From 01a4a5c5cbaa40ca618d3e233991ce183b551477 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 22 Nov 2014 19:16:19 +0000 Subject: [PATCH] Move certificate name checking to mainline, default enabled This is an exim client checking a server certificate. --- doc/doc-docbook/spec.xfpt | 13 +++++++ doc/doc-txt/ChangeLog | 5 +++ doc/doc-txt/experimental-spec.txt | 35 ------------------ src/src/config.h.defaults | 1 - src/src/exim.c | 3 -- src/src/functions.h | 2 -- src/src/tls-gnu.c | 14 +------- src/src/tls-openssl.c | 23 ++---------- src/src/tls.c | 2 -- src/src/transports/smtp.c | 8 ++--- src/src/transports/smtp.h | 2 -- test/confs/2012 | 56 +++++++++++++++-------------- test/confs/2112 | 56 +++++++++++++++-------------- test/confs/5601 | 4 +++ test/confs/5608 | 4 +++ test/confs/5651 | 4 +++ test/confs/5658 | 4 +++ test/confs/5750 | 1 + test/confs/5760 | 1 + test/confs/5840 | 1 + test/log/2012 | 22 ++++++++---- test/log/2112 | 22 ++++++++---- test/log/5840 | 2 ++ test/scripts/2000-GnuTLS/2012 | 6 ++++ test/scripts/2100-OpenSSL/2112 | 6 ++++ test/scripts/5840-DANE-OpenSSL/5840 | 2 +- test/stderr/5410 | 1 + 27 files changed, 151 insertions(+), 149 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 542ccaf86..5bdf57282 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23435,6 +23435,19 @@ The &$tls_out_certificate_verified$& variable is set when certificate verification succeeds. +.option tls_verify_cert_hostnames smtp "host list&!!" * +.cindex "TLS" "server certificate hostname verification" +.cindex "certificate" "verification of server" +This option give a list of hosts for which, +while verifying the server certificate, +checks will be included on the host name +(note that this will generally be the result of a DNS MX lookup) +versus Subject and Subject-Alternate-Name fields. Wildcard names are permitted +limited to being the initial component of a 3-or-more component FQDN. + +There is no equivalent checking on client certificates. + + .option tls_verify_certificates smtp string&!! unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 2f29e3603..27abe4701 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -12,6 +12,11 @@ JH/02 The smtp transport option "multi_domain" is now expanded. JH/03 The smtp transport now requests PRDR by default, if the server offers it. +JH/04 Certificate name checking on server certificates, when exim is a client, + is now done by default. The transport option tls_verify_cert_hostname + can be used to disable this per-host. The build option + EXPERIMENTAL_CERTNAMES is withdrawn. + Exim version 4.85 ----------------- diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 4a2a04bb4..4bcfecf04 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1146,41 +1146,6 @@ Adding it to a redirect router makes no difference. -Certificate name checking --------------------------------------------------------------- -The X509 certificates used for TLS are supposed be verified -that they are owned by the expected host. The coding of TLS -support to date has not made these checks. - -If built with EXPERIMENTAL_CERTNAMES defined, code is -included to do so for server certificates, and a new smtp transport option -"tls_verify_cert_hostnames" supported which takes a hostlist -which must match the target host for the additional checks must be made. -The option currently defaults to empty, but this may change in -the future. "*" is probably a suitable value. -Whether certificate verification is done at all, and the result of -it failing, is stll under the control of "tls_verify_hosts" nad -"tls_try_verify_hosts". - -The name being checked is that for the host, generally -the result of an MX lookup. - -Both Subject and Subject-Alternate-Name certificate fields -are supported, as are wildcard certificates (limited to -a single wildcard being the initial component of a 3-or-more -component FQDN). - -The equivalent check on the server for client certificates is not -implemented. At least one major email provider is using a client -certificate which fails this check. They do not retry either without -the client certificate or in