TLS: rework error logging to pass more string back to caller for logging

This permits a library-sourced error to be associated with an address
being delivered, collapsing pairs of log lines

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c23f9fe2dcb3f9c888cbe158968cb53b7f3108bf..f608e451ab93ee458d974eee204221f9ba9e15d6 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -89,6 +89,11 @@ JH/16 Drop variables when they go out of scope.  Memory management drops a whole
       bug: a transport crash, where a dangling pointer for $sending_ip_address
       originally assigned in a verify callout, is re-used.
 
       bug: a transport crash, where a dangling pointer for $sending_ip_address
       originally assigned in a verify callout, is re-used.
 

+JH/17 Rework error string handling in TLS interface so that the caller in
+      more cases is responsible for logging.  This permits library-sourced
+      string to be attached to addresses during delivery, and collapses
+      pairs of long lines into single ones.
+

 
 Exim version 4.88
 -----------------
 
 Exim version 4.88
 -----------------

diff --git a/src/src/functions.h b/src/src/functions.h
index 0fc69e4ebf1ff9c9f54098d6a1664c2565c19ad9..a0ab39e17dddfad21ccf451151883d5d52e29cac 100644 (file)
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -45,11 +45,11 @@ extern uschar * tls_cert_fprt_sha1(void *);
 extern uschar * tls_cert_fprt_sha256(void *);
 
 extern int     tls_client_start(int, host_item *, address_item *,
 extern uschar * tls_cert_fprt_sha256(void *);
 
 extern int     tls_client_start(int, host_item *, address_item *,

-                transport_instance *
+                transport_instance *,

 # ifdef EXPERIMENTAL_DANE
 # ifdef EXPERIMENTAL_DANE

-               , dns_answer *
+               dns_answer *,

 # endif
 # endif

-                               );
+               uschar **);

 extern void    tls_close(BOOL, BOOL);
 extern int     tls_export_cert(uschar *, size_t, void *);
 extern int     tls_feof(void);
 extern void    tls_close(BOOL, BOOL);
 extern int     tls_export_cert(uschar *, size_t, void *);
 extern int     tls_feof(void);


@@ -59,7 +59,7 @@ extern int     tls_getc(unsigned);
 extern void    tls_get_cache(void);
 extern int     tls_import_cert(const uschar *, void **);
 extern int     tls_read(BOOL, uschar *, size_t);
 extern void    tls_get_cache(void);
 extern int     tls_import_cert(const uschar *, void **);
 extern int     tls_read(BOOL, uschar *, size_t);

-extern int     tls_server_start(const uschar *);
+extern int     tls_server_start(const uschar *, uschar **);

 extern BOOL    tls_smtp_buffered(void);
 extern int     tls_ungetc(int);
 extern int     tls_write(BOOL, const uschar *, size_t);
 extern BOOL    tls_smtp_buffered(void);
 extern int     tls_ungetc(int);
 extern int     tls_write(BOOL, const uschar *, size_t);

diff --git a/src/src/readconf.c b/src/src/readconf.c
index 55bba4c05317f9bee419c86cb6060038938cdb8a..7751b3607847d92557699b94e22d122d82a829a3 100644 (file)
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -3251,12 +3251,9 @@ if (pid == 0)
     exim_setugid(exim_uid, exim_gid, FALSE,
         US"calling tls_validate_require_cipher");
 
     exim_setugid(exim_uid, exim_gid, FALSE,
         US"calling tls_validate_require_cipher");
 

-  errmsg = tls_validate_require_cipher();
-  if (errmsg)
-    {
+  if ((errmsg = tls_validate_require_cipher()))

     log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
         "tls_require_ciphers invalid: %s", errmsg);
     log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
         "tls_require_ciphers invalid: %s", errmsg);

-    }

   fflush(NULL);
   _exit(0);
   }
   fflush(NULL);
   _exit(0);
   }

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index bd83de0456b0322662a9a51f1be93295d6b7a8c6..6963e7da2286cbf8d280e15fbe9f6ce0b8b31596 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2218,6 +2218,19 @@ return done - 2;  /* Convert yield values */
 
 
 
 
 
 

+static BOOL
+smtp_log_tls_fail(uschar * errstr)
+{
+uschar * conn_info = smtp_get_connection_info();
+
+if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
+/* I'd like to get separated H= here, but too hard for now */
+
+log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
+return FALSE;
+}
+
+

 /*************************************************
 *          Start an SMTP session                 *
 *************************************************/
 /*************************************************
 *          Start an SMTP session                 *
 *************************************************/


@@ -2706,8 +2719,8 @@ if (check_proxy_protocol_host())
   smtps port for use with older style SSL MTAs. */
 
 #ifdef SUPPORT_TLS
   smtps port for use with older style SSL MTAs. */
 
 #ifdef SUPPORT_TLS

-  if (tls_in.on_connect && tls_server_start(tls_require_ciphers) != OK)
-    return FALSE;
+  if (tls_in.on_connect && tls_server_start(tls_require_ciphers, &user_msg) != OK)
+    return smtp_log_tls_fail(user_msg);

 #endif
 
 /* Run the connect ACL if it exists */
 #endif
 
 /* Run the connect ACL if it exists */


@@ -5181,7 +5194,8 @@ while (done <= 0)
     We must allow for an extra EHLO command and an extra AUTH command after
     STARTTLS that don't add to the nonmail command count. */
 
     We must allow for an extra EHLO command and an extra AUTH command after
     STARTTLS that don't add to the nonmail command count. */
 

-    if ((rc = tls_server_start(tls_require_ciphers)) == OK)
+    s = NULL;
+    if ((rc = tls_server_start(tls_require_ciphers, &s)) == OK)

       {
       if (!tls_remember_esmtp)
         helo_seen = esmtp = auth_advertised = pipelining_advertised = FALSE;
       {
       if (!tls_remember_esmtp)
         helo_seen = esmtp = auth_advertised = pipelining_advertised = FALSE;


@@ -5210,11 +5224,13 @@ while (done <= 0)
       DEBUG(D_tls) debug_printf("TLS active\n");
       break;     /* Successful STARTTLS */
       }
       DEBUG(D_tls) debug_printf("TLS active\n");
       break;     /* Successful STARTTLS */
       }

+    else
+      (void) smtp_log_tls_fail(s);

 
     /* Some local configuration problem was discovered before actually trying
     to do a TLS handshake; give a temporary error. */
 
 
     /* Some local configuration problem was discovered before actually trying
     to do a TLS handshake; give a temporary error. */
 

-    else if (rc == DEFER)
+    if (rc == DEFER)

       {
       smtp_printf("454 TLS currently unavailable\r\n");
       break;
       {
       smtp_printf("454 TLS currently unavailable\r\n");
       break;

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 7b16fc811887724a641d75deaaac023a668e8662..c3f7241de4c413612cbdd0403e11b2feeeb39fd6 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -206,9 +206,12 @@ before, for now. */
 #endif
 
 #define exim_gnutls_err_check(Label) do { \
 #endif
 
 #define exim_gnutls_err_check(Label) do { \

-  if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
+  if (rc != GNUTLS_E_SUCCESS) \
+    return tls_error((Label), gnutls_strerror(rc), host, errstr); \
+  } while (0)

 
 

-#define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname)
+#define expand_check_tlsvar(Varname, errstr) \
+  expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)

 
 #if GNUTLS_VERSION_NUMBER >= 0x020c00
 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
 
 #if GNUTLS_VERSION_NUMBER >= 0x020c00
 # define HAVE_GNUTLS_SESSION_CHANNEL_BINDING


@@ -264,29 +267,18 @@ Argument:
             usually obtained from gnutls_strerror()
   host      NULL if setting up a server;
             the connected host if setting up a client
             usually obtained from gnutls_strerror()
   host      NULL if setting up a server;
             the connected host if setting up a client

+  errstr    pointer to returned error string

 
 Returns:    OK/DEFER/FAIL
 */
 
 static int
 
 Returns:    OK/DEFER/FAIL
 */
 
 static int

-tls_error(const uschar *prefix, const char *msg, const host_item *host)
+tls_error(const uschar *prefix, const char *msg, const host_item *host,
+  uschar ** errstr)

 {
 {

-if (host)
-  {
-  log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s)%s%s",
-      host->name, host->address, prefix, msg ? ": " : "", msg ? msg : "");
-  return FAIL;
-  }
-else
-  {
-  uschar *conn_info = smtp_get_connection_info();
-  if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
-    conn_info += 5;
-  /* I'd like to get separated H= here, but too hard for now */
-  log_write(0, LOG_MAIN, "TLS error on %s (%s)%s%s",
-      conn_info, prefix, msg ? ": " : "", msg ? msg : "");
-  return DEFER;
-  }
+if (errstr)
+  *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : "");
+return host ? FAIL : DEFER;

 }
 
 
 }
 
 


@@ -310,7 +302,8 @@ Returns:   nothing
 static void
 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
 {
 static void
 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
 {

-const char *msg;
+const char * msg;
+uschar * errstr;

 
 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
   msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
 
 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
   msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),


@@ -318,7 +311,18 @@ if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
 else
   msg = gnutls_strerror(rc);
 
 else
   msg = gnutls_strerror(rc);
 

-tls_error(when, msg, state->host);
+(void) tls_error(when, msg, state->host, &errstr);
+
+if (state->host)
+  log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection %s",
+    state->host->name, state->host->address, errstr);
+else
+  {
+  uschar * conn_info = smtp_get_connection_info();
+  if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
+  /* I'd like to get separated H= here, but too hard for now */
+  log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
+  }

 }
 
 
 }
 
 


@@ -454,7 +458,7 @@ Returns:     OK/DEFER/FAIL
 */
 
 static int
 */
 
 static int

-init_server_dh(void)
+init_server_dh(uschar ** errstr)

 {
 int fd, rc;
 unsigned int dh_bits;
 {
 int fd, rc;
 unsigned int dh_bits;


@@ -475,7 +479,7 @@ exim_gnutls_err_check(US"gnutls_dh_params_init");
 m.data = NULL;
 m.size = 0;
 
 m.data = NULL;
 m.size = 0;
 

-if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam))
+if (!expand_check(tls_dhparam, US"tls_dhparam", &exp_tls_dhparam, errstr))

   return DEFER;
 
 if (!exp_tls_dhparam)
   return DEFER;
 
 if (!exp_tls_dhparam)


@@ -494,7 +498,7 @@ else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
 else if (exp_tls_dhparam[0] != '/')
   {
   if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
 else if (exp_tls_dhparam[0] != '/')
   {
   if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))

-    return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL);
+    return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL, errstr);

   m.size = Ustrlen(m.data);
   }
 else
   m.size = Ustrlen(m.data);
   }
 else


@@ -516,7 +520,7 @@ if (m.data)
 different filename and ensure we have sufficient bits. */
 dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
 if (!dh_bits)
 different filename and ensure we have sufficient bits. */
 dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
 if (!dh_bits)

-  return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL);
+  return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);

 DEBUG(D_tls)
   debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
       dh_bits);
 DEBUG(D_tls)
   debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
       dh_bits);


@@ -540,7 +544,7 @@ if (use_file_in_spool)
   {
   if (!string_format(filename_buf, sizeof(filename_buf),
         "%s/gnutls-params-%d", spool_directory, dh_bits))
   {
   if (!string_format(filename_buf, sizeof(filename_buf),
         "%s/gnutls-params-%d", spool_directory, dh_bits))

-    return tls_error(US"overlong filename", NULL, NULL);
+    return tls_error(US"overlong filename", NULL, NULL, errstr);

   filename = filename_buf;
   }
 
   filename = filename_buf;
   }
 


@@ -557,33 +561,33 @@ if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
     {
     saved_errno = errno;
     (void)close(fd);
     {
     saved_errno = errno;
     (void)close(fd);

-    return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL);
+    return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL, errstr);

     }
   if (!S_ISREG(statbuf.st_mode))
     {
     (void)close(fd);
     }
   if (!S_ISREG(statbuf.st_mode))
     {
     (void)close(fd);

