From e5b60be7f6f924ea9730f4829c2eb8d955cb14bf Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 2 Nov 2016 21:25:49 +0000
Subject: [PATCH] Testsuite: replicate testcases for LE OCSP

---
 test/confs/5610                     |  73 +++++++++++
 test/confs/5611                     | 152 ++++++++++++++++++++++
 test/log/5610                       |  11 ++
 test/log/5611                       |  46 +++++++
 test/scripts/5600-OCSP-OpenSSL/5610 | 115 +++++++++++++++++
 test/scripts/5600-OCSP-OpenSSL/5611 |  77 ++++++++++++
 test/stderr/5610                    |  78 ++++++++++++
 test/stdout/5610                    | 188 ++++++++++++++++++++++++++++
 8 files changed, 740 insertions(+)
 create mode 100644 test/confs/5610
 create mode 100644 test/confs/5611
 create mode 100644 test/log/5610
 create mode 100644 test/log/5611
 create mode 100644 test/scripts/5600-OCSP-OpenSSL/5610
 create mode 100644 test/scripts/5600-OCSP-OpenSSL/5611
 create mode 100644 test/stderr/5610
 create mode 100644 test/stdout/5610

diff --git a/test/confs/5610 b/test/confs/5610
new file mode 100644
index 000000000..b65a2797e
--- /dev/null
+++ b/test/confs/5610
@@ -0,0 +1,73 @@
+# Exim test configuration 5600
+# OCSP stapling, server
+
+CRL=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = server1.example.com
+
+# ----- Main settings -----
+
+acl_smtp_connect = check_connect
+acl_smtp_mail = check_mail
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+
+tls_verify_hosts = HOSTIPV4
+tls_try_verify_hosts = *
+tls_verify_certificates = DIR/aux-fixed/cert2
+tls_crl = CRL
+tls_ocsp_file = RETURN
+
+
+# ------ ACL ------
+
+begin acl
+
+check_connect:
+  accept   logwrite = acl_conn: ocsp in status: $tls_in_ocsp \
+    (${listextract {${eval:$tls_in_ocsp+1}} \
+		{notreq:notresp:vfynotdone:failed:verified}})
+
+check_mail:
+  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+    (${listextract {${eval:$tls_in_ocsp+1}} \
+		{notreq:notresp:vfynotdone:failed:verified}})
+
+check_recipient:
+  deny     message = certificate not verified: peerdn=$tls_peerdn
+         ! verify = certificate
+  accept
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+  driver = accept
+  retry_use_local_part
+  transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+# End
diff --git a/test/confs/5611 b/test/confs/5611
new file mode 100644
index 000000000..3309870a3
--- /dev/null
+++ b/test/confs/5611
@@ -0,0 +1,152 @@
+# Exim test configuration 5601
+# OCSP stapling, client
+
+SERVER =
+
+exim_path = EXIM_PATH
+keep_environment  = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$
+host_lookup_order = bydns
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+chunking_advertise_hosts =
+primary_hostname = server1.example.com
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = check_recipient
+acl_smtp_data = check_data
+
+log_selector = +tls_peerdn
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
+fail\
+}
+
+#{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\
+
+tls_privatekey = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
+fail}
+
+tls_ocsp_file = RETURN
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+  accept  domains = +local_domains
+  deny    message = relay not permitted
+
+check_data:
+  warn	  condition   = ${if def:h_X-TLS-out:}
+	  logwrite = client claims: $h_X-TLS-out:
+  accept
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = accept
+  condition = ${if eq {SERVER}{server}{no}{yes}}
+  retry_use_local_part
+  transport = send_to_server${if eq{$local_part}{nostaple}{1} \
+				{${if eq{$local_part}{norequire} {2} \
+				{${if eq{$local_part}{smtps} {4}{3}}} \
+			     }}}
+
+server:
+  driver = redirect
+  data = :blackhole:
+  #retry_use_local_part
+  #transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+send_to_server1:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
+  hosts_require_tls = *
+  hosts_request_ocsp = :
+  headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+		{notreq:notresp:vfynotdone:failed:verified}})
+
+send_to_server2:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  port = PORT_D
+  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
+  hosts_require_tls = *
+# note no ocsp mention here
+  headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+		{notreq:notresp:vfynotdone:failed:verified}})
+
+send_to_server3:
+  driver = smtp
+  allow_localhost
+  hosts = 127.0.0.1
+  port = PORT_D
+  helo_data = helo.data.changed
+  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
+  hosts_require_tls =  *
+  hosts_require_ocsp = *
+  headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+		{notreq:notresp:vfynotdone:failed:verified}})
+
+send_to_server4:
+  driver = smtp
+  allow_localhost
+  hosts = 127.0.0.1
+  port = PORT_D
+  helo_data = helo.data.changed
+  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
+  protocol =           smtps
+  hosts_require_tls =  *
+  hosts_require_ocsp = *
+  headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+    (${listextract {${eval:$tls_out_ocsp+1}} \
+		{notreq:notresp:vfynotdone:failed:verified}})