clear. - -It is possible to duplicate the effect of this checking by -creative use of Events. - - - - DANE ------------------------------------------------------------ DNS-based Authentication of Named Entities, as applied diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults index a0997a01e..ec4322c70 100644 --- a/src/src/config.h.defaults +++ b/src/src/config.h.defaults @@ -167,7 +167,6 @@ it's a default value. */ /* EXPERIMENTAL features */ #define EXPERIMENTAL_BRIGHTMAIL -#define EXPERIMENTAL_CERTNAMES #define EXPERIMENTAL_DANE #define EXPERIMENTAL_DCC #define EXPERIMENTAL_DMARC diff --git a/src/src/exim.c b/src/src/exim.c index d6915d4ad..e0b754666 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -853,9 +853,6 @@ fprintf(f, "Support for:"); #ifdef EXPERIMENTAL_REDIS fprintf(f, " Experimental_Redis"); #endif -#ifdef EXPERIMENTAL_CERTNAMES - fprintf(f, " Experimental_Certnames"); -#endif #ifdef EXPERIMENTAL_DSN fprintf(f, " Experimental_DSN"); #endif diff --git a/src/src/functions.h b/src/src/functions.h index a74c94b83..68609f232 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -67,9 +67,7 @@ extern void tls_version_report(FILE *); extern BOOL tls_openssl_options_parse(uschar *, long *); # endif extern uschar * tls_field_from_dn(uschar *, uschar *); -# ifdef EXPERIMENTAL_CERTNAMES extern BOOL tls_is_name_for_cert(uschar *, void *); -# endif # ifdef EXPERIMENTAL_DANE extern int tlsa_lookup(const host_item *, dns_answer *, BOOL, BOOL *); diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index bdc032f35..b520ebfd8 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -117,9 +117,7 @@ typedef struct exim_gnutls_state { uschar *exp_tls_crl; uschar *exp_tls_require_ciphers; uschar *exp_tls_ocsp_file; -#ifdef EXPERIMENTAL_CERTNAMES uschar *exp_tls_verify_cert_hostnames; -#endif #ifdef EXPERIMENTAL_EVENT uschar *event_action; #endif @@ -138,9 +136,7 @@ static const exim_gnutls_state_st exim_gnutls_state_init = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -#ifdef EXPERIMENTAL_CERTNAMES - NULL, -#endif + NULL, #ifdef EXPERIMENTAL_EVENT NULL, #endif @@ -1385,7 +1381,6 @@ if (rc < 0 || else { -#ifdef EXPERIMENTAL_CERTNAMES if (state->exp_tls_verify_cert_hostnames) { int sep = 0; @@ -1407,7 +1402,6 @@ else return TRUE; } } -#endif state->peer_cert_verified = TRUE; DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n", state->peerdn ? state->peerdn : US""); @@ -1771,7 +1765,6 @@ return OK; -#ifdef EXPERIMENTAL_CERTNAMES static void tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state, smtp_transport_options_block * ob) @@ -1784,7 +1777,6 @@ if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK) state->exp_tls_verify_cert_hostnames); } } -#endif /************************************************* @@ -1859,9 +1851,7 @@ if ( ( state->exp_tls_verify_certificates || verify_check_given_host(&ob->tls_verify_hosts, host) == OK ) { -#ifdef EXPERIMENTAL_CERTNAMES tls_client_setup_hostname_checks(host, state, ob); -#endif DEBUG(D_tls) debug_printf("TLS: server certificate verification required.\n"); state->verify_requirement = VERIFY_REQUIRED; @@ -1869,9 +1859,7 @@ if ( ( state->exp_tls_verify_certificates } else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK) { -#ifdef EXPERIMENTAL_CERTNAMES tls_client_setup_hostname_checks(host, state, ob); -#endif DEBUG(D_tls) debug_printf("TLS: server certificate verification optional.\n"); state->verify_requirement = VERIFY_OPTIONAL; diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 43fbaa41a..7c66775c0 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -123,10 +123,7 @@ typedef struct tls_ext_ctx_cb { uschar *server_cipher_list; /* only passed down to tls_error: */ host_item *host; - -#ifdef EXPERIMENTAL_CERTNAMES uschar * verify_cert_hostnames; -#endif #ifdef EXPERIMENTAL_EVENT uschar * event_action; #endif @@ -354,14 +351,11 @@ else if (depth != 0) } else { -#ifdef EXPERIMENTAL_CERTNAMES uschar * verify_cert_hostnames; -#endif tlsp->peerdn = txt; tlsp->peercert = X509_dup(cert); -#ifdef EXPERIMENTAL_CERTNAMES if ( tlsp == &tls_out && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames))) /* client, wanting