From 98716abe2b636d275e866f3ad6374cb70bf6e504 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sun, 2 Aug 2015 13:44:31 +0100
Subject: [PATCH 1/1] Testsuite: Add testcase for OCSP-nonaware client, to supporting server. Bug 1664
The logfile here is for (I hope) the passing case, though the fixed GnuTLS library is not yet available. Also due to the bug, client-gnutls is not usable for the test; client-openssl must be used - meaning that a GnuTLS-only system cannot run the testcase:
OCSP-GnuTLS/5650 OCSP stapling, server
** Command 15 ("client-ssl", starting at line 98)
** Return code 127 (expected 0)
---
 src/src/tls-gnu.c | 2 +-
 test/log/5650 | 6 ++++
 test/scripts/5650-OCSP-GnuTLS/5650 | 49 ++++++++++++++++++++++++++++--
 test/stdout/5650 | 36 ++++++++++++++++++++++
 4 files changed, 89 insertions(+), 4 deletions(-)
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 61ed0e81c..e2ac17c88 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -842,7 +842,7 @@ if ( !host /* server */
 gnutls_certificate_set_ocsp_status_request_function(state->x509_cred, server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
- DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file);
+ DEBUG(D_tls) debug_printf("OCSP response file = %s\n", state->exp_tls_ocsp_file);
 }
 #endif
diff --git a/test/log/5650 b/test/log/5650
index 6bb550248..b70aebb0e 100644
--- a/test/log/5650
+++ b/test/log/5650
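Review bot: The corrected line hands `state->exp_tls_ocsp_file` straight to `%s`; if that field can still be NULL at this point (its expansion and the enclosing `if (!host ...)` block both lie outside the hunk), `debug_printf` would be asked to format a null pointer. A cheap guard keeps the debug line safe regardless of what the caller did: `DEBUG(D_tls) debug_printf("OCSP response file = %s\n", state->exp_tls_ocsp_file ? state->exp_tls_ocsp_file : US"(none)");`. The same pointer is registered as user data for `server_ocsp_stapling_cb` on the context line above, so that callback should be equally tolerant of the value; its body is not visible here.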
@@ -1,11 +1,17 @@
+1999-03-02 09:44:33 1: Server sends good staple on request
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
 1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone)
+1999-03-02 09:44:33 2: Server does not staple an outdated response
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 3: Server does not staple a response for a revoked cert
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
 1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 4: Connection functions when server is prepared to staple but client does not request it
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
diff --git a/test/scripts/5650-OCSP-GnuTLS/5650 b/test/scripts/5650-OCSP-GnuTLS/5650
index 440053ecb..9ebafb3e2 100644
--- a/test/scripts/5650-OCSP-GnuTLS/5650
+++ b/test/scripts/5650-OCSP-GnuTLS/5650
@@ -2,7 +2,9 @@
 #
 #
 #
-# 1: Server sends good staple on request
+exim -z '1: Server sends good staple on request'
+****
+#
 exim -bd -oX PORT_D -DSERVER=server \
 -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
 ****
@@ -30,7 +32,9 @@ killdaemon
 #
 #
 #
-# 2: Server does not staple an outdated response
+exim -z '2: Server does not staple an outdated response'
+****
+#
 exim -bd -oX PORT_D -DSERVER=server \
 -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
 ****
@@ -54,7 +58,9 @@ killdaemon
 #
 #
 #
-# 3: Server does not staple a response for a revoked cert
+exim -z '3: Server does not staple a response for a revoked cert'
+****
+#
 exim -bd -oX PORT_D -DSERVER=server \
 -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
 ****
@@ -78,3 +84,40 @@ killdaemon
 #
 #
 #
+exim -z '4: Connection functions when server is prepared to staple but client does not request it'
+****
+#
+exim -bd -oX PORT_D -DSERVER=server \
+ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+#
+# Temporarily (I hope) use OpenSSL-based client, as GnuTLS is buggy and always requests (and understands)
+# stapling
+#
+#client-gnutls \
+client-ssl \
+ HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+ehlo rhu.barb.tls
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+quit
+****
+killdaemon
+#
+#
+#
+#
+#
diff --git a/test/stdout/5650 b/test/stdout/5650
index e0bbf4507..7b5628c6a 100644
--- a/test/stdout/5650
+++ b/test/stdout/5650
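Review bot: Scenario 4 hard-codes `client-ssl`, so on a GnuTLS-only build the helper is missing and the whole testcase fails with return code 127 — the very failure the commit message reports — instead of being skipped, and scenarios 1–3 lose their coverage with it. Until the GnuTLS client fix is available, putting scenario 4 in its own testcase (or gating it on the OpenSSL client helper being present) keeps the stapling checks runnable everywhere. The commented-out `#client-gnutls \` line deserves a pointer back to the reason so it gets revisited, e.g. `# TODO (Bug 1664): revert to client-gnutls once the fixed GnuTLS is required`. The expected log in test/log/5650 records only the `acl_conn` status for this scenario because the client quits straight after the post-STARTTLS EHLO; if the configuration's `acl_mail` logs the OCSP status as it evidently does for scenario 1, issuing a MAIL command here would also pin the server-side value after a handshake in which no staple was requested. The other three hunks only turn `# N:` comments into `exim -z` log markers and need nothing.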
@@ -78,3 +78,39 @@ Key file = aux-fixed/cert2
 Attempting to start TLS
 Bad certificate
 End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+Succeeded in starting TLS
+>>> ehlo rhu.barb.tls
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb.tls [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250
+<<< 250 HELP
+>>> quit
+End of script
-- 
2.25.1