-    return tls_error(US"TLS cache not a file", NULL, NULL);
+    return tls_error(US"TLS cache not a file", NULL, NULL, errstr);

     }
   if (!(fp = fdopen(fd, "rb")))
     {
     saved_errno = errno;
     (void)close(fd);
     return tls_error(US"fdopen(TLS cache stat fd) failed",
     }
   if (!(fp = fdopen(fd, "rb")))
     {
     saved_errno = errno;
     (void)close(fd);
     return tls_error(US"fdopen(TLS cache stat fd) failed",

-        strerror(saved_errno), NULL);
+        strerror(saved_errno), NULL, errstr);

     }
 
   m.size = statbuf.st_size;
   if (!(m.data = malloc(m.size)))
     {
     fclose(fp);
     }
 
   m.size = statbuf.st_size;
   if (!(m.data = malloc(m.size)))
     {
     fclose(fp);

-    return tls_error(US"malloc failed", strerror(errno), NULL);
+    return tls_error(US"malloc failed", strerror(errno), NULL, errstr);

     }
   if (!(sz = fread(m.data, m.size, 1, fp)))
     {
     saved_errno = errno;
     fclose(fp);
     free(m.data);
     }
   if (!(sz = fread(m.data, m.size, 1, fp)))
     {
     saved_errno = errno;
     fclose(fp);
     free(m.data);

-    return tls_error(US"fread failed", strerror(saved_errno), NULL);
+    return tls_error(US"fread failed", strerror(saved_errno), NULL, errstr);

     }
   fclose(fp);
 
     }
   fclose(fp);
 


@@ -604,7 +608,7 @@ else if (errno == ENOENT)
   }
 else
   return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),
   }
 else
   return tls_error(string_open_failed(errno, "\"%s\" for reading", filename),

-      NULL, NULL);
+      NULL, NULL, errstr);

 
 /* If ret < 0, either the cache file does not exist, or the data it contains
 is not useful. One particular case of this is when upgrading from an older
 
 /* If ret < 0, either the cache file does not exist, or the data it contains
 is not useful. One particular case of this is when upgrading from an older


@@ -619,11 +623,11 @@ if (rc < 0)
 
   if ((PATH_MAX - Ustrlen(filename)) < 10)
     return tls_error(US"Filename too long to generate replacement",
 
   if ((PATH_MAX - Ustrlen(filename)) < 10)
     return tls_error(US"Filename too long to generate replacement",

-        CS filename, NULL);
+        CS filename, NULL, errstr);

 
   temp_fn = string_copy(US "%s.XXXXXXX");
   if ((fd = mkstemp(CS temp_fn)) < 0)  /* modifies temp_fn */
 
   temp_fn = string_copy(US "%s.XXXXXXX");
   if ((fd = mkstemp(CS temp_fn)) < 0)  /* modifies temp_fn */

-    return tls_error(US"Unable to open temp file", strerror(errno), NULL);
+    return tls_error(US"Unable to open temp file", strerror(errno), NULL, errstr);

   (void)fchown(fd, exim_uid, exim_gid);   /* Probably not necessary */
 
   /* GnuTLS overshoots!
   (void)fchown(fd, exim_uid, exim_gid);   /* Probably not necessary */
 
   /* GnuTLS overshoots!


@@ -660,7 +664,7 @@ if (rc < 0)
     exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
   m.size = sz;
   if (!(m.data = malloc(m.size)))
     exim_gnutls_err_check(US"gnutls_dh_params_export_pkcs3(NULL) sizing");
   m.size = sz;
   if (!(m.data = malloc(m.size)))

-    return tls_error(US"memory allocation failed", strerror(errno), NULL);
+    return tls_error(US"memory allocation failed", strerror(errno), NULL, errstr);

 
   /* this will return a size 1 less than the allocation size above */
   rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
 
   /* this will return a size 1 less than the allocation size above */
   rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,


@@ -676,19 +680,19 @@ if (rc < 0)
     {
     free(m.data);
     return tls_error(US"TLS cache write D-H params failed",
     {
     free(m.data);
     return tls_error(US"TLS cache write D-H params failed",

-        strerror(errno), NULL);
+        strerror(errno), NULL, errstr);

     }
   free(m.data);
   if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
     return tls_error(US"TLS cache write D-H params final newline failed",
     }
   free(m.data);
   if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
     return tls_error(US"TLS cache write D-H params final newline failed",

-        strerror(errno), NULL);
+        strerror(errno), NULL, errstr);

 
   if ((rc = close(fd)))
 
   if ((rc = close(fd)))

-    return tls_error(US"TLS cache write close() failed", strerror(errno), NULL);
+    return tls_error(US"TLS cache write close() failed", strerror(errno), NULL, errstr);

 
   if (Urename(temp_fn, filename) < 0)
     return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
 
   if (Urename(temp_fn, filename) < 0)
     return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",

-          temp_fn, filename), strerror(errno), NULL);
+          temp_fn, filename), strerror(errno), NULL, errstr);

 
   DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
   }
 
   DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
   }


@@ -703,7 +707,7 @@ return OK;
 /* Create and install a selfsigned certificate, for use in server mode */
 
 static int
 /* Create and install a selfsigned certificate, for use in server mode */
 
 static int

-tls_install_selfsign(exim_gnutls_state_st * state)
+tls_install_selfsign(exim_gnutls_state_st * state, uschar ** errstr)

 {
 gnutls_x509_crt_t cert = NULL;
 time_t now;
 {
 gnutls_x509_crt_t cert = NULL;
 time_t now;


@@ -761,7 +765,7 @@ out:
   return rc;
 
 err:
   return rc;
 
 err:

-  rc = tls_error(where, gnutls_strerror(rc), NULL);
+  rc = tls_error(where, gnutls_strerror(rc), NULL, errstr);

   goto out;
 }
 
   goto out;
 }
 


@@ -782,12 +786,13 @@ which we are responsible for setting on the first pass through.
 
 Arguments:
   state           exim_gnutls_state_st *
 
 Arguments:
   state           exim_gnutls_state_st *

+  errstr         error string pointer

 
 Returns:          OK/DEFER/FAIL
 */
 
 static int
 
 Returns:          OK/DEFER/FAIL
 */
 
 static int

-tls_expand_session_files(exim_gnutls_state_st *state)
+tls_expand_session_files(exim_gnutls_state_st *state, uschar ** errstr)

 {
 struct stat statbuf;
 int rc;
 {
 struct stat statbuf;
 int rc;


@@ -831,7 +836,7 @@ false if expansion failed, unless expansion was forced to fail. */
 /* check if we at least have a certificate, before doing expensive
 D-H generation. */
 
 /* check if we at least have a certificate, before doing expensive
 D-H generation. */
 

-if (!expand_check_tlsvar(tls_certificate))
+if (!expand_check_tlsvar(tls_certificate, errstr))

   return DEFER;
 
 /* certificate is mandatory in server, optional in client */
   return DEFER;
 
 /* certificate is mandatory in server, optional in client */


@@ -840,11 +845,11 @@ if (  !state->exp_tls_certificate
    || !*state->exp_tls_certificate
    )
   if (!host)
    || !*state->exp_tls_certificate
    )
   if (!host)

-    return tls_install_selfsign(state);
+    return tls_install_selfsign(state, errstr);

   else
     DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
 
   else
     DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
 

-if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey))
+if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))

   return DEFER;
 
 /* tls_privatekey is optional, defaulting to same file as certificate */
   return DEFER;
 
 /* tls_privatekey is optional, defaulting to same file as certificate */


@@ -897,7 +902,7 @@ if (  !host /* server */
   else
     {
     if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
   else
     {
     if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",

-         &state->exp_tls_ocsp_file))
+         &state->exp_tls_ocsp_file, errstr))

       return DEFER;
 
     /* Use the full callback method for stapling just to get observability.
       return DEFER;
 
     /* Use the full callback method for stapling just to get observability.


@@ -921,14 +926,14 @@ behaviour. */
 
 if (state->tls_verify_certificates && *state->tls_verify_certificates)
   {
 
 if (state->tls_verify_certificates && *state->tls_verify_certificates)
   {

-  if (!expand_check_tlsvar(tls_verify_certificates))
+  if (!expand_check_tlsvar(tls_verify_certificates, errstr))

     return DEFER;
 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
   if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
     state->exp_tls_verify_certificates = NULL;
 #endif
   if (state->tls_crl && *state->tls_crl)
     return DEFER;
 #ifndef SUPPORT_SYSDEFAULT_CABUNDLE
   if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
     state->exp_tls_verify_certificates = NULL;
 #endif
   if (state->tls_crl && *state->tls_crl)

-    if (!expand_check_tlsvar(tls_crl))
+    if (!expand_check_tlsvar(tls_crl, errstr))

       return DEFER;
 
   if (!(state->exp_tls_verify_certificates &&
       return DEFER;
 
   if (!(state->exp_tls_verify_certificates &&


@@ -1041,12 +1046,13 @@ out to this.
 
 Arguments:
   state           exim_gnutls_state_st *
 
 Arguments:
   state           exim_gnutls_state_st *

+  errstr         error string pointer

 
 Returns:          OK/DEFER/FAIL
 */
 
 static int
 
 Returns:          OK/DEFER/FAIL
 */
 
 static int

-tls_set_remaining_x509(exim_gnutls_state_st *state)
+tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)

 {
 int rc;
 const host_item *host = state->host;  /* macro should be reconsidered? */
 {
 int rc;
 const host_item *host = state->host;  /* macro should be reconsidered? */


@@ -1059,7 +1065,7 @@ if (!state->host)
   {
   if (!dh_server_params)
     {
   {
   if (!dh_server_params)
     {

-    rc = init_server_dh();
+    rc = init_server_dh(errstr);

     if (rc != OK) return rc;
     }
   gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
     if (rc != OK) return rc;
     }
   gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);


@@ -1121,6 +1127,7 @@ Arguments:
   crl             CRL file
   require_ciphers tls_require_ciphers setting
   caller_state    returned state-info structure
   crl             CRL file
   require_ciphers tls_require_ciphers setting
   caller_state    returned state-info structure

+  errstr         error string pointer

 
 Returns:          OK/DEFER/FAIL
 */
 
 Returns:          OK/DEFER/FAIL
 */


@@ -1134,7 +1141,8 @@ tls_init(
     const uschar *cas,
     const uschar *crl,
     const uschar *require_ciphers,
     const uschar *cas,
     const uschar *crl,
     const uschar *require_ciphers,

-    exim_gnutls_state_st **caller_state)
+    exim_gnutls_state_st **caller_state,
+    uschar ** errstr)

 {
 exim_gnutls_state_st *state;
 int rc;
 {
 exim_gnutls_state_st *state;
 int rc;


@@ -1212,19 +1220,17 @@ that's tls_certificate, tls_privatekey, tls_verify_certificates, tls_crl */
 
 DEBUG(D_tls)
   debug_printf("Expanding various TLS configuration options for session credentials.\n");
 
 DEBUG(D_tls)
   debug_printf("Expanding various TLS configuration options for session credentials.\n");

-rc = tls_expand_session_files(state);
-if (rc != OK) return rc;
+if ((rc = tls_expand_session_files(state, errstr)) != OK) return rc;

 
 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
 requires a new structure afterwards. */
 
 
 /* These are all other parts of the x509_cred handling, since SNI in GnuTLS
 requires a new structure afterwards. */
 

-rc = tls_set_remaining_x509(state);
-if (rc != OK) return rc;
+if ((rc = tls_set_remaining_x509(state, errstr)) != OK) return rc;

 
 /* set SNI in client, only */
 if (host)
   {
 
 /* set SNI in client, only */
 if (host)
   {

-  if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni))
+  if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni, errstr))

     return DEFER;
   if (state->tlsp->sni && *state->tlsp->sni)
     {
     return DEFER;
   if (state->tlsp->sni && *state->tlsp->sni)
     {


@@ -1250,7 +1256,7 @@ want_default_priorities = TRUE;
 
 if (state->tls_require_ciphers && *state->tls_require_ciphers)
   {
 
 if (state->tls_require_ciphers && *state->tls_require_ciphers)
   {

-  if (!expand_check_tlsvar(tls_require_ciphers))
+  if (!expand_check_tlsvar(tls_require_ciphers, errstr))

     return DEFER;
   if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
     {
     return DEFER;
   if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
     {


@@ -1324,12 +1330,13 @@ don't apply.
 
