Handle certificate dir under GnuTLS, if recent enough

Add testcases for certificate directories

The GnuTLS implementation has been tested on Fedora 21 (alpha),
using GnuTLS 3.3.9.  The testsuite case is here but with the
script commented-out.  When enabled, the log/mail/stdout/stderr
files will be created fresh.

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 9cfc06ca5fbac4ee77d1a82485fbeee71b2202a1..e3df0854e192b21a691346fcfa7a449053ee5163 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16484,9 +16484,11 @@ See &%tls_verify_hosts%& below.
 The value of this option is expanded, and must then be the absolute path to
 a file containing permitted certificates for clients that
 match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you
 The value of this option is expanded, and must then be the absolute path to
 a file containing permitted certificates for clients that
 match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you

-are using OpenSSL, you can set &%tls_verify_certificates%& to the name of a
-directory containing certificate files. This does not work with GnuTLS; the
-option must be set to the name of a single file if you are using GnuTLS.
+are using either GnuTLS version 3.3.6 (or later) or OpenSSL,
+you can set &%tls_verify_certificates%& to the name of a
+directory containing certificate files.
+For earlier versions of GnuTLS
+the option must be set to the name of a single file.

 
 These certificates should be for the certificate authorities trusted, rather
 than the public cert of individual clients.  With both OpenSSL and GnuTLS, if
 
 These certificates should be for the certificate authorities trusted, rather
 than the public cert of individual clients.  With both OpenSSL and GnuTLS, if


@@ -23432,10 +23434,14 @@ certificate verification succeeds.
 .vindex "&$host_address$&"
 The value of this option must be the absolute path to a file containing
 permitted server certificates, for use when setting up an encrypted connection.
 .vindex "&$host_address$&"
 The value of this option must be the absolute path to a file containing
 permitted server certificates, for use when setting up an encrypted connection.

-Alternatively, if you are using OpenSSL, you can set
+Alternatively,
+if you are using either GnuTLS version 3.3.6 (or later) or OpenSSL,
+you can set

 &%tls_verify_certificates%& to the name of a directory containing certificate
 &%tls_verify_certificates%& to the name of a directory containing certificate

-files. This does not work with GnuTLS; the option must be set to the name of a
-single file if you are using GnuTLS. The values of &$host$& and
+files.
+For earlier versions of GnuTLS the option must be set to the name of a
+single file.
+The values of &$host$& and

 &$host_address$& are set to the name and address of the server during the
 expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS.
 
 &$host_address$& are set to the name and address of the server during the
 expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS.
 


@@ -25917,7 +25923,8 @@ There are some differences in usage when using GnuTLS instead of OpenSSL:
 
 .ilist
 The &%tls_verify_certificates%& option must contain the name of a file, not the
 
 .ilist
 The &%tls_verify_certificates%& option must contain the name of a file, not the

-name of a directory (for OpenSSL it can be either).
+name of a directory for GnuTLS versions before 3.3.6
+(for later versions, or OpenSSL, it can be either).

 .next
 The default value for &%tls_dhparam%& differs for historical reasons.
 .next
 .next
 The default value for &%tls_dhparam%& differs for historical reasons.
 .next

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 0b03894b2f1651d482413936b42db7f729df1d3e..8b3dfe8c7bb3648803632b1c1d0dcab971063f24 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -48,6 +48,9 @@ JH/06 Bug 1533: Fix truncation of items in headers_remove lists.  A fixed
       size buffer was used, resulting in syntax errors when an expansion
       exceeded it.
 
       size buffer was used, resulting in syntax errors when an expansion
       exceeded it.
 

