From: Jeremy Harris Date: Wed, 4 May 2016 13:48:41 +0000 (+0100) Subject: TLS: when tls_certificates unset, generate a selfsigned cert X-Git-Tag: exim-4_88_RC1~109 X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=commitdiff_plain;h=23bb69826c8d600ce4a268ad27e14b0390e540c8 TLS: when tls_certificates unset, generate a selfsigned cert --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index ddb0001a5..ba32403d6 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16843,8 +16843,8 @@ of the STARTTLS command to set up an encrypted session is advertised in response to EHLO only to those client hosts that match this option. See chapter &<>& for details of Exim's support for TLS. Note that the default value requires that a certificate be supplied -using the &%tls_certificate%& option. If no certificate is available then -the &%tls_advertise_hosts%& option should be set empty. +using the &%tls_certificate%& option. If TLS support for incoming connections +is not required the &%tls_advertise_hosts%& option should be set empty. .option tls_certificate main string&!! unset @@ -16865,6 +16865,11 @@ if the OpenSSL build supports TLS extensions and the TLS client sends the Server Name Indication extension, then this option and others documented in &<>& will be re-expanded. +.new +If this option is unset or empty a fresh self-signed certificate will be +generated for every connection. +.wen + .option tls_crl main string&!! unset .cindex "TLS" "server certificate revocation list" .cindex "certificate" "revocation list for server" 
@@ -26958,10 +26963,17 @@ with the error If a STARTTLS command is issued within an existing TLS session, it is rejected with a 554 error code. -To enable TLS operations on a server, you must set &%tls_advertise_hosts%& to -match some hosts. You can, of course, set it to * to match all hosts. -However, this is not all you need to do. TLS sessions to a server won't work -without some further configuration at the server end. +To enable TLS operations on a server, the &%tls_advertise_hosts%& option +must be set to match some hosts. The default is * which matches all hosts. + +.new +If this is all you do, TLS encryption will be enabled but not authentication - +meaning that the peer has no assurance it is actually you he is talking to. +You gain protection from a passive sniffer listening on the wire but not +from someone able to intercept the communication. +.wen + +Further protection requires some further configuration at the server end. It is rumoured that all existing clients that support TLS/SSL use RSA encryption. To make this work you need to set, in the server, diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 43009011f..272176cc8 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -23,6 +23,9 @@ JH/03 Upgrade security requirements imposed for hosts_try_dane: previously JH/04 Bug 1810: make continued-use of an open smtp transport connection non-noisy when a race steals the message being considered. +JH/05 If main configuration option tls_certificate is unset, generate a + selfsigned certificate for inbound TLS connections. + Exim version 4.87 ----------------- diff --git a/src/src/readconf.c b/src/src/readconf.c index ba4cb668b..375f01a1a 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c 
@@ -2963,8 +2963,8 @@ if ( !tls_advertise_hosts ) return TRUE; else if (!nowarn && !tls_certificate) - log_write(0, LOG_MAIN|LOG_PANIC, - "Warning: No server certificate defined; TLS connections will fail.\n" + log_write(0, LOG_MAIN, + "Warning: No server certificate defined; will use a selfsigned one.\n" " Suggested action: either install a certificate or change tls_advertise_hosts option"); oldsignal = signal(SIGCHLD, SIG_DFL); diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 316906517..522bb9026 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c 
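Review bot: The reworded `"Warning: No server certificate defined; will use a selfsigned one.\n"` line drops the consequence the old text carried: with an auto-generated certificate clients can still encrypt but cannot verify the server's identity (the test logs in this commit show `CV=no`), so the message should say so, e.g. `"Warning: No server certificate defined; will use a selfsigned one (clients cannot verify this server).\n"`. Dropping LOG_PANIC is consistent with TLS no longer failing outright, but the unchanged "Suggested action" line still reads as if TLS were broken rather than unauthenticated. The enclosing function starts and ends outside the hunk.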
@@ -709,6 +709,70 @@ return OK;
+/* Create and install a selfsigned certificate, for use in server mode */
+
+static int
+tls_install_selfsign(exim_gnutls_state_st * state)
+{
+gnutls_x509_crt_t cert = NULL;
+time_t now;
+gnutls_x509_privkey_t pkey = NULL;
+const uschar * where;
+int rc;
+
+where = US"initialising pkey";
+if ((rc = gnutls_x509_privkey_init(&pkey))) goto err;
+
+where = US"initialising cert";
+if ((rc = gnutls_x509_crt_init(&cert))) goto err;
+
+where = US"generating pkey";
+if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
+ gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
+ 0))) /* _to_pk_bits() Since: 2.12.0 */
+ goto err;
+
+where = US"configuring cert";
+now = 0;
+if ( (rc = gnutls_x509_crt_set_version(cert, 3))
+ || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
+ || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
+ || (rc = gnutls_x509_crt_set_expiration_time(cert, now + 60 * 60)) /* 1 hr */
+ || (rc = gnutls_x509_crt_set_key(cert, pkey))
+
+ || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+ GNUTLS_OID_X520_COUNTRY_NAME, 0, "UK", 2))
+ || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+ GNUTLS_OID_X520_ORGANIZATION_NAME, 0, "Exim Developers", 15))
+ || (rc = gnutls_x509_crt_set_dn_by_oid(cert,
+ GNUTLS_OID_X520_COMMON_NAME, 0,
+ smtp_active_hostname, Ustrlen(smtp_active_hostname)))
+ )
+ goto err;
+
+where = US"signing cert";
+if ((rc = gnutls_x509_crt_sign(cert, cert, pkey))) goto err;
+
+where = US"installing selfsign cert";
+ /* Since: 2.4.0 */
+if ((rc = gnutls_certificate_set_x509_key(state->x509_cred, &cert, 1, pkey)))
+ goto err;
+
+rc = OK;
+
+out:
+ if (cert) gnutls_x509_crt_deinit(cert);
+ if (pkey) gnutls_x509_privkey_deinit(pkey);
+ return rc;
+
+err:
+ rc = tls_error(where, gnutls_strerror(rc), NULL);
+ goto out;
+}
+
+
+
+
 /*************************************************
 * Variables re-expanded post-SNI *
 *************************************************/
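Review bot: The key is sized by `GNUTLS_SEC_PARAM_LOW` and the certificate is signed with `gnutls_x509_crt_sign`, which leaves the digest to the library default; peers enforcing current minimums may refuse the handshake, defeating the purpose of the fallback. Use `GNUTLS_SEC_PARAM_MEDIUM` (or higher) and `gnutls_x509_crt_sign2(cert, cert, pkey, GNUTLS_DIG_SHA256, 0)` so the algorithm is explicit. The serial is set from `now` while it is zero: RFC 5280 requires a positive serial number, and a raw `time_t` would be endian-dependent if it were ever non-zero, so a one-byte `unsigned char serial = 1;` passed as `gnutls_x509_crt_set_serial(cert, &serial, 1)` is both conforming and simpler. Key generation also runs on every call, and the callers reach this per connection, so each inbound STARTTLS costs an RSA key generation; caching the generated key/cert for the daemon's lifetime (regenerating only when the one-hour validity lapses) would bound that CPU cost, and the same applies to the OpenSSL counterpart in this commit.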
@@ -741,7 +805,6 @@ int cert_count; /* We check for tls_sni *before* expansion. */ if (!host) /* server */ - { if (!state->received_sni) { if (state->tls_certificate && @@ -762,7 +825,6 @@ if (!host) /* server */ saved_tls_verify_certificates = state->exp_tls_verify_certificates; saved_tls_crl = state->exp_tls_crl; } - } rc = gnutls_certificate_allocate_credentials(&state->x509_cred); exim_gnutls_err_check(US"gnutls_certificate_allocate_credentials"); @@ -779,14 +841,13 @@ if (!expand_check_tlsvar(tls_certificate)) /* certificate is mandatory in server, optional in client */ -if ((state->exp_tls_certificate == NULL) || - (*state->exp_tls_certificate == '\0')) - { +if ( !state->exp_tls_certificate + || !*state->exp_tls_certificate + ) if (!host) - return tls_error(US"no TLS server certificate is specified", NULL, NULL); + return tls_install_selfsign(state); else DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n"); - } if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey)) return DEFER; @@ -806,9 +867,9 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate) state->exp_tls_certificate, state->exp_tls_privatekey); if (state->received_sni) - { - if ((Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0) && - (Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0)) + if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0 + && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0 + ) { DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n"); } @@ -816,7 +877,6 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate) { DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair.\n"); } - } rc = gnutls_certificate_set_x509_key_file(state->x509_cred, CS state->exp_tls_certificate, CS state->exp_tls_privatekey, diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 6036bce52..c24eb4544 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c 
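Review bot: With the new `return tls_install_selfsign(state);` branch a server whose `tls_certificate` expands to nothing on the first pass can now reach the `received_sni` comparison in the `@@ -806,9 +867,9 @@` hunk with `saved_tls_certificate` and `saved_tls_privatekey` still NULL, and `Ustrcmp` on a NULL pointer is undefined behaviour; before this change the first pass failed the connection so the comparison was never reached. This only bites if the expansion yields a certificate once SNI is known (an SNI-dependent expansion), which the configuration rather than this code decides, so treat it as a hedge. Guarding the comparison, e.g. `if ( saved_tls_certificate && saved_tls_privatekey && Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0 && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0 )`, and treating a NULL saved value as "changed" keeps the SNI path safe. The self-signed path also returns before `tls_privatekey` is expanded, so a configured key with an unset certificate is silently ignored; a `DEBUG(D_tls)` line saying so would help operators. The enclosing function starts and ends outside these hunks.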
@@ -214,7 +214,7 @@ Returns: OK/DEFER/FAIL */ static int -tls_error(uschar * prefix, const host_item * host, uschar * msg) +tls_error(uschar * prefix, const host_item * host, uschar * msg) { if (!msg) { @@ -273,8 +273,7 @@ if ( !BN_set_word(bn, (unsigned long)RSA_F4) || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL) ) #else -rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL); -if (rsa_key == NULL) +if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL))) #endif { 
@@ -915,6 +914,73 @@ return;
+/* Create and install a selfsigned certificate, for use in server mode */
+
+static int
+tls_install_selfsign(SSL_CTX * sctx)
+{
+X509 * x509 = NULL;
+EVP_PKEY * pkey;
+RSA * rsa;
+X509_NAME * name;
+uschar * where;
+
+where = US"allocating pkey";
+if (!(pkey = EVP_PKEY_new()))
+ goto err;
+
+where = US"allocating cert";
+if (!(x509 = X509_new()))
+ goto err;
+
+where = US"generating pkey";
+ /* deprecated, use RSA_generate_key_ex() */
+if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)))
+ goto err;
+
+where = US"assiging pkey";
+if (!EVP_PKEY_assign_RSA(pkey, rsa))
+ goto err;
+
+X509_set_version(x509, 2); /* N+1 - version 3 */
+ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
+X509_gmtime_adj(X509_get_notBefore(x509), 0);
+X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
+X509_set_pubkey(x509, pkey);
+
+name = X509_get_subject_name(x509);
+X509_NAME_add_entry_by_txt(name, "C",
+ MBSTRING_ASC, "UK", -1, -1, 0);
+X509_NAME_add_entry_by_txt(name, "O",
+ MBSTRING_ASC, "Exim Developers", -1, -1, 0);
+X509_NAME_add_entry_by_txt(name, "CN",
+ MBSTRING_ASC, CS smtp_active_hostname, -1, -1, 0);
+X509_set_issuer_name(x509, name);
+
+where = US"signing cert";
+if (!X509_sign(x509, pkey, EVP_md5()))
+ goto err;
+
+where = US"installing selfsign cert";
+if (!SSL_CTX_use_certificate(sctx, x509))
+ goto err;
+
+where = US"installing selfsign key";
+if (!SSL_CTX_use_PrivateKey(sctx, pkey))
+ goto err;
+
+return OK;
+
+err:
+ (void) tls_error(where, NULL, NULL);
+ if (x509) X509_free(x509);
+ if (pkey) EVP_PKEY_free(pkey);
+ return DEFER;
+}
+
+
+
+
 /*************************************************
 * Expand key and cert file specs *
 *************************************************/
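Review bot: `X509_sign(x509, pkey, EVP_md5())` yields an MD5-signed certificate and `RSA_generate_key(1024, ...)` a 1024-bit key; current TLS stacks reject both at default security settings, so the fallback would fail the very handshake it is meant to rescue — use `EVP_sha256()`, a 2048-bit key, and the `BN_set_word`/`RSA_generate_key_ex` form this file already uses earlier instead of the deprecated call the comment acknowledges. On the success path the function's own references are never released: `SSL_CTX_use_certificate` and `SSL_CTX_use_PrivateKey` take their own reference, so `X509_free(x509); EVP_PKEY_free(pkey);` belong before `return OK;` as well, and on `EVP_PKEY_assign_RSA` failure `rsa` leaks (`RSA_free(rsa)` before `goto err`). The serial written by `ASN1_INTEGER_set(X509_get_serialNumber(x509), 0)` is non-conforming (RFC 5280 requires a positive integer); 1 is the minimal fix. The return values of `X509_set_version`, `X509_gmtime_adj`, `X509_set_pubkey`, `X509_NAME_add_entry_by_txt` and `X509_set_issuer_name` are unchecked, and `US"assiging pkey"` is a typo for "assigning".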
@@ -935,41 +1001,49 @@ tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo) { uschar *expanded; -if (cbinfo->certificate == NULL) - return OK; - -if (Ustrstr(cbinfo->certificate, US"tls_sni") || - Ustrstr(cbinfo->certificate, US"tls_in_sni") || - Ustrstr(cbinfo->certificate, US"tls_out_sni") - ) - reexpand_tls_files_for_sni = TRUE; - -if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded)) - return DEFER; - -if (expanded != NULL) +if (!cbinfo->certificate) { - DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded); - if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded)) - return tls_error(string_sprintf( - "SSL_CTX_use_certificate_chain_file file=%s", expanded), - cbinfo->host, NULL); + if (cbinfo->host) /* client */ + return OK; + /* server */ + if (tls_install_selfsign(sctx) != OK) + return DEFER; } +else + { + if (Ustrstr(cbinfo->certificate, US"tls_sni") || + Ustrstr(cbinfo->certificate, US"tls_in_sni") || + Ustrstr(cbinfo->certificate, US"tls_out_sni") + ) + reexpand_tls_files_for_sni = TRUE; -if (cbinfo->privatekey != NULL && - !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded)) - return DEFER; + if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded)) + return DEFER; -/* If expansion was forced to fail, key_expanded will be NULL. If the result -of the expansion is an empty string, ignore it also, and assume the private -key is in the same file as the certificate. 
*/ + if (expanded != NULL) + { + DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded); + if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded)) + return tls_error(string_sprintf( + "SSL_CTX_use_certificate_chain_file file=%s", expanded), + cbinfo->host, NULL); + } -if (expanded && *expanded) - { - DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded); - if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM)) - return tls_error(string_sprintf( - "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL); + if (cbinfo->privatekey != NULL && + !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded)) + return DEFER; + + /* If expansion was forced to fail, key_expanded will be NULL. If the result + of the expansion is an empty string, ignore it also, and assume the private + key is in the same file as the certificate. */ + + if (expanded && *expanded) + { + DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded); + if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM)) + return tls_error(string_sprintf( + "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL); + } } #ifndef DISABLE_OCSP @@ -1429,8 +1503,8 @@ if ( !init_dh(*ctxp, dhparam, host) /* Set up certificate and key (and perhaps OCSP info) */ -rc = tls_expand_session_files(*ctxp, cbinfo); -if (rc != OK) return rc; +if ((rc = tls_expand_session_files(*ctxp, cbinfo)) != OK) + return rc; /* If we need to handle SNI, do so */ #ifdef EXIM_HAVE_OPENSSL_TLSEXT diff --git a/test/confs/2020 b/test/confs/2020 deleted file mode 100644 index 241d88335..000000000 --- a/test/confs/2020 +++ /dev/null 
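Review bot: The new `if (!cbinfo->certificate)` branch covers only an unset `tls_certificate`; when the option is set but expands to nothing (a forced expansion failure leaves `expanded` NULL, and the empty-string case is not tested at all), the `else` branch installs no certificate and the function carries on, so the server has neither a configured nor a self-signed certificate and the handshake fails later with a less helpful error. The GnuTLS side in this commit treats unset and empty alike, and the added spec text promises "unset or empty"; moving the selfsign call after the expansion, e.g. `if (!expanded || !*expanded) { if (!cbinfo->host && tls_install_selfsign(sctx) != OK) return DEFER; }`, would make the two backends agree. The removed `if (cbinfo->certificate == NULL) return OK;` also used to skip the OCSP setup under `#ifndef DISABLE_OCSP`; the server path now falls through into it, which is presumably intended for the self-signed case but worth confirming. `tls_expand_session_files` ends outside the hunk.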
@@ -1,52 +0,0 @@ -# Exim test configuration 2020 - -SERVER= - -exim_path = EXIM_PATH -keep_environment = -host_lookup_order = bydns -log_file_path = DIR/spool/log/SERVER%slog -gecos_pattern = "" -gecos_name = CALLER_NAME -primary_hostname = myhost.test.ex -spool_directory = DIR/spool - -# ----- Main settings ----- - -acl_smtp_rcpt = accept - -log_selector = +tls_peerdn - -queue_only -queue_run_in_order - -tls_advertise_hosts = * - - -# ----- Routers ----- - -begin routers - -abc: - driver = accept - transport = t1 - - -# ----- Transports ----- - -begin transports - -t1: - driver = smtp - hosts = 127.0.0.1 - allow_localhost - port = PORT_D - - -# ----- Retry ----- - -begin retry - -* * F,1d,1d - -# End diff --git a/test/confs/2020 b/test/confs/2020 new file mode 120000 index 000000000..5ec250ecd --- /dev/null +++ b/test/confs/2020 @@ -0,0 +1 @@ +2120 \ No newline at end of file diff --git a/test/confs/2120 b/test/confs/2120 index e3a0ba1af..75b8dfa7f 100644 --- a/test/confs/2120 +++ b/test/confs/2120 @@ -8,7 +8,7 @@ host_lookup_order = bydns log_file_path = DIR/spool/log/SERVER%slog gecos_pattern = "" gecos_name = CALLER_NAME -primary_hostname = myhost.test.ex +primary_hostname = thishost.test.ex spool_directory = DIR/spool # ----- Main settings ----- @@ -38,7 +38,7 @@ begin transports t1: driver = smtp - hosts = 127.0.0.1 + hosts = thishost.test.ex allow_localhost port = PORT_D diff --git a/test/log/2020 b/test/log/2020 index 25a01dfb3..2e4a0944b 100644 --- a/test/log/2020 +++ b/test/log/2020 
@@ -1,16 +1,15 @@ -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. +1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one. Suggested action: either install a certificate or change tls_advertise_hosts option -1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@thishost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one. Suggested action: either install a certificate or change tls_advertise_hosts option 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@myhost.test.ex R=abc T=t1 H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@thishost.test.ex R=abc T=t1 H=thishost.test.ex [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=Exim Developers,CN=thishost.test.ex" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. +1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one. 
Suggested action: either install a certificate or change tls_advertise_hosts option 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (no TLS server certificate is specified) -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@thishost.test.ex H=localhost (thishost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@thishost.test.ex diff --git a/test/log/2120 b/test/log/2120 index 10e2316c0..c70f7d401 100644 --- a/test/log/2120 +++ b/test/log/2120 
@@ -1,19 +1,16 @@ -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. +1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one. Suggested action: either install a certificate or change tls_advertise_hosts option -1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@thishost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one. Suggested action: either install a certificate or change tls_advertise_hosts option 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <> -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls) -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@myhost.test.ex R=abc T=t1 H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=Exim Developers/CN=thishost.test.ex +1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@thishost.test.ex R=abc T=t1 H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=Exim Developers/CN=thishost.test.ex" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. +1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one. 
Suggested action: either install a certificate or change tls_advertise_hosts option 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <> -1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@thishost.test.ex H=localhost (thishost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@thishost.test.ex diff --git a/test/paniclog/2020 b/test/paniclog/2020 deleted file mode 100644 index e16a6800b..000000000 --- a/test/paniclog/2020 +++ /dev/null @@ -1,8 +0,0 @@ -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option - -******** SERVER ******** -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option diff --git a/test/paniclog/2120 b/test/paniclog/2120 deleted file mode 100644 index e16a6800b..000000000 --- a/test/paniclog/2120 +++ /dev/null 
@@ -1,8 +0,0 @@ -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option - -******** SERVER ******** -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option diff --git a/test/scripts/2000-GnuTLS/2020 b/test/scripts/2000-GnuTLS/2020 index bd00740bf..3203ab4ea 100644 --- a/test/scripts/2000-GnuTLS/2020 +++ b/test/scripts/2000-GnuTLS/2020 @@ -1,4 +1,4 @@ -# TLS server: no certificate defined, client sends in clear +# TLS server: no certificate defined, autogen selfsign used gnutls exim -DSERVER=server -bd -oX PORT_D **** diff --git a/test/scripts/2100-OpenSSL/2120 b/test/scripts/2100-OpenSSL/2120 index 7e0aa1e0e..53cd81333 100644 --- a/test/scripts/2100-OpenSSL/2120 +++ b/test/scripts/2100-OpenSSL/2120 @@ -1,4 +1,4 @@ -# TLS server: no certificate defined, client sends in clear +# TLS server: no certificate defined, autogen selfsign used exim -DSERVER=server -bd -oX PORT_D **** exim userx diff --git a/test/stderr/2020 b/test/stderr/2020 index e16a6800b..045fadc9b 100644 --- a/test/stderr/2020 +++ b/test/stderr/2020 @@ -1,8 +1,2 @@ -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option ******** SERVER ******** -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option 
diff --git a/test/stderr/2120 b/test/stderr/2120 index e16a6800b..045fadc9b 100644 --- a/test/stderr/2120 +++ b/test/stderr/2120 @@ -1,8 +1,2 @@ -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option ******** SERVER ******** -1999-03-02 09:44:33 Warning: No server certificate defined; TLS connections will fail. - Suggested action: either install a certificate or change tls_advertise_hosts option