 Arguments:
   state           exim_gnutls_state_st *
 
 Arguments:
   state           exim_gnutls_state_st *

+  errstr         pointer to error string

 
 Returns:          OK/DEFER/FAIL
 */
 
 static int
 
 Returns:          OK/DEFER/FAIL
 */
 
 static int

-peer_status(exim_gnutls_state_st *state)
+peer_status(exim_gnutls_state_st *state, uschar ** errstr)

 {
 uschar cipherbuf[256];
 const gnutls_datum_t *cert_list;
 {
 uschar cipherbuf[256];
 const gnutls_datum_t *cert_list;


@@ -1383,7 +1390,7 @@ if (cert_list == NULL || cert_list_size == 0)
       cert_list, cert_list_size);
   if (state->verify_requirement >= VERIFY_REQUIRED)
     return tls_error(US"certificate verification failed",
       cert_list, cert_list_size);
   if (state->verify_requirement >= VERIFY_REQUIRED)
     return tls_error(US"certificate verification failed",

-        "no certificate received from peer", state->host);
+        "no certificate received from peer", state->host, errstr);

   return OK;
   }
 
   return OK;
   }
 


@@ -1395,7 +1402,7 @@ if (ct != GNUTLS_CRT_X509)
     debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
   if (state->verify_requirement >= VERIFY_REQUIRED)
     return tls_error(US"certificate verification not possible, unhandled type",
     debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
   if (state->verify_requirement >= VERIFY_REQUIRED)
     return tls_error(US"certificate verification not possible, unhandled type",

-        ctn, state->host);
+        ctn, state->host, errstr);

   return OK;
   }
 
   return OK;
   }
 


@@ -1406,7 +1413,7 @@ if (ct != GNUTLS_CRT_X509)
       DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
        (Label), gnutls_strerror(rc)); \
       if (state->verify_requirement >= VERIFY_REQUIRED) \
       DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
        (Label), gnutls_strerror(rc)); \
       if (state->verify_requirement >= VERIFY_REQUIRED) \

-       return tls_error((Label), gnutls_strerror(rc), state->host); \
+       return tls_error((Label), gnutls_strerror(rc), state->host, errstr); \

       return OK; \
       } \
     } while (0)
       return OK; \
       } \
     } while (0)


@@ -1447,7 +1454,7 @@ the peer information, but that's too new for some OSes.
 
 Arguments:
   state           exim_gnutls_state_st *
 
 Arguments:
   state           exim_gnutls_state_st *

-  error           where to put an error message
+  errstr          where to put an error message

 
 Returns:
   FALSE     if the session should be rejected
 
 Returns:
   FALSE     if the session should be rejected


@@ -1455,17 +1462,17 @@ Returns:
 */
 
 static BOOL
 */
 
 static BOOL

-verify_certificate(exim_gnutls_state_st *state, const char **error)
+verify_certificate(exim_gnutls_state_st *state, uschar ** errstr)

 {
 int rc;
 unsigned int verify;
 
 {
 int rc;
 unsigned int verify;
 

-*error = NULL;
+*errstr = NULL;

 
 

-if ((rc = peer_status(state)) != OK)
+if ((rc = peer_status(state, errstr)) != OK)

   {
   verify = GNUTLS_CERT_INVALID;
   {
   verify = GNUTLS_CERT_INVALID;

-  *error = "certificate not supplied";
+  *errstr = US"certificate not supplied";

   }
 else
   rc = gnutls_certificate_verify_peers2(state->session, &verify);
   }
 else
   rc = gnutls_certificate_verify_peers2(state->session, &verify);


@@ -1478,13 +1485,13 @@ if (rc < 0 ||
    )
   {
   state->peer_cert_verified = FALSE;
    )
   {
   state->peer_cert_verified = FALSE;

-  if (!*error)
-    *error = verify & GNUTLS_CERT_REVOKED
-      ? "certificate revoked" : "certificate invalid";
+  if (!*errstr)
+    *errstr = verify & GNUTLS_CERT_REVOKED
+      ? US"certificate revoked" : US"certificate invalid";

 
   DEBUG(D_tls)
     debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
 
   DEBUG(D_tls)
     debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",

-        *error, state->peerdn ? state->peerdn : US"<unset>");
+        *errstr, state->peerdn ? state->peerdn : US"<unset>");

 
   if (state->verify_requirement >= VERIFY_REQUIRED)
     {
 
   if (state->verify_requirement >= VERIFY_REQUIRED)
     {


@@ -1579,6 +1586,7 @@ size_t data_len = MAX_HOST_LEN;
 exim_gnutls_state_st *state = &state_server;
 unsigned int sni_type;
 int rc, old_pool;
 exim_gnutls_state_st *state = &state_server;
 unsigned int sni_type;
 int rc, old_pool;

+uschar * dummy_errstr;

 
 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
 if (rc != GNUTLS_E_SUCCESS)
 
 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
 if (rc != GNUTLS_E_SUCCESS)


@@ -1589,7 +1597,7 @@ if (rc != GNUTLS_E_SUCCESS)
     else
       debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
         gnutls_strerror(rc), rc);
     else
       debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
         gnutls_strerror(rc), rc);

-  };
+    }

   return 0;
   }
 
   return 0;
   }
 


@@ -1614,15 +1622,14 @@ DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
 if (!state->trigger_sni_changes)
   return 0;
 
 if (!state->trigger_sni_changes)
   return 0;
 

-rc = tls_expand_session_files(state);
-if (rc != OK)
+if ((rc = tls_expand_session_files(state, &dummy_errstr)) != OK)

   {
   /* If the setup of certs/etc failed before handshake, TLS would not have
   been offered.  The best we can do now is abort. */
   return GNUTLS_E_APPLICATION_ERROR_MIN;
   }
 
   {
   /* If the setup of certs/etc failed before handshake, TLS would not have
   been offered.  The best we can do now is abort. */
   return GNUTLS_E_APPLICATION_ERROR_MIN;
   }
 

-rc = tls_set_remaining_x509(state);
+rc = tls_set_remaining_x509(state, &dummy_errstr);

 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
 
 return 0;
 if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
 
 return 0;


@@ -1720,6 +1727,7 @@ a TLS session.
 
 Arguments:
   require_ciphers  list of allowed ciphers or NULL
 
 Arguments:
   require_ciphers  list of allowed ciphers or NULL

+  errstr          pointer to error string

 
 Returns:           OK on success
                    DEFER for errors before the start of the negotiation
 
 Returns:           OK on success
                    DEFER for errors before the start of the negotiation


@@ -1728,16 +1736,15 @@ Returns:           OK on success
 */
 
 int
 */
 
 int

-tls_server_start(const uschar *require_ciphers)
+tls_server_start(const uschar * require_ciphers, uschar ** errstr)

 {
 int rc;
 {
 int rc;

-const char *error;
-exim_gnutls_state_st *state = NULL;
+exim_gnutls_state_st * state = NULL;

 
 /* Check for previous activation */
 if (tls_in.active >= 0)
   {
 
 /* Check for previous activation */
 if (tls_in.active >= 0)
   {

-  tls_error(US"STARTTLS received after TLS started", "", NULL);
+  tls_error(US"STARTTLS received after TLS started", "", NULL, errstr);

   smtp_printf("554 Already in TLS\r\n");
   return FAIL;
   }
   smtp_printf("554 Already in TLS\r\n");
   return FAIL;
   }


@@ -1747,10 +1754,9 @@ and sent an SMTP response. */
 
 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
 
 
 DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
 

-rc = tls_init(NULL, tls_certificate, tls_privatekey,
+if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,

     NULL, tls_verify_certificates, tls_crl,
     NULL, tls_verify_certificates, tls_crl,

-    require_ciphers, &state);
-if (rc != OK) return rc;
+    require_ciphers, &state, errstr)) != OK) return rc;

 
 /* If this is a host for which certificate verification is mandatory or
 optional, set up appropriately. */
 
 /* If this is a host for which certificate verification is mandatory or
 optional, set up appropriately. */


@@ -1828,12 +1834,12 @@ if (rc != GNUTLS_E_SUCCESS)
 
   if (sigalrm_seen)
     {
 
   if (sigalrm_seen)
     {

-    tls_error(US"gnutls_handshake", "timed out", NULL);
+    tls_error(US"gnutls_handshake", "timed out", NULL, errstr);

     gnutls_db_remove_session(state->session);
     }
   else
     {
     gnutls_db_remove_session(state->session);
     }
   else
     {

-    tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL);
+    tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL, errstr);

     (void) gnutls_alert_send_appropriate(state->session, rc);
     gnutls_deinit(state->session);
     gnutls_certificate_free_credentials(state->x509_cred);
     (void) gnutls_alert_send_appropriate(state->session, rc);
     gnutls_deinit(state->session);
     gnutls_certificate_free_credentials(state->x509_cred);


@@ -1853,21 +1859,21 @@ DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
 /* Verify after the fact */
 
 if (  state->verify_requirement != VERIFY_NONE
 /* Verify after the fact */
 
 if (  state->verify_requirement != VERIFY_NONE

-   && !verify_certificate(state, &error))
+   && !verify_certificate(state, errstr))

   {
   if (state->verify_requirement != VERIFY_OPTIONAL)
     {
   {
   if (state->verify_requirement != VERIFY_OPTIONAL)
     {

-    tls_error(US"certificate verification failed", error, NULL);
+    (void) tls_error(US"certificate verification failed", *errstr, NULL, errstr);

     return FAIL;
     }
   DEBUG(D_tls)
     debug_printf("TLS: continuing on only because verification was optional, after: %s\n",
     return FAIL;
     }
   DEBUG(D_tls)
     debug_printf("TLS: continuing on only because verification was optional, after: %s\n",

-       error);
+       *errstr);

   }
 
 /* Figure out peer DN, and if authenticated, etc. */
 
   }
 
 /* Figure out peer DN, and if authenticated, etc. */
 

-if ((rc = peer_status(state)) != OK) return rc;
+if ((rc = peer_status(state, NULL)) != OK) return rc;

 
 /* Sets various Exim expansion variables; always safe within server */
 
 
 /* Sets various Exim expansion variables; always safe within server */
 


@@ -1922,6 +1928,8 @@ Arguments:
   addr              the first address (not used)
   tb                transport (always smtp)
 
   addr              the first address (not used)
   tb                transport (always smtp)
 

+  errstr           error string pointer
+

 Returns:            OK/DEFER/FAIL (because using common functions),
                     but for a client, DEFER and FAIL have the same meaning
 */
 Returns:            OK/DEFER/FAIL (because using common functions),
                     but for a client, DEFER and FAIL have the same meaning
 */


@@ -1929,16 +1937,15 @@ Returns:            OK/DEFER/FAIL (because using common functions),
 int
 tls_client_start(int fd, host_item *host,
     address_item *addr ARG_UNUSED,
 int
 tls_client_start(int fd, host_item *host,
     address_item *addr ARG_UNUSED,

-    transport_instance *tb
+    transport_instance * tb,

 #ifdef EXPERIMENTAL_DANE
 #ifdef EXPERIMENTAL_DANE

-    , dns_answer * unused_tlsa_dnsa
+    dns_answer * tlsa_dnsa ARG_UNUSED,

 #endif
 #endif

-    )
+    uschar ** errstr)

 {
 smtp_transport_options_block *ob =
   (smtp_transport_options_block *)tb->options_block;
 int rc;
 {
 smtp_transport_options_block *ob =
   (smtp_transport_options_block *)tb->options_block;
 int rc;

-const char *error;

 exim_gnutls_state_st *state = NULL;
 #ifndef DISABLE_OCSP
 BOOL require_ocsp =
 exim_gnutls_state_st *state = NULL;
 #ifndef DISABLE_OCSP
 BOOL require_ocsp =