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,1s
+
+
+# End
diff --git a/test/log/5610 b/test/log/5610
new file mode 100644
index 000000000..b2e785562
--- /dev/null
+++ b/test/log/5610
@@ -0,0 +1,11 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
diff --git a/test/log/5611 b/test/log/5611
new file mode 100644
index 000000000..f2a03375b
--- /dev/null
+++ b/test/log/5611
@@ -0,0 +1,46 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content
+1999-03-02 09:44:33 10HmbD-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded
+1999-03-02 09:44:33 10HmbE-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbF-0005vi-00 Server OSCP dates invalid
+1999-03-02 09:44:33 10HmbF-0005vi-00 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37) H=127.0.0.1 [127.0.0.1]: failure while setting up TLS session
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 (notresp)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 0 (notreq)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <nostaple@test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 (verified)
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbB-0005vi-00@server1.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
diff --git a/test/scripts/5600-OCSP-OpenSSL/5610 b/test/scripts/5600-OCSP-OpenSSL/5610
new file mode 100644
index 000000000..c8668ea38
--- /dev/null
+++ b/test/scripts/5600-OCSP-OpenSSL/5610
@@ -0,0 +1,115 @@
+# OCSP stapling, server, LE variation
+#
+#
+#
+# '1: Server sends good staple on request'
+#
+exim -bd -oX PORT_D -DSERVER=server \
+ -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+client-ssl \
+ -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+ HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+mail from:<userx@test.ex>
+??? 250
+rcpt to:<userx@test.ex>
+??? 250
+quit
+??? 221
+****
+killdaemon
+#
+#
+#
+# '2: Server does not staple an outdated response'
+#
+exim -bd -oX PORT_D -DSERVER=server \
+ -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+# XXX test sequence might not be quite right; this is for a server refusal
+# and we're expecting a client refusal.
+client-ssl -ocsp aux-fixed/exim-ca/expired1.example.com/CA.pem HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+****
+killdaemon
+#
+#
+#
+#
+#
+# '3: Server does not staple a response for a revoked cert'
+#
+exim -bd -oX PORT_D -DSERVER=server \
+ -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+client-ssl \
+ -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+ HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+****
+killdaemon
+#
+#
+#
+#
+#
+# '4: Connection functions when server is prepared to staple but client does not request it'
+#
+exim -bd -oX PORT_D -DSERVER=server \
+ -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+#
+client-ssl \
+ HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
+??? 220
+ehlo rhu.barb
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+starttls
+??? 220
+ehlo rhu.barb.tls
+??? 250-
+??? 250-
+??? 250-
+??? 250-
+??? 250
+quit
+****
+killdaemon
+#
+#
+#
+#
+#
diff --git a/test/scripts/5600-OCSP-OpenSSL/5611 b/test/scripts/5600-OCSP-OpenSSL/5611
new file mode 100644
index 000000000..248c44219
--- /dev/null
+++ b/test/scripts/5600-OCSP-OpenSSL/5611
@@ -0,0 +1,77 @@
+# OCSP stapling, client, LE variation
+#
+#
+# Client works when we request but don't require OCSP stapling and none comes
+exim -bd -oX PORT_D -DSERVER=server -DRETURN=/dev/null
+****
+exim norequire@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+# Client works when we don't request OCSP stapling
+exim -bd -oX PORT_D -DSERVER=server \
+ -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+****
+exim nostaple@test.ex
+test message.
+****
+millisleep 500
+#
+#
+#
+#
+# Client accepts good stapled info
+exim CALLER@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+# Client fails on lack of required stapled info
+exim -bd -oX PORT_D -DSERVER=server -DRETURN=/dev/null
+****
+exim CALLER@test.ex
+test message.
+****
+sleep 1
+killdaemon
+sudo rm spool/db/retry
+#
+#
+#
+# Client fails on revoked stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp
+****
+exim CALLER@test.ex
+test message.
+****
+sleep 1
+killdaemon
+millisleep 200
+sudo rm spool/db/retry
+#
+#
+#
+#
+# Client fails on expired stapled info
+EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \
+ -DRETURN=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
+****
+exim CALLER@test.ex
+test message.
+****
+sleep 1
+killdaemon
+#
+#
+#
+#
+no_msglog_check
diff --git a/test/stderr/5610 b/test/stderr/5610
new file mode 100644
index 000000000..9282f1ea0
--- /dev/null
+++ b/test/stderr/5610
@@ -0,0 +1,78 @@
+
+******** SERVER ********
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+daemon_smtp_port overridden by -oX:
+  <: 1225
+listening on all interfaces (IPv6) port 1225
+listening on all interfaces (IPv4) port 1225
+pid written to TESTSUITE/spool/exim-daemon.pid
+LOG: MAIN
+  exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+daemon running with uid=EXIM_UID gid=EXIM_GID euid=EXIM_UID egid=EXIM_GID
+Listening...