hostname check */ @@ -413,7 +407,6 @@ else "tls_try_verify_hosts)\n"); } # endif -#endif /*EXPERIMENTAL_CERTNAMES*/ #ifdef EXPERIMENTAL_EVENT ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action; @@ -1289,9 +1282,7 @@ else /* client */ # endif #endif -#ifdef EXPERIMENTAL_CERTNAMES cbinfo->verify_cert_hostnames = NULL; -#endif /* Set up the RSA callback */ @@ -1672,10 +1663,7 @@ return OK; static int tls_client_basic_ctx_init(SSL_CTX * ctx, - host_item * host, smtp_transport_options_block * ob -#ifdef EXPERIMENTAL_CERTNAMES - , tls_ext_ctx_cb * cbinfo -#endif + host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo ) { int rc; @@ -1696,14 +1684,12 @@ if ((rc = setup_certs(ctx, ob->tls_verify_certificates, ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK) return rc; -#ifdef EXPERIMENTAL_CERTNAMES if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK) { cbinfo->verify_cert_hostnames = host->name; DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", cbinfo->verify_cert_hostnames); } -#endif return OK; } @@ -1882,11 +1868,8 @@ else #endif - if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob -#ifdef EXPERIMENTAL_CERTNAMES - , client_static_cbinfo -#endif - )) != OK) + if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo)) + != OK) return rc; if ((client_ssl = SSL_new(client_ctx)) == NULL) diff --git a/src/src/tls.c b/src/src/tls.c index b3d088df3..11823795c 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -281,7 +281,6 @@ return list; } -# ifdef EXPERIMENTAL_CERTNAMES /* Compare a domain name with a possibly-wildcarded name. Wildcards are restricted to a single one, as the first element of patterns having at least three dot-separated elements. Case-independent. @@ -353,7 +352,6 @@ else if ((subjdn = tls_cert_subject(cert, NULL))) } return FALSE; } -# endif /*EXPERIMENTAL_CERTNAMES*/ #endif /*SUPPORT_TLS*/ /* vi: aw ai sw=2 diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 3dae1d2f2..f57ee69d0 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -176,10 +176,8 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, tls_tempfail_tryclear) }, { "tls_try_verify_hosts", opt_stringptr, (void *)offsetof(smtp_transport_options_block, tls_try_verify_hosts) }, -#ifdef EXPERIMENTAL_CERTNAMES { "tls_verify_cert_hostnames", opt_stringptr, (void *)offsetof(smtp_transport_options_block,tls_verify_cert_hostnames)}, -#endif { "tls_verify_certificates", opt_stringptr, (void *)offsetof(smtp_transport_options_block, tls_verify_certificates) }, { "tls_verify_hosts", opt_stringptr, @@ -262,10 +260,8 @@ smtp_transport_options_block smtp_transport_option_defaults = { /* tls_dh_min_bits */ TRUE, /* tls_tempfail_tryclear */ NULL, /* tls_verify_hosts */ - NULL /* tls_try_verify_hosts */ -# ifdef EXPERIMENTAL_CERTNAMES - ,NULL /* tls_verify_cert_hostnames */ -# endif + NULL, /* tls_try_verify_hosts */ + US"*" /* tls_verify_cert_hostnames */ #endif #ifndef DISABLE_DKIM ,NULL, /* dkim_canon */ diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index 95e9195f4..1b51c133d 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h @@ -74,9 +74,7 @@ typedef struct { BOOL tls_tempfail_tryclear; uschar *tls_verify_hosts; uschar *tls_try_verify_hosts; -# ifdef EXPERIMENTAL_CERTNAMES uschar *tls_verify_cert_hostnames; -# endif #endif #ifndef DISABLE_DKIM uschar *dkim_domain; diff --git a/test/confs/2012 b/test/confs/2012 index 97dc25e75..6bc5487ff 100644 --- a/test/confs/2012 +++ b/test/confs/2012 @@ -104,6 +104,7 @@ send_to_server_failcert: tls_privatekey = CERT2 tls_verify_certificates = CA2 + tls_verify_cert_hostnames = # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok send_to_server_retry: @@ -117,6 +118,7 @@ send_to_server_retry: tls_verify_certificates = \ ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + tls_verify_cert_hostnames = # this will fail to verify the cert but continue unverified though crypted send_to_server_crypt: @@ -130,6 +132,7 @@ send_to_server_crypt: tls_verify_certificates = CA2 tls_try_verify_hosts = * + tls_verify_cert_hostnames = # this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted send_to_server_req_fail: @@ -142,31 +145,32 @@ send_to_server_req_fail: tls_verify_certificates = CA2 tls_verify_hosts = * - -# # this will fail to verify the cert name and fallback to unencrypted -# send_to_server_req_failname: -# driver = smtp -# allow_localhost -# hosts = HOSTIPV4 -# port = PORT_D -# tls_certificate = CERT2 -# tls_privatekey = CERT2 -# -# tls_verify_certificates = CA1 -# tls_verify_cert_hostnames = server1.example.net : server1.example.org -# tls_verify_hosts = * -# -# # this will pass the cert verify including name check -# send_to_server_req_passname: -# driver = smtp -# allow_localhost -# hosts = HOSTIPV4 -# port = PORT_D -# tls_certificate = CERT2 -# tls_privatekey = CERT2 -# -# tls_verify_certificates = CA1 -# tls_verify_cert_hostnames = noway.example.com : server1.example.com -# tls_verify_hosts = * + tls_verify_cert_hostnames = + + # this will fail to verify the cert name and fallback to unencrypted + send_to_server_req_failname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = server1.example.net : server1.example.org + tls_verify_hosts = * + + # this will pass the cert verify including name check + send_to_server_req_passname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = noway.example.com : server1.example.com + tls_verify_hosts = * # End diff --git a/test/confs/2112 b/test/confs/2112 index 4751e6015..2c81e0cf3 100644 --- a/test/confs/2112 +++ b/test/confs/2112 @@ -104,6 +104,7 @@ send_to_server_failcert: tls_privatekey = CERT2 tls_verify_certificates = CA2 + tls_verify_cert_hostnames = # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok send_to_server_retry: @@ -117,6 +118,7 @@ send_to_server_retry: tls_verify_certificates = \ ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + tls_verify_cert_hostnames = # this will fail to verify the cert but continue unverified though crypted send_to_server_crypt: @@ -130,6 +132,7 @@ send_to_server_crypt: tls_verify_certificates = CA2 tls_try_verify_hosts = * + tls_verify_cert_hostnames = # this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted send_to_server_req_fail: @@ -142,31 +145,32 @@ send_to_server_req_fail: tls_verify_certificates = CA2 tls_verify_hosts = * - -# # this will fail to verify the cert name and fallback to unencrypted -# send_to_server_req_failname: -# driver = smtp -# allow_localhost -# hosts = HOSTIPV4 -# port = PORT_D -# tls_certificate = CERT2 -# tls_privatekey = CERT2 -# -# tls_verify_certificates = CA1 -# tls_verify_cert_hostnames = server1.example.net : server1.example.org -# tls_verify_hosts = * -# -# # this will pass the cert verify including name check -# send_to_server_req_passname: -# driver = smtp -# allow_localhost -# hosts = HOSTIPV4 -# port = PORT_D -# tls_certificate = CERT2 -# tls_privatekey = CERT2 -# -# tls_verify_certificates = CA1 -# tls_verify_cert_hostnames = noway.example.com : server1.example.com -# tls_verify_hosts = * + tls_verify_cert_hostnames = + + # this will fail to verify the cert name and fallback to unencrypted + send_to_server_req_failname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = server1.example.net : server1.example.org + tls_verify_hosts = * + + # this will pass the cert verify including name check + send_to_server_req_passname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = noway.example.com : server1.example.com + tls_verify_hosts = * # End diff --git a/test/confs/5601 b/test/confs/5601 index 3e97fcbea..1a7320300 100644 --- a/test/confs/5601 +++ b/test/confs/5601 @@ -90,6 +90,7 @@ send_to_server1: hosts = HOSTIPV4 port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * hosts_request_ocsp = : headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ @@ -102,6 +103,7 @@ send_to_server2: hosts = HOSTIPV4 port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * # note no ocsp mention here headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ @@ -115,6 +117,7 @@ send_to_server3: port = PORT_D helo_data = helo.data.changed tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * hosts_require_ocsp = * headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ @@ -128,6 +131,7 @@ send_to_server4: port = PORT_D helo_data = helo.data.changed tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = protocol = smtps hosts_require_tls = * hosts_require_ocsp = * diff --git a/test/confs/5608 b/test/confs/5608 index da0f6707f..6061a1343 100644 --- a/test/confs/5608 +++ b/test/confs/5608 @@ -98,6 +98,7 @@ send_to_server1: hosts = HOSTIPV4 port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * hosts_request_ocsp = : headers_add = X-TLS-out: ocsp status $tls_out_ocsp @@ -110,6 +111,7 @@ send_to_server2: hosts = HOSTIPV4 port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * # note no ocsp mention here headers_add = X-TLS-out: ocsp status $tls_out_ocsp @@ -123,6 +125,7 @@ send_to_server3: port = PORT_D helo_data = helo.data.changed tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * hosts_require_ocsp = * headers_add = X-TLS-out: ocsp status $tls_out_ocsp @@ -136,6 +139,7 @@ send_to_server4: port = PORT_D helo_data = helo.data.changed tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = protocol = smtps hosts_require_tls = * hosts_require_ocsp = * diff --git a/test/confs/5651 b/test/confs/5651 index 6b70d33b2..19f16d03d 100644 --- a/test/confs/5651 +++ b/test/confs/5651 @@ -88,6 +88,7 @@ send_to_server1: hosts = HOSTIPV4 port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * hosts_request_ocsp = : headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ @@ -100,6 +101,7 @@ send_to_server2: hosts = HOSTIPV4 port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * # note no ocsp mention here headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ @@ -114,6 +116,7 @@ send_to_server3: helo_data = helo.data.changed #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * hosts_require_ocsp = * headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ @@ -128,6 +131,7 @@ send_to_server4: helo_data = helo.data.changed #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = protocol = smtps hosts_require_tls = * hosts_require_ocsp = * diff --git a/test/confs/5658 b/test/confs/5658 index 7ab2de68f..de486e083 100644 --- a/test/confs/5658 +++ b/test/confs/5658 @@ -95,6 +95,7 @@ send_to_server1: hosts = HOSTIPV4 port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * hosts_request_ocsp = : headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ @@ -108,6 +109,7 @@ send_to_server2: hosts = HOSTIPV4 port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * # note no ocsp mention here headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ @@ -123,6 +125,7 @@ send_to_server3: helo_data = helo.data.changed #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = hosts_require_tls = * hosts_require_ocsp = * headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ @@ -138,6 +141,7 @@ send_to_server4: helo_data = helo.data.changed #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + tls_verify_cert_hostnames = protocol = smtps hosts_require_tls = * hosts_require_ocsp = * diff --git a/test/confs/5750 b/test/confs/5750 index 364f73a90..d1e2e7ce0 100644 --- a/test/confs/5750 +++ b/test/confs/5750 @@ -104,6 +104,7 @@ send_to_server: ${if eq {$local_part}{good}\ {example.com/server1.example.com/ca_chain.pem}\ {example.net/server1.example.net/ca_chain.pem}} + tls_verify_cert_hostnames = event_action = ${acl {logger} {$event_name} {$domain} } diff --git a/test/confs/5760 b/test/confs/5760 index 60f386ba4..80dde3e15 100644 --- a/test/confs/5760 +++ b/test/confs/5760 @@ -104,6 +104,7 @@ send_to_server: ${if eq {$local_part}{good}\ {example.com/server1.example.com/ca_chain.pem}\ {example.net/server1.example.net/ca_chain.pem}} + tls_verify_cert_hostnames = event_action = ${acl {logger} {$event_name} {$domain} } diff --git a/test/confs/5840 b/test/confs/5840 index 2c72b64c3..5c0f6a51d 100644 --- a/test/confs/5840 +++ b/test/confs/5840 @@ -68,6 +68,7 @@ send_to_server: hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \ {= {0}{$tls_out_tlsa_usage}} } \ {*}{}} + tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} tls_try_verify_hosts = thishost.test.ex tls_verify_certificates = CDIR2/ca_chain.pem diff --git a/test/log/2012 