@@ -1951,7 +1958,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
 
 if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
     ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
 
 if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
     ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,

-    ob->tls_require_ciphers, &state)) != OK)
+    ob->tls_require_ciphers, &state, errstr)) != OK)

   return rc;
 
   {
   return rc;
 
   {


@@ -2012,7 +2019,7 @@ if (request_ocsp)
   if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
                    NULL, 0, NULL)) != OK)
     return tls_error(US"cert-status-req",
   if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
                    NULL, 0, NULL)) != OK)
     return tls_error(US"cert-status-req",

-                   gnutls_strerror(rc), state->host);
+                   gnutls_strerror(rc), state->host, errstr);

   tls_out.ocsp = OCSP_NOT_RESP;
   }
 #endif
   tls_out.ocsp = OCSP_NOT_RESP;
   }
 #endif


@@ -2046,18 +2053,18 @@ if (rc != GNUTLS_E_SUCCESS)
   if (sigalrm_seen)
     {
     gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
   if (sigalrm_seen)
     {
     gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);

-    return tls_error(US"gnutls_handshake", "timed out", state->host);
+    return tls_error(US"gnutls_handshake", "timed out", state->host, errstr);

     }
   else
     }
   else

-    return tls_error(US"gnutls_handshake", gnutls_strerror(rc), state->host);
+    return tls_error(US"gnutls_handshake", gnutls_strerror(rc), state->host, errstr);

 
 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
 
 /* Verify late */
 
 if (state->verify_requirement != VERIFY_NONE &&
 
 DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
 
 /* Verify late */
 
 if (state->verify_requirement != VERIFY_NONE &&

-    !verify_certificate(state, &error))
-  return tls_error(US"certificate verification failed", error, state->host);
+    !verify_certificate(state, errstr))
+  return tls_error(US"certificate verification failed", *errstr, state->host, errstr);

 
 #ifndef DISABLE_OCSP
 if (require_ocsp)
 
 #ifndef DISABLE_OCSP
 if (require_ocsp)


@@ -2077,13 +2084,13 @@ if (require_ocsp)
       gnutls_free(printed.data);
       }
     else
       gnutls_free(printed.data);
       }
     else

-      (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host);
+      (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host, errstr);

     }
 
   if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
     {
     tls_out.ocsp = OCSP_FAILED;
     }
 
   if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
     {
     tls_out.ocsp = OCSP_FAILED;

-    return tls_error(US"certificate status check failed", NULL, state->host);
+    return tls_error(US"certificate status check failed", NULL, state->host, errstr);

     }
   DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
   tls_out.ocsp = OCSP_VFIED;
     }
   DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
   tls_out.ocsp = OCSP_VFIED;


@@ -2092,7 +2099,7 @@ if (require_ocsp)
 
 /* Figure out peer DN, and if authenticated, etc. */
 
 
 /* Figure out peer DN, and if authenticated, etc. */
 

-if ((rc = peer_status(state)) != OK)
+if ((rc = peer_status(state, errstr)) != OK)

   return rc;
 
 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
   return rc;
 
 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */


@@ -2437,6 +2444,7 @@ int rc;
 uschar *expciphers = NULL;
 gnutls_priority_t priority_cache;
 const char *errpos;
 uschar *expciphers = NULL;
 gnutls_priority_t priority_cache;
 const char *errpos;

+uschar * dummy_errstr;

 
 #define validate_check_rc(Label) do { \
   if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \
 
 #define validate_check_rc(Label) do { \
   if (rc != GNUTLS_E_SUCCESS) { if (exim_gnutls_base_init_done) gnutls_global_deinit(); \


@@ -2461,7 +2469,8 @@ exim_gnutls_base_init_done = TRUE;
 if (!(tls_require_ciphers && *tls_require_ciphers))
   return_deinit(NULL);
 
 if (!(tls_require_ciphers && *tls_require_ciphers))
   return_deinit(NULL);
 

-if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
+if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
+                 &dummy_errstr))

   return_deinit(US"failed to expand tls_require_ciphers");
 
 if (!(expciphers && *expciphers))
   return_deinit(US"failed to expand tls_require_ciphers");
 
 if (!(expciphers && *expciphers))

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 392d59dd5ac28223a9475203963a3a5473795ff4..dd9affb659d610a5c25ca264f21fd3ed1851c36b 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -180,7 +180,7 @@ tls_ext_ctx_cb *server_static_cbinfo = NULL;
 
 static int
 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
 
 static int
 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,

-    int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
+    int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );

 
 /* Callbacks */
 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
 
 /* Callbacks */
 #ifdef EXIM_HAVE_OPENSSL_TLSEXT


@@ -207,35 +207,22 @@ Argument:
   host      NULL if setting up a server;
             the connected host if setting up a client
   msg       error message or NULL if we should ask OpenSSL
   host      NULL if setting up a server;
             the connected host if setting up a client
   msg       error message or NULL if we should ask OpenSSL

+  errstr    pointer to output error message

 
 Returns:    OK/DEFER/FAIL
 */
 
 static int
 
 Returns:    OK/DEFER/FAIL
 */
 
 static int

-tls_error(uschar * prefix, const host_item * host, uschar * msg)
+tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)

 {
 if (!msg)
   {
   ERR_error_string(ERR_get_error(), ssl_errstring);
 {
 if (!msg)
   {
   ERR_error_string(ERR_get_error(), ssl_errstring);

-  msg = (uschar *)ssl_errstring;
+  msg = US ssl_errstring;

   }
 
   }
 

-if (host)
-  {
-  log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s): %s",
-    host->name, host->address, prefix, msg);
-  return FAIL;
-  }
-else
-  {
-  uschar *conn_info = smtp_get_connection_info();
-  if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
-    conn_info += 5;
-  /* I'd like to get separated H= here, but too hard for now */
-  log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
-    conn_info, prefix, msg);
-  return DEFER;
-  }
+if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
+return host ? FAIL : DEFER;

 }
 
 
 }
 
 


@@ -596,19 +583,20 @@ Arguments:
   sctx      The current SSL CTX (inbound or outbound)
   dhparam   DH parameter file or fixed parameter identity string
   host      connected host, if client; NULL if server
   sctx      The current SSL CTX (inbound or outbound)
   dhparam   DH parameter file or fixed parameter identity string
   host      connected host, if client; NULL if server

+  errstr    error string pointer

 
 Returns:    TRUE if OK (nothing to set up, or setup worked)
 */
 
 static BOOL
 
 Returns:    TRUE if OK (nothing to set up, or setup worked)
 */
 
 static BOOL

-init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host)
+init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)

 {
 BIO *bio;
 DH *dh;
 uschar *dhexpanded;
 const char *pem;
 
 {
 BIO *bio;
 DH *dh;
 uschar *dhexpanded;
 const char *pem;
 

-if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
+if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))

   return FALSE;
 
 if (!dhexpanded || !*dhexpanded)
   return FALSE;
 
 if (!dhexpanded || !*dhexpanded)


@@ -618,7 +606,7 @@ else if (dhexpanded[0] == '/')
   if (!(bio = BIO_new_file(CS dhexpanded, "r")))
     {
     tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
   if (!(bio = BIO_new_file(CS dhexpanded, "r")))
     {
     tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),

-          host, US strerror(errno));
+          host, US strerror(errno), errstr);

     return FALSE;
     }
   }
     return FALSE;
     }
   }


@@ -633,7 +621,7 @@ else
   if (!(pem = std_dh_prime_named(dhexpanded)))
     {
     tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
   if (!(pem = std_dh_prime_named(dhexpanded)))
     {
     tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),

-        host, US strerror(errno));
+        host, US strerror(errno), errstr);

     return FALSE;
     }
   bio = BIO_new_mem_buf(CS pem, -1);
     return FALSE;
     }
   bio = BIO_new_mem_buf(CS pem, -1);


@@ -643,7 +631,7 @@ if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
   {
   BIO_free(bio);
   tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
   {
   BIO_free(bio);
   tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),

-      host, NULL);
+      host, NULL, errstr);

   return FALSE;
   }
 
   return FALSE;
   }
 


@@ -696,12 +684,13 @@ Patches welcome.
 Arguments:
   sctx      The current SSL CTX (inbound or outbound)
   host      connected host, if client; NULL if server
 Arguments:
   sctx      The current SSL CTX (inbound or outbound)
   host      connected host, if client; NULL if server

+  errstr    error string pointer

 
 Returns:    TRUE if OK (nothing to set up, or setup worked)
 */
 
 static BOOL
 
 Returns:    TRUE if OK (nothing to set up, or setup worked)
 */
 
 static BOOL

-init_ecdh(SSL_CTX * sctx, host_item * host)
+init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)

 {
 #ifdef OPENSSL_NO_ECDH
 return TRUE;
 {
 #ifdef OPENSSL_NO_ECDH
 return TRUE;


@@ -721,7 +710,7 @@ DEBUG(D_tls)
 return TRUE;
 # else
 
 return TRUE;
 # else
 

-if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve))
+if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))

   return FALSE;
 if (!exp_curve || !*exp_curve)
   return TRUE;
   return FALSE;
 if (!exp_curve || !*exp_curve)
   return TRUE;


@@ -760,15 +749,14 @@ if (  (nid = OBJ_sn2nid       (CCS exp_curve)) == NID_undef
 #   endif
    )
   {
 #   endif
    )
   {

-  tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'",
-      exp_curve),
-    host, NULL);
+  tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
+    host, NULL, errstr);

   return FALSE;
   }
 
 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
   {
   return FALSE;
   }
 
 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
   {

-  tls_error(US"Unable to create ec curve", host, NULL);
+  tls_error(US"Unable to create ec curve", host, NULL, errstr);

   return FALSE;
   }
 
   return FALSE;
   }
 


@@ -776,7 +764,7 @@ if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
 not to the stability of the interface. */
 
 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
 not to the stability of the interface. */
 
 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))

-  tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL);
+  tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);

 else
   DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
 
 else
   DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
 


@@ -951,7 +939,7 @@ return;
 /* Create and install a selfsigned certificate, for use in server mode */
 
 static int
 /* Create and install a selfsigned certificate, for use in server mode */
 
 static int

-tls_install_selfsign(SSL_CTX * sctx)
+tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)

 {
 X509 * x509 = NULL;
 EVP_PKEY * pkey;
 {
 X509 * x509 = NULL;
 EVP_PKEY * pkey;


@@ -1006,7 +994,7 @@ if (!SSL_CTX_use_PrivateKey(sctx, pkey))
 return OK;
 
 err:
 return OK;
 
 err:

-  (void) tls_error(where, NULL, NULL);
+  (void) tls_error(where, NULL, NULL, errstr);

   if (x509) X509_free(x509);
   if (pkey) EVP_PKEY_free(pkey);
   return DEFER;
   if (x509) X509_free(x509);
   if (pkey) EVP_PKEY_free(pkey);
   return DEFER;


@@ -1026,12 +1014,14 @@ the certificate string.
 Arguments:
   sctx            the SSL_CTX* to update
   cbinfo          various parts of session state
 Arguments:
   sctx            the SSL_CTX* to update
   cbinfo          various parts of session state

+  errstr         error string pointer

 
 Returns:          OK/DEFER/FAIL
 */
 
 static int
 
 Returns:          OK/DEFER/FAIL
 */
 
 static int

-tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
+tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
+  uschar ** errstr)

 {
 uschar *expanded;
 
 {
 uschar *expanded;
 


@@ -1040,7 +1030,7 @@ if (!cbinfo->certificate)
   if (cbinfo->host)                    /* client */
     return OK;
                                        /* server */
   if (cbinfo->host)                    /* client */
     return OK;
                                        /* server */

-  if (tls_install_selfsign(sctx) != OK)
+  if (tls_install_selfsign(sctx, errstr) != OK)

     return DEFER;
   }
 else
     return DEFER;
   }
 else


@@ -1051,7 +1041,7 @@ else
      )
     reexpand_tls_files_for_sni = TRUE;
 
      )
     reexpand_tls_files_for_sni = TRUE;
 

