From e9d54d798fa6f58d7a814a77d3ae749901966b23 Mon Sep 17 00:00:00 2001 From: Timo Eisenmann Date: Thu, 22 Aug 2024 16:58:18 +0200 Subject: [PATCH 1/4] Use TLS for notifies if configured to do so --- lib/dns/zone.c | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 5c71e68be3..828f61161c 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -12491,6 +12491,7 @@ notify_send_toaddr(void *arg) { isc_sockaddr_t src; unsigned int options, timeout, udptimeout; bool have_notifysource = false; + isc_tlsctx_cache_t *zmgr_tlsctx_cache = NULL; REQUIRE(DNS_NOTIFY_VALID(notify)); @@ -12605,10 +12606,17 @@ again: udptimeout = 0; timeout = 15; } - result = dns_request_create( - notify->zone->view->requestmgr, message, &src, ¬ify->dst, - NULL, NULL, options, key, timeout, udptimeout, 2, - notify->zone->loop, notify_done, notify, ¬ify->request); + + zmgr_tlsctx_attach(notify->zone->zmgr, &zmgr_tlsctx_cache); + + result = dns_request_create(notify->zone->view->requestmgr, message, + &src, ¬ify->dst, notify->transport, + zmgr_tlsctx_cache, options, key, timeout, + udptimeout, 2, notify->zone->loop, + notify_done, notify, ¬ify->request); + + isc_tlsctx_cache_detach(&zmgr_tlsctx_cache); + if (result == ISC_R_SUCCESS) { if (isc_sockaddr_pf(¬ify->dst) == AF_INET) { inc_stats(notify->zone, 
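Review bot: `notify->transport` is now handed to dns_request_create() in the `@@ -12605` hunk, but nothing visible in this patch assigns it, and the `/* TODO: glue the transport to the notify */` comment in the zone_notify hunk is left untouched. If the field can still be NULL for a remote that has a TLS name, the request would be created without a TLS transport and the notify would leave in cleartext with no log line; the assignment may exist outside these hunks, so this needs confirming. Either delete the TODO because the transport is already attached, or attach it in this commit before relying on it. A short comment above the attach, e.g. `/* keep the TLS context cache referenced only while the request is created */`, would also explain the attach/detach pair. notify_send_toaddr starts and ends outside the hunk.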
@@ -12835,11 +12843,23 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) { if (dns_remote_tlsname(&zone->notify) != NULL) { dns_name_t *tlsname = dns_remote_tlsname(&zone->notify); - (void)dns_view_gettransport(view, DNS_TRANSPORT_TLS, - tlsname, &transport); + result = dns_view_gettransport(view, DNS_TRANSPORT_TLS, + tlsname, &transport); - notify_log(zone, ISC_LOG_INFO, - "got TLS configuration for a notify"); + if (result == ISC_R_SUCCESS) { + notify_log( + zone, ISC_LOG_INFO, + "got TLS configuration for a notify"); + } else { + dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, + ISC_LOG_ERROR, + "could not get TLS configuration " + "for zone transfer: %s", + isc_result_totext(result)); + goto next; + } + + flags |= DNS_NOTIFY_TCP; } /* TODO: glue the transport to the notify */ @@ -12901,6 +12921,7 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) { loggednotify = true; } next: + flags &= ~DNS_NOTIFY_TCP; dns_remote_next(&zone->notify, false); } UNLOCK_ZONE(zone); From e00beca8c5ad8c6aaa144fb30bd6b5b023ee830a Mon Sep 17 00:00:00 2001 
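Review bot: The new failure branch in zone_notify reports "could not get TLS configuration for zone transfer" through `dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ...)`, although this is the outgoing NOTIFY path and the success branch directly above it logs through `notify_log`. Anyone watching the notify log output will not see that a TLS-configured remote was skipped, and the wording points at the wrong feature. Suggest `notify_log(zone, ISC_LOG_ERROR, "could not get TLS configuration for notify: %s", isc_result_totext(result));`, provided notify_log takes printf-style arguments (not visible here). Skipping the remote with `goto next` instead of falling back to an unencrypted notify is the right failure mode and deserves a one-line comment saying so. The function continues outside the hunk.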
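Review bot: Clearing `DNS_NOTIFY_TCP` at the `next:` label in the `@@ -12901` hunk makes the per-remote TLS state depend on every loop path reaching that label and on `flags` never carrying the bit from before the loop; neither is visible in these hunks. If an iteration can leave through `continue`, the following remote would inherit TCP, and if the bit can be set for another reason the unconditional clear would drop it for all later remotes. A per-iteration copy avoids both: take a local copy of `flags` at the top of the loop body, apply `nflags |= DNS_NOTIFY_TCP;` in the TLS branch and pass `nflags` on, so nothing has to be undone at `next:`. Most of the loop body lies outside the hunk.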
From: Timo Eisenmann Date: Thu, 29 Aug 2024 15:44:40 +0200 Subject: [PATCH 2/4] Add system tests for notify over TLS We use ns2 as the primary, and ns3 as the secondary server. --- .reuse/dep5 | 5 ++ bin/tests/system/notify/.gitignore | 5 ++ bin/tests/system/notify/CA/CA.cfg | 77 ++++++++++++++++ bin/tests/system/notify/CA/CA.pem | 29 ++++++ bin/tests/system/notify/CA/README | 2 + .../CA/certs/srv02.crt01.example.com.key | 6 ++ .../CA/certs/srv02.crt01.example.com.pem | 76 ++++++++++++++++ .../certs/srv03.crt01-expired.example.com.key | 6 ++ .../certs/srv03.crt01-expired.example.com.pem | 76 ++++++++++++++++ .../CA/certs/srv03.crt01.example.com.key | 6 ++ .../CA/certs/srv03.crt01.example.com.pem | 76 ++++++++++++++++ bin/tests/system/notify/CA/index.txt | 3 + bin/tests/system/notify/CA/index.txt.attr | 1 + .../notify/CA/newcerts/C58668397B1CC49F.pem | 76 ++++++++++++++++ .../notify/CA/newcerts/C58668397B1CC4A0.pem | 76 ++++++++++++++++ .../notify/CA/newcerts/C58668397B1CC4A1.pem | 76 ++++++++++++++++ bin/tests/system/notify/CA/private/CA.key | 39 ++++++++ bin/tests/system/notify/CA/serial | 1 + bin/tests/system/notify/dhparam3072.pem | 11 +++ bin/tests/system/notify/ns2/named-tls.conf.in | 90 +++++++++++++++++++ bin/tests/system/notify/ns2/named.conf.in | 3 + .../system/notify/ns2/options-tls.conf.in | 14 +++ bin/tests/system/notify/ns3/named-tls.conf.in | 40 +++++++++ bin/tests/system/notify/ns3/named.conf.in | 3 + .../system/notify/ns3/options-tls.conf.in | 18 ++++ bin/tests/system/notify/setup.sh | 20 ++++- bin/tests/system/notify/tests.sh | 12 +++ 27 files changed, 845 insertions(+), 2 deletions(-) create mode 100644 bin/tests/system/notify/.gitignore create mode 100644 bin/tests/system/notify/CA/CA.cfg create mode 100644 bin/tests/system/notify/CA/CA.pem create mode 100644 bin/tests/system/notify/CA/README create mode 100644 bin/tests/system/notify/CA/certs/srv02.crt01.example.com.key create mode 100644 
bin/tests/system/notify/CA/certs/srv02.crt01.example.com.pem create mode 100644 bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.key create mode 100644 bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.pem create mode 100644 bin/tests/system/notify/CA/certs/srv03.crt01.example.com.key create mode 100644 bin/tests/system/notify/CA/certs/srv03.crt01.example.com.pem create mode 100644 bin/tests/system/notify/CA/index.txt create mode 100644 bin/tests/system/notify/CA/index.txt.attr create mode 100644 bin/tests/system/notify/CA/newcerts/C58668397B1CC49F.pem create mode 100644 bin/tests/system/notify/CA/newcerts/C58668397B1CC4A0.pem create mode 100644 bin/tests/system/notify/CA/newcerts/C58668397B1CC4A1.pem create mode 100644 bin/tests/system/notify/CA/private/CA.key create mode 100644 bin/tests/system/notify/CA/serial create mode 100644 bin/tests/system/notify/dhparam3072.pem create mode 100644 bin/tests/system/notify/ns2/named-tls.conf.in create mode 100644 bin/tests/system/notify/ns2/options-tls.conf.in create mode 100644 bin/tests/system/notify/ns3/named-tls.conf.in create mode 100644 bin/tests/system/notify/ns3/options-tls.conf.in diff --git a/.reuse/dep5 b/.reuse/dep5 index 26c7e8ac69..e18e08276f 100644 --- a/.reuse/dep5 +++ b/.reuse/dep5 @@ -74,6 +74,11 @@ Files: **/*.after* bin/tests/system/masterfile/knowngood.include bin/tests/system/masterfile/knowngood.ttl1 bin/tests/system/masterfile/knowngood.ttl2 + bin/tests/system/notify/CA/CA.cfg + bin/tests/system/notify/CA/README + bin/tests/system/notify/CA/index.txt + bin/tests/system/notify/CA/index.txt.attr + bin/tests/system/notify/CA/serial bin/tests/system/notify/ns4/named.port.in bin/tests/system/nsupdate/CA/CA.cfg bin/tests/system/nsupdate/CA/README diff --git a/bin/tests/system/notify/.gitignore b/bin/tests/system/notify/.gitignore new file mode 100644 index 0000000000..df5fe68d5d --- /dev/null +++ b/bin/tests/system/notify/.gitignore 
@@ -0,0 +1,5 @@ +# temporary files generated by "openssl ca" +/CA/*.old +# there is little point in keeping the certificate requests +# for the issued certificates +/CA/certs/*.csr diff --git a/bin/tests/system/notify/CA/CA.cfg b/bin/tests/system/notify/CA/CA.cfg new file mode 100644 index 0000000000..1a3ed65f67 --- /dev/null +++ b/bin/tests/system/notify/CA/CA.cfg 
@@ -0,0 +1,77 @@ +# See ../../doth/CA/ca.cfg for more information + +# certificate authority configuration +[ca] +default_ca = CA_default # The default ca section + +[CA_default] +dir = . +new_certs_dir = $dir/newcerts # new certs dir (must be created) +certificate = $dir/CA.pem # The CA cert +private_key = $dir/private/CA.key # CA private key + +serial = $dir/serial # serial number file for the next certificate + # Update before issuing it: + # xxd -l 8 -u -ps /dev/urandom > ./serial +database = $dir/index.txt # (must be created manually: touch ./index.txt) + +default_days = 1 # how long to certify for + +#default_crl_days = 30 # the number of days before the +default_crl_days = 10950 # next CRL is due. That is the + # days from now to place in the + # CRL nextUpdate field. If CRL + # is expired, certificate + # verifications will fail even + # for otherwise valid + # certificates. Clients might + # cache the CRL, so the expiry + # period should normally be + # relatively short (default: + # 30) for production CAs. + +default_md = sha256 # digest to use + +policy = policy_default # default policy +email_in_dn = no # Don't add the email into cert DN + +name_opt = ca_default # Subject name display option +cert_opt = ca_default # Certificate display option + +# We need the following in order to copy Subject Alt Name(s) from a +# request to the certificate. +copy_extensions = copy # copy extensions from request + +[policy_default] +countryName = optional +stateOrProvinceName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# default certificate requests settings +[req] +# Options for the `req` tool (`man req`). +default_bits = 3072 # for RSA only +distinguished_name = req_default +string_mask = utf8only +# SHA-1 is deprecated, so use SHA-256 instead. +default_md = sha256 +# do not encrypt the private key file +encrypt_key = no + +[req_default] +# See . 
+countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name (full name) +localityName = Locality Name (e.g., city) +0.organizationName = Organization Name (e.g., company) +organizationalUnitName = Organizational Unit Name (e.g. department) +commonName = Common Name (e.g. server FQDN or YOUR name) +emailAddress = Email Address +# defaults +countryName_default = UA +stateOrProvinceName_default = Kharkiv Oblast +localityName_default = Kharkiv +0.organizationName_default = ISC +organizationalUnitName_default = Software Engeneering (BIND 9) diff --git a/bin/tests/system/notify/CA/CA.pem b/bin/tests/system/notify/CA/CA.pem new file mode 100644 index 0000000000..1f725dbb8a --- /dev/null +++ b/bin/tests/system/notify/CA/CA.pem 
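Review bot: `default_days = 1` in [CA_default] is left unexplained, yet the two non-expired certificates added by this patch run until 2054 and only srv03.crt01-expired has a one-day validity, so the long-lived ones were presumably issued with an explicit `-days`. Someone regenerating the fixtures from this file alone would get certificates that expire the next day; a comment such as `# 1 day yields the -expired test certificate; pass -days explicitly for the others` would prevent that. The file should also state at the top that it configures a test-only CA, because `copy_extensions = copy` (every extension in the request is copied into the certificate) and `encrypt_key = no` are acceptable only while requests and keys are produced locally for the test.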
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE3TCCA0WgAwIBAgIUeZPKrvbGEBZaRc2jNczlIsJXyPYwDQYJKoZIhvcNAQEL +BQAwfTELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4G +A1UEBwwHS2hhcmtpdjEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0 +aXVtMRwwGgYDVQQDDBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDEyNDEyNDA1 +NFoYDzIwNTIwMTE3MTI0MDU0WjB9MQswCQYDVQQGEwJVQTEYMBYGA1UECAwPS2hh +cmtpdiBPYmxhc3QnMRAwDgYDVQQHDAdLaGFya2l2MSQwIgYDVQQKDBtJbnRlcm5l +dCBTeXN0ZW1zIENvbnNvcnRpdW0xHDAaBgNVBAMME2NhLnRlc3QuZXhhbXBsZS5j +b20wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCi6hEegBzpUKbE1NTo +Z7uz7EMUY7TBckkiw/7ydTLKNa8YI4JpBguFvWQsDY0dGFJIoVwyHyNx3seW/LoI +B5zWPZ2xbOvLLceA+t2NZpbc98E7jUOVS123yED+nqlfZjCq9Zt0r/ezwnQtjnFF +ko1mcU4H9Jvg8aIgnU2AxE78zciU9CY8799pFFNThIjbooI8oVbfjbzbpmLzxjA5 +3rDmZBTh+ySTlMa2U2oT4WPjRltZWnJVegRRLpG95GnTbQ1fkJAbj1Iu10XTkCee +wBOqaA1UJem0a6pby5odE414Y7c0ETKcmaJtYENQyO0IJwZWDKtVe5OTIAklakia +eyFTCAw1h5tHCYLaJW/Yu2wlLl5RNQcRZ9+cWXnldTY+TI1iBjfmADjLdKJYUlhX +z7kWJtTi63Sdv6WYcEXxaWpxT+R3e2kaR/R7GOo4gdkWpX1siGlRteHHH2/36CSQ +ZD2etcTUpGW+KDHFR4grnEfL1rt9UgvCjpa4KcssmZtWSSUCAwEAAaNTMFEwHQYD +VR0OBBYEFHyJ6Fzr5R9ySATFj/uSCJz1YCY5MB8GA1UdIwQYMBaAFHyJ6Fzr5R9y +SATFj/uSCJz1YCY5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGB +AF3y0hvzyZWtmuG1JwIcOcc1aPl1KdRy8bao/5iHYGYYrsdDgcO5/e+y9S/izalc +TdW7SKB5iBOCiE8fBNtToCvGP+fxNxHijpAmTr37G5sWuSo1T1VYFizHWL+df/Ig +TcSvDrEjSnAwaEdNJUWtjoIC4VzNKTLtZf16QIATTzTZa3bfgSetpWS7LhLQbHod +CSGI2QB1LRbqGC+a1Y85QxHv81jWzPWPzXYvnOLrDdQyBMOBcxDzrN4b6zg+5Itz +qGYt+IS71jAH0IhxAyD/U5n1jGJv02BnSq0ynLEOD6gsnZjqAwPbt/PM9pGbtbXO +70Q9rxr+vQc1IISKAEiH3txaEPi10wU98d6LbInJvQrmgHo/ntet8skWNYuxlEzS +wvynuE9KvvQtOTodWt5AePtKrhHdxu527a4CHVp59nYUjKSdMKjvmhMRXM1cNjFE +rA/pyyhozR47w3RzHMJVHw2GJ2B/HeqmxpXr1CmJjoRP38QCR7N+mqiZy85Fq2j2 +8Q== +-----END CERTIFICATE----- diff --git a/bin/tests/system/notify/CA/README b/bin/tests/system/notify/CA/README new file mode 100644 index 0000000000..13069ca2f8 --- /dev/null +++ b/bin/tests/system/notify/CA/README 
@@ -0,0 +1,2 @@ +Please take a look at the contents of the CA.cfg file for further +instructions and configurations options. diff --git a/bin/tests/system/notify/CA/certs/srv02.crt01.example.com.key b/bin/tests/system/notify/CA/certs/srv02.crt01.example.com.key new file mode 100644 index 0000000000..c3bade812c --- /dev/null +++ b/bin/tests/system/notify/CA/certs/srv02.crt01.example.com.key @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAxARyCz9Aq5XQpE4SV +IKYvvz2K9IjosWKkcbxjh0rW62RGyi4c3pSo6so8tpvHXzmhZANiAAQ2bCdh34Lt +hA8MzF7BeZhYfvUODFH3fSSAJuRDMSaO02f294+E2Icy91W9AhFetSceZa0Dhldc +aVVaPVm3bhhjvLUGFImFmccFtNtQj/llRCbY9VFtbfXaY/Vq5243EAg= +-----END PRIVATE KEY----- diff --git a/bin/tests/system/notify/CA/certs/srv02.crt01.example.com.pem b/bin/tests/system/notify/CA/certs/srv02.crt01.example.com.pem new file mode 100644 index 0000000000..52baf96dfa --- /dev/null +++ b/bin/tests/system/notify/CA/certs/srv02.crt01.example.com.pem 
@@ -0,0 +1,76 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c5:86:68:39:7b:1c:c4:9f + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 3 15:33:14 2024 GMT + Not After : Aug 27 15:33:14 2054 GMT + Subject: CN=srv02.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:36:6c:27:61:df:82:ed:84:0f:0c:cc:5e:c1:79: + 98:58:7e:f5:0e:0c:51:f7:7d:24:80:26:e4:43:31: + 26:8e:d3:67:f6:f7:8f:84:d8:87:32:f7:55:bd:02: + 11:5e:b5:27:1e:65:ad:03:86:57:5c:69:55:5a:3d: + 59:b7:6e:18:63:bc:b5:06:14:89:85:99:c7:05:b4: + db:50:8f:f9:65:44:26:d8:f5:51:6d:6d:f5:da:63: + f5:6a:e7:6e:37:10:08 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv02.crt01.example.com, IP Address:10.53.0.2 + X509v3 Subject Key Identifier: + 4C:A6:2B:5F:55:DF:2E:1E:FA:E8:C6:3F:05:25:20:69:BA:60:3B:E2 + X509v3 Authority Key Identifier: + 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 1d:22:c4:60:42:9a:d8:ac:54:cf:77:be:17:d0:eb:b4:7d:44: + b1:ad:bf:53:0e:be:61:37:bf:7b:a6:78:7e:a0:3f:aa:21:cd: + 09:3a:d4:41:b5:9f:31:a2:c9:db:df:94:a4:05:02:dd:98:04: + 38:55:af:20:3a:4d:82:cd:37:0f:a5:b8:9c:dc:0d:f8:07:c9: + 9d:8e:0a:4f:df:f1:8d:0c:53:9b:56:a2:35:7e:0a:3d:47:89: + ad:76:8f:6c:f5:15:0e:3f:05:af:fb:f8:97:97:a3:91:a6:cf: + 22:04:c0:35:24:84:b4:e5:4d:c0:bf:e0:8d:8b:59:bf:71:2e: + c3:d8:8e:c9:9d:ba:0a:32:cb:0f:b8:b8:e3:91:f9:77:78:55: + 17:9f:6e:09:d6:29:86:25:b6:0d:9b:52:b7:0a:75:f7:cd:09: + 5d:04:83:9f:08:8f:eb:8c:23:73:e0:14:2b:be:ba:22:96:8f: + 68:f8:c7:39:a7:44:9b:1d:ce:cb:eb:04:33:c0:da:b8:03:c0: + 5b:7a:3c:a1:f5:28:92:93:06:f2:32:c3:38:fe:68:5d:64:21: + 6e:3f:8b:80:f8:01:8f:19:5c:fa:13:6c:5e:27:55:19:70:87: + 70:02:80:79:d2:37:d3:d9:05:b1:8e:50:37:24:f0:32:33:bb: + 
e9:f2:26:f8:19:92:d5:ad:2a:09:c1:b0:48:52:f4:e3:62:cd: + e1:b4:51:d9:0a:88:e3:fb:1e:c9:5c:a5:83:fe:30:9d:cf:83: + 22:ba:1a:cd:c9:a9:e0:3d:cc:8d:f7:68:9e:17:a2:36:78:ab: + 6f:01:de:20:a1:0d:a2:30:12:ee:45:14:b6:f7:c4:e4:d3:4e: + c7:0b:d7:14:b2:49:5c:f8:3a:fc:29:43:fa:97:d1:70:46:54: + c0:a9:c6:eb:f0:91:59:0e:24:8f:e5:38:79:38:fb:86:ab:3c: + b1:ea:d2:a3:4c:2c:e4:29:1a:03:da:54:a0:a6:73:ac:b4:c8: + 02:5a:4c:38:e0:23 +-----BEGIN CERTIFICATE----- +MIIDYjCCAcqgAwIBAgIJAMWGaDl7HMSfMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yNDA5MDMxNTMzMTRaGA8yMDU0MDgy +NzE1MzMxNFowIjEgMB4GA1UEAwwXc3J2MDIuY3J0MDEuZXhhbXBsZS5jb20wdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAAQ2bCdh34LthA8MzF7BeZhYfvUODFH3fSSAJuRD +MSaO02f294+E2Icy91W9AhFetSceZa0DhldcaVVaPVm3bhhjvLUGFImFmccFtNtQ +j/llRCbY9VFtbfXaY/Vq5243EAijbDBqMCgGA1UdEQQhMB+CF3NydjAyLmNydDAx +LmV4YW1wbGUuY29thwQKNQACMB0GA1UdDgQWBBRMpitfVd8uHvroxj8FJSBpumA7 +4jAfBgNVHSMEGDAWgBR8iehc6+UfckgExY/7kgic9WAmOTANBgkqhkiG9w0BAQsF +AAOCAYEAHSLEYEKa2KxUz3e+F9DrtH1Esa2/Uw6+YTe/e6Z4fqA/qiHNCTrUQbWf +MaLJ29+UpAUC3ZgEOFWvIDpNgs03D6W4nNwN+AfJnY4KT9/xjQxTm1aiNX4KPUeJ +rXaPbPUVDj8Fr/v4l5ejkabPIgTANSSEtOVNwL/gjYtZv3Euw9iOyZ26CjLLD7i4 +45H5d3hVF59uCdYphiW2DZtStwp1980JXQSDnwiP64wjc+AUK766IpaPaPjHOadE +mx3Oy+sEM8DauAPAW3o8ofUokpMG8jLDOP5oXWQhbj+LgPgBjxlc+hNsXidVGXCH +cAKAedI309kFsY5QNyTwMjO76fIm+BmS1a0qCcGwSFL042LN4bRR2QqI4/seyVyl +g/4wnc+DIroazcmp4D3MjfdonheiNnirbwHeIKENojAS7kUUtvfE5NNOxwvXFLJJ +XPg6/ClD+pfRcEZUwKnG6/CRWQ4kj+U4eTj7hqs8serSo0ws5CkaA9pUoKZzrLTI +AlpMOOAj +-----END CERTIFICATE----- diff --git a/bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.key b/bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.key new file mode 100644 index 0000000000..ed93725584 --- /dev/null +++ b/bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.key 
@@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDVfQs1V2UjdqTM0Z0P +DDtGwwtGUR2P6PEyDQgebPRUpWxbVGf4W0N0DWy5C9UkMJihZANiAARNrIyo/8cA +Dc5puRjsTirIBvu+vKntuMfEUganjXfqO/nYzh3XtC3xGv8NcE+KqZz6pMQw8OXY +Pd1i8n1Ajl/cV2zdVDggDr7milzE6feVSPk0JrxduaqV+MnXJity65Q= +-----END PRIVATE KEY----- diff --git a/bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.pem b/bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.pem new file mode 100644 index 0000000000..d8a1f41f67 --- /dev/null +++ b/bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.pem 
@@ -0,0 +1,76 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c5:86:68:39:7b:1c:c4:a1 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 2 15:33:27 2024 GMT + Not After : Sep 3 15:33:27 2024 GMT + Subject: CN=srv03.crt01-expired.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:4d:ac:8c:a8:ff:c7:00:0d:ce:69:b9:18:ec:4e: + 2a:c8:06:fb:be:bc:a9:ed:b8:c7:c4:52:06:a7:8d: + 77:ea:3b:f9:d8:ce:1d:d7:b4:2d:f1:1a:ff:0d:70: + 4f:8a:a9:9c:fa:a4:c4:30:f0:e5:d8:3d:dd:62:f2: + 7d:40:8e:5f:dc:57:6c:dd:54:38:20:0e:be:e6:8a: + 5c:c4:e9:f7:95:48:f9:34:26:bc:5d:b9:aa:95:f8: + c9:d7:26:2b:72:eb:94 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv03.crt01-expired.example.com, IP Address:10.53.0.3 + X509v3 Subject Key Identifier: + 72:38:25:01:CB:38:FF:CB:D3:78:24:43:BA:64:EA:76:FB:58:F6:EA + X509v3 Authority Key Identifier: + 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 4a:f3:59:df:4d:ff:fd:de:fc:c8:bc:34:4c:e1:39:00:62:09: + c8:34:2b:d0:3e:52:91:ea:ae:da:86:94:7d:83:84:48:5d:50: + ac:b7:a5:70:87:f4:62:f0:c6:9a:73:d2:78:29:cf:21:20:ae: + 0e:b0:55:36:1d:6c:c1:7f:0f:b7:26:d8:14:43:64:c6:58:8b: + 68:87:fd:cc:3f:d1:c1:f5:67:71:bc:71:7b:d4:f1:02:b0:4c: + dd:b2:4a:18:99:46:3a:44:b2:6b:c4:61:79:8f:be:e8:19:d4: + cc:f7:95:32:b0:74:18:76:c6:df:5f:c1:90:24:3c:a6:5d:2a: + 6f:90:7d:94:43:f3:df:1f:80:70:ff:8a:c8:b9:1f:c5:4e:08: + d1:54:f0:d8:72:af:07:30:9f:8a:65:66:ff:ff:a4:37:de:10: + 01:a6:00:c7:31:08:dd:f0:0a:5f:d3:e6:dd:d1:37:43:f2:44: + 13:bc:9e:68:40:bd:96:84:16:73:0f:01:95:40:65:ba:70:93: + a9:81:27:6e:b6:fb:ad:10:36:46:a3:75:94:00:62:f3:10:32: + c2:4a:0e:3a:bf:ab:07:14:a3:68:fd:eb:c7:c8:16:90:30:80: + 
f1:28:5c:64:a7:ba:8e:fa:27:09:4c:0b:08:d9:56:77:cd:25: + 7c:1f:58:78:48:c1:8c:73:10:39:f2:06:79:7c:8d:b9:ca:25: + 7c:b1:75:62:68:a7:14:c6:5b:00:78:67:e4:d8:e1:62:0b:6e: + 8d:5a:e6:23:d2:d4:dd:28:71:32:16:88:ad:b3:ee:a6:69:e7: + ff:1e:85:62:3c:65:88:c7:47:0c:1d:a0:d9:12:5c:31:98:01: + cd:a4:28:52:ad:dc:8b:1a:e6:d4:62:3d:1b:c6:52:00:b5:34: + 9d:1d:d8:6b:d3:ce:63:52:62:13:74:2a:7c:ff:0a:d7:0b:99: + a9:2b:b3:ba:e8:cf:a0:77:f0:85:12:ba:4c:54:71:74:dd:32: + 13:ca:44:c2:0f:d9 +-----BEGIN CERTIFICATE----- +MIIDcDCCAdigAwIBAgIJAMWGaDl7HMShMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAeFw0yNDA5MDIxNTMzMjdaFw0yNDA5MDMx +NTMzMjdaMCoxKDAmBgNVBAMMH3NydjAzLmNydDAxLWV4cGlyZWQuZXhhbXBsZS5j +b20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARNrIyo/8cADc5puRjsTirIBvu+vKnt +uMfEUganjXfqO/nYzh3XtC3xGv8NcE+KqZz6pMQw8OXYPd1i8n1Ajl/cV2zdVDgg +Dr7milzE6feVSPk0JrxduaqV+MnXJity65SjdDByMDAGA1UdEQQpMCeCH3NydjAz +LmNydDAxLWV4cGlyZWQuZXhhbXBsZS5jb22HBAo1AAMwHQYDVR0OBBYEFHI4JQHL +OP/L03gkQ7pk6nb7WPbqMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5 +MA0GCSqGSIb3DQEBCwUAA4IBgQBK81nfTf/93vzIvDRM4TkAYgnINCvQPlKR6q7a +hpR9g4RIXVCst6Vwh/Ri8Maac9J4Kc8hIK4OsFU2HWzBfw+3JtgUQ2TGWItoh/3M +P9HB9WdxvHF71PECsEzdskoYmUY6RLJrxGF5j77oGdTM95UysHQYdsbfX8GQJDym +XSpvkH2UQ/PfH4Bw/4rIuR/FTgjRVPDYcq8HMJ+KZWb//6Q33hABpgDHMQjd8Apf +0+bd0TdD8kQTvJ5oQL2WhBZzDwGVQGW6cJOpgSdutvutEDZGo3WUAGLzEDLCSg46 +v6sHFKNo/evHyBaQMIDxKFxkp7qO+icJTAsI2VZ3zSV8H1h4SMGMcxA58gZ5fI25 +yiV8sXViaKcUxlsAeGfk2OFiC26NWuYj0tTdKHEyFoits+6maef/HoViPGWIx0cM +HaDZElwxmAHNpChSrdyLGubUYj0bxlIAtTSdHdhr085jUmITdCp8/wrXC5mpK7O6 +6M+gd/CFErpMVHF03TITykTCD9k= +-----END CERTIFICATE----- diff --git a/bin/tests/system/notify/CA/certs/srv03.crt01.example.com.key b/bin/tests/system/notify/CA/certs/srv03.crt01.example.com.key new file mode 100644 index 0000000000..cde19c37a0 --- /dev/null 
+++ b/bin/tests/system/notify/CA/certs/srv03.crt01.example.com.key @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDAEmVA9V00diOvZfEJV +N7piEbfN7fULRHWg2k4g7V2Ivpn9LfBsaYh5+Acf271G0mKhZANiAAQSbFty27Ro +RO7BPZFI9yM5V64xIUGMe4o4LYBA6cKhFFCVO0fX6h6bO0wgh2fCgYbWOq2X6Q1X +/x36gVJCzgXSBXPNktdMIxki9cttREvXo1cmELKl/n+PXDgxcbg/RbM= +-----END PRIVATE KEY----- diff --git a/bin/tests/system/notify/CA/certs/srv03.crt01.example.com.pem b/bin/tests/system/notify/CA/certs/srv03.crt01.example.com.pem new file mode 100644 index 0000000000..0d45e7af59 --- /dev/null +++ b/bin/tests/system/notify/CA/certs/srv03.crt01.example.com.pem 
@@ -0,0 +1,76 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c5:86:68:39:7b:1c:c4:a0 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 3 15:33:18 2024 GMT + Not After : Aug 27 15:33:18 2054 GMT + Subject: CN=srv03.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:12:6c:5b:72:db:b4:68:44:ee:c1:3d:91:48:f7: + 23:39:57:ae:31:21:41:8c:7b:8a:38:2d:80:40:e9: + c2:a1:14:50:95:3b:47:d7:ea:1e:9b:3b:4c:20:87: + 67:c2:81:86:d6:3a:ad:97:e9:0d:57:ff:1d:fa:81: + 52:42:ce:05:d2:05:73:cd:92:d7:4c:23:19:22:f5: + cb:6d:44:4b:d7:a3:57:26:10:b2:a5:fe:7f:8f:5c: + 38:31:71:b8:3f:45:b3 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv03.crt01.example.com, IP Address:10.53.0.3 + X509v3 Subject Key Identifier: + 6A:4F:85:19:52:0E:08:29:28:1B:96:53:84:97:0E:AA:35:C3:96:27 + X509v3 Authority Key Identifier: + 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 62:05:bb:62:4e:2a:6a:46:00:49:3e:83:b3:a7:ff:40:68:02: + 36:06:1f:e7:c9:47:db:72:09:be:78:bc:e6:c5:b4:8c:51:7c: + d5:93:06:ec:24:ad:11:a7:32:16:3a:55:79:a3:ab:4c:68:10: + 78:f2:e8:24:b3:c0:9c:3a:cd:11:45:7a:22:37:3e:a3:9d:5d: + 3e:ed:91:bd:58:04:2d:f6:6d:2e:0f:61:1d:4f:ab:d7:47:11: + 1b:c7:06:9d:1d:2d:df:85:93:fa:08:dc:27:32:3a:70:37:61: + 7a:58:95:0a:ca:62:ea:28:64:a1:2d:37:0e:7d:f9:0a:6c:71: + 23:20:6a:5d:2d:6b:f2:fe:23:f8:7b:89:51:21:e3:dd:2d:52: + e7:a3:bc:b9:62:86:65:21:de:90:6a:66:f8:ef:25:aa:da:e5: + b7:5f:f1:8e:ab:2d:5a:50:5f:b8:98:8a:00:d0:7b:e3:51:ec: + d8:a5:67:ee:2a:93:b5:62:84:9b:f5:c7:cd:72:de:53:99:a8: + 45:b3:f6:4c:31:58:f2:5c:cd:a3:ec:f1:1c:3a:29:cf:8e:b8: + 60:ba:c3:cd:d9:7d:bd:9a:b0:41:b3:dd:fb:37:0f:56:54:5b: + 5e:99:d1:a7:58:57:ac:9e:52:c5:74:3e:c2:df:72:82:07:bf: + 
b2:48:87:9e:16:d8:03:3b:3b:a2:0a:03:55:83:69:44:f2:14: + c8:6b:50:20:89:85:16:b4:be:c6:6c:42:91:00:09:d7:55:9f: + c3:0c:9b:5f:58:bf:43:9d:42:ca:f3:25:1f:d8:f4:b2:87:86: + a8:59:60:e9:53:23:2e:27:e8:97:02:d6:a6:91:9a:81:fb:28: + e4:47:86:c3:3a:55:ca:f0:24:1f:be:dd:00:d3:db:6a:20:5c: + a3:b0:7a:5f:d9:a7:9b:35:f7:23:c7:2b:9d:98:f9:5c:89:5a: + 6d:d4:ed:1c:d7:ec:40:0c:b0:c2:92:24:4b:78:a1:ab:7e:27: + cf:19:2c:ec:3a:77 +-----BEGIN CERTIFICATE----- +MIIDYjCCAcqgAwIBAgIJAMWGaDl7HMSgMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yNDA5MDMxNTMzMThaGA8yMDU0MDgy +NzE1MzMxOFowIjEgMB4GA1UEAwwXc3J2MDMuY3J0MDEuZXhhbXBsZS5jb20wdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAAQSbFty27RoRO7BPZFI9yM5V64xIUGMe4o4LYBA +6cKhFFCVO0fX6h6bO0wgh2fCgYbWOq2X6Q1X/x36gVJCzgXSBXPNktdMIxki9ctt +REvXo1cmELKl/n+PXDgxcbg/RbOjbDBqMCgGA1UdEQQhMB+CF3NydjAzLmNydDAx +LmV4YW1wbGUuY29thwQKNQADMB0GA1UdDgQWBBRqT4UZUg4IKSgbllOElw6qNcOW +JzAfBgNVHSMEGDAWgBR8iehc6+UfckgExY/7kgic9WAmOTANBgkqhkiG9w0BAQsF +AAOCAYEAYgW7Yk4qakYAST6Ds6f/QGgCNgYf58lH23IJvni85sW0jFF81ZMG7CSt +EacyFjpVeaOrTGgQePLoJLPAnDrNEUV6Ijc+o51dPu2RvVgELfZtLg9hHU+r10cR +G8cGnR0t34WT+gjcJzI6cDdheliVCspi6ihkoS03Dn35CmxxIyBqXS1r8v4j+HuJ +USHj3S1S56O8uWKGZSHekGpm+O8lqtrlt1/xjqstWlBfuJiKANB741Hs2KVn7iqT +tWKEm/XHzXLeU5moRbP2TDFY8lzNo+zxHDopz464YLrDzdl9vZqwQbPd+zcPVlRb +XpnRp1hXrJ5SxXQ+wt9ygge/skiHnhbYAzs7ogoDVYNpRPIUyGtQIImFFrS+xmxC +kQAJ11WfwwybX1i/Q51CyvMlH9j0soeGqFlg6VMjLifolwLWppGagfso5EeGwzpV +yvAkH77dANPbaiBco7B6X9mnmzX3I8crnZj5XIlabdTtHNfsQAywwpIkS3ihq34n +zxks7Dp3 +-----END CERTIFICATE----- diff --git a/bin/tests/system/notify/CA/index.txt b/bin/tests/system/notify/CA/index.txt new file mode 100644 index 0000000000..323e3f95b5 --- /dev/null +++ b/bin/tests/system/notify/CA/index.txt 
@@ -0,0 +1,3 @@ +V 20540827153314Z C58668397B1CC49F unknown /CN=srv02.crt01.example.com +V 20540827153318Z C58668397B1CC4A0 unknown /CN=srv03.crt01.example.com +V 240903153327Z C58668397B1CC4A1 unknown /CN=srv03.crt01-expired.example.com diff --git a/bin/tests/system/notify/CA/index.txt.attr b/bin/tests/system/notify/CA/index.txt.attr new file mode 100644 index 0000000000..8f7e63a347 --- /dev/null +++ b/bin/tests/system/notify/CA/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/bin/tests/system/notify/CA/newcerts/C58668397B1CC49F.pem b/bin/tests/system/notify/CA/newcerts/C58668397B1CC49F.pem new file mode 100644 index 0000000000..52baf96dfa --- /dev/null +++ b/bin/tests/system/notify/CA/newcerts/C58668397B1CC49F.pem 
@@ -0,0 +1,76 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c5:86:68:39:7b:1c:c4:9f + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 3 15:33:14 2024 GMT + Not After : Aug 27 15:33:14 2054 GMT + Subject: CN=srv02.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:36:6c:27:61:df:82:ed:84:0f:0c:cc:5e:c1:79: + 98:58:7e:f5:0e:0c:51:f7:7d:24:80:26:e4:43:31: + 26:8e:d3:67:f6:f7:8f:84:d8:87:32:f7:55:bd:02: + 11:5e:b5:27:1e:65:ad:03:86:57:5c:69:55:5a:3d: + 59:b7:6e:18:63:bc:b5:06:14:89:85:99:c7:05:b4: + db:50:8f:f9:65:44:26:d8:f5:51:6d:6d:f5:da:63: + f5:6a:e7:6e:37:10:08 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv02.crt01.example.com, IP Address:10.53.0.2 + X509v3 Subject Key Identifier: + 4C:A6:2B:5F:55:DF:2E:1E:FA:E8:C6:3F:05:25:20:69:BA:60:3B:E2 + X509v3 Authority Key Identifier: + 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 1d:22:c4:60:42:9a:d8:ac:54:cf:77:be:17:d0:eb:b4:7d:44: + b1:ad:bf:53:0e:be:61:37:bf:7b:a6:78:7e:a0:3f:aa:21:cd: + 09:3a:d4:41:b5:9f:31:a2:c9:db:df:94:a4:05:02:dd:98:04: + 38:55:af:20:3a:4d:82:cd:37:0f:a5:b8:9c:dc:0d:f8:07:c9: + 9d:8e:0a:4f:df:f1:8d:0c:53:9b:56:a2:35:7e:0a:3d:47:89: + ad:76:8f:6c:f5:15:0e:3f:05:af:fb:f8:97:97:a3:91:a6:cf: + 22:04:c0:35:24:84:b4:e5:4d:c0:bf:e0:8d:8b:59:bf:71:2e: + c3:d8:8e:c9:9d:ba:0a:32:cb:0f:b8:b8:e3:91:f9:77:78:55: + 17:9f:6e:09:d6:29:86:25:b6:0d:9b:52:b7:0a:75:f7:cd:09: + 5d:04:83:9f:08:8f:eb:8c:23:73:e0:14:2b:be:ba:22:96:8f: + 68:f8:c7:39:a7:44:9b:1d:ce:cb:eb:04:33:c0:da:b8:03:c0: + 5b:7a:3c:a1:f5:28:92:93:06:f2:32:c3:38:fe:68:5d:64:21: + 6e:3f:8b:80:f8:01:8f:19:5c:fa:13:6c:5e:27:55:19:70:87: + 70:02:80:79:d2:37:d3:d9:05:b1:8e:50:37:24:f0:32:33:bb: + 
e9:f2:26:f8:19:92:d5:ad:2a:09:c1:b0:48:52:f4:e3:62:cd: + e1:b4:51:d9:0a:88:e3:fb:1e:c9:5c:a5:83:fe:30:9d:cf:83: + 22:ba:1a:cd:c9:a9:e0:3d:cc:8d:f7:68:9e:17:a2:36:78:ab: + 6f:01:de:20:a1:0d:a2:30:12:ee:45:14:b6:f7:c4:e4:d3:4e: + c7:0b:d7:14:b2:49:5c:f8:3a:fc:29:43:fa:97:d1:70:46:54: + c0:a9:c6:eb:f0:91:59:0e:24:8f:e5:38:79:38:fb:86:ab:3c: + b1:ea:d2:a3:4c:2c:e4:29:1a:03:da:54:a0:a6:73:ac:b4:c8: + 02:5a:4c:38:e0:23 +-----BEGIN CERTIFICATE----- +MIIDYjCCAcqgAwIBAgIJAMWGaDl7HMSfMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yNDA5MDMxNTMzMTRaGA8yMDU0MDgy +NzE1MzMxNFowIjEgMB4GA1UEAwwXc3J2MDIuY3J0MDEuZXhhbXBsZS5jb20wdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAAQ2bCdh34LthA8MzF7BeZhYfvUODFH3fSSAJuRD +MSaO02f294+E2Icy91W9AhFetSceZa0DhldcaVVaPVm3bhhjvLUGFImFmccFtNtQ +j/llRCbY9VFtbfXaY/Vq5243EAijbDBqMCgGA1UdEQQhMB+CF3NydjAyLmNydDAx +LmV4YW1wbGUuY29thwQKNQACMB0GA1UdDgQWBBRMpitfVd8uHvroxj8FJSBpumA7 +4jAfBgNVHSMEGDAWgBR8iehc6+UfckgExY/7kgic9WAmOTANBgkqhkiG9w0BAQsF +AAOCAYEAHSLEYEKa2KxUz3e+F9DrtH1Esa2/Uw6+YTe/e6Z4fqA/qiHNCTrUQbWf +MaLJ29+UpAUC3ZgEOFWvIDpNgs03D6W4nNwN+AfJnY4KT9/xjQxTm1aiNX4KPUeJ +rXaPbPUVDj8Fr/v4l5ejkabPIgTANSSEtOVNwL/gjYtZv3Euw9iOyZ26CjLLD7i4 +45H5d3hVF59uCdYphiW2DZtStwp1980JXQSDnwiP64wjc+AUK766IpaPaPjHOadE +mx3Oy+sEM8DauAPAW3o8ofUokpMG8jLDOP5oXWQhbj+LgPgBjxlc+hNsXidVGXCH +cAKAedI309kFsY5QNyTwMjO76fIm+BmS1a0qCcGwSFL042LN4bRR2QqI4/seyVyl +g/4wnc+DIroazcmp4D3MjfdonheiNnirbwHeIKENojAS7kUUtvfE5NNOxwvXFLJJ +XPg6/ClD+pfRcEZUwKnG6/CRWQ4kj+U4eTj7hqs8serSo0ws5CkaA9pUoKZzrLTI +AlpMOOAj +-----END CERTIFICATE----- diff --git a/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A0.pem b/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A0.pem new file mode 100644 index 0000000000..0d45e7af59 --- /dev/null +++ b/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A0.pem 
@@ -0,0 +1,76 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c5:86:68:39:7b:1c:c4:a0 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 3 15:33:18 2024 GMT + Not After : Aug 27 15:33:18 2054 GMT + Subject: CN=srv03.crt01.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:12:6c:5b:72:db:b4:68:44:ee:c1:3d:91:48:f7: + 23:39:57:ae:31:21:41:8c:7b:8a:38:2d:80:40:e9: + c2:a1:14:50:95:3b:47:d7:ea:1e:9b:3b:4c:20:87: + 67:c2:81:86:d6:3a:ad:97:e9:0d:57:ff:1d:fa:81: + 52:42:ce:05:d2:05:73:cd:92:d7:4c:23:19:22:f5: + cb:6d:44:4b:d7:a3:57:26:10:b2:a5:fe:7f:8f:5c: + 38:31:71:b8:3f:45:b3 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv03.crt01.example.com, IP Address:10.53.0.3 + X509v3 Subject Key Identifier: + 6A:4F:85:19:52:0E:08:29:28:1B:96:53:84:97:0E:AA:35:C3:96:27 + X509v3 Authority Key Identifier: + 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 62:05:bb:62:4e:2a:6a:46:00:49:3e:83:b3:a7:ff:40:68:02: + 36:06:1f:e7:c9:47:db:72:09:be:78:bc:e6:c5:b4:8c:51:7c: + d5:93:06:ec:24:ad:11:a7:32:16:3a:55:79:a3:ab:4c:68:10: + 78:f2:e8:24:b3:c0:9c:3a:cd:11:45:7a:22:37:3e:a3:9d:5d: + 3e:ed:91:bd:58:04:2d:f6:6d:2e:0f:61:1d:4f:ab:d7:47:11: + 1b:c7:06:9d:1d:2d:df:85:93:fa:08:dc:27:32:3a:70:37:61: + 7a:58:95:0a:ca:62:ea:28:64:a1:2d:37:0e:7d:f9:0a:6c:71: + 23:20:6a:5d:2d:6b:f2:fe:23:f8:7b:89:51:21:e3:dd:2d:52: + e7:a3:bc:b9:62:86:65:21:de:90:6a:66:f8:ef:25:aa:da:e5: + b7:5f:f1:8e:ab:2d:5a:50:5f:b8:98:8a:00:d0:7b:e3:51:ec: + d8:a5:67:ee:2a:93:b5:62:84:9b:f5:c7:cd:72:de:53:99:a8: + 45:b3:f6:4c:31:58:f2:5c:cd:a3:ec:f1:1c:3a:29:cf:8e:b8: + 60:ba:c3:cd:d9:7d:bd:9a:b0:41:b3:dd:fb:37:0f:56:54:5b: + 5e:99:d1:a7:58:57:ac:9e:52:c5:74:3e:c2:df:72:82:07:bf: + 
b2:48:87:9e:16:d8:03:3b:3b:a2:0a:03:55:83:69:44:f2:14: + c8:6b:50:20:89:85:16:b4:be:c6:6c:42:91:00:09:d7:55:9f: + c3:0c:9b:5f:58:bf:43:9d:42:ca:f3:25:1f:d8:f4:b2:87:86: + a8:59:60:e9:53:23:2e:27:e8:97:02:d6:a6:91:9a:81:fb:28: + e4:47:86:c3:3a:55:ca:f0:24:1f:be:dd:00:d3:db:6a:20:5c: + a3:b0:7a:5f:d9:a7:9b:35:f7:23:c7:2b:9d:98:f9:5c:89:5a: + 6d:d4:ed:1c:d7:ec:40:0c:b0:c2:92:24:4b:78:a1:ab:7e:27: + cf:19:2c:ec:3a:77 +-----BEGIN CERTIFICATE----- +MIIDYjCCAcqgAwIBAgIJAMWGaDl7HMSgMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAgFw0yNDA5MDMxNTMzMThaGA8yMDU0MDgy +NzE1MzMxOFowIjEgMB4GA1UEAwwXc3J2MDMuY3J0MDEuZXhhbXBsZS5jb20wdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAAQSbFty27RoRO7BPZFI9yM5V64xIUGMe4o4LYBA +6cKhFFCVO0fX6h6bO0wgh2fCgYbWOq2X6Q1X/x36gVJCzgXSBXPNktdMIxki9ctt +REvXo1cmELKl/n+PXDgxcbg/RbOjbDBqMCgGA1UdEQQhMB+CF3NydjAzLmNydDAx +LmV4YW1wbGUuY29thwQKNQADMB0GA1UdDgQWBBRqT4UZUg4IKSgbllOElw6qNcOW +JzAfBgNVHSMEGDAWgBR8iehc6+UfckgExY/7kgic9WAmOTANBgkqhkiG9w0BAQsF +AAOCAYEAYgW7Yk4qakYAST6Ds6f/QGgCNgYf58lH23IJvni85sW0jFF81ZMG7CSt +EacyFjpVeaOrTGgQePLoJLPAnDrNEUV6Ijc+o51dPu2RvVgELfZtLg9hHU+r10cR +G8cGnR0t34WT+gjcJzI6cDdheliVCspi6ihkoS03Dn35CmxxIyBqXS1r8v4j+HuJ +USHj3S1S56O8uWKGZSHekGpm+O8lqtrlt1/xjqstWlBfuJiKANB741Hs2KVn7iqT +tWKEm/XHzXLeU5moRbP2TDFY8lzNo+zxHDopz464YLrDzdl9vZqwQbPd+zcPVlRb +XpnRp1hXrJ5SxXQ+wt9ygge/skiHnhbYAzs7ogoDVYNpRPIUyGtQIImFFrS+xmxC +kQAJ11WfwwybX1i/Q51CyvMlH9j0soeGqFlg6VMjLifolwLWppGagfso5EeGwzpV +yvAkH77dANPbaiBco7B6X9mnmzX3I8crnZj5XIlabdTtHNfsQAywwpIkS3ihq34n +zxks7Dp3 +-----END CERTIFICATE----- diff --git a/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A1.pem b/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A1.pem new file mode 100644 index 0000000000..d8a1f41f67 --- /dev/null +++ b/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A1.pem 
@@ -0,0 +1,76 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c5:86:68:39:7b:1c:c4:a1 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 2 15:33:27 2024 GMT + Not After : Sep 3 15:33:27 2024 GMT + Subject: CN=srv03.crt01-expired.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:4d:ac:8c:a8:ff:c7:00:0d:ce:69:b9:18:ec:4e: + 2a:c8:06:fb:be:bc:a9:ed:b8:c7:c4:52:06:a7:8d: + 77:ea:3b:f9:d8:ce:1d:d7:b4:2d:f1:1a:ff:0d:70: + 4f:8a:a9:9c:fa:a4:c4:30:f0:e5:d8:3d:dd:62:f2: + 7d:40:8e:5f:dc:57:6c:dd:54:38:20:0e:be:e6:8a: + 5c:c4:e9:f7:95:48:f9:34:26:bc:5d:b9:aa:95:f8: + c9:d7:26:2b:72:eb:94 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv03.crt01-expired.example.com, IP Address:10.53.0.3 + X509v3 Subject Key Identifier: + 72:38:25:01:CB:38:FF:CB:D3:78:24:43:BA:64:EA:76:FB:58:F6:EA + X509v3 Authority Key Identifier: + 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 4a:f3:59:df:4d:ff:fd:de:fc:c8:bc:34:4c:e1:39:00:62:09: + c8:34:2b:d0:3e:52:91:ea:ae:da:86:94:7d:83:84:48:5d:50: + ac:b7:a5:70:87:f4:62:f0:c6:9a:73:d2:78:29:cf:21:20:ae: + 0e:b0:55:36:1d:6c:c1:7f:0f:b7:26:d8:14:43:64:c6:58:8b: + 68:87:fd:cc:3f:d1:c1:f5:67:71:bc:71:7b:d4:f1:02:b0:4c: + dd:b2:4a:18:99:46:3a:44:b2:6b:c4:61:79:8f:be:e8:19:d4: + cc:f7:95:32:b0:74:18:76:c6:df:5f:c1:90:24:3c:a6:5d:2a: + 6f:90:7d:94:43:f3:df:1f:80:70:ff:8a:c8:b9:1f:c5:4e:08: + d1:54:f0:d8:72:af:07:30:9f:8a:65:66:ff:ff:a4:37:de:10: + 01:a6:00:c7:31:08:dd:f0:0a:5f:d3:e6:dd:d1:37:43:f2:44: + 13:bc:9e:68:40:bd:96:84:16:73:0f:01:95:40:65:ba:70:93: + a9:81:27:6e:b6:fb:ad:10:36:46:a3:75:94:00:62:f3:10:32: + c2:4a:0e:3a:bf:ab:07:14:a3:68:fd:eb:c7:c8:16:90:30:80: + 
f1:28:5c:64:a7:ba:8e:fa:27:09:4c:0b:08:d9:56:77:cd:25: + 7c:1f:58:78:48:c1:8c:73:10:39:f2:06:79:7c:8d:b9:ca:25: + 7c:b1:75:62:68:a7:14:c6:5b:00:78:67:e4:d8:e1:62:0b:6e: + 8d:5a:e6:23:d2:d4:dd:28:71:32:16:88:ad:b3:ee:a6:69:e7: + ff:1e:85:62:3c:65:88:c7:47:0c:1d:a0:d9:12:5c:31:98:01: + cd:a4:28:52:ad:dc:8b:1a:e6:d4:62:3d:1b:c6:52:00:b5:34: + 9d:1d:d8:6b:d3:ce:63:52:62:13:74:2a:7c:ff:0a:d7:0b:99: + a9:2b:b3:ba:e8:cf:a0:77:f0:85:12:ba:4c:54:71:74:dd:32: + 13:ca:44:c2:0f:d9 +-----BEGIN CERTIFICATE----- +MIIDcDCCAdigAwIBAgIJAMWGaDl7HMShMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAeFw0yNDA5MDIxNTMzMjdaFw0yNDA5MDMx +NTMzMjdaMCoxKDAmBgNVBAMMH3NydjAzLmNydDAxLWV4cGlyZWQuZXhhbXBsZS5j +b20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARNrIyo/8cADc5puRjsTirIBvu+vKnt +uMfEUganjXfqO/nYzh3XtC3xGv8NcE+KqZz6pMQw8OXYPd1i8n1Ajl/cV2zdVDgg +Dr7milzE6feVSPk0JrxduaqV+MnXJity65SjdDByMDAGA1UdEQQpMCeCH3NydjAz +LmNydDAxLWV4cGlyZWQuZXhhbXBsZS5jb22HBAo1AAMwHQYDVR0OBBYEFHI4JQHL +OP/L03gkQ7pk6nb7WPbqMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5 +MA0GCSqGSIb3DQEBCwUAA4IBgQBK81nfTf/93vzIvDRM4TkAYgnINCvQPlKR6q7a +hpR9g4RIXVCst6Vwh/Ri8Maac9J4Kc8hIK4OsFU2HWzBfw+3JtgUQ2TGWItoh/3M +P9HB9WdxvHF71PECsEzdskoYmUY6RLJrxGF5j77oGdTM95UysHQYdsbfX8GQJDym +XSpvkH2UQ/PfH4Bw/4rIuR/FTgjRVPDYcq8HMJ+KZWb//6Q33hABpgDHMQjd8Apf +0+bd0TdD8kQTvJ5oQL2WhBZzDwGVQGW6cJOpgSdutvutEDZGo3WUAGLzEDLCSg46 +v6sHFKNo/evHyBaQMIDxKFxkp7qO+icJTAsI2VZ3zSV8H1h4SMGMcxA58gZ5fI25 +yiV8sXViaKcUxlsAeGfk2OFiC26NWuYj0tTdKHEyFoits+6maef/HoViPGWIx0cM +HaDZElwxmAHNpChSrdyLGubUYj0bxlIAtTSdHdhr085jUmITdCp8/wrXC5mpK7O6 +6M+gd/CFErpMVHF03TITykTCD9k= +-----END CERTIFICATE----- diff --git a/bin/tests/system/notify/CA/private/CA.key b/bin/tests/system/notify/CA/private/CA.key new file mode 100644 index 0000000000..2d5419d89a --- /dev/null +++ b/bin/tests/system/notify/CA/private/CA.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAouoRHoAc6VCmxNTU6Ge7s+xDFGO0wXJJIsP+8nUyyjWvGCOC +aQYLhb1kLA2NHRhSSKFcMh8jcd7Hlvy6CAec1j2dsWzryy3HgPrdjWaW3PfBO41D +lUtdt8hA/p6pX2YwqvWbdK/3s8J0LY5xRZKNZnFOB/Sb4PGiIJ1NgMRO/M3IlPQm +PO/faRRTU4SI26KCPKFW342826Zi88YwOd6w5mQU4fskk5TGtlNqE+Fj40ZbWVpy +VXoEUS6RveRp020NX5CQG49SLtdF05AnnsATqmgNVCXptGuqW8uaHRONeGO3NBEy +nJmibWBDUMjtCCcGVgyrVXuTkyAJJWpImnshUwgMNYebRwmC2iVv2LtsJS5eUTUH +EWffnFl55XU2PkyNYgY35gA4y3SiWFJYV8+5FibU4ut0nb+lmHBF8WlqcU/kd3tp +Gkf0exjqOIHZFqV9bIhpUbXhxx9v9+gkkGQ9nrXE1KRlvigxxUeIK5xHy9a7fVIL +wo6WuCnLLJmbVkklAgMBAAECggGBAI5ZV3v/FUQIZK+4CBDKEwizeClotZgR9DWc +bDgOj8KABe5hmKGL1qWVRuH3NUYm6j7sP1LMQnxM3LjhOuupOzE3xYIyWhW+eoQI +r23OJiQNl5ohZNweblUXdTMGD5h8AipfUOY0m4tGbZ0gyXixBTxt5HCvG0UB3VgC +GqZY4Wujo5ADhSXZsqxuRiDDvZGr/YBcuTu87Tg/ulam5ZyrKIcnC9gpSVxqsva9 +DAMy/cSoxUjd7ukhJISK3G3AF3fV4GSslQcJTlyJ2D3+LnqPuHJKYTI4hc46lN3x +E2g24GdSCPYf6SoEPwACXtbavV8TXwQPJrHN+f+0/ePCI4jkYe5NoA3gwVgMb/WB +wFchxzVh3V4e8tPGiG+ofKl81DSAW8VZCJLUIbTEce9oxafPT78WJxdC0wWbh5S8 +V/qN6sW/yWnK3oY9SilWhJGRwKOZ+8xtStaDeCzyCaOqEcWi8ZR0QfC33UozlhdC +SrMKnOXmn/rUuXGrVR56IzIl0M7YAQKBwQDM3GJDdlFuHn6L0syKYdHDS8gXD9ke +s+ochIP6jvkEPcayaEoZGl8s7RT3iztqXod7wLaZdotktxfDAZnJfeuOcVrCu+Bx +HLytnBvV6czMfp3REGgQAJQeusSgtlBCTHHVOsDzIjdnkY3WBa7IiFYWO5wnYrGx +r3ucnwnHaUVDMj1r4YI7mYIpCuYQl6eGyW7mhWewyhVwoQXKbifdrXxjvOigL0Cp +tgsoU9pql3hpphOaYMX6hLOincTfaMxfnCECgcEAy5UXp3dA0OwK+4iDGKr+cUpk +AtGTheiE+8zEVh2KYFLt921mW/QZiB1+xtnkknp3c7u07Ugk8jAEXzCkwMnN5ZCx +LrJ72fC+cLIAbRm6/vMMP8iz83wyttao4qNMeoOBBfE9rEiP+lrugpv282V3ZHYa +IUZWTeugJbckUHTbD3RZQExmQcRVG3m/TzonBfoZ8HoRj/n3d7V2T911cHUhi8Xn +RQIi2m63VofOIep86LgartlKneMWnL0oOPq4RKyFAoHAZUzpDkD4nUJZAx025Yrf +ZfoYNEcy7vq6XmWsuX5vZoiBs4DcezNOMvH9NzdTJxMdXbV61cIHxcK/7j7hZABv +NZ2Z6sdqgaRbLGIQZaPaEJjfwxygyKDwnY1vY6UjZNVWSMFn3hJiYUVZZKakuiao +ow/Q9KzZ/2ot7tG5zTCh/ktekfUOKBiNg2wPPc8wGPeMblMzZflXxrzpFyOHdRev +dcZZJbSX/hO1yrhEPgculNd5xBHsdCegiF4JlwvEW9bhAoHAZQQiy5bx03j8bhkr 
+q6bVQFPAUmG5iL16lxLg7TYVPnyH1bk0DDaQIKk6CeN+dmxML2IZgY/FvWK0GKOj +bIH2J43nTRuFNvwtEvBQI9KbpfvlvRSSriOXaoATJvoObdAoylEM4BrVTk2mgapw +HA/h8Thk+NPU6S8ctPouC7ogJIf/7Va7erC35j0//0kEqgOSsW9wnXdUItMo1LI3 +nsiQD7Hwcp5/utErKcWTM+MNfdA0dUQesT9ILhfyCGvn2TOdAoHBAKldZkDyRcu9 +r9uDF1bhUEnpV2k4hgvTuCvQ3rzyx3WrVT8ChEmePC8Ke5A54ffu/YdbpDLbdf2c +j4n5CQhHbMIZs3P2hB3WqDCImApCfMbXaltfBbaT0j7uLJPMp+2+f/wWYpc3R+bn +HVnaRI2PoXXmG9OjQSQdVZ5gNpkEuemAo3dJOSS6BMqQaSxUynGy7o/a/d4izBjd +B58Fwq3sZI/Xv90Se9+b6ICST3YJ3p0vn8RKzmlCQjLg/xynpCByiw== +-----END RSA PRIVATE KEY----- diff --git a/bin/tests/system/notify/CA/serial b/bin/tests/system/notify/CA/serial new file mode 100644 index 0000000000..c611a6a182 --- /dev/null +++ b/bin/tests/system/notify/CA/serial @@ -0,0 +1 @@ +C58668397B1CC4A2 diff --git a/bin/tests/system/notify/dhparam3072.pem b/bin/tests/system/notify/dhparam3072.pem new file mode 100644 index 0000000000..9c2e0aa42b --- /dev/null +++ b/bin/tests/system/notify/dhparam3072.pem @@ -0,0 +1,11 @@ +-----BEGIN DH PARAMETERS----- +MIIBiAKCAYEA5D/Oioe+G+EMf/9RVxmcV4rZAtqZpVTFHcX0ZulvdiQGCQmopm6K +3+0uoU2J6WVMjhna5nHD2NO9miRDI/jIxX9g9k6PedSB4o3fSTtkAnGtUbB8S+Ab +EHtWfd7FTES8P1n16HN7BfPXVbP8zTcK+jO63KdQoxueYoETcrw0Myi9Lm8ri8os +O4oQ+XAH7GzZ60bcYV9jge0XIRUGVnYZDjWMlnwMvZyjLivxKXTC9HPNA6FF1/0H +0LPhsfjdoLNsVHFzfQz7QELMfHbTd0C8y0UMDQw9FqUp0esHZ5gsTlqnDHp2ZHoR +JDfNl4yVO5Gv4HiFJ0NSdggefhESU3FRAOhMmUkctOCxk5hyPqGMsvofOajY2MBp +eCffrKuAU6/dGUeq8inwrZlAMIZ20WyskHmbHnc4DXo2Uo6xSZo3xyEq1ofXXwTZ +vPw4e12so3RJAT2a8UsHf7DG1tH+9ke7HCAJQWxUizRFRsMi1Nl/7ikS4f3zgIbX +GKz9+uk5eS6jAgEC +-----END DH PARAMETERS----- diff --git a/bin/tests/system/notify/ns2/named-tls.conf.in b/bin/tests/system/notify/ns2/named-tls.conf.in new file mode 100644 index 0000000000..16fe186f97 --- /dev/null +++ b/bin/tests/system/notify/ns2/named-tls.conf.in 
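Review bot: `CA/private/CA.key` adds the unencrypted RSA private key of the CA `ca.test.example.com` to the tree, and nothing next to it says that this CA exists for the notify system test only. The leaf certificates issued from it in `CA/newcerts/` are valid until 2054, so anyone with a checkout can issue certificates that chain to `CA/CA.pem`. I would add a short README in `bin/tests/system/notify/CA/` along the lines of `Test-only CA: the private key is public; never add CA.pem to a trust store outside the system tests`. If the harness allows it, generating the CA and leaf certificates during setup instead of committing them would remove the key from the repository altogether.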
@@ -0,0 +1,90 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +tls tls-forward-secrecy { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +tls tls-forward-secrecy-remote-hostname { + protocols { TLSv1.2; }; + ca-file "../CA/CA.pem"; + remote-hostname "srv03.crt01.example.com"; +}; + +tls tls-forward-secrecy-bad-remote-hostname { + protocols { TLSv1.2; }; + ca-file "../CA/CA.pem"; + remote-hostname "srv03-bad.crt01.example.com"; +}; + +tls tls-forward-secrecy-mutual-tls { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + key-file "../CA/certs/srv02.crt01.example.com.key"; + cert-file "../CA/certs/srv02.crt01.example.com.pem"; + dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +tls tls-expired { + protocols { TLSv1.2; }; + ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +zone tls-x1 { + type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.3 tls ephemeral; }; +}; + +zone tls-x2 { + type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-expired; }; +}; + +zone tls-x3 { + type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname; }; +}; + +zone tls-x4 { + 
type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname; }; +}; + +zone tls-x5 { + type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.3 port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls; }; +}; + +zone tls-x6 { + type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.3 port @EXTRAPORT4@ tls tls-expired; }; +}; diff --git a/bin/tests/system/notify/ns2/named.conf.in b/bin/tests/system/notify/ns2/named.conf.in index 71a7055940..f655551c8c 100644 --- a/bin/tests/system/notify/ns2/named.conf.in +++ b/bin/tests/system/notify/ns2/named.conf.in @@ -11,12 +11,15 @@ * information regarding copyright ownership. */ +include "named-tls.conf"; + options { query-source address 10.53.0.2; notify-source 10.53.0.2; notify-source-v6 fd92:7065:b8e:ffff::2; transfer-source 10.53.0.2; port @PORT@; + include "options-tls.conf"; pid-file "named.pid"; listen-on { 10.53.0.2; }; listen-on-v6 { none; }; diff --git a/bin/tests/system/notify/ns2/options-tls.conf.in b/bin/tests/system/notify/ns2/options-tls.conf.in new file mode 100644 index 0000000000..fe3491e6c8 --- /dev/null +++ b/bin/tests/system/notify/ns2/options-tls.conf.in @@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + + tls-port @TLSPORT@; diff --git a/bin/tests/system/notify/ns3/named-tls.conf.in b/bin/tests/system/notify/ns3/named-tls.conf.in new file mode 100644 index 0000000000..429f3a8b85 --- /dev/null +++ b/bin/tests/system/notify/ns3/named-tls.conf.in 
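Review bot: The `tls` blocks and zones in `ns2/named-tls.conf.in` have no comments saying what each case verifies, and that is the only thing the six zones differ in. tls-x1 uses `tls ephemeral`, which encrypts the notify but does not authenticate the receiver, while the named blocks set `ca-file` (chain verification) and two of them add `remote-hostname`. The block called `tls-expired` holds no certificate on this side, only `ca-file`, because the expired certificate is the one served by ns3. I would add one line above each zone, e.g. `/* tls-x1: encryption only, peer not authenticated; must succeed */` and `/* tls-x4: remote-hostname does not match the server certificate; must fail */`, so the expectations in tests.sh can be checked against the configuration.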
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls tls-forward-secrecy {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv03.crt01.example.com.key";
+ cert-file "../CA/certs/srv03.crt01.example.com.pem";
+ dhparam-file "../dhparam3072.pem";
+};
+
+tls tls-forward-secrecy-mutual-tls {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv03.crt01.example.com.key";
+ cert-file "../CA/certs/srv03.crt01.example.com.pem";
+ dhparam-file "../dhparam3072.pem";
+ ca-file "../CA/CA.pem";
+};
+
+tls tls-expired {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv03.crt01-expired.example.com.key";
+ cert-file "../CA/certs/srv03.crt01-expired.example.com.pem";
+ dhparam-file "../dhparam3072.pem";
+};
diff --git a/bin/tests/system/notify/ns3/named.conf.in b/bin/tests/system/notify/ns3/named.conf.in
index 8a744cd637..832043d9f6 100644
--- a/bin/tests/system/notify/ns3/named.conf.in
+++ b/bin/tests/system/notify/ns3/named.conf.in
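Review bot: The listener block `tls-forward-secrecy-mutual-tls` is the only one in this file that sets `ca-file`, which is what makes named require and verify a client certificate on the port it is bound to, but only the accepting path is tested. tls-x5 in ns2/named-tls.conf.in presents `srv02.crt01.example.com.pem` to @EXTRAPORT3@ and is expected to succeed. No zone notifies @EXTRAPORT3@ without `key-file`/`cert-file` and expects to be refused, so a regression that stops enforcing client authentication would pass unnoticed. I would add such a zone (for example one using the notifier's `tls-forward-secrecy` block against @EXTRAPORT3@) with a matching failure check in tests.sh, and put `/* ca-file on a listener: client certificate required (mutual TLS) */` above this block.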
@@ -11,11 +11,14 @@ * information regarding copyright ownership. */ +include "named-tls.conf"; + options { query-source address 10.53.0.3; notify-source 10.53.0.3; transfer-source 10.53.0.3; port @PORT@; + include "options-tls.conf"; pid-file "named.pid"; listen-on { 10.53.0.3; }; listen-on-v6 { fd92:7065:b8e:ffff::3; }; diff --git a/bin/tests/system/notify/ns3/options-tls.conf.in b/bin/tests/system/notify/ns3/options-tls.conf.in new file mode 100644 index 0000000000..23c0658bd5 --- /dev/null +++ b/bin/tests/system/notify/ns3/options-tls.conf.in @@ -0,0 +1,18 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + + tls-port @TLSPORT@; + listen-on tls ephemeral { 10.53.0.3; }; + listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.3; }; + listen-on port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls { 10.53.0.3; }; + listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.3; }; diff --git a/bin/tests/system/notify/setup.sh b/bin/tests/system/notify/setup.sh index 19c41fc2c1..6793a33f8d 100644 --- a/bin/tests/system/notify/setup.sh +++ b/bin/tests/system/notify/setup.sh 
@@ -14,8 +14,24 @@ . ../conf.sh copy_setports ns1/named.conf.in ns1/named.conf -copy_setports ns2/named.conf.in ns2/named.conf -copy_setports ns3/named.conf.in ns3/named.conf +if $FEATURETEST --have-fips-dh; then + copy_setports ns2/named-tls.conf.in ns2/named-tls.conf + copy_setports ns2/options-tls.conf.in ns2/options-tls.conf + copy_setports ns2/named.conf.in ns2/named.conf +else + cp /dev/null ns2/named-tls.conf + cp /dev/null ns2/options-tls.conf + copy_setports ns2/named.conf.in ns2/named.conf +fi +if $FEATURETEST --have-fips-dh; then + copy_setports ns3/named-tls.conf.in ns3/named-tls.conf + copy_setports ns3/options-tls.conf.in ns3/options-tls.conf + copy_setports ns3/named.conf.in ns3/named.conf +else + cp /dev/null ns3/named-tls.conf + cp /dev/null ns3/options-tls.conf + copy_setports ns3/named.conf.in ns3/named.conf +fi copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh index a827e6da5c..2fbccbd37f 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh 
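Review bot: The two `if $FEATURETEST --have-fips-dh` blocks are identical except for the directory name, and the `copy_setports nsN/named.conf.in nsN/named.conf` call is repeated in both branches of each. A single conditional with the unconditional copies hoisted out is shorter and keeps the ns2 and ns3 handling from drifting apart. A one-line comment saying why the TLS configuration depends on this feature test (presumably because the `tls` blocks use `dhparam-file`) would help the next reader.

```shell
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
# TLS notify cases need usable DH parameters; otherwise install empty includes.
if $FEATURETEST --have-fips-dh; then
  for ns in ns2 ns3; do
    copy_setports $ns/named-tls.conf.in $ns/named-tls.conf
    copy_setports $ns/options-tls.conf.in $ns/options-tls.conf
  done
else
  for ns in ns2 ns3; do
    cp /dev/null $ns/named-tls.conf
    cp /dev/null $ns/options-tls.conf
  done
fi
```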
@@ -119,6 +119,18 @@ grep 'notify from 10.53.0.2#[0-9][0-9]*: serial 2$' ns3/named.run >/dev/null || grep 'refused notify from non-primary: fd92:7065:b8e:ffff::2#[0-9][0-9]*$' ns3/named.run >/dev/null || ret=1 test_end +test_start "checking notify over TLS successful" +grep "zone tls-x1/IN: notify to 10.53.0.3#${TLSPORT} successful" ns2/named.run >/dev/null || ret=1 +grep "zone tls-x2/IN: notify to 10.53.0.3#${EXTRAPORT1} successful" ns2/named.run >/dev/null || ret=1 +grep "zone tls-x3/IN: notify to 10.53.0.3#${EXTRAPORT1} successful" ns2/named.run >/dev/null || ret=1 +grep "zone tls-x5/IN: notify to 10.53.0.3#${EXTRAPORT3} successful" ns2/named.run >/dev/null || ret=1 +test_end + +test_start "checking notify over TLS failed" +grep "zone tls-x4/IN: notify to 10.53.0.3#${EXTRAPORT1} failed: TLS peer certificate verification failed" ns2/named.run >/dev/null || ret=1 +grep "zone tls-x6/IN: notify to 10.53.0.3#${EXTRAPORT4} failed: TLS peer certificate verification failed" ns2/named.run >/dev/null || ret=1 +test_end + test_start "checking example2 loaded" dig_plus_opts a.example. @10.53.0.2 a >dig.out.ns2.test$n || ret=1 grep "10.0.0.2" dig.out.ns2.test$n >/dev/null || ret=1 From 87e287c9844cea3c2667246e5f8f23bbf4b7c330 Mon Sep 17 00:00:00 2001 
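Review bot: These two test blocks run unconditionally, but setup.sh in this commit writes empty `named-tls.conf` and `options-tls.conf` files when `$FEATURETEST --have-fips-dh` fails, so on such a build the tls-x* zones do not exist and every `grep` here sets `ret=1`. Both blocks should be wrapped in the same condition, `if $FEATURETEST --have-fips-dh; then` … `fi`. The rewritten copy of this hunk in PATCH 3/4 has the same gap. The greps also read `named.run` once without waiting, so a notify that has not completed yet would fail the check spuriously; a retry around them would be safer if the harness provides one.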
From: Mark Andrews Date: Wed, 18 Sep 2024 15:52:42 +1000 Subject: [PATCH 3/4] swap ns2 and ns3 rolls in tls notify tests Still need to regenerate the expired certificate as it has the wrong IP address --- ...ey => srv02.crt01-expired.example.com.key} | 0 ...em => srv02.crt01-expired.example.com.pem} | 0 bin/tests/system/notify/ns2/named-tls.conf.in | 62 ++----------------- .../system/notify/ns2/options-tls.conf.in | 4 ++ bin/tests/system/notify/ns3/generic.db | 25 ++++++++ bin/tests/system/notify/ns3/named-tls.conf.in | 62 +++++++++++++++++-- .../system/notify/ns3/options-tls.conf.in | 4 -- bin/tests/system/notify/tests.sh | 12 ++-- 8 files changed, 97 insertions(+), 72 deletions(-) rename bin/tests/system/notify/CA/certs/{srv03.crt01-expired.example.com.key => srv02.crt01-expired.example.com.key} (100%) rename bin/tests/system/notify/CA/certs/{srv03.crt01-expired.example.com.pem => srv02.crt01-expired.example.com.pem} (100%) create mode 100644 bin/tests/system/notify/ns3/generic.db diff --git a/bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.key b/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.key similarity index 100% rename from bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.key rename to bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.key diff --git a/bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.pem b/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.pem similarity index 100% rename from bin/tests/system/notify/CA/certs/srv03.crt01-expired.example.com.pem rename to bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.pem diff --git a/bin/tests/system/notify/ns2/named-tls.conf.in b/bin/tests/system/notify/ns2/named-tls.conf.in index 16fe186f97..e069662d71 100644 --- a/bin/tests/system/notify/ns2/named-tls.conf.in +++ b/bin/tests/system/notify/ns2/named-tls.conf.in 
@@ -14,25 +14,16 @@ tls tls-forward-secrecy { protocols { TLSv1.2; }; ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; + key-file "../CA/certs/srv02.crt01.example.com.key"; + cert-file "../CA/certs/srv02.crt01.example.com.pem"; dhparam-file "../dhparam3072.pem"; - ca-file "../CA/CA.pem"; -}; - -tls tls-forward-secrecy-remote-hostname { - protocols { TLSv1.2; }; - ca-file "../CA/CA.pem"; - remote-hostname "srv03.crt01.example.com"; -}; - -tls tls-forward-secrecy-bad-remote-hostname { - protocols { TLSv1.2; }; - ca-file "../CA/CA.pem"; - remote-hostname "srv03-bad.crt01.example.com"; }; tls tls-forward-secrecy-mutual-tls { protocols { TLSv1.2; }; ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; + prefer-server-ciphers yes; key-file "../CA/certs/srv02.crt01.example.com.key"; cert-file "../CA/certs/srv02.crt01.example.com.pem"; dhparam-file "../dhparam3072.pem"; 
@@ -43,48 +34,7 @@ tls tls-expired { protocols { TLSv1.2; }; ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; prefer-server-ciphers yes; + key-file "../CA/certs/srv02.crt01-expired.example.com.key"; + cert-file "../CA/certs/srv02.crt01-expired.example.com.pem"; dhparam-file "../dhparam3072.pem"; - ca-file "../CA/CA.pem"; -}; - -zone tls-x1 { - type primary; - file "generic.db"; - notify explicit; - also-notify { 10.53.0.3 tls ephemeral; }; -}; - -zone tls-x2 { - type primary; - file "generic.db"; - notify explicit; - also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-expired; }; -}; - -zone tls-x3 { - type primary; - file "generic.db"; - notify explicit; - also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname; }; -}; - -zone tls-x4 { - type primary; - file "generic.db"; - notify explicit; - also-notify { 10.53.0.3 port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname; }; -}; - -zone tls-x5 { - type primary; - file "generic.db"; - notify explicit; - also-notify { 10.53.0.3 port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls; }; -}; - -zone tls-x6 { - type primary; - file "generic.db"; - notify explicit; - also-notify { 10.53.0.3 port @EXTRAPORT4@ tls tls-expired; }; }; diff --git a/bin/tests/system/notify/ns2/options-tls.conf.in b/bin/tests/system/notify/ns2/options-tls.conf.in index fe3491e6c8..29f4df51a7 100644 --- a/bin/tests/system/notify/ns2/options-tls.conf.in +++ b/bin/tests/system/notify/ns2/options-tls.conf.in @@ -12,3 +12,7 @@ */ tls-port @TLSPORT@; + listen-on tls ephemeral { 10.53.0.2; }; + listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.2; }; + listen-on port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls { 10.53.0.2; }; + listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.2; }; diff --git a/bin/tests/system/notify/ns3/generic.db b/bin/tests/system/notify/ns3/generic.db new file mode 100644 index 0000000000..42a669e0ab --- /dev/null 
+++ b/bin/tests/system/notify/ns3/generic.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 1 ; serial + 300 ; refresh (300 seconds) + 300 ; retry (300 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 diff --git a/bin/tests/system/notify/ns3/named-tls.conf.in b/bin/tests/system/notify/ns3/named-tls.conf.in index 429f3a8b85..3269091c87 100644 --- a/bin/tests/system/notify/ns3/named-tls.conf.in +++ b/bin/tests/system/notify/ns3/named-tls.conf.in @@ -14,16 +14,25 @@ tls tls-forward-secrecy { protocols { TLSv1.2; }; ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; - prefer-server-ciphers yes; - key-file "../CA/certs/srv03.crt01.example.com.key"; - cert-file "../CA/certs/srv03.crt01.example.com.pem"; dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +tls tls-forward-secrecy-remote-hostname { + protocols { TLSv1.2; }; + ca-file "../CA/CA.pem"; + remote-hostname "srv02.crt01.example.com"; +}; + +tls tls-forward-secrecy-bad-remote-hostname { + protocols { TLSv1.2; }; + ca-file "../CA/CA.pem"; + remote-hostname "srv02-bad.crt01.example.com"; }; tls tls-forward-secrecy-mutual-tls { protocols { TLSv1.2; }; ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; - prefer-server-ciphers yes; key-file "../CA/certs/srv03.crt01.example.com.key"; cert-file "../CA/certs/srv03.crt01.example.com.pem"; dhparam-file "../dhparam3072.pem"; 
@@ -34,7 +43,48 @@ tls tls-expired { protocols { TLSv1.2; }; ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384"; prefer-server-ciphers yes; - key-file "../CA/certs/srv03.crt01-expired.example.com.key"; - cert-file "../CA/certs/srv03.crt01-expired.example.com.pem"; dhparam-file "../dhparam3072.pem"; + ca-file "../CA/CA.pem"; +}; + +zone tls-x1 { + type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.2 tls ephemeral; }; +}; + +zone tls-x2 { + type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-expired; }; +}; + +zone tls-x3 { + type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-forward-secrecy-remote-hostname; }; +}; + +zone tls-x4 { + type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-forward-secrecy-bad-remote-hostname; }; +}; + +zone tls-x5 { + type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.2 port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls; }; +}; + +zone tls-x6 { + type primary; + file "generic.db"; + notify explicit; + also-notify { 10.53.0.2 port @EXTRAPORT4@ tls tls-expired; }; }; diff --git a/bin/tests/system/notify/ns3/options-tls.conf.in b/bin/tests/system/notify/ns3/options-tls.conf.in index 23c0658bd5..fe3491e6c8 100644 --- a/bin/tests/system/notify/ns3/options-tls.conf.in +++ b/bin/tests/system/notify/ns3/options-tls.conf.in @@ -12,7 +12,3 @@ */ tls-port @TLSPORT@; - listen-on tls ephemeral { 10.53.0.3; }; - listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.3; }; - listen-on port @EXTRAPORT3@ tls tls-forward-secrecy-mutual-tls { 10.53.0.3; }; - listen-on port @EXTRAPORT4@ tls tls-expired { 10.53.0.3; }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh index 2fbccbd37f..22a50eeb42 100644 --- a/bin/tests/system/notify/tests.sh 
+++ b/bin/tests/system/notify/tests.sh @@ -120,15 +120,15 @@ grep 'refused notify from non-primary: fd92:7065:b8e:ffff::2#[0-9][0-9]*$' ns3/n test_end test_start "checking notify over TLS successful" -grep "zone tls-x1/IN: notify to 10.53.0.3#${TLSPORT} successful" ns2/named.run >/dev/null || ret=1 -grep "zone tls-x2/IN: notify to 10.53.0.3#${EXTRAPORT1} successful" ns2/named.run >/dev/null || ret=1 -grep "zone tls-x3/IN: notify to 10.53.0.3#${EXTRAPORT1} successful" ns2/named.run >/dev/null || ret=1 -grep "zone tls-x5/IN: notify to 10.53.0.3#${EXTRAPORT3} successful" ns2/named.run >/dev/null || ret=1 +grep "zone tls-x1/IN: notify to 10.53.0.2#${TLSPORT} successful" ns3/named.run >/dev/null || ret=1 +grep "zone tls-x2/IN: notify to 10.53.0.2#${EXTRAPORT1} successful" ns3/named.run >/dev/null || ret=1 +grep "zone tls-x3/IN: notify to 10.53.0.2#${EXTRAPORT1} successful" ns3/named.run >/dev/null || ret=1 +grep "zone tls-x5/IN: notify to 10.53.0.2#${EXTRAPORT3} successful" ns3/named.run >/dev/null || ret=1 test_end test_start "checking notify over TLS failed" -grep "zone tls-x4/IN: notify to 10.53.0.3#${EXTRAPORT1} failed: TLS peer certificate verification failed" ns2/named.run >/dev/null || ret=1 -grep "zone tls-x6/IN: notify to 10.53.0.3#${EXTRAPORT4} failed: TLS peer certificate verification failed" ns2/named.run >/dev/null || ret=1 +grep "zone tls-x4/IN: notify to 10.53.0.2#${EXTRAPORT1} failed: TLS peer certificate verification failed" ns3/named.run >/dev/null || ret=1 +grep "zone tls-x6/IN: notify to 10.53.0.2#${EXTRAPORT4} failed: TLS peer certificate verification failed" ns3/named.run >/dev/null || ret=1 test_end test_start "checking example2 loaded" From bbdc6b26aa93677cd895dc813b873621e987d40a Mon Sep 17 00:00:00 2001 
From: Timo Eisenmann Date: Wed, 18 Sep 2024 19:40:30 +0200 Subject: [PATCH 4/4] Use correct certificates for TLS notify tests Use tls-forward-secrecy instead of tls-expired for tls-x2 and regenerate the expired certificate for tls-x6 to reflect the swap of ns2 and ns3. --- .../certs/srv02.crt01-expired.example.com.key | 8 +- .../certs/srv02.crt01-expired.example.com.pem | 104 +++++++++--------- bin/tests/system/notify/CA/index.txt | 2 +- .../notify/CA/newcerts/C58668397B1CC4A1.pem | 76 ------------- .../notify/CA/newcerts/C58668397B1CC4A2.pem | 76 +++++++++++++ bin/tests/system/notify/CA/serial | 2 +- bin/tests/system/notify/ns3/named-tls.conf.in | 2 +- 7 files changed, 135 insertions(+), 135 deletions(-) delete mode 100644 bin/tests/system/notify/CA/newcerts/C58668397B1CC4A1.pem create mode 100644 bin/tests/system/notify/CA/newcerts/C58668397B1CC4A2.pem diff --git a/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.key b/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.key index ed93725584..68fa7b65cf 100644 --- a/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.key +++ b/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.key @@ -1,6 +1,6 @@ -----BEGIN PRIVATE KEY----- -MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDVfQs1V2UjdqTM0Z0P -DDtGwwtGUR2P6PEyDQgebPRUpWxbVGf4W0N0DWy5C9UkMJihZANiAARNrIyo/8cA -Dc5puRjsTirIBvu+vKntuMfEUganjXfqO/nYzh3XtC3xGv8NcE+KqZz6pMQw8OXY -Pd1i8n1Ajl/cV2zdVDggDr7milzE6feVSPk0JrxduaqV+MnXJity65Q= +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBbu3hxycrhJ+msVeQ0 +mNB/WkW7rxNr8Zi8iXLETgBJ40cJu0d/IA4jrJ4gvfwT82uhZANiAAT+AGZM20R/ +AnlbmJOoZ4qHWgcPhEDIZ3+5rzIYpyL67adW2henRZ2s/ULMi/v/OpLYfuT8f1Ro +RHxhJUK0kpu1yx1R0mEI94kimw2Ocpnf2VHIksml+D8tEek0h0lczC0= -----END PRIVATE KEY----- diff --git a/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.pem b/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.pem index d8a1f41f67..1ccfd320f9 100644 
--- a/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.pem
+++ b/bin/tests/system/notify/CA/certs/srv02.crt01-expired.example.com.pem
@@ -2,75 +2,75 @@ Certificate: Data: Version: 3 (0x2) Serial Number: - c5:86:68:39:7b:1c:c4:a1 + c5:86:68:39:7b:1c:c4:a2 Signature Algorithm: sha256WithRSAEncryption Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com Validity - Not Before: Sep 2 15:33:27 2024 GMT - Not After : Sep 3 15:33:27 2024 GMT - Subject: CN=srv03.crt01-expired.example.com + Not Before: Sep 17 16:18:18 2024 GMT + Not After : Sep 18 16:18:18 2024 GMT + Subject: CN=srv02.crt01-expired.example.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: - 04:4d:ac:8c:a8:ff:c7:00:0d:ce:69:b9:18:ec:4e: - 2a:c8:06:fb:be:bc:a9:ed:b8:c7:c4:52:06:a7:8d: - 77:ea:3b:f9:d8:ce:1d:d7:b4:2d:f1:1a:ff:0d:70: - 4f:8a:a9:9c:fa:a4:c4:30:f0:e5:d8:3d:dd:62:f2: - 7d:40:8e:5f:dc:57:6c:dd:54:38:20:0e:be:e6:8a: - 5c:c4:e9:f7:95:48:f9:34:26:bc:5d:b9:aa:95:f8: - c9:d7:26:2b:72:eb:94 + 04:fe:00:66:4c:db:44:7f:02:79:5b:98:93:a8:67: + 8a:87:5a:07:0f:84:40:c8:67:7f:b9:af:32:18:a7: + 22:fa:ed:a7:56:da:17:a7:45:9d:ac:fd:42:cc:8b: + fb:ff:3a:92:d8:7e:e4:fc:7f:54:68:44:7c:61:25: + 42:b4:92:9b:b5:cb:1d:51:d2:61:08:f7:89:22:9b: + 0d:8e:72:99:df:d9:51:c8:92:c9:a5:f8:3f:2d:11: + e9:34:87:49:5c:cc:2d ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Subject Alternative Name: - DNS:srv03.crt01-expired.example.com, IP Address:10.53.0.3 + DNS:srv02.crt01-expired.example.com, IP Address:10.53.0.2 X509v3 Subject Key Identifier: - 72:38:25:01:CB:38:FF:CB:D3:78:24:43:BA:64:EA:76:FB:58:F6:EA + 03:4C:AC:DE:C0:A3:EB:04:56:1C:10:47:EB:C9:4D:1A:5F:FD:8E:A1 X509v3 Authority Key Identifier: 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 Signature Algorithm: sha256WithRSAEncryption Signature Value: - 4a:f3:59:df:4d:ff:fd:de:fc:c8:bc:34:4c:e1:39:00:62:09: - c8:34:2b:d0:3e:52:91:ea:ae:da:86:94:7d:83:84:48:5d:50: - ac:b7:a5:70:87:f4:62:f0:c6:9a:73:d2:78:29:cf:21:20:ae: - 0e:b0:55:36:1d:6c:c1:7f:0f:b7:26:d8:14:43:64:c6:58:8b: - 
68:87:fd:cc:3f:d1:c1:f5:67:71:bc:71:7b:d4:f1:02:b0:4c: - dd:b2:4a:18:99:46:3a:44:b2:6b:c4:61:79:8f:be:e8:19:d4: - cc:f7:95:32:b0:74:18:76:c6:df:5f:c1:90:24:3c:a6:5d:2a: - 6f:90:7d:94:43:f3:df:1f:80:70:ff:8a:c8:b9:1f:c5:4e:08: - d1:54:f0:d8:72:af:07:30:9f:8a:65:66:ff:ff:a4:37:de:10: - 01:a6:00:c7:31:08:dd:f0:0a:5f:d3:e6:dd:d1:37:43:f2:44: - 13:bc:9e:68:40:bd:96:84:16:73:0f:01:95:40:65:ba:70:93: - a9:81:27:6e:b6:fb:ad:10:36:46:a3:75:94:00:62:f3:10:32: - c2:4a:0e:3a:bf:ab:07:14:a3:68:fd:eb:c7:c8:16:90:30:80: - f1:28:5c:64:a7:ba:8e:fa:27:09:4c:0b:08:d9:56:77:cd:25: - 7c:1f:58:78:48:c1:8c:73:10:39:f2:06:79:7c:8d:b9:ca:25: - 7c:b1:75:62:68:a7:14:c6:5b:00:78:67:e4:d8:e1:62:0b:6e: - 8d:5a:e6:23:d2:d4:dd:28:71:32:16:88:ad:b3:ee:a6:69:e7: - ff:1e:85:62:3c:65:88:c7:47:0c:1d:a0:d9:12:5c:31:98:01: - cd:a4:28:52:ad:dc:8b:1a:e6:d4:62:3d:1b:c6:52:00:b5:34: - 9d:1d:d8:6b:d3:ce:63:52:62:13:74:2a:7c:ff:0a:d7:0b:99: - a9:2b:b3:ba:e8:cf:a0:77:f0:85:12:ba:4c:54:71:74:dd:32: - 13:ca:44:c2:0f:d9 + 25:33:d0:30:6e:60:5e:f3:29:e7:1d:36:83:4d:cd:06:d2:35: + df:80:76:25:e5:56:c6:e7:5f:cb:70:c8:30:da:a1:15:50:1b: + 5d:e0:7b:01:60:47:32:ee:ea:98:cd:27:c2:2e:b8:d5:4a:2f: + 76:7b:f1:0d:ff:c3:b3:74:f9:98:37:c1:07:85:04:55:8f:42: + 25:b7:21:03:50:83:50:01:6a:88:84:bc:83:2c:48:3f:e5:96: + 04:d7:b5:56:68:7c:fe:d9:06:e2:bc:f0:fd:47:fd:4b:4c:9b: + 15:ca:ab:10:e4:8d:8f:b5:f7:dd:69:8c:9d:06:00:8f:80:5b: + 30:a6:6c:31:d2:b8:4b:cf:10:2a:bf:64:fb:be:da:3f:e2:ee: + f1:6c:74:02:a7:c5:0c:e2:13:f1:54:63:a9:45:43:7b:b7:85: + a3:48:00:62:34:db:ac:a1:b6:b8:76:b9:d9:aa:17:a2:f9:0b: + 96:87:ad:da:5e:95:50:2b:73:17:d7:2c:d0:43:40:e3:e9:80: + e2:87:be:1d:65:68:17:0d:90:98:0a:9b:6d:4f:2d:91:3e:f0: + 16:4e:c0:c3:e7:a9:a6:e8:bf:8e:b6:d0:3b:72:e6:d9:9a:b3: + 70:82:23:c1:02:c2:cc:91:d7:75:19:3c:79:33:ea:86:8d:80: + 9a:6b:f2:93:b4:dc:22:19:11:82:3d:62:1d:e5:58:58:7f:50: + 84:b0:d4:5a:67:be:d0:28:b0:be:a1:7f:9d:1b:a2:98:9b:70: + 5a:c0:a8:c5:03:ec:de:8a:e2:ea:03:2d:4e:9f:6c:7d:d8:0e: + 
41:3c:58:df:3f:1e:4f:69:04:68:54:59:58:ef:dd:e3:32:b3: + 2c:b4:cc:40:28:eb:3e:3b:37:fd:42:f7:d9:60:bf:fa:6d:87: + ca:ed:43:24:93:47:a8:bc:54:cc:c9:4d:ac:d0:b8:09:cb:85: + c3:02:55:73:bf:f0:ff:a3:fc:d2:d1:ae:ea:5a:96:6a:76:51: + fb:da:d9:ad:e4:cd -----BEGIN CERTIFICATE----- -MIIDcDCCAdigAwIBAgIJAMWGaDl7HMShMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +MIIDcDCCAdigAwIBAgIJAMWGaDl7HMSiMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE -AwwTY2EudGVzdC5leGFtcGxlLmNvbTAeFw0yNDA5MDIxNTMzMjdaFw0yNDA5MDMx -NTMzMjdaMCoxKDAmBgNVBAMMH3NydjAzLmNydDAxLWV4cGlyZWQuZXhhbXBsZS5j -b20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARNrIyo/8cADc5puRjsTirIBvu+vKnt -uMfEUganjXfqO/nYzh3XtC3xGv8NcE+KqZz6pMQw8OXYPd1i8n1Ajl/cV2zdVDgg -Dr7milzE6feVSPk0JrxduaqV+MnXJity65SjdDByMDAGA1UdEQQpMCeCH3NydjAz -LmNydDAxLWV4cGlyZWQuZXhhbXBsZS5jb22HBAo1AAMwHQYDVR0OBBYEFHI4JQHL -OP/L03gkQ7pk6nb7WPbqMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5 -MA0GCSqGSIb3DQEBCwUAA4IBgQBK81nfTf/93vzIvDRM4TkAYgnINCvQPlKR6q7a -hpR9g4RIXVCst6Vwh/Ri8Maac9J4Kc8hIK4OsFU2HWzBfw+3JtgUQ2TGWItoh/3M -P9HB9WdxvHF71PECsEzdskoYmUY6RLJrxGF5j77oGdTM95UysHQYdsbfX8GQJDym -XSpvkH2UQ/PfH4Bw/4rIuR/FTgjRVPDYcq8HMJ+KZWb//6Q33hABpgDHMQjd8Apf -0+bd0TdD8kQTvJ5oQL2WhBZzDwGVQGW6cJOpgSdutvutEDZGo3WUAGLzEDLCSg46 -v6sHFKNo/evHyBaQMIDxKFxkp7qO+icJTAsI2VZ3zSV8H1h4SMGMcxA58gZ5fI25 -yiV8sXViaKcUxlsAeGfk2OFiC26NWuYj0tTdKHEyFoits+6maef/HoViPGWIx0cM -HaDZElwxmAHNpChSrdyLGubUYj0bxlIAtTSdHdhr085jUmITdCp8/wrXC5mpK7O6 -6M+gd/CFErpMVHF03TITykTCD9k= +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAeFw0yNDA5MTcxNjE4MThaFw0yNDA5MTgx +NjE4MThaMCoxKDAmBgNVBAMMH3NydjAyLmNydDAxLWV4cGlyZWQuZXhhbXBsZS5j +b20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT+AGZM20R/AnlbmJOoZ4qHWgcPhEDI +Z3+5rzIYpyL67adW2henRZ2s/ULMi/v/OpLYfuT8f1RoRHxhJUK0kpu1yx1R0mEI +94kimw2Ocpnf2VHIksml+D8tEek0h0lczC2jdDByMDAGA1UdEQQpMCeCH3NydjAy +LmNydDAxLWV4cGlyZWQuZXhhbXBsZS5jb22HBAo1AAIwHQYDVR0OBBYEFANMrN7A 
+o+sEVhwQR+vJTRpf/Y6hMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5 +MA0GCSqGSIb3DQEBCwUAA4IBgQAlM9AwbmBe8ynnHTaDTc0G0jXfgHYl5VbG51/L +cMgw2qEVUBtd4HsBYEcy7uqYzSfCLrjVSi92e/EN/8OzdPmYN8EHhQRVj0IltyED +UINQAWqIhLyDLEg/5ZYE17VWaHz+2QbivPD9R/1LTJsVyqsQ5I2PtffdaYydBgCP +gFswpmwx0rhLzxAqv2T7vto/4u7xbHQCp8UM4hPxVGOpRUN7t4WjSABiNNusoba4 +drnZqhei+QuWh63aXpVQK3MX1yzQQ0Dj6YDih74dZWgXDZCYCpttTy2RPvAWTsDD +56mm6L+OttA7cubZmrNwgiPBAsLMkdd1GTx5M+qGjYCaa/KTtNwiGRGCPWId5VhY +f1CEsNRaZ77QKLC+oX+dG6KYm3BawKjFA+zeiuLqAy1On2x92A5BPFjfPx5PaQRo +VFlY793jMrMstMxAKOs+Ozf9QvfZYL/6bYfK7UMkk0eovFTMyU2s0LgJy4XDAlVz +v/D/o/zS0a7qWpZqdlH72tmt5M0= -----END CERTIFICATE----- diff --git a/bin/tests/system/notify/CA/index.txt b/bin/tests/system/notify/CA/index.txt index 323e3f95b5..73de299004 100644 --- a/bin/tests/system/notify/CA/index.txt +++ b/bin/tests/system/notify/CA/index.txt @@ -1,3 +1,3 @@ V 20540827153314Z C58668397B1CC49F unknown /CN=srv02.crt01.example.com V 20540827153318Z C58668397B1CC4A0 unknown /CN=srv03.crt01.example.com -V 240903153327Z C58668397B1CC4A1 unknown /CN=srv03.crt01-expired.example.com +V 240918161818Z C58668397B1CC4A2 unknown /CN=srv02.crt01-expired.example.com diff --git a/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A1.pem b/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A1.pem deleted file mode 100644 index d8a1f41f67..0000000000 --- a/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A1.pem +++ /dev/null 
@@ -1,76 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - c5:86:68:39:7b:1c:c4:a1 - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com - Validity - Not Before: Sep 2 15:33:27 2024 GMT - Not After : Sep 3 15:33:27 2024 GMT - Subject: CN=srv03.crt01-expired.example.com - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (384 bit) - pub: - 04:4d:ac:8c:a8:ff:c7:00:0d:ce:69:b9:18:ec:4e: - 2a:c8:06:fb:be:bc:a9:ed:b8:c7:c4:52:06:a7:8d: - 77:ea:3b:f9:d8:ce:1d:d7:b4:2d:f1:1a:ff:0d:70: - 4f:8a:a9:9c:fa:a4:c4:30:f0:e5:d8:3d:dd:62:f2: - 7d:40:8e:5f:dc:57:6c:dd:54:38:20:0e:be:e6:8a: - 5c:c4:e9:f7:95:48:f9:34:26:bc:5d:b9:aa:95:f8: - c9:d7:26:2b:72:eb:94 - ASN1 OID: secp384r1 - NIST CURVE: P-384 - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:srv03.crt01-expired.example.com, IP Address:10.53.0.3 - X509v3 Subject Key Identifier: - 72:38:25:01:CB:38:FF:CB:D3:78:24:43:BA:64:EA:76:FB:58:F6:EA - X509v3 Authority Key Identifier: - 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 - Signature Algorithm: sha256WithRSAEncryption - Signature Value: - 4a:f3:59:df:4d:ff:fd:de:fc:c8:bc:34:4c:e1:39:00:62:09: - c8:34:2b:d0:3e:52:91:ea:ae:da:86:94:7d:83:84:48:5d:50: - ac:b7:a5:70:87:f4:62:f0:c6:9a:73:d2:78:29:cf:21:20:ae: - 0e:b0:55:36:1d:6c:c1:7f:0f:b7:26:d8:14:43:64:c6:58:8b: - 68:87:fd:cc:3f:d1:c1:f5:67:71:bc:71:7b:d4:f1:02:b0:4c: - dd:b2:4a:18:99:46:3a:44:b2:6b:c4:61:79:8f:be:e8:19:d4: - cc:f7:95:32:b0:74:18:76:c6:df:5f:c1:90:24:3c:a6:5d:2a: - 6f:90:7d:94:43:f3:df:1f:80:70:ff:8a:c8:b9:1f:c5:4e:08: - d1:54:f0:d8:72:af:07:30:9f:8a:65:66:ff:ff:a4:37:de:10: - 01:a6:00:c7:31:08:dd:f0:0a:5f:d3:e6:dd:d1:37:43:f2:44: - 13:bc:9e:68:40:bd:96:84:16:73:0f:01:95:40:65:ba:70:93: - a9:81:27:6e:b6:fb:ad:10:36:46:a3:75:94:00:62:f3:10:32: - c2:4a:0e:3a:bf:ab:07:14:a3:68:fd:eb:c7:c8:16:90:30:80: - 
f1:28:5c:64:a7:ba:8e:fa:27:09:4c:0b:08:d9:56:77:cd:25: - 7c:1f:58:78:48:c1:8c:73:10:39:f2:06:79:7c:8d:b9:ca:25: - 7c:b1:75:62:68:a7:14:c6:5b:00:78:67:e4:d8:e1:62:0b:6e: - 8d:5a:e6:23:d2:d4:dd:28:71:32:16:88:ad:b3:ee:a6:69:e7: - ff:1e:85:62:3c:65:88:c7:47:0c:1d:a0:d9:12:5c:31:98:01: - cd:a4:28:52:ad:dc:8b:1a:e6:d4:62:3d:1b:c6:52:00:b5:34: - 9d:1d:d8:6b:d3:ce:63:52:62:13:74:2a:7c:ff:0a:d7:0b:99: - a9:2b:b3:ba:e8:cf:a0:77:f0:85:12:ba:4c:54:71:74:dd:32: - 13:ca:44:c2:0f:d9 ------BEGIN CERTIFICATE----- -MIIDcDCCAdigAwIBAgIJAMWGaDl7HMShMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV -BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr -aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE -AwwTY2EudGVzdC5leGFtcGxlLmNvbTAeFw0yNDA5MDIxNTMzMjdaFw0yNDA5MDMx -NTMzMjdaMCoxKDAmBgNVBAMMH3NydjAzLmNydDAxLWV4cGlyZWQuZXhhbXBsZS5j -b20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARNrIyo/8cADc5puRjsTirIBvu+vKnt -uMfEUganjXfqO/nYzh3XtC3xGv8NcE+KqZz6pMQw8OXYPd1i8n1Ajl/cV2zdVDgg -Dr7milzE6feVSPk0JrxduaqV+MnXJity65SjdDByMDAGA1UdEQQpMCeCH3NydjAz -LmNydDAxLWV4cGlyZWQuZXhhbXBsZS5jb22HBAo1AAMwHQYDVR0OBBYEFHI4JQHL -OP/L03gkQ7pk6nb7WPbqMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5 -MA0GCSqGSIb3DQEBCwUAA4IBgQBK81nfTf/93vzIvDRM4TkAYgnINCvQPlKR6q7a -hpR9g4RIXVCst6Vwh/Ri8Maac9J4Kc8hIK4OsFU2HWzBfw+3JtgUQ2TGWItoh/3M -P9HB9WdxvHF71PECsEzdskoYmUY6RLJrxGF5j77oGdTM95UysHQYdsbfX8GQJDym -XSpvkH2UQ/PfH4Bw/4rIuR/FTgjRVPDYcq8HMJ+KZWb//6Q33hABpgDHMQjd8Apf -0+bd0TdD8kQTvJ5oQL2WhBZzDwGVQGW6cJOpgSdutvutEDZGo3WUAGLzEDLCSg46 -v6sHFKNo/evHyBaQMIDxKFxkp7qO+icJTAsI2VZ3zSV8H1h4SMGMcxA58gZ5fI25 -yiV8sXViaKcUxlsAeGfk2OFiC26NWuYj0tTdKHEyFoits+6maef/HoViPGWIx0cM -HaDZElwxmAHNpChSrdyLGubUYj0bxlIAtTSdHdhr085jUmITdCp8/wrXC5mpK7O6 -6M+gd/CFErpMVHF03TITykTCD9k= ------END CERTIFICATE----- diff --git a/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A2.pem b/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A2.pem new file mode 100644 index 0000000000..1ccfd320f9 --- /dev/null 
+++ b/bin/tests/system/notify/CA/newcerts/C58668397B1CC4A2.pem 
@@ -0,0 +1,76 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + c5:86:68:39:7b:1c:c4:a2 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 17 16:18:18 2024 GMT + Not After : Sep 18 16:18:18 2024 GMT + Subject: CN=srv02.crt01-expired.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:fe:00:66:4c:db:44:7f:02:79:5b:98:93:a8:67: + 8a:87:5a:07:0f:84:40:c8:67:7f:b9:af:32:18:a7: + 22:fa:ed:a7:56:da:17:a7:45:9d:ac:fd:42:cc:8b: + fb:ff:3a:92:d8:7e:e4:fc:7f:54:68:44:7c:61:25: + 42:b4:92:9b:b5:cb:1d:51:d2:61:08:f7:89:22:9b: + 0d:8e:72:99:df:d9:51:c8:92:c9:a5:f8:3f:2d:11: + e9:34:87:49:5c:cc:2d + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv02.crt01-expired.example.com, IP Address:10.53.0.2 + X509v3 Subject Key Identifier: + 03:4C:AC:DE:C0:A3:EB:04:56:1C:10:47:EB:C9:4D:1A:5F:FD:8E:A1 + X509v3 Authority Key Identifier: + 7C:89:E8:5C:EB:E5:1F:72:48:04:C5:8F:FB:92:08:9C:F5:60:26:39 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 25:33:d0:30:6e:60:5e:f3:29:e7:1d:36:83:4d:cd:06:d2:35: + df:80:76:25:e5:56:c6:e7:5f:cb:70:c8:30:da:a1:15:50:1b: + 5d:e0:7b:01:60:47:32:ee:ea:98:cd:27:c2:2e:b8:d5:4a:2f: + 76:7b:f1:0d:ff:c3:b3:74:f9:98:37:c1:07:85:04:55:8f:42: + 25:b7:21:03:50:83:50:01:6a:88:84:bc:83:2c:48:3f:e5:96: + 04:d7:b5:56:68:7c:fe:d9:06:e2:bc:f0:fd:47:fd:4b:4c:9b: + 15:ca:ab:10:e4:8d:8f:b5:f7:dd:69:8c:9d:06:00:8f:80:5b: + 30:a6:6c:31:d2:b8:4b:cf:10:2a:bf:64:fb:be:da:3f:e2:ee: + f1:6c:74:02:a7:c5:0c:e2:13:f1:54:63:a9:45:43:7b:b7:85: + a3:48:00:62:34:db:ac:a1:b6:b8:76:b9:d9:aa:17:a2:f9:0b: + 96:87:ad:da:5e:95:50:2b:73:17:d7:2c:d0:43:40:e3:e9:80: + e2:87:be:1d:65:68:17:0d:90:98:0a:9b:6d:4f:2d:91:3e:f0: + 16:4e:c0:c3:e7:a9:a6:e8:bf:8e:b6:d0:3b:72:e6:d9:9a:b3: + 
70:82:23:c1:02:c2:cc:91:d7:75:19:3c:79:33:ea:86:8d:80: + 9a:6b:f2:93:b4:dc:22:19:11:82:3d:62:1d:e5:58:58:7f:50: + 84:b0:d4:5a:67:be:d0:28:b0:be:a1:7f:9d:1b:a2:98:9b:70: + 5a:c0:a8:c5:03:ec:de:8a:e2:ea:03:2d:4e:9f:6c:7d:d8:0e: + 41:3c:58:df:3f:1e:4f:69:04:68:54:59:58:ef:dd:e3:32:b3: + 2c:b4:cc:40:28:eb:3e:3b:37:fd:42:f7:d9:60:bf:fa:6d:87: + ca:ed:43:24:93:47:a8:bc:54:cc:c9:4d:ac:d0:b8:09:cb:85: + c3:02:55:73:bf:f0:ff:a3:fc:d2:d1:ae:ea:5a:96:6a:76:51: + fb:da:d9:ad:e4:cd +-----BEGIN CERTIFICATE----- +MIIDcDCCAdigAwIBAgIJAMWGaDl7HMSiMA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNV +BAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNVBAcMB0toYXJr +aXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1bTEcMBoGA1UE +AwwTY2EudGVzdC5leGFtcGxlLmNvbTAeFw0yNDA5MTcxNjE4MThaFw0yNDA5MTgx +NjE4MThaMCoxKDAmBgNVBAMMH3NydjAyLmNydDAxLWV4cGlyZWQuZXhhbXBsZS5j +b20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT+AGZM20R/AnlbmJOoZ4qHWgcPhEDI +Z3+5rzIYpyL67adW2henRZ2s/ULMi/v/OpLYfuT8f1RoRHxhJUK0kpu1yx1R0mEI +94kimw2Ocpnf2VHIksml+D8tEek0h0lczC2jdDByMDAGA1UdEQQpMCeCH3NydjAy +LmNydDAxLWV4cGlyZWQuZXhhbXBsZS5jb22HBAo1AAIwHQYDVR0OBBYEFANMrN7A +o+sEVhwQR+vJTRpf/Y6hMB8GA1UdIwQYMBaAFHyJ6Fzr5R9ySATFj/uSCJz1YCY5 +MA0GCSqGSIb3DQEBCwUAA4IBgQAlM9AwbmBe8ynnHTaDTc0G0jXfgHYl5VbG51/L +cMgw2qEVUBtd4HsBYEcy7uqYzSfCLrjVSi92e/EN/8OzdPmYN8EHhQRVj0IltyED +UINQAWqIhLyDLEg/5ZYE17VWaHz+2QbivPD9R/1LTJsVyqsQ5I2PtffdaYydBgCP +gFswpmwx0rhLzxAqv2T7vto/4u7xbHQCp8UM4hPxVGOpRUN7t4WjSABiNNusoba4 +drnZqhei+QuWh63aXpVQK3MX1yzQQ0Dj6YDih74dZWgXDZCYCpttTy2RPvAWTsDD +56mm6L+OttA7cubZmrNwgiPBAsLMkdd1GTx5M+qGjYCaa/KTtNwiGRGCPWId5VhY +f1CEsNRaZ77QKLC+oX+dG6KYm3BawKjFA+zeiuLqAy1On2x92A5BPFjfPx5PaQRo +VFlY793jMrMstMxAKOs+Ozf9QvfZYL/6bYfK7UMkk0eovFTMyU2s0LgJy4XDAlVz +v/D/o/zS0a7qWpZqdlH72tmt5M0= +-----END CERTIFICATE----- diff --git a/bin/tests/system/notify/CA/serial b/bin/tests/system/notify/CA/serial index c611a6a182..82f4fbef2b 100644 --- a/bin/tests/system/notify/CA/serial +++ b/bin/tests/system/notify/CA/serial @@ -1 +1 @@ -C58668397B1CC4A2 +C58668397B1CC4A3 
diff --git a/bin/tests/system/notify/ns3/named-tls.conf.in b/bin/tests/system/notify/ns3/named-tls.conf.in index 3269091c87..1e1b291b17 100644 --- a/bin/tests/system/notify/ns3/named-tls.conf.in +++ b/bin/tests/system/notify/ns3/named-tls.conf.in @@ -58,7 +58,7 @@ zone tls-x2 { type primary; file "generic.db"; notify explicit; - also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-expired; }; + also-notify { 10.53.0.2 port @EXTRAPORT1@ tls tls-forward-secrecy; }; }; zone tls-x3 {
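Review bot: In the `zone tls-x2` block of ns3/named-tls.conf.in, the hunk shows no comment saying which TLS case the zone is meant to exercise. The `tls` name on the `also-notify` line is therefore the only record of intent, and it is the line this patch had to correct. A one-line comment in the zone would make a future mismatch visible in review, for example `/* tls-x2: NOTIFY to 10.53.0.2 over TLS using tls-forward-secrecy; the expired-certificate case is tls-x6 */`. The tls-x6 part comes from the commit message rather than from visible config, so confirm it. The expired certificate appears to be the negative case for certificate validation, so it is also worth confirming that the test script checks the outcome for that zone explicitly. The zone's opening line appears only in the hunk header, so a comment above it may already exist outside the hunk.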