b/test/log/2012 index 48c75d2b8..efb293303 100644 --- a/test/log/2012 +++ b/test/log/2012 @@ -2,6 +2,8 @@ 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: failure while setting up TLS session @@ -9,14 +11,20 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid -1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed -1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed 1999-03-02 09:44:33 10HmbA-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) -1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00" 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net +1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00" +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** @@ -25,8 +33,10 @@ 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. -1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. -1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex diff --git a/test/log/2112 b/test/log/2112 index 45a0458d7..02d1d315c 100644 --- a/test/log/2112 +++ b/test/log/2112 @@ -2,6 +2,8 @@ 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com 1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <> @@ -11,18 +13,24 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com 1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <> -1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com 1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=certificate not trusted cert=/CN=server1.example.com 1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=server1.example.com -1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed 1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com 1999-03-02 09:44:33 10HmbA-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <> 1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) -1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00" 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net +1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00" +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** @@ -31,8 +39,10 @@ 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) -1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) -1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex diff --git a/test/log/5840 b/test/log/5840 index 7507c5cba..a842abc2e 100644 --- a/test/log/5840 +++ b/test/log/5840 @@ -14,6 +14,8 @@ 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmbD-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmbD-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" + 1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbE-0005vi-00" 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/scripts/2000-GnuTLS/2012 b/test/scripts/2000-GnuTLS/2012 index 3b25ba206..76a6d50ea 100644 --- a/test/scripts/2000-GnuTLS/2012 +++ b/test/scripts/2000-GnuTLS/2012 @@ -14,6 +14,12 @@ Testing exim userq@test.ex Testing **** +exim userr@test.ex +Testing +**** +exim users@test.ex +Testing +**** exim -qf **** killdaemon diff --git a/test/scripts/2100-OpenSSL/2112 b/test/scripts/2100-OpenSSL/2112 index 98ea4cb17..c500751d5 100644 --- a/test/scripts/2100-OpenSSL/2112 +++ b/test/scripts/2100-OpenSSL/2112 @@ -13,6 +13,12 @@ Testing exim userq@test.ex Testing **** +exim userr@test.ex +Testing +**** +exim users@test.ex +Testing +**** exim -qf **** killdaemon diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840 index eef14c2fe..c0133eae3 100644 --- a/test/scripts/5840-DANE-OpenSSL/5840 +++ b/test/scripts/5840-DANE-OpenSSL/5840 @@ -43,7 +43,7 @@ exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D exim -odq CALLER@thishost.test.ex Testing **** -exim -qf +exim -DOPT=no_certname -qf **** killdaemon # diff --git a/test/stderr/5410 b/test/stderr/5410 index 09685491d..943681e13 100644 --- a/test/stderr/5410 +++ b/test/stderr/5410 @@ -83,6 +83,7 @@ expanding: ${if eq {$address_data}{userz}{*}{:}} SMTP<< 220 TLS go ahead 127.0.0.1 in hosts_require_ocsp? no (option unset) 127.0.0.1 in hosts_request_ocsp? yes (matched "*") +127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*") SMTP>> EHLO myhost.test.ex SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4] 250-SIZE 52428800 -- 2.25.1