-  if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
+  if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))

     return DEFER;
 
   if (expanded != NULL)
     return DEFER;
 
   if (expanded != NULL)


@@ -1060,11 +1050,11 @@ else
     if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
       return tls_error(string_sprintf(
        "SSL_CTX_use_certificate_chain_file file=%s", expanded),
     if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
       return tls_error(string_sprintf(
        "SSL_CTX_use_certificate_chain_file file=%s", expanded),

-         cbinfo->host, NULL);
+         cbinfo->host, NULL, errstr);

     }
 
   if (cbinfo->privatekey != NULL &&
     }
 
   if (cbinfo->privatekey != NULL &&

-      !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
+      !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))

     return DEFER;
 
   /* If expansion was forced to fail, key_expanded will be NULL. If the result
     return DEFER;
 
   /* If expansion was forced to fail, key_expanded will be NULL. If the result


@@ -1076,14 +1066,14 @@ else
     DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
     if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
       return tls_error(string_sprintf(
     DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
     if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
       return tls_error(string_sprintf(

-       "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
+       "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL, errstr);

     }
   }
 
 #ifndef DISABLE_OCSP
 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
   {
     }
   }
 
 #ifndef DISABLE_OCSP
 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
   {

-  if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
+  if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))

     return DEFER;
 
   if (expanded && *expanded)
     return DEFER;
 
   if (expanded && *expanded)


@@ -1131,6 +1121,7 @@ const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
 int rc;
 int old_pool = store_pool;
 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
 int rc;
 int old_pool = store_pool;

+uschar * dummy_errstr;

 
 if (!servername)
   return SSL_TLSEXT_ERR_OK;
 
 if (!servername)
   return SSL_TLSEXT_ERR_OK;


@@ -1167,8 +1158,8 @@ SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
 
 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
 

-if (  !init_dh(server_sni, cbinfo->dhparam, NULL)
-   || !init_ecdh(server_sni, NULL)
+if (  !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
+   || !init_ecdh(server_sni, NULL, &dummy_errstr)

    )
   return SSL_TLSEXT_ERR_NOACK;
 
    )
   return SSL_TLSEXT_ERR_NOACK;
 


@@ -1183,12 +1174,12 @@ if (cbinfo->u_ocsp.server.file)
 #endif
 
 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
 #endif
 
 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,

-                     verify_callback_server)) != OK)
+                     verify_callback_server, &dummy_errstr)) != OK)

   return SSL_TLSEXT_ERR_NOACK;
 
 /* do this after setup_certs, because this can require the certs for verifying
 OCSP information. */
   return SSL_TLSEXT_ERR_NOACK;
 
 /* do this after setup_certs, because this can require the certs for verifying
 OCSP information. */

-if ((rc = tls_expand_session_files(server_sni, cbinfo)) != OK)
+if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)

   return SSL_TLSEXT_ERR_NOACK;
 
 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
   return SSL_TLSEXT_ERR_NOACK;
 
 DEBUG(D_tls) debug_printf("Switching SSL context.\n");


@@ -1414,6 +1405,7 @@ Arguments:
   ocsp_file       file of stapling info (server); flag for require ocsp (client)
   addr            address if client; NULL if server (for some randomness)
   cbp             place to put allocated callback context
   ocsp_file       file of stapling info (server); flag for require ocsp (client)
   addr            address if client; NULL if server (for some randomness)
   cbp             place to put allocated callback context

+  errstr         error string pointer

 
 Returns:          OK/DEFER/FAIL
 */
 
 Returns:          OK/DEFER/FAIL
 */


@@ -1424,7 +1416,7 @@ tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
 #ifndef DISABLE_OCSP
   uschar *ocsp_file,
 #endif
 #ifndef DISABLE_OCSP
   uschar *ocsp_file,
 #endif

-  address_item *addr, tls_ext_ctx_cb ** cbp)
+  address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)

 {
 long init_options;
 int rc;
 {
 long init_options;
 int rc;


@@ -1471,7 +1463,7 @@ existing knob. */
 
 *ctxp = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method());
 
 
 *ctxp = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method());
 

-if (!*ctxp) return tls_error(US"SSL_CTX_new", host, NULL);
+if (!*ctxp) return tls_error(US"SSL_CTX_new", host, NULL, errstr);

 
 /* It turns out that we need to seed the random number generator this early in
 order to get the full complement of ciphers to work. It took me roughly a day
 
 /* It turns out that we need to seed the random number generator this early in
 order to get the full complement of ciphers to work. It took me roughly a day


@@ -1493,7 +1485,7 @@ if (!RAND_status())
 
   if (!RAND_status())
     return tls_error(US"RAND_status", host,
 
   if (!RAND_status())
     return tls_error(US"RAND_status", host,

-      US"unable to seed random number generator");
+      US"unable to seed random number generator", errstr);

   }
 
 /* Set up the information callback, which outputs if debugging is at a suitable
   }
 
 /* Set up the information callback, which outputs if debugging is at a suitable


@@ -1515,14 +1507,14 @@ availability of the option value macros from OpenSSL.  */
 
 okay = tls_openssl_options_parse(openssl_options, &init_options);
 if (!okay)
 
 okay = tls_openssl_options_parse(openssl_options, &init_options);
 if (!okay)

-  return tls_error(US"openssl_options parsing failed", host, NULL);
+  return tls_error(US"openssl_options parsing failed", host, NULL, errstr);

 
 if (init_options)
   {
   DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
   if (!(SSL_CTX_set_options(*ctxp, init_options)))
     return tls_error(string_sprintf(
 
 if (init_options)
   {
   DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
   if (!(SSL_CTX_set_options(*ctxp, init_options)))
     return tls_error(string_sprintf(

-          "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
+          "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);

   }
 else
   DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
   }
 else
   DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");


@@ -1530,14 +1522,14 @@ else
 /* Initialize with DH parameters if supplied */
 /* Initialize ECDH temp key parameter selection */
 
 /* Initialize with DH parameters if supplied */
 /* Initialize ECDH temp key parameter selection */
 

-if (  !init_dh(*ctxp, dhparam, host)
-   || !init_ecdh(*ctxp, host)
+if (  !init_dh(*ctxp, dhparam, host, errstr)
+   || !init_ecdh(*ctxp, host, errstr)

    )
   return DEFER;
 
 /* Set up certificate and key (and perhaps OCSP info) */
 
    )
   return DEFER;
 
 /* Set up certificate and key (and perhaps OCSP info) */
 

-if ((rc = tls_expand_session_files(*ctxp, cbinfo)) != OK)
+if ((rc = tls_expand_session_files(*ctxp, cbinfo, errstr)) != OK)

   return rc;
 
 /* If we need to handle SNI or OCSP, do so */
   return rc;
 
 /* If we need to handle SNI or OCSP, do so */


@@ -1694,17 +1686,18 @@ Arguments:
   optional      TRUE if called from a server for a host in tls_try_verify_hosts;
                 otherwise passed as FALSE
   cert_vfy_cb  Callback function for certificate verification
   optional      TRUE if called from a server for a host in tls_try_verify_hosts;
                 otherwise passed as FALSE
   cert_vfy_cb  Callback function for certificate verification

+  errstr       error string pointer

 
 Returns:        OK/DEFER/FAIL
 */
 
 static int
 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
 
 Returns:        OK/DEFER/FAIL
 */
 
 static int
 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,

-    int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
+    int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)

 {
 uschar *expcerts, *expcrl;
 
 {
 uschar *expcerts, *expcrl;
 

-if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
+if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))

   return DEFER;
 
 if (expcerts && *expcerts)
   return DEFER;
 
 if (expcerts && *expcerts)


@@ -1713,7 +1706,7 @@ if (expcerts && *expcerts)
   CA bundle. Then add the ones specified in the config, if any. */
 
   if (!SSL_CTX_set_default_verify_paths(sctx))
   CA bundle. Then add the ones specified in the config, if any. */
 
   if (!SSL_CTX_set_default_verify_paths(sctx))

-    return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
+    return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);

 
   if (Ustrcmp(expcerts, "system") != 0)
     {
 
   if (Ustrcmp(expcerts, "system") != 0)
     {


@@ -1757,7 +1750,7 @@ if (expcerts && *expcerts)
 
       if (  (!file || statbuf.st_size > 0)
          && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
 
       if (  (!file || statbuf.st_size > 0)
          && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))

-       return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
+       return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);

 
       /* Load the list of CAs for which we will accept certs, for sending
       to the client.  This is only for the one-file tls_verify_certificates
 
       /* Load the list of CAs for which we will accept certs, for sending
       to the client.  This is only for the one-file tls_verify_certificates


@@ -1795,7 +1788,7 @@ if (expcerts && *expcerts)
   OpenSSL will then handle the verify against CA certs and CRLs by
   itself in the verify callback." */
 
   OpenSSL will then handle the verify against CA certs and CRLs by
   itself in the verify callback." */
 

-  if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
+  if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;

   if (expcrl && *expcrl)
     {
     struct stat statbufcrl;
   if (expcrl && *expcrl)
     {
     struct stat statbufcrl;


@@ -1823,7 +1816,7 @@ if (expcerts && *expcerts)
         DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
         }
       if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
         DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
         }
       if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)

-        return tls_error(US"X509_STORE_load_locations", host, NULL);
+        return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);

 
       /* setting the flags to check against the complete crl chain */
 
 
       /* setting the flags to check against the complete crl chain */
 


@@ -1856,6 +1849,7 @@ a TLS session.
 
 Arguments:
   require_ciphers   allowed ciphers
 
 Arguments:
   require_ciphers   allowed ciphers

+  errstr           pointer to error message

 
 Returns:            OK on success
                     DEFER for errors before the start of the negotiation
 
 Returns:            OK on success
                     DEFER for errors before the start of the negotiation


@@ -1864,11 +1858,11 @@ Returns:            OK on success
 */
 
 int
 */
 
 int

-tls_server_start(const uschar *require_ciphers)
+tls_server_start(const uschar * require_ciphers, uschar ** errstr)

 {
 int rc;
 {
 int rc;

-uschar *expciphers;
-tls_ext_ctx_cb *cbinfo;
+uschar * expciphers;
+tls_ext_ctx_cb * cbinfo;

 static uschar peerdn[256];
 static uschar cipherbuf[256];
 
 static uschar peerdn[256];
 static uschar cipherbuf[256];
 


@@ -1876,7 +1870,7 @@ static uschar cipherbuf[256];
 
 if (tls_in.active >= 0)
   {
 
 if (tls_in.active >= 0)
   {

-  tls_error(US"STARTTLS received after TLS started", NULL, US"");
+  tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);

   smtp_printf("554 Already in TLS\r\n");
   return FAIL;
   }
   smtp_printf("554 Already in TLS\r\n");
   return FAIL;
   }


@@ -1888,11 +1882,11 @@ rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
 #ifndef DISABLE_OCSP
     tls_ocsp_file,
 #endif
 #ifndef DISABLE_OCSP
     tls_ocsp_file,
 #endif

-    NULL, &server_static_cbinfo);
+    NULL, &server_static_cbinfo, errstr);

 if (rc != OK) return rc;
 cbinfo = server_static_cbinfo;
 
 if (rc != OK) return rc;
 cbinfo = server_static_cbinfo;
 

-if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
+if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))

   return FAIL;
 
 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
   return FAIL;
 
 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they


@@ -1906,7 +1900,7 @@ if (expciphers)
   while (*s != 0) { if (*s == '_') *s = '-'; s++; }
   DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
   if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
   while (*s != 0) { if (*s == '_') *s = '-'; s++; }
   DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
   if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))

-    return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
+    return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);

   cbinfo->server_cipher_list = expciphers;
   }
 
   cbinfo->server_cipher_list = expciphers;
   }
 


@@ -1922,21 +1916,22 @@ server_verify_callback_called = FALSE;
 if (verify_check_host(&tls_verify_hosts) == OK)
   {
   rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
 if (verify_check_host(&tls_verify_hosts) == OK)
   {
   rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,