+JH/07 Add support for directories of certificates when compiled with a GnuTLS
+      version 3.3.6 or later.
+

 
 Exim version 4.84
 -----------------
 
 Exim version 4.84
 -----------------

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 3043e3abc925ff07f2ee9b6ed8a069d118c853a9..14cdd12d439724b3cddf426c6a1015bec290cb4f 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -51,6 +51,11 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 # warning "GnuTLS library version too old; TPDA tls:cert event unsupported"
 # undef EXPERIMENTAL_TPDA
 #endif
 # warning "GnuTLS library version too old; TPDA tls:cert event unsupported"
 # undef EXPERIMENTAL_TPDA
 #endif

+#if GNUTLS_VERSION_NUMBER >= 0x030306
+# define SUPPORT_CA_DIR
+#else
+# undef  SUPPORT_CA_DIR
+#endif

 
 #ifndef DISABLE_OCSP
 # include <gnutls/ocsp.h>
 
 #ifndef DISABLE_OCSP
 # include <gnutls/ocsp.h>


@@ -884,6 +889,7 @@ if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
   return DEFER;
   }
 
   return DEFER;
   }
 

+#ifndef SUPPORT_CA_DIR

 /* The test suite passes in /dev/null; we could check for that path explicitly,
 but who knows if someone has some weird FIFO which always dumps some certs, or
 other weirdness.  The thing we really want to check is that it's not a
 /* The test suite passes in /dev/null; we could check for that path explicitly,
 but who knows if someone has some weird FIFO which always dumps some certs, or
 other weirdness.  The thing we really want to check is that it's not a


@@ -899,6 +905,7 @@ if (S_ISDIR(statbuf.st_mode))
       state->exp_tls_verify_certificates);
   return DEFER;
   }
       state->exp_tls_verify_certificates);
   return DEFER;
   }

+#endif

 
 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
         state->exp_tls_verify_certificates, statbuf.st_size);
 
 DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
         state->exp_tls_verify_certificates, statbuf.st_size);


@@ -910,8 +917,18 @@ if (statbuf.st_size == 0)
   return OK;
   }
 
   return OK;
   }
 

-cert_count = gnutls_certificate_set_x509_trust_file(state->x509_cred,
+cert_count =
+
+#ifdef SUPPORT_CA_DIR
+  (statbuf.st_mode & S_IFMT) == S_IFDIR
+  ?
+  gnutls_certificate_set_x509_trust_dir(state->x509_cred,
+    CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
+  :
+#endif
+  gnutls_certificate_set_x509_trust_file(state->x509_cred,

     CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
     CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);

+

 if (cert_count < 0)
   {
   rc = cert_count;
 if (cert_count < 0)
   {
   rc = cert_count;

diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0
new file mode 120000 (symlink)
index 0000000..0bc4716
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/08c48a5f.0
@@ -0,0 +1 @@
+../../CA/CA.pem
\ No newline at end of file

diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0 b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0
new file mode 120000 (symlink)
index 0000000..890dffc
--- /dev/null
+++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/certdir/61e813e6.0
@@ -0,0 +1 @@
+../../CA/Signer.pem
\ No newline at end of file

diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall
index 0e3feb25e3b0861940b4aa265e90cd8c948a6093..64e5a85b44b0af72a4774bfeff6bac183d8546b1 100755 (executable)
--- a/test/aux-fixed/exim-ca/genall
+++ b/test/aux-fixed/exim-ca/genall
@@ -112,6 +112,18 @@ do
     openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
 done
 
     openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
 done
 

+# Finally, a single certificate-directory
+cd example.com/server1.example.com
+mkdir -f certdir
+cd certdir
+f=../../CA/CA.pem
+h=`openssl x509 -hash -noout -in $f`
+ln -s $f $h.0
+f=../../CA/Signer.pem
+h=`openssl x509 -hash -noout -in $f`
+ln -s $f $h.0
+cd ../..
+

 find example.* -type d -print0 | xargs -0 chmod 755
 find example.* -type f -print0 | xargs -0 chmod 644
 
 find example.* -type d -print0 | xargs -0 chmod 755
 find example.* -type f -print0 | xargs -0 chmod 644
 