+Connection request from ip4.ip4.ip4.ip4 port 51808
+1 SMTP accept process running
+Listening...
+11402 Process 11402 is handling incoming connection from [ip4.ip4.ip4.ip4]
+LOG: MAIN
+  acl_conn: ocsp in status: 0 (notreq)
+Process 11402 is ready for new message
+setting SSL CTX options: 0x1100000
+Diffie-Hellman initialized from default with 2048-bit prime
+ECDH: curve 'prime256v1'
+ECDH: enabled 'prime256v1' curve
+tls_certificate file TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey file TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+tls_ocsp_file TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp
+Initialized TLS
+Added 1 certificate authorities.
+Calling SSL_accept
+SSL info: before/accept initialization
+SSL info: before/accept initialization
+Received TLS status request (OCSP stapling); have response
+SSL info: SSLv3 read client hello A
+SSL info: SSLv3 write server hello A
+SSL info: SSLv3 write certificate A
+SSL info: unknown state
+SSL info: SSLv3 write key exchange A
+SSL info: SSLv3 write certificate request A
+SSL info: SSLv3 flush data
+SSL authenticated verify ok: depth=0 SN=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+SSL info: SSLv3 read client certificate A
+SSL info: SSLv3 read client key exchange A
+SSL info: SSLv3 read certificate verify A
+SSL info: SSLv3 read finished A
+SSL info: SSLv3 write session ticket A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL_accept was successful
+Cipher: TLSv1:AES256-SHA:256
+Shared ciphers: AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-SHA:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES256-SHA:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:DHE-DSS-AES256-SHA:AES256-SHA:AES256-SHA:DHE-DSS-AES256-SHA256:AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA
+TLS active
+Calling SSL_read(0x970690, 0x981230, 4096)
+LOG: MAIN
+  acl_mail: ocsp in status: 4 (verified)
+tls_do_write(0x83cc40, 8)
+SSL_write(SSL, 0x83cc40, 8)
+outbytes=8 error=0
+Calling SSL_read(0x970690, 0x981230, 4096)
+tls_do_write(0x83cc40, 14)
+SSL_write(SSL, 0x83cc40, 14)
+outbytes=14 error=0
+Calling SSL_read(0x970690, 0x981230, 4096)
+tls_do_write(0x83cc40, 44)
+SSL_write(SSL, 0x83cc40, 44)
+outbytes=44 error=0
+tls_close(): shutting down SSL
+SSL info: SSL negotiation finished successfully
+LOG: smtp_connection MAIN
+  SMTP connection from [ip4.ip4.ip4.ip4] closed by QUIT
+11398 child 11402 ended: status=0x0
+11398   normal exit, 0
+11398 0 SMTP accept processes now running
+11398 Listening...
diff --git a/test/stdout/5610 b/test/stdout/5610
new file mode 100644
index 000000000..d2d28dce6
--- /dev/null
+++ b/test/stdout/5610
@@ -0,0 +1,188 @@
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+Response verify OK
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> mail from:<userx@test.ex>
+??? 250
+<<< 250 OK
+>>> rcpt to:<userx@test.ex>
+??? 250
+<<< 250 Accepted
+>>> quit
+??? 221
+<<< 221 server1.example.com closing connection
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+no response received
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+no response received
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+Certificate file = aux-fixed/cert2
+Key file = aux-fixed/cert2
+??? 220
+<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ehlo rhu.barb
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250-
+<<< 250-STARTTLS
+??? 250
+<<< 250 HELP
+>>> starttls
+??? 220
+<<< 220 TLS go ahead
+Attempting to start TLS
+SSL info: before/connect initialization
+SSL info: before/connect initialization
+SSL info: SSLv3 read server hello A
+SSL info: SSLv3 read server certificate A
+SSL info: SSLv3 read server certificate request A
+SSL info: SSLv3 read server done A
+SSL info: SSLv3 write client certificate A
+SSL info: SSLv3 write client key exchange A
+SSL info: SSLv3 write certificate verify A
+SSL info: SSLv3 write change cipher spec A
+SSL info: SSLv3 write finished A
+SSL info: SSLv3 flush data
+SSL info: SSLv3 read server session ticket A
+SSL info: SSLv3 read finished A
+SSL info: SSL negotiation finished successfully
+SSL info: SSL negotiation finished successfully
+SSL connection using AES256-SHA
+Succeeded in starting TLS
+>>> ehlo rhu.barb.tls
+??? 250-
+<<< 250-server1.example.com Hello rhu.barb.tls [ip4.ip4.ip4.ip4]
+??? 250-
+<<< 250-SIZE 52428800
+??? 250-
+<<< 250-8BITMIME
+??? 250-
+<<< 250-PIPELINING
+??? 250
+<<< 250 HELP
+>>> quit
+End of script
-- 
2.25.1