-                       FALSE, verify_callback_server);
+                       FALSE, verify_callback_server, errstr);

   if (rc != OK) return rc;
   server_verify_optional = FALSE;
   }
 else if (verify_check_host(&tls_try_verify_hosts) == OK)
   {
   rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
   if (rc != OK) return rc;
   server_verify_optional = FALSE;
   }
 else if (verify_check_host(&tls_try_verify_hosts) == OK)
   {
   rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,

-                       TRUE, verify_callback_server);
+                       TRUE, verify_callback_server, errstr);

   if (rc != OK) return rc;
   server_verify_optional = TRUE;
   }
 
 /* Prepare for new connection */
 
   if (rc != OK) return rc;
   server_verify_optional = TRUE;
   }
 
 /* Prepare for new connection */
 

-if (!(server_ssl = SSL_new(server_ctx))) return tls_error(US"SSL_new", NULL, NULL);
+if (!(server_ssl = SSL_new(server_ctx)))
+  return tls_error(US"SSL_new", NULL, NULL, errstr);

 
 /* Warning: we used to SSL_clear(ssl) here, it was removed.
  *
 
 /* Warning: we used to SSL_clear(ssl) here, it was removed.
  *


@@ -1980,10 +1975,7 @@ alarm(0);
 
 if (rc <= 0)
   {
 
 if (rc <= 0)
   {

-  tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
-  if (ERR_get_error() == 0)
-    log_write(0, LOG_MAIN,
-        "TLS client disconnected cleanly (rejected our certificate?)");
+  (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);

   return FAIL;
   }
 
   return FAIL;
   }
 


@@ -2035,8 +2027,8 @@ return OK;
 
 static int
 tls_client_basic_ctx_init(SSL_CTX * ctx,
 
 static int
 tls_client_basic_ctx_init(SSL_CTX * ctx,

-    host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
-                         )
+    host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
+    uschar ** errstr)

 {
 int rc;
 /* stick to the old behaviour for compatibility if tls_verify_certificates is
 {
 int rc;
 /* stick to the old behaviour for compatibility if tls_verify_certificates is


@@ -2055,7 +2047,8 @@ else
   return OK;
 
 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
   return OK;
 
 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,

-      ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
+      ob->tls_crl, host, client_verify_optional, verify_callback_client,
+      errstr)) != OK)

   return rc;
 
 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
   return rc;
 
 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)


@@ -2075,7 +2068,7 @@ return OK;
 
 #ifdef EXPERIMENTAL_DANE
 static int
 
 #ifdef EXPERIMENTAL_DANE
 static int

-dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
+dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)

 {
 dns_record * rr;
 dns_scan dnss;
 {
 dns_record * rr;
 dns_scan dnss;


@@ -2083,7 +2076,7 @@ const char * hostnames[2] = { CS host->name, NULL };
 int found = 0;
 
 if (DANESSL_init(ssl, NULL, hostnames) != 1)
 int found = 0;
 
 if (DANESSL_init(ssl, NULL, hostnames) != 1)

-  return tls_error(US"hostnames load", host, NULL);
+  return tls_error(US"hostnames load", host, NULL, errstr);

 
 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
      rr;
 
 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
      rr;


@@ -2114,7 +2107,7 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
   switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
     {
     default:
   switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
     {
     default:

-      return tls_error(US"tlsa load", host, NULL);
+      return tls_error(US"tlsa load", host, NULL, errstr);

     case 0:    /* action not taken */
     case 1:    break;
     }
     case 0:    /* action not taken */
     case 1:    break;
     }


@@ -2144,6 +2137,7 @@ Argument:
   addr             the first address
   tb               transport (always smtp)
   tlsa_dnsa        tlsa lookup, if DANE, else null
   addr             the first address
   tb               transport (always smtp)
   tlsa_dnsa        tlsa lookup, if DANE, else null

+  errstr          error string pointer

 
 Returns:           OK on success
                    FAIL otherwise - note that tls_error() will not give DEFER
 
 Returns:           OK on success
                    FAIL otherwise - note that tls_error() will not give DEFER


@@ -2152,11 +2146,11 @@ Returns:           OK on success
 
 int
 tls_client_start(int fd, host_item *host, address_item *addr,
 
 int
 tls_client_start(int fd, host_item *host, address_item *addr,

-  transport_instance *tb
+  transport_instance * tb,

 #ifdef EXPERIMENTAL_DANE
 #ifdef EXPERIMENTAL_DANE

-  , dns_answer * tlsa_dnsa
+  dns_answer * tlsa_dnsa,

 #endif
 #endif

-  )
+  uschar ** errstr)

 {
 smtp_transport_options_block * ob =
   (smtp_transport_options_block *)tb->options_block;
 {
 smtp_transport_options_block * ob =
   (smtp_transport_options_block *)tb->options_block;


@@ -2207,27 +2201,27 @@ rc = tls_init(&client_ctx, host, NULL,
 #ifndef DISABLE_OCSP
     (void *)(long)request_ocsp,
 #endif
 #ifndef DISABLE_OCSP
     (void *)(long)request_ocsp,
 #endif

-    addr, &client_static_cbinfo);
+    addr, &client_static_cbinfo, errstr);

 if (rc != OK) return rc;
 
 tls_out.certificate_verified = FALSE;
 client_verify_callback_called = FALSE;
 
 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
 if (rc != OK) return rc;
 
 tls_out.certificate_verified = FALSE;
 client_verify_callback_called = FALSE;
 
 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",

-    &expciphers))
+    &expciphers, errstr))

   return FAIL;
 
 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
 are separated by underscores. So that I can use either form in my tests, and
 also for general convenience, we turn underscores into hyphens here. */
 
   return FAIL;
 
 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
 are separated by underscores. So that I can use either form in my tests, and
 also for general convenience, we turn underscores into hyphens here. */
 

-if (expciphers != NULL)
+if (expciphers)

   {
   uschar *s = expciphers;
   {
   uschar *s = expciphers;

-  while (*s != 0) { if (*s == '_') *s = '-'; s++; }
+  while (*s) { if (*s == '_') *s = '-'; s++; }

   DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
   if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
   DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
   if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))

-    return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
+    return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);

   }
 
 #ifdef EXPERIMENTAL_DANE
   }
 
 #ifdef EXPERIMENTAL_DANE


@@ -2238,29 +2232,29 @@ if (tlsa_dnsa)
     verify_callback_client_dane);
 
   if (!DANESSL_library_init())
     verify_callback_client_dane);
 
   if (!DANESSL_library_init())

-    return tls_error(US"library init", host, NULL);
+    return tls_error(US"library init", host, NULL, errstr);

   if (DANESSL_CTX_init(client_ctx) <= 0)
   if (DANESSL_CTX_init(client_ctx) <= 0)

-    return tls_error(US"context init", host, NULL);
+    return tls_error(US"context init", host, NULL, errstr);

   }
 else
 
 #endif
 
   }
 else
 
 #endif
 

-  if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
-      != OK)
+  if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob,
+      client_static_cbinfo, errstr)) != OK)

     return rc;
 
 if ((client_ssl = SSL_new(client_ctx)) == NULL)
     return rc;
 
 if ((client_ssl = SSL_new(client_ctx)) == NULL)

-  return tls_error(US"SSL_new", host, NULL);
+  return tls_error(US"SSL_new", host, NULL, errstr);

 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
 SSL_set_fd(client_ssl, fd);
 SSL_set_connect_state(client_ssl);
 
 if (ob->tls_sni)
   {
 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
 SSL_set_fd(client_ssl, fd);
 SSL_set_connect_state(client_ssl);
 
 if (ob->tls_sni)
   {

-  if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
+  if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr))

     return FAIL;
     return FAIL;

-  if (tls_out.sni == NULL)
+  if (!tls_out.sni)

     {
     DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
     }
     {
     DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
     }


@@ -2280,7 +2274,7 @@ if (ob->tls_sni)
 
 #ifdef EXPERIMENTAL_DANE
 if (tlsa_dnsa)
 
 #ifdef EXPERIMENTAL_DANE
 if (tlsa_dnsa)

-  if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa)) != OK)
+  if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)

     return rc;
 #endif
 
     return rc;
 #endif
 


@@ -2330,7 +2324,8 @@ if (tlsa_dnsa)
 #endif
 
 if (rc <= 0)
 #endif
 
 if (rc <= 0)

-  return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
+  return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL,
+    errstr);

 
 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
 
 
 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
 


@@ -2625,7 +2620,8 @@ EVP_add_digest(EVP_sha256());
 if (!(tls_require_ciphers && *tls_require_ciphers))
   return NULL;
 
 if (!(tls_require_ciphers && *tls_require_ciphers))
   return NULL;
 

-if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
+if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
+                 &err))

   return US"failed to expand tls_require_ciphers";
 
 if (!(expciphers && *expciphers))
   return US"failed to expand tls_require_ciphers";
 
 if (!(expciphers && *expciphers))


@@ -2650,7 +2646,8 @@ DEBUG(D_tls)
 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
   {
   ERR_error_string(ERR_get_error(), ssl_errstring);
 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
   {
   ERR_error_string(ERR_get_error(), ssl_errstring);

-  err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
+  err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
+                     expciphers, ssl_errstring);

   }
 
 SSL_CTX_free(ctx);
   }
 
 SSL_CTX_free(ctx);

diff --git a/src/src/tls.c b/src/src/tls.c
index f34cf632182c52f6ebb335db36600d55015bc261..a5cb35bd9bba039f03478edf4fb1b2634dc192a5 100644 (file)
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -64,17 +64,18 @@ Returns:    TRUE if OK; result may still be NULL after forced failure
 */
 
 static BOOL
 */
 
 static BOOL

-expand_check(const uschar *s, const uschar *name, uschar **result)
+expand_check(const uschar *s, const uschar *name, uschar **result, uschar ** errstr)

 {
 {

-if (s == NULL) *result = NULL; else
+if (!s)
+  *result = NULL;
+else if (  !(*result = expand_string(US s)) /* need to clean up const more */
+       && !expand_string_forcedfail
+       )

   {
   {

-  *result = expand_string(US s); /* need to clean up const some more */
-  if (*result == NULL && !expand_string_forcedfail)
-    {
-    log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name,
-      expand_string_message);
-    return FALSE;
-    }
+  *errstr = US"Internal error";
+  log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name,
+    expand_string_message);
+  return FALSE;

   }
 return TRUE;
 }
   }
 return TRUE;
 }

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index c1f5ad45ab67f88b85a11797b1a0d67156bbbbcf..a4c03664238796ee5ef37a22fee7e652e280ac68 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1863,11 +1863,12 @@ if (  smtp_peer_options & PEER_OFFERED_TLS
   TLS_NEGOTIATE:
     {
     address_item * addr;
   TLS_NEGOTIATE:
     {
     address_item * addr;

-    int rc = tls_client_start(sx->inblock.sock, sx->host, sx->addrlist, sx->tblock
+    uschar * errstr;
+    int rc = tls_client_start(sx->inblock.sock, sx->host, sx->addrlist, sx->tblock,

 # ifdef EXPERIMENTAL_DANE
 # ifdef EXPERIMENTAL_DANE

-                            , sx->dane ? &tlsa_dnsa : NULL
+                            sx->dane ? &tlsa_dnsa : NULL,

 # endif
 # endif

-                            );
+                            &errstr);

 
     /* TLS negotiation failed; give an error. From outside, this function may
     be called again to try in clear on a new connection, if the options permit
 
     /* TLS negotiation failed; give an error. From outside, this function may
     be called again to try in clear on a new connection, if the options permit


@@ -1877,12 +1878,12 @@ if (  smtp_peer_options & PEER_OFFERED_TLS
       {
 # ifdef EXPERIMENTAL_DANE
       if (sx->dane) log_write(0, LOG_MAIN,
       {
 # ifdef EXPERIMENTAL_DANE
       if (sx->dane) log_write(0, LOG_MAIN,

-         "DANE attempt failed; no TLS connection to %s [%s]",
-         sx->host->name, sx->host->address);
+         "DANE attempt failed; TLS connection to %s [%s]: %s",
+         sx->host->name, sx->host->address, errstr);