diff --git a/test/confs/2032 b/test/confs/2032
new file mode 100644 (file)
index 0000000..5a60993
--- /dev/null
+++ b/test/confs/2032
@@ -0,0 +1,73 @@
+# Exim test configuration 2032 (close copy of 2002)
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
+
+tls_verify_hosts = HOSTIPV4
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/certdir
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+  accept  hosts = :
+  deny    hosts = HOSTIPV4
+         !encrypted = AES256-SHA : \
+                      AES256-GCM-SHA384 : \
+                      IDEA-CBC-MD5 : \
+                      DES-CBC3-SHA : \
+                      DHE_RSA_AES_256_CBC_SHA1 : \
+                      DHE_RSA_3DES_EDE_CBC_SHA : \
+                      RSA_AES_256_CBC_SHA1
+  warn    logwrite =  ${if def:tls_in_ourcert \
+               {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
+               {We did not present a cert}}
+  accept  condition = ${if !def:tls_in_peercert}
+         logwrite =  Peer did not present a cert
+  accept  logwrite =  SN  <${certextract {subject}     {$tls_in_peercert}}>
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+  driver = accept
+  retry_use_local_part
+  transport = local_delivery
+  headers_add = tls-certificate-verified: $tls_certificate_verified
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+# End

diff --git a/test/confs/2132 b/test/confs/2132
new file mode 100644 (file)
index 0000000..0692493
--- /dev/null
+++ b/test/confs/2132
@@ -0,0 +1,74 @@
+# Exim test configuration 2132 (close copy of 2102)
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
+
+tls_verify_hosts = HOSTIPV4
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/certdir
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+  accept  hosts = :
+  deny    hosts = HOSTIPV4
+         !encrypted = AES256-SHA : \
+                      AES256-GCM-SHA384 : \
+                      IDEA-CBC-MD5 : \
+                      DES-CBC3-SHA : \
+                     DHE-RSA-AES256-SHA : \
+                     DHE-RSA-AES256-GCM-SHA384 : \
+                      DHE_RSA_AES_256_CBC_SHA1 : \
+                      DHE_RSA_3DES_EDE_CBC_SHA
+  warn    logwrite =  ${if def:tls_in_ourcert \
+               {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
+               {We did not present a cert}}
+  accept  condition = ${if !def:tls_in_peercert}
+         logwrite =  Peer did not present a cert
+  accept  logwrite =  SN  <${certextract {subject}     {$tls_in_peercert}}>
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+  driver = accept
+  retry_use_local_part
+  transport = local_delivery
+  headers_add = tls-certificate-verified: $tls_certificate_verified
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+# End

diff --git a/test/log/2132 b/test/log/2132
new file mode 100644 (file)
index 0000000..3463387
--- /dev/null
+++ b/test/log/2132
@@ -0,0 +1,20 @@
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
+1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
+1999-03-02 09:44:33 Peer did not present a cert
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
+1999-03-02 09:44:33 SN  <CN=server1.example.com>
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER <CALLER@test.ex> R=abc T=local_delivery
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf

diff --git a/test/mail/2132.CALLER b/test/mail/2132.CALLER
new file mode 100644 (file)
index 0000000..21b5e2c
--- /dev/null
+++ b/test/mail/2132.CALLER
@@ -0,0 +1,36 @@
+From CALLER@test.ex Tue Mar 02 09:44:33 1999
+Received: from [127.0.0.1]
+       by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+       (Exim x.yz)
+       (envelope-from <CALLER@test.ex>)
+       id 10HmaX-0005vi-00
+       for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 0
+TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+
+This is a test encrypted message.
+
+From "name with spaces"@test.ex Tue Mar 02 09:44:33 1999
+Received: from [127.0.0.1]
+       by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+       (Exim x.yz)
+       (envelope-from <"name with spaces"@test.ex>)
+       id 10HmaY-0005vi-00
+       for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 0
+TLS: cipher=TLSv1:AES256-SHA:256 peerdn=
+
+This is a test encrypted message.
+
+From CALLER@test.ex Tue Mar 02 09:44:33 1999
+Received: from [ip4.ip4.ip4.ip4]
+       by myhost.test.ex with smtps (TLSv1:AES256-SHA:256)
+       (Exim x.yz)
+       (envelope-from <CALLER@test.ex>)
+       id 10HmaZ-0005vi-00
+       for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+tls-certificate-verified: 1
+TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/CN=server1.example.com
+
+This is a test encrypted message from a verified host.
+

