test/scripts/2000-GnuTLS/2002

   1 # TLS server: general ops and certificate extractions
   2 gnutls
   3 #
   4 # Very early (unsure when) GnuTLS prefers RSA auth by default.  Later, but before 3.6.x, prefers
   5 # ECDSA but the client can be given a priority order to override that.  We're running the server
   6 # with no priority string given (tls_require_ciphers) hence default, and with both types of
   7 # server cert loaded (RSA first, though we don't document that as relevant and in testing it
   8 # does not appear to matter).
   9 #
  10 # GnuTLS 3.6.5 appears to ignore the client priority ordering, always choosing ECDSA if both
  11 # are permitted, if TLS1.3 is permitted, so we limit to TLS1.2.
  12 #
  13 exim -DSERVER=server -bd -oX PORT_D
  14 ****
  15 # Have the client do RSA (but support ECDSA as well).  That should get us RSA on both older and newer GnuTLS.
  16 client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
  17 ??? 220
  18 ehlo rhu.barb
  19 ??? 250-
  20 ??? 250-
  21 ??? 250-
  22 ??? 250-
  23 ??? 250-
  24 ??? 250
  25 starttls
  26 ??? 220
  27 mail from:<CALLER@test.ex>
  28 ??? 250
  29 rcpt to:<CALLER@test.ex>
  30 ??? 250
  31 DATA
  32 ??? 3
  33 This is a test encrypted message.
  34 .
  35 ??? 250
  36 quit
  37 ??? 221
  38 ****
  39 client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
  40 ??? 220
  41 ehlo rhu.barb
  42 ??? 250-
  43 ??? 250-
  44 ??? 250-
  45 ??? 250-
  46 ??? 250-
  47 ??? 250
  48 starttls
  49 ??? 220
  50 mail from:<"name with spaces"@test.ex>
  51 ??? 250
  52 rcpt to:<CALLER@test.ex>
  53 ??? 250
  54 DATA
  55 ??? 3
  56 This is a test encrypted message.
  57 .
  58 ??? 250
  59 quit
  60 ??? 221
  61 ****
  62 # Server asks for a client cert (?but client does not supply one?)
  63 client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 HOSTIPV4 PORT_D
  64 ??? 220
  65 ehlo rhu.barb
  66 ??? 250-
  67 ??? 250-
  68 ??? 250-
  69 ??? 250-
  70 ??? 250-
  71 ??? 250
  72 starttls
  73 ??? 220
  74 ****
  75 # Server asks for a client cert, and one is given which is verifiable by the server
  76 client-gnutls -p NONE:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
  77 ??? 220
  78 ehlo rhu.barb
  79 ??? 250-
  80 ??? 250-
  81 ??? 250-
  82 ??? 250-
  83 ??? 250-
  84 ??? 250
  85 starttls
  86 ??? 220
  87 mail from:<CALLER@test.ex>
  88 ??? 250
  89 rcpt to:<CALLER@test.ex>
  90 ??? 250
  91 DATA
  92 ??? 3
  93 This is a test encrypted message from a verified host.
  94 .
  95 ??? 250
  96 quit
  97 ??? 221
  98 ****
  99 #
 100 #
 101 # A client that only talks RSA.
 102 #
 103 # We have to specify the key-exchange as well as the authentication, otherwise,
 104 # the GnuTLS server side being foolish - it picks an ECDSA cipher-suite and then can't use it :(
 105 # Possibly fixed in 3.6.x ?
 106 client-gnutls -p NONE:+SIGN-RSA-SHA256:+VERS-TLS1.2:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
 107 ??? 220
 108 ehlo rhu.barb
 109 ??? 250-
 110 ??? 250-
 111 ??? 250-
 112 ??? 250-
 113 ??? 250-
 114 ??? 250
 115 starttls
 116 ??? 220
 117 mail from:<CALLER@test.ex>
 118 ??? 250
 119 rcpt to:<CALLER@test.ex>
 120 ??? 250
 121 DATA
 122 ??? 3
 123 This is a test encrypted message.
 124 It should be sent under the RSA server cert and with an RSA cipher.
 125 .
 126 ??? 250
 127 quit
 128 ??? 221
 129 ****
 130 #
 131 #
 132 # Make ECDSA authentication preferred (Older GnuTLS prefers RSA, it seems, Newer, ECDSA).
 133 client-gnutls -p NONE:+SIGN-ECDSA-SHA512:+VERS-TLS1.2:+KX-ALL:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 127.0.0.1 PORT_D
 134 ??? 220
 135 ehlo rhu.barb
 136 ??? 250-
 137 ??? 250-
 138 ??? 250-
 139 ??? 250-
 140 ??? 250-
 141 ??? 250
 142 starttls
 143 ??? 220
 144 mail from:<CALLER@test.ex>
 145 ??? 250
 146 rcpt to:<CALLER@test.ex>
 147 ??? 250
 148 DATA
 149 ??? 3
 150 This is a test encrypted message.
 151 It should be sent under the EC server cert and with an ECDSA cipher.
 152 .
 153 ??? 250
 154 quit
 155 ??? 221
 156 ****
 157 killdaemon
 158 exim -qf
 159 ****
 160 exim -bh 10.0.0.1
 161 starttls
 162 quit
 163 ****