rcpt to:<CALLER@test.ex>
	30	??? 250
	31	DATA
	32	??? 3
	33	This is a test encrypted message.
	34	.
	35	??? 250
	36	quit
	37	??? 221
	38	****
	39	client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
	40	??? 220
	41	ehlo rhu.barb
	42	??? 250-
	43	??? 250-
	44	??? 250-
	45	??? 250-
	46	??? 250-
	47	??? 250
	48	starttls
	49	??? 220
	50	mail from:<"name with spaces"@test.ex>
	51	??? 250
	52	rcpt to:<CALLER@test.ex>
	53	??? 250
	54	DATA
	55	??? 3
	56	This is a test encrypted message.
	57	.
	58	??? 250
	59	quit
	60	??? 221
	61	****
	62	#
	63	# Server asks for a client cert but client does not supply one
	64	client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 HOSTIPV4 PORT_D
	65	??? 220
	66	ehlo rhu.barb
	67	??? 250-
	68	??? 250-SIZE
	69	??? 250-8BITMIME
	70	??? 250-PIPELINING
	71	??? 250-STARTTLS
	72	??? 250 HELP
	73	starttls
	74	??? 220 TLS go ahead
	75	nop
	76	???*
	77	****
	78	# ensure sequence of log TLS error line
	79	killdaemon
	80	sleep 1
	81	exim -DSERVER=server -bd -oX PORT_D
	82	****
	83	#
	84	#
	85	# Server asks for a client cert, and one is given which is verifiable by the server
	86	client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
	87	??? 220
	88	ehlo rhu.barb
	89	??? 250-
	90	??? 250-
	91	??? 250-
	92	??? 250-
	93	??? 250-
	94	??? 250
	95	starttls
	96	??? 220
	97	mail from:<CALLER@test.ex>
	98	??? 250
	99	rcpt to:<CALLER@test.ex>
	100	??? 250
	101	DATA
	102	??? 3
	103	This is a test encrypted message from a verified host.
	104	.
	105	??? 250
	106	quit
	107	??? 221
	108	****
	109	#
	110	#
	111	# A client that only talks RSA.
	112	#
	113	# We have to specify the key-exchange as well as the authentication, otherwise,
	114	# the GnuTLS server side being foolish - it picks an ECDSA cipher-suite and then can't use it :(
	115	# Possibly fixed in 3.6.x ?
	116	client-gnutls -p NONE:+SIGN-RSA-SHA256:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
	117	??? 220
	118	ehlo rhu.barb
	119	??? 250-
	120	??? 250-
	121	??? 250-
	122	??? 250-
	123	??? 250-
	124	??? 250
	125	starttls
	126	??? 220
	127	mail from:<CALLER@test.ex>
	128	??? 250
	129	rcpt to:<CALLER@test.ex>
	130	??? 250
	131	DATA
	132	??? 3
	133	This is a test encrypted message.
	134	It should be sent under the RSA server cert and with an RSA cipher.
	135	.
	136	??? 250
	137	quit
	138	??? 221
	139	****
	140	#
	141	#
	142	# Make ECDSA authentication preferred (Older GnuTLS prefers RSA, it seems, Newer, ECDSA).
	143	client-gnutls -p NONE:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+KX-ALL:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
	144	??? 220
	145	ehlo rhu.barb
	146	??? 250-
	147	??? 250-
	148	??? 250-
	149	??? 250-
	150	??? 250-
	151	??? 250
	152	starttls
	153	??? 220
	154	mail from:<CALLER@test.ex>
	155	??? 250
	156	rcpt to:<CALLER@test.ex>
	157	??? 250
	158	DATA
	159	??? 3
	160	This is a test encrypted message.
	161	It should be sent under the EC server cert and with an ECDSA cipher.
	162	.
	163	??? 250
	164	quit
	165	??? 221
	166	****
	167	killdaemon
	168	sleep 1
	169	# clear out the queue
	170	exim -qf
	171	****
	172	sleep 1
	173	#
	174	# STARTTLS used when not advertised
	175	exim -bh 10.0.0.1
	176	starttls
	177	quit
	178	****