# TLS server: mandatory, optional, and revoked certificates
gnutls
munge gnutls_unexpected
exim -DSERVER=server -bd -oX PORT_D
****
### No certificate, certificate required
client-gnutls HOSTIPV4 PORT_D
??? 220
ehlo rhu1.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
nop
????554
****
### No certificate, certificate optional at TLS time, required by ACL
client-gnutls 127.0.0.1 PORT_D
??? 220
ehlo rhu2.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo rhu2tls.barb
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu3.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Good certificate, certificate optional at TLS time, checked by ACL
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu4.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Bad certificate, certificate required
# Actually this test does not have the client presenting a cert at all, as it filters what it has
# by the options offered by the server first.  So it's not a good testcase.
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu5.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
nop
????554
****
### Bad certificate, certificate optional at TLS time, reject at ACL time
# (situation as above)
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu6.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
killdaemon
#
#
#
#
exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.v2.pem -DSERVER=server -bd -oX PORT_D
****
### Otherwise good but revoked certificate, certificate required
# The trace for this test appears in the mainlog
# - but the stdout from the client is a problem: the server sends a TLS ALERT. If the client sees that early enough
# then it says that + "Failed to start TLS".  But if it's later, it says "Succeeded in starting TLS"
# and only another command from the client elicits anything from the server (eg "554 Security failure").
# How can we test this?
# An option on client to be quiet about tls problems.
#
# GnuTLS seems to not mind the lack of CRLs for the nonleaf certs in the chain, unlike under OpenSSL
client-gnutls -tls-quiet HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu7.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
STARTTLS
??? 220
NOP
??? 554 Security failure
QUIT
220
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
client-gnutls 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu8.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required - but nonmatching CRL also present
client-gnutls HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu9.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
killdaemon
