# endif
)
{
- tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
- NULL, NULL, errstr);
+ uschar * s = string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve);
+ DEBUG(D_tls) debug_printf("TLS error '%s'\n", s);
+ if (errstr) *errstr = s;
return FALSE;
}
/* The "tmp" in the name here refers to setting a temporary key
not to the stability of the interface. */
- if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
+ if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0)
tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr);
else
DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve);
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => optnotpresent@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => explicitauto@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => explicitempty@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00"
1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbD-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 => prime256v1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00"
1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbF-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbF-0005vi-00 => secp384r1@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00"
1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbH-0005vi-00 H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed
-1999-03-02 09:44:33 10HmbH-0005vi-00 == userx@test.ex R=client T=send_to_server defer (-38) H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed
-1999-03-02 09:44:33 10HmbH-0005vi-00 ** userx@test.ex: retry timeout exceeded
-1999-03-02 09:44:33 10HmbH-0005vi-00 userx@test.ex: error ignored
+1999-03-02 09:44:33 10HmbH-0005vi-00 == user_fail@test.ex R=client T=send_to_server defer (-38) H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed
+1999-03-02 09:44:33 10HmbH-0005vi-00 ** user_fail@test.ex: retry timeout exceeded
+1999-03-02 09:44:33 10HmbH-0005vi-00 user_fail@test.ex: error ignored
1999-03-02 09:44:33 10HmbH-0005vi-00 Completed
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 => optnotpresent <optnotpresent@test.ex> R=server T=local_delivery
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbA-0005vi-00 => explicitauto <explicitauto@test.ex> R=server T=local_delivery
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbC-0005vi-00 => explicitempty <explicitempty@test.ex> R=server T=local_delivery
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1237, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbE-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbE-0005vi-00 => prime256v1 <prime256v1@test.ex> R=server T=local_delivery
1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1238, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbG-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbG-0005vi-00 => userx <userx@test.ex> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbG-0005vi-00 => secp384r1 <secp384r1@test.ex> R=server T=local_delivery
1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1239, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (Unknown curve name tls_eccurve 'bogus'): error:00000000:lib(0)::reason(0)
+1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] Unknown curve name tls_eccurve 'bogus'
# Baseline: tls_eccurve option not present
exim -DSERVER=server -bd -oX PORT_D
****
-exim -odf userx@test.ex
+exim -odf optnotpresent@test.ex
****
killdaemon
#
# Explicit tls_eccurve setting of "auto"
exim -DSERVER=server -DDATA=auto -bd -oX PORT_D
****
-exim -odf userx@test.ex
+exim -odf explicitauto@test.ex
****
killdaemon
#
# - unclear this works. At least with OpenSSL 3.0.5 we still get an x25519 keyshare in the Server Hello
exim -DSERVER=server -DDATA= -bd -oX PORT_D
****
-exim -odf userx@test.ex
+exim -odf explicitempty@test.ex
****
killdaemon
#
# prime256v1
+# Oddly, 3.0.5 packets show an EC-groups negotiation of C:x255519 S:secp256r1 C:secp384r1 S:secp384r1.
+# Hoever, note that RFC 8446 (TLS1.3) does NOT include prime256v1 as one of the allowable
+# supported groups (and it's not in the client "supported groups" extension, so what we see seems good.
exim -DSERVER=server -DDATA=prime256v1 -bd -oX PORT_D
****
-exim -odf userx@test.ex
+exim -odf prime256v1@test.ex
****
killdaemon
#
-# X448
-# Client Hello offers an x25519 keyshare, server says "Hello Retry Request" with a KeyShare extension "X448"
-# and the client retries Client Hello with that in the KeyShare.
-exim -DSERVER=server -DDATA=X448 -bd -oX PORT_D
+# secp384r1
+# C:x25519 S:secp384r1
+exim -DSERVER=server -DDATA=secp384r1 -bd -oX PORT_D
****
-exim -odf userx@test.ex
+exim -odf secp384r1@test.ex
****
killdaemon
#
# "bogus". Should fail to make connection.
exim -DSERVER=server -DDATA=bogus -bd -oX PORT_D
****
-exim -odf userx@test.ex
+exim -odf user_fail@test.ex
****
killdaemon
#
projects / user / henk / code / exim.git / commitdiff