diff --git a/test/scripts/2000-GnuTLS/2032 b/test/scripts/2000-GnuTLS/2032
new file mode 100644 (file)
index 0000000..88c0e8a
--- /dev/null
+++ b/test/scripts/2000-GnuTLS/2032
@@ -0,0 +1,95 @@
+# TLS server: server ca cert from directory
+# - tests all disabled until GnuTLS 3.3.6 (or later) is in common use
+# - or we get a library-version dependency mechanism in the testsuite
+#
+#gnutls
+#exim -DSERVER=server -bd -oX PORT_D
+#****
+#client-gnutls 127.0.0.1 PORT_D
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#mail from:<CALLER@test.ex>
+#??? 250
+#rcpt to:<CALLER@test.ex>
+#??? 250
+#DATA
+#??? 3
+#This is a test encrypted message.
+#.
+#??? 250
+#quit
+#??? 221
+#****
+#client-gnutls 127.0.0.1 PORT_D
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#mail from:<"name with spaces"@test.ex>
+#??? 250
+#rcpt to:<CALLER@test.ex>
+#??? 250
+#DATA
+#??? 3
+#This is a test encrypted message.
+#.
+#??? 250
+#quit
+#??? 221
+#****
+#client-gnutls HOSTIPV4 PORT_D
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#****
+#client-gnutls HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+#??? 220
+#ehlo rhu.barb
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250-
+#??? 250
+#starttls
+#??? 220
+#mail from:<CALLER@test.ex>
+#??? 250
+#rcpt to:<CALLER@test.ex>
+#??? 250
+#DATA
+#??? 3
+#This is a test encrypted message from a verified host.
+#.
+#??? 250
+#quit
+#??? 221
+#****
+#killdaemon
+#exim -qf
+#****
+#exim -bh 10.0.0.1
+#starttls
+#quit
+#****

diff --git a/test/scripts/2100-OpenSSL/2132 b/test/scripts/2100-OpenSSL/2132
new file mode 100644 (file)
index 0000000..620a63f
--- /dev/null
+++ b/test/scripts/2100-OpenSSL/2132
@@ -0,0 +1,91 @@
+# TLS server: server ca cert from directory
+exim -DSERVER=server -bd -oX PORT_D
+****
+client-ssl 127.0.0.1 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<CALLER@test.ex>
+??? 250
+rcpt to:<CALLER@test.ex>
+??? 250
+DATA
+??? 3
+This is a test encrypted message.
+.
+??? 250
+quit
+??? 221
+****
+client-ssl 127.0.0.1 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<"name with spaces"@test.ex>
+??? 250
+rcpt to:<CALLER@test.ex>
+??? 250
+DATA
+??? 3
+This is a test encrypted message.
+.
+??? 250
+quit
+??? 221
+****
+client-ssl HOSTIPV4 PORT_D
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+****
+client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<CALLER@test.ex>
+??? 250
+rcpt to:<CALLER@test.ex>
+??? 250
+DATA
+??? 3
+This is a test encrypted message from a verified host.
+.
+??? 250
+quit
+??? 221
+****
+killdaemon
+exim -qf
+****
+exim -bh 10.0.0.1
+starttls
+quit
+****

diff --git a/test/stderr/2132 b/test/stderr/2132
new file mode 100644 (file)
index 0000000..59f3382
--- /dev/null
+++ b/test/stderr/2132
@@ -0,0 +1,10 @@
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+
+******** SERVER ********

diff --git a/test/stdout/2132 b/test/stdout/2132
new file mode 100644 (file)
index 0000000..a9724e1
--- /dev/null
+++ b/test/stdout/2132
@@ -0,0 +1,205 @@
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaX-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<"name with spaces"@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message.
+>>> .
+??? 250
+<<< 250 OK id=10HmaY-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read server session ticket A
+pppp:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:dddd:SSL alert number 40
+Failed to start TLS
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<CALLER@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<CALLER@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 3
+<<< 354 Enter message, ending with "." on a line by itself
+>>> This is a test encrypted message from a verified host.
+>>> .
+??? 250
+<<< 250 OK id=10HmaZ-0005vi-00
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+
+**** SMTP testing session as if from host 10.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+503 STARTTLS command used when not advertised\r
+221 myhost.test.ex closing connection\r