diff --git a/Changes b/Changes
index 330061e4..a96b5097 100644
--- a/Changes
+++ b/Changes
@@ -1024,3 +1024,4 @@
 * 20231126 In prep for handling peer chains properly, change the printing of local cert labeling from local/chain to local[i], but only if there is more than one local cert.
+* 20231130 Show debug for entire peer cert chain, not just for the end cert
diff --git a/testing/regressions/_exec-transactions/00229.test b/testing/regressions/_exec-transactions/00229.test
new file mode 100644
index 00000000..c32c75a0
--- /dev/null
+++ b/testing/regressions/_exec-transactions/00229.test
@@ -0,0 +1,18 @@
+auto: REMOVE_FILE,CREATE_FILE,MUNGE,COMPARE_FILE %TESTID%.stdout %TESTID%.stderr %TESTID%.exits
+
+
+
+test action: CMD_CAPTURE %SWAKS% --to user@host1.nodns.test.swaks.net --from recip@host1.nodns.test.swaks.net --helo hserver \
+ --tls \
+ --pipe '%TEST_SERVER% --silent --domain pipe \
+ --cert %CERTDIR%/signed-intermediate-full-chain.pem \
+ --key %CERTDIR%/signed-intermediate.example.com.key \
+ part-0000-connect-standard.txt \
+ part-0101-ehlo-all.txt \
+ part-0203-starttls-basic-verify.txt \
+ part-0105-ehlo-post-tls-info.txt \
+ part-1000-mail-basic.txt \
+ part-1100-rcpt-basic-accept.txt \
+ part-2500-data-accept-basic.txt \
+ part-3000-shutdown-accept.txt \
+ '
diff --git a/testing/regressions/_exec-transactions/out-ref/00229.exits b/testing/regressions/_exec-transactions/out-ref/00229.exits
new file mode 100644
index 00000000..cd7e82d0
--- /dev/null
+++ b/testing/regressions/_exec-transactions/out-ref/00229.exits
@@ -0,0 +1 @@
+CMD_CAPTURE 0 %SWAKS_COMMAND% --to user@host1.nodns.test.swaks.net --from recip@host1.nodns.test.swaks.net --helo hserver --tls --pipe %TEST_SERVER% --silent --domain pipe --cert %CERTDIR%/signed-intermediate-full-chain.pem --key %CERTDIR%/signed-intermediate.example.com.key part-0000-connect-standard.txt part-0101-ehlo-all.txt part-0203-starttls-basic-verify.txt part-0105-ehlo-post-tls-info.txt part-1000-mail-basic.txt part-1100-rcpt-basic-accept.txt part-2500-data-accept-basic.txt part-3000-shutdown-accept.txt
diff --git a/testing/regressions/_exec-transactions/out-ref/00229.stderr b/testing/regressions/_exec-transactions/out-ref/00229.stderr
new file mode 100644
index 00000000..e69de29b
diff --git a/testing/regressions/_exec-transactions/out-ref/00229.stdout b/testing/regressions/_exec-transactions/out-ref/00229.stdout
new file mode 100644
index 00000000..abf56611
--- /dev/null
+++ b/testing/regressions/_exec-transactions/out-ref/00229.stdout
@@ -0,0 +1,73 @@
+=== Trying pipe to %TEST_SERVER% --silent --domain pipe --cert %CERTDIR%/signed-intermediate-full-chain.pem --key %CERTDIR%/signed-intermediate.example.com.key part-0000-connect-standard.txt part-0101-ehlo-all.txt part-0203-starttls-basic-verify.txt part-0105-ehlo-post-tls-info.txt part-1000-mail-basic.txt part-1100-rcpt-basic-accept.txt part-2500-data-accept-basic.txt part-3000-shutdown-accept.txt ...
+=== Connected to %TEST_SERVER% --silent --domain pipe --cert %CERTDIR%/signed-intermediate-full-chain.pem --key %CERTDIR%/signed-intermediate.example.com.key part-0000-connect-standard.txt part-0101-ehlo-all.txt part-0203-starttls-basic-verify.txt part-0105-ehlo-post-tls-info.txt part-1000-mail-basic.txt part-1100-rcpt-basic-accept.txt part-2500-data-accept-basic.txt part-3000-shutdown-accept.txt .
+<- 220 SERVER ESMTP ready
+ -> EHLO hserver
+<- 250-SERVER Hello Server [1.1.1.1]
+<- 250-STARTTLS
+<- 250-PIPELINING
+<- 250-XCLIENT ADDR NAME PORT PROTO DESTADDR DESTPORT HELO LOGIN REVERSE_NAME
+<- 250-PRDR
+<- 250-AUTH CRAM-MD5
+<- 250-AUTH CRAM-SHA1
+<- 250-AUTH PLAIN
+<- 250-AUTH LOGIN
+<- 250-AUTH NTLM
+<- 250-AUTH DIGEST-MD5
+<- 250-AUTH=login
+<- 250 HELP
+ -> STARTTLS
+<- 220 TLS go ahead
+=== TLS started with cipher VERSION:CIPHER:BITS
+=== TLS client certificate requested and not sent
+=== TLS no client certificate set
+=== TLS peer[0] DN="/C=US/ST=Indiana/O=Swaks Development (signed-intermediate.example.com, with-SAN)/CN=signed-intermediate.example.com/emailAddress=proj-swaks@jetmore.net"
+=== notBefore=2023-11-07T22:49:58Z
+=== notAfter=2033-09-15T22:49:58Z
+=== subjectAltName=[ DNS:signed-intermediate.example.com ]
+=== commonName=signed-intermediate.example.com
+=== TLS peer[1] DN="/C=US/ST=Indiana/O=Swaks Development (signed-intermediate.example.com, with-SAN)/CN=signed-intermediate.example.com/emailAddress=proj-swaks@jetmore.net"
+=== notBefore=2023-11-07T22:49:58Z
+=== notAfter=2033-09-15T22:49:58Z
+=== subjectAltName=[ DNS:signed-intermediate.example.com ]
+=== commonName=signed-intermediate.example.com
+=== TLS peer[2] DN="/C=US/ST=Indiana/O=Swaks Development (signed-intermediate.example.com, with-SAN)/CN=signed-intermediate.example.com/emailAddress=proj-swaks@jetmore.net"
+=== notBefore=2023-11-07T22:49:58Z
+=== notAfter=2033-09-15T22:49:58Z
+=== subjectAltName=[ DNS:signed-intermediate.example.com ]
+=== commonName=signed-intermediate.example.com
+=== TLS peer certificate failed CA verification, failed host verification (no host string available to verify)
+ ~> EHLO hserver
+<~ 250-SERVER Hello Server [1.1.1.1]
+<~ 250-TLS peer DN=No client certificate present
+<~ 250-PIPELINING
+<~ 250-XCLIENT ADDR NAME PORT PROTO DESTADDR DESTPORT HELO LOGIN REVERSE_NAME
+<~ 250-PRDR
+<~ 250-AUTH CRAM-MD5
+<~ 250-AUTH CRAM-SHA1
+<~ 250-AUTH PLAIN
+<~ 250-AUTH LOGIN
+<~ 250-AUTH NTLM
+<~ 250-AUTH DIGEST-MD5
+<~ 250-AUTH=login
+<~ 250 HELP
+ ~> MAIL FROM:
+<~ 250 Accepted
+ ~> RCPT TO:
+<~ 250 Accepted
+ ~> DATA
+<~ 354 Enter message, ending with "." on a line by itself
+ ~> Date: Wed, 03 Nov 1999 11:24:29 -0500
+ ~> To: user@host1.nodns.test.swaks.net
+ ~> From: recip@host1.nodns.test.swaks.net
+ ~> Subject: test Wed, 03 Nov 1999 11:24:29 -0500
+ ~> Message-Id: <19991103112429.047942@localhost>
+ ~> X-Mailer: swaks v99999999.9 jetmore.org/john/code/swaks/
+ ~>
+ ~> This is a test mailing
+ ~>
+ ~>
+ ~> .
+<~ 250 OK id=fakeemail
+ ~> QUIT
+<~ 221 SERVER closing connection
+=== Connection closed with child process.
diff --git a/testing/regressions/_exec-transactions/test.txt b/testing/regressions/_exec-transactions/test.txt
index a93e05a5..946e4579 100644
--- a/testing/regressions/_exec-transactions/test.txt
+++ b/testing/regressions/_exec-transactions/test.txt
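Review bot: The reference output accepted here locks in three peer[i] entries — peer[0], peer[1] and peer[2] — whose DN, notBefore/notAfter, subjectAltName and commonName are byte-identical to the end-entity certificate, even though the server was started with signed-intermediate-full-chain.pem, whose name implies the leaf, intermediate and root are distinct certificates. Either the new chain-dump code (not in this diff) is reading the end cert for every index instead of the i-th chain element, or the test server is presenting the leaf three times; in both cases an out-ref that repeats the leaf's subject three times will keep passing a broken chain dump and hides exactly the bug the 20231130 Changes entry claims to address. Before accepting this file, check each certificate in the chain file with `openssl x509 -noout -subject -dates` and confirm peer[1] and peer[2] print the intermediate and root subjects, then regenerate the expected output. A short comment in the test's description (test.txt line 29) stating which subjects are expected at each index would make future regeneration less likely to re-accept the same mistake.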
@@ -47,6 +47,7 @@
 26 TLS client certificate info line -- client certs ARE present, server does NOT request them
 27 --tls-cert contains a chain
 28 --tls-cert + --tls-chain
+ 29 TLS peer presents chain
 40 TLS verification info line: --fail ca (unsigned cert), --fail host (pipe - no target host)
 41 TLS verification info line: --fail ca (signed but unknown cert), --fail host (pipe - no target host)
 42 TLS verification info line: ++pass ca (signed and known cert), --fail host (pipe - no target host)
diff --git a/testing/regressions/bin/runenv b/testing/regressions/bin/runenv
index 831d39f1..d7333fcb 100755
--- a/testing/regressions/bin/runenv
+++ b/testing/regressions/bin/runenv
@@ -7,8 +7,8 @@ export SWAKS_TEST_SERVER=../server/smtp-server.pl
 # Either or both of these can be really convenient when you have a ton of small changes to accept.
 # Setting SWAKS_TEST_PAGER to cat means you don't have to quit out of a pager when viewing the diff
-#export SWAKS_TEST_PAGER=cat
+export SWAKS_TEST_PAGER=cat
 # Setting SWAKS_TEST_AUTOCAT to 1 means that everytime a test fails, the diff is auto-catted for review
-#export SWAKS_TEST_AUTOCAT=1
+export SWAKS_TEST_AUTOCAT=1
 exec $*
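Review bot: Uncommenting `export SWAKS_TEST_PAGER=cat` and `export SWAKS_TEST_AUTOCAT=1` changes runenv's default behaviour for everyone who uses it (diffs go straight to the terminal and are auto-catted on every failure), while the comment block directly above still describes both as optional conveniences, which reads like a local preference that slipped into the commit. If the new defaults are intended, rewrite the comment to say so and let a developer opt out without editing the file, e.g. `export SWAKS_TEST_PAGER=${SWAKS_TEST_PAGER:-cat}` and `export SWAKS_TEST_AUTOCAT=${SWAKS_TEST_AUTOCAT:-1}`; otherwise revert the two lines. Pre-existing but on the same hunk: `exec $*` word-splits and glob-expands the wrapped command, so any argument containing whitespace or `*` is mangled before the test runner sees it; `exec "$@"` preserves arguments exactly.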