 # endif
 
       errno = ERRNO_TLSFAILURE;
 # endif
 
       errno = ERRNO_TLSFAILURE;

-      message = US"failure while setting up TLS session";
+      message = string_sprintf("TLS session: %s", errstr);

       sx->send_quit = FALSE;
       goto TLS_FAILED;
       }
       sx->send_quit = FALSE;
       goto TLS_FAILED;
       }


@@ -4053,8 +4054,9 @@ for (cutoff_retry = 0;
         && verify_check_given_host(&ob->hosts_require_tls, host) != OK
         )
         {
         && verify_check_given_host(&ob->hosts_require_tls, host) != OK
         )
         {

-        log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
-          "to %s [%s] (not in hosts_require_tls)", host->name, host->address);
+        log_write(0, LOG_MAIN,
+         "%s: delivering unencrypted to H=%s [%s] (not in hosts_require_tls)",
+         first_addr->message, host->name, host->address);

         first_addr = prepare_addresses(addrlist, host);
         rc = smtp_deliver(addrlist, thost, host_af, port, interface, tblock,
           &message_defer, TRUE);
         first_addr = prepare_addresses(addrlist, host);
         rc = smtp_deliver(addrlist, thost, host_af, port, interface, tblock,
           &message_defer, TRUE);

diff --git a/src/src/verify.c b/src/src/verify.c
index 9c4776b31d7f5bae87b03f865eb4c647415e2472..a152a8f2414a3aa5b9e2e6677158625283ec618e 100644 (file)
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -690,9 +690,9 @@ tls_retry_connection:
        && verify_check_given_host(&ob->hosts_require_tls, host) != OK
        )
       {
        && verify_check_given_host(&ob->hosts_require_tls, host) != OK
        )
       {

-      log_write(0, LOG_MAIN, "TLS session failure:"
-       " callout unencrypted to %s [%s] (not in hosts_require_tls)",
-       host->name, host->address);
+      log_write(0, LOG_MAIN,
+       "%s: callout unencrypted to %s [%s] (not in hosts_require_tls)",
+       addr->message, host->name, host->address);

       addr->transport_return = PENDING_DEFER;
       yield = smtp_setup_conn(&sx, TRUE);
       }
       addr->transport_return = PENDING_DEFER;
       yield = smtp_setup_conn(&sx, TRUE);
       }


@@ -730,8 +730,7 @@ tls_retry_connection:
     sx.send_rset = TRUE;
     sx.completed_addr = FALSE;
 
     sx.send_rset = TRUE;
     sx.completed_addr = FALSE;
 

-    new_domain_record.result =
-      old_domain_cache_result == ccache_reject_mfnull
+    new_domain_record.result = old_domain_cache_result == ccache_reject_mfnull

       ? ccache_reject_mfnull : ccache_accept;
 
     /* Do the random local part check first. Temporarily replace the recipient
       ? ccache_reject_mfnull : ccache_accept;
 
     /* Do the random local part check first. Temporarily replace the recipient

diff --git a/test/log/2000 b/test/log/2000
index 68c88a33037b9c87ae8115a7fbc5c65f4522b4bc..04c72f5ebca246cc47133062e790e7f1cc901a3b 100644 (file)
--- a/test/log/2000
+++ b/test/log/2000
@@ -1,7 +1,6 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (certificate verification failed): certificate invalid
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=127.0.0.1 [127.0.0.1] (not in hosts_require_tls)

 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf

diff --git a/test/log/2001 b/test/log/2001
index 13cf3702a6c4fb161b006aa133b8eb30331f62a6..e5615e2232b90432e36b22d9a3cc011076c62594 100644 (file)
--- a/test/log/2001
+++ b/test/log/2001
@@ -1,11 +1,9 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (certificate verification failed): certificate invalid
-1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate verification failed): certificate invalid

 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (certificate verification failed): certificate invalid
-1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate verification failed): certificate invalid

 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********

diff --git a/test/log/2012 b/test/log/2012
index efb293303489b130c5246775828011a21f280ddb..4d6699ab0fab1568faa6141d3f3f7991088c441f 100644 (file)
--- a/test/log/2012
+++ b/test/log/2012
@@ -5,18 +5,15 @@
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid
-1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): certificate invalid

 1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded
 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded
 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed

-1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid

 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed

-1999-03-02 09:44:33 10HmbA-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid
-1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)

 1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
 1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net

diff --git a/test/log/2016 b/test/log/2016
index d784bfceadc21d3118ea6d811f28986908a4e109..039002bb05ec4fcdc57c998bf4b508e096768e3d 100644 (file)
--- a/test/log/2016
+++ b/test/log/2016
@@ -1,3 +1,2 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex U=CALLER P=local S=sss

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (gnutls_handshake): timed out
-1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@domain1 R=others T=smtp defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@domain1 R=others T=smtp defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (gnutls_handshake): timed out

diff --git a/test/log/2027 b/test/log/2027
index 18b020a626b878ea341a79580f347633cf9c9616..1c5a6a1471294491e3689ef3c1f3e6b3db74f4b0 100644 (file)
--- a/test/log/2027
+++ b/test/log/2027
@@ -3,8 +3,7 @@
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed

-1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (gnutls_handshake): A TLS fatal alert has been received.
-1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session: (gnutls_handshake): A TLS fatal alert has been received.: delivering unencrypted to H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)

 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf


@@ -12,8 +11,8 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex

-1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.

 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex

+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.

 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed

diff --git a/test/log/2033 b/test/log/2033
index 44cec64b1cb588b11a33252345897607da688453..d6686d572dcf0349fa9f914f85ac2f68122716b1 100644 (file)
--- a/test/log/2033
+++ b/test/log/2033
@@ -2,8 +2,7 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed)
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (certificate verification failed): delivering unencrypted to H=the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)

 1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"

diff --git a/test/log/2051 b/test/log/2051
index baa775c0d7729143c2caf71df5d62e83f2669da4..e59a2819b8af02ec073e70de75d0ac1b34ce865c 100644 (file)
--- a/test/log/2051
+++ b/test/log/2051
@@ -1,3 +1,2 @@
-1999-03-02 09:44:33 H=127.0.0.1 [127.0.0.1] TLS error on connection (gnutls_handshake): timed out
-1999-03-02 09:44:33 TLS session failure: callout unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
+1999-03-02 09:44:33 TLS session: (gnutls_handshake): timed out: callout unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)

 1999-03-02 09:44:33 10HmaX-0005vi-00 <= s1@test.ex U=CALLER P=local-esmtp S=sss
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= s1@test.ex U=CALLER P=local-esmtp S=sss

diff --git a/test/log/2052 b/test/log/2052
index 68c88a33037b9c87ae8115a7fbc5c65f4522b4bc..04c72f5ebca246cc47133062e790e7f1cc901a3b 100644 (file)
--- a/test/log/2052
+++ b/test/log/2052
@@ -1,7 +1,6 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (certificate verification failed): certificate invalid
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=127.0.0.1 [127.0.0.1] (not in hosts_require_tls)

 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf

diff --git a/test/log/2101 b/test/log/2101
index c3d184a4806f3f638d1d104253ad5e2667742917..84d665197afc83b3da99fdc909a631f515440869 100644 (file)
--- a/test/log/2101
+++ b/test/log/2101
@@ -1,18 +1,14 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

diff --git a/test/log/2102 b/test/log/2102
index d9a1b0588717287c8a92374e769d9cfe17e3bf3d..3d6de84d0f09eaff462235b41dfd5b5c40ec17ca 100644 (file)
--- a/test/log/2102
+++ b/test/log/2102
@@ -16,7 +16,6 @@
 1999-03-02 09:44:33 Peer did not present a cert
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 CV=no S=sss
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 Peer did not present a cert
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 CV=no S=sss
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
 1999-03-02 09:44:33 Peer cert:
 1999-03-02 09:44:33 ver 2
 1999-03-02 09:44:33 Our cert SN: <CN=server1.example.com>
 1999-03-02 09:44:33 Peer cert:
 1999-03-02 09:44:33 ver 2

diff --git a/test/log/2111 b/test/log/2111
index e16581c56fcd74e878ae919f3f25863ef98bf748..c378f8035ca64d5a9d952c7ee1d0de516ba483e8 100644 (file)
--- a/test/log/2111
+++ b/test/log/2111
@@ -1,6 +1,5 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="127.0.0.1"
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="127.0.0.1"
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"


@@ -10,5 +9,4 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex

diff --git a/test/log/2112 b/test/log/2112
index f46b5ca923a261b1d8985cd81a3273edbdef6466..2e8211991117f65e281b76ea973bdda85ead90df 100644 (file)
--- a/test/log/2112
+++ b/test/log/2112
@@ -12,13 +12,11 @@
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for users@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for users@test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded
 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
 1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded
 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com

-1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com


@@ -26,8 +24,7 @@
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbA-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbA-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com

-1999-03-02 09:44:33 10HmbA-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
 1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net


@@ -41,13 +38,10 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery@test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz@test.ex
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery@test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz@test.ex
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex for userq@test.ex
 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex for userr@test.ex
 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex for users@test.ex
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex for userq@test.ex
 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex for userr@test.ex
 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex for users@test.ex

diff --git a/test/log/2114 b/test/log/2114
index 3d42197743177e6e812af98924241d5bd6a7a6cc..b1afe484f2c2c26603e8ae6f132c0a45f4af7e44 100644 (file)
--- a/test/log/2114
+++ b/test/log/2114
@@ -2,17 +2,14 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=
 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=certificate revoked cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=certificate revoked cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 [127.0.0.1] SSL verify error: depth=0 error=CRL signature failure cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 [127.0.0.1] SSL verify error: depth=0 error=CRL signature failure cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock

diff --git a/test/log/2115 b/test/log/2115
index bb8794be6b8bdc044401c0188c22fa4e8da37732..ffcb0893b3d185e9ec4e0927586cf33e6687faa1 100644 (file)
--- a/test/log/2115
+++ b/test/log/2115
@@ -3,5 +3,4 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SMTP connection from [127.0.0.1] (TCP/IP connection count = 1)
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [127.0.0.1] (SSL_accept): timed out
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SMTP connection from [127.0.0.1] (TCP/IP connection count = 1)
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [127.0.0.1] (SSL_accept): timed out

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 SMTP command timeout on connection from (rhu.barb) [127.0.0.1]
 1999-03-02 09:44:33 SMTP command timeout on connection from (rhu.barb) [127.0.0.1]

diff --git a/test/log/2116 b/test/log/2116
index b7968201cdbbe0aac96bc3f5df1fe7da7952b17f..32596c2060e71bac2f137fa1d99113a446656d09 100644 (file)
--- a/test/log/2116
+++ b/test/log/2116
@@ -1,3 +1,2 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex U=CALLER P=local S=sss

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): timed out
-1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@domain1 R=others T=smtp defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@domain1 R=others T=smtp defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): timed out

diff --git a/test/log/2124 b/test/log/2124
index ba22aac7fee6f3c68b994024b971878835aa302a..cafa67b4d25a0874680b6f6d7ae4c2e7ac3331a6 100644 (file)
--- a/test/log/2124
+++ b/test/log/2124
@@ -3,6 +3,5 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_CTX_use_certificate_chain_file file=/non/exist): error:02001002:system library:fopen:No such file or directory
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_CTX_use_certificate_chain_file file=/non/exist): error:02001002:system library:fopen:No such file or directory

diff --git a/test/log/2125 b/test/log/2125
index 2045a10dca556b79dde65746ba8f7daaf876e263..ca583c89df52cada491aae5127af2de03845382f 100644 (file)
--- a/test/log/2125
+++ b/test/log/2125
@@ -1,6 +1,5 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES128-SHA:128 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES128-SHA:128 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf


@@ -8,5 +7,4 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES128-SHA:128 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES128-SHA:128 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex

diff --git a/test/log/2127 b/test/log/2127
index 37a45168f671d8ef024ce58e9d665d21f20a3d4a..7bc71bbdef469d43b9d2b2e79ad92a2b55611abd 100644 (file)
--- a/test/log/2127
+++ b/test/log/2127
@@ -3,8 +3,7 @@
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed

-1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf


@@ -13,7 +12,6 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery

diff --git a/test/log/2132 b/test/log/2132
index d968a907ae8a668506fe9c984fa9636e73a60621..0ef458308e2deb8387f611320ffa7b56dbb5fc2f 100644 (file)
--- a/test/log/2132
+++ b/test/log/2132
@@ -16,7 +16,6 @@
 1999-03-02 09:44:33 Peer did not present a cert
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 CV=no S=sss
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 Peer did not present a cert
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 CV=no S=sss
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
 1999-03-02 09:44:33 SN  <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" S=sss
 1999-03-02 09:44:33 Our cert SN: <CN=server2.example.com>
 1999-03-02 09:44:33 SN  <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" S=sss

diff --git a/test/log/2133 b/test/log/2133
index 03fc16ce9ebb8f6edfcf5e91765213ba1e31c733..d0f0a306f7b3e978fd04bdec0680e31857700241 100644 (file)
--- a/test/log/2133
+++ b/test/log/2133
@@ -4,13 +4,11 @@
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="the.local.host.name"
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="the.local.host.name"

-1999-03-02 09:44:33 10HmaY-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"


@@ -23,10 +21,8 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbA-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbA-0005vi-00@myhost.test.ex

diff --git a/test/log/2151 b/test/log/2151
index c2cc1136338b7f7d2ef5e6163f4bfa0d8b23a233..a649f43e02fb8d5caefb75a5450c6606f06144de 100644 (file)
--- a/test/log/2151
+++ b/test/log/2151
@@ -1,3 +1,2 @@
-1999-03-02 09:44:33 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): timed out
-1999-03-02 09:44:33 TLS session failure: callout unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
+1999-03-02 09:44:33 TLS session: (SSL_connect): timed out: callout unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)

 1999-03-02 09:44:33 10HmaX-0005vi-00 <= s1@test.ex U=CALLER P=local-esmtp S=sss
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= s1@test.ex U=CALLER P=local-esmtp S=sss

diff --git a/test/log/5601 b/test/log/5601
index f2a03375b47894ebd1c69f287eb6c344eb697e7b..2ddf7e2cdfb89443bc43f28db27c81486c12b6c9 100644 (file)
--- a/test/log/5601
+++ b/test/log/5601
@@ -9,16 +9,13 @@
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content

-1999-03-02 09:44:33 10HmbD-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded

-1999-03-02 09:44:33 10HmbE-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbF-0005vi-00 Server OSCP dates invalid
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbF-0005vi-00 Server OSCP dates invalid

-1999-03-02 09:44:33 10HmbF-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>

 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225


@@ -37,10 +34,7 @@
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

diff --git a/test/log/5611 b/test/log/5611
index f2a03375b47894ebd1c69f287eb6c344eb697e7b..2ddf7e2cdfb89443bc43f28db27c81486c12b6c9 100644 (file)
--- a/test/log/5611
+++ b/test/log/5611
@@ -9,16 +9,13 @@
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content

-1999-03-02 09:44:33 10HmbD-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded

-1999-03-02 09:44:33 10HmbE-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbF-0005vi-00 Server OSCP dates invalid
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbF-0005vi-00 Server OSCP dates invalid

-1999-03-02 09:44:33 10HmbF-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>

 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225


@@ -37,10 +34,7 @@
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

diff --git a/test/log/5651 b/test/log/5651
index f1a1b9cf255e13834e2ba45410e6367bfc288dc1..74d5a3343964b158c15bf9f5bf8ef787080bb3d0 100644 (file)
--- a/test/log/5651
+++ b/test/log/5651
@@ -8,14 +8,11 @@
 1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss

-1999-03-02 09:44:33 10HmbD-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (certificate status check failed)
-1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate status check failed)

 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss

-1999-03-02 09:44:33 10HmbE-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (certificate verification failed): certificate revoked
-1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate verification failed): certificate revoked

 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss

-1999-03-02 09:44:33 10HmbF-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (certificate status check failed)
-1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate status check failed)

 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225

diff --git a/test/log/5710 b/test/log/5710
index 24c40d60777d81c10442ad67a9fa3917dbdc85b2..af98f686f9f3203dc2cc68b34443ac9462796e22 100644 (file)
--- a/test/log/5710
+++ b/test/log/5710
@@ -2,7 +2,6 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 tls:cert depth=0 <CN=server1.example.com>
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 tls:cert depth=0 <CN=server1.example.com>

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (certificate verification failed): certificate invalid

 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:host:defer bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
 1999-03-02 09:44:33 10HmaX-0005vi-00 Peer cert:
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:host:defer bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
 1999-03-02 09:44:33 10HmaX-0005vi-00 Peer cert:


@@ -17,7 +16,7 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 SG  <67 ef 2d 43 8e 43 50 f5 3f 41 ee 42 cf f4 b4 31 3d d8 88 b5 f7 24 1f 26 83 32 6a 6c ff 8a 36 b7 be cb 28 48 68 9c a9 3c 6e 2f 2d a5 f4 fc d2 09 9b 1d 04 00 26 7d a5 f9 39 13 06 dd 9d 69 78 f8 7b f5 3c 82 9d 8f b9 4f 1a b6 f0 0b 7f 20 82 6e 80 4e 38 09 d1 43 23 22 dd 37 5d 80 6d 5a aa 23 33 e4 79 c9 0d 8d cc b8 ed 5f 6b 01 56 2c 49 89 9b ca 5e d5 b3 b0 93 7e d5 5e f0 98 7d 5f 07 4b>
 1999-03-02 09:44:33 10HmaX-0005vi-00 SAN <DNS=alternatename2.server1.example.com\nDNS=alternatename.server1.example.com\nDNS=*.test.ex\nDNS=server1.example.com>
 1999-03-02 09:44:33 10HmaX-0005vi-00 CRU <http://crl.example.com/latest.crl>
 1999-03-02 09:44:33 10HmaX-0005vi-00 SG  <67 ef 2d 43 8e 43 50 f5 3f 41 ee 42 cf f4 b4 31 3d d8 88 b5 f7 24 1f 26 83 32 6a 6c ff 8a 36 b7 be cb 28 48 68 9c a9 3c 6e 2f 2d a5 f4 fc d2 09 9b 1d 04 00 26 7d a5 f9 39 13 06 dd 9d 69 78 f8 7b f5 3c 82 9d 8f b9 4f 1a b6 f0 0b 7f 20 82 6e 80 4e 38 09 d1 43 23 22 dd 37 5d 80 6d 5a aa 23 33 e4 79 c9 0d 8d cc b8 ed 5f 6b 01 56 2c 49 89 9b ca 5e d5 b3 b0 93 7e d5 5e f0 98 7d 5f 07 4b>
 1999-03-02 09:44:33 10HmaX-0005vi-00 SAN <DNS=alternatename2.server1.example.com\nDNS=alternatename.server1.example.com\nDNS=*.test.ex\nDNS=server1.example.com>
 1999-03-02 09:44:33 10HmaX-0005vi-00 CRU <http://crl.example.com/latest.crl>

-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=127.0.0.1 [127.0.0.1] (not in hosts_require_tls)

 1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
 1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented

diff --git a/test/log/5720 b/test/log/5720
index 8fff2368a0721e8fdb8b0779bc72f611ebcb8ea9..55602874e3b0ddc91e1a26feb3539143fe6d820a 100644 (file)
--- a/test/log/5720
+++ b/test/log/5720
@@ -2,7 +2,6 @@
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.com/CN=clica CA
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.com/CN=clica CA

-1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:host:defer bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
 1999-03-02 09:44:33 10HmaX-0005vi-00 Peer cert:
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:host:defer bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
 1999-03-02 09:44:33 10HmaX-0005vi-00 Peer cert:


@@ -18,7 +17,7 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 (no SAN)
 1999-03-02 09:44:33 10HmaX-0005vi-00 (no OCU)
 1999-03-02 09:44:33 10HmaX-0005vi-00 (no CRU)
 1999-03-02 09:44:33 10HmaX-0005vi-00 (no SAN)
 1999-03-02 09:44:33 10HmaX-0005vi-00 (no OCU)
 1999-03-02 09:44:33 10HmaX-0005vi-00 (no CRU)

-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented
 1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery bad
 1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLIENT CERT presented


@@ -49,7 +48,6 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 [127.0.0.1] depth=2 CN=clica CA,O=example.com
 1999-03-02 09:44:33 [127.0.0.1] depth=1 CN=clica Signing Cert,O=example.com
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 [127.0.0.1] depth=2 CN=clica CA,O=example.com
 1999-03-02 09:44:33 [127.0.0.1] depth=1 CN=clica Signing Cert,O=example.com

diff --git a/test/log/5730 b/test/log/5730
index 0b0735448dbfe873a9cf8ba8fd9c37b22fcc7440..f73bd20ebf54f67facd8d17531673b42dae11393 100644 (file)
--- a/test/log/5730
+++ b/test/log/5730
@@ -15,17 +15,14 @@
 1999-03-02 09:44:33 10HmbD-0005vi-00 client ocsp status: 4 (verified)
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbD-0005vi-00 client ocsp status: 4 (verified)
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss

-1999-03-02 09:44:33 10HmbF-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (certificate status check failed)

 1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 3 (failed)
 1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 3 (failed)

-1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate status check failed)

 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss

-1999-03-02 09:44:33 10HmbG-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (certificate verification failed): certificate revoked

 1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 1 (notresp)
 1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 1 (notresp)

-1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate verification failed): certificate revoked

 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss

-1999-03-02 09:44:33 10HmbH-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (certificate status check failed)

 1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed)
 1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed)

-1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (certificate status check failed)

 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225

diff --git a/test/log/5740 b/test/log/5740
index 5aee9f12842e60de4bb403404ca92660ca60e337..3fc357b76db34dadfdeba9fede35c68d95974653 100644 (file)
--- a/test/log/5740
+++ b/test/log/5740
@@ -16,19 +16,16 @@
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbF-0005vi-00 Received TLS status callback, null content
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbF-0005vi-00 Received TLS status callback, null content

-1999-03-02 09:44:33 10HmbF-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 1 (notresp)
 1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 1 (notresp)

-1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbG-0005vi-00 Server certificate revoked; reason: superseded
 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbG-0005vi-00 Server certificate revoked; reason: superseded

-1999-03-02 09:44:33 10HmbG-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 3 (failed)
 1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 3 (failed)

-1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbH-0005vi-00 Server OSCP dates invalid
 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbH-0005vi-00 Server OSCP dates invalid

-1999-03-02 09:44:33 10HmbH-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>

 1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed)
 1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed)

-1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>

 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225


@@ -51,10 +48,7 @@
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>

-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)

diff --git a/test/runtest b/test/runtest
index 59f61c6a6fb5b0bf5bdc6bc91caae25b3503d2fe..15631dfeb4273d789ec460b40ede416fa967d871 100755 (executable)
--- a/test/runtest
+++ b/test/runtest
@@ -800,7 +800,10 @@ RESET_AFTER_EXTRA_LINE_READ:
   # numbers, or handle specific bad conditions in different ways, leading to
   # different wording in the error messages, so we cannot compare them.
 
   # numbers, or handle specific bad conditions in different ways, leading to
   # different wording in the error messages, so we cannot compare them.
 

-  s/(TLS error on connection (?:from .* )?\(SSL_\w+\): error:)(.*)/$1 <<detail omitted>>/;
+#XXX This loses any trailing "deliving unencypted to" which is unfortunate
+#    but I can't work out how to deal with that.
+  s/(TLS session: \(SSL_\w+\): error:)(.*)(?!: delivering)/$1 <<detail omitted>>/;
+  s/(TLS error on connection from .* \(SSL_\w+\): error:)(.*)/$1 <<detail omitted>>/;

   next if /SSL verify error: depth=0 error=certificate not trusted/;
 
   # ======== Maildir things ========
   next if /SSL verify error: depth=0 error=certificate not trusted/;
 
   # ======== Maildir things ========